Currently VES supports 4 authentication methods:
noAuth --> Works by default. No changes are required.
basicAuth --> Works with or without the https healthcheck endpoint (readiness) defined; the DCAE healthcheck passes in either case. The VES blueprint needs to be overwritten.
certOnly --> Works only when the https healthcheck endpoint (readiness) is removed from the blueprint; the DCAE healthcheck also passes (when readiness is not explicitly defined). The VES blueprint needs to be overwritten.
certBasicAuth --> Works with or without the https healthcheck endpoint (readiness) defined; the DCAE healthcheck passes in either case. The VES blueprint needs to be overwritten.
For Dublin, a separate Jira (DCAEGEN2-1593) has been created for documentation updates to include the steps for deploying VESCollector with the above authentication methods enabled.
Readiness support in certOnly mode can be dealt with by disabling healthchecks. Support for healthchecks is planned as a future enhancement (DCAEGEN2-1594).
To enable TLS, a new application port is involved, so the service should be redeployed (by modifying the parameters in the blueprint), especially when changing from noAuth to basicAuth/certOnly/certBasicAuth. The latter 3 types use port 8443, while noAuth uses 8080. Any change within basicAuth/certOnly/certBasicAuth can be made through a consul update, as the k8s deployment descriptor (which contains the service definition and healthcheck spec) is still valid.
authentication methods certBasicAuth. It is possible to run with the noAuth method as an option; however, HTTP is not supported by default.
High level test cases for auth.method = "certBasicAuth" :
Tests were done without adopting healthchecks. Healthchecks and the readiness probe were turned off to have VES Collector running.
TC ID | Test Case Name | Test Case |
---|
DescriptionExecution | Expected Result | Test Status |
---|
T01 | Client with correct basic auth and correct certificate | curl -vk --cert |
rootCAcrt rootCA.key --pass collector key.pem -u sample1:sample1 -X POST https:// |
192.168.0.22 correct incorrect correct certificate | curl -vk |
-u sample1:sample1 X - incorrect_rootCAcrt rootCA. --pass collector POST https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"PASS. HTTP/1.1 202 | | T03 | Client with correct basic auth and without certificate | curl -vk -u sample1:sample1 -X POST https://192.168.0.22T04T03 | Client without basic auth and |
without certificatecurl -vk -X POST https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | FAIL, HTTP/1.1 401 | | T05 | Client without basic auth and with correct certificate | curl -vk --cert |
rootCA.crt --key rootCA.key --pass collector -X POST https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"FAIL, HTTP/1.1 401 | | T06 | Client with incorrect basic auth and with correct certificate | curl -vk -- rootCAcrt key rootCA. --pass collector -u sample2:sample1 -X POS https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"curl -vk --cert rootCA.crt -- rootCAkey --pass collector -u sample1:sample2 -X POS TC ID | Test Case Name | Test Case Description | Expected Result | Test Status |
---|
T01 | Client with correct basic auth and correct certificate | curl -vk --cert rootCA.crt --key rootCA.key --pass collector -u sample1:sample1 -X POST https://192.168.0.22:192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"FAIL, HTTP/1.1 401 | | T07 | Client with incorrect basic auth and without certificate | curl -vk -u sample2:sample1 -X POS https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | FAIL , HTTP/1.1 401 | |
High level test cases for auth.method = "certOnly" :
T02 incorrect basic and correct and incorrect certificate | curl -vk --cert |
rootCAincorrect.crt --key rootCA.key --pass collector -u sample1: |
sample2 PASS. HTTP/1.1 202 | | T03 | Client without basic auth and with correct certificate | curl -vk --cert rootCA.crt --key rootCA.key --pass collector -X POST https://192.168.0.22192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json"T04 | Client without basic auth and without certificate | curl -vk -X POST https://192.168.0.22:30417/eventListener/v7 -d @event.json --header "Content-Type: application/json" | PASS. HTTP/1.1 202 | | FAIL, connection closed because of bad certificate | |
T05 | Client with |
correct basic auth and without certificatecorrect basic auth and without certificate | curl -vk |
-pass collector -192.168.0.22FAIL, connection closed because of bad certificatePASS. HTTP/1.1 202 | |
T06 | Client with |
correct basic auth and with incorrect certificateincorrect certificate and incorrect basic auth | curl -vk --cert incorrect |
_rootCA.crt --key rootCA.key --pass collector -u |
sample1192.168.0.22 certificate with without without certificate and without basic auth |
and with incorrect certificate --cert incorrect_rootCA.crt -key rootCA.key --pass collector -192.168.0.22 connection closed because of bad certificate |

High level test cases for auth.method = "certBasicAuth" :
TC ID | Test Case Name | Test Case Description | Expected Result | Test Status |
---|---|---|---|---|
T01 | Client with correct basic auth and correct certificate | | PASS. HTTP/1.1 202 | |
T02 | Client with incorrect basic auth and correct certificate | | PASS. HTTP/1.1 202 | |
T03 | Client without basic auth and with correct certificate | | PASS. HTTP/1.1 202 | |
T04 | Client with correct basic auth and incorrect certificate | | PASS. HTTP/1.1 202 | |
T05 | Client with correct basic auth and without certificate | | PASS. HTTP/1.1 202 | |
T06 | Client with incorrect certificate and incorrect basic auth | | FAIL, connection closed because of bad certificate | |
T07 | Client without certificate and without basic auth | | FAIL, connection closed because of bad certificate | |
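
The manual curl checks above can be replayed as a scripted matrix. This is an added example, not part of the original page or the VES project. It covers the certBasicAuth cases T01, T04, T05 and T07, using the URL, credentials and file names from the page's curl commands. The `VES_URL`, `VES_RUN` and `CURL` variables and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the page. URL, credentials and cert/key file names are
# copied from the page's curl commands; VES_URL, VES_RUN, CURL and the function
# names are assumptions. event.json and the cert files must be in the working dir.
URL="${VES_URL:-https://192.168.0.22:30417/eventListener/v7}"

# send <user:pass|-> <cert file|->   prints "<curl exit code> <HTTP status>"
send() {
  user=$1 cert=$2
  set -- -sk -o /dev/null -w '%{http_code}' -X POST "$URL" \
         -d @event.json --header 'Content-Type: application/json'
  [ "$user" = "-" ] || set -- -u "$user" "$@"
  [ "$cert" = "-" ] || set -- --cert "$cert" --key rootCA.key --pass collector "$@"
  code=$("${CURL:-curl}" "$@") && rc=0 || rc=$?
  echo "$rc ${code:-000}"
}

# classify <curl exit code> <HTTP status>   maps a result onto the tables' wording
classify() {
  case "$1:$2" in
    0:202)     echo "PASS 202" ;;
    0:401)     echo "FAIL 401" ;;
    35:*|56:*) echo "FAIL bad certificate" ;;  # curl: SSL connect error / receive failure
    *)         echo "UNEXPECTED exit=$1 http=$2" ;;
  esac
}

# check <id> <user:pass|-> <cert|-> <expected verdict>
check() {
  got=$(classify $(send "$2" "$3"))
  if [ "$got" = "$4" ]; then echo "ok   $1: $got"
  else echo "DIFF $1: got '$got', expected '$4'"; return 1; fi
}

# certBasicAuth cases whose expected result is stated on the page
run_matrix() {
  fail=0
  check T01 sample1:sample1 rootCA.crt "PASS 202" || fail=1
  check T04 -               -          "FAIL 401" || fail=1
  check T05 -               rootCA.crt "FAIL 401" || fail=1
  check T07 sample2:sample1 -          "FAIL 401" || fail=1
  return $fail
}

if [ "${VES_RUN:-0}" = 1 ]; then run_matrix
else echo "dry run: set VES_RUN=1 to POST to $URL"; fi
```

A non-zero exit from `run_matrix` means at least one case returned something other than the documented result, which is the signal to look for after changing `auth.method` through a redeploy or consul update.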