From 014bacae0fbb76c6e6baf83f267258211e28d3cc Mon Sep 17 00:00:00 2001 From: pawel Date: Thu, 7 Nov 2019 11:15:00 +0100 Subject: Update authentication types description Issue-ID: DCAEGEN2-1913 Signed-off-by: pawel Change-Id: Ic8b611a65c1c7eb781265b2481f60952b7abfb24 --- docs/sections/services/ves-http/architecture.rst | 2 +- docs/sections/services/ves-http/installation.rst | 4 +--- .../services/ves-http/tls-authentication.rst | 20 ++------------------ 3 files changed, 4 insertions(+), 22 deletions(-) diff --git a/docs/sections/services/ves-http/architecture.rst b/docs/sections/services/ves-http/architecture.rst index 41f3e8f1..960c9cc5 100644 --- a/docs/sections/services/ves-http/architecture.rst +++ b/docs/sections/services/ves-http/architecture.rst @@ -33,7 +33,7 @@ Features Supported ------------------ - VES collector deployed as docker containers - Acknowledgement to sender with appropriate response code (both successful and failure) -- Authentication of the events posted to collector (support 4 types of authentication setting) +- Authentication of the events posted to collector (support 2 types of authentication setting) - Support single or batch JSON events input - Schema validation (against standard VES definition) - Multiple schema support and backward compatibility diff --git a/docs/sections/services/ves-http/installation.rst b/docs/sections/services/ves-http/installation.rst index 3f8f943a..0e399301 100644 --- a/docs/sections/services/ves-http/installation.rst +++ b/docs/sections/services/ves-http/installation.rst @@ -34,9 +34,7 @@ Authentication Support VES Collector support following authentication types * *auth.method=noAuth* default option - no security (http) - * *auth.method=certOnly* is used to enable mutual TLS authentication (https) * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication - * *auth.method=basicAuth* is used to enable basic HTTPs authentication Default ONAP deployed VESCOllector is configured for "noAuth". If VESCollector instance need to be deployed with authentication enabled, follow below setup @@ -218,7 +216,7 @@ In this case blueprint can be deleted explicitly using this command. cfy blueprint delete ves-tls -Known Issue : When VESCollector is required to be deployed with authentication enabled *auth.method=certOnly* or *auth.method: certBasicAuth* or *auth.method: basicAuth* +Known Issue : When VESCollector is required to be deployed with authentication enabled *auth.method: certBasicAuth* the blueprint currently disables healthcheck parameters configuration (below). This causes no readiness probe to be deployed in K8S when VES Collector is deployed with authentication enabled. diff --git a/docs/sections/services/ves-http/tls-authentication.rst b/docs/sections/services/ves-http/tls-authentication.rst index 1ace3937..12301383 100644 --- a/docs/sections/services/ves-http/tls-authentication.rst +++ b/docs/sections/services/ves-http/tls-authentication.rst @@ -22,18 +22,10 @@ Of course, mutual TLS authentication requires also server certificates, so follo * *collector.keystore.file.location* - a path to jks key store containing certificates which can be used for TLS handshake * *collector.keystore.passwordfile* - a path to file containing a password for the key store -Property *auth.method* is used to manage security mode, possible configuration: noAuth, basicAuth, certOnly, certBasicAuth +Property *auth.method* is used to manage security mode, possible configuration: noAuth, certBasicAuth * *auth.method=noAuth* default option - no security (http) - * *auth.method=certOnly* is used to enable mutual TLS authentication (https) - - * client without cert and without basic auth = :red:`Authentication failure` - * client without cert and wrong basic auth = :red:`Authentication failure` - * client without cert and correct basic auth = :red:`Authentication failure` - * client with cert and without/wrong basic auth = :green:`Authentication successful` - * client with cert and correct basic auth = :green:`Authentication successful` - * *auth.method=certBasicAuth* is used to enable mutual TLS authentication or/and basic HTTPs authentication * client without cert and without basic auth = :red:`Authentication failure` @@ -42,13 +34,5 @@ Property *auth.method* is used to manage security mode, possible configuration: * client with cert and without/wrong basic auth = :green:`Authentication successful` * client with cert and correct basic auth = :green:`Authentication successful` - * *auth.method=basicAuth* is used to enable basic HTTPs authentication - - * client without cert and without basic auth = :red:`Authentication failure` - * client without cert and wrong basic auth = :red:`Authentication failure` - * client without cert and correct basic auth = :green:`Authentication successful` - * client with cert and without/wrong basic auth = :red:`Authentication failure` - * client with cert and correct basic auth = :green:`Authentication successful` - -When application is in certOnly or certBasicAuth mode then certificates are also validated by regexp in /etc/certSubjectMatcher.properties, +When application is in certBasicAuth mode then certificates are also validated by regexp in /etc/certSubjectMatcher.properties, only SubjectDn field in certificate description are checked. Default regexp value is .* means that we approve all SubjectDN values. -- cgit 1.2.3-korg