AAF R4 - M3 Architecture Review

Project Overview

AAF is first-order Security Infrastructure being used for the following:

  • AAF allows each ONAP Component to have a "Namespace" to set up their important Security Authentication and Authorization elements
    • Permissions
    • Roles
    • Credentials
  • AAF provides Access to Organizational Identities
    • There is a maintained set of Identities for use in ONAP Test Systems for each ONAP Component
  • Credentials for this Identities
    • Passwords as appropriate
      • AAF has ability to Delegate to Organization, but houses all Passwords For ONAP Testing.
    • Certificates
      • These certificates have unique Authorized Identity embedded, which supports 2 way TLS Authentication
      • These certificates can also be used as Server side certificates
  • Authorizations (Fine Grained)
    • AAF provides Applications or other Enforcement Points with APP configured Permissions
  • Roles
    • AAF provides Roles for Identities that include any Granted Permissions
  • OAuth Tokens and Introspection
    • Currently unused by ONAP
  • Locator
    • AAF Components and ports can be found Globally
    • AAF Team would like Arch Team to know the following about the Locator
      1. "Locator" is not technically restricted to AAF.  It can register (protected by Authentication/Authorization) any running process/port/interface 
      2. Registrations include Global Coordinates, allowing Clients to pick the "closest" one
      3. Locator is independent of any "Cluster" or "Container" mechanisms, which gives accessibility to any network accessible component
        1. Globally - Components can reside anywhere in the world
        2. Scalable - You can start any new instances anywhere and instantly increase capacity and usage
          1. "For best results", use Cassandra in Scalable way.
        3. Resilient - VMs, Clusters, Datacenters, K8s could go down, and Authentication/Authorization is still accessible.
  • Security FS
    • AAF provides a globally accessible Fileserver to get public security information ex:
      • RCLs
      • Root Certificates (any the Organization wants to publish)
      • Organizational approved Truststores, etc
  • Approval Processing mechanisms
  • AAF provides real-time RESTful based 
    • fast evaluation of Security Authorization (and Authentication, if housed in AAF)
    • Management API for all AAF components, protected by Stringent Authentication and Authorization
  • AAF provides Java Client Infrastructure
    • CADI Framework, primarily Java
      • Includes all AAF interactions
      • Is able to process MULTIPLE kinds of Authentication in the same Client (X509, BasicAuth and OAuth included, Adapter Interfaces for Company based elements)
    • Shiro Adapter included for ONAP use of ODL
  • AAF provides Auto-Configuration for Clients, and Auto-Generation of ONAP Certs
    • as part of "Bare Metal"
    • on Docker "volumes"
  • ROOT CA Acess
    • For ONAP, AAF is proving "Root CA Capabilities" by Using AAF Certman to generate Certs from Issuer CA.  This is for TEST only
    • AAF has the ability to use an "SCEP" protocol to CAs (example CA, Windows Server).  However, this is not provided or validated by ONAP.

New component capabilities for Dublin, i.e. the functional enhancements

    1. AAF Locator can now differentiate Public FQDNs from K8S FQDNs

      1. When Clients declare their Container NS, they get the Internal K8S FQDN
      2. Public FQDNs are simultaneously accessible for
        1. GUIs/Management outside Cluster
        2. Non-ONAP entities (typical usage of AAF is use by large organizations... They don't house everything in one K8S.
        3. Other Clusters (if so desired)
    2. AAF is providing more documentation and enhanced configuration helps for ONAP Components
      1. Example: Providing example "Helm" init containers to setup Volumes
    3. AAF is refactoring existing maintenance processes online for Open Source (meaning non company specific), including
      1. Analysis of expiring Creds and Roles
      2. Generation of Approval records
      3. Notification of Approvals, Creds and Roles in an external company configurable way.
  1. New or modified interfaces

    1. None

  2. Interface naming

    AAF Interfaces are 
       1) RESTful

       2) Relate to AAF Structures (i.e. Perm, Role, etc)

       NOTE: Because AAF is critical Infrastructure, AAF can FULLY support MORE THAN Interface version at runtime. (example, 2.0, 2.1, etc)

       3) Most AAF Access is done by supplied "CADI Framework", because it already provides

            a) Required Caching

            b) Authentication/Authorization requirements.

    Note: AAF currently supports "SCEP" Protocol to an External CA.

    Reference to the interfaces

    1. AAF's is documented primarily in the AAF GUI, protected by Authentication (with the intention of Consistent Organizational Usage... API where you need to use it)

           https://aaf-onap-test.osaaf.org:8200/gui/api

      Note: You need "Winriver" access to get to this system, but any running AAF System will have the same info

  3. What are the system limits

    1. When configured as originally designed (on VMs), recent analysis shows

      1. Currently observing 9,000,000 trans a day on the Service (note, CADI Caching means AAF is used many, many times that, up to 100-200x s)
      2.  Top limit of 6,000,000,000 trans a day on 15 VMs.
    2. It is questionable that any K8S cluster could handle this kind of load.
  4. Involved use cases, architectural capabilities or functional requirements

    1. Working "Container" modification requirements

    2. Junits
    3. Helping Clients utilize AAF capabilities
  5. Listing of new or impacted models used by the project (for information only)

    1. None.