Project Name:

Proposed name for the project: Application Authorization Framework
Proposed name for the repository: AAF

Project description:

The goal of the project is to provide consistent authentication, authorization and security to various ONAP components. AAF organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to use an Application's detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-Sub topic controlled within the App. This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords. The sister framework CADI ( Code Access Data Identity ) allows Java Applications to utilize Identity Authentication methods as plugins. Certificate Manager delivers X509 certificates in support of 2 way x509 TLS.

Scope:

The scope of AAF project is a plugable and extensible framework that

Organizes software authorizations so that applications, tools and services can match the access needed to perform job functions.
Provides Enterprise Level Authentication and Authorization
Provides Role based authorization, including attribute based authorization elements as well
The frameworks exposure layer should be consumable by any product or technology.
The frameworks should be highly available with a resilient data store
Provides administration functions by GUI and management API's.
Provides consistent client plugins to access authentication and authorization frameworks functions
Provides support for multi-tenancy
Provides support for SSL Certificate management
Provides support for OAuth2.
Support Microservices ( Docker/Kubernetes )
Provide hardware security plugin for storing private keys and for performing crypto operations that require private keys.
Management of Secrets and Protection of secrets

CADI ( Code Access Data Identity) - Addresses the Runtime Elements of Access and Identity.

Secure code by Reuse
Defend Access with Authentication and Authorization
Protect Data by ensuring TLS encryption over the wire
Ensure Apps protect resources for each Identity
CADI can handle multiple Authentication Protocols in the same service
Client Side Caching for Speed and less network access

Certificate Manager :

Creates certificates.
Eliminates Expiration Risk with Auto-Renewal

Entities within AAF

Namespaces

A Namespace, in AAF, is the ensemble of Roles, Permissions and Identities. Namespaces are known by domain, example com.onap.dcae or com.onap.appc and they are hierarchically managed. A

Namespace is assigned to an application. A namespace contains one or more roles and one or more permissions. By default, every namespace has an admin role

People in Namespaces

Tasks Owner (Responsible) must do:

Owners receive by email a notification to Approve.
Owners also receive notifications of time based activities
- Periodic Revalidation of Users in Roles in Namespace
- Periodic Revalidation of Permission in Namespace to Roles

Admin

Admins may

Create/Delete/Modify Roles in Namespace
Add/Remove Users from Roles in Namespace
Create/Delete/Modify Permissions in Namespace
Grant/Ungrant Permissions in Namespace to any Role in the company (Cross Company Role Grants are possible, but require approvals from both sides).

Object Model

In AAF, permissions are granted to roles. Roles are assigned to User. A user can be assigned to any number of roles. Roles and permissions are stored centrally but segregated by Application.

For authorization, all that matters is the permissions you are granted.

AAF is an Attribute Based Access Control System. Permission is the embodiment of the Attribute. It is broken up into three elements.

Type - This is the core name of the Permission, and describe it's kind. The type is "meta-data" it is a reference to kind of Resource that is to be protected
Instance - The object that is being interacted with. E.g. Database Table.
Action - What is happening to that object. E.g. read, write, delete, etc.

ONAP Wiki > Initial Charter (5/16/17) > AAF HL Object Model.png

Interacting with AAF

AAF GUI

The AAF GUI is designed primarily to provide AAF-specific information to users, though it does contain a few management features.

What AAF-specific information can you see in the GUI?

You can see the roles to which you are assigned, the permissions which you have been granted and the Namespaces in which you are an admin or responsible party

What management features are in the GUI?

My Approvals
1. If you are responsible for any namespaces or other resources, this is where you will need to approve or deny requests about those resources.
Password Management
1. This page provides the ability to reset passwords.
Permission Granting
1. If you are an admin or responsible person for a Namespace, you will find a "Grant This Perm" link for each permission in your Namespace details page. You can grant your permission to a role from this page. You can also expose this link to others if you want them to request access to your permission

AAF CUI (Command User Interface)

The CUI provides more management and reporting features to users through a command prompt interface.

Application Authorization Framework Big Picture

ONAP Wiki > Initial Charter (5/16/17) > AAF architecture.jpg

Architecture Alignment:

How does this project fit into the rest of the ONAP Architecture?

AAF is used for fined grained authorization of an application. It can authorize DMaaP for pub/sub to a topic. It can authorize access to services registered in Microservices Bus.

ONAP Wiki > Initial Charter (5/16/17) > ONAP AAF Architecture.jpg

What other ONAP projects does this project depend?
- Does not depend on any ONAP project.
How does this align with external standards/specifications?
- X-509 Certificates
Are there dependencies with other open source projects?
- Cassandra
- DME ( Direct Messaging Engine, developed by "AT&T Common platform" Team )

Resources:

Primary Contact Person - Ram Koya(ATT), John Murray(ATT)
Names, gerrit IDs, and company affiliations of the committers
Names and affiliations of any other contributors
Project Roles (include RACI chart, if applicable)

Name	Company	Email	Time Zone
Ram Koya	AT&T	rk541m@att.com	Dallas, USA CST/CDT
John Murray	AT&T	jfm@research.att.com	Bedminster, USA EST/EDT
Dominic Lunanuova	AT&T	dgl@research.att.com	MiddleTown, USA EST/EDT
Sitharaman T R	IBM	tsithara@in.ibm.com	Middletown,USA EST/EDT

Other Information:

link to seed code: https://github.com/att/AAF
Vendor Neutral
- The current seed code has been already scanned ( Using Fossology and Blackduck) and cleaned up to remove all proprietary trademarks, logos.
- Subsequent modification to the existing seed code should continue to follow the same scanning and clean up principles
Meets Board policy (including IPR)

Key Project Facts

Project Name:

JIRA project name: Application Authorization Framework
JIRA project prefix: AAF-

Repo name: org.onap.aaf
Lifecycle State: incubation
Primary Contact: Ram Koya
Project Lead: Ram Koya
mailing list tag [Should match Jira Project Prefix]
Committers:

Ram Koya rk541m@att.com

Jonathan Gathman jg1555@att.com

Contributors:

Varun Gudisena vg411h@att.com

Sai Gandham sg481n@att.com

Sowjanya Vemulapally sv8675@att.com

Sitharaman T R tsithara@in.ibm.com

Catherine Lefèvre cl664y@intl.att.com

*Link to TSC approval:
Link to approval of additional submitters: