diff options
author | Instrumental <jonathan.gathman@att.com> | 2018-05-25 20:54:35 -0500 |
---|---|---|
committer | Instrumental <jonathan.gathman@att.com> | 2018-05-25 21:02:24 -0500 |
commit | 79c5df5f97317a5712ebc8e9cbc72f7d49ee7d19 (patch) | |
tree | 73d35ed740fcfc43c986be91ecf2bd7a390bc279 | |
parent | a97d731d65bb988e12495d7f9fa6565097c78e26 (diff) |
Create Security Overview
Issue-ID: AAF-331
Change-Id: If588c053710e35554aa31d7dd41d9191be155840
Signed-off-by: Instrumental <jonathan.gathman@att.com>
-rw-r--r-- | docs/index.rst | 2 | ||||
-rw-r--r-- | docs/sections/architecture/aaf-object-model.jpg | bin | 189989 -> 0 bytes | |||
-rw-r--r-- | docs/sections/architecture/aaf_architecture.rst | 4 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchAAF.svg | 55 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchAAFOrg.svg | 128 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchBasic_1.svg | 48 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchBasic_TLS.svg | 62 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchCADI.svg | 64 | ||||
-rw-r--r-- | docs/sections/architecture/images/SecurityArchFull.svg | 255 | ||||
-rw-r--r-- | docs/sections/architecture/images/aaf-cm.png (renamed from docs/sections/architecture/aaf-cm.png) | bin | 149239 -> 149239 bytes | |||
-rw-r--r-- | docs/sections/architecture/images/aaf-object-model.jpg (renamed from docs/images/aaf-object-model.jpg) | bin | 189989 -> 189989 bytes | |||
-rw-r--r-- | docs/sections/architecture/security.rst | 130 |
12 files changed, 738 insertions, 10 deletions
diff --git a/docs/index.rst b/docs/index.rst index dacc9d06..3b903c24 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -32,7 +32,7 @@ AAF contains some elements of Role Based Authorization, but includes Attribute B |image0| -.. |image0| image:: images/aaf-object-model.jpg +.. |image0| image:: sections/architecture/images/aaf-object-model.jpg :height: 600px :width: 800px diff --git a/docs/sections/architecture/aaf-object-model.jpg b/docs/sections/architecture/aaf-object-model.jpg Binary files differdeleted file mode 100644 index 30caa7d5..00000000 --- a/docs/sections/architecture/aaf-object-model.jpg +++ /dev/null diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst index 6e522888..b955ce10 100644 --- a/docs/sections/architecture/aaf_architecture.rst +++ b/docs/sections/architecture/aaf_architecture.rst @@ -11,7 +11,7 @@ To be effective during a computer transaction, Security must not only be secure, |image0| -.. |image0| image:: aaf-object-model.jpg +.. |image0| image:: images/aaf-object-model.jpg :height: 600px :width: 800px @@ -33,7 +33,7 @@ Every secure transaction requires 1) Encryption 2) Authentication 3) Authorizati |image1| -.. |image1| image:: aaf-cm.png +.. |image1| image:: images/aaf-cm.png :height: 768px :width: 1024px diff --git a/docs/sections/architecture/images/SecurityArchAAF.svg b/docs/sections/architecture/images/SecurityArchAAF.svg new file mode 100644 index 00000000..34b592ab --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchAAF.svg @@ -0,0 +1,55 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="210.566" height="286.166" viewBox="0, 0, 210.566, 286.166"> + <g id="AAF" transform="translate(-283.488, -41.5)"> + <g> + <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)"> + <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan> + </text> + </g> + <g> + <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)"> + <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan> + </text> + </g> + <g> + <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)"> + <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan> + </text> + </g> + <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)"> + <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan> + <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan> + <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan> + </text> + <g> + <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)"> + <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan> + </text> + </g> + <g> + <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)"> + <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan> + </text> + </g> + <g> + <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)"> + <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan> + </text> + </g> + <g> + <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)"> + <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan> + <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan> + </text> + </g> + </g> +</svg> diff --git a/docs/sections/architecture/images/SecurityArchAAFOrg.svg b/docs/sections/architecture/images/SecurityArchAAFOrg.svg new file mode 100644 index 00000000..f003b810 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchAAFOrg.svg @@ -0,0 +1,128 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="427.813" height="340" viewBox="0, 0, 427.813, 340"> + <g id="Connections" transform="translate(-66.241, -41.5)"> + <g> + <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)"> + <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan> + <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan> + </text> + <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)"> + <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan> + <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan> + </text> + <g> + <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + </g> + <g