Versions Compared

Old Version 5

changes.mady.by.user Amy Zwarico

Saved on

compared with

New Version Current

changes.mady.by.user Stephen terrill

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

PAGE STATUS: UNDER CONSTRUCTION

STATUS: Project Approved (next step is Architecture ApprovalDraft (seeking PTL approval)

AAF (Application Authorization Framework):

1 High Level Component Definition and Architectural Relationships 


The AAF functional entity provides

Drawio
bordertrue
viewerToolbartrue
fitWindowfalse
diagramNameCLAMP AAF System Context View
simpleViewerfalse
width
diagramWidth624754
revision1

The CLAMP functional entity provides the capability to manage runtime control loops.  It provides the capability to

  • Create control loop from DCAE blueprint sent by SDC
  • Create configuration policy from the policy Tosca sent by SDC
  •  Configure DCAE applications of the control loop
  • Associate µService configuration policies to the DCAE application
  • Configure the operations to be taken by the control loop (by creating/updating/deleting operational policies)
  • Deploy/un-deploy control loop flow (blueprints) to DCAE
  • Control loop visualization. 

CLAMP relies on Policy to communicate to App-C/VF-C/SDN-C/SO in runtime, hence these are not part of CLAMP 

3


AAF (Application Authentication Framework) provides the services for authentication, authorization and certificate management services for the ONAP components.  It provides the capability to:

...

services to the ONAP components to manage the lifecycle of authentication and authorization elements

...

such as Permissions, Roles and Credentials.  It supports:

  • Manage authentication and authorization elements such as: Perminssions, Roles, Credentials
  • Access to organizational identities
    • There is a default set of identities each ONAP component for use in ONAP Test Systems
  • Store credentials for organizational identities
    • Passwords
      • AAF provides secure password storage for test/lab use only
      • AAF has ability to delegate authentication to external authenticator
    • Certificates
      • These certificates have unique Authorized Identity embedded, which supports 2 way TLS Authentication
      • These certificates can also be used as Server side certificates
  • Manage fine grained permissions
  • Provide ONAP components or other enforcement points with APP configured permissions
  • Manage roles
    • AAF provides roles for identities that include any granted permissions
  • Validate and provide introspection of OAuth tokens
    • Currently unused by ONAP
  • Provide locator services through the AAF Locator
    • AAF Components and ports can be found globally
    • Locator facts
      • Locator is not technically restricted to AAF.  It can register (protected by Authentication/Authorization) any running process/port/interface 
      • Registrations include global coordinates, allowing clients to pick the "closest" one
      • Locator is independent of any cluster or container mechanisms, which gives accessibility to any network accessible component
        • Global - Components can reside anywhere in the world
        • Scalable - A new instances can be started anywhere and instantly increase capacity and usage
          • "For best results", use Cassandra scaling
        • Resilient - VMs, clusters, data centers, K8S could go down, and AAF is still accessible.
  • Provide a globally accessible file server to get public security information. For example,
    • RCLs
    • Root Certificates (any the Organization wants to publish)
    • Organizational approved truststores
  • Process approvals
  • Authorize UI and API requests (REST interface)
  • Authenticate users (human and application) (REST interface)
  • Manage AAF components (REST interface)
  • Auto-Generation of ONAP certificates
    • For ONAP test/lab use, AAF Certman provides a local certificate authority (CA)
    • AAF Certman can integrate with any certificate authority (CA) that supports the Simple Certificate Enrollment Protocol (SCEP). ONAP does not test this functionality
  • Auto-configuration of ONAP certificates for ONAP clients
    • as part of "Bare Metal"
    • on Docker volumes

Additionally, AAF provides a Java client called CADI, which simplifies AAF use by an ONAP component. The CADI framework is a Java client that:

    • Includes all AAF interactions: authentication, authorization, management
    • Provides the following authentications: X509, BasicAuth and OAuth
    • Provides adapter interfaces for external authenticators
    • Includes a Shiro adapter to support ONAP use of ODL
  • entities
  • Manage the lifecycle of passwords and certificates
  • Access to external credential authoriites (e.g. CA)
  • Autogenerate ONAP certificates

2. API definitions

AAF provides real-time REST  interfaces for

  • Authorization
  • Authentication, if local AAF authentication is used
  • Management API for all AAF components, protected by strong authentication and authorization

CLAMP provides the following interfaces: TO BE UPDATED

Interface NameInterface Definition Interface Capabilities
CLAMPE
VersionStatusConsumed Models
AAFE-1
Control Loop Lifecycle
Application Authorization Framework Management Interface
CLAMPE-2Control loop dashboard.  User interface to show the overall status of the control loop through DMAAP events

 Display and update:

Events received and actions taken on the control loop
  A user interface for:
  • Selecting the control loop flow
  • Entering configuration policy parameters
  • Entering operational policy parameters
  • Managing life cycle of DCAE control flow blueprint 
    • to be filled in



    AAFE-2Application Authorization Framework Authentication and Authorization Interface

     An interface for the ONAP components to:

    • to be filled in.



    Note:   xxxI interface is a Component internal interface.  xxxxE interface is a component external interfaceThe current API documents can be found at:

    AAF Consumes no Interfaces:

    Interface NamePurpose Reason For Use
    AAFE-3

    ...

    A more detailed figure and description of the component.

    ...

    : AAF External Credential InterfaceAn interface to retrieve and authenticate using credentials from a credential supplier external to ONAP.

    The current API documents can be found at:

    • AAFE-1 (to be added)

    • AAFE2 (to be added)
    • AAFE3 (to be added)

    3. Component Description:

    Link to read the docs



    4. known system limitations: (IN PROGRESS)

    Runtime: NoneClamp data redundancy is dependent on Kubernetes and the persistent volume.

    Clamp application redundancy HA relies on Kubernetes


    5. Used Models: (

    ...

    AAF uses the following models:

    • Service model (received from SDC)
    • VNF model (received from SDC)
    • Policy Model.

    N/A)


    6. System Deployment Architecture:

    ...

    AAF consists of x containers:

    • CLAMP container
    • MariaDB container
    • Kibana container
    • E_Search container
    • LogStash container 

    Drawio
    bordertrue
    viewerToolbartrue
    fitWindowfalse
    diagramNameCLAMP runtime architectrue
    simpleViewerfalse
    diagramWidth821
    revision1

    FFS


    7. New Capabilities in this Release

    This release, AAF adds the following capabilities:

    ...

    AAF Locator differentiates public fully qualified domain name (FQDN) from Kubernetes FQDN

    • Internal Kubernetes FQDN generated when client declares its container namespace
    • Public FQDN are accessible for both:
      • GUIs/Management outside cluster
      • Non-ONAP entities outside the cluster
      • Other clusters

    ...

    • Example "Helm" init containers to setup volumes

    ...

    • Analysis of expiring credentials and Roles
    • Generation of approval records
    • Notification of approvals, credentials and roles to support configurable integration with external services.


    8. References

    1.  AAF Overview & User Guide: https://onap.readthedocs.io/en/latest/submodules/clampaaf/authz.git/docs/index.html AAF internal interfaces:  https://onap.readthedocs.io/en/latest/_downloads/d3c9f924c6586fe411d40a05ad9b1bb7/swagger.pdf