This documentation will help you to up and run AAF service from the docker image
Step 1:
-----------
git clone https://gerrit.onap.org/r/aaf/authz
Build
mvn clean install
Build Docker Image
mvn clean install docker:build
Step 2:
-----------
Make sure you have installed Docker & Docker Compose on your VM / Server ( Linux/Windows)
We have written a docker-compose file which will bind AAF service & Cassandra DB and loads data to Cassandra DB.
Path to docker- compose folder
cd AAF/authz/authz-service/src/main/resources/docker-compose
Check read & write permissions for docker-compose folder
chmod –R 777 docker-compose
To start AAF service use the following command. Which will up AAF & Cassandra docker instances.
docker-compose up -d
at this point AAF & Cassandra Images will be downloaded and containers will start and service will be up.
ecomp.cql is the default data template which will be loaded into Cassandra container. Which contains default namespaces,roles,permissions and APPID to test AAF service.
To check running containers
Docker ps –a
To check container logs
Docker logs container-name/ID
To access files inside the container
docker exec -it dockercompose_aaf_container_1 bash
AAF files located in the following folder : opt
- opt/app/aaf/authz-service/etc
- opt/app/aaf/authz-service/lib
to find authz-service logs find them in the following folders:
logs
_LOG_DIR_
Step 3: access the cassandra command line from bash
---------------------------------------------------
docker exec -it dockercompose_cassandra_container_1 bash
1.cqlsh -u root -p root
2.use authz; ( to use keyspace)
3.describe tables; ( to list all the tables)
3.select * from ns; ( to check name spaces ,perm,roles etc)
To come out from bash & container
quit
exit
Step 4: AAF Command line to create & grant permissions
---------------------------------------------------
Get into the aaf container
1.docker exec -it dockercompose_aaf_container_1 bash
2.cd opt/app/aaf/authz-service/
3. sh runaafcli.sh –c
aaf_id : dgl@openecomp.org
pass: ecomp_admin
At this point you get access to AAF command line
aafcli> ns list name org.openecomp
will give you the details of namespace org.openecomp
To get list of permission types of the user
>> perm list user dgl@openecomp.org
Create and grant permissions
>> perm create org.openecomp.dmaapBC.mr.topic :topic.org.openecomp.dmaapBC.mytopic1 pub org.openecomp.dmaapBC.admin org.openecomp.dmaapBC.access
>> perm create org.openecomp.dmaapBC.mr.topic :topic.org.openecomp.dmaapBC.mytopic1 sub org.openecomp.dmaapBC.admin org.openecomp.dmaapBC.access
AAF Command Line
AAF commands are broken into 4 major categories:
- ns - commands dealing with a namespace
- perm - commands dealing with permissions
- role - commands dealing with roles
- user - commands dealing with users
If you know you want to do something namespace related, type "ns" and hit return; you will be given a list of all the subcommands to "ns", along with the syntax of each.
AAF Command Line Tool --------------------- ------------------------------------------------------------------------------ perm create <type> <instance> <action> [role[,role]* (to Grant to)] delete <type> <instance> <action> <grant|ungrant> <type> <instance> <action> <role[,role]*> rename <type> <instance> <action> <new type> <new instance> <new action> list user <name> name <root perm name> activity <type> ------------------------------------------------------------------------------ role <create|delete> <name> user <add|del> <role> <id[,id]*> list user <id> name <role> activity <name> ------------------------------------------------------------------------------ user role <add|del> <user> <role[,role]*> cred <add|del|reset> <id> [password (not required for del)] delegate <add|upd|del> <from> [to REQ A&U] [until (YYYY-MM-DD) REQ A] list role <role> perm <type> <instance> <action> delegates <user|delegate> <id> approvals <user|approver|ticket> <value> activity <user> ------------------------------------------------------------------------------ ns create <name> <responsible (id[,id]*)> [admin (id[,id]*)] delete <name> admin <add|del> <name> <id[,id]*> responsible <add|del> <name> <id[,id]*> list name <ns> activity <name> ------------------------------------------------------------------------------
AAF Command Line Tool ------------------------------------------------------------------------------ perm create <type> <instance> <action> [role[,role]* (to Grant to)] ------------------------------------------------------------------------------ Create a Permission with: type - A Namespace qualified identifier identifying the kind of resource to be protected instance - A name that distinguishes a particular instance of resource action - What kind of action is allowed role(s) - Perms granted to these Comma separated Role(s) Nonexistent role(s) will be created, if in same namespace Note: Instance and Action can be a an '*' (enter \\* on Unix Shell) APIs: POST authz/perm application/PermRequest+json;version=2.0 ------------------------------------------------------------------------------ perm delete <type> <instance> <action> ------------------------------------------------------------------------------ Delete a Permission with type,instance and action see Create for definitions APIs: DELETE authz/perm application/PermKey+json;version=2.0 ------------------------------------------------------------------------------ perm <grant|ungrant> <type> <instance> <action> <role[,role]*> ------------------------------------------------------------------------------ Grant a Permission to a Role or Roles OR Ungrant a Permission from a Role or Roles: see Create for definitions of type,instance and action APIs: POST