id="AAF" transform="translate(-66.241, -41.5)"> + <g> + <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)"> + <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan> + </text> + </g> + <g> + <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)"> + <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan> + </text> + </g> + <g> + <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)"> + <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan> + </text> + </g> + <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)"> + <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan> + <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan> + <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan> + </text> + <g> + <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)"> + <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan> + </text> + </g> + <g> + <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)"> + <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan> + </text> + </g> + <g> + <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)"> + <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan> + </text> + </g> + <g> + <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)"> + <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan> + <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan> + </text> + </g> + </g> + <g id="Organization" transform="translate(-66.241, -41.5)"> + <g> + <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 139.612, 119)"> + <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan> + <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan> + </text> + </g> + <g> + <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)"> + <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan> + <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan> + <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan> + </text> + </g> + <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <g> + <g> + <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)"> + <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan> + <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan> + </text> + </g> + <g> + <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)"> + <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan> + <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan> + </text> + </g> + <g> + <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)"> + <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan> + <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan> + </text> + </g> + <g> + <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)"> + <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan> + <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan> + </text> + </g> + </g> + <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)"> + <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan> + </text> + </g> +</svg> diff --git a/docs/sections/architecture/images/SecurityArchBasic_1.svg b/docs/sections/architecture/images/SecurityArchBasic_1.svg new file mode 100644 index 00000000..1066f2c3 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchBasic_1.svg @@ -0,0 +1,48 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="516.973" height="313.5" viewBox="0, 0, 516.973, 313.5"> + <g id="Basics" transform="translate(-175.969, -237)"> + <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/> + <g> + <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.812, 266)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <g> + <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/> + <g> + <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.099, 266)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + </g> +</svg> diff --git a/docs/sections/architecture/images/SecurityArchBasic_TLS.svg b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg new file mode 100644 index 00000000..664593bd --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg @@ -0,0 +1,62 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.817" height="313.5" viewBox="0, 0, 517.817, 313.5"> + <g id="TLS" transform="translate(-175.969, -237)"> + <text transform="matrix(-0, 1, -1, -0, 639.901, 366.492)"> + <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan> + </text> + <text transform="matrix(1, -0, 0, 1, 439.736, 509.201)"> + <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan> + </text> + <text transform="matrix(1, 0, 0, 1, 634.155, 457.499)"> + <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + <text transform="matrix(-0, 1, -1, -0, 320.012, 516.681)"> + <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + </g> + <g id="Basics" transform="translate(-175.969, -237)"> + <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/> + <g> + <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.812, 266)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <g> + <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/> + <g> + <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.099, 266)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + </g> +</svg> diff --git a/docs/sections/architecture/images/SecurityArchCADI.svg b/docs/sections/architecture/images/SecurityArchCADI.svg new file mode 100644 index 00000000..b05a7f90 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchCADI.svg @@ -0,0 +1,64 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.259" height="323.537" viewBox="0, 0, 517.259, 323.537"> + <g id="CADI" transform="translate(-176.682, -236.872)"> + <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)"> + <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan> + </text> + <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)"> + <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan> + </text> + <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)"> + <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan> + </text> + <g> + <g> + <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/> + <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)"> + <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan> + </text> + </g> + <g> + <g> + <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/> + <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + </g> + <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)"> + <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan> + </text> + </g> + <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/> + <g> + <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)"> + <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + <g> + <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)"> + <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + </g> +</svg> diff --git