...

Jira: POLICY-4681

Follow up Jira for documentation: POLICY-4817

Security Knowledge

Know Secure Design

...

If so, please provide a URL to the pages on wiki.onap.org or onap.readthedocs.io that have the architecture or high level design. If not, please describe the high level design here using one or more paragraphs.

...

If so, please provide a URL to the page(s) on wiki.onap.org or onap.readthedocs.io. If not, please describe the security requirements here using one or more paragraphs.

...

If so, please provide a URL to the page(s) on wiki.onap.org or onap.readthedocs.io that describe how the project meets its security goals. If not, please describe here (using one or more paragraphs) how the project meets its security goals.

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

Depends on the user managing crypto and their own passwords - passwords are configurable in application.yaml for Spring applications (api, pap and acm) and in .json configuration files for the others. The credentials provided in these files are used for authentication (no authorization is dealt with in any of the PF components) to use any of the REST APIs provided by PF.

All of the authorization/authentication is being managed by the service mesh, using the authorizationPolicy implemented in the SM.

? 2023/8/22: move information in "Your Answer" to the security documentation.

Please expand on the use of configurable usernames+passwords and what they allow.

2023/8/22: add password use and protection to security documentation. Determine if Spring is doing authentication, authorization or both. If PF is storing passwords in order to call APIs, document the secure storage and access of the passwords.

2023/8/22: cryptography provided by K8S using secure algorithms and ciphers.
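The answer above says passwords live in application.yaml (or .json) and are managed by k8s secrets. The following is an added illustration, not PF's own configuration or OOM chart code, of how those two statements fit together without a plaintext password ending up in a checked-in file: the Secret holds the credential, the Deployment injects it as environment variables, and the Spring application.yaml resolves it through a property placeholder. The Secret name, environment variable names, namespace and the `spring.security.user.*` properties (Spring Boot's standard single-user basic-auth properties, used here only for illustration) are assumptions, as are all placeholder values.

```yaml
# Constructed example: a Kubernetes Secret holding the REST API credentials.
# The Secret name, keys and values are assumptions, not PF's real names.
apiVersion: v1
kind: Secret
metadata:
  name: policy-api-credentials          # assumed name
  namespace: onap                       # assumed namespace
type: Opaque
stringData:
  username: policyadmin                 # placeholder value
  password: "<set-at-deploy-time>"      # placeholder; never commit a real value
---
# Deployment fragment (assumed names): inject the Secret as environment
# variables so the password is never baked into the image or the YAML file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-api                      # assumed name
  namespace: onap
spec:
  template:
    spec:
      containers:
        - name: policy-api
          image: "<policy-api-image>"   # placeholder
          env:
            - name: RESTSERVER_USER     # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: policy-api-credentials
                  key: username
            - name: RESTSERVER_PASSWORD # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: policy-api-credentials
                  key: password
---
# application.yaml fragment: Spring Boot resolves ${...} placeholders from
# environment variables, so the file itself contains no secret value.
# The property names are Spring Security's built-in single-user settings,
# used only to illustrate the placeholder mechanism.
spring:
  security:
    user:
      name: ${RESTSERVER_USER}
      password: ${RESTSERVER_PASSWORD}
```

Rotating the credential then means updating the Secret and restarting the pods (for example `kubectl rollout restart deployment/policy-api -n onap`), which matches the statement elsewhere on this page that a password change requires an application restart. Anyone with read access to Secrets in the namespace can still recover the value, so RBAC on Secrets and encryption of Secrets at rest in etcd are the controls that the "secure storage and access" documentation item should describe.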

...

Your Answer - Please Explain | SECCOM Feedback / Recommendations

UUID generator is being used, but for IDs, not for security concerns.

No crypto being used.

Doesn't answer the question

2023/8/22: PF to document all uses of cryptographic algorithms within the PF application. UUID generation is not part of cryptography.

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

No crypto is being used, aside from UUID generated (using java native way), which are used for identifiers.

Doesn't answer the question

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

Passwords are in configuration files; they can be replaced without code recompilation, but this requires an application restart. Credentials are managed by k8s secrets.

Doesn't answer the question

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

PF only communicates with components within ONAP.

PF's primary communication is through HTTP.

PF uses Kafka or REST API interfaces between PF components and the service mesh for other communications.

As mentioned above, we need to add to documentation that PF is supposed to run within OOM deployment. That said, SM is managing all communication.


?

Is HTTP protected by the mesh and HTTPS?

  • yes

...

Your Answers - Please Explain | SECCOM Feedback / Recommendations

PF is compliant and compatible with the ongoing service mesh implementation (https://gerrit.onap.org/r/c/oom/+/128543) for ONAP. 

As mentioned above, we need to add to documentation that PF is supposed to run within OOM deployment. That said, SM is managing all communication.

Doesn't answer the question

Service mesh takes care of HTTP communications.
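The two answers above (HTTP protected by the mesh; authorization handled by the mesh's authorizationPolicy) both rest on the Istio-based service mesh that the linked OOM change introduces. As an added example, not taken from the OOM charts or the PF project, the two resources below show the minimum that makes those answers true for a workload: a PeerAuthentication that forces mutual TLS, so plain HTTP between sidecars is encrypted and authenticated, and an AuthorizationPolicy that allows only a named caller identity onto the REST API. The namespace `onap`, the label `app: policy-api`, the caller service account `policy-pap` and the path prefix are assumptions.

```yaml
# Constructed example: require mTLS for every workload in the namespace.
# With STRICT, a sidecar rejects plaintext connections, so the "HTTP" that
# PF speaks is carried inside mTLS between the Envoy proxies.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: onap            # assumed namespace
spec:
  mtls:
    mode: STRICT
---
# Constructed example: allow only the PAP workload identity to call the API.
# Once any ALLOW policy selects a workload, Istio denies every request that
# matches no rule, so this is deny-by-default for the policy-api pods.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: policy-api-allow-pap   # assumed name
  namespace: onap
spec:
  selector:
    matchLabels:
      app: policy-api          # assumed workload label
  action: ALLOW
  rules:
    - from:
        - source:
            # SPIFFE identity of the caller, derived from its service account
            # (assumed account name; the format is Istio's standard one).
            principals:
              - "cluster.local/ns/onap/sa/policy-pap"
      to:
        - operation:
            methods: ["GET", "POST", "PUT", "DELETE"]
            paths: ["/policy/api/v1/*"]   # assumed path prefix
```

The principal check only works because PeerAuthentication is STRICT: a caller's identity comes from its mTLS client certificate, so a PERMISSIVE mesh would let a plaintext request arrive with no principal at all and fail the rule. That dependency is worth stating in the PF security documentation alongside the basic-auth credentials, since the two controls protect different things (transport identity versus application login).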