blob: a64afae1621cdc3fe67b0bf7c1d457ef630568ad (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
|
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
*********************
HTTPS and AAF Support
*********************
.. contents::
:depth: 3
The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA.
AAF is supported for externally facing entry points into the Policy subsystem. These are:
* PDP-D supports AAF for its telemetry and healthcheck APIs.
* PDP-X supports AAF for its external policy APIs. It is currently disabled as some of clients are not AAF-capable, and this is a global setting.
* Console (for Browser Portal redirects) supports AAF when accessed through Portal.
+--------+------+------------+-----+-----+---------------------------------+
| Policy | Role | Remote |HTTPS| AAF | Notes |
+========+======+============+=====+=====+=================================+
| pdp-d |server| \* |true |true |Healthchek and Telemetry APIs |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d |client| aaf |true |true |Two-way TLS |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d |client| aai |true |true |Runtime Control Loop Execution |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d |client| dmaap |true |false|Runtime Control Loop Execution |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d |client| so |false|false|Not supported in so |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d |client| vfc |false|false|Not supported in vfc |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-x |server| \* |true |false|Not all clients are AAF-capable |
+--------+------+------------+-----+-----+---------------------------------+
| pap |server| \* |true |false|Not all clients are AAF-capable |
+--------+------+------------+-----+-----+---------------------------------+
| console|server| portal |true |true |Redirected from portal |
+--------+------+------------+-----+-----+---------------------------------+
| brmsgw |client| dmaap |true |false|Runtime Control Loop Execution |
+--------+------+------------+-----+-----+---------------------------------+
AAF Configuration
^^^^^^^^^^^^^^^^^
The default demo ONAP installation comes up bootstrapped with the following AAF data with regards to Policy.
.. code-block:: bash
:caption: Bootstrapped AAF configuration
Basic Permissions:
org.onap.policy.access * *
org.onap.policy.access * read
org.onap.policy.certman local request,ignoreIPs,showpass
Portal Permissions (for UI purposes, administered by Portal team):
org.onap.policy.menu menu_admin *
org.onap.policy.menu menu_ajax *
org.onap.policy.menu menu_concept *
org.onap.policy.menu menu_customer *
org.onap.policy.menu menu_customer_create *
org.onap.policy.menu menu_doclib *
org.onap.policy.menu menu_feedback *
org.onap.policy.menu menu_help *
org.onap.policy.menu menu_home *
org.onap.policy.menu menu_itracker *
org.onap.policy.menu menu_job *
org.onap.policy.menu menu_job_create *
org.onap.policy.menu menu_job_designer *
org.onap.policy.menu menu_logout *
org.onap.policy.menu menu_map *
org.onap.policy.menu menu_notes *
org.onap.policy.menu menu_policy *
org.onap.policy.menu menu_process *
org.onap.policy.menu menu_profile *
org.onap.policy.menu menu_profile_create *
org.onap.policy.menu menu_profile_import *
org.onap.policy.menu menu_reports *
org.onap.policy.menu menu_sample *
org.onap.policy.menu menu_tab *
org.onap.policy.menu menu_task *
org.onap.policy.menu menu_task_search *
org.onap.policy.menu menu_test *
org.onap.policy.url doclib *
org.onap.policy.url doclib_admin *
org.onap.policy.url login *
org.onap.policy.url policy_admin *
org.onap.policy.url policy_dashboard *
org.onap.policy.url policy_dictionary *
org.onap.policy.url policy_editor *
org.onap.policy.url policy_pdp *
org.onap.policy.url policy_push *
org.onap.policy.url policy_roles *
org.onap.policy.url view_reports *
PDP-D Permissions for Telemetry REST API access:
org.onap.policy.pdpd.healthcheck * get
org.onap.policy.pdpd.healthcheck.configuration * get
org.onap.policy.pdpd.telemetry * delete
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpd.telemetry * post
org.onap.policy.pdpd.telemetry * put
PDP-X Permissions for XACML REST APIs:
org.onap.policy.pdpx.config * *
org.onap.policy.pdpx.createDictionary * *
org.onap.policy.pdpx.createPolicy * *
org.onap.policy.pdpx.decision * *
org.onap.policy.pdpx.getConfig * *
org.onap.policy.pdpx.getConfigByPolicyName * *
org.onap.policy.pdpx.getDecision * *
org.onap.policy.pdpx.getDictionary * *
org.onap.policy.pdpx.getMetrics * *
org.onap.policy.pdpx.list * *
org.onap.policy.pdpx.listConfig * *
org.onap.policy.pdpx.listPolicy * *
org.onap.policy.pdpx.policyEngineImport * *
org.onap.policy.pdpx.pushPolicy * *
org.onap.policy.pdpx.sendEvent * *
org.onap.policy.pdpx.updateDictionary * *
org.onap.policy.pdpx.updatePolicy * *
Basic Namespace Admin Roles:
org.onap.policy.admin
org.onap.policy.owner
org.onap.policy.seeCerts
Portal Roles for UI:
org.onap.policy.Account_Administrator
org.onap.policy.Policy_Admin
org.onap.policy.Policy_Editor
org.onap.policy.Policy_Guest
org.onap.policy.Policy_Super_Admin
org.onap.policy.Policy_Super_Guest
org.onap.policy.Standard_User
org.onap.policy.System_Administrator
PDP-D Roles:
org.onap.policy.pdpd.admin
org.onap.policy.pdpd.monitor
PDP-X Roles:
org.onap.policy.pdpx.admin
org.onap.policy.pdpx.monitor
Users:
demo@people.osaaf.org
policy@policy.onap.org
demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in n a default ONAP installation. These are:
.. code-block:: bash
:caption: Default permissions for demo and policy accounts.
