diff options
Diffstat (limited to 'docs/sections/services')
| -rw-r--r-- | docs/sections/services/dfc/architecture.rst | 6 | ||||
| -rw-r--r-- | docs/sections/services/dfc/http-notes.rst | 75 | ||||
| -rw-r--r-- | docs/sections/services/dfc/troubleshooting.rst | 25 | ||||
| -rw-r--r-- | docs/sections/services/pm-mapper/configuration.rst | 38 |
4 files changed, 141 insertions, 3 deletions
diff --git a/docs/sections/services/dfc/architecture.rst b/docs/sections/services/dfc/architecture.rst index cbd1876d..75913dbb 100644 --- a/docs/sections/services/dfc/architecture.rst +++ b/docs/sections/services/dfc/architecture.rst @@ -30,7 +30,11 @@ Interaction """"""""""" DFC will interact with the DMaaP Message Router, using json, and with the Data Router, using metadata in the header and file in the body, via secured protocol. -So far, the implemented protocols to communicate with xNFs are http (with basic authentication), sftp and ftpes. +So far, the implemented protocols to communicate with xNFs are http, https, sftp and ftpes. +When HTTP protocol protocol is used, following ways of authentication are supported: basic authentication and bearer token +(e.g. JWT) authentication. +When HTTPS protocol protocol is used, following ways of authentication are supported: client certificate authentication, +basic authentication, bearer token (e.g. JWT) authentication and no authentication. Retry mechanism """"""""""""""" diff --git a/docs/sections/services/dfc/http-notes.rst b/docs/sections/services/dfc/http-notes.rst index bd297b14..c45c7bd8 100644 --- a/docs/sections/services/dfc/http-notes.rst +++ b/docs/sections/services/dfc/http-notes.rst @@ -1,8 +1,8 @@ .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 -HTTP notes -========== +HTTP/HTTPS notes +================ HTTP Basic Authentication in FileReady messages """"""""""""""""""""""""""""""""""""""""""""""" @@ -61,3 +61,74 @@ Example file ready message is as follows: Note, more than one file from the same location can be added to the "arrayOfNamedHashMap". If so, they are downloaded from the endpoint through single http connection. + +HTTPS connection with DFC +""""""""""""""""""""""""" +The file ready message for https server is the same as used in other protocols and http. The only difference is that the scheme is set to +"https": + +.. code-block:: bash + + ... + "arrayOfNamedHashMap": [ + { + "name": "C_28532_measData_file.xml", + "hashMap": { + "location": "https://login:password@server.com:443/file.xml.gz", + ... + +The processed uri depends on the https connection type that has to be established (client certificate authentication, basic +authentication, and no authentication). + +For client certificate authentication: + +.. code-block:: bash + + scheme://host:port/path + i.e. + https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz + +Authentication is based on the certificate used by the DFC. + +For basic authentication: + +.. code-block:: bash + + scheme://userinfo@host:port/path + i.e. + https://demo:demo123456!@example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz + +Authentication is based on the "userinfo" applied within the link. + +If no authentication is required: + +.. code-block:: bash + + scheme://host:port/path + i.e. + https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz + +Note, effective way of authentication depends of uri provided and http server configuration. + +If port number was not supplied , port 443 is used by default. +Every file is sent through separate https connection. + +JWT token in HTTP/HTTPS connection +"""""""""""""""""""""""""""""""""" + +JWT token is processed, if it is provided as a ``access_token`` in the query part of the **location** entry: + +.. code-block:: bash + + scheme://host:port/path?access_token=<token> + i.e. + https://example.com:443/C20200502.1830+0200-20200502.1845+0200_195500.xml.gz?access_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJkZW1vIiwiaWF0IjoxNTE2MjM5MDIyfQ.MWyG1QSymi-RtG6pkiYrXD93ZY9NJzaPI-wS4MEpUto + +JWT tokens are