You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 17
Next »
Integration details
A&AI webservices resources and traversal are integrated with AAF through the Cadi filter. The request workflow looks as follows:
- The request is authenticated in AAF
- TODO: the request should be authorized in the future
- If the request passes all the checks (authentication and in the future authorization), it is forwarded to the A&AI servlet which handles the web services.
The AAF model
Permissions in AAF are triplets - type, instance, action.
- Type: core name of the permission
- Instance: the object that is being interacted
- Action: What is happening with this object
Users have roles assigned and each role has permissions.
A&AI permissions for Casablanca
There will be a separate permission for traversal and resources web services. Let's call these permissions org.onap.aai.resources and org.onap.aai.traversal. For now we will not distinguish between different objects we could affect, so the instance will always be "*" meaning everything. Actions will be mapped to HTTP verbs - GET, PUT, POST, DELETE, PATCH.
For a seemless transition to AAF, the first roles we use for our clients will be called org.onap.aai.resources_all and org.onap.aai.traversal_advanced and org.onap.aai.resources_readonly and org.onap.aai.traversal_basic. These roles will be assigned to all users/applications which access A&AI web services.
| Role name | Meaning |
|---|
| org.onap.aai.resources_all | read + write access to the resources web service |
| org.onap.aai.resources_readonly | read-only access to the resources web service |
| org.onap.aai.traversal_advanced | applications may issue basic and advanced queries in the traversal web service |
| org.onap.aai.traversal_basic | applications may issue only basic queries in the traversal web service |
| Role org.onap.aai.traversal_advanced |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.traversal | * | advanced |
|
| Role org.onap.aai.resources_all |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.resources | * | get | | org.onap.aai.resources | * | put | | org.onap.aai.resources | * | post | | org.onap.aai.resources | * | delete | | org.onap.aai.resources | * | patch |
|
| Role org.onap.aai.resources_readonly |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.resources | * | get |
|
| Role org.onap.aai.traversal_basic |
|---|
| Permission type | instances | action |
|---|
| org.onap.aai.traversal | * | basic |
|
Resources webservice AAF role and permission setup
role create org.onap.aai.resources_all
perm create org.onap.aai.resources * get org.onap.aai.resources_all
perm create org.onap.aai.resources * put org.onap.aai.resources_all
perm create org.onap.aai.resources * post org.onap.aai.resources_all
perm create org.onap.aai.resources * patch org.onap.aai.resources_all
perm create org.onap.aai.resources * delete org.onap.aai.resources_all
user role add demo@people.osaaf.org org.onap.aai.resources_all #just an example, add role to the correct user
role create org.onap.aai.resources_readonly
perm create org.onap.aai.resources * get org.onap.aai.resources_readonly
role create org.onap.aai.traversal_basic
perm create org.onap.aai.traversal * basic org.onap.aai.traversal_basic
role create org.onap.aai.traversal_advanced
perm create org.onap.aai.traversal * advanced org.onap.aai.traversal_advanced
user role add demo@people.osaaf.org org.onap.aai.traversal_advanced #just an example, add role to the correct user
Open questions