From 79c5df5f97317a5712ebc8e9cbc72f7d49ee7d19 Mon Sep 17 00:00:00 2001 From: Instrumental Date: Fri, 25 May 2018 20:54:35 -0500 Subject: Create Security Overview Issue-ID: AAF-331 Change-Id: If588c053710e35554aa31d7dd41d9191be155840 Signed-off-by: Instrumental --- docs/images/aaf-object-model.jpg | Bin 189989 -> 0 bytes docs/index.rst | 2 +- docs/sections/architecture/aaf-cm.png | Bin 149239 -> 0 bytes docs/sections/architecture/aaf-object-model.jpg | Bin 189989 -> 0 bytes docs/sections/architecture/aaf_architecture.rst | 4 +- .../architecture/images/SecurityArchAAF.svg | 55 +++++ .../architecture/images/SecurityArchAAFOrg.svg | 128 +++++++++++ .../architecture/images/SecurityArchBasic_1.svg | 48 ++++ .../architecture/images/SecurityArchBasic_TLS.svg | 62 +++++ .../architecture/images/SecurityArchCADI.svg | 64 ++++++ .../architecture/images/SecurityArchFull.svg | 255 +++++++++++++++++++++ docs/sections/architecture/images/aaf-cm.png | Bin 0 -> 149239 bytes .../architecture/images/aaf-object-model.jpg | Bin 0 -> 189989 bytes docs/sections/architecture/security.rst | 130 ++++++++++- 14 files changed, 738 insertions(+), 10 deletions(-) delete mode 100644 docs/images/aaf-object-model.jpg delete mode 100644 docs/sections/architecture/aaf-cm.png delete mode 100644 docs/sections/architecture/aaf-object-model.jpg create mode 100644 docs/sections/architecture/images/SecurityArchAAF.svg create mode 100644 docs/sections/architecture/images/SecurityArchAAFOrg.svg create mode 100644 docs/sections/architecture/images/SecurityArchBasic_1.svg create mode 100644 docs/sections/architecture/images/SecurityArchBasic_TLS.svg create mode 100644 docs/sections/architecture/images/SecurityArchCADI.svg create mode 100644 docs/sections/architecture/images/SecurityArchFull.svg create mode 100644 docs/sections/architecture/images/aaf-cm.png create mode 100644 docs/sections/architecture/images/aaf-object-model.jpg diff --git a/docs/images/aaf-object-model.jpg b/docs/images/aaf-object-model.jpg deleted file mode 100644 index 30caa7d5..00000000 Binary files a/docs/images/aaf-object-model.jpg and /dev/null differ diff --git a/docs/index.rst b/docs/index.rst index dacc9d06..3b903c24 100644 --- a/docs/index.rst +++ b/docs/index.rst @@ -32,7 +32,7 @@ AAF contains some elements of Role Based Authorization, but includes Attribute B |image0| -.. |image0| image:: images/aaf-object-model.jpg +.. |image0| image:: sections/architecture/images/aaf-object-model.jpg :height: 600px :width: 800px diff --git a/docs/sections/architecture/aaf-cm.png b/docs/sections/architecture/aaf-cm.png deleted file mode 100644 index 602f17e4..00000000 Binary files a/docs/sections/architecture/aaf-cm.png and /dev/null differ diff --git a/docs/sections/architecture/aaf-object-model.jpg b/docs/sections/architecture/aaf-object-model.jpg deleted file mode 100644 index 30caa7d5..00000000 Binary files a/docs/sections/architecture/aaf-object-model.jpg and /dev/null differ diff --git a/docs/sections/architecture/aaf_architecture.rst b/docs/sections/architecture/aaf_architecture.rst index 6e522888..b955ce10 100644 --- a/docs/sections/architecture/aaf_architecture.rst +++ b/docs/sections/architecture/aaf_architecture.rst @@ -11,7 +11,7 @@ To be effective during a computer transaction, Security must not only be secure, |image0| -.. |image0| image:: aaf-object-model.jpg +.. |image0| image:: images/aaf-object-model.jpg :height: 600px :width: 800px @@ -33,7 +33,7 @@ Every secure transaction requires 1) Encryption 2) Authentication 3) Authorizati |image1| -.. |image1| image:: aaf-cm.png +.. |image1| image:: images/aaf-cm.png :height: 768px :width: 1024px diff --git a/docs/sections/architecture/images/SecurityArchAAF.svg b/docs/sections/architecture/images/SecurityArchAAF.svg new file mode 100644 index 00000000..34b592ab --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchAAF.svg @@ -0,0 +1,55 @@ + + + + + + + + Service + + + + + + Cert Man + + + + + + OAuth + + + + + AAF + + (Application Authorization Framework) + + + + + Authn + + + + + + Authz + + + + + + Locator + + + + + + GUI + (Management) + + + + diff --git a/docs/sections/architecture/images/SecurityArchAAFOrg.svg b/docs/sections/architecture/images/SecurityArchAAFOrg.svg new file mode 100644 index 00000000..f003b810 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchAAFOrg.svg @@ -0,0 +1,128 @@ + + + + + + + + + + + + + + Sign + CSRs + + + Delegate + by Domain + + + + + + + + + + + Service + + + + + + Cert Man + + + + + + OAuth + + + + + AAF + + (Application Authorization Framework) + + + + + Authn + + + + + + Authz + + + + + + Locator + + + + + + GUI + (Management) + + + + + + + + Certificate + Authority + + + + + + DNS + (Externally + Visible) + + + + + + + + Formal + Organization + + + + + + Notification + System + + + + + + Identity/ + Hierarchy + + + + + + Company + Authn(s) + + + + + Organizationally Defined + + + diff --git a/docs/sections/architecture/images/SecurityArchBasic_1.svg b/docs/sections/architecture/images/SecurityArchBasic_1.svg new file mode 100644 index 00000000..1066f2c3 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchBasic_1.svg @@ -0,0 +1,48 @@ + + + + + + + Application + Two + + + + + + User One + (Person) + + + + + + + + + + + + Application + One + + + + Application + Two + + + + + + User One + (Person) + + + + Application + One + + + diff --git a/docs/sections/architecture/images/SecurityArchBasic_TLS.svg b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg new file mode 100644 index 00000000..664593bd --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchBasic_TLS.svg @@ -0,0 +1,62 @@ + + + + + + TLS 1.2+ + + + TLS 1.2+ + + + HTTP/S + + + HTTP/S + + + + + + Application + Two + + + + + + User One + (Person) + + + + + + + + + + + + Application + One + + + + Application + Two + + + + + + User One + (Person) + + + + Application + One + + + diff --git a/docs/sections/architecture/images/SecurityArchCADI.svg b/docs/sections/architecture/images/SecurityArchCADI.svg new file mode 100644 index 00000000..b05a7f90 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchCADI.svg @@ -0,0 +1,64 @@ + + + + + + X509 Client + + + X509 Client + + + or BasicAuth + + + + + + + + CADI Filter + + + + + + + + + CADI Filter + + + + + Application + Two + + + + + + User One + (Person) + + + + HTTP/S + + + + + + + + + + + Application + One + + + HTTP/S + + + diff --git a/docs/sections/architecture/images/SecurityArchFull.svg b/docs/sections/architecture/images/SecurityArchFull.svg new file mode 100644 index 00000000..0093eaa1 --- /dev/null +++ b/docs/sections/architecture/images/SecurityArchFull.svg @@ -0,0 +1,255 @@ + + + + + + + + + + + + + + 1) User/Password + validation (if Basic Auth) + + + 2) Obtain + AAF Permissions + + + + + + + Batch + Maintenance + + + + + + + + Expiring + Events + + + + + + + + + + + + + + + Cassandra + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Sign + CSRs + + + Delegate + by Domain + + + + + + + + + + + Service + + + + + + Cert Man + + + + + + OAuth + + + + + AAF + + (Application Authorization Framework) + + + + + Authn + + + + + + Authz + + + + + + Locator + + + + + + GUI + (Management) + + + + + + + + Certificate + Authority + + + + + + DNS + (Externally + Visible) + + + + + + + + Formal + Organization + + + + + + Notification + System + + + + + + Identity/ + Hierarchy + + + + + + Company + Authn(s) + + + + + Organizationally Defined + + + + + X509 Client + + + X509 Client + + + or BasicAuth + + + + + + + + CADI Filter + + + + + + + + + CADI Filter + + + + + Application + Two + + + + + + User One + (Person) + + + + HTTP/S + + + + + + + + + + + Application + One + + + HTTP/S + + + diff --git a/docs/sections/architecture/images/aaf-cm.png b/docs/sections/architecture/images/aaf-cm.png new file mode 100644 index 00000000..602f17e4 Binary files /dev/null and b/docs/sections/architecture/images/aaf-cm.png differ diff --git a/docs/sections/architecture/images/aaf-object-model.jpg b/docs/sections/architecture/images/aaf-object-model.jpg new file mode 100644 index 