authz/role/<role>/perm application/PermKey+json;version=2.0 DELETE authz/role/<role>/perm application/PermKey+json;version=2.0 ------------------------------------------------------------------------------ perm rename <type> <instance> <action> <new type> <new instance> <new action> ------------------------------------------------------------------------------ Rename a Permission from: <type> <instance> <action> to: <new type> <new instance> <new action> Namespace must be the same in <type> and <new type> see Create for definitions of type,instance and action APIs: PUT authz/perm/<type>/<instance>/<action> ... application/PermRequest+json;version=2.0 ------------------------------------------------------------------------------ perm list user <name> ------------------------------------------------------------------------------ List Permissions by User APIs: GET authz/perms/user/<user id> application/Perms+json;version=2.0 ------------------------------------------------------------------------------ perm list name <root perm name> ------------------------------------------------------------------------------ List Child Permissions APIs: GET authz/perms/<parent type> application/Perms+json;version=2.0 ------------------------------------------------------------------------------ perm list activity <type> ------------------------------------------------------------------------------ List Activity of Permission APIs: GET authz/hist/perm/<type> application/History+json;version=2.0 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ role <create|delete> <name> ------------------------------------------------------------------------------ Create OR Delete a Role name - Name of Role to create APIs: POST authz/role application/RoleRequest+json;version=2.0 DELETE authz/role application/RoleRequest+json;version=2.0 ------------------------------------------------------------------------------ role user <add|del> <role> <id[,id]*> ------------------------------------------------------------------------------ Add OR Delete a User to/from a Role role - Name of Role to create id(s) - ID or IDs to add to the Role Note: this is the same as "user role add..." except allows assignment of role to multiple userss APIs: POST authz/userRole application/UserRoleRequest+json;version=2.0 DELETE authz/userRole/<user>/<role> application/Void+json;version=2.0 ------------------------------------------------------------------------------ role list user <id> ------------------------------------------------------------------------------ List Roles for User APIs: GET authz/roles/user/<user> application/Roles+json;version=2.0 ------------------------------------------------------------------------------ role list name <role> ------------------------------------------------------------------------------ List Roles for Role APIs: GET authz/roles/<role> application/Roles+json;version=2.0 ------------------------------------------------------------------------------ role list activity <name> ------------------------------------------------------------------------------ List Activity of Role APIs: GET authz/hist/role/<role> application/History+json;version=2.0 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ user role <add|del> <user> <role[,role]*> ------------------------------------------------------------------------------ Add OR Delete a User to/from a Role user - ID of User role(s) - Role or Roles to which to add the User Note: this is the same as "role user add..." except allows assignment of user to multiple roles APIs: POST authz/userRole application/UserRoleRequest+json;version=2.0 DELETE authz/userRole/<user>/<role> application/Void+json;version=2.0 ------------------------------------------------------------------------------ user cred <add|del|reset> <id> [password (not required for del)] ------------------------------------------------------------------------------ Add, Delete or Reset Credential id - the ID to create/delete/reset within AAF password - Company Policy compliant Password (not required for Delete) The Domain can be related to any Namespace you have access to * The Domain is in reverse order of Namespace, i.e. NS of com.att.myapp can create user of XY1234@myapp.att.com *NOTE: com.att.csp is a reserved Domain for Global Sign On Delegates can be listed by the User or by the Delegate APIs: POST authn/cred application/CredRequest+json;version=2.0 DELETE authn/cred application/CredRequest+json;version=2.0 PUT authn/cred application/CredRequest+json;version=2.0 ------------------------------------------------------------------------------ user delegate <add|upd|del> <from> [to REQ A&U] [until (YYYY-MM-DD) REQ A] ------------------------------------------------------------------------------ Add, Update or Delete Delegate A Delegate is a person who will temporarily cover the Approval and Ownership questions on behalf of the person Responsible. fromID - the person who is the Responsible person of record toID - the person who will be delegated (required for Add/Update) until - the end date for this delegation APIs: POST /authz/delegate application/DelgRequest+json;version=2.0 DELETE /authz/delegate application/DelgRequest+json;version=2.0 PUT /authz/delegate application/DelgRequest+json;version=2.0 ------------------------------------------------------------------------------ user list role <role> ------------------------------------------------------------------------------ List Users for Role This report lists the users associated to Roles. role - the Role name APIs: GET authz/users/role/<role> application/Users+json;version=2.0 ------------------------------------------------------------------------------ user list