a/docs/sections/architecture/images/SecurityArchFull.svg b/docs/sections/architecture/images/SecurityArchFull.svg new file mode 100644 index 00000000..0093eaa1 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchFull.svg @@ -0,0 +1,255 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="627.701" height="518.909" viewBox="0, 0, 627.701, 518.909"> + <g id="Direct_AAF" transform="translate(-66.241, -41.5)"> + <g> + <path d="M572.081,454.632 L395.909,317.04" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M397.756,314.675 L389.604,312.116 L394.062,319.404 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M606.551,441 L445.662,316.508" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M447.498,314.135 L439.335,311.612 L443.826,318.88 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(0.79, 0.613, -0.613, 0.79, 497.62, 402.334)"> + <tspan x="-43.687" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">1) User/Password</tspan> + <tspan x="-58.872" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">validation (if Basic Auth)</tspan> + </text> + <text transform="matrix(0.79, 0.613, -0.613, 0.79, 531.051, 387.658)"> + <tspan x="-22.418" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">2) Obtain</tspan> + <tspan x="-41.762" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">AAF Permissions</tspan> + </text> + </g> + <g id="AAF_Batch" transform="translate(-66.241, -41.5)"> + <g> + <path d="M351.193,158.06 L351.024,222.389 C351.016,225.434 349.725,227.899 348.14,227.893 L316.818,227.788 C315.233,227.783 313.955,225.31 313.963,222.265 L314.132,157.936 C314.14,154.89 315.431,152.426 317.015,152.431 L348.338,152.537 C349.923,152.542 351.201,155.015 351.193,158.06 z" fill="#D65E15" fill-opacity="0.52"/> + <text transform="matrix(-0.003, 1, -1, -0.003, 332.578, 190.162)"> + <tspan x="-13.15" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Batch </tspan> + <tspan x="-28.805" y="8.987" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Maintenance</tspan> + </text> + </g> + <g> + <path d="M314.463,190.662 L209.956,190.662" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M209.956,187.662 L201.956,190.662 L209.956,193.662 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(1, 0, -0, 1, 259.372, 193.06)"> + <tspan x="-19.959" y="-6.244" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Expiring</tspan> + <tspan x="-16.604" y="9.356" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Events</tspan> + </text> + <g> + <path d="M200.956,198.706 L229.109,198.706 L229.109,224.632 L209.956,224.632" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M209.956,221.632 L201.956,224.632 L209.956,227.632 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M351.693,200.083 L437.888,200.083" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/> + <path d="M437.888,203.083 L445.888,200.083 L437.888,197.083 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + </g> + <g id="AAF_Cassandra" transform="translate(-66.241, -41.5)"> + <g> + <path d="M485.176,158.06 L485.007,222.389 C484.999,225.434 483.708,227.899 482.123,227.893 L450.8,227.788 C449.216,227.783 447.938,225.31 447.946,222.265 L448.114,157.936 C448.122,154.89 449.414,152.426 450.998,152.431 L482.321,152.537 C483.906,152.542 485.184,155.015 485.176,158.06 z" fill="#1715D6" fill-opacity="0.52"/> + <text transform="matrix(-0.003, 1, -1, -0.003, 463.496, 190.162)"> + <tspan x="-24.075" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cassandra</tspan> + </text> + </g> + <g> + <path d="M433.476,96.895 L462.989,144.836" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/> + <path d="M460.434,146.409 L467.183,151.648 L465.544,143.263 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M433.476,180.993 L439.445,180.993" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/> + <path d="M439.445,183.993 L447.445,180.993 L439.445,177.993 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M433.476,219.752 L441.331,213.665" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/> + <path d="M443.169,216.036 L447.655,208.765 L439.494,211.294 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M448.674,243.29 L460.62,233.94" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/> + <path d="M462.469,236.303 L466.919,229.01 L458.771,231.578 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + </g> + <g id="Connections" transform="translate(-66.241, -41.5)"> + <g> + <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)"> + <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan> + <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan> + </text> + <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)"> + <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan> + <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan> + </text> + <g> + <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + </g> + <g id="AAF" transform="translate(-66.241, -41.5)"> + <g> + <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)"> + <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan> + </text> + </g> + <g> + <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)"> + <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan> + </text> + </g> + <g> + <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)"> + <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan> + </text> + </g> + <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)"> + <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan> + <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan> + <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan> + </text> + <g> + <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)"> + <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan> + </text> + </g> + <g> + <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)"> + <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan> + </text> + </g> + <g> + <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)"> + <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan> + </text> + </g> + <g> + <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)"> + <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan> + <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan> + </text> + </g> + </g> + <g