SO API Security Matrix
The following describes the SO API Security matrix for the Dublin release.
Most of the SO interfaces support HTTP Basic Authentication without using HTTPS. Because the HTTP Basic Authentication password is only encoded, not encrypted, use of HTTPS is a must.
Authorization support is still being verified, but most of the interfaces do not appear to apply any authorization mechanism.
Related JIRA: SO-2066: SO API Security Matrix (Closed)
Component Pair | Communication Protocol | Authentication | Authorization | Comments |
---|---|---|---|---|
NBI | ||||
VID ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
UUI ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
ExtAPI ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
Ext Client ↔ SO Monitoring UI | HTTP | No | No | |
Inter-ONAP Components | ||||
SO ↔ SDC via DMaaP | HTTP | user+password | No | |
SO ↔ SDC Query | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | Role? need to verify | check if SDC certificate is expired. If so, use HTTP |
SO ↔ AAI | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | ? Permission specified by: type :instance :action :role | need to verify authorization |
SO ↔ SDNC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | role? need to verify | |
SO ↔ MultiCloud | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
SO ↔ VFC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
SO ↔ OOF | HTTPS | HTTP basic authentication with clear password | No | |
SO ↔ Sniro | HTTP | HTTP basic authentication with clear password | No | |
SO ↔ Policy (Scaling) | HTTP | HTTP Basic Authentication | No | |
SO ↔ APPC | HTTP | Secret | No | verify it |
SO ↔ LOG | ? | |||
CMSO ↔ SO | ? | |||
SO ↔ DMaaP | HTTP | ConsumerGroup+Id | ||
PRH ↔ SO via DMaaP | HTTP | user+password | ||
SO ↔ DCAE (?) | ? | Does SO have this interface? | ||
SO ↔ Camunda DB | JDBC | id+clear text password | use of MariaDB authorization | |
BPMN Infra ↔ OOF | HTTPS | user+password | No | |
BPMN Infra ↔ Sniro | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ Policy | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ SDNC | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ AAI | HTTPs | HTTP Basic Authentication | No | |
BPMN Infra ↔ CDS | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ Camunda BPM | HTTP | Id+clear text password | No | |
BPMN Infra ↔ DMaaP | HTTP | ConsumerGroup+Id | ||
Openstack Adapter ↔ AAI | HTTPS | HTTP Basic Authentication | No | |
Openstack Adapter ↔ BPMN-infra | HTTP | HTTP Basic Authentication | No | |
Openstack Adapter ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
VFC-Adapter ↔ Request DB | JDBC | user+password | use of Maria DB authorization | |
VFC-Adapter ↔ Request DB Adapter | HTTPS | HTTP Basic Authentication | No | |
VNFM Adapter ↔ SDC | HTTPS | User+password | No | |
SOL003 VNFM Adapter ↔ AAI | HTTPS | HTTP Basic Authentication | ||
SOL003 VNFM Adapter ↔ SDC | HTTP | HTTP Basic Authentication | No | SDC Certificate is expired, so it uses HTTP |
SDC Controller ↔ SDC | HTTP | ConsumerGroup+Id | No | |
Intra-SO Components | ||||
SO ↔ db-secrets | N/A | db_admin-User+clear text password | N/A | secrets for mariadb |
SDC Controller ↔ CatalogDB Adapter | HTTP | HTTP Basic Authentication | No | |
SDC Controller ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
SDC Controller ↔ Request DB | JDBC | user+password | use of Maria DB authorization | for mariadb |
SDNC Adapter ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
Request Handler ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
Request Handler ↔ BPMN Infra | HTTP | HTTP Basic Authentication | No | |
SO Monitoring UI ↔ Monitoring Service | HTTP | No | No | |
SO Monitoring Service ↔ BPMN Infra | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
BPMN Infra ↔ SDNC Adapter | HTTP | HTTP Basic Authentication | No | verify it |
BPMN Infra ↔ OpenStack Adapter | HTTP | HTTP Basic Authentication | No | verify it |
BPMN Infra ↔ VFC Adapter | HTTP | HTTP Basic Authentication | No | verify it |
BPMN Infra ↔ SOL003 VNFM Adapter | HTTP | No | No | Currently, it is intra-SO communication. |
SDNC Adapter ↔ Catalog DB adapter | HTTP | HTTP Basic Authentication | No | |
VFC Adapter ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
SBI | ||||
SDNC Adapter ↔ SDNC | HTTP | HTTP Basic Authentication | Role | |
SOL003 VNFM Adapter ↔ SVNFM | HTTP | No | No | |
SOL003 VNFM Adapter ↔ VNFM Simulator | HTTP | No | No | |
VFC Adapter ↔ VFC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
APPC Client ↔ APPC | HTTP | secrets | No |
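
As an added example (not part of the original matrix or of SO's own code), the Python sketch below shows why an encoded Basic password needs HTTPS and sorts matrix rows by how their credentials travel. The function names and finding labels are assumptions made for this example; the rows are copied from the table above and the header value is constructed.

```python
import base64

# Rows copied from the matrix above: pair | protocol | authentication | authorization | comments
ROWS = """\
VID ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
Ext Client ↔ SO Monitoring UI | HTTP | No | No | |
SO ↔ OOF | HTTPS | HTTP basic authentication with clear password | No | |
BPMN Infra ↔ CDS | HTTP | HTTP Basic Authentication | No | |
SO ↔ Camunda DB | JDBC | id+clear text password | use of MariaDB authorization | |
SO ↔ LOG | ? | |||
"""
# Constructed sample value of an "Authorization" request header.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"demo-user:demo-pass").decode()

def decode_basic(header):
    """Recover (user, password) from a Basic header: no key is needed, only Base64."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def classify(protocol, authn):
    """Label one row by what an observer on the network path could read."""
    entries = [e.strip() for e in protocol.split(",") if e.strip()]
    # scheme name -> True when the matrix marks it "only in dev"
    schemes = {e.split()[0].upper(): "only in dev" in e.lower() for e in entries}
    if not authn or not entries or "?" in protocol:
        return "unverified"
    if authn.lower() == "no":
        return "no-authentication"
    if "HTTP" in schemes:
        return "credentials-over-http-dev-only" if schemes["HTTP"] else "credentials-over-http"
    if "HTTPS" in schemes:
        return "credentials-over-tls"
    return "non-http-transport"

def audit(text):
    """Map each component pair in the pipe-delimited rows to its finding."""
    findings = {}
    for line in text.splitlines():
        if "↔" not in line:
            continue  # header, separator and section rows carry no component pair
        cells = [c.strip() for c in line.split("|")] + ["", ""]
        findings[cells[0]] = classify(cells[1], cells[2])
    return findings

if __name__ == "__main__":
    print(decode_basic(SAMPLE_HEADER))
    for pair, finding in audit(ROWS).items():
        print(f"{finding:32} {pair}")
```

Rows labelled `credentials-over-http` are the ones where the paragraph at the top of the page applies directly: the password crosses the network in a form that `decode_basic` reverses.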