author    burdziak <olaf.burdziakowski@nokia.com>  2019-04-05 14:06:20 +0200
committer burdziak <olaf.burdziakowski@nokia.com>  2019-04-05 14:06:20 +0200
commit    e5b89c814733a3fc67f473f2bcb851bc95db2783 (patch)
tree      675b42f13cca21ea201021e1ffee91112ba16a9c
parent    81352e8c9570dc8e442ca61edfb991d34b62eb08 (diff)
Doc security after implementation update
Change-Id: Ie7eb2f7c03ffafd7644c2fbc8b622831fe0ddfe3
Issue-ID: DMAAP-1108
Signed-off-by: burdziak <olaf.burdziakowski@nokia.com>
-rw-r--r--  docs/api.rst  51
1 files changed, 51 insertions, 0 deletions
diff --git a/docs/api.rst b/docs/api.rst
index 9eab4da..7f187d4 100644
--- a/docs/api.rst
+++ b/docs/api.rst
@@ -4928,3 +4928,54 @@ Topic Model Structure
topicName | No | string | | | the short name used by humans, and utilized to construct the `FQTN`
version | No | string | | | a hook for any versioning needed for managing a `Topic` over time
+Security
+~~~~~~~~
+As default security is in Dmaap Bus Controller disabled.
+
+Enable
+------
+Settings to turn on security is in file dmaapbc.properties. The file is located in OOM project in path: ./oom/kubernetes/dmaap/components/dmaap-bc/resources/config/dmaapbc.properties
+During deployment the the file is placed into ConfigMap XXX-dmaap-bus-controller-config (XXX depend on deployment setup). The config map is linked to volume with read only permission so it can not be changed from pod level.
+Ater updating ConfigMap the bus controller pod needs to be restarted.
+
+Settings
+++++++++
+
+In the dmaapbc.properties for security settings there is a main flag:
+
+1.UseAAF: true
+
+If set to true then creating topic also will create required perms in AAF. The perms will be created in org.onap.dmaap.mr.
+The last element -mr- is related to another setting - MR.projectID .
+
+Example:
+ Topic name:
+ aSimpleTopic
+ Permitions
+ org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|pub
+ org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|sub
+ org.onap.dmaap.mr.topic|:topic.org.onap.dmaap.mr.aSimpleTopic|view
+
+
+Hint: User defined in the certificate of cadi (property:cadi.properties, user:dmaap-bc@dmaap-bc.onap.org) needs to have permissions to create and view such topics (org.onap.dmaap.mr.topic|*|*).
+
+
+Authentication is using CADI
+
+CADI confilguration is stored in CADI files. Location of the files is defined in varaible:
+cadi.properties: /opt/app/osaaf/local/org.onap.dmaap-bc.props
+
+The configuration is a mandatory and missing parameter or file cause exception.
+
+Authorization is done by CADI - configuration is required as above
+
+Call to bus controller needs to have given user credentials. The user ich checked in AAF for permission to call topic.
+The check is done in org.onap.dmaap-bc.api according to ApiNamespace setting.
+
+Hint: User defined in the certificate of cadi (property:cadi.properties, user:dmaap-bc@dmaap-bc.onap.org) needs to have permission to read the namespace (org.onap.dmaap-bc.api.access|*|read).
+
+
+2.UseAAF: false
+
+For backward compatibility, if AAF flag is turned off the previous implementation is enabled based on AuthorizationFilter and ApiPermission class.
+This filter switching has been made due to the technology differences: Jersey filters do not implement directly servlet API, but CADI filter is based on it. \ No newline at end of file
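Review bot: the new Security section will not render as intended in reStructuredText, and the permission strings are the part most at risk. The indented lines under `Example:` are not introduced as a literal block, so `aSimpleTopic` and the three `org.onap.dmaap.mr.topic|...` lines will be parsed as a definition list and run together, and the `|...|` segments (including the inline `org.onap.dmaap.mr.topic|*|*` and `org.onap.dmaap-bc.api.access|*|read` in the two hints) are liable to be read as substitution references; introduce the example with `::` and wrap the inline permission strings in double backticks. The heading underlines (`~~~~` for Security, `----` for Enable, `++++` for Settings) should also be checked against the levels already used earlier in api.rst, since RST assigns heading depth by first occurrence and a mismatch will break the section hierarchy. Spelling and grammar throughout: `As default security is in Dmaap Bus Controller disabled` reads better as `By default, security in the DMaaP Bus Controller is disabled`; `Settings to turn on security is` should be `are`; `the the file`; `Ater` (After); `Permitions` (Permissions); `confilguration`; `varaible`; `The user ich checked` (is checked); `The configuration is a mandatory and missing parameter or file cause exception` should be `The configuration is mandatory; a missing parameter or file causes an exception`. Since the first hint tells operators to grant the CADI identity `org.onap.dmaap.mr.topic|*|*`, the text should say explicitly that this is a wildcard over every topic in the namespace, so readers understand the scope of what they are granting. Finally, `MR.projectID` and `ApiNamespace` are referenced as settings without saying where they live or what their defaults are, and the file should end with a newline (`\ No newline at end of file`).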