.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

*********************
HTTPS and AAF Support
*********************

.. contents::
    :depth: 3

The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA.

AAF is supported for externally facing entry points into the Policy subsystem. These are:

* PDP-D supports AAF for its telemetry and healthcheck APIs.
* PDP-X supports AAF for its external policy APIs. It is currently disabled because some clients are not AAF-capable and the setting is global.
* Console (for Browser Portal redirects) supports AAF when accessed through Portal.

+--------+------+------------+-----+-----+---------------------------------+
| Policy | Role | Remote     |HTTPS| AAF | Notes                           |
+========+======+============+=====+=====+=================================+
| pdp-d  |server| \*         |true |true |Healthcheck and Telemetry APIs   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aaf        |true |true |Two-way TLS                      |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aai        |true |true |Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| so         |false|false|Not supported in so              |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| vfc        |false|false|Not supported in vfc             |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-x  |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| pap    |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| console|server| portal     |true |true |Redirected from portal           |
+--------+------+------------+-----+-----+---------------------------------+
| brmsgw |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+

AAF Configuration
^^^^^^^^^^^^^^^^^

The default demo ONAP installation comes up bootstrapped with the following Policy-related AAF data.

.. code-block:: bash
    :caption: Bootstrapped AAF configuration

    Basic Permissions:
    org.onap.policy.access * *
    org.onap.policy.access * read
    org.onap.policy.certman local request,ignoreIPs,showpass

    Portal Permissions (for UI purposes, administered by Portal team):
    org.onap.policy.menu menu_admin *
    org.onap.policy.menu menu_ajax *
    org.onap.policy.menu menu_concept *
    org.onap.policy.menu menu_customer *
    org.onap.policy.menu menu_customer_create *
    org.onap.policy.menu menu_doclib *
    org.onap.policy.menu menu_feedback *
    org.onap.policy.menu menu_help *
    org.onap.policy.menu menu_home *
    org.onap.policy.menu menu_itracker *
    org.onap.policy.menu menu_job *
    org.onap.policy.menu menu_job_create *
    org.onap.policy.menu menu_job_designer *
    org.onap.policy.menu menu_logout *
    org.onap.policy.menu menu_map *
    org.onap.policy.menu menu_notes *
    org.onap.policy.menu menu_policy *
    org.onap.policy.menu menu_process *
    org.onap.policy.menu menu_profile *
    org.onap.policy.menu menu_profile_create *
    org.onap.policy.menu menu_profile_import *
    org.onap.policy.menu menu_reports *
    org.onap.policy.menu menu_sample *
    org.onap.policy.menu menu_tab *
    org.onap.policy.menu menu_task *
    org.onap.policy.menu menu_task_search *
    org.onap.policy.menu menu_test *
    org.onap.policy.url doclib *
    org.onap.policy.url doclib_admin *
    org.onap.policy.url login *
    org.onap.policy.url policy_admin *
    org.onap.policy.url policy_dashboard *
    org.onap.policy.url policy_dictionary *
    org.onap.policy.url policy_editor *
    org.onap.policy.url policy_pdp *
    org.onap.policy.url policy_push *
    org.onap.policy.url policy_roles *
    org.onap.policy.url view_reports *

    PDP-D Permissions for Telemetry REST API access:
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put

    PDP-X Permissions for XACML REST APIs:
    org.onap.policy.pdpx.config * *
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *

    Basic Namespace Admin Roles:
    org.onap.policy.admin
    org.onap.policy.owner
    org.onap.policy.seeCerts

    Portal Roles for UI:
    org.onap.policy.Account_Administrator
    org.onap.policy.Policy_Admin
    org.onap.policy.Policy_Editor
    org.onap.policy.Policy_Guest
    org.onap.policy.Policy_Super_Admin
    org.onap.policy.Policy_Super_Guest
    org.onap.policy.Standard_User
    org.onap.policy.System_Administrator

    PDP-D Roles:
    org.onap.policy.pdpd.admin
    org.onap.policy.pdpd.monitor

    PDP-X Roles:
    org.onap.policy.pdpx.admin
    org.onap.policy.pdpx.monitor

    Users:
    demo@people.osaaf.org
    policy@policy.onap.org

demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in a default ONAP installation. Their permissions are:

.. code-block:: bash
    :caption: Default permissions for demo and policy accounts.

    List Permissions by User[policy@policy.onap.org]
    --------------------------------------------------------------------------------
    PERM Type Instance Action
    --------------------------------------------------------------------------------
    org.onap.policy.access * *
    org.onap.policy.access * read
    org.onap.policy.certman local request,ignoreIPs,showpass
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *

    List Permissions by User[demo@people.osaaf.org]
    --------------------------------------------------------------------------------
    PERM Type Instance Action
    --------------------------------------------------------------------------------
    org.onap.policy.access
    org.onap.policy.access * read
    org.onap.policy.menu menu_admin *
    org.onap.policy.menu menu_ajax *
    org.onap.policy.menu menu_customer *
    org.onap.policy.menu menu_customer_create *
    org.onap.policy.menu menu_feedback *
    org.onap.policy.menu menu_help *
    org.onap.policy.menu menu_home *
    org.onap.policy.menu menu_itracker *
    org.onap.policy.menu menu_job *
    org.onap.policy.menu menu_job_create *
    org.onap.policy.menu menu_logout *
    org.onap.policy.menu menu_notes *
    org.onap.policy.menu menu_process *
    org.onap.policy.menu menu_profile *
    org.onap.policy.menu menu_profile_create *
    org.onap.policy.menu menu_profile_import *
    org.onap.policy.menu menu_reports *
    org.onap.policy.menu menu_sample *
    org.onap.policy.menu menu_tab *
    org.onap.policy.menu menu_test *
    org.onap.policy.pdpd.healthcheck * get
    org.onap.policy.pdpd.healthcheck.configuration * get
    org.onap.policy.pdpd.telemetry * delete
    org.onap.policy.pdpd.telemetry * get
    org.onap.policy.pdpd.telemetry * post
    org.onap.policy.pdpd.telemetry * put
    org.onap.policy.pdpx.config * *
    org.onap.policy.pdpx.createDictionary * *
    org.onap.policy.pdpx.createPolicy * *
    org.onap.policy.pdpx.decision * *
    org.onap.policy.pdpx.getConfig * *
    org.onap.policy.pdpx.getConfigByPolicyName * *
    org.onap.policy.pdpx.getDecision * *
    org.onap.policy.pdpx.getDictionary * *
    org.onap.policy.pdpx.getMetrics * *
    org.onap.policy.pdpx.list * *
    org.onap.policy.pdpx.listConfig * *
    org.onap.policy.pdpx.listPolicy * *
    org.onap.policy.pdpx.policyEngineImport * *
    org.onap.policy.pdpx.pushPolicy * *
    org.onap.policy.pdpx.sendEvent * *
    org.onap.policy.pdpx.updateDictionary * *
    org.onap.policy.pdpx.updatePolicy * *
    org.onap.policy.url doclib *
    org.onap.policy.url doclib_admin *
    org.onap.policy.url login *
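Reading the dumps above, a caller is authorized for a protected operation when some permission line matches the operation's type exactly and matches its instance and action either literally or through the ``*`` wildcard. The shell snippet below is an added example, not ONAP or AAF code, that evaluates a permission list in the ``Type Instance Action`` format shown on this page; it assumes ``*`` is a wildcard, that a comma-separated action field (as in the certman line) lists alternatives, and that a PDP-D telemetry call needs the lower-cased HTTP method as its action. The sample permission file (a subset of the policy@policy.onap.org dump) and the instance names it is queried with are constructed here.

```shell
#!/bin/sh
# Added example, not part of ONAP Policy or AAF: decide whether an AAF permission
# list grants a requested (type, instance, action).
# Assumptions: '*' is a wildcard; the action field may be a comma-separated list.

# Constructed sample: a subset of the policy@policy.onap.org permissions on this page.
AAF_PERMS="$(mktemp)"
trap 'rm -f "$AAF_PERMS"' EXIT
cat > "$AAF_PERMS" <<'EOF'
List Permissions by User[policy@policy.onap.org]
--------------------------------------------------------------------------------
PERM Type Instance Action
--------------------------------------------------------------------------------
org.onap.policy.access * read
org.onap.policy.certman local request,ignoreIPs,showpass
org.onap.policy.pdpd.healthcheck * get
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpd.telemetry * delete
EOF

# aaf_allows FILE TYPE INSTANCE ACTION -> exit 0 if some line grants it, 1 otherwise.
# Header, separator and blank lines of an AAF dump are skipped, so the raw
# "List Permissions by User" output can be fed in directly.
aaf_allows() {
    awk -v t="$2" -v i="$3" -v a="$4" '
        NF < 2 || /^#/ || /^-/ || $1 == "PERM" { next }
        $1 != t { next }                       # type must match exactly
        $2 != "*" && $2 != i { next }          # instance: wildcard or literal
        {
            n = split($3, acts, ",")           # action: wildcard or one of a list
            for (k = 1; k <= n; k++)
                if (acts[k] == "*" || acts[k] == a) { found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# telemetry_call_allowed FILE INSTANCE METHOD -> can this caller issue METHOD
# against the PDP-D telemetry API? The page lists get/post/put/delete actions
# under org.onap.policy.pdpd.telemetry, so the HTTP method is lower-cased.
telemetry_call_allowed() {
    action="$(printf '%s' "$3" | tr '[:upper:]' '[:lower:]')"
    aaf_allows "$1" org.onap.policy.pdpd.telemetry "$2" "$action"
}

# Stand-alone run: report what the sample identity may do on telemetry.
for m in GET POST PUT DELETE; do
    if telemetry_call_allowed "$AAF_PERMS" pdpd-01 "$m"; then
        echo "telemetry $m: allowed"
    else
        echo "telemetry $m: denied"
    fi
done
```

Because the function accepts the dump format verbatim, the two user dumps above can be saved to files and queried the same way, which is a quick way to confirm that an identity has the exact permission a failing API call needs (for example ``post`` on ``org.onap.policy.pdpd.telemetry`` for the policy account above, which the constructed sample deliberately omits).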

Disabling AAF
^^^^^^^^^^^^^

AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it.

+---------------+-------------------------+----------+---------------------------+
| Repository    | Install File            | Variable | Notes                     |
+===============+=========================+==========+===========================+
| policy/docker | config/drools/base.conf | AAF      | Heat Installation         |
+---------------+-------------------------+----------+---------------------------+
| oom           | config/drools/base.conf | AAF      | OOM Installation          |
+---------------+-------------------------+----------+---------------------------+

AAF can also be disabled at runtime within the PDP-D container by modifying the following files.

+----------------------------------------------------+-----------------------------------------+
| File                                               | Property                                |
+====================================================+=========================================+
| $POLICY_HOME/config/policy-engine.properties       | http.server.services.SECURED-CONFIG.aaf |
+----------------------------------------------------+-----------------------------------------+
| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf    |
+----------------------------------------------------+-----------------------------------------+

After modifying these files, restart the container with ``policy stop; policy start``.
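As an added example (not the project's own tooling), the snippet below turns the two properties listed above off in a scratch copy of ``$POLICY_HOME/config`` and reads them back so the change can be verified before the restart. It assumes the files use the standard Java ``key=value`` properties syntax with one key per line; the sample file contents and the ``POLICY_HOME`` stand-in directory are constructed here.

```shell
#!/bin/sh
# Added example, not ONAP Policy code: toggle the PDP-D runtime AAF switches.
# Assumes Java "key=value" properties syntax, one key per line.

# Constructed stand-in for $POLICY_HOME so the example runs outside a PDP-D container.
POLICY_HOME="$(mktemp -d)"
trap 'rm -rf "$POLICY_HOME"' EXIT
mkdir -p "$POLICY_HOME/config"
cat > "$POLICY_HOME/config/policy-engine.properties" <<'EOF'
# constructed sample: only the keys relevant to this example
http.server.services=SECURED-CONFIG
http.server.services.SECURED-CONFIG.aaf=true
EOF
cat > "$POLICY_HOME/config/feature-healthcheck.properties" <<'EOF'
http.server.services=HEALTHCHECK
http.server.services.HEALTHCHECK.aaf=true
EOF

# Escape a property key for use inside a sed basic regular expression.
key_regex() {
    printf '%s' "$1" | sed 's/[.[\*^$]/\\&/g'
}

# get_property FILE KEY -> prints the value (empty if the key is absent).
get_property() {
    key_re="$(key_regex "$2")"
    sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# set_property FILE KEY VALUE -> rewrite an existing key, or append it if missing.
# A temp file plus mv avoids the non-portable 'sed -i' variants.
set_property() {
    key_re="$(key_regex "$2")"
    tmp="$1.tmp.$$"
    if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$1"; then
        sed "s|^[[:space:]]*${key_re}[[:space:]]*=.*|$2=$3|" "$1" > "$tmp" && mv "$tmp" "$1"
    else
        printf '%s=%s\n' "$2" "$3" >> "$1"
    fi
}

# aaf_disable_runtime -> set both switches named on this page to false.
aaf_disable_runtime() {
    set_property "$POLICY_HOME/config/policy-engine.properties" \
        http.server.services.SECURED-CONFIG.aaf false
    set_property "$POLICY_HOME/config/feature-healthcheck.properties" \
        http.server.services.HEALTHCHECK.aaf false
}

# aaf_status -> "secured-config=<v> healthcheck=<v>" for a before/after check.
aaf_status() {
    printf 'secured-config=%s healthcheck=%s\n' \
        "$(get_property "$POLICY_HOME/config/policy-engine.properties" http.server.services.SECURED-CONFIG.aaf)" \
        "$(get_property "$POLICY_HOME/config/feature-healthcheck.properties" http.server.services.HEALTHCHECK.aaf)"
}

# Stand-alone run: show the switches before and after disabling AAF.
echo "before: $(aaf_status)"
aaf_disable_runtime
echo "after:  $(aaf_status)"
```

Against a real PDP-D, point ``POLICY_HOME`` at the container's installation instead of the scratch directory and follow the edit with ``policy stop; policy start`` as described above; ``aaf_status`` is also a convenient thing to run afterwards to confirm which endpoints are now unauthenticated, since turning the healthcheck and telemetry switches off removes the AAF check from those APIs entirely.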

End of Document