From 32cdd553a8668e6d03a9cf5b11b360d35a63c87f Mon Sep 17 00:00:00 2001 From: Instrumental Date: Thu, 19 Jul 2018 13:29:32 -0500 Subject: Configuration and Auto-Certificates Issue-ID: AAF-378 Change-Id: Ic820a4e43684a6130f00b28b415a974876099fc3 Signed-off-by: Instrumental --- auth/auth-cass/src/main/cql/build.sh | 6 ++++++ auth/auth-cass/src/main/cql/config.dat | 10 ++++++++++ auth/auth-cass/src/main/cql/osaaf.cql | 17 +++++++++++++++-- auth/auth-cass/src/main/cql/pull.sh | 5 +++++ auth/auth-cass/src/main/cql/push.sh | 5 +++++ .../org/onap/aaf/auth/direct/DirectAAFLur.java | 22 ++++++++++++++-------- 6 files changed, 55 insertions(+), 10 deletions(-) create mode 100644 auth/auth-cass/src/main/cql/build.sh create mode 100644 auth/auth-cass/src/main/cql/config.dat create mode 100644 auth/auth-cass/src/main/cql/pull.sh create mode 100644 auth/auth-cass/src/main/cql/push.sh (limited to 'auth/auth-cass/src') diff --git a/auth/auth-cass/src/main/cql/build.sh b/auth/auth-cass/src/main/cql/build.sh new file mode 100644 index 00000000..caa07494 --- /dev/null +++ b/auth/auth-cass/src/main/cql/build.sh @@ -0,0 +1,6 @@ +#!/bin/bash +CQLSH=/Volumes/Data/apache-cassandra-2.1.14/bin/cqlsh +DIR=. +for T in ns perm role user_role cred config; do + $CQLSH -e "COPY authz.$T TO '$DIR/$T.dat' WITH DELIMITER='|'" +done diff --git a/auth/auth-cass/src/main/cql/config.dat b/auth/auth-cass/src/main/cql/config.dat new file mode 100644 index 00000000..7eba23e1 --- /dev/null +++ b/auth/auth-cass/src/main/cql/config.dat @@ -0,0 +1,10 @@ +aaf|aaf_env|DEV +aaf|aaf_locate_url|https://meriadoc.mithril.sbc.com:8095 +aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US +aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect +aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/AAF_NS.token:2.1/token +aaf|aaf_url|https://AAF_LOCATE_URL/AAF_NS.service:2.1 +aaf|cadi_protocols|TLSv1.1,TLSv1.2 +aaf|cm_url|https://AAF_LOCATE_URL/AAF_NS.cm:2.1 +aaf|fs_url|https://AAF_LOCATE_URL/AAF_NS.fs.2.1 +aaf|gui_url|https://AAF_LOCATE_URL/AAF_NS.gui.2.1 diff --git a/auth/auth-cass/src/main/cql/osaaf.cql b/auth/auth-cass/src/main/cql/osaaf.cql index b3d895b9..51e6b908 100644 --- a/auth/auth-cass/src/main/cql/osaaf.cql +++ b/auth/auth-cass/src/main/cql/osaaf.cql @@ -51,10 +51,10 @@ INSERT INTO role(ns, name, perms, description) // OSAAF Root INSERT INTO user_role(user,role,expires,ns,rname) - VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin') using TTL 14400; + VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin'); INSERT INTO user_role(user,role,expires,ns,rname) - VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin') using TTL 14400; + VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin'); // ONAP Specific Entities @@ -79,6 +79,19 @@ INSERT INTO perm(ns, type, instance, action, roles, description) INSERT INTO role(ns, name, perms, description) VALUES('org.onap.portal','admin',{'org.onap.portal.access|*|*'},'Portal Admins'); +// AAF Admin +insert into cred (id,type,expires,cred,notes,ns,other) values('aaf_admin@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('aaf_admin@people.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin'); + +// A Deployer +insert into cred (id,type,expires,cred,notes,ns,other) values('deployer@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO role(ns, name, perms, description) + VALUES('org.osaaf.aaf','deploy',{},'ONAP Deployment Role'); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('deployer@people.osaaf.org','org.osaaf.aaf.deploy','2018-10-31','org.osaaf.aaf','deploy'); + + // DEMO ID (OPS) insert into cred (id,type,expires,cred,notes,ns,other) values('demo@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); INSERT INTO user_role(user,role,expires,ns,rname) diff --git a/auth/auth-cass/src/main/cql/pull.sh b/auth/auth-cass/src/main/cql/pull.sh new file mode 100644 index 00000000..f4db573a --- /dev/null +++ b/auth/auth-cass/src/main/cql/pull.sh @@ -0,0 +1,5 @@ +for T in x509 ns_attrib config cred user_role perm role artifact ns; do + cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';" +done +tar -cvzf dat.gz *.dat + diff --git a/auth/auth-cass/src/main/cql/push.sh b/auth/auth-cass/src/main/cql/push.sh new file mode 100644 index 00000000..8026c9f9 --- /dev/null +++ b/auth/auth-cass/src/main/cql/push.sh @@ -0,0 +1,5 @@ +tar -xvf dat.gz +for T in x509 ns_attrib config cred user_role perm role artifact ns; do + cqlsh -e "use authz; COPY $T FROM '$T.dat' WITH DELIMITER='|';" +done + diff --git a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java index 5bdb215e..eb44e143 100644 --- a/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java +++ b/auth/auth-cass/src/main/java/org/onap/aaf/auth/direct/DirectAAFLur.java @@ -28,16 +28,16 @@ import java.util.List; import org.onap.aaf.auth.dao.cass.NsSplit; import org.onap.aaf.auth.dao.cass.PermDAO; -import org.onap.aaf.auth.dao.cass.Status; import org.onap.aaf.auth.dao.cass.PermDAO.Data; +import org.onap.aaf.auth.dao.cass.Status; import org.onap.aaf.auth.dao.hl.Question; import org.onap.aaf.auth.env.AuthzEnv; import org.onap.aaf.auth.env.AuthzTrans; import org.onap.aaf.auth.env.NullTrans; import org.onap.aaf.auth.layer.Result; +import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.Lur; import org.onap.aaf.cadi.Permission; -import org.onap.aaf.cadi.Access.Level; import org.onap.aaf.cadi.lur.LocalPermission; import org.onap.aaf.misc.env.util.Split; @@ -52,17 +52,23 @@ public class DirectAAFLur implements Lur { } @Override - public boolean fish(Principal bait, Permission pond) { + public boolean fish(Principal bait, Permission ... pond) { return fish(env.newTransNoAvg(),bait,pond); } - public boolean fish(AuthzTrans trans, Principal bait, Permission pond) { + public boolean fish(AuthzTrans trans, Principal bait, Permission ... pond) { + boolean rv = false; Result> pdr = question.getPermsByUser(trans, bait.getName(),false); switch(pdr.status) { case OK: for(PermDAO.Data d : pdr.value) { - if(new PermPermission(d).match(pond)) { - return true; + if(!rv) { + for (Permission p : pond) { + if(new PermPermission(d).match(p)) { + rv=true; + break; + } + } } } break; @@ -72,7 +78,7 @@ public class DirectAAFLur implements Lur { default: trans.error().log("Can't access Cassandra to fulfill Permission Query: ",pdr.status,"-",pdr.details); } - return false; + return rv; } @Override @@ -94,7 +100,7 @@ public class DirectAAFLur implements Lur { } @Override - public boolean handlesExclusively(Permission pond) { + public boolean handlesExclusively(Permission ... pond) { return false; } -- cgit 1.2.3-korg