author: Instrumental <jonathan.gathman@att.com> 2018-05-25 12:29:38 -0500
committer: Instrumental <jonathan.gathman@att.com> 2018-05-25 12:29:43 -0500
commit: bbe7154de3be6ff4fb3433ee6ea3688b4929ef71 (patch)
tree: 568e1359fcb6c3b7028623998cbfafd9b64f1327 /docs/sections/architecture
parent: 4906c14f770e85452240fc8e04807b6114fab1ca (diff)
Create Essential DOC Structure for AAF
Issue-ID: AAF-328
Change-Id: I9508611149405bd95d0d1bf2ebe1e0ed37ba333b
Signed-off-by: Instrumental <jonathan.gathman@att.com>
Diffstat (limited to 'docs/sections/architecture')
-rw-r--r--  docs/sections/architecture/aaf-cm.png            bin  0 -> 149239 bytes
-rw-r--r--  docs/sections/architecture/aaf-object-model.jpg  bin  0 -> 189989 bytes
-rw-r--r--  docs/sections/architecture/aaf_architecture.rst  49
-rw-r--r--  docs/sections/architecture/security.rst          29
4 files changed, 78 insertions, 0 deletions
diff --git a/docs/sections/architecture/aaf-cm.png b/docs/sections/architecture/aaf-cm.png
new file mode 100644
index 00000000..602f17e4
--- /dev/null
+++ b/docs/sections/architecture/aaf-cm.png
Binary files differ
diff --git a/docs/sections/architecture/aaf-object-model.jpg b/docs/sections/architecture/aaf-object-model.jpg
new file mode 100644
index 00000000..30caa7d5
--- /dev/null
+++ b/docs/sections/architecture/aaf-object-model.jpg
Binary files differ
diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst
new file mode 100644
index 00000000..6e522888
--- /dev/null
+++ b/docs/sections/architecture/aaf_architecture.rst
@@ -0,0 +1,49 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+AAF Architecture
+================
+AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to used an Application’s detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-SUB topic controlled within the App.
+
+This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords.
+
+To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally.
+
+|image0|
+
+.. |image0| image:: aaf-object-model.jpg
+ :height: 600px
+ :width: 800px
+
+Certificate Manager
+===================
+
+Overview
+--------
+Every secure transaction requires 1) Encryption 2) Authentication 3) Authorization.
+
+ - HTTP/S provides the core Encryption whenever used, so all of AAF Components require HTTP/S to the current protocol standards (current is TLS 1.1+ as of Nov 2016)
+ - HTTP/S requires X.509 certificates at least on the Server at minimum. (in this mode, 1 way, a client Certificate is generated)
+ - Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access are not needed
+ - These same certificates can be used for identifying the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
+ - Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds a ILM AppID in the Subject. These are created by AT&T specific Internal Certificate Authority, which only generates certificates for AAF Certman. Since AAF Certman validates the Sponsorship of the AppID with requests (automatically), the end user can depend on the AppID embedded in the Subject to be valid without resorting to external calls or passwords.
+
+ - ex:
+ - Authorization - AAF Certman utilizes AAF's Fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process
+
+|image1|
+
+.. |image1| image:: aaf-cm.png
+ :height: 768px
+ :width: 1024px
+
+Capabilities
+------------
+
+
+Usage Scenarios
+---------------
+
+
+Interactions
+------------
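Review bot: The second Overview bullet contradicts itself: in one-way (server-only) TLS the client presents no certificate, so "(in this mode, 1 way, a client Certificate is generated)" should say that no client certificate is required, and the mutual-TLS case (client presents its own certificate) should be described separately, since the following bullets rely on that client certificate for Authentication. The protocol floor "TLS 1.1+ as of Nov 2016" is stale for a 2018 document and TLS 1.1 is no longer an acceptable minimum; state TLS 1.2 as the floor or point at the project's TLS policy instead of a dated parenthetical. Smaller points in the same hunk: "able to used" should be "able to use"; the empty "- ex:" bullet should be filled or dropped; the references to the "AT&T Internal Certificate Authority" and "ILM AppID" should be reworded as a deployment-specific CA and identity scheme so the text holds for non-AT&T installs; and Capabilities, Usage Scenarios and Interactions are empty headings that should get content or be removed before merge.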
diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst
new file mode 100644
index 00000000..fd10dc98
--- /dev/null
+++ b/docs/sections/architecture/security.rst
@@ -0,0 +1,29 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Security Architecture
+=====================
+Communicating
+-------------
+When one compute process needs to communicate to another, it does so with networking.
+
+The service side is always compute process, but the client can be of two types:
+ - People (via browser, or perhaps command line tool)
+ - Compute process talking to another computer process.
+
+Thus, the essential building blocks of any networked system is made up of
+
+
+In larger systems, it is atypical
+
+Communicating *Securely*
+------------------------
+Whenever two processing entities exist that need to communicate securely, it is *essential* that
+ - The communications between the two are encrypted
+ - The identities of the caller and callee are established (authentication)
+ - The caller must be allowed to do what it is asking to do (authorization)
+
+
+
+
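Review bot: Two sentences in security.rst are left unfinished: "Thus, the essential building blocks of any networked system is made up of" stops without naming the blocks, and "In larger systems, it is atypical" stops mid-thought; complete both or remove them before merge, since they currently render as dangling fragments. Grammar in the same hunk: "The service side is always compute process" needs "a", and "Compute process talking to another computer process" should read "compute process" in both places for consistency. The three requirements under Communicating *Securely* (encryption, authentication, authorization) repeat the numbered list in aaf_architecture.rst's Overview; consider a cross-reference so the two pages do not drift apart.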