path: root/docs/security/security.rst
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

Security
=========

.. contents:: Table of Contents

SSL DmaaP Certificates and Configuration
----------------------------------------

Configuration related to SSL can be found in the ``dmaapbc.properties`` file, located in ``/opt/app/dmaapbc/etc`` on the dmaap-bc pod. The same directory also contains the truststore and keystore files used in the SSL setup.
Each change to the configuration file requires a restart of the application container.

.. code-block:: bash

    #
    #	Allow http access to API
    #
    HttpAllowed:	true
    #
    #	The port number for http as seen within the server
    #
    IntHttpPort:	8080
    #
    #	The port number for https as seen within the server
    #   Set to 0 if no certificate is available yet...
    #
    IntHttpsPort:	8443
    #
    #	The external port number for https taking port mapping into account
    #
    ExtHttpsPort:	443
    #
    #	The type of keystore for https
    #
    KeyStoreType:	jks
    #
    #	The path to the keystore for https
    #
    KeyStoreFile:	etc/keystore
    #
    #	The password for the https keystore
    #
    KeyStorePassword:	<keystore_password>
    #
    #	The password for the private key in the https keystore
    #
    KeyPassword:	<key_password>
    #
    #	The type of truststore for https
    #
    TrustStoreType:	jks
    #
    #	The path to the truststore for https
    #
    TrustStoreFile:	etc/org.onap.dmaap-bc.trust.jks
    #
    #	The password for the https truststore
    #
    TrustStorePassword:	<truststore_password>


AAF configuration
-----------------

Usage of AAF can be turned on or off by setting the ``UseAAF`` flag to ``true`` or ``false`` in the ``dmaapbc.properties`` file. By default, AAF usage is turned on.
The ``cadi.properties`` property points to the absolute path of the property file generated by AAF for the DmaaP BC application (the ``dmaap-bc@dmaap-bc.onap.org`` user).
This file is one of the AAF configuration files that enable authentication and authorization for the DmaaP BC REST API.

.. code-block:: bash

    #################
    # AAF Properties:
    UseAAF: true

    #################
    #
    # path to cadi.properties
    #
    cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props

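As an added example (not part of the original document or of the DMaaP project), the following Python script parses the ``Key:<tab>value`` format of ``dmaapbc.properties`` shown in the two excerpts above and flags the settings that weaken the setup: plain HTTP allowed, the HTTPS port set to 0, placeholder keystore or truststore passwords left in place, and AAF turned off. The sample properties are constructed for the example.

```python
import re

# Constructed sample in the dmaapbc.properties format; the weak values are
# deliberately present so the audit has something to flag.
SAMPLE_PROPERTIES = """\
#\tAllow http access to API
HttpAllowed:\ttrue
IntHttpPort:\t8080
IntHttpsPort:\t0
KeyStorePassword:\t<keystore_password>
KeyPassword:\texample-key-password
TrustStorePassword:\t<truststore_password>
UseAAF: false
cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props
"""

def parse_properties(text):
    """Parse 'Key:<tab>value' lines, ignoring blanks and '#' comments.
    A key that appears twice keeps its last value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, value = line.split(":", 1)
        props[key.strip()] = value.strip()
    return props

PLACEHOLDER = re.compile(r"^<.*>$")  # e.g. <keystore_password> left unfilled

def audit_properties(props):
    """Return a list of findings for settings that weaken the TLS/AAF setup."""
    findings = []
    if props.get("HttpAllowed", "").lower() == "true":
        findings.append("HttpAllowed=true: API reachable over plain HTTP")
    if props.get("IntHttpsPort", "0") == "0":
        findings.append("IntHttpsPort=0: HTTPS listener disabled")
    for key in ("KeyStorePassword", "KeyPassword", "TrustStorePassword"):
        if PLACEHOLDER.match(props.get(key, "")):
            findings.append(f"{key} still holds a placeholder value")
    if props.get("UseAAF", "true").lower() != "true":
        findings.append("UseAAF=false: AAF authentication/authorization disabled")
    return findings

if __name__ == "__main__":
    for finding in audit_properties(parse_properties(SAMPLE_PROPERTIES)):
        print("WARN:", finding)
```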

The complete AAF configuration consists of the following files:
    - org.onap.dmaap-bc.props - main configuration file
    - org.onap.dmaap-bc.location.props - geographic coordinates of the application
    - org.onap.dmaap-bc.cred.props - properties related to credentials, keystore and truststore
    - org.onap.dmaap-bc.keyfile - keyfile
    - org.onap.dmaap-bc.p12 - keystore
    - org.onap.dmaap-bc.trust.jks - truststore


All listed files are located in the ``/opt/app/dmaapbc/etc`` directory.
The file ``org.onap.dmaap-bc.props`` links all property files together by listing them in the ``cadi_prop_files`` property.
By default, all paths to the other AAF-related configuration files point to the ``/opt/app/osaaf/local/`` directory.
This directory is the default location; it can be changed when the configuration files are generated in the AAF application.
To avoid duplicating these files on the dmaap-bc pod, the following symbolic link is created in the filesystem:

.. code-block:: bash

    ln -s /opt/app/dmaapbc/etc /opt/app/osaaf/local


Users configured and used in DmaaP BC
-------------------------------------

dmaap-bc@dmaap-bc.onap.org
~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the main user of the DmaaP BC application. It has the permissions needed to check whether a user accessing the DmaaP BC REST API has the appropriate permissions to
perform an action.


AAF Permissions
+++++++++++++++

.. code-block:: bash

    List Permissions by User[dmaap-bc@dmaap-bc.onap.org]
    --------------------------------------------------------------------------------
    PERM Type                      Instance                       Action
    --------------------------------------------------------------------------------
    org.onap.dmaap-bc.api.access   *                              read
    org.onap.dmaap-bc.certman      local                          request,ignoreIPs,showpass
    org.onap.dmaap-dr.feed         *                              *
    org.onap.dmaap-dr.sub          *                              *
    org.onap.dmaap.mr.access       *                              *
    org.onap.dmaap.mr.topic        *                              *
    org.onap.dmaap.mr.topic        *                              view
    org.onap.dmaap.mr.topicFactory :org.onap.dmaap.mr.topic:org.onap.dmaap.mr create,destroy


dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

When ``UseAAF`` is set to ``true``, creating a topic also creates the required perms in AAF. The perms are created in the ``org.onap.dmaap.mr`` namespace.
The user ``dmaap-bc-topic-mgr`` is used in the process of creating these permissions.

**Example:**

Topic name: ``aSimpleTopic``

Permissions created:

.. code-block:: bash

    org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub
    org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub
    org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view

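As an added example (not part of the original document or of the DMaaP project), the following Python code builds the three ``type|instance|action`` perms that topic creation produces for a topic name, and checks such perms against a permission listing of the kind shown on this page. The wildcard handling (``*`` matching any instance or action, comma-separated action lists) is a simplified model of AAF matching written for this example, not AAF's own code; the listing is constructed from rows of the tables on this page.

```python
MR_NAMESPACE = "org.onap.dmaap.mr"

def topic_perms(topic, namespace=MR_NAMESPACE):
    """Return the (type, instance, action) perms created for a topic."""
    instance = f":topic.{namespace}.{topic}"
    return [(f"{namespace}.topic", instance, a) for a in ("pub", "sub", "view")]

def perm_to_string(perm):
    """Render a perm in the 'type|instance|action' form shown above."""
    return "|".join(perm)

def parse_listing(text):
    """Parse whitespace-separated 'PERM Type  Instance  Action' rows."""
    perms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and "." in parts[0]:  # skips header/dashed rows
            perms.append(tuple(parts))
    return perms

def is_granted(required, granted):
    """True if any granted perm covers the required (type, instance, action).
    Simplified model: '*' matches any instance or action, actions may be a
    comma-separated list (assumption for this example)."""
    rtype, rinst, raction = required
    for gtype, ginst, gaction in granted:
        if gtype != rtype:
            continue
        if ginst not in ("*", rinst):
            continue
        if gaction == "*" or raction in gaction.split(","):
            return True
    return False

# Constructed listing assembled from rows of the two tables on this page.
TOPIC_MGR_LISTING = """\
PERM Type                      Instance                       Action
org.onap.dmaap.mr.access       *                              *
org.onap.dmaap.mr.topic        *                              view
org.onap.dmaap.mr.topic        :topic.org.onap.dmaap.mr.mirrormakeragent pub
org.onap.dmaap.mr.topicFactory :org.onap.dmaap.mr.topic:org.onap.dmaap.mr create,destroy
"""

if __name__ == "__main__":
    granted = parse_listing(TOPIC_MGR_LISTING)
    for perm in topic_perms("aSimpleTopic"):
        state = "granted" if is_granted(perm, granted) else "NOT granted"
        print(perm_to_string(perm), state)
```

Run as a script it shows that the listing covers ``view`` on the new topic through the ``*`` instance, but not ``pub`` or ``sub``, which only exist for the ``mirrormakeragent`` topic.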

AAF Permissions
+++++++++++++++

.. code-block:: bash

    List Permissions by User[dmaap-bc-topic-mgr@dmaap-bc-topic-mgr.onap.org]
    ---------------------------------------------------------------------------------------
    PERM Type                                  Instance                       Action
    ---------------------------------------------------------------------------------------
    org.onap.dmaap-dr.feed                     *                              *
    org.onap.dmaap-dr.sub                      *                              *
    org.onap.dmaap.mr.PNF_READY.access         *                              *
    org.onap.dmaap.mr.PNF_REGISTRATION.access  *                              *
    org.onap.dmaap.mr.access                   *                              *
    org.onap.dmaap.mr.dgl_ready.access         *                              *
    org.onap.dmaap.mr.mirrormaker              *                              admin
    org.onap.dmaap.mr.mirrormaker              *                              user
    org.onap.dmaap.mr.topic                    *                              view
    org.onap.dmaap.mr.topic        :topic.org.onap.dmaap.mr.mirrormakeragent pub
    org.onap.dmaap.mr.topic        :topic.org.onap.dmaap.mr.mirrormakeragent sub
    org.onap.dmaap.mr.topicFactory :org.onap.dmaap.mr.topic:org.onap.dmaap.mr create
    org.onap.dmaap.mr.topicFactory :org.onap.dmaap.mr.topic:org.onap.dmaap.mr destroy


aaf_admin@people.osaaf.org
~~~~~~~~~~~~~~~~~~~~~~~~~~

This user is used during post-installation, when the appropriate namespaces and permissions are created in AAF.