Initial drop of rProxy code

The Reverse Proxy sidecar is used to separate the responsibility of authentication and authorization away from the primary microservice. In conjunction with the Forward Proxy sidecar, it is responsible for controlling access to the REST URL endpoints exposed by the primary microservice, and propogating security credentials to downstream microservices. Change-Id: I5d80429e5422d7b3937cde73ac10c2ec00d264e8 Issue-ID: AAI-1604 Signed-off-by: Lee, Tian (tl5884) <TianL@amdocs.com>
author: Lee, Tian (tl5884) <TianL@amdocs.com> 2018-09-20 12:27:40 +0100
committer: Tian Lee <TianL@amdocs.com> 2018-09-24 09:25:29 +0000
commit: 0d7feec2e32f69a8e919f06f03df3ce46e78801d (patch)
tree: d712e56fb78bea085eb1bf9c04447a07d0f50341 /sidecar/rproxy/README.md
parent: 6c3031ea90d5b51ae44a599c0cd0d95c057cf633 (diff)
1 files changed, 96 insertions, 0 deletions
diff --git a/sidecar/rproxy/README.md b/sidecar/rproxy/README.md
new file mode 100644
index 0000000..c8c22fe
--- /dev/null
+++ b/sidecar/rproxy/README.md
@@ -0,0 +1,96 @@
+# Introduction
+
+The AAF Reverse Proxy is a proxy microservice which intercepts incoming REST requests by, extracting the credentials from the request and authenticate/authorises
+with a configured security provider. It is one of two components (along with the Forward proxy) deployed as a Kubernetes sidecar to
+separate the responsibility of authentication and authorization away from the primary microservice, this service is responsible for
+controlling access to the REST URL endpoints exposed by the primary microservice, and propogating security credentials to downstream microservices. 
+
+## Features
+
+Reverse Proxy:
+
+* The service will intercept all incoming REST requests to the primary service, extract and cache the token credentials in the Forward proxy.
+* Invokes the authentication and authorisation providers to validate the extracted tokens, and retrieve its list of authorisations
+* Invokes the enforcement point filter to determine whether the incoming request URI and retrieved permissions match the list of granted URIs and permissions
+  configured in the URI authorisation file. If authorisation is successful, forward the request to the primary service.
+
+## Configuring the rProxy service
+The rProxy service is configured through property and json files that resides under the ${CONFIG_HOME} environment variable.
+
+The files have the following configurable properties:
+
+###cadi.properties
+
+cadi_loglevel log level of the cadi filter, e.g. DEBUG, INFO
+cadi_keyfile  location to the cadi key file
+cadi_truststore 
+cadi_truststore_password
+aaf_url hostname and port of the server hosting the AAF service, e.g. https://aaf.osaaf.org:30247
+aaf_env AAF environment type, e.g. DEV, PROD
+aaf_id aafadmin user, e.g. demo@people.osaaf.org
+aaf_password aafadmin user password encrypted with the cadi_keyfile, e.g. enc:92w4px0y_rrm265LXLpw58QnNPgDXykyA1YTrflbAKz
+cadi_x509_issuers colon separated list of client cert issuers
+
+###reverse-proxy.properties
+
+transactionid.header.name	This is the name of the header in incoming requests that will contain the transaction ID.	X-TransactionId
+
+###primary-service.properties
+
+primary-service.protocol http protocol of the primary service e.g. https
+primary-service.host location of the primary service, since this sidecar resides in the same pod of the primary service. localhost
+primary-service.port port of the primary service
+
+###forward-proxy.properties
+
+forward-proxy.protocol http protocol of the fproxy service e.g. https
+forward-proxy.host location of the fproxy service, since this sidecar resides in the same pod of the primary service. localhost
+forward-proxy.port port of the fproxy service
+forward-proxy.cacheurl URI to the store credential cache. /credential-cache
+
+### auth/uri-authorization.json
+This file contains the list of required AAF permissions authorised for the request URI, permissions will be tested against the first matching URI.
+If the user doesn't have those permissions then the next matching URI will be tested until the list of URIs is exhausted.
+URIs will be matched in order as positioned in the configuration file. Wildcarding is supported as standard regular expression matches for both URIs and permissions.
+
+[
+    {
+      "uri": "URI 1",
+      "permissions": [
+        "permission 1",
+        "permission 2",
+        "..."]
+    },
+    {
+      "uri": "URI 2",
+      "permissions": [
+        "permission 3",
+        "permission 4",
+        "..."]     
+    }
+]
+
+e.g.
+[
+    {
+      "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions$",
+      "permissions": [
+        "org.onap.osaaf.resources.access|rest|read"
+       ]
+    },
+    {
+      "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+$*",
+      "permissions": [
+        "org.onap.osaaf.resources.access|clouds|read",
+        "org.onap.osaaf.auth.resources.access|tenants|read"
+      ]     
+    },
+    {
+      "uri": "\/aai\/v13\/cloud-infrastructure\/cloud-regions\/cloud-region\/[^\/]+[\/][^\/]+\/tenants/tenant/[^\/]+/vservers/vserver/[^\/]+$",
+      "permissions": [
+        "org.onap.osaaf.auth.resources.access|clouds|read",
+        "org.onap.osaaf.auth.resources.access|tenants|read",
+        "org.onap.osaaf.auth.resources.access|vservers|read"
+      ]     
+    }
+]
+\ No newline at end of file
author	Lee, Tian (tl5884) <TianL@amdocs.com>	2018-09-20 12:27:40 +0100
committer	Tian Lee <TianL@amdocs.com>	2018-09-24 09:25:29 +0000
commit	0d7feec2e32f69a8e919f06f03df3ce46e78801d (patch)
tree	d712e56fb78bea085eb1bf9c04447a07d0f50341 /sidecar/rproxy/README.md
parent	6c3031ea90d5b51ae44a599c0cd0d95c057cf633 (diff)