diff options
-rw-r--r-- | auth/auth-cass/docker/.gitignore | 1 | ||||
-rw-r--r-- | auth/auth-cass/docker/backup.sh | 11 | ||||
-rw-r--r-- | auth/auth-cass/docker/backup/backup.sh | 32 | ||||
-rw-r--r-- | auth/auth-cass/docker/cbackup.sh (renamed from auth/auth-cass/docker/backup/cbackup.sh) | 0 | ||||
-rw-r--r-- | auth/docker/aaf.sh | 48 | ||||
-rw-r--r-- | auth/docker/d.props.init | 8 | ||||
-rw-r--r-- | auth/docker/dpush.sh | 7 | ||||
-rw-r--r-- | auth/sample/local/aaf.props | 2 | ||||
-rw-r--r-- | auth/sample/local/org.osaaf.aaf.cm.ca.props | 2 | ||||
-rw-r--r-- | docs/index.rst | 119 | ||||
-rw-r--r-- | docs/sections/architecture/aaf_architecture.rst | 2 | ||||
-rw-r--r-- | docs/sections/architecture/images/aaf-hl-object-model.png | bin | 0 -> 188035 bytes | |||
-rw-r--r-- | docs/sections/architecture/images/aaf-permission-mapping.png | bin | 0 -> 13710 bytes | |||
-rw-r--r-- | docs/sections/architecture/images/aaf-use-case.png | bin | 0 -> 150364 bytes |
14 files changed, 180 insertions, 52 deletions
diff --git a/auth/auth-cass/docker/.gitignore b/auth/auth-cass/docker/.gitignore new file mode 100644 index 00000000..10d00b57 --- /dev/null +++ b/auth/auth-cass/docker/.gitignore @@ -0,0 +1 @@ +*.gz diff --git a/auth/auth-cass/docker/backup.sh b/auth/auth-cass/docker/backup.sh new file mode 100644 index 00000000..31a12141 --- /dev/null +++ b/auth/auth-cass/docker/backup.sh @@ -0,0 +1,11 @@ + +DIR=$(date +%Y%m%d) +echo $DIR +mkdir -p $DIR +docker container cp cbackup.sh aaf_cass:/opt/app/cass_backup +docker container exec -it aaf_cass bash -e '/opt/app/cass_backup/cbackup.sh' +docker container cp aaf_cass:/opt/app/cass_backup/ $DIR/ +mv $DIR/cass_backup/*.dat $DIR +tar -cvzf $DIR.gz $DIR +rm -Rf $DIR + diff --git a/auth/auth-cass/docker/backup/backup.sh b/auth/auth-cass/docker/backup/backup.sh deleted file mode 100644 index 1359d3de..00000000 --- a/auth/auth-cass/docker/backup/backup.sh +++ /dev/null @@ -1,32 +0,0 @@ -# BEGIN Store prev -BD=/opt/app/osaaf/backup -if [ -e "$BD/6day" ]; then - rm -Rf $BD/6day -fi - -PREV=$BD/6day -for D in $BD/5day $BD/4day $BD/3day $BD/2day $BD/yesterday; do - if [ -e "$D" ]; then - mv "$D" "$PREV" - fi - PREV="$D" -done - -if [ -e "$BD/today" ]; then - if [ -e "$BD/backup.log" ]; then - mv $BD/backup.log $BD/today - fi - gzip $BD/today/* - mv $BD/today $BD/yesterday -fi - -mkdir $BD/today - -# END Store prev -date -docker exec -t aaf_cass bash -c "mkdir -p /opt/app/cass_backup" -docker container cp $BD/cbackup.sh aaf_cass:/opt/app/cass_backup/backup.sh -# echo "login as Root, then run \nbash /opt/app/cass_backup/backup.sh" -docker exec -t aaf_cass bash /opt/app/cass_backup/backup.sh -docker container cp aaf_cass:/opt/app/cass_backup/. $BD/today -date diff --git a/auth/auth-cass/docker/backup/cbackup.sh b/auth/auth-cass/docker/cbackup.sh index 9c91d0c6..9c91d0c6 100644 --- a/auth/auth-cass/docker/backup/cbackup.sh +++ b/auth/auth-cass/docker/cbackup.sh diff --git a/auth/docker/aaf.sh b/auth/docker/aaf.sh index a54c54a1..efd4fe37 100644 --- a/auth/docker/aaf.sh +++ b/auth/docker/aaf.sh @@ -1,9 +1,8 @@ #!/bin/bash . ./d.props -docker run \ - -it \ - --rm \ +function run_it() { + docker run $@ \ --mount 'type=volume,src=aaf_config,dst='$CONF_ROOT_DIR',volume-driver=local' \ --add-host="$HOSTNAME:$HOST_IP" \ --add-host="aaf.osaaf.org:$HOST_IP" \ @@ -13,4 +12,45 @@ docker run \ --env LONGITUDE=${LONGITUDE} \ --name aaf_config_$USER \ $PREFIX${ORG}/${PROJECT}/aaf_config:${VERSION} \ - /bin/bash "$@" + /bin/bash $PARAMS +} + +function encrypt_it() { + docker exec -t aaf_config_$USER /bin/bash /opt/app/aaf_config/bin/agent.sh NOOP encrypt "$1" "$2" +} + +P12_LOAD="no" + +for PROP in AAF_INITIAL_X509_P12 AAF_INITIAL_X509_PASSWORD AAF_SIGNER_P12 AAF_SIGNER_PASSWORD; do + if [ "${!PROP}" != "" ]; then + P12_LOAD='yes' + break; + fi +done + +# First Time Run does a bit more setup +if [ "$(docker volume ls | grep aaf_config)" = "" ] && [ ${P12_LOAD} = "yes" ]; then + echo "Initializing first aaf_config" + if [ "$(docker container ls | grep aaf_config_$USER)" = "" ]; then + PARAMS="bash" + run_it -t -d + else + echo "aaf_config_$USER is already running" + fi + docker container cp ${AAF_INITIAL_X509_P12} aaf_config_$USER:/opt/app/osaaf/local/org.osaaf.aaf.p12 + docker container cp ${AAF_SIGNER_P12} aaf_config_$USER:/opt/app/osaaf/local/org.osaaf.aaf.signer.p12 + + encrypt_it cadi_keystore_password "${AAF_INITIAL_X509_PASSWORD}" + encrypt_it cm_ca.local "${AAF_SIGNER_PASSWORD}" + + echo -n "Stopping " + docker container stop aaf_config_$USER + echo -n "Removing " + docker container rm aaf_config_$USER +fi + +PARAMS="$@" +if [ "$PARAMS" != "" ]; then + run_it -it --rm +fi + diff --git a/auth/docker/d.props.init b/auth/docker/d.props.init index 1394c76d..782f0c3f 100644 --- a/auth/docker/d.props.init +++ b/auth/docker/d.props.init @@ -16,3 +16,11 @@ AAF_ENV=DEV AAF_REGISTER_AS=$HOSTNAME LATITUDE= LONGITUDE= +# +# Initial AAF Certificate (not Generated) +AAF_INITIAL_X509_P12= +AAF_INITIAL_X509_PASSWORD= + +# CA info (leave blank unless functioning as CA) +AAF_SIGNER_P12= +AAF_SIGNER_PASSWORD= diff --git a/auth/docker/dpush.sh b/auth/docker/dpush.sh index f6ea970a..d7ba9fb6 100644 --- a/auth/docker/dpush.sh +++ b/auth/docker/dpush.sh @@ -4,12 +4,7 @@ # Pull in Variables from d.props . ./d.props -f [ "$1" == "" ]; then - AAF_COMPONENTS=$(cat components) -else - AAF_COMPONENTS="$@" -fi - +AAF_COMPONENTS=$(cat components) for AAF_COMPONENT in ${AAF_COMPONENTS}; do # docker push ${DOCKER_REPOSITORY}/${ORG}/${PROJECT}/aaf_${AAF_COMPONENT}:${OLD_VERSION} diff --git a/auth/sample/local/aaf.props b/auth/sample/local/aaf.props index f8c4f886..71ba73a2 100644 --- a/auth/sample/local/aaf.props +++ b/auth/sample/local/aaf.props @@ -15,7 +15,7 @@ cadi_alias=aaf@aaf.osaaf.org cadi_keystore=/opt/app/osaaf/local/org.osaaf.aaf.p12 cadi_truststore=/opt/app/osaaf/public/truststoreONAPall.jks cadi_truststore_password=changeit -cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US +cadi_x509_issuers=CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US # Other aaf_data_dir=/opt/app/osaaf/data diff --git a/auth/sample/local/org.osaaf.aaf.cm.ca.props b/auth/sample/local/org.osaaf.aaf.cm.ca.props index 5c692f4b..98e16ce7 100644 --- a/auth/sample/local/org.osaaf.aaf.cm.ca.props +++ b/auth/sample/local/org.osaaf.aaf.cm.ca.props @@ -4,7 +4,7 @@ ## #Certman -cm_ca.local=org.onap.aaf.auth.cm.ca.LocalCA,/opt/app/osaaf/local/org.osaaf.aaf.signer.p12;aaf_intermediate_7;enc: +cm_ca.local=org.onap.aaf.auth.cm.ca.LocalCA,/opt/app/osaaf/local/org.osaaf.aaf.signer.p12;aaf_intermediate_9;enc: cm_ca.local.idDomains=org.osaaf cm_ca.local.baseSubject=/OU=OSAAF/O=ONAP/C=US cm_ca.local.perm_type=org.osaaf.aaf.ca diff --git a/docs/index.rst b/docs/index.rst index f31f7cee..0390857f 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -4,7 +4,7 @@ AAF - Application Authorization Framework ================================================== -.. The purpose of AAF (Application Authorization Framework) is to organize software authorizations so that applications, tools and services can match the access needed to perform job functions. +.. The purpose of AAF (Application Authorization Framework) is to organize software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to used an Application's detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-SUB topic controlled within the App. @@ -26,17 +26,77 @@ Sections sections/development/index sections/logging sections/release-notes - + Introduction ------------ -AAF contains some elements of Role Based Authorization, but includes Attribute Based Authorization elements as well. +AAF acronym stands for Application Authorization Framework and initially it was focused on “Authorization”, but now supports implementations for both Authentication and Authorization. AAF is a set of Client Libraries (CADI Framework) and RESTful Services that support multiple Authentication Protocols and Fine-Grained Authorization. +The goal of AAF project