CADI USER_CHAIN

USER_CHAIN is a HTTP Header, as you have listed,

“USER_CHAIN” is the standard name for the Property Tag



The format is a comma delimited set of entries:

<ENTRY1>,<ENTRY2>…



Within each ENTRY, there are at least 3, but up to 4 fields delimited by colon ‘:’

Field 1: FQI (Fully Qualified Identity)

Field 2: Component name (Component isn’t an official entry in NS, but should start with NS).  It is primarily for logging.   

Field 3: Protocol (BAth, OAth and x509 are best practice). These should be no more than 4 chars long for logging consistency.

Field 4 (Optional): Request (If Field 3 exists, and is “AS”, then the calling services is requesting that the Identity be treated as the official Identity



example

USER_CHAIN=m99999@myapp.onap.org:org.onap.myapp.gui:x509:AS,m00000@something.onap.org:org.onap.myapp.entrypoint:BAth



 Note: The app itself may not choose to honor the “AS” request, because it is up to the App to decide which incoming Apps it actually trusts to do correct Authentication.



If using CADI, set the “cadi_trust_perm” value with the Permission which THE APP WILL GRANT trust.



Example:

Where "org.onap.myapp" is the NS of the group adding.

cadi_trust_perm=org.onap.myapp.mytrust|org.onap|trust



APP B, having set this perm, can then grant this perm to the APP A if it chooses to trust the “AS” request on the first entry.