id="Organization" transform="translate(-66.241, -41.5)"> + <g> + <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 139.612, 119)"> + <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan> + <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan> + </text> + </g> + <g> + <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)"> + <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan> + <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan> + <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan> + </text> + </g> + <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <g> + <g> + <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/> + <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)"> + <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan> + <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan> + </text> + </g> + <g> + <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)"> + <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan> + <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan> + </text> + </g> + <g> + <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)"> + <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan> + <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan> + </text> + </g> + <g> + <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)"> + <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan> + <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan> + </text> + </g> + </g> + <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)"> + <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan> + </text> + </g> + <g id="CADI" transform="translate(-66.241, -41.5)"> + <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)"> + <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan> + </text> + <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)"> + <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan> + </text> + <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)"> + <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan> + </text> + <g> + <g> + <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/> + <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)"> + <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan> + </text> + </g> + <g> + <g> + <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/> + <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/> + </g> + <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)"> + <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan> + </text> + </g> + <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/> + <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)"> + <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan> + <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan> + </text> + <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/> + <g> + <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/> + <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)"> + <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan> + <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan> + </text> + </g> + <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)"> + <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + <g> + <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <g> + <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/> + <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/> + </g> + <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)"> + <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan> + <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan> + </text> + <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)"> + <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan> + </text> + </g> +</svg> diff --git a/docs/sections/architecture/aaf-cm.png b/docs/sections/architecture/images/aaf-cm.png Binary files differindex 602f17e4..602f17e4 100644 --- a/docs/sections/architecture/aaf-cm.png +++ b/docs/sections/architecture/images/aaf-cm.png diff --git a/docs/images/aaf-object-model.jpg b/docs/sections/architecture/images/aaf-object-model.jpg Binary files differindex 30caa7d5..30caa7d5 100644 --- a/docs/images/aaf-object-model.jpg +++ b/docs/sections/architecture/images/aaf-object-model.jpg diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst index fd10dc98..7c4ef85d 100644 --- a/docs/sections/architecture/security.rst +++ b/docs/sections/architecture/security.rst @@ -9,21 +9,137 @@ Communicating When one compute process needs to communicate to another, it does so with networking. The service side is always compute process, but the client can be of two types: - - People (via browser, or perhaps command line tool) - - Compute process talking to another computer process. + * People (via browser, or perhaps command line tool) + * Compute process talking to another computer process. -Thus, the essential building blocks of any networked system is made up of +In larger systems, it is atypical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it. Thus, we demonstrate both a client call, and a subsequent call in the following: +Thus, the essential building blocks of any networked system is made up of a caller and any subsquent calls. + +.. image:: images/SecurityArchBasic_1.svg + :width: 70% + :align: center -In larger systems, it is atypical Communicating *Securely* ------------------------ Whenever two processing entities exist that need to communicate securely, it is *essential* that - - The communications between the two are encrypted - - The identities of the caller and callee are established (authentication) - - The caller must be allowed to do what it is asking to do (authorization) + * The communications between the two are encrypted + * The identities of the caller and callee are established (authentication) + * The caller must be allowed to do what it is asking to do (authorization) + + +**Encryption** + +Encryption is provided by HTTP/S with the