authorInstrumental <jonathan.gathman@att.com>2018-07-20 20:27:49 -0500
committerInstrumental <jonathan.gathman@att.com>2018-07-20 20:29:41 -0500
commitc23f2cdcda93f260e26781dfa59dfe2b89c77402 (patch)
tree3ee86a772dfbfb69af5bc216f1aa88f4f9c677cb
parentfddbec6484479e521f7d073ed5158a9303575163 (diff)
Client Config & Cert Documentation
Issue-ID: AAF-378 Change-Id: Ic0c05803551f1874b230c5c9e031b5bf5ff03599 Signed-off-by: Instrumental <jonathan.gathman@att.com>
-rw-r--r--auth/auth-cass/src/main/cql/pull.sh9
-rw-r--r--auth/auth-cass/src/main/cql/push.sh11
-rw-r--r--auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java4
-rw-r--r--auth/docker/agent.sh12
-rw-r--r--docs/sections/installation/client_vol.rst98
5 files changed, 104 insertions, 30 deletions
diff --git a/auth/auth-cass/src/main/cql/pull.sh b/auth/auth-cass/src/main/cql/pull.sh
index f4db573a..01fa52bf 100644
--- a/auth/auth-cass/src/main/cql/pull.sh
+++ b/auth/auth-cass/src/main/cql/pull.sh
@@ -1,5 +1,10 @@
-for T in x509 ns_attrib config cred user_role perm role artifact ns; do
+mkdir -p dats
+cd dats
+for T in ns ns_attrib cred user_role perm role config artifact ; do
cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';"
done
-tar -cvzf dat.gz *.dat
+tar -cvzf ../dat.gz *.dat
+rm *.dat
+cd -
+rmdir dats
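Review bot: The added `cd dats` is unchecked, so if it fails every later command — including `rm *.dat` — runs in the caller's current directory and deletes any .dat files it finds there; `mkdir -p dats && cd dats || exit 1` closes that, and the `rm` should likewise only run after `tar` succeeded (`tar -cvzf ../dat.gz *.dat && rm *.dat`). `cd -` prints the restored directory to stdout, which is harmless here but worth `cd - >/dev/null` if the script's output is ever consumed. The export list includes the `cred` table, so dat.gz presumably carries credential data yet is created with the default umask; a header comment such as `# dat.gz includes the cred table — restrict its permissions before moving it` would make that visible to whoever runs this.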
diff --git a/auth/auth-cass/src/main/cql/push.sh b/auth/auth-cass/src/main/cql/push.sh
index 8026c9f9..330326d5 100644
--- a/auth/auth-cass/src/main/cql/push.sh
+++ b/auth/auth-cass/src/main/cql/push.sh
@@ -1,5 +1,8 @@
-tar -xvf dat.gz
-for T in x509 ns_attrib config cred user_role perm role artifact ns; do
- cqlsh -e "use authz; COPY $T FROM '$T.dat' WITH DELIMITER='|';"
+mkdir -p dats
+cd dats
+tar -xvf ../dat.gz
+for T in $(ls *.dat); do
+ cqlsh -e "use authz; COPY ${T%.dat} FROM '$T' WITH DELIMITER='|';"
done
-
+cd -
+rm -Rf dats
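Review bot: `for T in $(ls *.dat)` on the new side parses ls output and word-splits on any unusual file name; the plain glob `for T in *.dat; do` does the same job without that problem. The preceding `cd dats` is also unchecked, so a failed cd would extract ../dat.gz into the parent directory and run the COPY loop there; `cd dats || exit 1` guards both. Note too that the table name handed to cqlsh is now whatever file names the archive contains rather than the fixed list the old code used, so an archive from an unexpected source determines the CQL statement — checking `${T%.dat}` against the known table names (or keeping the explicit list and only using the glob to detect missing files) would be a cheap safeguard.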
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
index d423731a..6d4e167a 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
@@ -102,7 +102,7 @@ public class CMArtifactShow extends Page {
"&machine='+machine.value,'_self');"
).end(js);
hgen.leaf("input","id=machine","style=margin:1em 1em 1em 1em;width:30%").end();
- hgen.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;").text("New Machine").end();
+ hgen.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;").text("New FQDN").end();
}
});
}
@@ -146,7 +146,7 @@ public class CMArtifactShow extends Page {
this.sc = sc;
}
- private static final String[] headers = new String[]{"Machine","Directory","CA","Renews","Expires",""};
+ private static final String[] headers = new String[]{"FQDN","Directory","CA","Renews","Expires",""};
@Override
public String[] headers() {
return headers;
diff --git a/auth/docker/agent.sh b/auth/docker/agent.sh
index aa3db663..eb0bf3aa 100644
--- a/auth/docker/agent.sh
+++ b/auth/docker/agent.sh
@@ -40,11 +40,11 @@ done
. ./aaf.props
# Need AAF_FQDN's IP, because not might not be available in mini-container
-if [ "$AAF_AAF_FQDN_IP" = "" ]; then
- AAF_AAF_FQDN_IP=$(host $AAF_FQDN | grep "has address" | tail -1 | cut -f 4 -d ' ')
- if [ "$AAF_AAF_FQDN_IP" = "" ]; then
- read -p "IP of $AAF_FQDN: " AAF_AAF_FQDN_IP
- echo "AAF_AAF_FQDN_IP=$AAF_AAF_FQDN_IP" >> ./aaf.props
+if [ "$AAF_FQDN_IP" = "" ]; then
+ AAF_FQDN_IP=$(host $AAF_FQDN | grep "has address" | tail -1 | cut -f 4 -d ' ')
+ if [ "$AAF_FQDN_IP" = "" ]; then
+ read -p "IP of $AAF_FQDN: " AAF_FQDN_IP
+ echo "AAF_FQDN_IP=$AAF_FQDN_IP" >> ./aaf.props
fi
fi
@@ -58,7 +58,7 @@ docker run \
-it \
--rm \
--mount 'type=volume,src='${VOLUME}',dst=/opt/app/osaaf,volume-driver='${DRIVER} \
- --add-host="$AAF_FQDN:$AAF_AAF_FQDN_IP" \
+ --add-host="$AAF_FQDN:$AAF_FQDN_IP" \
--env AAF_FQDN=${AAF_FQDN} \
--env DEPLOY_FQI=${DEPLOY_FQI} \
--env DEPLOY_PASSWORD=${DEPLOY_PASSWORD} \
diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst
index ea98e5f2..fc33e1bb 100644
--- a/docs/sections/installation/client_vol.rst
+++ b/docs/sections/installation/client_vol.rst
@@ -26,8 +26,8 @@ Prerequisites
| but it DOES have be accessible to the AAF Instance.
* For ONAP, this means
- * Windriver VPN
- * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS
+ * Windriver VPN
+ * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS
-----------------------
Obtain the Agent Script
@@ -49,22 +49,88 @@ In your chosen directory ::
$ bash agent.sh
-The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it
+The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it.
+This file is available to reuse for multiple calls. More importantly, you should use it as a template for auto-configuration. (In ONAP, these are HEAT templates and OOM Helm Charts)
---------------- ---------------
-Tag Value
---------------- ---------------
-CADI Version Defaults to CADI version of this
-AAF's FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org'
-Deployer's FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process
-App's Root FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap
-App's FQI Fully Qualified ID given by Organization and with AAF NS/domain. ex: clamp@clamp.onap.org
-App's Volume Volume to put the data, see above. ex: clamp_aaf
-DRIVER Docker Volume type... See Docker Volume documentation
-LATITUDE Global latitude coordinate of Node (best guess for Kubernetes)
-LONGITUDE Global longitude coordinate of Node (best guess for Kubernetes)
---------------- ---------------
+---------------------
+'aaf.prop' Properties
+---------------------
+=================== =============== ============
+Query Tag Description
+=================== =============== ============
+CADI Version VERSION Defaults to CADI version of this
+AAF's FQDN AAF_FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org'
+Deployer's FQI DEPLOY_FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process
+App's Root FQDN APP_FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap
+App's FQI APP_FQI Fully Qualified ID given by Organization and with AAF NS/domain. ex: clamp@clamp.onap.org
+App's Volume VOLUME Volume to put the data, see above. ex: clamp_aaf
+DRIVER DRIVER Docker Volume type... See Docker Volume documentation
+LATITUDE of Node LATITUDE Global latitude coordinate of Node (best guess in Kubernetes)
+LONGITUDE of Node LONGITUDE Global longitude coordinate of Node (best guess in Kubernetes)
+=================== =============== ============
+
+---------------------
+Dynamic Properties
+---------------------
+
+These Properties do not automatically save in 'aaf.props', because...
+
+ | Passwords should not be stored clear text, with the possible exception of constant Environment Recreation, where it is impractical.
+ | The IP of the AAF's FQDN is looked up, if possible. It can be set, however, when lookup isn't available.
+
+=================== =============== ============
+Query Tag Description
+=================== =============== ============
+Deployer's Password DEPLOY_PASSWORD Password for the Deployer. Avoids storing, except where impossible otherwise.
+IP of <AAF_FQDN> AAF_FQDN_IP IP for Name of AAF FQDN, if not available by normal lookup means
+=================== =============== ============
+
+-----------------------
+ONAP Entity Info in AAF
+-----------------------
+
+============================= =========================== =======================
+ONAP Namespaces APP FQI APP FQDN
+============================= =========================== =======================
+org.onap.aaf-sms aaf-sms@aaf-sms.onap.org aaf-sms
+org.onap.aai aai@aai.onap.org aai
+org.onap.appc appc@appc.onap.org appc
+org.onap.clamp clamp@clamp.onap.org clamp
+org.onap.dcae dcae@dcae.onap.org dcae
+org.onap.dmaap-bc dmaap-bc@dmaap-bc.onap.org dmaap-bc
+org.onap.dmaap-mr dmaap-mr@dmaap-mr.onap.org dmaap-mr
+org.onap.oof oof@oof.onap.org oof
+org.onap.sdnc sdnc@sdnc.onap.org sdnc
+============================= =========================== =======================
+
+*Note: FQDNs are set in AAF's Credential Artifact data, accessible in "Cred Details" from Namespace Page*
+
+If something goes wrong, and Certificate is not created, you can adjust the data, remove the data from the Container's /opt/app/osaaf/local dir, and it will generate again. ::
+
+ root@77777:/opt/app/osaaf/local# rm *
+ root@77777:/opt/app/osaaf/local# exit
+ $ bash agent.sh bash
+
+-------------
+Informational
+-------------
+
+There are two sets of Credentials at play here. The ability to create the Certificate belongs to one of
+
+ * The person responsible for the ID in the Organization
+ * A delegated deployer
+
+It is expected in large organizations that Individual Employees are given the responsibility of an ID for an APP they are responsible for.
+
+ In ONAP test, to simplify create/tear-down environment...
+ | The **Owner** is always "mmanager@people.osaaf.org".
+ | The **Sponsor** is always "aaf_admin@people.osaaf.org".
+
+In a large org, there are probably many Operations teams to support many different apps.
+
+ In ONAP test,
+ The **Deployer** is always set to "deploy@people.osaaf.org" for all Apps.