List Permissions by User[policy@policy.onap.org]
--------------------------------------------------------------------------------
PERM Type Instance Action
--------------------------------------------------------------------------------
org.onap.policy.access * *
org.onap.policy.access * read
org.onap.policy.certman local request,ignoreIPs,showpass
org.onap.policy.pdpd.healthcheck * get
org.onap.policy.pdpd.healthcheck.configuration * get
org.onap.policy.pdpd.telemetry * delete
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpd.telemetry * post
org.onap.policy.pdpd.telemetry * put
org.onap.policy.pdpx.createDictionary * *
org.onap.policy.pdpx.createPolicy * *
org.onap.policy.pdpx.decision * *
org.onap.policy.pdpx.getConfig * *
org.onap.policy.pdpx.getConfigByPolicyName * *
org.onap.policy.pdpx.getDecision * *
org.onap.policy.pdpx.getDictionary * *
org.onap.policy.pdpx.getMetrics * *
org.onap.policy.pdpx.list * *
org.onap.policy.pdpx.listConfig * *
org.onap.policy.pdpx.listPolicy * *
org.onap.policy.pdpx.policyEngineImport * *
org.onap.policy.pdpx.pushPolicy * *
org.onap.policy.pdpx.sendEvent * *
org.onap.policy.pdpx.updateDictionary * *
org.onap.policy.pdpx.updatePolicy * *
List Permissions by User[demo@people.osaaf.org]
--------------------------------------------------------------------------------
PERM Type Instance Action
--------------------------------------------------------------------------------
org.onap.policy.access
org.onap.policy.access * read
org.onap.policy.menu menu_admin *
org.onap.policy.menu menu_ajax *
org.onap.policy.menu menu_customer *
org.onap.policy.menu menu_customer_create *
org.onap.policy.menu menu_feedback *
org.onap.policy.menu menu_help *
org.onap.policy.menu menu_home *
org.onap.policy.menu menu_itracker *
org.onap.policy.menu menu_job *
org.onap.policy.menu menu_job_create *
org.onap.policy.menu menu_logout *
org.onap.policy.menu menu_notes *
org.onap.policy.menu menu_process *
org.onap.policy.menu menu_profile *
org.onap.policy.menu menu_profile_create *
org.onap.policy.menu menu_profile_import *
org.onap.policy.menu menu_reports *
org.onap.policy.menu menu_sample *
org.onap.policy.menu menu_tab *
org.onap.policy.menu menu_test *
org.onap.policy.pdpd.healthcheck * get
org.onap.policy.pdpd.healthcheck.configuration * get
org.onap.policy.pdpd.telemetry * delete
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpd.telemetry * post
org.onap.policy.pdpd.telemetry * put
org.onap.policy.pdpx.config * *
org.onap.policy.pdpx.createDictionary * *
org.onap.policy.pdpx.createPolicy * *
org.onap.policy.pdpx.decision * *
org.onap.policy.pdpx.getConfig * *
org.onap.policy.pdpx.getConfigByPolicyName * *
org.onap.policy.pdpx.getDecision * *
org.onap.policy.pdpx.getDictionary * *
org.onap.policy.pdpx.getMetrics * *
org.onap.policy.pdpx.list * *
org.onap.policy.pdpx.listConfig * *
org.onap.policy.pdpx.listPolicy * *
org.onap.policy.pdpx.policyEngineImport * *
org.onap.policy.pdpx.pushPolicy * *
org.onap.policy.pdpx.sendEvent * *
org.onap.policy.pdpx.updateDictionary * *
org.onap.policy.pdpx.updatePolicy * *
org.onap.policy.url doclib *
org.onap.policy.url doclib_admin *
org.onap.policy.url login *
Disabling AAF
^^^^^^^^^^^^^
AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it.
+---------------+-------------------------+----------+---------------------------+
| Repository | Install File | Variable | Notes |
+===============+=========================+==========+===========================+
| policy/docker | config/drools/base.conf | AAF | Heat Installation |
+---------------+-------------------------+----------+---------------------------+
| oom | config/drools/base.conf | AAF | OOM Installation |
+---------------+-------------------------+----------+---------------------------+
AAF can also be disabled at runtime within the PDP-D container by modifying the following files.
+----------------------------------------------------+-----------------------------------------+
| File | Property |
+====================================================+=========================================+
| $POLICY_HOME/config/policy-engine.properties | http.server.services.SECURED-CONFIG.aaf |
+----------------------------------------------------+-----------------------------------------+
| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf |
+----------------------------------------------------+-----------------------------------------+
After modifying these files, restart the container with "policy stop; policy start"
End of Document
|
