Diffstat (limited to 'docs')
-rw-r--r--  docs/.gitignore                                                  |   5
-rw-r--r--  docs/index.rst                                                   |  17
-rw-r--r--  docs/sections/architecture/aaf_architecture.rst                  |  38
-rw-r--r--  docs/sections/architecture/images/SecurityArchAAF.svg            |  55
-rw-r--r--  docs/sections/architecture/images/SecurityArchAAFOrg.svg         | 128
-rw-r--r--  docs/sections/architecture/images/SecurityArchBasic_1.svg        |  48
-rw-r--r--  docs/sections/architecture/images/SecurityArchBasic_TLS.svg      |  62
-rw-r--r--  docs/sections/architecture/images/SecurityArchCADI.svg           |  64
-rw-r--r--  docs/sections/architecture/images/SecurityArchCADIClient.svg     |  70
-rw-r--r--  docs/sections/architecture/images/SecurityArchFull.svg           | 275
-rw-r--r--  docs/sections/architecture/images/aaf-cm.png                     | bin 0 -> 149239 bytes
-rw-r--r--  docs/sections/architecture/images/aaf-object-model.jpg (renamed from docs/aaf-object-model.jpg) | bin 189989 -> 189989 bytes
-rw-r--r--  docs/sections/architecture/index.rst                             |  12
-rw-r--r--  docs/sections/architecture/security.rst                          | 150
-rw-r--r--  docs/sections/configuration/client.rst                           | 212
-rw-r--r--  docs/sections/configuration/index.rst                            |  12
-rw-r--r--  docs/sections/configuration/service.rst                          | 362
-rw-r--r--  docs/sections/installation/AAF-Integration-Guide.rst             |  76
-rw-r--r--  docs/sections/installation/AAF_Environment_Beijing.rst           | 252
-rw-r--r--  docs/sections/installation/Bootstrapping-AAF-Components.rst      | 256
-rw-r--r--  docs/sections/installation/Installation.rst                      | 103
-rw-r--r--  docs/sections/installation/fromsource.rst                        | 190
-rw-r--r--  docs/sections/installation/index.rst                             |  12
-rw-r--r--  docs/sections/logging.rst                                        |  70
-rw-r--r--  docs/sections/release-notes.rst                                  |  72
25 files changed, 2535 insertions, 6 deletions
diff --git a/docs/.gitignore b/docs/.gitignore
new file mode 100644
index 00000000..965350de
--- /dev/null
+++ b/docs/.gitignore
@@ -0,0 +1,5 @@
+/_static/
+/etc/
+/.tox/
+/conf.py
+/tox.ini
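Review bot: ignoring `/conf.py` and `/tox.ini` means the Sphinx configuration for this docs tree is deliberately not tracked, and nothing in the change says where it comes from; add a comment line in the `.gitignore` (or a sentence in the docs index) naming the step that generates them, so a reader who clones the repo and finds no `conf.py` knows the docs are built by an external tooling step rather than being broken. The `/_static/` and `/.tox/` entries are ordinary build outputs and need no comment.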
diff --git a/docs/index.rst b/docs/index.rst
index 3ce33136..3b903c24 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -13,11 +13,18 @@ This is a critical function for Cloud environments, as Services need to be able
To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally.
+Sections
+++++++++
.. toctree::
- :maxdepth: 3
-
-
+ :maxdepth: 1
+ :glob:
+
+ sections/architecture/index
+ sections/installation/index
+ sections/configuration/index
+ sections/logging
+ sections/release-notes
Introduction
------------
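Review bot: the new `Sections` heading is underlined with `+`, while the existing `Introduction` heading directly below keeps its `-` underline; reStructuredText assigns heading levels by the order in which underline characters first appear, so `Introduction` and every later `-` heading will render as subsections of `Sections` instead of peers. Either drop the `Sections` heading (the toctree renders its own entries) or underline it with the same character the sibling headings already use. Separately, `:glob:` on the toctree is unnecessary when every entry is listed explicitly, as here.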
@@ -25,7 +32,7 @@ AAF contains some elements of Role Based Authorization, but includes Attribute B
|image0|
-.. |image0| image:: aaf-object-model.jpg
+.. |image0| image:: sections/architecture/images/aaf-object-model.jpg
:height: 600px
:width: 800px
@@ -41,5 +48,3 @@ The Data is managed by RESTful API, with Admin functions supplemented by Charact
-CADI (A Framework for providing Enterprise Class Authentication and Authorization with minimal configuration to Containers and Standalone Services)
-Cassandra (GRID Core)
-
--Hadoop Plugin (a plugin via Hadoop Group Mapper mechanism)
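Review bot: this hunk drops the component inventory (CADI, Cassandra as GRID Core, the Hadoop Group Mapper plugin) from the index without pointing anywhere else, so the index no longer tells a reader what CADI is even though the SecurityArchCADI images added in this same change rely on the term. Suggest moving the list into the new architecture section rather than deleting it, or leaving a one-line pointer such as "Components are described under Architecture" in its place.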
diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst
new file mode 100644
index 00000000..815a5a48
--- /dev/null
+++ b/docs/sections/architecture/aaf_architecture.rst
@@ -0,0 +1,38 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+AAF Architecture
+================
+AAF is designed to cover Fine-Grained Authorization, meaning that the Authorizations provided are able to used an Application’s detailed authorizations, such as whether a user may be on a particular page, or has access to a particular Pub-SUB topic controlled within the App.
+
+This is a critical function for Cloud environments, as Services need to be able to be installed and running in a very short time, and should not be encumbered with local configurations of Users, Permissions and Passwords.
+
+To be effective during a computer transaction, Security must not only be secure, but very fast. Given that each transaction must be checked and validated for Authorization and Authentication, it is critical that all elements on this path perform optimally.
+
+|image0|
+
+.. |image0| image:: images/aaf-object-model.jpg
+ :height: 600px
+ :width: 800px
+
+Certificate Manager
+===================
+
+Overview
+--------
+Every secure transaction requires 1) Encryption 2) Authentication 3) Authorization.
+
+ - HTTP/S provides the core Encryption whenever used, so all of AAF Components require HTTP/S to the current protocol standards (current is TLS 1.1+ as of Nov 2016)
+ - HTTP/S requires X.509 certificates at least on the Server at minimum. (in this mode, 1 way, a client Certificate is generated)
+ - Certificate Manager can generate certificates signed by the AT&T Internal Certificate Authority, which is secure and cost effective if external access are not needed
+ - These same certificates can be used for identifying the Application during the HTTP/S transaction, making a separate UserID/Password unnecessary for Authentication.
+ - Authentication - In order to tie generated certificates to a specific Application Identity, AAF Certificate Manager embeds a ILM AppID in the Subject. These are created by AT&T specific Internal Certificate Authority, which only generates certificates for AAF Certman. Since AAF Certman validates the Sponsorship of the AppID with requests (automatically), the end user can depend on the AppID embedded in the Subject to be valid without resorting to external calls or passwords.
+
+ - ex:
+ - Authorization - AAF Certman utilizes AAF's Fine-grained authorizations to ensure that only the right entities perform functions, thus ensuring the integrity of the entire Certificate Process
+
+|image1|
+
+.. |image1| image:: images/aaf-cm.png
+ :height: 768px
+ :width: 1024px
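Review bot: the second Overview bullet inverts the one-way TLS case: with server-only (one-way) HTTP/S the client does not present a certificate, so "(in this mode, 1 way, a client Certificate is generated)" should say that no client certificate is required in one-way mode and that a client certificate is added only for two-way (mutual) TLS, which is the mode the following bullets depend on when they use the certificate for Authentication. The protocol floor is also inconsistent within this change: this file says "TLS 1.1+ as of Nov 2016" while the SecurityArchBasic_TLS.svg added alongside labels every connection "TLS 1.2+"; state one floor (1.2+) and drop the dated parenthetical. Smaller items: the `- ex:` bullet under Authentication is empty and should either get its example or go; "able to used an Application's" should be "able to use an Application's"; "a ILM AppID" should be "an ILM AppID"; "if external access are not needed" should be "is not needed"; and "AT&T Internal Certificate Authority" reads as organisation-specific for a project document, so consider phrasing it as the deploying organisation's internal CA.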
diff --git a/docs/sections/architecture/images/SecurityArchAAF.svg b/docs/sections/architecture/images/SecurityArchAAF.svg
new file mode 100644
index 00000000..34b592ab
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchAAF.svg
@@ -0,0 +1,55 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="210.566" height="286.166" viewBox="0, 0, 210.566, 286.166">
+ <g id="AAF" transform="translate(-283.488, -41.5)">
+ <g>
+ <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+ <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+ <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+ <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+ </text>
+ </g>
+ <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+ <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+ <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+ <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+ </text>
+ <g>
+ <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+ <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+ <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+ <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+ <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+ <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+ </text>
+ </g>
+ </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchAAFOrg.svg b/docs/sections/architecture/images/SecurityArchAAFOrg.svg
new file mode 100644
index 00000000..f003b810
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchAAFOrg.svg
@@ -0,0 +1,128 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="427.813" height="340" viewBox="0, 0, 427.813, 340">
+ <g id="Connections" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)">
+ <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan>
+ <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan>
+ </text>
+ <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)">
+ <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan>
+ <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan>
+ </text>
+ <g>
+ <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ </g>
+ <g id="AAF" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+ <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+ <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+ <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+ </text>
+ </g>
+ <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+ <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+ <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+ <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+ </text>
+ <g>
+ <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+ <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+ <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+ <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+ <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+ <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+ </text>
+ </g>
+ </g>
+ <g id="Organization" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 139.612, 119)">
+ <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan>
+ <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)">
+ <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan>
+ <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan>
+ <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan>
+ </text>
+ </g>
+ <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <g>
+ <g>
+ <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)">
+ <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan>
+ <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)">
+ <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan>
+ <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)">
+ <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan>
+ <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)">
+ <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan>
+ <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan>
+ </text>
+ </g>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)">
+ <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan>
+ </text>
+ </g>
+</svg>
diff --git a/docs/sections/architecture/images/SecurityArchBasic_1.svg b/docs/sections/architecture/images/SecurityArchBasic_1.svg
new file mode 100644
index 00000000..1066f2c3
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchBasic_1.svg
@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="516.973" height="313.5" viewBox="0, 0, 516.973, 313.5">
+ <g id="Basics" transform="translate(-175.969, -237)">
+ <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/>
+ <g>
+ <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.812, 266)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/>
+ <g>
+ <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.099, 266)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ </g>
+</svg>
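Review bot: the Basics group draws every element twice: the "Application Two" box and label, the "User One (Person)" box and label, and the "Application One" box and label each appear a second time offset by a fraction of a unit (the first box starts at x=186.675, its duplicate at x=185.961). The overlap is invisible when rendered but doubles the file and will show as blurred text edges in some renderers; remove the second copy of each shape before merging. The same duplicated set of shapes is present in the SecurityArchBasic_TLS.svg hunk that follows, and the fix should be applied there too.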
diff --git a/docs/sections/architecture/images/SecurityArchBasic_TLS.svg b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg
new file mode 100644
index 00000000..664593bd
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg
@@ -0,0 +1,62 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.817" height="313.5" viewBox="0, 0, 517.817, 313.5">
+ <g id="TLS" transform="translate(-175.969, -237)">
+ <text transform="matrix(-0, 1, -1, -0, 639.901, 366.492)">
+ <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+ </text>
+ <text transform="matrix(1, -0, 0, 1, 439.736, 509.201)">
+ <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+ </text>
+ <text transform="matrix(1, 0, 0, 1, 634.155, 457.499)">
+ <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ <text transform="matrix(-0, 1, -1, -0, 320.012, 516.681)">
+ <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ </g>
+ <g id="Basics" transform="translate(-175.969, -237)">
+ <path d="M186.675,488.5 L303.255,488.5 C308.773,488.5 313.247,490.649 313.247,493.3 L313.247,545.7 C313.247,548.351 308.773,550.5 303.255,550.5 L186.675,550.5 C181.156,550.5 176.682,548.351 176.682,545.7 L176.682,493.3 C176.682,490.649 181.156,488.5 186.675,488.5 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.965, 519.497)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.936,464.5 L683.521,464.5 C688.33,464.5 692.229,467.481 692.229,471.158 L692.229,543.841 C692.229,547.519 688.33,550.5 683.521,550.5 L581.936,550.5 C577.127,550.5 573.229,547.519 573.229,543.841 L573.229,471.158 C573.229,467.481 577.127,464.5 581.936,464.5 z" fill="#38AB4E"/>
+ <g>
+ <path d="M582.649,237 L684.234,237 C689.043,237 692.942,239.149 692.942,241.8 L692.942,294.2 C692.942,296.851 689.043,299 684.234,299 L582.649,299 C577.84,299 573.942,296.851 573.942,294.2 L573.942,241.8 C573.942,239.149 577.84,237 582.649,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.812, 266)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M631.441,299.5 L633.285,442" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M630.285,442.039 L633.388,450 L636.285,441.962 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M574.31,520.114 L335.202,521.06" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M335.19,518.06 L327.202,521.091 L335.214,524.06 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.729, 504.138)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ <path d="M185.961,488.5 L302.541,488.5 C308.06,488.5 312.534,490.649 312.534,493.3 L312.534,545.7 C312.534,548.351 308.06,550.5 302.541,550.5 L185.961,550.5 C180.442,550.5 175.969,548.351 175.969,545.7 L175.969,493.3 C175.969,490.649 180.442,488.5 185.961,488.5 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.251, 519.498)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.222,464.5 L682.808,464.5 C687.617,464.5 691.515,467.481 691.515,471.158 L691.515,543.842 C691.515,547.519 687.617,550.5 682.808,550.5 L581.222,550.5 C576.413,550.5 572.515,547.519 572.515,543.842 L572.515,471.158 C572.515,467.481 576.413,464.5 581.222,464.5 z" fill="#38AB4E"/>
+ <g>
+ <path d="M581.936,237 L683.521,237 C688.33,237 692.229,239.149 692.229,241.8 L692.229,294.2 C692.229,296.851 688.33,299 683.521,299 L581.936,299 C577.127,299 573.229,296.851 573.229,294.2 L573.229,241.8 C573.229,239.149 577.127,237 581.936,237 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.099, 266)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.015, 504.139)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ </g>
+</svg>
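Review bot: the "Application One" label is emitted twice in this hunk, once as a stand-alone `<text>` at `matrix(1, 0, 0, 1, 632.729, 504.138)` and again inside the closing `<g>` at `matrix(1, 0, 0, 1, 632.015, 504.139)`, with identical tspans. The two copies overlap by less than a pixel, so the label renders doubled and slightly blurred; keep one of them (the grouped one matches how "User One" is drawn) and drop the other.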
diff --git a/docs/sections/architecture/images/SecurityArchCADI.svg b/docs/sections/architecture/images/SecurityArchCADI.svg
new file mode 100644
index 00000000..b05a7f90
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchCADI.svg
@@ -0,0 +1,64 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.259" height="323.537" viewBox="0, 0, 517.259, 323.537">
+ <g id="CADI" transform="translate(-176.682, -236.872)">
+ <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+ <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+ <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+ <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+ </text>
+ <g>
+ <g>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+ <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <g>
+ <g>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+ <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+ <g>
+ <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+ <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ <g>
+ <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+ <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ </g>
+</svg>
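Review bot: the transport labels in this diagram read "HTTP/S" on both arrows while the authentication labels read "X509 Client" and "X509 Client or BasicAuth"; client-certificate authentication only exists over TLS, and BasicAuth over plain HTTP would expose the credential, so the "/S" reads as optional where it is not. Consider labelling the arrows "HTTPS" (or stating the TLS requirement) so the figure does not suggest that the CADI Filter can be reached without TLS.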
diff --git a/docs/sections/architecture/images/SecurityArchCADIClient.svg b/docs/sections/architecture/images/SecurityArchCADIClient.svg
new file mode 100644
index 00000000..66ab0737
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchCADIClient.svg
@@ -0,0 +1,70 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="517.259" height="330.354" viewBox="0, 0, 517.259, 330.354">
+ <g id="CADI" transform="translate(-176.682, -236.872)">
+ <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+ <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+ <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+ <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+ </text>
+ <g>
+ <g>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+ <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <g>
+ <g>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+ <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+ <g>
+ <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+ <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ <g>
+ <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+ <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ </g>
+ <g id="CADI_Client" transform="translate(-176.682, -236.872)">
+ <text transform="matrix(1, -0, 0, 1, 459.076, 543.239)">
+ <tspan x="-89.025" y="-13.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Utilize CADI Client REST client (auto </tspan>
+ <tspan x="-89.025" y="-1.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">loads credentials, Contexts, etc)</tspan>
+ </text>
+ </g>
+</svg>
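Review bot: the whole `<g id="CADI">` group here (from `<text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">` through the closing `</g>` before `<g id="CADI_Client">`) is a byte-for-byte copy of the group in SecurityArchCADI.svg; the only new content is the two-line "Utilize CADI Client REST client" caption. Any later correction to the base diagram will have to be applied in both files (and again in SecurityArchFull.svg, which repeats the same group); consider keeping a single source drawing and exporting the variants, or documenting that these files are generated so nobody hand-edits one copy.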
diff --git a/docs/sections/architecture/images/SecurityArchFull.svg b/docs/sections/architecture/images/SecurityArchFull.svg
new file mode 100644
index 00000000..f25fd0c2
--- /dev/null
+++ b/docs/sections/architecture/images/SecurityArchFull.svg
@@ -0,0 +1,275 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0" y="0" width="627.701" height="525.726" viewBox="0, 0, 627.701, 525.726">
+ <g id="Direct_AAF" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M572.081,454.632 L395.909,317.04" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M397.756,314.675 L389.604,312.116 L394.062,319.404 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M606.551,441 L445.662,316.508" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M447.498,314.135 L439.335,311.612 L443.826,318.88 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(0.79, 0.613, -0.613, 0.79, 497.62, 402.334)">
+ <tspan x="-43.687" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">1) User/Password</tspan>
+ <tspan x="-58.872" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">validation (if Basic Auth)</tspan>
+ </text>
+ <text transform="matrix(0.79, 0.613, -0.613, 0.79, 531.051, 387.658)">
+ <tspan x="-22.418" y="-9.685" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">2) Obtain</tspan>
+ <tspan x="-41.762" y="8.315" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">AAF Permissions</tspan>
+ </text>
+ </g>
+ <g id="AAF_Batch" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M351.193,158.06 L351.024,222.389 C351.016,225.434 349.725,227.899 348.14,227.893 L316.818,227.788 C315.233,227.783 313.955,225.31 313.963,222.265 L314.132,157.936 C314.14,154.89 315.431,152.426 317.015,152.431 L348.338,152.537 C349.923,152.542 351.201,155.015 351.193,158.06 z" fill="#D65E15" fill-opacity="0.52"/>
+ <text transform="matrix(-0.003, 1, -1, -0.003, 332.578, 190.162)">
+ <tspan x="-13.15" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Batch </tspan>
+ <tspan x="-28.805" y="8.987" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Maintenance</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M314.463,190.662 L209.956,190.662" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M209.956,187.662 L201.956,190.662 L209.956,193.662 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, -0, 1, 259.372, 193.06)">
+ <tspan x="-19.959" y="-6.244" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Expiring</tspan>
+ <tspan x="-16.604" y="9.356" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Events</tspan>
+ </text>
+ <g>
+ <path d="M200.956,198.706 L229.109,198.706 L229.109,224.632 L209.956,224.632" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M209.956,221.632 L201.956,224.632 L209.956,227.632 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M351.693,200.083 L437.888,200.083" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+ <path d="M437.888,203.083 L445.888,200.083 L437.888,197.083 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ </g>
+ <g id="AAF_Cassandra" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M485.176,158.06 L485.007,222.389 C484.999,225.434 483.708,227.899 482.123,227.893 L450.8,227.788 C449.216,227.783 447.938,225.31 447.946,222.265 L448.114,157.936 C448.122,154.89 449.414,152.426 450.998,152.431 L482.321,152.537 C483.906,152.542 485.184,155.015 485.176,158.06 z" fill="#1715D6" fill-opacity="0.52"/>
+ <text transform="matrix(-0.003, 1, -1, -0.003, 463.496, 190.162)">
+ <tspan x="-24.075" y="-3.013" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cassandra</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M433.476,96.895 L462.989,144.836" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+ <path d="M460.434,146.409 L467.183,151.648 L465.544,143.263 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M433.476,180.993 L439.445,180.993" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+ <path d="M439.445,183.993 L447.445,180.993 L439.445,177.993 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M433.476,219.752 L441.331,213.665" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+ <path d="M443.169,216.036 L447.655,208.765 L439.494,211.294 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M448.674,243.29 L460.62,233.94" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-dasharray="3,2"/>
+ <path d="M462.469,236.303 L466.919,229.01 L458.771,231.578 z" fill-opacity="0" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ </g>
+ <g id="Connections" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M366.78,98.146 L209.158,119.643" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M208.753,116.671 L201.232,120.724 L209.564,122.616 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M353.251,291.445 L206.695,276.655" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M206.996,273.67 L198.736,275.852 L206.394,279.64 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(0.991, -0.136, 0.136, 0.991, 269.475, 112.33)">
+ <tspan x="-11" y="-7.49" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Sign</tspan>
+ <tspan x="-14.052" y="9.31" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">CSRs</tspan>
+ </text>
+ <text transform="matrix(0.996, 0.095, -0.095, 0.996, 260.93, 287.412)">
+ <tspan x="-21.796" y="-9.522" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Delegate</tspan>
+ <tspan x="-26.493" y="6.078" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">by Domain</tspan>
+ </text>
+ <g>
+ <path d="M353.251,263.072 L211.399,240.185" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M211.877,237.223 L203.501,238.911 L210.921,243.147 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ </g>
+ <g id="AAF" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M360.277,242.79 L448.072,242.79 C452.228,242.79 455.597,244.074 455.597,245.659 L455.597,276.982 C455.597,278.567 452.228,279.851 448.072,279.851 L360.277,279.851 C356.12,279.851 352.751,278.567 352.751,276.982 L352.751,245.659 C352.751,244.074 356.12,242.79 360.277,242.79 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 404.174, 264.314)">
+ <tspan x="-16.57" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Service</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,79.5 L428.002,79.5 C430.693,79.5 432.875,80.785 432.875,82.369 L432.875,113.692 C432.875,115.277 430.693,116.562 428.002,116.562 L371.153,116.562 C368.462,116.562 366.281,115.277 366.281,113.692 L366.281,82.369 C366.281,80.785 368.462,79.5 371.153,79.5 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 101.024)">
+ <tspan x="-20.745" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Cert Man</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,201.967 L428.002,201.967 C430.693,201.967 432.874,203.252 432.874,204.837 L432.874,236.16 C432.874,237.744 430.693,239.029 428.002,239.029 L371.153,239.029 C368.462,239.029 366.28,237.744 366.28,236.16 L366.28,204.837 C366.28,203.252 368.462,201.967 371.153,201.967 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.577, 223.491)">
+ <tspan x="-14.175" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">OAuth</tspan>
+ </text>
+ </g>
+ <path d="M305.139,73 L493.554,73 L493.554,327.166 L305.139,327.166 L305.139,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <text transform="matrix(1, 0, 0, 1, 380.99, 60.5)">
+ <tspan x="-12.155" y="-7" font-family="HelveticaNeue" font-size="13" fill="#000000" fill-opacity="0.87">AAF</tspan>
+ <tspan x="12.155" y="-7" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87"> </tspan>
+ <tspan x="-76.495" y="5" font-family="HelveticaNeue" font-size="9" fill="#000000" fill-opacity="0.87">(Application Authorization Framework)</tspan>
+ </text>
+ <g>
+ <path d="M355.161,279.851 L383.272,279.851 C384.603,279.851 385.682,280.931 385.682,282.263 L385.682,308.589 C385.682,309.92 384.603,311 383.272,311 L355.161,311 C353.83,311 352.751,309.92 352.751,308.589 L352.751,282.263 C352.751,280.931 353.83,279.851 355.161,279.851 z" fill="#15C6D6" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 369.216, 297.941)">
+ <tspan x="-13.155" y="1.374" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authn</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M390.797,278.605 L450.482,278.605 C453.307,278.605 455.597,279.728 455.597,281.113 L455.597,308.492 C455.597,309.877 453.307,311 450.482,311 L390.797,311 C387.972,311 385.682,309.877 385.682,308.492 L385.682,281.113 C385.682,279.728 387.972,278.605 390.797,278.605 z" fill="#D6AF15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 420.639, 297.419)">
+ <tspan x="-12.775" y="1.029" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Authz</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,161.145 L428.002,161.145 C430.693,161.145 432.875,162.43 432.875,164.014 L432.875,195.337 C432.875,196.922 430.693,198.207 428.002,198.207 L371.153,198.207 C368.462,198.207 366.281,196.922 366.281,195.337 L366.281,164.014 C366.281,162.43 368.462,161.145 371.153,161.145 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 182.669)">
+ <tspan x="-17.13" y="-0.264" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">Locator</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M371.153,120.322 L428.002,120.322 C430.693,120.322 432.875,121.607 432.875,123.192 L432.875,154.515 C432.875,156.099 430.693,157.384 428.002,157.384 L371.153,157.384 C368.462,157.384 366.281,156.099 366.281,154.515 L366.281,123.192 C366.281,121.607 368.462,120.322 371.153,120.322 z" fill="#D65F15" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 399.578, 138.083)">
+ <tspan x="-8.7" y="-1.5" font-family="HelveticaNeue" font-size="10" fill="#FFFFFF" fill-opacity="0.87">GUI </tspan>
+ <tspan x="-25.564" y="8.5" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">(Management)</tspan>
+ </text>
+ </g>
+ </g>
+ <g id="Organization" transform="translate(-66.241, -41.5)">
+ <g>
+ <path d="M89.448,90 L191.034,90 C195.843,90 199.741,92.149 199.741,94.8 L199.741,147.2 C199.741,149.851 195.843,152 191.034,152 L89.448,152 C84.639,152 80.741,149.851 80.741,147.2 L80.741,94.8 C80.741,92.149 84.639,90 89.448,90 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 139.612, 119)">
+ <tspan x="-38.87" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Certificate</tspan>
+ <tspan x="-34.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Authority</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M89.448,299 L191.034,299 C195.843,299 199.741,301.149 199.741,303.8 L199.741,356.2 C199.741,358.851 195.843,361 191.034,361 L89.448,361 C84.639,361 80.741,358.851 80.741,356.2 L80.741,303.8 C80.741,301.149 84.639,299 89.448,299 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 139.612, 330.5)">
+ <tspan x="-17.629" y="-7" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">DNS</tspan>
+ <tspan x="-25.454" y="7" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">(Externally </tspan>
+ <tspan x="-17.314" y="19" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">Visible)</tspan>
+ </text>
+ </g>
+ <path d="M67.741,73 L213.741,73 L213.741,381 L67.741,381 L67.741,73 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <g>
+ <g>
+ <path d="M89.448,157.75 L191.034,157.75 C195.843,157.75 199.741,162.447 199.741,168.24 L199.741,282.76 C199.741,288.553 195.843,293.25 191.034,293.25 L89.448,293.25 C84.639,293.25 80.741,288.553 80.741,282.76 L80.741,168.24 C80.741,162.447 84.639,157.75 89.448,157.75 z" fill="#4D9BAF" fill-opacity="0.87"/>
+ <text transform="matrix(-0, -1, 1, -0, 140.241, 211.015)">
+ <tspan x="-24.744" y="-34.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Formal</tspan>
+ <tspan x="-45.104" y="-16.173" font-family="HelveticaNeue" font-size="16" fill="#FFFFFF" fill-opacity="0.87">Organization</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,176.934 L195.204,176.934 C197.71,176.934 199.741,178.038 199.741,179.401 L199.741,206.325 C199.741,207.687 197.71,208.792 195.204,208.792 L142.278,208.792 C139.772,208.792 137.741,207.687 137.741,206.325 L137.741,179.401 C137.741,178.038 139.772,176.934 142.278,176.934 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 192.863)">
+ <tspan x="-22.914" y="-2.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Notification</tspan>
+ <tspan x="-15.089" y="8.5" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">System</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,216.731 L195.204,216.731 C197.71,216.731 199.741,217.835 199.741,219.197 L199.741,246.122 C199.741,247.484 197.71,248.588 195.204,248.588 L142.278,248.588 C139.772,248.588 137.741,247.484 137.741,246.122 L137.741,219.197 C137.741,217.835 139.772,216.731 142.278,216.731 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 232.978)">
+ <tspan x="-16.335" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Identity/</tspan>
+ <tspan x="-19.166" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Hierarchy</tspan>
+ </text>
+ </g>
+ <g>
+ <path d="M142.278,255.89 L195.204,255.89 C197.71,255.89 199.741,256.994 199.741,258.356 L199.741,285.281 C199.741,286.643 197.71,287.747 195.204,287.747 L142.278,287.747 C139.772,287.747 137.741,286.643 137.741,285.281 L137.741,258.356 C137.741,256.994 139.772,255.89 142.278,255.89 z" fill="#438596" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 168.741, 272.137)">
+ <tspan x="-19.507" y="-2.818" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Company </tspan>
+ <tspan x="-16.42" y="8.182" font-family="HelveticaNeue" font-size="9" fill="#FFFFFF" fill-opacity="0.87">Authn(s)</tspan>
+ </text>
+ </g>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 126.872, 60.5)">
+ <tspan x="-59.631" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Organizationally Defined</tspan>
+ </text>
+ </g>
+ <g id="TLS" transform="translate(-66.241, -41.5)">
+ <text transform="matrix(-0, 1, -1, -0, 639.901, 366.492)">
+ <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+ </text>
+ <text transform="matrix(1, -0, 0, 1, 439.736, 509.201)">
+ <tspan x="-22.253" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">TLS 1.2+</tspan>
+ </text>
+ <text transform="matrix(1, 0, 0, 1, 634.155, 457.499)">
+ <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ <text transform="matrix(-0, 1, -1, -0, 320.012, 516.681)">
+ <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ </g>
+ <g id="CADI" transform="translate(-66.241, -41.5)">
+ <text transform="matrix(0, 1, -1, 0, 565.177, 521.164)">
+ <tspan x="-28.221" y="1.366" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, -0, 0, 1, 632.729, 307.083)">
+ <tspan x="-28.221" y="1.917" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">X509 Client</tspan>
+ </text>
+ <text transform="matrix(1, 0, -0, 1, 650.783, 318.583)">
+ <tspan x="-31.576" y="1.922" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">or BasicAuth</tspan>
+ </text>
+ <g>
+ <g>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill="#CA3F3F" fill-opacity="0.862"/>
+ <path d="M583.149,441 L684.734,441 C689.543,441 693.442,441.832 693.442,442.858 L693.442,463.142 C693.442,464.168 689.543,465 684.734,465 L583.149,465 C578.34,465 574.442,464.168 574.442,463.142 L574.442,442.858 C574.442,441.832 578.34,441 583.149,441 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 633.442, 452.5)">
+ <tspan x="-26.477" y="2.25" font-family="HelveticaNeue" font-size="11" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <g>
+ <g>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill="#CA3F3F"/>
+ <path d="M331.312,493.536 L331.312,546.463 C331.312,548.969 330.703,551 329.952,551 L315.107,551 C314.356,551 313.747,548.969 313.747,546.463 L313.747,493.536 C313.747,491.031 314.356,489 315.107,489 L329.952,489 C330.703,489 331.312,491.031 331.312,493.536 z" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ </g>
+ <text transform="matrix(-0, 1, -1, -0, 319.997, 519.5)">
+ <tspan x="-19.256" y="1.25" font-family="HelveticaNeue" font-size="8" fill="#FFFFFF" fill-opacity="0.87">CADI Filter</tspan>
+ </text>
+ </g>
+ <path d="M186.675,488.372 L303.255,488.372 C308.774,488.372 313.248,490.521 313.248,493.172 L313.248,545.572 C313.248,548.223 308.774,550.372 303.255,550.372 L186.675,550.372 C181.156,550.372 176.682,548.223 176.682,545.572 L176.682,493.172 C176.682,490.521 181.156,488.372 186.675,488.372 z" fill="#38AB4E"/>
+ <text transform="matrix(1, 0, 0, 1, 244.965, 519.37)">
+ <tspan x="-42.661" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Application</tspan>
+ <tspan x="-15.257" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF">Two</tspan>
+ </text>
+ <path d="M581.936,464.372 L683.522,464.372 C688.331,464.372 692.229,467.353 692.229,471.03 L692.229,543.714 C692.229,547.391 688.331,550.372 683.522,550.372 L581.936,550.372 C577.127,550.372 573.229,547.391 573.229,543.714 L573.229,471.03 C573.229,467.353 577.127,464.372 581.936,464.372 z" fill="#38AB4E"/>
+ <g>
+ <path d="M582.649,236.872 L684.234,236.872 C689.043,236.872 692.942,239.021 692.942,241.672 L692.942,294.072 C692.942,296.723 689.043,298.872 684.234,298.872 L582.649,298.872 C577.84,298.872 573.942,296.723 573.942,294.072 L573.942,241.672 C573.942,239.021 577.84,236.872 582.649,236.872 z" fill="#7A40CA" fill-opacity="0.87"/>
+ <text transform="matrix(1, 0, 0, 1, 635.812, 265.872)">
+ <tspan x="-35.896" y="-4.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">User One</tspan>
+ <tspan x="-31.161" y="15.5" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">(Person)</tspan>
+ </text>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 631.212, 433.373)">
+ <tspan x="-19.244" y="3" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ <g>
+ <path d="M631.442,299.373 L631.943,414.772" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M628.943,414.785 L631.978,422.772 L634.943,414.759 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <g>
+ <path d="M574.311,519.987 L353.842,519.762" fill-opacity="0" stroke="#000000" stroke-width="1"/>
+ <path d="M353.845,516.762 L345.842,519.754 L353.839,522.762 z" fill="#000000" fill-opacity="1" stroke="#000000" stroke-width="1" stroke-opacity="1"/>
+ </g>
+ <text transform="matrix(1, 0, 0, 1, 632.729, 504.011)">
+ <tspan x="-42.661" y="-6.219" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">Application</tspan>
+ <tspan x="-15.75" y="13.781" font-family="HelveticaNeue" font-size="17" fill="#FFFFFF" fill-opacity="0.87">One</tspan>
+ </text>
+ <text transform="matrix(-0, 1, -1, -0, 337.577, 519.5)">
+ <tspan x="-19.244" y="3.235" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">HTTP/S</tspan>
+ </text>
+ </g>
+ <g id="CADI_Client" transform="translate(-66.241, -41.5)">
+ <text transform="matrix(1, -0, 0, 1, 459.076, 543.239)">
+ <tspan x="-89.025" y="-13.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">Utilize CADI Client REST client (auto </tspan>
+ <tspan x="-89.025" y="-1.986" font-family="HelveticaNeue" font-size="11" fill="#000000" fill-opacity="0.87">loads credentials, Contexts, etc)</tspan>
+ </text>
+ </g>
+</svg>
diff --git a/docs/sections/architecture/images/aaf-cm.png b/docs/sections/architecture/images/aaf-cm.png
new file mode 100644
index 00000000..602f17e4
--- /dev/null
+++ b/docs/sections/architecture/images/aaf-cm.png
Binary files differ
diff --git a/docs/aaf-object-model.jpg b/docs/sections/architecture/images/aaf-object-model.jpg
index 30caa7d5..30caa7d5 100644
--- a/docs/aaf-object-model.jpg
+++ b/docs/sections/architecture/images/aaf-object-model.jpg
Binary files differ
diff --git a/docs/sections/architecture/index.rst b/docs/sections/architecture/index.rst
new file mode 100644
index 00000000..5a20f2d1
--- /dev/null
+++ b/docs/sections/architecture/index.rst
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Architecture
+============
+.. toctree::
+ :maxdepth: 2
+ :glob:
+
+ *
+
diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst
new file mode 100644
index 00000000..93247899
--- /dev/null
+++ b/docs/sections/architecture/security.rst
@@ -0,0 +1,150 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Security Architecture
+=====================
+Communicating
+-------------
+When one compute process needs to communicate to another, it does so with networking.
+
+The service side is always compute process, but the client can be of two types:
+ * People (via browser, or perhaps command line tool)
+ * Compute process talking to another computer process.
+
+In larger systems, it is atypical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it. Thus, we demonstrate both a client call, and a subsequent call in the following:
+
+Thus, the essential building blocks of any networked system is made up of a caller and any subsquent calls.
+
+.. image:: images/SecurityArchBasic_1.svg
+ :width: 70%
+ :align: center
+
+
+Communicating *Securely*
+------------------------
+Whenever two processing entities exist that need to communicate securely, it is *essential* that
+ * The communications between the two are encrypted
+ * The identities of the caller and callee are established (authentication)
+ * The caller must be allowed to do what it is asking to do (authorization)
+
+
+**Encryption**
+
+Encryption is provided by HTTP/S with the TLS 1.2+ protocol. Lesser protocols can also be added, but it is highly recommended that the protocol go no lower than TLS 1.1
+
+.. image:: images/SecurityArchBasic_TLS.svg
+ :width: 70%
+ :align: center
+
+**Establishing Identity**
+
+*Client Side*
+
+In order to be secure of the Server Identity, the client will:
+ * Carefully select the Endpoint for the server (URL)
+ * The Service side Certificate chain obtained by TLS must ultimately be signed by a Certificate Authority that is trusted.
+
+*Server Side*
+
+The server side is a little harder to accomplish, because, while a client can choose carefully whom he contacts, the server, ultimately, might be contacted by literally anyone.
+
+To solve this difficult problem, the CADI Framework Filter is attached to the incoming transaction before any code by Application 1 or Application 2 is invoked. The CADI Framework does the following:
+ A) Establishes the claimed Identity (this differs by Protocol)
+
+ i) The Identity needs to be a Fully Qualified Identity (FQI), meaning it has
+
+ #) An ID approved by Organization (such as bob)
+ #) A Domain establishing where the Credential is defined (ex: @bobs.garage.com)
+ #) FQI Example: bob@bobs.garage.com
+
+ B) Validates the credential of the FQI ( *Authentication* )
+
+ i) Basic Auth (User/Password) is validated against the system supporting the domain
+ ii) AAF Certman can create a fine-grained X509 certificate, which can derive FQI
+ iii) If the FQI fails the Credential test in any way, the transaction is terminated
+
+ C) Obtain *Authorization* information
+
+ i) This might include a call to AAF which will return all the Permissions of the User per Application Context
+ ii) This might involve pulling these from Cache
+ iii) This also might be pulled from Token
+
+.. image:: images/SecurityArchCADI.svg
+ :width: 70%
+ :align: center
+
+Enabling the Client to Send Securely
+------------------------------------
+
+Once a secure scenario is in place, the client must provide more information, or he will be rejected by the secured server.
+
+ * FQI (Fully Qualified Identity)
+ * Credential
+ * If User/Password, then the client must send via "BasicAuth" Protocol
+ * If two-way X509 identity, then the client must load the Cert and Private Key into the Client Software outside of the calling process.
+ * If Token based Identity, such as OAuth2, the token must be placed on the call in just the right way.
+ * Upstream Identity
+ * Application Two might well want to process Authorizations based on the *end-user*, not the current caller. In this scenario, Application One must provide the End User FQI in addition to its own before Application Two will accept.
+
+In order to do this efficiently, ONAP services will use the CADI Client, which includes
+ * Connection Information by Configuration
+ * Encryption of any sensitive information in Configuration, such as Password, so that Configuration files will have no clear-text secrets.
+ * Highly scalable Endpoint information (at the very least, of AAF components)
+ * The ability to propogate the Identity of originating Caller (User One)
+
+.. image:: images/SecurityArchCADIClient.svg
+ :width: 70%
+ :align: center
+
+
+Obtaining Security Information
+------------------------------
+
+In order for the client and server to perform securely, the need information they can trust, including
+ * TLS needs X509 Certificate for the Server and any Client wishing to authenticate using Certificates
+ * Any User/Password Credentials need to be validated real time
+ * The server needs comprehensible Authorization information, preferably at the Application Scope
+ * The client needs to find a server, even if the server must be massively geo-scaled
+
+The AAF Suite provides the following elements:
+ * AAF Service
+ This service provides fine-grained Authorization information, and can, if required, also provide specialized Passwords for Applications (that allow for configuration migrations without a maintainance window)
+ * OAuth
+ AAF provides Token and Introspection service, but can also delegate to Organizatinally defined OAuth Services as well.
+ * Locator
+ Provides machine and port information by geo-location for massively scalable services. This is optional for ONAP services, but required for AAF as part of its reliability and scalability solution.
+ * GUI
+ AAF provides a GUI for managing Namespaces (for Applications), Roles, Permissions and Credentials.
+ * Certificate Manager
+ Since AAF has fine-grained information about Identities, it can provide Certificates with FQIs embedded. CADI Framework understands when and how to trust these FQIs. When used, these Certificates provide enhanced speed and additional resiliency to the system, as they do not require network connections to validate.
+
+.. image:: images/SecurityArchAAF.svg
+ :width: 30%
+ :align: center
+
+The Organization
+----------------
+
+AAF is only a tool to reflect the Organization it is setup for. AAF does not, for instance, know what IDs are acceptable to a particular company. Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organzation will have a hierarchy of who is responsible for any give person or application.
+
+ * AAF's Certman connects to the Organization's CA via SCEP protocol (Others can be created as well)
+ * AAF ties into the Organizational hierarchy. Currently, this is through a feed of IDs and relationships.
+ * AAF can process some Passwords, but delegate off others based on domain.
+
+.. image:: images/SecurityArchAAFOrg.svg
+ :width: 70%
+ :align: center
+
+The Whole Picture
+-----------------
+
+CADI is a framework that enforces validations of Identities, and uses those Identities to obtain Authorization information for the Server. The CADI client ensures that the right information is passed during secure connections.
+
+AAF provides essential information based on the Organization to services in order to enable secure transactions between components. It also provides sustaining processing capabilities to ensure that Credentials and Authorization relationships are maintained.
+
+.. image:: images/SecurityArchFull.svg
+ :width: 90%
+ :align: center
+
+
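Review bot: the encryption paragraph is self-contradictory and the fallback it permits is unsafe: it states `Encryption is provided by HTTP/S with the TLS 1.2+ protocol` and then recommends only that `the protocol go no lower than TLS 1.1`; TLS 1.1 and 1.0 are deprecated and should not be offered, so drop the "Lesser protocols" sentence or state TLS 1.2 as the floor. In the *Client Side* list, checking that the chain is `signed by a Certificate Authority that is trusted` does not by itself establish server identity; add that the presented certificate must also match the endpoint hostname the client selected, otherwise any certificate issued by that CA would be accepted for any server. The indented bullet and enumerated lists that directly follow a paragraph without a blank line (after `the client can be of two types:`, `it is *essential* that`, `the client will:`, `The CADI Framework does the following:`, `which includes`, `including` and `provides the following elements:`) will raise "Unexpected indentation" errors in Sphinx; insert a blank line before each list and indent the nested `i)` / `#)` items consistently. Wording to fix: `but will the call initiated by the initial actor will cause additional calls` needs rewriting, the paragraph ending `in the following:` is followed by another paragraph rather than the figure, `the need information` should read "they need information", and the spellings `subsquent`, `propogate`, `maintainance`, `Organizatinally`, `Organzation` and `any give person` are wrong.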
diff --git a/docs/sections/configuration/client.rst b/docs/sections/configuration/client.rst
new file mode 100644
index 00000000..e0e88802
--- /dev/null
+++ b/docs/sections/configuration/client.rst
@@ -0,0 +1,212 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Client Configuration
+====================
+
+TEST version of "cadi.properties"
+---------------------------------
+These properties point you to the ONAP TEST environment.
+
+Properties are separated into
+
+ * etc
+ * main Property file which provides Client specific info. As a client, this could be put in container, or placed on Host Box
+ * The important thing is to LINK the property with Location and Certificate Properties, see "local"
+ * local
+ * where there is Machine specific information (i.e. GEO Location (Latitude/Longitude)
+ * where this is Machine specific Certificates (for running services)
+ * This is because the certificates used must match the Endpoint that the Container is running on
+ * Note Certificate Manager can Place all these components together in one place.
+ * For April, 2018, please write Jonathan.gathman@att.com for credentials until TEST Env with Certificate Manager is fully tested. Include
+ 1. AAF Namespace (you MUST be the owner for the request to be accepted)
+ 2. Fully Qualified App ID (ID + Namespace)
+ 3. Machine to be deployed on.
+
+Client Credentials
+------------------
+For Beijing, full TLS is expected among all components. AAF provides the "Certificate Manager" which can "Place" Certificate information
+
+Example Source Code
+-------------------
+Note the FULL class is available in the authz repo, cadi_aaf/org/onap/aaf/client/sample/Sample.java
+
+.. code-block:: java
+
+
+ /**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+ package org.onap.aaf.client.sample;
+
+ import java.io.IOException;
+ import java.security.Principal;
+ import java.util.ArrayList;
+ import java.util.List;
+
+ import org.onap.aaf.cadi.Access;
+ import org.onap.aaf.cadi.CadiException;
+ import org.onap.aaf.cadi.LocatorException;
+ import org.onap.aaf.cadi.Permission;
+ import org.onap.aaf.cadi.PropAccess;
+ import org.onap.aaf.cadi.aaf.AAFPermission;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+ import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+ import org.onap.aaf.cadi.util.Split;
+ import org.onap.aaf.misc.env.APIException;
+
+ public class Sample {
+ private static Sample singleton;
+ final private AAFConHttp aafcon;
+ final private AAFLurPerm aafLur;
+ final private AAFAuthn<?> aafAuthn;
+
+ /**
+ * This method is to emphasize the importance of not creating the AAFObjects over and over again.
+ * @return
+ */
+ public static Sample singleton() {
+ return singleton;
+ }
+
+ public Sample(Access myAccess) throws APIException, CadiException, LocatorException {
+ aafcon = new AAFConHttp(myAccess);
+ aafLur = aafcon.newLur();
+ aafAuthn = aafcon.newAuthn(aafLur);
+ }
+
+ /**
+ * Checking credentials outside of HTTP/S presents fewer options initially. There is not, for instance,
+ * the option of using 2-way TLS HTTP/S.
+ *
+ * However, Password Checks are still useful, and, if the Client Certificate could be obtained in other ways, the
+ * Interface can be expanded in the future to include Certificates.
+ * @throws CadiException
+ * @throws IOException
+ */
+ public Principal checkUserPass(String fqi, String pass) throws IOException, CadiException {
+ String ok = aafAuthn.validate(fqi, pass);
+ if(ok==null) {
+ System.out.println("Success!");
+ /*
+ UnAuthPrincipal means that it is not coming from the official Authorization chain.
+ This is useful for Security Plugins which don't use Principal as the tie between
+ Authentication and Authorization
+
+ You can also use this if you want to check Authorization without actually Authenticating, as may
+ be the case with certain Onboarding Tooling.
+ */
+ return new UnAuthPrincipal(fqi);
+ } else {
+ System.out.printf("Failure: %s\n",ok);
+ return null;
+ }
+
+
+ }
+
+ /**
+ * An example of looking for One Permission within all the permissions user has. CADI does cache these,
+ * so the call is not expensive.
+ *
+ * Note: If you are using "J2EE" (Servlets), CADI ties this function to the method:
+ * HttpServletRequest.isUserInRole(String user)
+ *
+ * The J2EE user can expect that his servlet will NOT be called without a Validated Principal, and that
+ * "isUserInRole()" will validate if the user has the Permission designated.
+ *
+ */
+ public boolean oneAuthorization(Principal fqi, Permission p) {
+ return aafLur.fish(fqi, p);
+ }
+
+ public List<Permission> allAuthorization(Principal fqi) {
+ List<Permission> pond = new ArrayList<Permission>();
+ aafLur.fishAll(fqi, pond);
+ return pond;
+ }
+
+
+ public static void main(String[] args) {
+ // Note: you can pick up Properties from Command line as well as VM Properties
+ // Code "user_fqi=... user_pass=..." (where user_pass can be encrypted) in the command line for this sample.
+ // Also code "perm=<perm type>|<instance>|<action>" to test a specific Permission
+ PropAccess myAccess = new PropAccess(args);
+ try {
+ /*
+ * NOTE: Do NOT CREATE new aafcon, aafLur and aafAuthn each transaction. They are built to be
+ * reused!
+ *
+ * This is why this code demonstrates "Sample" as a singleton.
+ */
+ singleton = new Sample(myAccess);
+ String user = myAccess.getProperty("user_fqi");
+ String pass= myAccess.getProperty("user_pass");
+
+ if(user==null || pass==null) {
+ System.err.println("This Sample class requires properties user_fqi and user_pass");
+ } else {
+ pass = myAccess.decrypt(pass, false); // Note, with "false", decryption will only happen if starts with "enc:"
+ // See the CODE for Java Methods used
+ Principal fqi = Sample.singleton().checkUserPass(user,pass);
+
+ if(fqi==null) {
+ System.out.println("OK, normally, you would cease processing for an "
+ + "unauthenticated user, but for the purpose of Sample, we'll keep going.\n");
+ fqi=new UnAuthPrincipal(user);
+ }
+
+ // AGAIN, NOTE: If your client fails Authentication, the right behavior 99.9%
+ // of the time is to drop the transaction. We continue for sample only.
+
+ // note, default String for perm
+ String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read");
+ String[] permA = Split.splitTrim('|', permS);
+ if(permA.length>2) {
+ final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]);
+ // See the CODE for Java Methods used
+ if(singleton().oneAuthorization(fqi, perm)) {
+ System.out.printf("Success: %s has %s\n",fqi.getName(),permS);
+ } else {
+ System.out.printf("%s does NOT have %s\n",fqi.getName(),permS);
+ }
+ }
+
+
+ // Another form, you can get ALL permissions in a list
+ // See the CODE for Java Methods used
+ List<Permission> permL = singleton().allAuthorization(fqi);
+ if(permL.size()==0) {
+ System.out.printf("User %s has no Permissions THAT THE CALLER CAN SEE",fqi.getName());
+ } else {
+ System.out.print("Success:\n");
+ for(Permission p : permL) {
+ System.out.printf("\t%s has %s\n",fqi.getName(),p.getKey());
+ }
+ }
+ }
+ } catch (APIException | CadiException | LocatorException | IOException e) {
+ e.printStackTrace();
+ }
+ }
+ } \ No newline at end of file
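Review bot: in `Sample.main` the `user_pass` property is read straight from the command line and the comment only says it `can be encrypted`; since this page's stated goal is that `Configuration files will have no clear-text secrets`, document the `enc:` form that `myAccess.decrypt(pass, false)` expects, and the keyfile it depends on, in the prose next to the sample rather than leaving it to a code comment. The nested bullets under `Properties are separated into` (the `main Property file` items under `etc`, the `where there is Machine specific` items under `local`, and the `1. AAF Namespace` numbered list) are indented without blank lines and will not render as nested lists in Sphinx. The `Client Credentials` paragraph is cut off: `AAF provides the "Certificate Manager" which can "Place" Certificate information` has no ending. The `For April, 2018, please write ...` instruction is time-bound and will go stale in the published docs; move it to the release notes or date-stamp it. Minor: `checkUserPass` prints `Success!` / `Failure: %s` to stdout from inside a method the class presents as reusable; leave reporting to the caller, as `main` already does.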
diff --git a/docs/sections/configuration/index.rst b/docs/sections/configuration/index.rst
new file mode 100644
index 00000000..cc65cad3
--- /dev/null
+++ b/docs/sections/configuration/index.rst
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Configuration
+=============
+.. toctree::
+ :maxdepth: 2
+ :glob:
+
+ *
+
diff --git a/docs/sections/configuration/service.rst b/docs/sections/configuration/service.rst
new file mode 100644
index 00000000..8b48ddcb
--- /dev/null
+++ b/docs/sections/configuration/service.rst
@@ -0,0 +1,362 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Service Configuration - Connecting to AAF
+==========================================
+
+
+
+Methods to Connect
+==================
+
+• If you are a Servlet in a Container, use CADI Framework with AAF Plugin. It's very easy, and includes BasicAuth for Services.
+• Java Technologies
+• Technologies using Servlet Filters
+• DME2 (and other Servlet Containers) can use Servlet Filters
+• Any WebApp can plug in CADI as a Servlet Filter
+• Jetty can attach a Servlet Filter with Code, or as WebApp
+• Tomcat 7 has a "Valve" plugin, which is similar and supported
+• Use the AAFLur Code directly (shown)
+• All Java Technologies utilize Configuration to set what Security elements are required
+• example: Global Login can be turned on/off, AAF Client needs information to connect to AAF Service
+• There are several specialty cases, which AAF can work with, including embedding all properties in a Web.xml, but the essentials needed are:
+• CADI Jars
+• cadi.properties file (configured the same for all technologies)
+• Encrypt passwords with included CADI technology, so that there are no Clear Text Passwords in Config Files (ASPR)
+• See CADI Deployment on how to perform this with several different technologies.
+• AAF Restfully (see RESTFul APIS)
+
+IMPORTANT: If Direct RESTFul API is used, then it is the Client's responsibility to Cache and avoid making an AAF Service Calls too often
+Example: A Tool like Cassandra will ask for Authentication hundreds of times a second for the same identity during a transaction. Calling the AAF Service for each would be slow for the client, and wasteful of Network and AAF Service Capacities.
+Rogue Clients can and will be denied access to AAF.
+
+
+J2EE (Servlet Filter) Method
+============================
+
+1. Per J2EE design, the Filter will deny any unauthenticated HTTP/S call; the Servlet will not even be invoked.
+a. Therefore, the Servlet can depend on any transaction making it to their code set is Authenticated.
+b. Identity can be viewed based on the HttpServletRequest Object (request.getUserPrincipal() )
+2. Per J2EE design, AAF Filter overloads the HttpServletRequest for a String related to "Role". (request.isUserInRole("...") )
+a. For AAF, do not put in "Role", but the three parts of requested "Permission", separated by "|", i.e. "org.onap.aaf.myapp.myperm|myInstance|myAction".
+3. NOT REQUIRED: An added benefit, but not required, is a JASPI like interface, where you can add an Annotation to your Servlet.
+a. When used, no transaction will come into your code if the listed Permissions are not Granted to the Incoming Transaction.
+b. This might be helpful for covering separate Management Servlet implementations.
+
+
+
+Servlet Code Snippet
+=========================
+
+.. code-block:: java
+
+ public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+ HttpServletRequest request;
+ try {
+ request = (HttpServletRequest)req;
+ } catch (ClassCastException e) {
+ throw new ServletException("Only serving HTTP today",e);
+ }
+
+ // Note: CADI is OVERLOADING the concept of "isUserInRole".. You need to think "doesUserHavePermssion()"
+ // Assume that you have CREATED and GRANTED An AAF Permission in YOUR Namespace
+ // Example Permission: "org.onap.aaf.myapp.myPerm * write"
+
+ // Think in your head, "Does user have write permission on any instance of org.onap.aaf.myapp.myPerm
+ if(request.isUserInRole("org.onap.aaf.myapp.myPerm|*|write")) {
+ // *** Do something here that someone with "myPerm write" permissions is allowed to do
+ } else {
+ // *** Do something reasonable if user is denied, like an Error Message
+ }
+
+ }
+
+Here is a working TestServlet, where you can play with different Permissions that you own on the URL, i.e.:
+https://<your machine:port>/caditest/testme?PERM=org.onap.aaf.myapp.myPerm|*|write
+
+Sample Servlet (Working example)
+================================
+
+.. code-block:: java
+
+ package org.onap.aaf.cadi.debug;
+ import java.io.FileInputStream;
+ import java.io.IOException;
+ import java.net.InetAddress;
+ import java.net.UnknownHostException;
+ import java.util.HashMap;
+ import java.util.Map;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+ import javax.servlet.Servlet;
+ import javax.servlet.ServletConfig;
+ import javax.servlet.ServletException;
+ import javax.servlet.ServletRequest;
+ import javax.servlet.ServletResponse;
+ import javax.servlet.http.HttpServletRequest;
+ import org.eclipse.jetty.server.Server;
+ import org.eclipse.jetty.server.ServerConnector;
+ import org.eclipse.jetty.server.handler.ContextHandler;
+ import org.eclipse.jetty.servlet.FilterHolder;
+ import org.eclipse.jetty.servlet.FilterMapping;
+ import org.eclipse.jetty.servlet.ServletContextHandler;
+ import org.eclipse.jetty.servlet.ServletHandler;
+ import org.onap.aaf.cadi.filter.CadiFilter;
+ import org.onap.aaf.cadi.filter.RolesAllowed;
+ import org.onap.aaf.cadi.jetty.MiniJASPIWrap;
+
+ public class CSPServletTest {
+ public static void main(String[] args) {
+ // Go ahead and print Test reports in cadi-core first
+ Test.main(args);
+ String hostname=null;
+ try {
+ hostname = InetAddress.getLocalHost().getHostName();
+ } catch (UnknownHostException e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ Properties props = new Properties();
+ Map<String,String> map = new HashMap<String,String>();
+ try {
+ FileInputStream fis = new FileInputStream("run/cadi.properties");
+ try {
+ props.load(fis);
+ String key,value;
+ for( Entry<Object, Object> es : props.entrySet()) {
+ key = es.getKey().toString();
+ value = es.getValue().toString();
+ map.put(key,value);
+ if(key.startsWith("AFT_") || key.startsWith("DME2")) {
+ System.setProperty(key,value);
+ }
+ }
+ } finally {
+ fis.close();
+ }
+ } catch(IOException e) {
+ System.err.println("Cannot load run/cadi.properties");
+ System.exit(1);
+ }
+ String portStr = System.getProperty("port");
+ int port = portStr==null?8080:Integer.parseInt(portStr);
+ try {
+ // Add ServletHolder(s) and Filter(s) to a ServletHandler
+ ServletHandler shand = new ServletHandler();
+
+ FilterHolder cfh = new FilterHolder(CadiFilter.class);
+ cfh.setInitParameters(map);
+
+ shand.addFilterWithMapping(cfh, "/*", FilterMapping.ALL);
+ shand.addServletWithMapping(new MiniJASPIWrap(MyServlet.class),"/*");
+ // call initialize after start
+
+ ContextHandler ch = new ServletContextHandler();
+ ch.setContextPath("/caditest");
+ ch.setHandler(shand);
+ for( Entry<Object,Object> es : props.entrySet()) {
+ ch.getInitParams().put(es.getKey().toString(), es.getValue().toString());
+ }
+ //ch.setErrorHandler(new MyErrorHandler());
+
+ // Create Server and Add Context Handler
+ final Server server = new Server();
+ ServerConnector http = new ServerConnector(server);
+ http.setPort(port);
+ server.addConnector(http);
+ server.setHandler(ch);
+
+ // Start
+ server.start();
+ shand.initialize();
+
+ System.out.println("To test, put http://"+ hostname + ':' + port + "/caditest/testme in a browser or 'curl'");
+ // if we were really a server, we'd block the main thread with this join...
+ // server.join();
+ // But... since we're a test service, we'll block on StdIn
+ System.out.println("Press <Return> to end service...");
+ System.in.read();
+ server.stop();
+ System.out.println("All done, have a good day!");
+ } catch (Exception e) {
+ e.printStackTrace();
+ System.exit(1);
+ }
+ }
+ @RolesAllowed({"org.onap.aaf.myapp.myPerm|myInstance|myAction"})
+ public static class MyServlet implements Servlet {
+ private ServletConfig servletConfig;
+
+ public void init(ServletConfig config) throws ServletException {
+ servletConfig = config;
+ }
+
+ public ServletConfig getServletConfig() {
+ return servletConfig;
+ }
+
+ public void service(ServletRequest req, ServletResponse res) throws ServletException, IOException {
+ HttpServletRequest request;
+ try {
+ request = (HttpServletRequest)req;
+ } catch (ClassCastException e) {
+ throw new ServletException("Only serving HTTP today",e);
+ }
+
+ res.getOutputStream().print("<html><header><title>CSP Servlet Test</title></header><body><h1>You're good to go!</h1><pre>" +
+ request.getUserPrincipal());
+
+ String perm = request.getParameter("PERM");
+ if(perm!=null)
+ if(request.isUserInRole(perm)) {
+ if(perm.indexOf('|')<0)
+ res.getOutputStream().print("\nCongrats!, You are in Role " + perm);
+ else
+ res.getOutputStream().print("\nCongrats!, You have Permission " + perm);
+ } else {
+ if(perm.indexOf('|')<0)
+ res.getOutputStream().print("\nSorry, you are NOT in Role " + perm);
+ else
+ res.getOutputStream().print("\nSorry, you do NOT have Permission " + perm);
+ }
+
+ res.getOutputStream().print("</pre></body></html>");
+
+ }
+
+ public String getServletInfo() {
+ return "MyServlet";
+ }
+
+ public void destroy() {
+ }
+ }
+ }
+
+Java Direct (AAFLur) Method
+===========================
+The AAFLur is the exact component used within all the Plugins mentioned above. It is written so that it can be called standalone as well, see the Example as follows
+
+.. code-block:: java
+
+ package org.onap.aaf.example;
+
+ import java.util.ArrayList;
+ import java.util.List;
+ import java.util.Properties;
+
+ import org.onap.aaf.cadi.Access;
+ import org.onap.aaf.cadi.Permission;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFCon;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+ import org.onap.aaf.cadi.config.Config;
+ import org.onap.aaf.cadi.lur.aaf.AAFPermission;
+ import org.onap.aaf.cadi.lur.aaf.test.TestAccess;
+
+ public class ExamplePerm2_0 {
+ public static void main(String args[]) {
+ // Normally, these should be set in environment. Setting here for clarity
+ Properties props = System.getProperties();
+ props.setProperty("AFT_LATITUDE", "32.780140");
+ props.setProperty("AFT_LONGITUDE", "-96.800451");
+ props.setProperty("AFT_ENVIRONMENT", "AFTUAT");
+ props.setProperty(Config.AAF_URL,
+ "https://DME2RESOLVE/service=org.onap.aaf.authz.AuthorizationService/version=2.0/envContext=TEST/routeOffer=BAU_SE"
+ );
+ props.setProperty(Config.AAF_USER_EXPIRES,Integer.toString(5*60000)); // 5 minutes for found items to live in cache
+ props.setProperty(Config.AAF_HIGH_COUNT,Integer.toString(400)); // Maximum number of items in Cache);
+ props.setProperty(Config.CADI_KEYFILE,"keyfile"); //Note: Be sure to generate with java -jar <cadi_path>/lib/cadi-core*.jar keygen keyfile
+ // props.setProperty("DME2_EP_REGISTRY_CLASS","DME2FS");
+ // props.setProperty("AFT_DME2_EP_REGISTRY_FS_DIR","../../authz/dme2reg");
+
+
+ // Link or reuse to your Logging mechanism
+ Access myAccess = new TestAccess(); //
+
+ //
+ try {
+ AAFCon<?> con = new AAFConDME2(myAccess);
+
+ // AAFLur has pool of DME clients as needed, and Caches Client lookups
+ AAFLurPerm aafLur = con.newLur();
+ // Note: If you need both Authn and Authz construct the following:
+ AAFAuthn<?> aafAuthn = con.newAuthn(aafLur);
+
+ // Do not set Mech ID until after you construct AAFAuthn,
+ // because we initiate "401" info to determine the Realm of
+ // of the service we're after.
+ con.basicAuth("xxxx@aaf.abc.com", "XXXXXX");
+
+ try {
+
+ // Normally, you obtain Principal from Authentication System.
+ // For J2EE, you can ask the HttpServletRequest for getUserPrincipal()
+ // If you use CADI as Authenticator, it will get you these Principals from
+ // CSP or BasicAuth mechanisms.
+ String id = "xxxx@aaf.abc.com"; //"cluster_admin@gridcore.abc.com";
+
+ // If Validate succeeds, you will get a Null, otherwise, you will a String for the reason.
+ String ok = aafAuthn.validate(id, "XXXXXX");
+ if(ok!=null)System.out.println(ok);
+
+ ok = aafAuthn.validate(id, "wrongPass");
+ if(ok!=null)System.out.println(ok);
+
+
+ // AAF Style permissions are in the form
+ // Type, Instance, Action
+ AAFPermission perm = new AAFPermission("org.onap.aaf.grid.core.coh",":dev_cluster", "WRITE");
+
+ // Now you can ask the LUR (Local Representative of the User Repository about Authorization
+ // With CADI, in J2EE, you can call isUserInRole("org.onap.aaf.mygroup|mytype|write") on the Request Object
+ // instead of creating your own LUR
+ System.out.println("Does " + id + " have " + perm);
+ if(aafLur.fish(id, perm)) {
+ System.out.println("Yes, you have permission");
+ } else {
+ System.out.println("No, you don't have permission");
+ }
+
+ System.out.println("Does Bogus have " + perm);
+ if(aafLur.fish("Bogus", perm)) {
+ System.out.println("Yes, you have permission");
+ } else {
+ System.out.println("No, you don't have permission");
+ }
+
+ // Or you can all for all the Permissions available
+ List<Permission> perms = new ArrayList<Permission>();
+
+ aafLur.fishAll(id,perms);
+ for(Permission prm : perms) {
+ System.out.println(prm.getKey());
+ }
+
+ // It might be helpful in some cases to clear the User's identity from the Cache
+ aafLur.remove(id);
+ } finally {
+ aafLur.destroy();
+ }
+ } catch (Exception e) {
+ e.printStackTrace();
+ }
+
+ }
+ }
+
+
+There are two current AAF Lurs which you can utilize:
+• Org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm is the default, and will fish based on the Three-fold "Permission" standard in AAF
+To run this code, you will need from a SWM deployment (org.onap.aaf.cadi:cadi, then soft link to jars needed):
+• cadi-core-<version>.jar
+• cadi-aaf-<version>-full.jar
+ or by Maven
+<dependency>
+<groupId>org.onap.aaf.cadi</groupId>
+<artifactId>aaf-cadi-aaf</artifactId>
+<version>THE_LATEST_VERSION</version>
+<classifier>full</classifier>
+</dependency>
+
+
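Review bot: the closing text says "There are two current AAF Lurs which you can utilize" but lists only one, `Org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm` (and the package should be lowercase `org.`); either add the second Lur or drop the count. The sample also hard-codes a clear-text credential twice, in `con.basicAuth("xxxx@aaf.abc.com", "XXXXXX")` and again in `aafAuthn.validate(id, "XXXXXX")`; since the keyfile is already configured via `Config.CADI_KEYFILE`, read the password from a property as an `enc:` value and decrypt it, so readers do not copy the embedded-password pattern into real services. The `DME2RESOLVE` URL and `AAFConDME2` are AT&T-internal DME2 resolution, whereas the ONAP sample later in this change uses `AAFConHttp`; say which one ONAP users should follow. Finally, the `<dependency>` XML and the bullet list of jars sit outside any code block, so RST will render the tags as run-on text; wrap them in `.. code:: xml`.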
diff --git a/docs/sections/installation/AAF-Integration-Guide.rst b/docs/sections/installation/AAF-Integration-Guide.rst
new file mode 100644
index 00000000..97327646
--- /dev/null
+++ b/docs/sections/installation/AAF-Integration-Guide.rst
@@ -0,0 +1,76 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+AAF Integration Guide
+============================
+.. code:: bash
+
+ cadi.properties Template
+ # This is a normal Java Properties File
+ # Comments are with Pound Signs at beginning of lines,
+ # and multi-line expression of properties can be obtained by backslash at end of line
+ #hostname=
+
+ cadi_loglevel=WARN
+ cadi_keyfile=conf/keyfile
+
+
+ # Configure AAF
+ aaf_url=http://172.18.0.2:8101
+ #if you are running aaf service from a docker image you have to use aaf service IP and port number
+ aaf_id=<yourAPPID>@onap.org
+ aaf_password=enc:<encrypt>
+
+ aaf_dme_timeout=5000
+ # Note, User Expires for not Unit Test should be something like 900000 (15 mins) default is 10 mins
+ # 15 seconds is so that Unit Tests don't delay compiles, etc
+ aaf_user_expires=15000
+ # High count... Rough top number of objects held in Cache per cycle. If high is reached, more are
+ # recycled next time. Depending on Memory usage, 2000 is probably decent. 1000 is default
+ aaf_high_count=100
+
+
+How to create CADI Keyfile & Encrypt Password
+---------------------------------------------
+
+Password Encryption
+-------------------
+CADI provides a method to encrypt data so that Passwords and other sensitive data can be stored safely.
+
+Keygen (Generate local Symmetrical Key)
+A Keyfile is created by Cadi Utility.
+
+.. code:: bash
+
+ java -jar cadi-core-<version>.jar keygen <keyfile>
+Given this key file unlocks any passwords created, it should be stored in your configuration directory and protected with appropriate access permissions. For instance, if your container is Tomcat, and runs with a "tomcat" id, then you should:
+
+.. code:: bash
+
+ java -jar cadi-core-<version>.jar keygen keyfile
+ chmod 400 keyfile
+ chown tomcat:tomcat keyfile
+
+Digest - Encrypt a Password
+---------------------------
+The password is obtained by using the Cadi digest Utility (contained in the cadi-core-<version>.jar).
+
+.. code:: bash
+
+ java -jar cadi-core-<version>.jar digest <your_password> <keyfile>
+ • "<keyfile>" is created by Cadi Utility, #keygen
+ • Understand that if you change the keyfile, then you need to rerun "digest" on passwords used in the users/groups definitions.
+ • Note: You cannot mix versions of cadi; the version used to digest your password must be the same version used at runtime.
+
+CADI PROPERTIES
+ CADI properties, typically named "cadi.properties", must have passwords encrypted.
+ 1. Take the results of the "Digest" command and prepend "enc:"
+ 2. Use this as the value of your property
+
+Example: aaf_password=enc:fMKMBfKHlRWL68cxD5XSIWNKRNYi5dih2LEHRFMIsut
+
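Review bot: the `.. code:: bash` block under "Keygen" ends at `java -jar cadi-core-<version>.jar keygen <keyfile>` with no blank line before the next paragraph, and the three bullets after the `digest` command are indented into its code block, so Sphinx will warn about the unexpected unindent and render the bullets as shell text; add blank lines and de-indent the bullets. Two content points: the template sets `aaf_url=http://172.18.0.2:8101`, so the `enc:` password protects the property file at rest but `aaf_id`/`aaf_password` are then sent as Basic Auth over plain HTTP; use `https://` here or state that the http URL is only for a local docker test. And `digest <your_password> <keyfile>` puts the clear-text password on the command line, where it lands in shell history and `ps` output; a one-line caveat is warranted. Also the license header is pasted twice at the top of the file, and "cadi.properties Template" sits inside the bash block as if it were a command.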
diff --git a/docs/sections/installation/AAF_Environment_Beijing.rst b/docs/sections/installation/AAF_Environment_Beijing.rst
new file mode 100644
index 00000000..3061c90a
--- /dev/null
+++ b/docs/sections/installation/AAF_Environment_Beijing.rst
@@ -0,0 +1,252 @@
+AAF Environment - Beijing
+=========================
+
+Access
+~~~~~~
+
+You must be connected to the WindRiver "pod-onap-01" VPN to gain access
+to AAF Beijing
+
+DNS (/etc/hosts)
+~~~~~~~~~~~~~~~~
+
+At this time, there is no known DNS available for ONAP Entities.  It is
+recommended that you add the following entry into your "/etc/hosts" on
+your accessing machine:
+
+ /etc/hosts:
+
+ 10.12.6.214 aaf-onap-beijing-test aaf-onap-beijing-test.osaaf.org
+
+Environment Artifacts (AAF FS)
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+ AAF has an HTTP Fileserver to gain access to needed public info.
+
+ http://aaf-onap-beijing-test.osaaf.org/-
+
+Credentials
+~~~~~~~~~~~
+
+ AAF does support User/Password, and allows additional plugins as it
+ did in Amsterdam, however, User/Password credentials are inferior to
+ PKI technology, and does not match the ONAP Design goal of TLS and
+ PKI Identity across the board.  Therefore, while an individual
+ organization might avail themselves of the User/Password facilities
+ within AAF, for ONAP, we are avoiding.
+
+ THEREFORE: **GO WITH CERTIFICATE IDENTITY**
+
+Certificates
+~~~~~~~~~~~~
+
+Root Certificate
+^^^^^^^^^^^^^^^^
+
+ `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
+
+AAF CA
+^^^^^^
+
+ At time of Beijing, an official Certificate Authority for ONAP was
+ not declared, installed or operationalized.  Secure TLS requires
+ certificates, so for the time being, the Certificate Authority is
+ being run by AAF Team.
+
+Root Certificate
+''''''''''''''''
+
+ | The Root Certificate for ONAP Certificate Authority used by AAF
+ is \ `AAF\_RootCA.cer <http://aaf-onap-beijing-test.osaaf.org/AAF_RootCA.cer>`__
+ | Depending on your Browser/ Operating System, clicking on this link
+ will allow you to install this Cert into your Browser for GUI
+ access (see next)
+
+ This Root Certificate is also available in "truststore" form, ready
+ to be used by Java or other processes:
+
+-
+
+ -
+
+ - `truststoreONAP.p12 <http://aaf-onap-beijing-test.osaaf.org/truststoreONAP.p12>`__ 
+ -  This Truststore has ONLY the ONAP AAF\_RootCA in it.
+
+ - `truststoreONAPall.jks <http://aaf-onap-beijing-test.osaaf.org/truststoreONAPall.jks>`__
+ - This Truststore has the ONAP AAF\_RootCA in it PLUS all
+ the Public CA Certs that are in Java 1.8.131 (note: this is
+ in jks format, because the original JAVA truststore was in
+ jks format)
+
+ Note: as of Java 8, pkcs12 format is recommended, rather than jks.
+  Java's "keytool" utility provides a conversion for .jks for Java 7
+ and previous.
+
+Identity
+''''''''
+
+ Certificates certify nothing if there is no identity or process to
+ verify the Identity.  Typically, for a company, an HR department
+ will establish the formal organization, specifically, who reports to
+ whom.  For ONAP, at time of Beijing, no such formalized "Org Chart"
+ existed, so we'll be building this up as we go along.
+
+ Therefore, with each Certificate Request, we'll need identity
+ information as well, that will be entered into an ONAP Identity
+ file.  Again, as a real company, this can be derived or accessed
+ real-time (if available) as an "Organization Plugin".  Again, as
+ there appears to be no such central formal system in ONAP, though,
+ of course, Linux Foundation logins have some of this information for
+ ALL LF projects.  Until ONAP declares such a system or decides how
+ we might integrate with LF for Identity and we have time to create
+ an Integration strategy, AAF will control this data.
+
+ For each Identity, we'll need:
+
+  People
+
+
+ | # 0 - unique ID (for Apps, just make sure it is unique, for
+ People, one might consider your LinuxFoundation ID)
+ | # 1 - full name (for App, name of the APP)
+ | # 2 - first name (for App, 
+ | # 3 - last name
+ | # 4 - phone
+ | # 5 - official email
+ | # 6 - type - person
+ | # 7 - reports to: If you are working as part of a Project, list
+ the PTL of your Project.  If you are PTL, just declare you are the
+ PTL 
+
+  Applications
+
+
+ | # 0 - unique ID - For ONAP Test, this will be the same a the App
+ Acronym.
+ | # 1 - full name of the App
+ | # 2 - App Acronym
+ | # 3 - App Description, or just "Application"
+ | # 5 - official email - a Distribution list for the Application, or
+ the Email of the Owner
+ | # 6 - type - application
+ | # 7 - reports to: give the Application Owner's Unique ID.  Note,
+ this should also be the Owner in AAF Namespace
+
+Obtaining a Certificate
+'''''''''''''''''''''''
+
+ There are 3 types of Certificates available for AAF and ONAP
+ community through AAF.  People, App Client-only, and App Service
+ (can be used for both Client and Service)
+
+Process (This process may fluctuate, or move to iTrack, so revisit this page for each certificate you request)
+
+
+1.
+
+ 1.
+
+ 1.
+
+ 1. Email the AAF Team
+ (jonathan.gathman@`att.com <http://att.com>`__, for now)
+
+ 2. Put "REQUEST ONAP CERTIFICATE" in the Subject Line
+
+ 3. If you have NOT established an Identity, see above, put the
+ Identity information in first
+
+ 4. Then declare which of the three kinds of Certificates you
+ want.
+
+ 1. **People** and **App Client-only** certificates will be
+ Manual
+
+ 1. You will receive a reply email with instructions on
+ creating and signing a CSR, with a specific Subject.
+
+ 2. Reply back with the CSR attached. DO NOT CHANGE the
+ Subject.  
+
+ 1. Subject is NOT NEGOTIABLE. If it does not match the
+ original Email, you will be rejected, and will
+ waste everyone's time.
+
+ 3. You will receive back the certificate itself, and some
+ openssl instructions to build a .p12 file (or maybe a
+ ready-to-run Shell Script)
+
+ 2. *App Service Certificate* is supported by AAF's Certman
+
+ 1. However, this requires the establishment of Deployer
+ Identities, as no Certificate is deployed without
+ Authorization.
+
+ 2. Therefore, for now, follow the "Manual" method,
+ described in 4.a, but include the Machine to be the
+ "cn="
+
+People
+
+
+ People Certificates can be used for browsers, curl, etc.
+
+ Automation and tracking of People Certificates will be proposed for
+ Casablanca.
+
+ In the meantime, for testing purposes, you may request a certificate
+ from AAF team, see process.
+
+Application Client-only
+
+
+ Application Client-only certificates are not tied to a specific
+ machine.  They function just like people, only it is expected that
+ they are used within "keystores" as identity when talking to AAF
+ enabled components.
+
+ PLEASE USE your APP NAME IN CI/CD (OOM, etc) in your request.  That
+ makes the most sense for identity.
+
+ Automation and tracking of Application Certificates will be proposed
+ for Casablanca. 
+
+ In the meantime, for testing purposes, you may request a certificate
+ from AAF team, see process.
+
+Application Service 
+
+
+ This kind of Certificate must have the Machine Name in the "CN="
+ position.  
+
+ AAF supports Automated Certificate Deployment, but this has not been
+ integrated with OOM at this time (April 12, 2018).  
+
+-
+
+ - Please request Manual Certificate, but specify the Machine as
+ well.  Machine should be a name, so you might need to provide
+ your Clients with instructions on adding to /etc/hosts until
+ ONAP address Name Services for ONAP Environments (i.e. DNS)
+
+ **GUI**
+
+ https://aaf-onap-beijing-test.osaaf.org
+
+ Note: this link is actually to the AAF Locator, which redirects you
+ to an available GUI
+
+ The GUI uses the ONAP AAF Certificate Authority (private).  Before
+ you can use the Browser, you will need to
+
+-
+
+ - Accept the `Root
+ Certificate <#AAFEnvironment-Beijing-RootCertificate>`__
+
+ - Obtain a Personal Certificate above
+
+ - Add the Personal Certificate/Private key to your Browser.
+ Typically, this is done by having it packaged in a
+ P\ https://zoom.us/j/793296315
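Review bot: the page ends mid-sentence ("Typically, this is done by having it packaged in a P\ ") followed by a Zoom meeting URL, so the last instruction for loading a personal certificate into the browser is lost and a meeting link is published in the docs; finish the sentence and drop the URL. The Root Certificate section offers `AAF_RootCA.cer` and both truststores only as plain `http://` downloads with no fingerprint, so a reader has no way to verify the CA they are about to trust beyond the VPN requirement stated at the top; publish the SHA-256 fingerprint of the root alongside the links. Structural leftovers from the wiki export: "Root Certificate" appears as a heading twice, the request procedure is numbered "1. / 1. / 1. / 1." before the real steps, and several empty "-" bullets wrap nested lists; also consider replacing the personal email address in the process step with a team alias.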
diff --git a/docs/sections/installation/Bootstrapping-AAF-Components.rst b/docs/sections/installation/Bootstrapping-AAF-Components.rst
new file mode 100644
index 00000000..2bb329d6
--- /dev/null
+++ b/docs/sections/installation/Bootstrapping-AAF-Components.rst
@@ -0,0 +1,256 @@
+.. contents::
+ :depth: 3
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Summary
+Essentials
+Technologies required to run AAF
+Optional Technologies for special cases
+Data Definitions
+AAF Data Definitions
+ILM (Identity Lifecycle Management)
+Initializing Default Implementation
+Extract Sample Configuration
+Certificate Authority
+Creating your own Certificate Authority (if desired)
+Create your Intermediate CAs
+Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
+Copy initializations to Host Machine
+Load Data and/or Meta-Data into Cassandra
+Build Source
+Run Java
+
+Summary
+-------
+
+AAF Components are all Java(tm) HTTP/S based RESTful services, with the following exceptions:
+
+ - AAF GUI component is an HTTP/S HTML5 generating component. It uses the same code base, but isn't strictly RESTful according to definition.
+ - AAF FS component is a FileServer, and is HTTP only (not TLS), so it can deliver publicly accessible artifacts without Authentication.
+
+Essentials
+==========
+
+Technologies required to run AAF
+--------------------------------
+
+ - Java(tm). Version 8.121+
+ - Oracle Java previous to Oracle Java SE 8 to version 8 Update 121 is vulnerable to "SWEET32" attack.
+
+ 1369383 - CVE-2016-2183 SSL/TLS: Birthday attack against 64-bit block ciphers (SWEET32)
+
+ - Cassandra, Version 2.1.14+
+ - X509 Certificates (at minimum to support HTTP/S TLS transactions (TLS1.1 and TLS1.2 are default, but can be configured).
+
+Optional Technologies for special cases
+---------------------------------------
+
+ - Build your own Certificate Authority for Bootstrapping and/or Certificate Manager component.
+ - openssl
+ - bash
+
+Data Definitions
+----------------
+
+AAF Data Definitions
+
+ - AAF is Data Driven, and therefore, needs to have some structure around the Initial Data so that it can function. You will need to define:
+
+Your Organization:
+ - Example: Are you a company? Do you already have a well known internet URL?
+ - If so, you should set up AAF Namespaces with this in mind. Example:
+
+ - for "Kumquat Industries, LTD", with internet presence "kumquats4you.com" (currently, a fictitious name), you would want all your AAF Namespaces to start with:
+
+"com.kumquats4you"
+The examples all use
+
+"org.osaaf"
+
+However it is recommended that you change this once you figure out your organizations' structure.
+Your AAF Root Namespace
+This can be within your company namespace, i.e.
+
+"com.kumquats4you.aaf"
+
+but you might consider putting it under different root structure.
+Again, the bootstrapping examples use:
+
+"org.osaaf.aaf"
+
+While creating these, recognize that
+2nd position of the Namespace indicates company/organization
+3rd+ position are applications within that company/organization
+
+"com.kumquats4you.dmaap"
+
+Following this "positional" structure is required for expected Authorization behavior.
+
+
+ILM (Identity Lifecycle Management)
+Neither Authentication nor Authorization make any sense outside the context of Identity within your Organization.
+
+Some organizations or companies will have their own ILM managers.
+
+If so you may write your own implementation of "Organization"
+Ensure the ILM of choice can be access real-time, or consider exporting the data into File Based mechanism (see entry)
+AAF comes with a "DefaultOrganization", which implements a file based localization of ILM in a simple text file
+
+Each line represents an identity in the organization, including essential contact information, and reporting structure
+This file can be updated by bringing in the entire file via ftp or other file transfer protocol, HOWEVER
+Provide a process that
+Validates no corruption has occurred
+Pulls the ENTIRE file down before moving into the place where AAF Components will see it.
+Take advantage of UNIX File System behaviors, by MOVING the file into place (mv), rather than copying while AAF is Active
+Note: This file-based methodology has been shown to be extremely effective for a 1 million+ Identity organization
+TBA-how to add an entry
+
+TBA-what does "sponsorship mean"
+
+Initializing Default Implementation
+This is recommended for learning/testing AAF. You can modify and save off this information for your Organizational use at your discretion.
+
+Extract Sample Configuration
+On your Linux box (creating/setting permissions as required)
+
+mkdir -p /opt/app/osaaf
+
+cd /opt/app/osaaf
+
+# Download AAF_sample_config_v1.zip (TBA)
+
+jar -xvf AAF_sample_config_v1.zip
+
+Certificate Authority
+You need to identify a SAFE AND SECURE machine when working with your own Certificate Authority. Realize that if a hacker gets the private keys of your CA or Intermediate CAs, you will be TOTALLY Compromised.
+
+For that reason, many large companies will isolate any machines dealing with Certificates, and that is the recommendation here as well... However, this page cannot explain what works best for you. JSCEP is an option if you have this setup already.
+
+If you choose to make your own CA, at the very least, once you create your private key for your Root Cert, and your Intermediate Certs, you might consider saving your Private Keys off line and removing from the exposed box. Again, this is YOUR responsibility, and must follow your policy.
+
+
+
+IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
+
+Creating your own Certificate Authority (if desired)
+1) Obtain all the Shell Scripts from the "conf/CA" directory which you can get the from the git repo.
+
+For this example, we'll put everything in /opt/app/osaaf
+
+mkdir /opt/app/osaaf/CA, if required
+
+$ cd /opt/app/osaaf/CA
+
+view README.txt for last minute info
+
+view an/or change "subject.aaf" for your needs. This format will be used on all generated certs from the CA.
+
+$ cat subject.aaf
+
+If you will be using PKCS11 option, review the "cfg.pkcs11" file as well
+
+$ cat cfg.pkcs11
+
+$ bash newca.sh
+
+Obviously, save off your passphrase in an encrypted place... how you do this is your procedure
+
+At this point, your Root CA information has been created. If you want to start over, you may use "bash clean.sh"
+
+Create your Intermediate CAs
+2) You do NOT sign regular Cert requests with your Root. You only sign with Intermediate CA. The "intermediate.sh" will create a NEW Intermediate CA Directory and copy appropriate Shell scripts over. Do this for as many Intermediate CAs as you need.
+
+$ bash newIntermediate.sh
+
+creates directories in order, intermediate_1, intermediate_2, etc.
+
+Use the Intermediate CA for creating Service/Identity Certs (can be utilized by Certman with LocalCA)
+3) When creating a Manual Certificate, DO THIS from the Intermediate CA needed
+
+$ cd intermediate_1
+
+4) Create initial Certificate for AAF
+
+IMPORTANT! As you create Certificates for Identities, the Identities you use MUST be identities in your ILM. See /opt/app/aaf/osaaf/data/identities.dat
+
+To create LOCALLY, meaning create the CSR, and submit immediately, do the following
+
+$ bash manual.sh <machine-name> -local
+
+FQI (Fully Qualified Identity):
+
+<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
+
+To create Information suitable for Emailing, and signing the returned CSR
+
+$ bash manual.sh <machine-name>
+
+FQI (Fully Qualified Identity):
+
+<identity from identities.dat>@<domain, ex: aaf.osaaf.org>
+
+5) Create p12 file for AAF
+
+REMAIN in the intermediate directory...
+
+$ bash p12.sh <machine-name>
+
+Copy initializations to Host Machine
+AAF is setup so it can run
+
+On the O/S, using Java
+On Docker
+On K8
+In each case, even for Docker/K8, we utilize the File O/S for host specific information. This is because
+
+Many things are Host Specific
+The Hostname required for TLS interactions
+Cassandra specific information (when external/clustered)
+Logging (if logging is done in container, it will be lost if container goes down)
+To make things simpler, we are assuming that the file structure will be "/opt/app/osaaf". The code supports changing this, but documentation will wait until use cases arises for ONAP.
+
+Steps:
+
+1) Copy "osaaf.zip" to your Host Machine, where osaaf.zip is provided by AAF SME. // TODO POST SAMPLE HERE
+
+2) Copy your "p12" file generated by your CA (see above), and place in your "certs" directory
+
+3) SSH (or otherwise login) to your Docker/K8 Host Machine
+
+4) setup your directories (you might need to be root, then adjust what you need for O/S File Permissions
+
+$ mkdir /opt/app/osaaf
+
+$ cd /opt/app/osaaf
+
+$ mkdir cred logs
+
+$ unzip ~/osaaf.zip
+
+$ mv ~/<p12 file from CA above> cred
+
+$
+
+Unzip the "osaaf.zip" so it goes into the /opt/app/osaaf directory (should have "etc", "data", "public" and "certs" directories)
+
+4) Modify "org.osaaf.props" to have
+
+
+
+Load Data and/or Meta-Data into Cassandra
+Setting this initial Data can be done directly onto Cassadra using "cqlsh" using the following "cql" files:
+
+init<version>.cql (whatever is latest in the "zip" file)
+osaaf.cql
+ This file contains initial Authorization Structures, see AAF Data Structures.
+ This is where you would modify your own initial Structures.
+Build Source
+(if not done already)
+
+Run Java
+Note: If you have a Kubernets requirement (support), it is STILL RECOMMENDED you run AAF as stand-alone Java Components on your system, and work out any modifications required BEFORE trying to run in Kubernetes.
+
+TBA <java -Dcadi_prop_files=/opt/app/osaaf/etc/org.osaaf.locator.props -cp <path> File>
+
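Review bot: step "4) Modify "org.osaaf.props" to have" is followed by nothing, so the one host-specific edit a reader must make is missing, and the number 4 is used twice (directory setup and this edit); fill in the properties to change (at least the hostname and Cassandra settings the preceding paragraph calls host-specific) and renumber. The path `/opt/app/aaf/osaaf/data/identities.dat` (given twice) does not match the `/opt/app/osaaf` layout used everywhere else on the page. The SWEET32 sentence is garbled ("Oracle Java previous to Oracle Java SE 8 to version 8 Update 121") and the bare number `1369383` before the CVE has no tracker name; rewrite as a plain "Java SE 8 before Update 121" statement with a link. The intermediate CA text refers to "intermediate.sh" while the command run is `newIntermediate.sh`. Given the warning that a leaked CA key means total compromise, make the offline root key a requirement rather than "you might consider", and spell out how the p12 produced by `p12.sh` leaves the isolated CA machine. Finally, the hand-written table of contents at the top duplicates what `.. contents::` already generates, and "Summary" is underlined with `---` while "Essentials" uses `===`, inverting the heading levels.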
diff --git a/docs/sections/installation/Installation.rst b/docs/sections/installation/Installation.rst
new file mode 100644
index 00000000..dc4c6a40
--- /dev/null
+++ b/docs/sections/installation/Installation.rst
@@ -0,0 +1,103 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Installation
+============
+This document will illustrates how to build and deploy all AAF components.
+
+Clone AAF Code:
+Build AAF with settings.xml:
+Build Docker Images:
+Modify the properties file:
+Mount the sample to /opt/app/osaaf:
+Run the docker containers:
+Clone AAF Code:
+bharath@bharath:~$ git clone https://git.onap.org/aaf/authz
+
+
+Build AAF with settings.xml:
+---------------------------
+Copy the settings.xml from here and paste in ~/.m2/settings.xml
+
+Then run the following command
+
+.. code:: bash
+
+ bharath@bharath:~$ cd authz && mvn clean install -DskipTests
+
+
+If the build is successful, then you can see a folder in "authz/auth" called "aaf_VERSION-SNAPSHOT" which contains all binaries of the components
+
+.. code:: bash
+
+ bharath@bharath:~/authz/auth$ ls
+aaf_2.1.1-SNAPSHOT auth-cass auth-cmd auth-deforg auth-gui auth-locate auth-service pom.xml target
+auth-batch auth-certman auth-core auth-fs auth-hello auth-oauth docker sample
+
+Build Docker Images:
+-------------------
+Now after building binaries, the next step is to build docker images for each aaf component.
+
+.. code:: bash
+
+ bharath@bharath:~/authz/auth/docker$ chmod +x *.sh
+ bharath@bharath:~/authz/auth/docker$ ./dbuild.sh
+
+The above command will build the following images:
+
+aaf_service
+aaf_oauth
+aaf_locate
+aaf_hello
+aaf_gui
+aaf_fs
+aaf_cm
+Modify the properties file:
+Modify the contents of the "authz/auth/docker/d.props
+
+.. code:: bash
+
+ bharath@bharath:~/authz/auth/docker$ cat d.props
+
+# Variables for building Docker entities
+ORG=onap
+PROJECT=aaf
+DOCKER_REPOSITORY=nexus3.onap.org:10003
+OLD_VERSION=2.1.0-SNAPSHOT
+VERSION=2.1.1-SNAPSHOT
+CONF_ROOT_DIR=/opt/app/osaaf
+
+
+# Local Env info
+HOSTNAME="<HOSTNAME>"
+HOST_IP="<HOST_IP>"
+CASS_HOST="cass"
+
+Replace the <HOSTNAME> with your hostname and HOST_IP with your host IP.
+
+Add the following entry to your /etc/hosts file
+
+
+
+127.0.0.1 aaf.osaaf.org
+Mount the sample to /opt/app/osaaf:
+As you can see there is a parameter "CONF_ROOT_DIR" which is set to "/opt/app/osaaf". So we have to create a folder "/opt/app/osaaf" and copy the contents of authz/auth/sample to /opt/app/osaaf
+
+.. code:: bash
+
+ bharath@bharath:~/authz/auth$ mkdir -p /opt/app/osaaf
+ bharath@bharath:~/authz/auth$ cp -r sample/* /opt/app/osaaf/
+
+Run the docker containers:
+--------------------------
+.. code:: bash
+
+ bharath@bharath:~/authz/auth/docker$ ls
+ dbash.sh dbuild.sh dclean.sh Dockerfile d.props dpush.sh drun.sh dstart.sh dstop.sh
+ bharath@bharath:~/authz/auth/docker$ ./drun.sh
+
+
+
+
+
+
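Review bot: "Copy the settings.xml from here" has no link or path, so the build step cannot be followed; point to the file in the repo. The `ls` output after `cd authz/auth` and the `/etc/hosts` line `127.0.0.1 aaf.osaaf.org` are outside the indented code blocks and will render as prose. After `cp -r sample/* /opt/app/osaaf/` there is no ownership or permission step, yet this directory will hold the CADI keyfile and the p12 credentials described in the other pages of this change; add a `chmod`/`chown` line consistent with the keyfile guidance. Minor: "This document will illustrates"; "Modify the properties file:" lacks the heading underline its siblings have; and the `bharath@bharath:~$` prompts would read better as a generic `$`.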
diff --git a/docs/sections/installation/fromsource.rst b/docs/sections/installation/fromsource.rst
new file mode 100644
index 00000000..19ac6221
--- /dev/null
+++ b/docs/sections/installation/fromsource.rst
@@ -0,0 +1,190 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+AAF From Source Code
+====================
+
+Example Source Code
+-------------------
+Note the FULL class is available in the authz repo, cadi_aaf/org/onap/aaf/client/sample/Sample.java
+
+.. code-block:: java
+
+
+ /**
+ * ============LICENSE_START====================================================
+ * org.onap.aaf
+ * ===========================================================================
+ * Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
+ * ===========================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END====================================================
+ *
+ */
+
+ package org.onap.aaf.client.sample;
+
+ import java.io.IOException;
+ import java.security.Principal;
+ import java.util.ArrayList;
+ import java.util.List;
+
+ import org.onap.aaf.cadi.Access;
+ import org.onap.aaf.cadi.CadiException;
+ import org.onap.aaf.cadi.LocatorException;
+ import org.onap.aaf.cadi.Permission;
+ import org.onap.aaf.cadi.PropAccess;
+ import org.onap.aaf.cadi.aaf.AAFPermission;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFAuthn;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFConHttp;
+ import org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm;
+ import org.onap.aaf.cadi.principal.UnAuthPrincipal;
+ import org.onap.aaf.cadi.util.Split;
+ import org.onap.aaf.misc.env.APIException;
+
+ public class Sample {
+ private static Sample singleton;
+ final private AAFConHttp aafcon;
+ final private AAFLurPerm aafLur;
+ final private AAFAuthn<?> aafAuthn;
+
+ /**
+ * This method is to emphasize the importance of not creating the AAFObjects over and over again.
+ * @return
+ */
+ public static Sample singleton() {
+ return singleton;
+ }
+
+ public Sample(Access myAccess) throws APIException, CadiException, LocatorException {
+ aafcon = new AAFConHttp(myAccess);
+ aafLur = aafcon.newLur();
+ aafAuthn = aafcon.newAuthn(aafLur);
+ }
+
+ /**
+ * Checking credentials outside of HTTP/S presents fewer options initially. There is not, for instance,
+ * the option of using 2-way TLS HTTP/S.
+ *
+ * However, Password Checks are still useful, and, if the Client Certificate could be obtained in other ways, the
+ * Interface can be expanded in the future to include Certificates.
+ * @throws CadiException
+ * @throws IOException
+ */
+ public Principal checkUserPass(String fqi, String pass) throws IOException, CadiException {
+ String ok = aafAuthn.validate(fqi, pass);
+ if(ok==null) {
+ System.out.println("Success!");
+ /*
+ UnAuthPrincipal means that it is not coming from the official Authorization chain.
+ This is useful for Security Plugins which don't use Principal as the tie between
+ Authentication and Authorization
+
+ You can also use this if you want to check Authorization without actually Authenticating, as may
+ be the case with certain Onboarding Tooling.
+ */
+ return new UnAuthPrincipal(fqi);
+ } else {
+ System.out.printf("Failure: %s\n",ok);
+ return null;
+ }
+
+
+ }
+
+ /**
+ * An example of looking for One Permission within all the permissions user has. CADI does cache these,
+ * so the call is not expensive.
+ *
+ * Note: If you are using "J2EE" (Servlets), CADI ties this function to the method:
+ * HttpServletRequest.isUserInRole(String user)
+ *
+ * The J2EE user can expect that his servlet will NOT be called without a Validated Principal, and that
+ * "isUserInRole()" will validate if the user has the Permission designated.
+ *
+ */
+ public boolean oneAuthorization(Principal fqi, Permission p) {
+ return aafLur.fish(fqi, p);
+ }
+
+ public List<Permission> allAuthorization(Principal fqi) {
+ List<Permission> pond = new ArrayList<Permission>();
+ aafLur.fishAll(fqi, pond);
+ return pond;
+ }
+
+
+ public static void main(String[] args) {
+ // Note: you can pick up Properties from Command line as well as VM Properties
+ // Code "user_fqi=... user_pass=..." (where user_pass can be encrypted) in the command line for this sample.
+ // Also code "perm=<perm type>|<instance>|<action>" to test a specific Permission
+ PropAccess myAccess = new PropAccess(args);
+ try {
+ /*
+ * NOTE: Do NOT CREATE new aafcon, aafLur and aafAuthn each transaction. They are built to be
+ * reused!
+ *
+ * This is why this code demonstrates "Sample" as a singleton.
+ */
+ singleton = new Sample(myAccess);
+ String user = myAccess.getProperty("user_fqi");
+ String pass= myAccess.getProperty("user_pass");
+
+ if(user==null || pass==null) {
+ System.err.println("This Sample class requires properties user_fqi and user_pass");
+ } else {
+ pass = myAccess.decrypt(pass, false); // Note, with "false", decryption will only happen if starts with "enc:"
+ // See the CODE for Java Methods used
+ Principal fqi = Sample.singleton().checkUserPass(user,pass);
+
+ if(fqi==null) {
+ System.out.println("OK, normally, you would cease processing for an "
+ + "unauthenticated user, but for the purpose of Sample, we'll keep going.\n");
+ fqi=new UnAuthPrincipal(user);
+ }
+
+ // AGAIN, NOTE: If your client fails Authentication, the right behavior 99.9%
+ // of the time is to drop the transaction. We continue for sample only.
+
+ // note, default String for perm
+ String permS = myAccess.getProperty("perm","org.osaaf.aaf.access|*|read");
+ String[] permA = Split.splitTrim('|', permS);
+ if(permA.length>2) {
+ final Permission perm = new AAFPermission(permA[0],permA[1],permA[2]);
+ // See the CODE for Java Methods used
+ if(singleton().oneAuthorization(fqi, perm)) {
+ System.out.printf("Success: %s has %s\n",fqi.getName(),permS);
+ } else {
+ System.out.printf("%s does NOT have %s\n",fqi.getName(),permS);
+ }
+ }
+
+
+ // Another form, you can get ALL permissions in a list
+ // See the CODE for Java Methods used
+ List<Permission> permL = singleton().allAuthorization(fqi);
+ if(permL.size()==0) {
+ System.out.printf("User %s has no Permissions THAT THE CALLER CAN SEE",fqi.getName());
+ } else {
+ System.out.print("Success:\n");
+ for(Permission p : permL) {
+ System.out.printf("\t%s has %s\n",fqi.getName(),p.getKey());
+ }
+ }
+ }
+ } catch (APIException | CadiException | LocatorException | IOException e) {
+ e.printStackTrace();
+ }
+ }
+ } \ No newline at end of file
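Review bot: main() keeps going with an UnAuthPrincipal after checkUserPass returns null (the `if(fqi==null)` branch), and because this file ships as the reference sample, that fall-through is exactly what integrators will copy; suggest returning (or exiting non-zero) there by default and making the continue-for-demo behaviour opt-in via a property, so the comment "the right behavior 99.9% of the time is to drop the transaction" is enforced by the code rather than only stated. Two smaller points in the same method: the `permA.length>2` guard silently ignores a `perm` property with fewer than three fields, where a usage message would help, and the printf in the "has no Permissions" branch is missing a trailing `\n`, so the following output runs onto the same line.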
diff --git a/docs/sections/installation/index.rst b/docs/sections/installation/index.rst
new file mode 100644
index 00000000..a3aeddec
--- /dev/null
+++ b/docs/sections/installation/index.rst
@@ -0,0 +1,12 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.
+
+Installation
+============
+.. toctree::
+ :maxdepth: 2
+ :glob:
+
+ *
+
diff --git a/docs/sections/logging.rst b/docs/sections/logging.rst
new file mode 100644
index 00000000..9064b597
--- /dev/null
+++ b/docs/sections/logging.rst
@@ -0,0 +1,70 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+Logging
+=======
+
+.. note::
+ * This section is used to describe the informational or diagnostic messages emitted from
+ a software component and the methods or collecting them.
+
+ * This section is typically: provided for a platform-component and sdk; and
+ referenced in developer and user guides
+
+ * This note must be removed after content has been added.
+
+
+Where to Access Information
+---------------------------
+AAF uses log4j framework to generate logs and all the logs are stored in a persistent volume.
+
+Error / Warning Messages
+------------------------
+Following are the error codes
+
+| Create a Permission - Expected=201, Explicit=403, 404, 406, 409
+| Set Description for Permission - Expected=200, Explicit=404, 406
+| Delete a Permission Expected=200, Explicit=404, 406
+| Update a Permission - Expected=200, Explicit==04, 406, 409
+| Get Permissions by Type - Expected=200, Explicit=404, 406
+| Get Permissions by Key - Expected=200, Explicit=404, 406
+| Get PermsByNS - Expected=200, Explicit==404, 406
+| Get Permissions by Role - Expected=200, Explicit=404, 406
+| Get Permissions by User, Query AAF Perms - Expected=200, Explicit=404, 406
+| Get Permissions by User - Expected=200, Explicit=404, 406
+| Create Role - Expected=201, Explicit=403, 404, 406, 409
+| Set Description for role= - Expected=200, Explicit=404, 406
+| Delete Role - Expected=200, Explicit==404, 406
+| Delete Permission from Role - Expected=200, Explicit=404, 406
+| Add Permission to Role - Expected=201, Explicit=403, 404, 406, 409
+| Set a Permission's Roles - Expected=201, Explicit=403, 404, 406, 409
+| GetRolesByFullName - Expected=200, Explicit=404, 406
+| GetRolesByNameOnly - Expected=200, Explicit=404, 406
+| GetRolesByNS - Expected=200, Explicit=404, 406
+| GetRolesByPerm - Expected=200, Explicit=404, 406
+| GetRolesByUser - Expected=200, Explicit=404, 406
+| Request User Role Access - Expected=201, Explicit=403, 404, 406, 409
+| Get if User is In Role - Expected=200, Explicit=403, 404, 406
+| Delete User Role - Expected=200, Explicit=403, 404, 406
+| Update Users for a role - Expected=200, Explicit=403, 404, 406
+| Update Roles for a user - Expected=200, Explicit=403, 404, 406
+| Get UserRoles by Role - Expected=200, Explicit=404, 406
+| Get UserRoles by User - Expected=200, Explicit=404, 406
+| Create a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Set a Description for a Namespace - Expected=200, Explicit=403, 404, 406
+| Delete a Namespace - Expected=200, Explicit=403, 404, 424
+| Add an Admin to a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Remove an Admin from a Namespace - Expected=200, Explicit=403, 404
+| Delete an Attribute from a Namespace - Expected=200, Explicit=403, 404
+| Add an Attribute from a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| update an Attribute from a Namespace - Expected=200, Explicit=403, 404
+| Add a Responsible Identity to a Namespace - Expected=201, Explicit=403, 404, 406, 409
+| Remove a Responsible Identity from Namespace - Expected=200, Explicit=403, 404
+| get Ns Key List From Attribute - Expected=200, Explicit=403, 404
+| Return Information about Namespaces - Expected=200, Explicit=404, 406
+| Return Child Namespaces - Expected=200, Explicit=403, 404
+| Get Users By Permission - Expected=200, Explicit=404, 406
+| Get Users By Role - Expected=200, Explicit=403, 404, 406
+| Is given BasicAuth valid? - Expected=200, Explicit=403
+| Is given Credential valid? - Expected=200, Explicit=403
+
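Review bot: the `.. note::` template block at the top still says "This note must be removed after content has been added" and should be dropped now that the section has content. The "Error / Warning Messages" list is a table of HTTP status codes per API call rather than log or warning messages, so a title such as "API Response Codes" would describe it better, and several entries need fixing: `Explicit==04` on the "Update a Permission" line (404), the doubled `==` on the "Get PermsByNS" and "Delete Role" lines, "Set Description for role=" and "methods or collecting" (for "of"). "Where to Access Information" would also serve operators better if it named the persistent volume path and the log file names rather than only saying logs are stored in a volume.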
diff --git a/docs/sections/release-notes.rst b/docs/sections/release-notes.rst
new file mode 100644
index 00000000..c3f74ade
--- /dev/null
+++ b/docs/sections/release-notes.rst
@@ -0,0 +1,72 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+
+Release Notes
+=============
+
+
+
+Version: 2.1.0
+--------------
+
+
+:Release Date: 2018-06-07
+
+
+
+**New Features**
+
+This release fixes the packaging and security issues.
+
+**Bug Fixes**
+ NA
+**Known Issues**
+ NA
+
+**Security Notes**
+
+AAF code has been formally scanned during build time using NexusIQ and all Critical vulnerabilities have been addressed, items that remain open have been assessed for risk and determined to be false positive. The AAF open Critical security vulnerabilities and their risk assessment have been documented as part of the `project <https://wiki.onap.org/pages/viewpage.action?pageId=28380057>`_.
+
+Quick Links:
+ - `AAF project page <https://wiki.onap.org/display/DW/Application+Authorization+Framework+Project>`_
+
+ - `Passing Badge information for AAF <https://bestpractices.coreinfrastructure.org/en/projects/1758>`_
+
+ - `Project Vulnerability Review Table for AAF <https://wiki.onap.org/pages/viewpage.action?pageId=28380057>`_
+
+**Upgrade Notes**
+ NA
+
+**Deprecation Notes**
+
+Version: 1.0.1
+
+Release Date: 2017-11-16
+
+
+New Features:
+
+ - Service (primary) – All the Authorization information (more on that in a bit)
+ - Locate – how to find ANY OR ALL AAF instances across any geographic distribution
+ - OAuth 2.0 – new component providing Tokens and Introspection (no time to discuss here)
+ - GUI – Tool to view and manage Authorization Information, and create Credentials
+ - Certman – Certificate Manger, create and renew X509 with Fine-Grained Identity
+ - FS – File Server to provide access to distributable elements (like well known certs)
+ - Hello - Test your client access (certs, OAuth 2.0, etc)
+
+
+
+
+Bug Fixes
+ - `AAF-290 <https://jira.onap.org/browse/AAF-290>`_ Fix aaf trusrstore
+ - `AAF-270 <https://jira.onap.org/browse/AAF-270>`_ AAF fails health check on HEAT deployment
+ - `AAF-286 <https://jira.onap.org/browse/AAF-286>`_ SMS fails health check on OOM deployment
+ - `AAF-273 <https://jira.onap.org/browse/AAF-273>`_ Cassandra pod running over 8G heap - or 10% of ONAP ram (for 135 other pods on 256G 4 node cluster)
+
+
+Known Issues
+ -
+
+Other
+
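Review bot: "Version: 1.0.1" and its "Release Date", "New Features", "Bug Fixes", "Known Issues" and "Other" labels have no RST underline or bold markup, so unlike the 2.1.0 section they render as plain paragraphs; give them the same `--------------` heading and `**...**` markup used above. "**Deprecation Notes**" for 2.1.0 is empty (the 1.0.1 block follows it directly), so add "NA" as in the other empty subsections. In "Security Notes" the link text "project" is vague; since it points at the same vulnerability review table listed under Quick Links, name it as such. Typos: "trusrstore" (AAF-290) and "Certificate Manger".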