-rw-r--r-- | docs/index.rst | 101 | ||||
-rw-r--r-- | docs/release-notes.rst | 4 | ||||
-rw-r--r-- | pom.xml | 17 | ||||
-rw-r--r-- | releases/4.1.2-container.yaml | 14 | ||||
-rw-r--r-- | releases/4.1.2.yaml | 5 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_config.yml | 102 | ||||
-rw-r--r-- | src/main/docker/elasticsearch/config/sg/sg_roles.yml | 14 |
7 files changed, 89 insertions, 168 deletions
diff --git a/docs/index.rst b/docs/index.rst
index 1f41485ea..548e277f4 100644
--- a/docs/index.rst
+++ b/docs/index.rst
@@ -112,18 +112,20 @@ There are one datasource for Clamp. By default, it will try to connect to the lo .. code-block:: json { - "spring.datasource.cldsdb.url": "jdbc:mariadb://anotherDB.onap.org:3306/cldsdb4?verifyServerCertificate=false&useSSL=false&requireSSL=false&autoReconnect=true", - "spring.datasource.cldsdb.username": "admin", - "spring.datasource.cldsdb.password": "password", - - "clamp.config.dcae.inventory.url": "http://dcaegen2.host:8080", - "clamp.config.dcae.dispatcher.url": "http://dcaegen2.host:8188", - "clamp.config.policy.pdpUrl1": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123", - "clamp.config.policy.pdpUrl2": "https://policy-pdp.host:9091/pdp/ , testpdp, alpha123", - "clamp.config.policy.papUrl": "https://policy-pap.host:8443/pap/ , testpap, alpha123", - "clamp.config.policy.clientKey": "5CE79532B3A2CB4D132FC0C04BF916A7", - "clamp.config.files.sdcController":"file:/opt/clamp/config/sdc-controllers-config.json", - "clamp.config.cadi.aafLocateUrl": "https://aaf-locate.onap:8095", + "spring.datasource.cldsdb.url": "jdbc:mariadb:sequential://clampdb.{{ include "common.namespace" . }}:3306/cldsdb4?autoReconnect=true&connectTimeout=10000&socketTimeout=10000&retriesAllDown=3", + "clamp.config.files.sdcController": "file:/opt/clamp/sdc-controllers-config.json", + "clamp.config.dcae.inventory.url": "https://inventory.{{ include "common.namespace" . }}:8080", + "clamp.config.dcae.dispatcher.url": "https4://deployment-handler.{{ include "common.namespace" . }}:8443", + "clamp.config.dcae.deployment.url": "https4://deployment-handler.{{ include "common.namespace" . }}:8443", + "clamp.config.dcae.deployment.userName": "none", + "clamp.config.dcae.deployment.password": "none", + "clamp.config.policy.api.url": "https4://policy-api.{{ include "common.namespace" . 
}}:6969", + "clamp.config.policy.api.userName": "healthcheck", + "clamp.config.policy.api.password": "zb!XztG34", + "clamp.config.policy.pap.url": "https4://policy-pap.{{ include "common.namespace" . }}:6969", + "clamp.config.policy.pap.userName": "healthcheck", + "clamp.config.policy.pap.password": "zb!XztG34", + "clamp.config.cadi.aafLocateUrl": "https://aaf-locate.{{ include "common.namespace" . }}:8095", "com.att.eelf.logging.path": "/opt/clamp", "com.att.eelf.logging.file": "logback.xml" } 
@@ -133,38 +135,39 @@ SDC-Controllers config This file is a JSON that must be specified to Spring config, here is an example: .. code-block:: json - { - "sdc-connections":{ - "sdc-controller1":{ - "user": "clamp", - "consumerGroup": "consumerGroup1", - "consumerId": "consumerId1", - "environmentName": "AUTO", - "sdcAddress": "localhost:8443", - "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", - "pollingInterval":30, - "pollingTimeout":30, - "activateServerTLSAuth":"false", - "keyStorePassword":"", - "keyStorePath":"", - "messageBusAddresses":["dmaaphost.com"] - }, - "sdc-controller2":{ - "user": "clamp", - "consumerGroup": "consumerGroup1", - "consumerId": "consumerId1", - "environmentName": "AUTO", - "sdcAddress": "localhost:8443", - "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", - "pollingInterval":30, - "pollingTimeout":30, - "activateServerTLSAuth":"false", - "keyStorePassword":"", - "keyStorePath":"", - "messageBusAddresses":["dmaaphost.com"] + + { + "sdc-connections":{ + "sdc-controller1":{ + "user": "clamp", + "consumerGroup": "consumerGroup1", + "consumerId": "consumerId1", + "environmentName": "AUTO", + "sdcAddress": "localhost:8443", + "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", + "pollingInterval":30, + "pollingTimeout":30, + "activateServerTLSAuth":"false", + "keyStorePassword":"", + "keyStorePath":"", + "messageBusAddresses":["dmaaphost.com"] + }, + "sdc-controller2":{ + "user": "clamp", + "consumerGroup": "consumerGroup1", + "consumerId": "consumerId1", + "environmentName": "AUTO", + "sdcAddress": "localhost:8443", + "password": "b7acccda32b98c5bb7acccda32b98c5b05D511BD6D93626E90D18E9D24D9B78CD34C7EE8012F0A189A28763E82271E50A5D4EC10C7D93E06E0A2D27CAE66B981", + 
"pollingInterval":30, + "pollingTimeout":30, + "activateServerTLSAuth":"false", + "keyStorePassword":"", + "keyStorePath":"", + "messageBusAddresses":["dmaaphost.com"] + } + } } - } - } Multiple controllers can be configured so that Clamp is able to receive the notifications from different SDC servers. Each Clamp existing in a cluster should have different consumerGroup and consumerId so that they can each consume the SDC notification. @@ -174,11 +177,12 @@ If the sdcAddress is not specified or not available (connection failure) the mes Administration -------------- -A user can access CLAMP UI at the following URL : https://localhost:8443/designer/index.html. +A user can access CLAMP UI at the following URL : https://localhost:443/designer/index.html. (in this URL 'localhost' must be replaced by the actual host where CLAMP has been installed if it is not your current localhost) -For OOM, the URL is https://<host-ip>:30258/designer/index.html +For OOM, the URL is https://<host-ip>:30258 .. code-block:: html + - Without AAF, the credentials are Default username : admin Default password : password 
@@ -187,6 +191,13 @@ For OOM, the URL is https://<host-ip>:30258/designer/index.html ca path: src/main/resources/clds/aaf/org.onap.clamp.p12, password "China in the Spring" Or get it from this page : https://wiki.onap.org/display/DW/Control+Loop+Flows+and+Models+for+Casablanca +A user can access the Control-Loop DashBoard (ELK stack based) at the following URL : https://localhost:5601 . +(in this URL 'localhost' must be replaced by the actual host where CLAMP has been installed if it is not your current localhost) +For OOM, the URL is https://<host-ip>:30290. Since El Alto release, User access is protected using the Search Guard plugin, community Edition!, +for Kibana and ElasticSearch. The initial users and credentials provided by the Search Guard plugins are used by default. +(take a look at the files in the ElasticSearch docker image located in the folder: /usr/share/elasticsearch/config/sg/, +especially the file "sg_internal_users.yml"). + Human Interfaces ---------------- .. Basic info on the interface type, ports/protocols provided over, etc. diff --git a/docs/release-notes.rst b/docs/release-notes.rst index c3c3fef48..b6c91bbb9 100644 --- a/docs/release-notes.rst +++ b/docs/release-notes.rst @@ -8,7 +8,7 @@ Release Notes Version: 4.1.2 -------------- -:Release Date: 2019-09-16 +:Release Date: 2019-09-18 **New Features** @@ -25,6 +25,8 @@ The main goal of the El Alto release was to: **Known Issues** + - `CLAMP-506 <https://jira.onap.org/browse/CLAMP-506>`_ Elastic Search Clamp image cannot be built anymore(SearchGuard DMCA issue) + **Security Notes** @@ -972,7 +972,6 @@ </configuration> </execution> </executions> - </plugin> <plugin> <groupId>io.fabric8</groupId> 
@@ -1090,22 +1089,6 @@
 </build>
 </image>
 <image>
- <name>onap/clamp-dashboard-elasticsearch</name>
- <alias>onap-clamp-dashboard-elasticsearch</alias>
- <run>
- <skip>true</skip>
- </run>
- <build>
- <cleanup>true</cleanup>
- <tags>
- <tag>latest</tag>
- <tag>${project.docker.latesttagtimestamp.version}</tag>
- <tag>${project.docker.latesttag.version}</tag>
- </tags>
- <dockerFile>elasticsearch/Dockerfile</dockerFile>
- </build>
- </image>
- <image>
 <name>onap/clamp-dashboard-logstash</name>
 <alias>onap-clamp-dashboard-logstash</alias>
 <run>
diff --git a/releases/4.1.2-container.yaml b/releases/4.1.2-container.yaml
new file mode 100644
index 000000000..9eae7d7cf
--- /dev/null
+++ b/releases/4.1.2-container.yaml
@@ -0,0 +1,14 @@
+distribution_type: 'container'
+container_release_tag: '4.1.2'
+project: 'clamp'
+log_dir: 'clamp-maven-docker-stage-master/121/'
+ref: 9fb87912f025e85b26c238d286d87e0e1c9c767a
+containers:
+ - name: 'clamp-backend'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-frontend'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-dashboard-logstash'
+ version: '4.1-STAGING-20190916T192828Z'
+ - name: 'clamp-dashboard-kibana'
+ version: '4.1-STAGING-20190916T192828Z'
diff --git a/releases/4.1.2.yaml b/releases/4.1.2.yaml
new file mode 100644
index 000000000..845a675f7
--- /dev/null
+++ b/releases/4.1.2.yaml
@@ -0,0 +1,5 @@
+---
+distribution_type: 'maven'
+version: '4.1.2'
+project: 'clamp'
+log_dir: 'clamp-maven-stage-master/133/'
\ No newline at end of file diff --git a/src/main/docker/elasticsearch/config/sg/sg_config.yml b/src/main/docker/elasticsearch/config/sg/sg_config.yml index 7d3a933fa..9a16a8239 100644 --- a/src/main/docker/elasticsearch/config/sg/sg_config.yml +++ b/src/main/docker/elasticsearch/config/sg/sg_config.yml @@ -37,20 +37,22 @@ # HTTP # basic (challenging) # proxy (not challenging, needs xff) -# kerberos (challenging) NOT FREE FOR COMMERCIAL # clientcert (not challenging, needs https) -# jwt (not challenging) NOT FREE FOR COMMERCIAL # host (not challenging) #DEPRECATED, will be removed in a future version. # host based authentication is configurable in sg_roles_mapping # Authc # internal # noop -# ldap NOT FREE FOR COMMERCIAL USE # Authz -# ldap NOT FREE FOR COMMERCIAL USE # noop +# +# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; +# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration +# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's +# license details before enabling any additional features here. + searchguard: dynamic: @@ -59,7 +61,6 @@ searchguard: # Set filtered_alias_mode to 'nowarn' to allow more than 2 filtered aliases per index silently #filtered_alias_mode: warn #kibana: - # Kibana multitenancy - NOT FREE FOR COMMERCIAL USE # see https://github.com/floragunncom/search-guard-docs/blob/master/multitenancy.md # To make this work you need to install https://github.com/floragunncom/search-guard-module-kibana-multitenancy/wiki #multitenancy_enabled: true 
@@ -80,20 +81,6 @@ searchguard:
 ###### and here https://tools.ietf.org/html/rfc7239
 ###### and https://tomcat.apache.org/tomcat-8.0-doc/config/valve.html#Remote_IP_Valve
 authc:
- kerberos_auth_domain:
- http_enabled: false
- transport_enabled: false
- order: 6
- http_authenticator:
- type: kerberos # NOT FREE FOR COMMERCIAL USE
- challenge: true
- config:
- # If true a lot of kerberos/security related debugging output will be logged to standard out
- krb_debug: false
- # If true then the realm will be stripped from the user name
- strip_realm_from_principal: true
- authentication_backend:
- type: noop
 basic_internal_auth_domain:
 http_enabled: true
 transport_enabled: true
@@ -141,84 +128,7 @@ searchguard:
 challenge: false
 authentication_backend:
 type: noop
- ldap:
- http_enabled: false
- transport_enabled: false
- order: 5
- http_authenticator:
- type: basic
- challenge: false
- authentication_backend:
- # LDAP authentication backend (authenticate users against a LDAP or Active Directory)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(sAMAccountName={0})'
- # Use this attribute from the user as username (if not set then DN is used)
- username_attribute: null
 authz:
- roles_from_myldap:
- http_enabled: false
- transport_enabled: false
- authorization_backend:
- # LDAP authorization backend (gather roles from a LDAP or Active Directory, you have to configure the above LDAP authentication backend settings too)
- type: ldap # NOT FREE FOR COMMERCIAL USE
- config:
- # enable ldaps
- enable_ssl: false
- # enable start tls, enable_ssl should be false
- enable_start_tls: false
- # send client certificate
- enable_ssl_client_auth: false
- # verify ldap hostname
- verify_hostnames: true
- hosts:
- - localhost:8389
- bind_dn: null
- password: null
- rolebase: 'ou=groups,dc=example,dc=com'
- # Filter to search for roles (currently in the whole subtree beneath rolebase)
- # {0} is substituted with the DN of the user
- # {1} is substituted with the username
- # {2} is substituted with an attribute value from user's directory entry, of the authenticated user. 
Use userroleattribute to specify the name of the attribute
- rolesearch: '(member={0})'
- # Specify the name of the attribute which value should be substituted with {2} above
- userroleattribute: null
- # Roles as an attribute of the user entry
- userrolename: disabled
- #userrolename: memberOf
- # The attribute in a role entry containing the name of that role, Default is "name".
- # Can also be "dn" to use the full DN as rolename.
- rolename: cn
- # Resolve nested roles transitive (roles which are members of other roles and so on ...)
- resolve_nested_roles: true
- userbase: 'ou=people,dc=example,dc=com'
- # Filter to search for users (currently in the whole subtree beneath userbase)
- # {0} is substituted with the username
- usersearch: '(uid={0})'
- # Skip users matching a user name, a wildcard or a regex pattern
- #skip_users:
- # - 'cn=Michael Jackson,ou*people,o=TEST'
- # - '/\S*/'
- roles_from_another_ldap:
- enabled: false
- authorization_backend:
- type: ldap # NOT FREE FOR COMMERCIAL USE
- #config goes here ...
 # auth_failure_listeners:
 # ip_rate_limiting:
 # type: ip
diff --git a/src/main/docker/elasticsearch/config/sg/sg_roles.yml b/src/main/docker/elasticsearch/config/sg/sg_roles.yml
index 6902fba2c..1a3a80ce5 100644
--- a/src/main/docker/elasticsearch/config/sg/sg_roles.yml
+++ b/src/main/docker/elasticsearch/config/sg/sg_roles.yml
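Review bot: With both LDAP authorizers deleted, the `authz:` context line near the end of this hunk is left with no child entries — the next uncommented content is the `# auth_failure_listeners:` block — so it now parses as a key with a null value. If Search Guard does not tolerate a null `authz` section the config will fail to load; either drop the key or write it as an explicit empty mapping, `authz: {}`. Between this hunk and @@ -80 (kerberos removal), `basic_internal_auth_domain`, visible as context in @@ -80 with `http_enabled: true`, appears to be the only HTTP authenticator left, and the docs hunk in this same commit states that the initial users and credentials provided by the Search Guard plugin are used by default. The internal users file is outside this diff, but since the internal backend is now the sole authentication path, its shipped default credentials should be replaced as part of this change rather than left as documented defaults.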
@@ -32,15 +32,11 @@ # Reason is that we currently parse the config file into a elasticsearch settings object which cannot cope with dots in keys. # Workaround: Just configure something like '?kibana' instead of '.kibana' or 'my?index' instead of 'my.index' # This limitation will likely removed with Search Guard 6 - -# DLS (Document level security) - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/document-level-security - -# FLS (Field level security) - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/field-level-security - -# Kibana multitenancy - NOT FREE FOR COMMERCIAL -# http://docs.search-guard.com/v6/kibana-multi-tenancy +# +# Some SearchGuard functionality is licensed under Apache-2.0, while other functionality is non-free; +# see https://github.com/floragunncom/search-guard. The functionality enabled in this configuration +# file only include those that are licensed under Apache-2.0. Please use care and review SearchGuard's +# license details before enabling any additional features here. # Allows everything, but no changes to searchguard configuration index sg_all_access: |