From c23f2cdcda93f260e26781dfa59dfe2b89c77402 Mon Sep 17 00:00:00 2001
From: Instrumental
Date: Fri, 20 Jul 2018 20:27:49 -0500
Subject: Client Config & Cert Documentation
Issue-ID: AAF-378
Change-Id: Ic0c05803551f1874b230c5c9e031b5bf5ff03599
Signed-off-by: Instrumental
---
 auth/auth-cass/src/main/cql/pull.sh | 9 +-
 auth/auth-cass/src/main/cql/push.sh | 11 ++-
 .../onap/aaf/auth/gui/pages/CMArtifactShow.java | 4 +-
 auth/docker/agent.sh | 12 +--
 docs/sections/installation/client_vol.rst | 98 ++++++++++++++++++----
 5 files changed, 104 insertions(+), 30 deletions(-)
diff --git a/auth/auth-cass/src/main/cql/pull.sh b/auth/auth-cass/src/main/cql/pull.sh
index f4db573a..01fa52bf 100644
--- a/auth/auth-cass/src/main/cql/pull.sh
+++ b/auth/auth-cass/src/main/cql/pull.sh
@@ -1,5 +1,10 @@
-for T in x509 ns_attrib config cred user_role perm role artifact ns; do
+mkdir -p dats
+cd dats
+for T in ns ns_attrib cred user_role perm role config artifact ; do
 cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';"
 done
-tar -cvzf dat.gz *.dat
+tar -cvzf ../dat.gz *.dat
+rm *.dat
+cd -
+rmdir dats
diff --git a/auth/auth-cass/src/main/cql/push.sh b/auth/auth-cass/src/main/cql/push.sh
index 8026c9f9..330326d5 100644
--- a/auth/auth-cass/src/main/cql/push.sh
+++ b/auth/auth-cass/src/main/cql/push.sh
@@ -1,5 +1,8 @@
-tar -xvf dat.gz
-for T in x509 ns_attrib config cred user_role perm role artifact ns; do
- cqlsh -e "use authz; COPY $T FROM '$T.dat' WITH DELIMITER='|';"
+mkdir -p dats
+cd dats
+tar -xvf ../dat.gz
+for T in $(ls *.dat); do
+ cqlsh -e "use authz; COPY ${T%.dat} FROM '$T' WITH DELIMITER='|';"
 done
-
+cd -
+rm -Rf dats
diff --git a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
index d423731a..6d4e167a 100644
--- a/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
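Review bot: The new `cd dats` on the second line of the pull.sh hunk is unguarded, so if it fails (no permission, or `dats` already exists as a file) everything after it runs in the caller's directory and the trailing `rm *.dat` deletes whatever .dat files happen to live there; `cd dats || exit 1` closes that, and the same applies to the `cd dats` in the push.sh hunk below. The export list includes the `cred` table, so `../dat.gz` presumably carries credential records and is created with the caller's default umask; a `umask 077` at the top of the script, or `chmod 600 ../dat.gz` right after the tar, keeps the archive from being readable by other local users. The loop also continues past a failing cqlsh, so a partial export is packaged silently; `set -e` at the top, or a check of `$?` after the COPY, would make a failed table visible.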
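Review bot: `for T in $(ls *.dat); do` in the push.sh hunk parses ls output; the plain glob `for T in *.dat; do` yields the same names without word-splitting, and because an empty match then reaches cqlsh as the literal table name `*`, a `[ -e "$T" ] || continue` guard inside the loop is worth adding. The archive is unpacked with `tar -xvf ../dat.gz` before anything is checked; since `dat.gz` arrives from wherever the operator copied it, listing it first with `tar -tzf ../dat.gz` and refusing entries that are not flat `*.dat` names would confirm the extraction stays inside `dats`. The final `rm -Rf dats` should likewise only run when the earlier `cd dats` succeeded, since after a failed `cd` the path is resolved relative to wherever `cd -` lands.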
+++ b/auth/auth-gui/src/main/java/org/onap/aaf/auth/gui/pages/CMArtifactShow.java
@@ -102,7 +102,7 @@ public class CMArtifactShow extends Page {
 "&machine='+machine.value,'_self');"
 ).end(js);
 hgen.leaf("input","id=machine","style=margin:1em 1em 1em 1em;width:30%").end();
- hgen.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;").text("New Machine").end();
+ hgen.leaf(HTMLGen.A,"class=greenbutton","href=javascript:newArtifact()","style=color:white;").text("New FQDN").end();
 }
 });
 }
@@ -146,7 +146,7 @@ public class CMArtifactShow extends Page {
 this.sc = sc;
 }
- private static final String[] headers = new String[]{"Machine","Directory","CA","Renews","Expires",""};
+ private static final String[] headers = new String[]{"FQDN","Directory","CA","Renews","Expires",""};
 @Override
 public String[] headers() {
 return headers;
diff --git a/auth/docker/agent.sh b/auth/docker/agent.sh
index aa3db663..eb0bf3aa 100644
--- a/auth/docker/agent.sh
+++ b/auth/docker/agent.sh
@@ -40,11 +40,11 @@ done
 . ./aaf.props
 # Need AAF_FQDN's IP, because not might not be available in mini-container
-if [ "$AAF_AAF_FQDN_IP" = "" ]; then
- AAF_AAF_FQDN_IP=$(host $AAF_FQDN | grep "has address" | tail -1 | cut -f 4 -d ' ')
- if [ "$AAF_AAF_FQDN_IP" = "" ]; then
- read -p "IP of $AAF_FQDN: " AAF_AAF_FQDN_IP
- echo "AAF_AAF_FQDN_IP=$AAF_AAF_FQDN_IP" >> ./aaf.props
+if [ "$AAF_FQDN_IP" = "" ]; then
+ AAF_FQDN_IP=$(host $AAF_FQDN | grep "has address" | tail -1 | cut -f 4 -d ' ')
+ if [ "$AAF_FQDN_IP" = "" ]; then
+ read -p "IP of $AAF_FQDN: " AAF_FQDN_IP
+ echo "AAF_FQDN_IP=$AAF_FQDN_IP" >> ./aaf.props
 fi
 fi
@@ -58,7 +58,7 @@ docker run \
 -it \
 --rm \
 --mount 'type=volume,src='${VOLUME}',dst=/opt/app/osaaf,volume-driver='${DRIVER} \
- --add-host="$AAF_FQDN:$AAF_AAF_FQDN_IP" \
+ --add-host="$AAF_FQDN:$AAF_FQDN_IP" \
 --env AAF_FQDN=${AAF_FQDN} \
 --env DEPLOY_FQI=${DEPLOY_FQI} \
 --env DEPLOY_PASSWORD=${DEPLOY_PASSWORD} \
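Review bot: The renamed `AAF_FQDN_IP` in the first agent.sh hunk is still persisted without any check — whatever `read -p` receives (or whatever the unquoted `host $AAF_FQDN` pipeline yields) is appended to aaf.props as a bare `AAF_FQDN_IP=...` assignment, and that file is sourced by the `. ./aaf.props` context line on every later run, so any shell metacharacters in the answer are evaluated as code next time and the same value is handed to `--add-host` in the second hunk. Validate the shape before writing it, e.g. `case "$AAF_FQDN_IP" in *[!0-9.]*|"") echo "AAF_FQDN_IP must be an IPv4 address" >&2; exit 1;; esac`, and persist the quoted form `echo "AAF_FQDN_IP='$AAF_FQDN_IP'" >> ./aaf.props`. Existing aaf.props files that still carry the old `AAF_AAF_FQDN_IP` key are not migrated by this change, so those installs will be prompted again and keep the stale key; a one-line rename of the old key, or a sentence in the docs, would avoid the surprise.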
diff --git a/docs/sections/installation/client_vol.rst b/docs/sections/installation/client_vol.rst index ea98e5f2..fc33e1bb 100644 --- a/docs/sections/installation/client_vol.rst +++ b/docs/sections/installation/client_vol.rst @@ -26,8 +26,8 @@ Prerequisites | but it DOES have be accessible to the AAF Instance. * For ONAP, this means - * Windriver VPN - * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS + * Windriver VPN + * include "10.12.6.214 aaf-onap-test.osaaf.org" in your /etc/hosts or DNS ----------------------- Obtain the Agent Script 
@@ -49,22 +49,88 @@ In your chosen directory :: $ bash agent.sh -The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it +The Agent will look for "aaf.props", and if it doesn't exist, or is missing information, it will ask for it. +This file is available to reuse for multiple calls. More importantly, you should use it as a template for auto-configuration. (In ONAP, these are HEAT templates and OOM Helm Charts) ---------------- --------------- -Tag Value ---------------- --------------- -CADI Version Defaults to CADI version of this -AAF's FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org' -Deployer's FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process -App's Root FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap -App's FQI Fully Qualified ID given by Organization and with AAF NS/domain. ex: clamp@clamp.onap.org -App's Volume Volume to put the data, see above. ex: clamp_aaf -DRIVER Docker Volume type... See Docker Volume documentation -LATITUDE Global latitude coordinate of Node (best guess for Kubernetes) -LONGITUDE Global longitude coordinate of Node (best guess for Kubernetes) ---------------- --------------- +--------------------- +'aaf.prop' Properties +--------------------- +=================== =============== ============ +Query Tag Description +=================== =============== ============ +CADI Version VERSION Defaults to CADI version of this +AAF's FQDN AAF_FQDN PUBLIC Name for AAF. For ONAP Test, it is 'aaf-onap-test.osaaf.org' +Deployer's FQI DEPLOY_FQI deployer@people.osaaf.org. In a REAL system, this would be a person or process +App's Root FQDN APP_FQDN This will show up in the Cert Subject, and should be the name given by Docker. i.e. clamp.onap +App's FQI APP_FQI Fully Qualified ID given by Organization and with AAF NS/domain. 
ex: clamp@clamp.onap.org +App's Volume VOLUME Volume to put the data, see above. ex: clamp_aaf +DRIVER DRIVER Docker Volume type... See Docker Volume documentation +LATITUDE of Node LATITUDE Global latitude coordinate of Node (best guess in Kubernetes) +LONGITUDE of Node LONGITUDE Global longitude coordinate of Node (best guess in Kubernetes) +=================== =============== ============ + +--------------------- +Dynamic Properties +--------------------- + +These Properties do not automatically save in 'aaf.props', because... + + | Passwords should not be stored clear text, with the possible exception of constant Environment Recreation, where it is impractical. + | The IP of the AAF's FQDN is looked up, if possible. It can be set, however, when lookup isn't available. + +=================== =============== ============ +Query Tag Description +=================== =============== ============ +Deployer's Password DEPLOY_PASSWORD Password for the Deployer. Avoids storing, except where impossible otherwise. 
+IP of AAF_FQDN_IP IP for Name of AAF FQDN, if not available by normal lookup means +=================== =============== ============ + +----------------------- +ONAP Entity Info in AAF +----------------------- + +============================= =========================== ======================= +ONAP Namespaces APP FQI APP FQDN +============================= =========================== ======================= +org.onap.aaf-sms aaf-sms@aaf-sms.onap.org aaf-sms +org.onap.aai aai@aai.onap.org aai +org.onap.appc appc@appc.onap.org appc +org.onap.clamp clamp@clamp.onap.org clamp +org.onap.dcae dcae@dcae.onap.org dcae +org.onap.dmaap-bc dmaap-bc@dmaap-bc.onap.org dmaap-bc +org.onap.dmaap-mr dmaap-mr@dmaap-mr.onap.org dmaap-mr +org.onap.oof oof@oof.onap.org oof +org.onap.sdnc sdnc@sdnc.onap.org sdnc +============================= =========================== ======================= + +*Note: FQDNs are set in AAF's Credential Artifact data, accessible in "Cred Details" from Namespace Page* + +If something goes wrong, and Certificate is not created, you can adjust the data, remove the data from the Container's /opt/app/osaaf/local dir, and it will generate again. :: + + root@77777:/opt/app/osaaf/local# rm * + root@77777:/opt/app/osaaf/local# exit + $ bash agent.sh bash + +------------- +Informational +------------- + +There are two sets of Credentials at play here. The ability to create the Certificate belongs to one of + + * The person responsible for the ID in the Organization + * A delegated deployer + +It is expected in large organizations that Individual Employees are given the responsibility of an ID for an APP they are responsible for. + + In ONAP test, to simplify create/tear-down environment... + | The **Owner** is always "mmanager@people.osaaf.org". + | The **Sponsor** is always "aaf_admin@people.osaaf.org". + +In a large org, there are probably many Operations teams to support many different apps. 
+ + In ONAP test, + The **Deployer** is always set to "deploy@people.osaaf.org" for all Apps. -- cgit 1.2.3-korg