is to provide consistent authentication, authorization and security to various ONAP components. AAF organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to use an Application's detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-Sub topic controlled within the App. This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords. The sister framework CADI (Code Access Data Identity) allows Java Applications to utilize Identity Authentication methods as plugins. Certificate Manager delivers X509 certificates in support of 2 way x509 TLS. + +AAF contains some elements of Role Based Authorization, but includes Attribute Based Authorization elements as well. + +Entities within AAF +------------------- + +AAF is an IAM that organizes software authorizations so that applications, tools and services can match the access needed to perform job functions. AAF is more than a typical RBAC. There are Roles, to be sure, but the important Architectural Pattern includes separation of Roles and Permissions. |image0| -.. |image0| image:: sections/architecture/images/aaf-object-model.jpg +.. |image0| image:: sections/architecture/images/aaf-permission-mapping.png + :height: 200px + :width: 500px + +A permission is composed of the following attributes: + +* Type: core name of the permission +* Instance: the object that is being interacted +* Action: What is happening with this object + +All roles, permissions identities of a given module in ONAP is covered by a Namespace (e.g. roles, permission and identities for the APP-C modules of ONAP) + +The permissions, having a 3 part definition, make AAF also like an ABAC (A=Attribute). +Roles, Permissions are stored centrally, but segregated by Application (the proverbial Namespace). The Application Creates Permissions that match their code (for the question "Does User have Permission"). Permissions are granted to Roles, to which the User belongs. AAF is not a Policy Engine, where dynamically based Policies are validated against differing kinds of Data Stores. AAF (Application Authorization Framework) is focused on RealTime Authentication and Authorization. + +Namespace +^^^^^^^^^ +A Namespace, in AAF, is the ensemble of Roles, Permissions and Identities. Namespaces are known by domain, example com.onap.dcae or com.onap.appc and they are hierarchically managed. A Namespace is assigned to an application and contains one or more roles and one or more permissions. By default, every namespace has an admin role + +**People in Namespaces** + +Tasks Owner (Responsible) must do: + +* Owners receive by email a notification to Approve +* Owners also receive notifications of time based activities + + * Periodic Revalidation of Users in Roles in Namespace + * Periodic Revalidation of Permission in Namespace to Roles + +Admins may: + +* Create/Delete/Modify Roles in Namespace +* Add/Remove Users from Roles in Namespace +* Create/Delete/Modify Permissions in Namespace +* Grant/Ungrant Permissions in Namespace to any Role in the company (Cross Company Role Grants are possible, but require approvals from both sides). + +Only Namespace Admins may manage Roles/Permissions within a Namespace. The Granting process is One-Way. The Namespace Admins must Grant given Permissions to Roles on request. + + + + +Object Model +^^^^^^^^^^^^ + +|image1| + +.. |image1| image:: sections/architecture/images/aaf-hl-object-model.png :height: 600px :width: 800px +Resource Owner in ONAP defines permissions: + +* He defines and grants permission to roles +* Get notified by a mail when an Identity with a Role asks to be granted a permission + + Essential Components -------------------- @@ -44,8 +104,53 @@ The core component to deliver this Enterprise Access is a RESTful service, with The Data is managed by RESTful API, with Admin functions supplemented by Character Based User interface and certain GUI elements. --The Service accessible by provided Caching Clients and by specialized plugins +CADI Framework +^^^^^^^^^^^^^^ + +CADI is a