Instrumental | 68a514e | 2019-03-18 10:18:55 -0500
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. Copyright © 2017 AT&T Intellectual Property. All rights reserved.

Trusting Other Authentication Entities
======================================

Few transactions in an organization of any size touch only one service. This is even more true with a microservice architecture.

In AAF, EVERY transaction must be authenticated from the caller, but in App-to-App situations, not every authorization should be
evaluated on the underlying caller.

SERVICE Configuration
----------------------
1) Define the Permission this App will use for Trust, and add it to the Service's "Cadi Properties".

   Ex::

      cadi_trust_perm=org.onap.aai.user_chain|com.att|trust

2) In the AAF Service, use the AAF command-line interface to create the Permission that matches the one configured above, and a Role that holds it.

   Given that an App may trust "ONAP Portal" to have validated an end-user, and that ONAP Portal's Identity is portal@portal.onap.org::

      role create org.onap.aai.trusted portal@portal.onap.org
      perm create org.onap.aai.user_chain|org.onap|trust org.onap.aai.trusted

Note: These instructions are for the first Identity, where a single command both creates the Role and Perm and adds the User / grants the Perm. An Admin may separate the "create" and "grant"/"add" commands; see the CUI help.

CLIENT Transaction
-------------------
The CADI client, when used, creates the USER_CHAIN property automatically, but not all clients are CADI. For non-CADI HTTP clients, do the following:

* Create an HTTP Header called "USER_CHAIN".
* The syntax for the value is::

     <AAF ID>:<service Reference>:<Authentication Type>[:AS][,<ID>:<reference>:<type>]*

  Where ":AS" is the indicator that you want the Service to treat the transaction as if it came from the end client.

  <AAF ID> is the Identity of the Calling Client (End Client).

  <service Reference> should be the Service's AAF Namespace and microservice name, separated by '.'.

  <Authentication Type> should be how the Client was authenticated::

     BAth - BasicAuth
     x509 - X509 Client Certificate

  Other Organization-defined Types are acceptable, but should be 4 chars long for ease of use, and must match any TAF Adapters used to validate them.

Example::

   USER_CHAIN: demo@people.osaaf.org:org.onap.aai:BAth:AS

What Happens:

Cadi code (such as what is in CadiFilter):

* Reads the USER_CHAIN.
* IF the last USER_CHAIN Entry ends with ":AS"...

  * Checks whether the incoming caller's Identity is the Service's own Identity (nice for Model-View-Controller and multi-MS applications), OR
  * whether the incoming caller has the Permission specified in "cadi_trust_perm".

* THEN a new "TrustPrincipal" is created, which takes on the identity of the ":AS" identified Identity for the purposes of Authentication.
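As an added example (illustrative code, not CADI's own), the following Python parses a USER_CHAIN value with the syntax above and applies the trust rule just described; the service identity and the caller's permission set passed in are constructed inputs, and the permission string is the one created in step 2 (it must match the configured cadi_trust_perm exactly).

```python
# Added example (not part of CADI): parse a USER_CHAIN value and apply the
# trust rule described above. Identities and permission sets are constructed.
from dataclasses import dataclass
from typing import List, Set

# Must be exactly the Permission created in the AAF Service (value from step 2).
CADI_TRUST_PERM = "org.onap.aai.user_chain|org.onap|trust"


@dataclass
class ChainEntry:
    aaf_id: str       # <AAF ID>: Identity of the end client
    service_ref: str  # <service Reference>: namespace.microservice
    auth_type: str    # <Authentication Type>: BAth, x509, or an org-defined type
    as_flag: bool     # True when the entry carried the ":AS" indicator


def parse_user_chain(header: str) -> List[ChainEntry]:
    """Parse '<id>:<ref>:<type>[:AS][,<id>:<ref>:<type>]*'; reject malformed input."""
    entries = []
    for raw in header.split(","):
        parts = raw.strip().split(":")
        if len(parts) not in (3, 4) or not all(parts[:3]):
            raise ValueError(f"malformed USER_CHAIN entry: {raw!r}")
        if len(parts) == 4 and parts[3] != "AS":
            raise ValueError(f"unknown indicator in USER_CHAIN entry: {raw!r}")
        entries.append(ChainEntry(parts[0], parts[1], parts[2], len(parts) == 4))
    return entries


def is_well_formed(header: str) -> bool:
    """True if the header value parses under the USER_CHAIN syntax."""
    try:
        parse_user_chain(header)
        return True
    except ValueError:
        return False


def effective_principal(header: str, caller_id: str, service_id: str,
                        caller_perms: Set[str]) -> str:
    """Identity the service should act for after the CadiFilter-style check.

    Only when the LAST entry ends with ':AS' AND the authenticated caller is
    either the service itself or holds cadi_trust_perm does the ':AS' identity
    take over (the TrustPrincipal case); otherwise the caller stays the principal.
    """
    chain = parse_user_chain(header) if header else []
    if chain and chain[-1].as_flag:
        if caller_id == service_id or CADI_TRUST_PERM in caller_perms:
            return chain[-1].aaf_id
    return caller_id
```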
| 59 | |