00000000..30caa7d5 Binary files /dev/null and b/docs/sections/architecture/images/aaf-object-model.jpg differ diff --git a/docs/sections/architecture/security.rst b/docs/sections/architecture/security.rst index fd10dc98..7c4ef85d 100644 --- a/docs/sections/architecture/security.rst +++ b/docs/sections/architecture/security.rst @@ -9,21 +9,137 @@ Communicating When one compute process needs to communicate to another, it does so with networking. The service side is always compute process, but the client can be of two types: - - People (via browser, or perhaps command line tool) - - Compute process talking to another computer process. + * People (via browser, or perhaps command line tool) + * Compute process talking to another computer process. -Thus, the essential building blocks of any networked system is made up of +In larger systems, it is atypical to have just one connection, but will the call initiated by the initial actor will cause additional calls after it. Thus, we demonstrate both a client call, and a subsequent call in the following: +Thus, the essential building blocks of any networked system is made up of a caller and any subsquent calls. + +.. image:: images/SecurityArchBasic_1.svg + :width: 70% + :align: center -In larger systems, it is atypical Communicating *Securely* ------------------------ Whenever two processing entities exist that need to communicate securely, it is *essential* that - - The communications between the two are encrypted - - The identities of the caller and callee are established (authentication) - - The caller must be allowed to do what it is asking to do (authorization) + * The communications between the two are encrypted + * The identities of the caller and callee are established (authentication) + * The caller must be allowed to do what it is asking to do (authorization) + + +**Encryption** + +Encryption is provided by HTTP/S with the TLS 1.2+ protocol. Lesser protocols can also be added, but it is highly recommended that the protocol go no lower than TLS 1.1 + +.. image:: images/SecurityArchBasic_TLS.svg + :width: 70% + :align: center + +**Establishing Identity** + +*Client Side* + +In order to be secure of the Server Identity, the client will: + * Carefully select the Endpoint for the server (URL) + * The Service side Certificate chain obtained by TLS must ultimately be signed by a Certificate Authority that is trusted. + +*Server Side* + +The server side is a little harder to accomplish, because, while a client can choose carefully whom he contacts, the server, ultimately, might be contacted by literally anyone. + +To solve this difficult problem, the CADI Framework Filter is attached to the incoming transaction before any code by Application 1 or Application 2 is invoked. The CADI Framework does the following: + A) Establishes the claimed Identity (this differs by Protocol) + + i) The Identity needs to be a Fully Qualified Identity (FQI), meaning it has + + #) An ID approved by Organization (such as bob) + #) A Domain establishing where the Credential is defined (ex: @bobs.garage.com) + #) FQI Example: bob@bobs.garage.com + + B) Validates the credential of the FQI ( *Authentication* ) + + i) Basic Auth (User/Password) is validated against the system supporting the domain + ii) AAF Certman can create a fine-grained X509 certificate, which can derive FQI + iii) If the FQI fails the Credential test in any way, the transaction is terminated + + C) Obtain *Authorization* information + + i) This might include a call to AAF which will return all the Permissions of the User per Application Context + ii) This might involve pulling these from Cache + iii) This also might be pulled from Token + +.. image:: images/SecurityArchCADI.svg + :width: 70% + :align: center + +Enabling the Client to Send Securely +------------------------------------ + +Once a secure scenario is in place, the client must provide more information, or he will be rejected by the secured server. + + * FQI (Fully Qualified Identity) + * Credential + * If User/Password, then