consumed both in HTTP and HTTPS connections. Using JWT token is optional. If it is provided, its +**validity is not verified**. Token is extracted to the HTTP header as ``Authorization: Bearer <token>`` and is **NOT** +used in URL in HTTP GET call. Only single JWT token entry in the query is acceptable. If more than one ''access_token'' +entry is found in the query, such situation is reported as error and DFC tries to download file without token. Another +query parameters are not modified at all and are used in URL in HTTP GET call. + +If both JWT token and basic authentication are provided, JWT token has the priority. Such situation is considered +as fault and is logged on warning level. diff --git a/docs/sections/services/dfc/troubleshooting.rst b/docs/sections/services/dfc/troubleshooting.rst index 96816228..680bf1ff 100644 --- a/docs/sections/services/dfc/troubleshooting.rst +++ b/docs/sections/services/dfc/troubleshooting.rst @@ -167,3 +167,28 @@ When StrictHostKeyChecking is enabled and DFC cannot find a known_hosts file, th |WARN |StrictHostKeyChecking is enabled but environment variable KNOWN_HOSTS_FILE_PATH is not set or points to not existing file [/home/datafile/.ssh/known_hosts] --> falling back to StrictHostKeyChecking='no'. To resolve this warning, provide a known_hosts file or disable StrictHostKeyChecking, see DFC config page - :ref:`strict_host_checking_config`. + +Inability to download file from xNF due to certificate problem +"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" + +When collecting files using HTTPS and DFC contains certs from CMPv2 server, an exception like "unable to find valid +certification path to requested target" may occur. Except obvious certificates problems make sure, that xNF which +are connecting to the DFC are supplied with certificates coming from the same CMPv2 server and the same CA which +is configured on ONAP side and used by DFC. + +Inability to properly run DFC (v1.5.3 and above) +"""""""""""""""""""""""""""""""""""""""""""""""" + +Note, since DFC 1.5.3 FTPeS/HTTPS config blueprint was slighly changed. + +.. code-block:: json + + "dmaap.ftpesConfig.*" + +was changed with + +.. code-block:: json + + "dmaap.certificateConfig.*" + +Container update without updating DFC config (or blueprint) will result in inability to run DFC with FTPeS and HTTPS. diff --git a/docs/sections/services/pm-mapper/configuration.rst b/docs/sections/services/pm-mapper/configuration.rst index c699a35b..df7423a5 100644 --- a/docs/sections/services/pm-mapper/configuration.rst +++ b/docs/sections/services/pm-mapper/configuration.rst @@ -4,6 +4,44 @@ Configuration and Performance ============================= +Files Processing Configuration +"""""""""""""""""""""""""""""" +The PM Mapper consumes the 3GPP XML files from DMaaP-DR, and processes them. It is possible to process it in parallel. +In order to parallel processing, new configuration env has been introduced: + +- PROCESSING_LIMIT_RATE (optional, default value: 1) - allows to limit the rate of processing files through channel. + +- THREADS_MULTIPLIER (optional, default value: 1) - allows to specify multiplier to calculate the amount of threads. + +- PROCESSING_THREADS_COUNT (optional, default value: number of threads available to JVM) - allows to specify number of threads that will be used for files processing. + + +Envs should be specified in section "envs:" in blueprint. Example part of blueprint configuration: + +:: + + ... + pm-mapper: + type: dcae.nodes.ContainerizedServiceComponentUsingDmaap + interfaces: + cloudify.interfaces.lifecycle: + create: + inputs: + ports: + - '8443:0' + - '8081:0' + envs: + PROCESSING_LIMIT_RATE: "1" + THREADS_MULTIPLIER: "2" + PROCESSING_THREADS_COUNT: "3" + relationships: + - type: dcaegen2.relationships.subscribe_to_files + target: pm-feed + - type: dcaegen2.relationships.publish_events + target: pm-topic + ... + + PM Mapper Filtering """"""""""""""""""" The PM Mapper performs data reduction, by filtering the PM telemetry data it receives. |