perm <type> <instance> <action> ------------------------------------------------------------------------------ List Users for Permission This report lists the users associated to Permissions. Since Users are associated to Roles, and Roles have Permissions, this report accomodates all these linkages. The URL must contain the Permission's type,instance and action, and may include "*"s (type in as \\*). See Perm Create Documentation for definitions. APIs: GET authz/users/perm/<type>/<instance>/<action> ... application/Users+json;version=2.0 ------------------------------------------------------------------------------ user list delegates <user|delegate> <id> ------------------------------------------------------------------------------ List Delegates Delegates are those people temporarily assigned to cover the responsibility of Approving, etc, while the actual Responsible Party is absent. Typically, this is for Vacation, or Business Travel. Delegates can be listed by the User or by the Delegate APIs: GET authz/delegates/user/<id> application/Delgs+json;version=2.0 GET authz/delegates/delegate/<id> application/Delgs+json;version=2.0 ------------------------------------------------------------------------------ user list approvals <user|approver|ticket> <value> ------------------------------------------------------------------------------ List Approvals Approvals are used when the Requestor does not have the rights to perform the action required. Approvers are those listed as responsible for Namespace associated with the request, and those required by the Company by Policy. This may be, for instance the supervisor of the requestor Delegates can be listed by User, Approver or Ticket. APIs: GET authz/approval/user/<value> application/Approvals+json;version=2.0 GET authz/approval/approver/<value> application/Approvals+json;version=2.0 GET authz/approval/ticket/<value> application/Approvals+json;version=2.0 ------------------------------------------------------------------------------ user list activity <user> ------------------------------------------------------------------------------ List Activity of User APIs: GET authz/hist/user/<user> application/History+json;version=2.0 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------ ns create <name> <responsible (id[,id]*)> [admin (id[,id]*)] ------------------------------------------------------------------------------ Create a Namespace name - Namespaces are dot-delimited, ex com.att.myapp and must be created with parent credentials. Ex: to create com.att.myapp, you must be admin for com.att or com responsible - This is the person(s) who receives Notifications and approves Requests regarding this Namespace. Companies have Policies as to who may take on this responsibility admin - These are the people who are allowed to make changes on the Namespace, including creating Roles, Permissions and Credentials APIs: POST authz/ns application/NsRequest+json;version=2.0 ------------------------------------------------------------------------------ ns delete <name> ------------------------------------------------------------------------------ Delete a Namespace Namespaces cannot normally be deleted when there are still credentials associated with them. These can be deleted automatically by setting "force" property. i.e. set force=true (note force is unset after first use) Permissions and Roles are not deleted when the Namespace is. Roles and Permissions are retained, but assigned to the Parent Namespace. Similarly, Namespaces can be created even though there are Roles/Perms with that name. They are simply reassigned to the Child Namespace APIs: DELETE authz/ns/<ns>[?force=true] application/Void+json;version=2.0 ------------------------------------------------------------------------------ ns admin <add|del> <name> <id[,id]*> ------------------------------------------------------------------------------ Add or Delete Administrator to/from Namespace name - Name of Namespace id - Credential of Person(s) to be Administrator aafcli will call API on each ID presented. APIs: POST authz/ns/<ns>/admin/<id> application/Void+json;version=2.0 DELETE authz/ns/<ns>/admin/<id> application/Void+json;version=2.0 ------------------------------------------------------------------------------ ns responsible <add|del> <name> <id[,id]*> ------------------------------------------------------------------------------ Add or Delete Responsible person to/from Namespace Responsible persons receive Notifications and approve Requests regarding this Namespace. Companies have Policies as to who may take on this responsibility name - Name of Namespace id - Credential of Person(s) to be made responsible aafcli will call API on each ID presented. APIs: POST authz/ns/<ns>/responsible/<id> application/Void+json;version=2.0 DELETE authz/ns/<ns>/responsible/<id> application/Void+json;version=2.0 ------------------------------------------------------------------------------ ns list name <ns> ------------------------------------------------------------------------------ List Namespaces by Name APIs: GET authz/nss/<ns> application/Nss+json;version=2.0 Indirectly uses: GET authz/roles/ns/<ns> application/Roles+json;version=2.0 GET authz/perms/ns/<ns> application/Perms+json;version=2.0 ------------------------------------------------------------------------------ ns list activity <name> ------------------------------------------------------------------------------ List Activity of Namespace APIs: GET authz/hist/ns/<ns> application/History+json;version=2.0 ------------------------------------------------------------------------------ ------------------------------------------------------------------------------