Project Overview
AAF is first-order Security Infrastructure being used for the following:
- AAF allows each ONAP Component to have a "Namespace" to set up their important Security Authentication and Authorization elements
  - Permissions
  - Roles
  - Credentials
- AAF provides Access to Organizational Identities
  - There is a maintained set of Identities for use in ONAP Test Systems for each ONAP Component
  - Credentials for these Identities
    - Passwords as appropriate
      - AAF has the ability to Delegate to the Organization, but houses all Passwords for ONAP Testing.
    - Certificates
      - These certificates have a unique Authorized Identity embedded, which supports 2-way TLS Authentication
      - These certificates can also be used as Server side certificates
- Authorizations (Fine Grained)
  - AAF provides Applications or other Enforcement Points with APP-configured Permissions
- Roles
  - AAF provides Roles for Identities that include any Granted Permissions
- OAuth Tokens and Introspection
  - Currently unused by ONAP
- Locator
  - AAF Components and ports can be found Globally
  - AAF Team would like the Arch Team to know the following about the Locator
    - "Locator" is not technically restricted to AAF. It can register (protected by Authentication/Authorization) any running process/port/interface
    - Registrations include Global Coordinates, allowing Clients to pick the "closest" one
    - Locator is independent of any "Cluster" or "Container" mechanisms, which gives accessibility to any network-accessible component
    - Globally - Components can reside anywhere in the world
    - Scalable - You can start new instances anywhere and instantly increase capacity and usage
      - "For best results", use Cassandra in a Scalable way.
    - Resilient - VMs, Clusters, Datacenters, K8s could go down, and Authentication/Authorization is still accessible.
- Security FS
  - AAF provides a globally accessible Fileserver to get public security information, e.g.:
    - CRLs
    - Root Certificates (any the Organization wants to publish)
    - Organizational approved Truststores, etc.
- Approval Processing mechanisms
- AAF provides real-time RESTful-based:
  - fast evaluation of Security Authorization (and Authentication, if housed in AAF)
  - Management API for all AAF components, protected by Stringent Authentication and Authorization
- AAF provides Java Client Infrastructure
  - CADI Framework, primarily Java
    - Includes all AAF interactions
    - Is able to process MULTIPLE kinds of Authentication in the same Client (X509, BasicAuth and OAuth included, Adapter Interfaces for Company-based elements)
    - Shiro Adapter included for ONAP use of ODL
- AAF provides Auto-Configuration for Clients, and Auto-Generation of ONAP Certs
  - as part of "Bare Metal"
  - on Docker "volumes"
- ROOT CA Access
  - For ONAP, AAF is providing "Root CA Capabilities" by using AAF Certman to generate Certs from an Issuer CA. This is for TEST only
  - AAF has the ability to use the "SCEP" protocol to CAs (example CA: Windows Server). However, this is not provided or validated by ONAP.
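The Namespace / Role / Permission model listed above (a Namespace owning Roles and Permissions, an Identity gaining only the Permissions of the Roles granted to it), as an added illustration that is not AAF or CADI code: it assumes AAF's type|instance|action permission triple, which this page does not spell out, and treats a granted field of "*" as a wildcard. Namespace names, identities and grants in the demo are constructed samples.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    """Permission triple written as type|instance|action (assumed AAF convention)."""
    type: str
    instance: str
    action: str

    @classmethod
    def parse(cls, text: str) -> "Perm":
        parts = text.split("|")
        if len(parts) != 3 or not all(parts):
            raise ValueError(f"permission must be type|instance|action: {text!r}")
        return cls(*parts)

    def covers(self, wanted: "Perm") -> bool:
        # A granted field matches if it equals the requested field or is the "*" wildcard;
        # the requested side is always literal, so asking for "*" never widens a check.
        pairs = ((self.type, wanted.type), (self.instance, wanted.instance), (self.action, wanted.action))
        return all(granted in ("*", asked) for granted, asked in pairs)


class Namespace:
    """Owns roles and permissions; an identity only gets perms of roles granted to it."""
    def __init__(self, name: str):
        self.name = name
        self.role_perms = {}      # role -> set of Perm
        self.identity_roles = {}  # identity -> set of role names

    def _owned(self, qualified: str) -> str:
        # Roles and permission types must live under this namespace (least privilege per component).
        if not qualified.startswith(self.name + "."):
            raise ValueError(f"{qualified!r} is not in namespace {self.name}")
        return qualified

    def grant_perm(self, role: str, perm: str) -> None:
        p = Perm.parse(perm)
        self._owned(p.type)
        self.role_perms.setdefault(self._owned(role), set()).add(p)

    def grant_role(self, identity: str, role: str) -> None:
        self.identity_roles.setdefault(identity, set()).add(self._owned(role))

    def authorized(self, identity: str, perm: str) -> bool:
        wanted = Perm.parse(perm)
        granted = (p for r in self.identity_roles.get(identity, ()) for p in self.role_perms.get(r, ()))
        return any(p.covers(wanted) for p in granted)


def demo() -> dict:
    ns = Namespace("org.onap.demo")  # constructed sample namespace, not a real ONAP one
    ns.grant_perm("org.onap.demo.admin", "org.onap.demo.api|*|*")
    ns.grant_perm("org.onap.demo.reader", "org.onap.demo.api|/things|read")
    ns.grant_role("admin@demo.onap.org", "org.onap.demo.admin")
    ns.grant_role("app1@demo.onap.org", "org.onap.demo.reader")
    return {"reader_read": ns.authorized("app1@demo.onap.org", "org.onap.demo.api|/things|read"),
            "reader_write": ns.authorized("app1@demo.onap.org", "org.onap.demo.api|/things|write"),
            "admin_write": ns.authorized("admin@demo.onap.org", "org.onap.demo.api|/things|write"),
            "unknown": ns.authorized("nobody@demo.onap.org", "org.onap.demo.api|/things|read")}
```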
...