AAF documentation
Change-Id: I3cab80a2305578625f550ed591135f19227a3afb
Issue-ID: POLICY-1259
Signed-off-by: Jorge Hernandez <jorge.hernandez-herrero@att.com>
diff --git a/docs/platform/aaf.rst b/docs/platform/aaf.rst
new file mode 100644
index 0000000..a64afae
--- /dev/null
+++ b/docs/platform/aaf.rst
@@ -0,0 +1,267 @@
+.. This work is licensed under a Creative Commons Attribution 4.0 International License.
+.. http://creativecommons.org/licenses/by/4.0
+
+*********************
+HTTPS and AAF Support
+*********************
+
+.. contents::
+ :depth: 3
+
+The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA.
+
+AAF is supported for externally facing entry points into the Policy subsystem. These are:
+
+* PDP-D supports AAF for its telemetry and healthcheck APIs.
+* PDP-X supports AAF for its external policy APIs. It is currently disabled as some of clients are not AAF-capable, and this is a global setting.
+* Console (for Browser Portal redirects) supports AAF when accessed through Portal.
+
++--------+------+------------+-----+-----+---------------------------------+
+| Policy | Role | Remote |HTTPS| AAF | Notes |
++========+======+============+=====+=====+=================================+
+| pdp-d |server| \* |true |true |Healthchek and Telemetry APIs |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-d |client| aaf |true |true |Two-way TLS |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-d |client| aai |true |true |Runtime Control Loop Execution |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-d |client| dmaap |true |false|Runtime Control Loop Execution |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-d |client| so |false|false|Not supported in so |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-d |client| vfc |false|false|Not supported in vfc |
++--------+------+------------+-----+-----+---------------------------------+
+| pdp-x |server| \* |true |false|Not all clients are AAF-capable |
++--------+------+------------+-----+-----+---------------------------------+
+| pap |server| \* |true |false|Not all clients are AAF-capable |
++--------+------+------------+-----+-----+---------------------------------+
+| console|server| portal |true |true |Redirected from portal |
++--------+------+------------+-----+-----+---------------------------------+
+| brmsgw |client| dmaap |true |false|Runtime Control Loop Execution |
++--------+------+------------+-----+-----+---------------------------------+
+
+AAF Configuration
+^^^^^^^^^^^^^^^^^
+
+The default demo ONAP installation comes up bootstrapped with the following AAF data with regards to Policy.
+
+.. code-block:: bash
+ :caption: Bootstrapped AAF configuration
+
+ Basic Permissions:
+ org.onap.policy.access * *
+ org.onap.policy.access * read
+ org.onap.policy.certman local request,ignoreIPs,showpass
+
+ Portal Permissions (for UI purposes, administered by Portal team):
+ org.onap.policy.menu menu_admin *
+ org.onap.policy.menu menu_ajax *
+ org.onap.policy.menu menu_concept *
+ org.onap.policy.menu menu_customer *
+ org.onap.policy.menu menu_customer_create *
+ org.onap.policy.menu menu_doclib *
+ org.onap.policy.menu menu_feedback *
+ org.onap.policy.menu menu_help *
+ org.onap.policy.menu menu_home *
+ org.onap.policy.menu menu_itracker *
+ org.onap.policy.menu menu_job *
+ org.onap.policy.menu menu_job_create *
+ org.onap.policy.menu menu_job_designer *
+ org.onap.policy.menu menu_logout *
+ org.onap.policy.menu menu_map *
+ org.onap.policy.menu menu_notes *
+ org.onap.policy.menu menu_policy *
+ org.onap.policy.menu menu_process *
+ org.onap.policy.menu menu_profile *
+ org.onap.policy.menu menu_profile_create *
+ org.onap.policy.menu menu_profile_import *
+ org.onap.policy.menu menu_reports *
+ org.onap.policy.menu menu_sample *
+ org.onap.policy.menu menu_tab *
+ org.onap.policy.menu menu_task *
+ org.onap.policy.menu menu_task_search *
+ org.onap.policy.menu menu_test *
+ org.onap.policy.url doclib *
+ org.onap.policy.url doclib_admin *
+ org.onap.policy.url login *
+ org.onap.policy.url policy_admin *
+ org.onap.policy.url policy_dashboard *
+ org.onap.policy.url policy_dictionary *
+ org.onap.policy.url policy_editor *
+ org.onap.policy.url policy_pdp *
+ org.onap.policy.url policy_push *
+ org.onap.policy.url policy_roles *
+ org.onap.policy.url view_reports *
+
+ PDP-D Permissions for Telemetry REST API access:
+ org.onap.policy.pdpd.healthcheck * get
+ org.onap.policy.pdpd.healthcheck.configuration * get
+ org.onap.policy.pdpd.telemetry * delete
+ org.onap.policy.pdpd.telemetry * get
+ org.onap.policy.pdpd.telemetry * post
+ org.onap.policy.pdpd.telemetry * put
+
+ PDP-X Permissions for XACML REST APIs:
+ org.onap.policy.pdpx.config * *
+ org.onap.policy.pdpx.createDictionary * *
+ org.onap.policy.pdpx.createPolicy * *
+ org.onap.policy.pdpx.decision * *
+ org.onap.policy.pdpx.getConfig * *
+ org.onap.policy.pdpx.getConfigByPolicyName * *
+ org.onap.policy.pdpx.getDecision * *
+ org.onap.policy.pdpx.getDictionary * *
+ org.onap.policy.pdpx.getMetrics * *
+ org.onap.policy.pdpx.list * *
+ org.onap.policy.pdpx.listConfig * *
+ org.onap.policy.pdpx.listPolicy * *
+ org.onap.policy.pdpx.policyEngineImport * *
+ org.onap.policy.pdpx.pushPolicy * *
+ org.onap.policy.pdpx.sendEvent * *
+ org.onap.policy.pdpx.updateDictionary * *
+ org.onap.policy.pdpx.updatePolicy * *
+
+ Basic Namespace Admin Roles:
+ org.onap.policy.admin
+ org.onap.policy.owner
+ org.onap.policy.seeCerts
+
+ Portal Roles for UI:
+ org.onap.policy.Account_Administrator
+ org.onap.policy.Policy_Admin
+ org.onap.policy.Policy_Editor
+ org.onap.policy.Policy_Guest
+ org.onap.policy.Policy_Super_Admin
+ org.onap.policy.Policy_Super_Guest
+ org.onap.policy.Standard_User
+ org.onap.policy.System_Administrator
+
+ PDP-D Roles:
+ org.onap.policy.pdpd.admin
+ org.onap.policy.pdpd.monitor
+
+ PDP-X Roles:
+ org.onap.policy.pdpx.admin
+ org.onap.policy.pdpx.monitor
+
+ Users:
+ demo@people.osaaf.org
+ policy@policy.onap.org
+
+
+demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in n a default ONAP installation. These are:
+
+
+.. code-block:: bash
+ :caption: Default permissions for demo and policy accounts.
+
+ List Permissions by User[policy@policy.onap.org]
+ --------------------------------------------------------------------------------
+ PERM Type Instance Action
+ --------------------------------------------------------------------------------
+ org.onap.policy.access * *
+ org.onap.policy.access * read
+ org.onap.policy.certman local request,ignoreIPs,showpass
+ org.onap.policy.pdpd.healthcheck * get
+ org.onap.policy.pdpd.healthcheck.configuration * get
+ org.onap.policy.pdpd.telemetry * delete
+ org.onap.policy.pdpd.telemetry * get
+ org.onap.policy.pdpd.telemetry * post
+ org.onap.policy.pdpd.telemetry * put
+ org.onap.policy.pdpx.createDictionary * *
+ org.onap.policy.pdpx.createPolicy * *
+ org.onap.policy.pdpx.decision * *
+ org.onap.policy.pdpx.getConfig * *
+ org.onap.policy.pdpx.getConfigByPolicyName * *
+ org.onap.policy.pdpx.getDecision * *
+ org.onap.policy.pdpx.getDictionary * *
+ org.onap.policy.pdpx.getMetrics * *
+ org.onap.policy.pdpx.list * *
+ org.onap.policy.pdpx.listConfig * *
+ org.onap.policy.pdpx.listPolicy * *
+ org.onap.policy.pdpx.policyEngineImport * *
+ org.onap.policy.pdpx.pushPolicy * *
+ org.onap.policy.pdpx.sendEvent * *
+ org.onap.policy.pdpx.updateDictionary * *
+ org.onap.policy.pdpx.updatePolicy * *
+
+ List Permissions by User[demo@people.osaaf.org]
+ --------------------------------------------------------------------------------
+ PERM Type Instance Action
+ --------------------------------------------------------------------------------
+ org.onap.policy.access
+ org.onap.policy.access * read
+ org.onap.policy.menu menu_admin *
+ org.onap.policy.menu menu_ajax *
+ org.onap.policy.menu menu_customer *
+ org.onap.policy.menu menu_customer_create *
+ org.onap.policy.menu menu_feedback *
+ org.onap.policy.menu menu_help *
+ org.onap.policy.menu menu_home *
+ org.onap.policy.menu menu_itracker *
+ org.onap.policy.menu menu_job *
+ org.onap.policy.menu menu_job_create *
+ org.onap.policy.menu menu_logout *
+ org.onap.policy.menu menu_notes *
+ org.onap.policy.menu menu_process *
+ org.onap.policy.menu menu_profile *
+ org.onap.policy.menu menu_profile_create *
+ org.onap.policy.menu menu_profile_import *
+ org.onap.policy.menu menu_reports *
+ org.onap.policy.menu menu_sample *
+ org.onap.policy.menu menu_tab *
+ org.onap.policy.menu menu_test *
+ org.onap.policy.pdpd.healthcheck * get
+ org.onap.policy.pdpd.healthcheck.configuration * get
+ org.onap.policy.pdpd.telemetry * delete
+ org.onap.policy.pdpd.telemetry * get
+ org.onap.policy.pdpd.telemetry * post
+ org.onap.policy.pdpd.telemetry * put
+ org.onap.policy.pdpx.config * *
+ org.onap.policy.pdpx.createDictionary * *
+ org.onap.policy.pdpx.createPolicy * *
+ org.onap.policy.pdpx.decision * *
+ org.onap.policy.pdpx.getConfig * *
+ org.onap.policy.pdpx.getConfigByPolicyName * *
+ org.onap.policy.pdpx.getDecision * *
+ org.onap.policy.pdpx.getDictionary * *
+ org.onap.policy.pdpx.getMetrics * *
+ org.onap.policy.pdpx.list * *
+ org.onap.policy.pdpx.listConfig * *
+ org.onap.policy.pdpx.listPolicy * *
+ org.onap.policy.pdpx.policyEngineImport * *
+ org.onap.policy.pdpx.pushPolicy * *
+ org.onap.policy.pdpx.sendEvent * *
+ org.onap.policy.pdpx.updateDictionary * *
+ org.onap.policy.pdpx.updatePolicy * *
+ org.onap.policy.url doclib *
+ org.onap.policy.url doclib_admin *
+ org.onap.policy.url login *
+
+Disabling AAF
+^^^^^^^^^^^^^
+
+AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it.
+
++---------------+-------------------------+----------+---------------------------+
+| Repository | Install File | Variable | Notes |
++===============+=========================+==========+===========================+
+| policy/docker | config/drools/base.conf | AAF | Heat Installation |
++---------------+-------------------------+----------+---------------------------+
+| oom | config/drools/base.conf | AAF | OOM Installation |
++---------------+-------------------------+----------+---------------------------+
+
+AAF can also be disabled at runtime within the PDP-D container by modifying the following files.
+
++----------------------------------------------------+-----------------------------------------+
+| File | Property |
++====================================================+=========================================+
+| $POLICY_HOME/config/policy-engine.properties | http.server.services.SECURED-CONFIG.aaf |
++----------------------------------------------------+-----------------------------------------+
+| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf |
++----------------------------------------------------+-----------------------------------------+
+
+After modifying these files, restart the container with "policy stop; policy start"
+
+
+
+End of Document
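Review bot: the runtime "Disabling AAF" table (the `$POLICY_HOME/config/policy-engine.properties` / `feature-healthcheck.properties` rows) names the properties `http.server.services.SECURED-CONFIG.aaf` and `http.server.services.HEALTHCHECK.aaf` but never says what value to set them to; add "set to false" as the install-variable paragraph above does, and since the page itself lists the PDP-D telemetry API as an externally facing entry point with delete/post/put permissions, state what access control (if any) remains on those endpoints once AAF is switched off so an operator understands the exposure of that change. Smaller points in the same hunk: "Healthchek" in the first table should be "Healthcheck"; "some of clients are not AAF-capable" should read "some clients are not AAF-capable"; "with AAF in n a default ONAP installation" should read "in a default ONAP installation"; in the `demo@people.osaaf.org` listing the first line `org.onap.policy.access` is missing its Instance and Action columns, unlike the matching `org.onap.policy.access * *` line in the `policy@policy.onap.org` listing, so either the columns were dropped in copying or the entry should be explained; and both listings are AAF permission dumps rather than shell, so `.. code-block:: text` would be a better fit than `bash`. The closing sentence "restart the container with "policy stop; policy start"" also needs a terminating period.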