the client must send via "BasicAuth" Protocol + * If two-way X509 identity, then the client must load the Cert and Private Key into the Client Software outside of the calling process. + * If Token based Identity, such as OAuth2, the token must be placed on the call in just the right way. + * Upstream Identity + * Application Two might well want to process Authorizations based on the *end-user*, not the current caller. In this scenario, Application One must provide the End User FQI in addition to its own before Application Two will accept. + +In order to do this efficiently, ONAP services will use the CADI Client, which includes + * Connection Information by Configuration + * Encryption of any sensitive information in Configuration, such as Password, so that Configuration files will have no clear-text secrets. + * Highly scalable Endpoint information (at the very least, of AAF components) + * The ability to propogate the Identity of originating Caller (User One) + +Obtaining Security Information +------------------------------ + +In order for the client and server to perform securely, the need information they can trust, including + * TLS needs X509 Certificate for the Server and any Client wishing to authenticate using Certificates + * Any User/Password Credentials need to be validated real time + * The server needs comprehensible Authorization information, preferably at the Application Scope + * The client needs to find a server, even if the server must be massively geo-scaled + +The AAF Suite provides the following elements: + * AAF Service + This service provides fine-grained Authorization information, and can, if required, also provide specialized Passwords for Applications (that allow for configuration migrations without a maintainance window) + * OAuth + AAF provides Token and Introspection service, but can also delegate to Organizatinally defined OAuth Services as well. + * Locator + Provides machine and port information by geo-location for massively scalable services. This is optional for ONAP services, but required for AAF as part of its reliability and scalability solution. + * GUI + AAF provides a GUI for managing Namespaces (for Applications), Roles, Permissions and Credentials. + * Certificate Manager + Since AAF has fine-grained information about Identities, it can provide Certificates with FQIs embedded. CADI Framework understands when and how to trust these FQIs. When used, these Certificates provide enhanced speed and additional resiliency to the system, as they do not require network connections to validate. + +.. image:: images/SecurityArchAAF.svg + :width: 30% + :align: center + +The Organization +---------------- + +AAF is only a tool to reflect the Organization it is setup for. AAF does not, for instance, know what IDs are acceptable to a particular company. Every Organization (or Company) will also likely have its own Certificate Authority and DNS. Most importantly, each Organzation will have a hierarchy of who is responsible for any give person or application. + + * AAF's Certman connects to the Organization's CA via SCEP protocol (Others can be created as well) + * AAF ties into the Organizational hierarchy. Currently, this is through a feed of IDs and relationships. + * AAF can process some Passwords, but delegate off others based on domain. + +.. image:: images/SecurityArchAAFOrg.svg + :width: 70% + :align: center + +The Whole Picture +----------------- + +CADI is a framework that enforces validations of Identities, and uses those Identities to obtain Authorization information for the Server. The CADI client ensures that the right information is passed during secure connections. +AAF provides essential information based on the Organization to services in order to enable secure transactions between components. It also provides sustaining processing capabilities to ensure that Credentials and Authorization relationships are maintained. +.. image:: images/SecurityArchFull.svg + :width: 90% + :align: center -- cgit 1.2.3-korg