framework for providing Enterprise Class Authentication and Authorization with minimal configuration to Containers and Standalone Services +It is in fact a library used by services to: + +* Authenticate with one or more Authentication Protocols +* Authorize in a FINE-GRAINED manner using AAF Components + +AAF Components – RESTful Services +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +Service (primary) – All the Authorization information, it is accessible by provided Caching Clients and by specialized plugins: + +* Locate – how to find ANY OR ALL AAF instances across any geographic distribution +* OAuth 2.0 – new component providing Tokens and Introspection +* GUI – Tool to view and manage Authorization Information, and create Credentials +* Certman – Certificate Manger, create and renew X509 with Fine-Grained Identity +* FS – File Server to provide access to distributable elements (like well known certs) +* Hello - Test your client access (certs, OAuth 2.0, etc.) + +Cassandra as global replicating Data Store +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + + +How AAF works +--------------------- +To understand how AAF works, let's describe its workflow through a high level "three tiered web app" use case: + +|image2| + +.. |image2| image:: sections/architecture/images/aaf-use-case.png + :height: 400px + :width: 800px + + +1. Browser client goes to GUI using for instance SSO plugin (or Basic Auth) +2. App goes directly to a Service using x509 or Basic Auth (or other) +3. CADI Filter coverts credential to “Principal”. If not in cache, AAF is contacted for Permissions protecting GUI with Service ID/Credential (MechID of App/Pass or X.509 Client Cert (preferred)). +4. AAF does provide User/Password features, or can be delegated to other credential service via Plugin +5. If information is not in Service Cache, AAF’s DB is contacted using AAF Service ID/Credential. +6. Client App uses Permission Attributes delivered by AAF/AAF Cache for protecting sensitive data/functions (using J2EE method). +7. If not in Cache, Client contacts App Service, using App ID/Credential. +8. CADI Filter converts App ID/Credential to Principal. If not in cache, contacts with AAF (with App ID/Credential) for Permissions of Client. +9. App protects data based on Client Permissions. +10. Component contacts next layer using Service ID/Credential. +11. If ID or Permissions of AppServer are not in Cache, contact AAF using AAF Security Plugin for Cassandra, which uses AAF Java Client. +12. Cassandra protects Cluster/Keyspace/ColumnFamily w/Permissions. --CADI (A Framework for providing Enterprise Class Authentication and Authorization with minimal configuration to Containers and Standalone Services) --Cassandra (GRID Core) diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst index e806fb64..8681cf12 100644 --- a/docs/sections/architecture/aaf_architecture.rst +++ b/docs/sections/architecture/aaf_architecture.rst @@ -11,7 +11,7 @@ To be effective during a computer transaction, Security must not only be secure, |image0| -.. |image0| image:: images/aaf-object-model.jpg +.. |image0| image:: images/aaf-hl-object-model.png :height: 600px :width: 800px diff --git a/docs/sections/architecture/images/aaf-hl-object-model.png b/docs/sections/architecture/images/aaf-hl-object-model.png Binary files differnew file mode 100644 index 00000000..f20eaace --- /dev/null +++ b/docs/sections/architecture/images/aaf-hl-object-model.png diff --git a/docs/sections/architecture/images/aaf-permission-mapping.png b/docs/sections/architecture/images/aaf-permission-mapping.png Binary files differnew file mode 100644 index 00000000..cad01dad --- /dev/null +++ b/docs/sections/architecture/images/aaf-permission-mapping.png diff --git a/docs/sections/architecture/images/aaf-use-case.png b/docs/sections/architecture/images/aaf-use-case.png Binary files differnew file mode 100644 index 00000000..38427453 --- /dev/null +++ b/docs/sections/architecture/images/aaf-use-case.png |