TLS 1.2+ protocol. Lesser protocols can also be added, but it is highly recommended that the protocol go no lower than TLS 1.1 + +.. image:: images/SecurityArchBasic_TLS.svg + :width: 70% + :align: center + +**Establishing Identity** + +*Client Side* + +In order to be secure of the Server Identity, the client will: + * Carefully select the Endpoint for the server (URL) + * The Service side Certificate chain obtained by TLS must ultimately be signed by a Certificate Authority that is trusted. + +*Server Side* + +The server side is a little harder to accomplish, because, while a client can choose carefully whom he contacts, the server, ultimately, might be contacted by literally anyone. + +To solve this difficult problem, the CADI Framework Filter is attached to the incoming transaction before any code by Application 1 or Application 2 is invoked. The CADI Framework does the following: + A) Establishes the claimed Identity (this differs by Protocol) + + i) The Identity needs to be a Fully Qualified Identity (FQI), meaning it has + + #) An ID approved by Organization (such as bob) + #) A Domain establishing where the Credential is defined (ex: @bobs.garage.com) + #) FQI Example: bob@bobs.garage.com + + B) Validates the credential of the FQI ( *Authentication* ) + + i) Basic Auth (User/Password) is validated against the system supporting the domain + ii) AAF Certman can create a fine-grained X509 certificate, which can derive FQI + iii) If the FQI fails the Credential test in any way, the transaction is terminated + + C) Obtain *Authorization* information + + i) This might include a call to AAF which will return all the Permissions of the User per Application Context + ii) This might involve pulling these from Cache + iii) This also might be pulled from Token + +.. image:: images/SecurityArchCADI.svg + :width: 70% + :align: center + +Enabling the Client to Send Securely +------------------------------------ + +Once a secure scenario is in place, the client must provide more information, or he will be rejected by the secured server. + + * FQI (Fully Qualified Identity) + * Credential + * If User/Password, then the client must send via "BasicAuth" Protocol + * If two-way X509 identity, then the client must load the Cert and Private Key into the Client Software outside of the calling process. + * If Token based Identity, such as OAuth2, the token must be placed on the call in just the right way. + * Upstream Identity + * Application Two might well want to process Authorizations based on the *end-user*, not the current caller. In this scenario, Application One must provide the End User FQI in addition to its own before Application Two will accept. + +In order to do this efficiently, ONAP services will use the CADI Client, which includes + * Connection Information by Configuration + * Encryption of any sensitive information in Configuration, such as Password, so that Configuration files will have no clear-text secrets. + * Highly scalable Endpoint information (at the very least, of AAF components) + * The ability to propogate the Identity of originating Caller (User One) + +Obtaining Security Information +------------------------------ + +In order for the client and server to perform securely, the need information they can trust, including + * TLS needs X509 Certificate for the Server and any Client wishing to authenticate using Certificates + * Any User/Password Credentials need to be validated real time + * The server needs comprehensible Authorization information, preferably at the Application Scope + * The client needs to find a server, even if the server must be massively geo-scaled + +The AAF Suite provides the following elements: + * AAF Service + This service provides fine-grained Authorization information, and can, if required, also provide specialized Passwords for Applications (that allow for configuration migrations without a maintainance window) + * OAuth + AAF provides Token and Introspection service, but can also delegate to Organizatinally defined OAuth Services as well. + * Locator + Provides machine and port information by geo-location for massively scalable services. This is optional for ONAP services, but required for AAF as part of its reliability and scalability solution. + * GUI + AAF provides a GUI for managing Namespaces (for Applications), Roles, Permissions and Credentials. + * Certificate Manager + Since AAF has fine-grained information about Identities, it can provide Certificates with FQIs embedded. CADI Framework understands when and how to trust these FQIs. When used, these Certificates provide enhanced speed and additional resiliency to the system, as they do not require network connections to validate. + +.. image:: images/SecurityArchAAF.svg + :width: 30% + :align: center + +The Organization +---------------- + +AAF is only a tool to reflect the Organization it is setup for. AAF does not, for instance, know what IDs are acceptable to a particular company. Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organzation will have a hierarchy of who is responsible for any give person or application. + + * AAF's Certman connects to the Organization's CA via SCEP protocol (Others can be created as well) + * AAF ties into the Organizational hierarchy. Currently, this is through a feed of IDs and relationships. + * AAF can process some Passwords, but delegate off others based on domain. + +.. image:: images/SecurityArchAAFOrg.svg + :width: 70% + :align: center + +The Whole Picture +----------------- + +CADI is a framework that enforces validations of Identities, and uses those Identities to obtain Authorization information for the Server. The CADI client ensures that the right information is passed during secure connections. +AAF provides essential information based on the Organization to services in order to enable secure transactions between components. It also provides sustaining processing capabilities to ensure that Credentials and Authorization relationships are maintained. +.. image:: images/SecurityArchFull.svg + :width: 90% + :align: center |