.. Tomek Kaminski | 7782f9b | 2018-11-07 15:12:44 +0100
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

.. _authorization:

SSL/TLS Authentication & Authorization
======================================

| PRH does not perform any authorization in AAF, as the only endpoint provided by the service is the healthcheck, which is unsecured.
| For authentication there is a possibility to change from the default behaviour to a certificate-based solution, independently for DMaaP and AAI communication.

AAI authentication
^^^^^^^^^^^^^^^^^^

Default
"""""""
| By default basic authentication is used with the following credentials:
| user=AAI
| password=AAI

Certificate-based
"""""""""""""""""
| There is an option to enable certificate-based authentication for PRH calls towards the AAI service.
| To achieve this, the secure flag needs to be turned on in the PRH :ref:`configuration<prh_configuration>`:

.. code-block:: text

   security.enableAaiCertAuth=true

DMaaP BC authentication
^^^^^^^^^^^^^^^^^^^^^^^

Default
"""""""
| By default basic authentication is used with the following credentials (for both the DMaaP consumer and DMaaP publisher endpoints):
| user=admin
| password=admin

Certificate-based
"""""""""""""""""
| There is an option to enable certificate-based authentication for PRH calls towards the DMaaP Bus Controller service.
| To achieve this, the secure flag needs to be turned on in the PRH :ref:`configuration<prh_configuration>`:

.. code-block:: text

   --security.enableDmaapCertAuth=true

PRH identity and certificate data
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| PRH uses the ``dcae`` identity when certificate-based authentication is turned on.
| It is the responsibility of DCAEGEN2 to generate the certificate for the ``dcae`` identity and provide it to the collector.
|
| By default PRH expects the volume ``tls-info`` to be mounted under the path ``/opt/app/prh/etc/cert``.
| It is the component's/collector's responsibility to provide the necessary inputs in the Cloudify blueprint to get the volume mounted.
| See :doc:`../../tls_enablement` for detailed information.
|
| PRH uses four files from the ``tls-info`` DCAE volume (``cert.jks``, ``jks.pass``, ``trust.jks``, ``trust.pass``).
| Refer to the :ref:`configuration<prh_configuration>` for the proper security attribute settings.
|
| **IMPORTANT** Even when the certificate-based authentication security features are disabled,
| all security settings still need to be provided in the configuration for the PRH service to start smoothly.
| The security attribute values are not validated in this case and can point to non-existent data.
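Because PRH only touches the four ``tls-info`` files once a certificate-based flag is on, a mount or password-file problem surfaces late, at the first AAI or DMaaP call. The following pre-flight script is an added example, not PRH's own code: it takes the mount directory and the two flag values as arguments and checks the files the page lists; it assumes the ``.jks`` files are JKS keystores (recognised by the ``0xFEEDFEED`` magic number).

```shell
#!/bin/sh
# Pre-flight check for the tls-info volume that PRH reads when certificate-based
# authentication is enabled. Added example, not part of PRH.
# Arguments: <cert dir> <security.enableAaiCertAuth> <security.enableDmaapCertAuth>
# Returns 0 when the check passes, 1 when a required file is missing or malformed.
prh_tls_preflight() {
  dir="${1:-/opt/app/prh/etc/cert}"   # default mount path from the documentation
  aai_cert_auth="${2:-false}"
  dmaap_cert_auth="${3:-false}"

  # With both flags off PRH does not validate the security attributes, so there
  # is nothing to check here either: the values may point to non-existent data.
  if [ "$aai_cert_auth" != "true" ] && [ "$dmaap_cert_auth" != "true" ]; then
    echo "certificate-based authentication disabled, skipping tls-info check"
    return 0
  fi

  rc=0
  for f in cert.jks jks.pass trust.jks trust.pass; do
    p="$dir/$f"
    if [ ! -r "$p" ] || [ ! -s "$p" ]; then
      echo "missing, unreadable or empty: $p" >&2
      rc=1
      continue
    fi
    case "$f" in
      *.jks)
        # Assumption: keystores are in JKS format, whose files start with the
        # magic number 0xFEEDFEED (a PKCS#12 file in the same place would not).
        magic=$(od -An -tx1 -N4 "$p" | tr -d ' \n')
        if [ "$magic" != "feedfeed" ]; then
          echo "not a JKS keystore (magic $magic): $p" >&2
          rc=1
        fi
        ;;
      *.pass)
        # Password files are secrets: warn when other users can read them.
        if [ -n "$(find "$p" -perm -004 2>/dev/null)" ]; then
          echo "warning: world-readable password file: $p" >&2
        fi
        ;;
    esac
  done
  return $rc
}
```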