From bc299c00e5a86732c5a063a1d7c7bccf1d4ab21b Mon Sep 17 00:00:00 2001 From: Instrumental Date: Tue, 25 Sep 2018 06:42:31 -0500 Subject: More install to Container Issue-ID: AAF-517 Change-Id: I102f0214b077fca0c4f2712e3005bbe5569475bd 
Signed-off-by: Instrumental --- auth/auth-cass/cass_init/.gitignore | 1 + auth/auth-cass/cass_init/build.sh | 6 + auth/auth-cass/cass_init/cmd.sh | 89 +++++++++ auth/auth-cass/cass_init/config.dat | 9 + auth/auth-cass/cass_init/data.sh | 59 ++++++ auth/auth-cass/cass_init/extract.sh | 7 + auth/auth-cass/cass_init/init.cql | 273 ++++++++++++++++++++++++++ auth/auth-cass/cass_init/init2_1.cql | 7 + auth/auth-cass/cass_init/keyspace.cql | 11 ++ auth/auth-cass/cass_init/osaaf.cql | 132 +++++++++++++ auth/auth-cass/cass_init/pull.sh | 16 ++ auth/auth-cass/cass_init/push.sh | 24 +++ auth/auth-cass/cass_init/temp_identity.cql | 5 + auth/auth-cass/docker/Dockerfile.cass | 17 ++ auth/auth-cass/docker/cbackup.sh | 8 - auth/auth-cass/docker/dbuild.sh | 27 +++ auth/auth-cass/docker/dcqlsh.sh | 3 + auth/auth-cass/docker/dinstall.sh | 110 +---------- auth/auth-cass/docker/drun.sh | 37 ++++ auth/auth-cass/src/main/cql/.gitignore | 1 - auth/auth-cass/src/main/cql/build.sh | 6 - auth/auth-cass/src/main/cql/config.dat | 10 - auth/auth-cass/src/main/cql/init.cql | 273 -------------------------- auth/auth-cass/src/main/cql/init2_1.cql | 7 - auth/auth-cass/src/main/cql/keyspace.cql | 11 -- auth/auth-cass/src/main/cql/osaaf.cql | 132 ------------- auth/auth-cass/src/main/cql/pull.sh | 10 - auth/auth-cass/src/main/cql/push.sh | 8 - auth/auth-cass/src/main/cql/temp_identity.cql | 5 - 29 files changed, 726 insertions(+), 578 deletions(-) create mode 100644 auth/auth-cass/cass_init/.gitignore create mode 100644 auth/auth-cass/cass_init/build.sh create mode 100644 auth/auth-cass/cass_init/cmd.sh create mode 100644 auth/auth-cass/cass_init/config.dat create mode 100644 auth/auth-cass/cass_init/data.sh create mode 100644 auth/auth-cass/cass_init/extract.sh create mode 100644 auth/auth-cass/cass_init/init.cql create mode 100644 auth/auth-cass/cass_init/init2_1.cql create mode 100644 auth/auth-cass/cass_init/keyspace.cql create mode 100644 auth/auth-cass/cass_init/osaaf.cql create mode 100644 
auth/auth-cass/cass_init/pull.sh
create mode 100644 auth/auth-cass/cass_init/push.sh
create mode 100644 auth/auth-cass/cass_init/temp_identity.cql
create mode 100644 auth/auth-cass/docker/Dockerfile.cass
delete mode 100644 auth/auth-cass/docker/cbackup.sh
create mode 100644 auth/auth-cass/docker/dbuild.sh
create mode 100644 auth/auth-cass/docker/dcqlsh.sh
create mode 100644 auth/auth-cass/docker/drun.sh
delete mode 100644 auth/auth-cass/src/main/cql/.gitignore
delete mode 100644 auth/auth-cass/src/main/cql/build.sh
delete mode 100644 auth/auth-cass/src/main/cql/config.dat
delete mode 100644 auth/auth-cass/src/main/cql/init.cql
delete mode 100644 auth/auth-cass/src/main/cql/init2_1.cql
delete mode 100644 auth/auth-cass/src/main/cql/keyspace.cql
delete mode 100644 auth/auth-cass/src/main/cql/osaaf.cql
delete mode 100644 auth/auth-cass/src/main/cql/pull.sh
delete mode 100644 auth/auth-cass/src/main/cql/push.sh
delete mode 100644 auth/auth-cass/src/main/cql/temp_identity.cql
(limited to 'auth/auth-cass')
diff --git a/auth/auth-cass/cass_init/.gitignore b/auth/auth-cass/cass_init/.gitignore
new file mode 100644
index 00000000..ce22752c
--- /dev/null
+++ b/auth/auth-cass/cass_init/.gitignore
@@ -0,0 +1 @@
+temp.cql
diff --git a/auth/auth-cass/cass_init/build.sh b/auth/auth-cass/cass_init/build.sh
new file mode 100644
index 00000000..caa07494
--- /dev/null
+++ b/auth/auth-cass/cass_init/build.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+CQLSH=/Volumes/Data/apache-cassandra-2.1.14/bin/cqlsh
+DIR=.
+for T in ns perm role user_role cred config; do
+ $CQLSH -e "COPY authz.$T TO '$DIR/$T.dat' WITH DELIMITER='|'"
+done
diff --git a/auth/auth-cass/cass_init/cmd.sh b/auth/auth-cass/cass_init/cmd.sh
new file mode 100644
index 00000000..056faed7
--- /dev/null
+++ b/auth/auth-cass/cass_init/cmd.sh
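Review bot: `CQLSH=/Volumes/Data/apache-cassandra-2.1.14/bin/cqlsh` hard-codes one developer's macOS path, so build.sh cannot run inside the container this commit builds, where the other new scripts call `/usr/bin/cqlsh` or bare `cqlsh`. Let the environment override it, `CQLSH=${CQLSH:-cqlsh}`, and quote `"$DIR"` in the COPY target. The table list includes `cred`, so the resulting `.dat` files hold credential rows; a `umask 077` before the loop keeps them from being created world-readable.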
@@ -0,0 +1,89 @@ +#!/bin/bash +# +# Engage normal Cass Init, then check for data installation +# +if [ ! -e /aaf_cmd ]; then + ln -s /opt/app/aaf/cass_init/cmd.sh /aaf_cmd + chmod u+x /aaf_cmd +fi + +function install_cql { + # Now, make sure data exists + if [ "$(/usr/bin/cqlsh -e 'describe keyspaces' | grep authz)" = "" ]; then + for CNT in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do + if [ -z "$(grep 'listening for CQL clients' /var/log/cassandra/system.log)" ]; then + echo "Waiting for Cassandra to start... Sleep 10" + sleep 10 + else + break + fi + done + echo "Initializing Cassandra DB" + if [ "`/usr/bin/cqlsh -e 'describe keyspaces' | grep authz`" == "" ]; then + echo "Docker Installed Basic Cassandra on aaf_cass. Executing the following " + echo "NOTE: This creator provided is only a Single Instance. For more complex Cassandra, create independently" + echo "" + echo " cd /opt/app/aaf/cass_init" + cd /opt/app/aaf/cass_init + echo " cqlsh -f keyspace.cql" + /usr/bin/cqlsh -f keyspace.cql + echo " cqlsh -f init.cql" + /usr/bin/cqlsh -f init.cql + echo "" + echo "The following will give you a temporary identity with which to start working, or emergency" + echo " cqlsh -f temp_identity.cql" + fi + fi +} + +case "$1" in + start) + # Startup like normal + echo "Cassandra Startup" + /usr/local/bin/docker-entrypoint.sh + ;; + onap) + install_cql + + # Change date expiring dat files to more recent + ID_FILE=/opt/app/aaf/cass_init/sample.identities.dat + if [ -e $ID_FILE ]; then + DATE=$(date "+%Y-%m-%d %H:%M:%S.000+0000" -d "+6 months") + echo $DATE + CRED="/opt/app/aaf/cass_init/dats/cred.dat" + # Enter for People + echo "Default Passwords for Apps" + for ID in $(grep '|a|' $ID_FILE | sed -e "s/|.*//"); do + if [ "$ID" = "aaf" ]; then + DOMAIN="aaf.osaaf.org"; + else + DOMAIN="$ID.onap.org"; + fi + unset FIRST + for D in ${DOMAIN//./ }; do + if [ -z "$FIRST" ]; then + NS="$D" + FIRST="N" + else + NS="$D.$NS" + fi + done + echo 
"$ID@$DOMAIN|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|$NS|53344|" >> $CRED + done + + # Enter for People + for ID in $(grep '|e|' $ID_FILE | sed -e "s/|.*//"); do + echo "$ID@people.osaaf.org|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|" >> $CRED + done + + # Change UserRole + mv dats/user_role.dat tmp + sed "s/\(^.*|\)\(.*|\)\(.*|\)\(.*\)/\1${DATE}|\3\4/" tmp > dats/user_role.dat + + # Remove ID File, which is marker for initializing Creds + rm $ID_FILE + fi + bash push.sh + ;; +esac + diff --git a/auth/auth-cass/cass_init/config.dat b/auth/auth-cass/cass_init/config.dat new file mode 100644 index 00000000..0e705b92 --- /dev/null +++ b/auth/auth-cass/cass_init/config.dat @@ -0,0 +1,9 @@ +aaf|aaf_env|DEV +aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_9, OU=OSAAF, O=ONAP, C=US +aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect +aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/AAF_NS.token:2.1/token +aaf|aaf_url|https://AAF_LOCATE_URL/AAF_NS.service:2.1 +aaf|cadi_protocols|TLSv1.1,TLSv1.2 +aaf|cm_url|https://AAF_LOCATE_URL/AAF_NS.cm:2.1 +aaf|fs_url|https://AAF_LOCATE_URL/AAF_NS.fs.2.1 +aaf|gui_url|https://AAF_LOCATE_URL/AAF_NS.gui.2.1 diff --git a/auth/auth-cass/cass_init/data.sh b/auth/auth-cass/cass_init/data.sh new file mode 100644 index 00000000..0374e619 --- /dev/null +++ b/auth/auth-cass/cass_init/data.sh 
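Review bot: The `onap)` branch relies on a working directory it never sets: `mv dats/user_role.dat tmp`, `sed ... > dats/user_role.dat` and `bash push.sh` are relative, and the only `cd /opt/app/aaf/cass_init` is inside `install_cql`, on the path taken when the `authz` keyspace does not exist yet. Put `cd /opt/app/aaf/cass_init || exit 1` at the top of the `onap)` branch instead of depending on the function's side effect. Both credential loops append the same fixed blob for every identity read from `$ID_FILE`, so every seeded app and person account starts with one shared default; the first loop's `# Enter for People` comment is also wrong (that loop handles the `|a|` app identities), and `# Apps: every identity gets the same default credential; rotate before non-dev use` would say what actually happens. Whether `/usr/local/bin/docker-entrypoint.sh` starts Cassandra when called with no arguments, as the `start)` branch does, depends on the base image's entrypoint and is worth confirming.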
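Review bot: `aaf|cadi_protocols|TLSv1.1,TLSv1.2` enables TLS 1.1, which is deprecated (RFC 8996); unless a known client still requires it, the seeded value should be `TLSv1.2` alone. The rows here match the `name|tag|value` columns of the `config` table created in init.cql, so this appears to be the default every component reads, which makes the protocol list a fleet-wide setting rather than a local one.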
@@ -0,0 +1,59 @@ +#!/bin/bash +# +# Copies of Repo data need to be added to "dats" dir for loading by push.sh +# +# Further, repo data has dates that are out of date. We need to update reasonable +# expiration dates +# + +DIR=/opt/app/aaf/cass_init +cd $DIR/dats +ID_FILE=$DIR/opt/app/aaf/cass_init/ + + if [ -e $ID_FILE ]; then + if [ "$(uname -s)" = "Darwin" ]; then + DATE=$(date "+%Y-%m-%d %H:%M:%S.000+0000" -v "+6m") + else + DATE=$(date "+%Y-%m-%d %H:%M:%S.000+0000" -d "+6 months") + fi + echo $DATE + CRED="cred.dat" + # Enter for People + echo "Default Passwords for People" + for ID in $(grep '|a|' $ID_FILE | sed -e "s/|.*//"); do + if [ "$ID" = "aaf" ]; then + DOMAIN="aaf.osaaf.org"; + else + DOMAIN="$ID.onap.org"; + fi + unset FIRST + for D in ${DOMAIN//./ }; do + if [ -z "$FIRST" ]; then + NS="$D" + FIRST="N" + else + NS="$D.$NS" + fi + done + echo "$ID@$DOMAIN|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|$NS|53344|" >> $CRED + done + + for ID in $(grep '|e|' $ID_FILE | sed -e "s/|.*//"); do + echo "$ID@people.osaaf.org|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|" >> $CRED + done + + mv user_role.dat tmp + sed "s/\(^.*|\)\(.*|\)\(.*|\)\(.*\)/\1${DATE}|\3\4/" tmp > user_role.dat + + for DAT in ns perm role ns_attrib user_role cred; do + $DOCKER container cp $DAT.dat aaf_cass:/tmp/$DAT.dat + $DOCKER exec aaf_cass bash /usr/bin/cqlsh -k authz -e "COPY authz.$DAT FROM '/tmp/$DAT.dat' WITH DELIMITER='|'" + $DOCKER exec -t aaf_cass rm /tmp/$DAT.dat + done + rm $CRED + mv tmp user_role.dat + else + echo DInstall requires access to 'identities.dat' + fi + cd - + diff --git a/auth/auth-cass/cass_init/extract.sh b/auth/auth-cass/cass_init/extract.sh new file mode 100644 index 00000000..cdebbc8d --- /dev/null +++ b/auth/auth-cass/cass_init/extract.sh 
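Review bot: `ID_FILE=$DIR/opt/app/aaf/cass_init/` prefixes `$DIR` onto an absolute path and ends in a slash, so it names a directory that does not exist and the `if [ -e $ID_FILE ]` branch never reaches a file; cmd.sh in the same commit uses `/opt/app/aaf/cass_init/sample.identities.dat`, so `ID_FILE=$DIR/sample.identities.dat` looks like the intended value. `$DOCKER` is never assigned in this script, so the `$DOCKER container cp` / `$DOCKER exec` loop would run `container cp ...` as a bare command; given `DIR=/opt/app/aaf/cass_init` this script seems meant to run inside the container, where that loop (copied from the old dinstall.sh) cannot work. The header comment should state which side, host or container, the script is for, and `$ID_FILE` and `$CRED` should be quoted.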
@@ -0,0 +1,7 @@
+#!/bin/bash
+cd /opt/app/cass_init
+if [ -e dat.gz ]; then
+ tar -xvf dat.gz
+else
+ echo "No data files"
+fi
diff --git a/auth/auth-cass/cass_init/init.cql b/auth/auth-cass/cass_init/init.cql
new file mode 100644
index 00000000..bf75998d
--- /dev/null
+++ b/auth/auth-cass/cass_init/init.cql
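Review bot: `cd /opt/app/cass_init` does not match the directory the rest of this commit installs to (`/opt/app/aaf/cass_init` in cmd.sh, pull.sh, push.sh and the Dockerfile COPY lines), so the `-e dat.gz` test runs in the wrong place and the script always reports "No data files". Guard the change of directory as well: `cd /opt/app/aaf/cass_init || exit 1`.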
@@ -0,0 +1,273 @@ + +// Table Initialization +// First make sure the keyspace exists. + +USE authz; + +// +// CORE Table function +// + +// Namespace - establish hierarchical authority to modify +// Permissions and Roles +// "scope" is flag to determine Policy. Typical important scope +// is "company" (1) +CREATE TABLE ns ( + name varchar, + scope int, // deprecated 2.0.11 + description varchar, + parent varchar, + type int, + PRIMARY KEY (name) +); +CREATE INDEX ns_parent on ns(parent); + +CREATE TABLE ns_attrib ( + ns varchar, + key varchar, + value varchar, + PRIMARY KEY (ns,key) +); +create index ns_attrib_key on ns_attrib(key); + +// Will be cached +CREATE TABLE role ( + ns varchar, + name varchar, + perms set, // Use "Key" of "name|type|action" + description varchar, + PRIMARY KEY (ns,name) +); +CREATE INDEX role_name ON role(name); + +// Will be cached +CREATE TABLE perm ( + ns varchar, + type varchar, + instance varchar, + action varchar, + roles set, // Need to find Roles given Permissions + description varchar, + PRIMARY KEY (ns,type,instance,action) +); + +// This table is user for Authorization +CREATE TABLE user_role ( + user varchar, + role varchar, // deprecated: change to ns/rname after 2.0.11 + ns varchar, + rname varchar, + expires timestamp, + PRIMARY KEY(user,role) + ); +CREATE INDEX user_role_ns ON user_role(ns); +CREATE INDEX user_role_role ON user_role(role); + +// This table is only for the case where return User Credential (MechID) Authentication +CREATE TABLE cred ( + id varchar, + type int, + expires timestamp, + ns varchar, + other int, + notes varchar, + cred blob, + prev blob, + PRIMARY KEY (id,type,expires) + ); +CREATE INDEX cred_ns ON cred(ns); + +// Certificate Cross Table +// coordinated with CRED type 2 +CREATE TABLE cert ( + fingerprint blob, + id varchar, + x500 varchar, + expires timestamp, + PRIMARY KEY (fingerprint) + ); +CREATE INDEX cert_id ON cert(id); +CREATE INDEX cert_x500 ON cert(x500); + +CREATE TABLE notify ( + user 
text, + type int, + last timestamp, + checksum int, + PRIMARY KEY (user,type) +); + +CREATE TABLE x509 ( + ca text, + serial blob, + id text, + x500 text, + x509 text, + PRIMARY KEY (ca,serial) +); + + +CREATE INDEX x509_id ON x509 (id); +CREATE INDEX x509_x500 ON x509 (x500); + +// +// Deployment Artifact (for Certman) +// +CREATE TABLE artifact ( + mechid text, + machine text, + type Set, + sponsor text, + ca text, + dir text, + os_user text, + ns text, + notify text, + expires timestamp, + renewDays int, + sans Set, + PRIMARY KEY (mechid,machine) +); +CREATE INDEX artifact_machine ON artifact(machine); +CREATE INDEX artifact_ns ON artifact(ns); + +// +// Non-Critical Table functions +// +// Table Info - for Caching +CREATE TABLE cache ( + name varchar, + seg int, // cache Segment + touched timestamp, + PRIMARY KEY(name,seg) +); + +CREATE TABLE history ( + id timeuuid, + yr_mon int, + user varchar, + action varchar, + target varchar, // user, user_role, + subject varchar, // field for searching main portion of target key + memo varchar, //description of the action + reconstruct blob, //serialized form of the target + // detail Map, // additional information + PRIMARY KEY (id) +); +CREATE INDEX history_yr_mon ON history(yr_mon); +CREATE INDEX history_user ON history(user); +CREATE INDEX history_subject ON history(subject); + +// +// A place to hold objects to be created at a future time. 
+// +CREATE TABLE future ( + id uuid, // uniquify + target varchar, // Target Table + memo varchar, // Description + start timestamp, // When it should take effect + expires timestamp, // When not longer valid + construct blob, // How to construct this object (like History) + PRIMARY KEY(id) +); +CREATE INDEX future_idx ON future(target); +CREATE INDEX future_start_idx ON future(start); + + +CREATE TABLE approval ( + id timeuuid, // unique Key + ticket uuid, // Link to Future Record + user varchar, // the user who needs to be approved + approver varchar, // user approving + type varchar, // approver types i.e. Supervisor, Owner + status varchar, // approval status. pending, approved, denied + memo varchar, // Text for Approval to know what's going on + operation varchar, // List operation to perform + last_notified timestamp, // Timestamp for the last time approver was notified + PRIMARY KEY(id) + ); +CREATE INDEX appr_approver_idx ON approval(approver); +CREATE INDEX appr_user_idx ON approval(user); +CREATE INDEX appr_ticket_idx ON approval(ticket); +CREATE INDEX appr_status_idx ON approval(status); + +CREATE TABLE approved ( + id timeuuid, // unique Key + user varchar, // the user who needs to be approved + approver varchar, // user approving + type varchar, // approver types i.e. Supervisor, Owner + status varchar, // approval status. 
pending, approved, denied + memo varchar, // Text for Approval to know what's going on + operation varchar, // List operation to perform + PRIMARY KEY(id) + ); +CREATE INDEX approved_approver_idx ON approved(approver); +CREATE INDEX approved_user_idx ON approved(user); + +CREATE TABLE delegate ( + user varchar, + delegate varchar, + expires timestamp, + PRIMARY KEY (user) +); +CREATE INDEX delg_delg_idx ON delegate(delegate); + +// OAuth Tokens +CREATE TABLE oauth_token ( + id text, // Reference + client_id text, // Creating Client ID + user text, // User requesting + active boolean, // Active or not + type int, // Type of Token + refresh text, // Refresh Token + expires timestamp, // Expiration time/Date (signed long) + exp_sec bigint, // Seconds from Jan 1, 1970 + content text, // Content of Token + scopes Set, // Scopes + state text, // Context string (Optional) + req_ip text, // Requesting IP (for logging purpose) + PRIMARY KEY(id) +) with default_time_to_live = 21600; // 6 hours +CREATE INDEX oauth_token_user_idx ON oauth_token(user); + +CREATE TABLE locate ( + name text, // Component/Server name + hostname text, // FQDN of Service/Component + port int, // Port of Service + major int, // Version, Major + minor int, // Version, Minor + patch int, // Version, Patch + pkg int, // Version, Package (if available) + latitude float, // Latitude + longitude float, // Longitude + protocol text, // Protocol (i.e. http https) + subprotocol set, // Accepted SubProtocols, ie. TLS1.1 for https + port_key uuid, // Key into locate_ports + PRIMARY KEY(name,hostname,port) +) with default_time_to_live = 1200; // 20 mins + +CREATE TABLE locate_ports ( + id uuid, // Id into locate + port int, // SubPort + name text, // Name of Other Port + protocol text, // Protocol of Other (i.e. 
JMX, DEBUG)
+ subprotocol set, // Accepted sub protocols or versions
+ PRIMARY KEY(id, port)
+) with default_time_to_live = 1200; // 20 mins;
+
+//
+// Used by authz-batch processes to ensure only 1 runs at a time
+//
+CREATE TABLE run_lock (
+ class text,
+ host text,
+ start timestamp,
+ PRIMARY KEY ((class))
+);
+
+CREATE TABLE config (
+ name varchar,
+ tag varchar,
+ value varchar,
+ PRIMARY KEY (name,tag)
+);
diff --git a/auth/auth-cass/cass_init/init2_1.cql b/auth/auth-cass/cass_init/init2_1.cql
new file mode 100644
index 00000000..701dd774
--- /dev/null
+++ b/auth/auth-cass/cass_init/init2_1.cql
@@ -0,0 +1,7 @@
+use authz;
+CREATE TABLE config (
+ name varchar,
+ tag varchar,
+ value varchar,
+ PRIMARY KEY (name,tag)
+);
diff --git a/auth/auth-cass/cass_init/keyspace.cql b/auth/auth-cass/cass_init/keyspace.cql
new file mode 100644
index 00000000..52dc5ea7
--- /dev/null
+++ b/auth/auth-cass/cass_init/keyspace.cql
@@ -0,0 +1,11 @@
+// For Developer Machine single instance
+// CREATE KEYSPACE authz
+// WITH REPLICATION = {'class' : 'SimpleStrategy','replication_factor':1};
+//
+//
+
+// Example of Network Topology, with Datacenter dc1 & dc2
+// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'dc1': '2', 'dc2': '2' };
+// Out of the box Docker Cassandra comes with "datacenter1", one instance
+CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'datacenter1': '1' };
+//
diff --git a/auth/auth-cass/cass_init/osaaf.cql b/auth/auth-cass/cass_init/osaaf.cql
new file mode 100644
index 00000000..51e6b908
--- /dev/null
+++ b/auth/auth-cass/cass_init/osaaf.cql
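Review bot: `cred.type int` carries no comment describing its values, although this commit depends on them: temp_identity.cql inserts `type` 1, osaaf.cql inserts `type` 2, and the `cert` table header says it is "coordinated with CRED type 2". Add a column comment such as `type int, // credential kind: 1 and 2 are used by temp_identity.cql and osaaf.cql; document the full set` so the next reader does not have to grep the seed scripts. The collection columns (`perms set`, `roles set`, `type Set`, `sans Set`, `scopes Set`, `subprotocol set`) show no element type here; if that is the file's actual text and not a rendering loss of the type parameter, cqlsh rejects those statements, so it is worth confirming against the committed file. The secondary indexes on `history(user)`, `cert(x500)` and `x509(x500)` are on high-cardinality columns, which Cassandra serves poorly once the tables grow; whether that matters depends on volumes not visible here.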
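Review bot: `CREATE TABLE config (` here duplicates the definition at the end of init.cql, so running init2_1.cql after init.cql on the same keyspace fails with an already-exists error. If this file is an upgrade step for installations created before the `config` table existed, say so in a header comment and use `CREATE TABLE IF NOT EXISTS config (` so it is safe on both fresh and upgraded keyspaces.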
@@ -0,0 +1,132 @@ +USE authz; + +// Create 'org' root NS +INSERT INTO ns (name,description,parent,scope,type) + VALUES('org','Root Namespace','.',1,1); + +INSERT INTO role(ns, name, perms, description) + VALUES('org','admin',{'org.access|*|*'},'Org Admins'); + +INSERT INTO role(ns, name, perms, description) + VALUES('org','owner',{'org.access|*|read,approve'},'Org Owners'); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org','access','*','read,approve',{'org.owner'},'Org Read Access'); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org','access','*','*',{'org.admin'},'Org Write Access'); + + +// Create org.osaaf +INSERT INTO ns (name,description,parent,scope,type) + VALUES('org.osaaf','OSAAF Namespace','org',2,2); + +INSERT INTO role(ns, name, perms,description) + VALUES('org.osaaf','admin',{'org.osaaf.access|*|*'},'OSAAF Admins'); + +INSERT INTO perm(ns, type, instance, action, roles,description) + VALUES ('org.osaaf','access','*','*',{'org.osaaf.admin'},'OSAAF Write Access'); + +INSERT INTO role(ns, name, perms,description) + VALUES('org.osaaf','owner',{'org.osaaf.access|*|read,approve'},'OSAAF Owners'); + +INSERT INTO perm(ns, type, instance, action, roles,description) + VALUES ('org.osaaf','access','*','read,appove',{'org.osaaf.owner'},'OSAAF Read Access'); + +// Create org.osaaf.aaf +INSERT INTO ns (name,description,parent,scope,type) + VALUES('org.osaaf.aaf','Application Authorization Framework','org.osaaf',3,3); + +INSERT INTO role(ns, name, perms, description) + VALUES('org.osaaf.aaf','admin',{'org.osaaf.aaf.access|*|*'},'AAF Admins'); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org.osaaf.aaf','access','*','*',{'org.osaaf.aaf.admin'},'AAF Write Access'); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org.osaaf.aaf','access','*','read,approve',{'org.osaaf.aaf.owner'},'AAF Read Access'); + +INSERT INTO role(ns, name, perms, 
description) + VALUES('org.osaaf.aaf','owner',{'org.osaaf.aaf.access|*|read,approve'},'AAF Owners'); + +// OSAAF Root +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin'); + +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin'); + + +// ONAP Specific Entities +// ONAP initial env Namespace +INSERT INTO ns (name,description,parent,scope,type) + VALUES('org.onap','ONAP','org',2,2); + +INSERT INTO ns (name,description,parent,scope,type) + VALUES('org.onap.portal','ONAP Portal','org.onap.portal',3,3); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org.onap.portal','access','*','read',{ + 'org.onap.portal.owner','org.onap.portal.designer','org.onap.portal.tester','org.onap.portal.ops','org.onap.portal.governor' + },'Portal Read Access'); + +INSERT INTO role(ns, name, perms, description) + VALUES('org.onap.portal','owner',{'org.onap.portal.access|*|read'},'Portal Owner'); + +INSERT INTO perm(ns, type, instance, action, roles, description) + VALUES ('org.onap.portal','access','*','*',{'org.onap.portal.admin'},'Portal Write Access'); + +INSERT INTO role(ns, name, perms, description) + VALUES('org.onap.portal','admin',{'org.onap.portal.access|*|*'},'Portal Admins'); + +// AAF Admin +insert into cred (id,type,expires,cred,notes,ns,other) values('aaf_admin@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('aaf_admin@people.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin'); + +// A Deployer +insert into cred (id,type,expires,cred,notes,ns,other) values('deployer@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO role(ns, 
name, perms, description) + VALUES('org.osaaf.aaf','deploy',{},'ONAP Deployment Role'); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('deployer@people.osaaf.org','org.osaaf.aaf.deploy','2018-10-31','org.osaaf.aaf','deploy'); + + +// DEMO ID (OPS) +insert into cred (id,type,expires,cred,notes,ns,other) values('demo@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('demo@people.osaaf.org','org.onap.portal.admin','2018-10-31','org.onap.portal','admin'); + +// ADMIN +insert into cred (id,type,expires,cred,notes,ns,other) values('jh0003@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('jh0003@people.osaaf.org','org.onap.portal.admin','2018-10-31','org.onap.portal','admin'); + +// DESIGNER +INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('cs0008@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO role(ns, name, perms, description) + VALUES('org.onap.portal','designer',{'org.onap.portal.access|*|read'},'Portal Designer'); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES ('cs0008@people.osaaf.org','org.onap.portal.designer','2018-10-31','org.onap.portal','designer'); + +// TESTER +INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('jm0007@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344); +INSERT INTO role(ns, name, perms, description) + VALUES('org.onap.portal','tester',{'org.onap.portal.access|*|read'},'Portal Tester'); +INSERT INTO user_role(user,role,expires,ns,rname) + VALUES 
('jm0007@people.osaaf.org','org.onap.portal.tester','2018-10-31','org.onap.portal','tester');
+
+// OPS
+INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('op0001@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
+INSERT INTO role(ns, name, perms, description)
+ VALUES('org.onap.portal','ops',{'org.onap.portal.access|*|read'},'Portal Operations');
+INSERT INTO user_role(user,role,expires,ns,rname)
+ VALUES ('op0001@people.osaaf.org','org.onap.portal.ops','2018-10-31','org.onap.portal','ops');
+
+// GOVERNOR
+INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('gv0001@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
+INSERT INTO role(ns, name, perms, description)
+ VALUES('org.onap.portal','governor',{'org.onap.portal.access|*|read'},'Portal Governor');
+INSERT INTO user_role(user,role,expires,ns,rname)
+ VALUES ('gv0001@people.osaaf.org','org.onap.portal.governor','2018-10-31','org.onap.portal','governor');
+
diff --git a/auth/auth-cass/cass_init/pull.sh b/auth/auth-cass/cass_init/pull.sh
new file mode 100644
index 00000000..94695ed1
--- /dev/null
+++ b/auth/auth-cass/cass_init/pull.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+#
+# Pull data from Cassandra into ".dat" files, and "gzip" them
+#
+DIR=/opt/app/aaf/cass_init
+cd $DIR
+mkdir -p dats
+cd dats
+TABLES="$(cqlsh -e "use authz; describe tables")"
+for T in $TABLES ; do
+ cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';"
+done
+cd $DIR
+tar -cvzf dat.gz dats/*.dat
+rm -Rf dats
+
diff --git a/auth/auth-cass/cass_init/push.sh b/auth/auth-cass/cass_init/push.sh
new file mode 100644
index 00000000..48521699
--- /dev/null
+++ b/auth/auth-cass/cass_init/push.sh
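Review bot: `VALUES ('org.osaaf','access','*','read,appove',{'org.osaaf.owner'},'OSAAF Read Access')` misspells the action, so this permission never matches the `org.osaaf.access|*|read,approve` key given to the `org.osaaf.owner` role two statements earlier; change it to `'read,approve'`. `VALUES('org.onap.portal','ONAP Portal','org.onap.portal',3,3)` makes the namespace its own parent, whereas every other `ns` row names the enclosing namespace, which here would be `'org.onap'`. Every `cred` row in this file carries the same credential blob and expiry `'2019-05-01'`, and every `user_role` row expires `'2018-10-31'`, about a month after this commit's date, so a fresh install produces eight accounts that share one secret and lose their roles shortly afterwards. The shared-secret fact at least belongs in the file header: `// All cred rows below share one default credential value; replace it before any use beyond local development`.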
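Review bot: The export loop copies every table that `describe tables` returns, which includes `cred` and `oauth_token`, so `dat.gz` contains credential hashes and live token contents; add `umask 077` before `mkdir -p dats` so the `.dat` files and the archive are not created world-readable, and state in the header comment that the archive holds secret material. `cd $DIR` and `cd dats` are unchecked; if `cd dats` fails the COPY files land in `$DIR` and `rm -Rf dats` removes nothing, so use `cd "$DIR/dats" || exit 1`. The archive is a gzipped tar but named `dat.gz`; `dat.tar.gz` would make its contents obvious to whoever handles it.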
@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Push data from Cassandra ".dat" files
+# These are obtained from "gzipped" files, or pre-placed (i.e. initialization)
+# in the "dats" directory
+#
+DIR=/opt/app/aaf/cass_init
+cd $DIR
+if [ ! -e dats ]; then
+ if [ -e dat.gz ]; then
+ tar -xvf dat.gz
+ else
+ echo "No Data to push for Cassandra"
+ exit
+ fi
+fi
+cd dats
+for T in $(ls *.dat); do
+ if [ -s $T ]; then
+ cqlsh -e "use authz; COPY ${T%.dat} FROM '$T' WITH DELIMITER='|';"
+ fi
+done
+cd $DIR
+#rm -Rf dats
diff --git a/auth/auth-cass/cass_init/temp_identity.cql b/auth/auth-cass/cass_init/temp_identity.cql
new file mode 100644
index 00000000..3032372b
--- /dev/null
+++ b/auth/auth-cass/cass_init/temp_identity.cql
@@ -0,0 +1,5 @@
+USE authz;
+// Create Root pass
+INSERT INTO cred (id,ns,type,cred,expires)
+ VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf',1,0xdd82c1882969461de74b46427961ea2c,'2099-12-31') using TTL 14400;
+
diff --git a/auth/auth-cass/docker/Dockerfile.cass b/auth/auth-cass/docker/Dockerfile.cass
new file mode 100644
index 00000000..1f2b2b13
--- /dev/null
+++ b/auth/auth-cass/docker/Dockerfile.cass
@@ -0,0 +1,17 @@
+FROM nexus3.onap.org:10001/cassandra:3.11
+MAINTAINER AAF Team, AT&T 2018
+ENV VERSION=${AAF_VERSION}
+
+LABEL description="aaf_cass"
+LABEL version=${AAF_VERSION}
+
+COPY cass_init/*.cql /opt/app/aaf/cass_init/
+COPY cass_init/*.sh /opt/app/aaf/cass_init/
+COPY cass_init/*.dat /opt/app/aaf/cass_init/
+COPY cass_data /opt/app/aaf/cass_init/dats/
+COPY sample.identities.dat /opt/app/aaf/cass_init/
+
+ENTRYPOINT ["/bin/bash","/opt/app/aaf/cass_init/cmd.sh"]
+CMD ["start"]
+# Default is to start up like normal
+
diff --git a/auth/auth-cass/docker/cbackup.sh b/auth/auth-cass/docker/cbackup.sh
deleted file mode 100644
index 9c91d0c6..00000000
--- a/auth/auth-cass/docker/cbackup.sh
+++ /dev/null
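Review bot: `for T in $(ls *.dat)` should be `for T in *.dat`, and `${T%.dat}` is spliced unquoted into the CQL string, so any file dropped into `dats` becomes the table name of a COPY statement; an explicit list of expected tables, as build.sh has, would make the loaded set deliberate. The `exit` in the no-data branch returns 0, so cmd.sh cannot distinguish "nothing to push" from a successful load; use `exit 1`. With `#rm -Rf dats` commented out, the extracted `.dat` files, `cred.dat` among them, stay on the container filesystem after loading; either delete them after the loop or explain in the header why they are kept.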
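Review bot: The `using TTL 14400` clause is what actually bounds this emergency identity (the row disappears after four hours), not the `'2099-12-31'` expiry, and the credential blob is a fixed value committed to the repository. The comment `// Create Root pass` should say both, e.g. `// Emergency root identity: the row is removed by TTL after 14400s (4h); the cred value is a known default and must be changed before use`.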
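Review bot: `ENV VERSION=${AAF_VERSION}` and `LABEL version=${AAF_VERSION}` only take a value because dbuild.sh rewrites this file with sed first; a plain `docker build` leaves both empty since no `ARG AAF_VERSION` is declared. Adding `ARG AAF_VERSION` above the `ENV` line lets the Dockerfile build on its own with `--build-arg AAF_VERSION=...` and removes the need for the sed step. `MAINTAINER` is deprecated in favour of `LABEL maintainer="..."`. The image also bakes `sample.identities.dat` and `cass_data/*.dat` into its layers; a comment stating that these are development seed data would help whoever later publishes the image.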
@@ -1,8 +0,0 @@
-cd /opt/app/cass_backup
-DATA="ns role perm ns_attrib user_role cred cert x509 delegate approval approved future notify artifact health history"
-PWD=cassandra
-CQLSH="cqlsh -u cassandra -k authz -p $PWD"
-for T in $DATA ; do
- echo "Creating $T.dat"
- $CQLSH -e "COPY authz.$T TO '$T.dat' WITH DELIMITER='|'"
-done
diff --git a/auth/auth-cass/docker/dbuild.sh b/auth/auth-cass/docker/dbuild.sh
new file mode 100644
index 00000000..df58144d
--- /dev/null
+++ b/auth/auth-cass/docker/dbuild.sh
@@ -0,0 +1,27 @@
+#!/bin/bash
+#
+# Build AAF Cass Docker Script
+#
+# Pull in AAF Env Variables from AAF install
+if [ -e ../../docker/d.props ]; then
+ . ../../docker/d.props
+else
+ . ../../docker/d.props.init
+fi
+
+echo "Building Container for aaf_cass:$VERSION"
+
+DIR=$(pwd)
+cd ..
+sed -e 's/${AAF_VERSION}/'${VERSION}'/g' $DIR/Dockerfile.cass > Dockerfile
+cd ..
+cp -Rf sample/cass_data auth-cass/cass_data
+cp sample/data/sample.identities.dat auth-cass
+
+docker build -t ${ORG}/${PROJECT}/aaf_cass:${VERSION} auth-cass
+cd -
+rm Dockerfile
+rm -Rf cass_data
+rm sample.identities.dat
+cd $DIR
+
diff --git a/auth/auth-cass/docker/dcqlsh.sh b/auth/auth-cass/docker/dcqlsh.sh
new file mode 100644
index 00000000..a6c08643
--- /dev/null
+++ b/auth/auth-cass/docker/dcqlsh.sh
@@ -0,0 +1,3 @@
+#!/bin/bash
+docker exec -it aaf_cass /usr/bin/cqlsh -k authz
+
diff --git a/auth/auth-cass/docker/dinstall.sh b/auth/auth-cass/docker/dinstall.sh
index 6d7f949e..045d5f2f 100644
--- a/auth/auth-cass/docker/dinstall.sh
+++ b/auth/auth-cass/docker/dinstall.sh
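Review bot: Every path in dbuild.sh (`../../docker/d.props`, the two `cd ..`, `$DIR/Dockerfile.cass`) is relative to the caller's working directory, so the script only works when started from `auth/auth-cass/docker`; add `cd "$(dirname "$0")" || exit 1` before `DIR=$(pwd)`. Nothing checks the `docker build` exit status and the `rm` cleanup runs regardless, so a failed build still exits 0 with the temporary files gone; capture the status (`docker build ...; RC=$?`) and `exit $RC` after cleanup. `${ORG}` and `${PROJECT}` come from the sourced props file and are unquoted; if either is empty the tag silently becomes `//aaf_cass:...`, so a check that both are set before the build would fail early with a clear message.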
@@ -1,111 +1,7 @@
 #!/bin/bash
-if [ -e /usr/bin/docker ]; then
- DOCKER=/usr/bin/docker
-elif [ -e /usr/local/bin/docker ]; then
- DOCKER=/usr/local/bin/docker
-else
- echo Docker not available in /usr/bin or /usr/local/bin
- exit
-fi
-if [ "$($DOCKER volume ls | grep aaf_cass_data)" = "" ]; then
- $DOCKER volume create aaf_cass_data
- echo "Created Cassandra Volume aaf_cass_data"
-fi
+. drun.sh
-echo "Running DInstall"
-if [ "`$DOCKER ps -a | grep aaf_cass`" == "" ]; then
- echo "starting Cass from 'run'"
- # NOTE: These HEAP Sizes are minimal. Not set for full organizations.
- $DOCKER run \
- --name aaf_cass \
- -e HEAP_NEWSIZE=512M \
- -e MAX_HEAP_SIZE=1024M \
- -e CASSANDRA_DC=dc1 \
- -e CASSANDRA_CLUSTER_NAME=osaaf \
- --mount 'type=volume,src=aaf_cass_data,dst=/var/lib/cassandra,volume-driver=local' \
- -d cassandra:3.11
- # Set on local Disk
- # -v /opt/app/cass:/var/lib/cassandra
- echo "aaf_cass Starting"
- for CNT in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
- if [ "`$DOCKER container logs aaf_cass | grep 'listening for CQL clients'`" == "" ]; then
- echo "Sleep 10"
- sleep 10
- else
- break
- fi
- done
-
- echo "Running Phase 2 DInstall"
- $DOCKER container ps
-
- echo "Creating /opt/app/cass_init dir on aaf_cass"
- $DOCKER exec aaf_cass mkdir -p /opt/app/cass_init
- echo "cp the following files to /opt/app/cass_init dir on aaf_cass"
- $DOCKER cp "../src/main/cql/." aaf_cass:/opt/app/cass_init
- echo "The following files are on /opt/app/cass_init dir on aaf_cass"
- $DOCKER exec aaf_cass ls /opt/app/cass_init
-
- if [ "`$DOCKER exec aaf_cass /usr/bin/cqlsh -e 'describe keyspaces' | grep authz`" == "" ]; then
- echo "Docker Installed Basic Cassandra on aaf_cass. Executing the following "
- echo "NOTE: This creator provided is only a Single Instance. For more complex Cassandra, create independently"
- echo ""
- echo " cd /opt/app/cass_init"
- echo " cqlsh -f keyspace.cql"
- echo " cqlsh -f init.cql"
- echo ""
- echo "The following will give you a temporary identity with which to start working, or emergency"
- echo " cqlsh -f temp_identity.cql"
- echo "Create Keyspaces and Tables"
- $DOCKER exec aaf_cass bash /usr/bin/cqlsh -f /opt/app/cass_init/keyspace.cql
- $DOCKER exec aaf_cass bash /usr/bin/cqlsh -e 'describe keyspaces'
- $DOCKER exec aaf_cass bash /usr/bin/cqlsh -f /opt/app/cass_init/init.cql
- cd ../../sample/cass_data
- ID_FILE=../data/identities.dat
- if [ -e $ID_FILE ]; then
- DATE=$(date "+%Y-%m-%d %H:%M:%S.000+0000" -d "+6 months")
- echo $DATE
- CRED="cred.dat"
- # Enter for People
- echo "Default Passwords for People"
- for ID in $(grep '|a|' $ID_FILE | sed -e "s/|.*//"); do
- if [ "$ID" = "aaf" ]; then
- DOMAIN="aaf.osaaf.org";
- else
- DOMAIN="$ID.onap.org";
- fi
- unset FIRST
- for D in ${DOMAIN//./ }; do
- if [ -z "$FIRST" ]; then
- NS="$D"
- FIRST="N"
- else
- NS="$D.$NS"
- fi
- done
- echo "$ID@$DOMAIN|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|$NS|53344|" >> $CRED
- done
-
- for ID in $(grep '|e|' $ID_FILE | sed -e "s/|.*//"); do
- echo "$ID@people.osaaf.org|2|${DATE}|0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95|Initial ID|org.osaaf.people|53344|" >> $CRED
- done
-
- mv user_role.dat tmp
- sed "s/\(^.*|\)\(.*|\)\(.*|\)\(.*\)/\1${DATE}|\3\4/" tmp > user_role.dat
+echo $DOCKER
+docker exec -it aaf_cass bash aaf_cmd onap
- for DAT in ns perm role ns_attrib user_role cred; do
- $DOCKER container cp $DAT.dat aaf_cass:/tmp/$DAT.dat
- $DOCKER exec aaf_cass bash /usr/bin/cqlsh -k authz -e "COPY authz.$DAT FROM '/tmp/$DAT.dat' WITH DELIMITER='|'"
- $DOCKER exec -t aaf_cass rm /tmp/$DAT.dat
- done
- rm $CRED
- mv tmp user_role.dat
- else
- echo DInstall requires access to 'identities.dat'
- fi
- cd -
- fi
-else
- $DOCKER start aaf_cass
-fi
diff --git a/auth/auth-cass/docker/drun.sh b/auth/auth-cass/docker/drun.sh
new file mode 100644
index 00000000..4f2499c7
--- /dev/null
+++ b/auth/auth-cass/docker/drun.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# Pull in AAF Env Variables from AAF install
+if [ -e ../../docker/d.props ]; then
+ . ../../docker/d.props
+else
+ . ../../docker/d.props.init
+fi
+
+if [ -e /usr/bin/docker ]; then
+ DOCKER=/usr/bin/docker
+elif [ -e /usr/local/bin/docker ]; then
+ DOCKER=/usr/local/bin/docker
+else
+ echo Docker not available in /usr/bin or /usr/local/bin
+ exit
+fi
+
+if [ "$($DOCKER volume ls | grep aaf_cass_data)" = "" ]; then
+ $DOCKER volume create aaf_cass_data
+ echo "Created Cassandra Volume aaf_cass_data"
+fi
+
+if [ "`$DOCKER ps -a | grep aaf_cass`" == "" ]; then
+ echo "starting Cass from 'run'"
+ # NOTE: These HEAP Sizes are minimal. Not set for full organizations.
+ $DOCKER run \
+ --name aaf_cass \
+ -e HEAP_NEWSIZE=512M \
+ -e MAX_HEAP_SIZE=1024M \
+ -e CASSANDRA_DC=dc1 \
+ -e CASSANDRA_CLUSTER_NAME=osaaf \
+ --mount 'type=volume,src=aaf_cass_data,dst=/var/lib/cassandra,volume-driver=local' \
+ -d ${ORG}/${PROJECT}/aaf_cass:${VERSION}
+else
+ $DOCKER start aaf_cass
+fi
diff --git a/auth/auth-cass/src/main/cql/.gitignore b/auth/auth-cass/src/main/cql/.gitignore
deleted file mode 100644
index ce22752c..00000000
--- a/auth/auth-cass/src/main/cql/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-temp.cql
diff --git a/auth/auth-cass/src/main/cql/build.sh b/auth/auth-cass/src/main/cql/build.sh
deleted file mode 100644
index caa07494..00000000
--- a/auth/auth-cass/src/main/cql/build.sh
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/bash
-CQLSH=/Volumes/Data/apache-cassandra-2.1.14/bin/cqlsh
-DIR=.
-for T in ns perm role user_role cred config; do
- $CQLSH -e "COPY authz.$T TO '$DIR/$T.dat' WITH DELIMITER='|'"
-done
diff --git a/auth/auth-cass/src/main/cql/config.dat b/auth/auth-cass/src/main/cql/config.dat
deleted file mode 100644
index 7eba23e1..00000000
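Review bot: The new dinstall.sh runs `docker exec -it aaf_cass bash aaf_cmd onap` straight after `. drun.sh`, but drun.sh only starts the container with `-d` and returns; the readiness loop the old version had (polling the container log for `listening for CQL clients` before running cqlsh) is gone, so on a fresh volume the exec will most likely reach a Cassandra that is not yet accepting CQL. Either keep a bounded wait in this script before the exec, or add a comment stating that `aaf_cmd` (not visible in this diff) performs the wait itself. `echo $DOCKER` reads like a debugging leftover, and the exec uses bare `docker` instead of the `$DOCKER` path that drun.sh just resolved. `. drun.sh` sources from the current directory, so the script only works when invoked from `auth/auth-cass/docker`; `. "$(dirname "$0")/drun.sh"` removes that dependency.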
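Review bot: The container check in drun.sh, `$DOCKER ps -a | grep aaf_cass`, is a substring match over the whole `ps` output, so it also matches the image tag `aaf_cass:${VERSION}` and any other container whose name contains `aaf_cass`; a stale container from a different image is then `start`ed instead of the freshly built one, and the same applies to `$DOCKER volume ls | grep aaf_cass_data`. Use Docker's own filters: `if [ -z "$($DOCKER ps -a -q --filter name='^/aaf_cass$')" ]; then` and `$DOCKER volume ls -q --filter name=aaf_cass_data`. The `run` line publishes no ports and configures no Cassandra authentication, which is appropriate for a local bootstrap container, but a comment saying so would stop someone from adding a `-p 9042:9042` mapping without also enabling authentication.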
--- a/auth/auth-cass/src/main/cql/config.dat
+++ /dev/null
@@ -1,10 +0,0 @@
-aaf|aaf_env|DEV
-aaf|aaf_locate_url|https://meriadoc.mithril.sbc.com:8095
-aaf|cadi_x509_issuers|CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US:CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US
-aaf|aaf_oauth2_introspect_url|https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
-aaf|aaf_oauth2_token_url|https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
-aaf|aaf_url|https://AAF_LOCATE_URL/AAF_NS.service:2.1
-aaf|cadi_protocols|TLSv1.1,TLSv1.2
-aaf|cm_url|https://AAF_LOCATE_URL/AAF_NS.cm:2.1
-aaf|fs_url|https://AAF_LOCATE_URL/AAF_NS.fs.2.1
-aaf|gui_url|https://AAF_LOCATE_URL/AAF_NS.gui.2.1
diff --git a/auth/auth-cass/src/main/cql/init.cql b/auth/auth-cass/src/main/cql/init.cql
deleted file mode 100644
index bf75998d..00000000
--- a/auth/auth-cass/src/main/cql/init.cql
+++ /dev/null
@@ -1,273 +0,0 @@
-
-// Table Initialization
-// First make sure the keyspace exists.
-
-USE authz;
-
-//
-// CORE Table function
-//
-
-// Namespace - establish hierarchical authority to modify
-// Permissions and Roles
-// "scope" is flag to determine Policy. Typical important scope
-// is "company" (1)
-CREATE TABLE ns (
- name varchar,
- scope int, // deprecated 2.0.11
- description varchar,
- parent varchar,
- type int,
- PRIMARY KEY (name)
-);
-CREATE INDEX ns_parent on ns(parent);
-
-CREATE TABLE ns_attrib (
- ns varchar,
- key varchar,
- value varchar,
- PRIMARY KEY (ns,key)
-);
-create index ns_attrib_key on ns_attrib(key);
-
-// Will be cached
-CREATE TABLE role (
- ns varchar,
- name varchar,
- perms set, // Use "Key" of "name|type|action"
- description varchar,
- PRIMARY KEY (ns,name)
-);
-CREATE INDEX role_name ON role(name);
-
-// Will be cached
-CREATE TABLE perm (
- ns varchar,
- type varchar,
- instance varchar,
- action varchar,
- roles set, // Need to find Roles given Permissions
- description varchar,
- PRIMARY KEY (ns,type,instance,action)
-);
-
-// This table is user for Authorization
-CREATE TABLE user_role (
- user varchar,
- role varchar, // deprecated: change to ns/rname after 2.0.11
- ns varchar,
- rname varchar,
- expires timestamp,
- PRIMARY KEY(user,role)
- );
-CREATE INDEX user_role_ns ON user_role(ns);
-CREATE INDEX user_role_role ON user_role(role);
-
-// This table is only for the case where return User Credential (MechID) Authentication
-CREATE TABLE cred (
- id varchar,
- type int,
- expires timestamp,
- ns varchar,
- other int,
- notes varchar,
- cred blob,
- prev blob,
- PRIMARY KEY (id,type,expires)
- );
-CREATE INDEX cred_ns ON cred(ns);
-
-// Certificate Cross Table
-// coordinated with CRED type 2
-CREATE TABLE cert (
- fingerprint blob,
- id varchar,
- x500 varchar,
- expires timestamp,
- PRIMARY KEY (fingerprint)
- );
-CREATE INDEX cert_id ON cert(id);
-CREATE INDEX cert_x500 ON cert(x500);
-
-CREATE TABLE notify (
- user text,
- type int,
- last timestamp,
- checksum int,
- PRIMARY KEY (user,type)
-);
-
-CREATE TABLE x509 (
- ca text,
- serial blob,
- id text,
- x500 text,
- x509 text,
- PRIMARY KEY (ca,serial)
-);
-
-
-CREATE INDEX x509_id ON x509 (id);
-CREATE INDEX x509_x500 ON x509 (x500);
-
-//
-// Deployment Artifact (for Certman)
-//
-CREATE TABLE artifact (
- mechid text,
- machine text,
- type Set,
- sponsor text,
- ca text,
- dir text,
- os_user text,
- ns text,
- notify text,
- expires timestamp,
- renewDays int,
- sans Set,
- PRIMARY KEY (mechid,machine)
-);
-CREATE INDEX artifact_machine ON artifact(machine);
-CREATE INDEX artifact_ns ON artifact(ns);
-
-//
-// Non-Critical Table functions
-//
-// Table Info - for Caching
-CREATE TABLE cache (
- name varchar,
- seg int, // cache Segment
- touched timestamp,
- PRIMARY KEY(name,seg)
-);
-
-CREATE TABLE history (
- id timeuuid,
- yr_mon int,
- user varchar,
- action varchar,
- target varchar, // user, user_role,
- subject varchar, // field for searching main portion of target key
- memo varchar, //description of the action
- reconstruct blob, //serialized form of the target
- // detail Map, // additional information
- PRIMARY KEY (id)
-);
-CREATE INDEX history_yr_mon ON history(yr_mon);
-CREATE INDEX history_user ON history(user);
-CREATE INDEX history_subject ON history(subject);
-
-//
-// A place to hold objects to be created at a future time.
-//
-CREATE TABLE future (
- id uuid, // uniquify
- target varchar, // Target Table
- memo varchar, // Description
- start timestamp, // When it should take effect
- expires timestamp, // When not longer valid
- construct blob, // How to construct this object (like History)
- PRIMARY KEY(id)
-);
-CREATE INDEX future_idx ON future(target);
-CREATE INDEX future_start_idx ON future(start);
-
-
-CREATE TABLE approval (
- id timeuuid, // unique Key
- ticket uuid, // Link to Future Record
- user varchar, // the user who needs to be approved
- approver varchar, // user approving
- type varchar, // approver types i.e. Supervisor, Owner
- status varchar, // approval status. pending, approved, denied
- memo varchar, // Text for Approval to know what's going on
- operation varchar, // List operation to perform
- last_notified timestamp, // Timestamp for the last time approver was notified
- PRIMARY KEY(id)
- );
-CREATE INDEX appr_approver_idx ON approval(approver);
-CREATE INDEX appr_user_idx ON approval(user);
-CREATE INDEX appr_ticket_idx ON approval(ticket);
-CREATE INDEX appr_status_idx ON approval(status);
-
-CREATE TABLE approved (
- id timeuuid, // unique Key
- user varchar, // the user who needs to be approved
- approver varchar, // user approving
- type varchar, // approver types i.e. Supervisor, Owner
- status varchar, // approval status. pending, approved, denied
- memo varchar, // Text for Approval to know what's going on
- operation varchar, // List operation to perform
- PRIMARY KEY(id)
- );
-CREATE INDEX approved_approver_idx ON approved(approver);
-CREATE INDEX approved_user_idx ON approved(user);
-
-CREATE TABLE delegate (
- user varchar,
- delegate varchar,
- expires timestamp,
- PRIMARY KEY (user)
-);
-CREATE INDEX delg_delg_idx ON delegate(delegate);
-
-// OAuth Tokens
-CREATE TABLE oauth_token (
- id text, // Reference
- client_id text, // Creating Client ID
- user text, // User requesting
- active boolean, // Active or not
- type int, // Type of Token
- refresh text, // Refresh Token
- expires timestamp, // Expiration time/Date (signed long)
- exp_sec bigint, // Seconds from Jan 1, 1970
- content text, // Content of Token
- scopes Set, // Scopes
- state text, // Context string (Optional)
- req_ip text, // Requesting IP (for logging purpose)
- PRIMARY KEY(id)
-) with default_time_to_live = 21600; // 6 hours
-CREATE INDEX oauth_token_user_idx ON oauth_token(user);
-
-CREATE TABLE locate (
- name text, // Component/Server name
- hostname text, // FQDN of Service/Component
- port int, // Port of Service
- major int, // Version, Major
- minor int, // Version, Minor
- patch int, // Version, Patch
- pkg int, // Version, Package (if available)
- latitude float, // Latitude
- longitude float, // Longitude
- protocol text, // Protocol (i.e. http https)
- subprotocol set, // Accepted SubProtocols, ie. TLS1.1 for https
- port_key uuid, // Key into locate_ports
- PRIMARY KEY(name,hostname,port)
-) with default_time_to_live = 1200; // 20 mins
-
-CREATE TABLE locate_ports (
- id uuid, // Id into locate
- port int, // SubPort
- name text, // Name of Other Port
- protocol text, // Protocol of Other (i.e. JMX, DEBUG)
- subprotocol set, // Accepted sub protocols or versions
- PRIMARY KEY(id, port)
-) with default_time_to_live = 1200; // 20 mins;
-
-//
-// Used by authz-batch processes to ensure only 1 runs at a time
-//
-CREATE TABLE run_lock (
- class text,
- host text,
- start timestamp,
- PRIMARY KEY ((class))
-);
-
-CREATE TABLE config (
- name varchar,
- tag varchar,
- value varchar,
- PRIMARY KEY (name,tag)
-);
diff --git a/auth/auth-cass/src/main/cql/init2_1.cql b/auth/auth-cass/src/main/cql/init2_1.cql
deleted file mode 100644
index 701dd774..00000000
--- a/auth/auth-cass/src/main/cql/init2_1.cql
+++ /dev/null
@@ -1,7 +0,0 @@
-use authz;
-CREATE TABLE config (
- name varchar,
- tag varchar,
- value varchar,
- PRIMARY KEY (name,tag)
-);
diff --git a/auth/auth-cass/src/main/cql/keyspace.cql b/auth/auth-cass/src/main/cql/keyspace.cql
deleted file mode 100644
index 52dc5ea7..00000000
--- a/auth/auth-cass/src/main/cql/keyspace.cql
+++ /dev/null
@@ -1,11 +0,0 @@
-// For Developer Machine single instance
-// CREATE KEYSPACE authz
-// WITH REPLICATION = {'class' : 'SimpleStrategy','replication_factor':1};
-//
-//
-
-// Example of Network Topology, with Datacenter dc1 & dc2
-// CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'dc1': '2', 'dc2': '2' };
-// Out of the box Docker Cassandra comes with "datacenter1", one instance
-CREATE KEYSPACE authz WITH replication = { 'class': 'NetworkTopologyStrategy', 'datacenter1': '1' };
-//
diff --git a/auth/auth-cass/src/main/cql/osaaf.cql b/auth/auth-cass/src/main/cql/osaaf.cql
deleted file mode 100644
index 51e6b908..00000000
--- a/auth/auth-cass/src/main/cql/osaaf.cql
+++ /dev/null
@@ -1,132 +0,0 @@
-USE authz;
-
-// Create 'org' root NS
-INSERT INTO ns (name,description,parent,scope,type)
- VALUES('org','Root Namespace','.',1,1);
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org','admin',{'org.access|*|*'},'Org Admins');
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org','owner',{'org.access|*|read,approve'},'Org Owners');
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org','access','*','read,approve',{'org.owner'},'Org Read Access');
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org','access','*','*',{'org.admin'},'Org Write Access');
-
-
-// Create org.osaaf
-INSERT INTO ns (name,description,parent,scope,type)
- VALUES('org.osaaf','OSAAF Namespace','org',2,2);
-
-INSERT INTO role(ns, name, perms,description)
- VALUES('org.osaaf','admin',{'org.osaaf.access|*|*'},'OSAAF Admins');
-
-INSERT INTO perm(ns, type, instance, action, roles,description)
- VALUES ('org.osaaf','access','*','*',{'org.osaaf.admin'},'OSAAF Write Access');
-
-INSERT INTO role(ns, name, perms,description)
- VALUES('org.osaaf','owner',{'org.osaaf.access|*|read,approve'},'OSAAF Owners');
-
-INSERT INTO perm(ns, type, instance, action, roles,description)
- VALUES ('org.osaaf','access','*','read,appove',{'org.osaaf.owner'},'OSAAF Read Access');
-
-// Create org.osaaf.aaf
-INSERT INTO ns (name,description,parent,scope,type)
- VALUES('org.osaaf.aaf','Application Authorization Framework','org.osaaf',3,3);
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.osaaf.aaf','admin',{'org.osaaf.aaf.access|*|*'},'AAF Admins');
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org.osaaf.aaf','access','*','*',{'org.osaaf.aaf.admin'},'AAF Write Access');
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org.osaaf.aaf','access','*','read,approve',{'org.osaaf.aaf.owner'},'AAF Read Access');
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.osaaf.aaf','owner',{'org.osaaf.aaf.access|*|read,approve'},'AAF Owners');
-
-// OSAAF Root
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('aaf@aaf.osaaf.org','org.admin','2018-10-31','org','admin');
-
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin');
-
-
-// ONAP Specific Entities
-// ONAP initial env Namespace
-INSERT INTO ns (name,description,parent,scope,type)
- VALUES('org.onap','ONAP','org',2,2);
-
-INSERT INTO ns (name,description,parent,scope,type)
- VALUES('org.onap.portal','ONAP Portal','org.onap.portal',3,3);
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org.onap.portal','access','*','read',{
- 'org.onap.portal.owner','org.onap.portal.designer','org.onap.portal.tester','org.onap.portal.ops','org.onap.portal.governor'
- },'Portal Read Access');
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','owner',{'org.onap.portal.access|*|read'},'Portal Owner');
-
-INSERT INTO perm(ns, type, instance, action, roles, description)
- VALUES ('org.onap.portal','access','*','*',{'org.onap.portal.admin'},'Portal Write Access');
-
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','admin',{'org.onap.portal.access|*|*'},'Portal Admins');
-
-// AAF Admin
-insert into cred (id,type,expires,cred,notes,ns,other) values('aaf_admin@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('aaf_admin@people.osaaf.org','org.osaaf.aaf.admin','2018-10-31','org.osaaf.aaf','admin');
-
-// A Deployer
-insert into cred (id,type,expires,cred,notes,ns,other) values('deployer@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.osaaf.aaf','deploy',{},'ONAP Deployment Role');
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('deployer@people.osaaf.org','org.osaaf.aaf.deploy','2018-10-31','org.osaaf.aaf','deploy');
-
-
-// DEMO ID (OPS)
-insert into cred (id,type,expires,cred,notes,ns,other) values('demo@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('demo@people.osaaf.org','org.onap.portal.admin','2018-10-31','org.onap.portal','admin');
-
-// ADMIN
-insert into cred (id,type,expires,cred,notes,ns,other) values('jh0003@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('jh0003@people.osaaf.org','org.onap.portal.admin','2018-10-31','org.onap.portal','admin');
-
-// DESIGNER
-INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('cs0008@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','designer',{'org.onap.portal.access|*|read'},'Portal Designer');
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('cs0008@people.osaaf.org','org.onap.portal.designer','2018-10-31','org.onap.portal','designer');
-
-// TESTER
-INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('jm0007@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','tester',{'org.onap.portal.access|*|read'},'Portal Tester');
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('jm0007@people.osaaf.org','org.onap.portal.tester','2018-10-31','org.onap.portal','tester');
-
-// OPS
-INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('op0001@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','ops',{'org.onap.portal.access|*|read'},'Portal Operations');
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('op0001@people.osaaf.org','org.onap.portal.ops','2018-10-31','org.onap.portal','ops');
-
-// GOVERNOR
-INSERT INTO cred (id,type,expires,cred,notes,ns,other) values('gv0001@people.osaaf.org',2,'2019-05-01',0xd993c5617486296f1b99d04de31633332b8ba1a550038e23860f9dbf0b2fcf95,'Initial ID','org.osaaf.people',53344);
-INSERT INTO role(ns, name, perms, description)
- VALUES('org.onap.portal','governor',{'org.onap.portal.access|*|read'},'Portal Governor');
-INSERT INTO user_role(user,role,expires,ns,rname)
- VALUES ('gv0001@people.osaaf.org','org.onap.portal.governor','2018-10-31','org.onap.portal','governor');
-
diff --git a/auth/auth-cass/src/main/cql/pull.sh b/auth/auth-cass/src/main/cql/pull.sh
deleted file mode 100644
index 01fa52bf..00000000
--- a/auth/auth-cass/src/main/cql/pull.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-mkdir -p dats
-cd dats
-for T in ns ns_attrib cred user_role perm role config artifact ; do
- cqlsh -e "use authz; COPY $T TO '$T.dat' WITH DELIMITER='|';"
-done
-tar -cvzf ../dat.gz *.dat
-rm *.dat
-cd -
-rmdir dats
-
diff --git a/auth/auth-cass/src/main/cql/push.sh b/auth/auth-cass/src/main/cql/push.sh
deleted file mode 100644
index 330326d5..00000000
--- a/auth/auth-cass/src/main/cql/push.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-mkdir -p dats
-cd dats
-tar -xvf ../dat.gz
-for T in $(ls *.dat); do
- cqlsh -e "use authz; COPY ${T%.dat} FROM '$T' WITH DELIMITER='|';"
-done
-cd -
-rm -Rf dats
diff --git a/auth/auth-cass/src/main/cql/temp_identity.cql b/auth/auth-cass/src/main/cql/temp_identity.cql
deleted file mode 100644
index 3032372b..00000000
--- a/auth/auth-cass/src/main/cql/temp_identity.cql
+++ /dev/null
@@ -1,5 +0,0 @@
-USE authz;
-// Create Root pass
-INSERT INTO cred (id,ns,type,cred,expires)
- VALUES ('aaf@aaf.osaaf.org','org.osaaf.aaf',1,0xdd82c1882969461de74b46427961ea2c,'2099-12-31') using TTL 14400;
-
-- cgit 1.2.3-korg