.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

*********************
HTTPS and AAF Support
*********************

.. contents::
   :depth: 3

The pap, console, pdp-x, brmsgw, and pdp-d components have been migrated from HTTP to HTTPS. Server certificates were derived from the AAF Root CA.

AAF is supported for externally facing entry points into the Policy subsystem. These are:

* PDP-D supports AAF for its telemetry and healthcheck APIs.
* PDP-X supports AAF for its external policy APIs. It is currently disabled because some of its clients are not AAF-capable, and the setting is global.
* Console (for Browser Portal redirects) supports AAF when accessed through Portal.

+--------+------+------------+-----+-----+---------------------------------+
| Policy | Role | Remote     |HTTPS| AAF | Notes                           |
+========+======+============+=====+=====+=================================+
| pdp-d  |server| \*         |true |true |Healthcheck and Telemetry APIs   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aaf        |true |true |Two-way TLS                      |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| aai        |true |true |Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| so         |false|false|Not supported in so              |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-d  |client| vfc        |false|false|Not supported in vfc             |
+--------+------+------------+-----+-----+---------------------------------+
| pdp-x  |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| pap    |server| \*         |true |false|Not all clients are AAF-capable  |
+--------+------+------------+-----+-----+---------------------------------+
| console|server| portal     |true |true |Redirected from portal           |
+--------+------+------------+-----+-----+---------------------------------+
| brmsgw |client| dmaap      |true |false|Runtime Control Loop Execution   |
+--------+------+------------+-----+-----+---------------------------------+

AAF Configuration
^^^^^^^^^^^^^^^^^

The default demo ONAP installation comes up bootstrapped with the following AAF data with regard to Policy.

.. code-block:: bash
   :caption: Bootstrapped AAF configuration

   Basic Permissions:
   org.onap.policy.access * *
   org.onap.policy.access * read
   org.onap.policy.certman local request,ignoreIPs,showpass

   Portal Permissions (for UI purposes, administered by Portal team):
   org.onap.policy.menu menu_admin *
   org.onap.policy.menu menu_ajax *
   org.onap.policy.menu menu_concept *
   org.onap.policy.menu menu_customer *
   org.onap.policy.menu menu_customer_create *
   org.onap.policy.menu menu_doclib *
   org.onap.policy.menu menu_feedback *
   org.onap.policy.menu menu_help *
   org.onap.policy.menu menu_home *
   org.onap.policy.menu menu_itracker *
   org.onap.policy.menu menu_job *
   org.onap.policy.menu menu_job_create *
   org.onap.policy.menu menu_job_designer *
   org.onap.policy.menu menu_logout *
   org.onap.policy.menu menu_map *
   org.onap.policy.menu menu_notes *
   org.onap.policy.menu menu_policy *
   org.onap.policy.menu menu_process *
   org.onap.policy.menu menu_profile *
   org.onap.policy.menu menu_profile_create *
   org.onap.policy.menu menu_profile_import *
   org.onap.policy.menu menu_reports *
   org.onap.policy.menu menu_sample *
   org.onap.policy.menu menu_tab *
   org.onap.policy.menu menu_task *
   org.onap.policy.menu menu_task_search *
   org.onap.policy.menu menu_test *
   org.onap.policy.url doclib *
   org.onap.policy.url doclib_admin *
   org.onap.policy.url login *
   org.onap.policy.url policy_admin *
   org.onap.policy.url policy_dashboard *
   org.onap.policy.url policy_dictionary *
   org.onap.policy.url policy_editor *
   org.onap.policy.url policy_pdp *
   org.onap.policy.url policy_push *
   org.onap.policy.url policy_roles *
   org.onap.policy.url view_reports *

   PDP-D Permissions for Telemetry REST API access:
   org.onap.policy.pdpd.healthcheck * get
   org.onap.policy.pdpd.healthcheck.configuration * get
   org.onap.policy.pdpd.telemetry * delete
   org.onap.policy.pdpd.telemetry * get
   org.onap.policy.pdpd.telemetry * post
   org.onap.policy.pdpd.telemetry * put

   PDP-X Permissions for XACML REST APIs:
   org.onap.policy.pdpx.config * *
   org.onap.policy.pdpx.createDictionary * *
   org.onap.policy.pdpx.createPolicy * *
   org.onap.policy.pdpx.decision * *
   org.onap.policy.pdpx.getConfig * *
   org.onap.policy.pdpx.getConfigByPolicyName * *
   org.onap.policy.pdpx.getDecision * *
   org.onap.policy.pdpx.getDictionary * *
   org.onap.policy.pdpx.getMetrics * *
   org.onap.policy.pdpx.list * *
   org.onap.policy.pdpx.listConfig * *
   org.onap.policy.pdpx.listPolicy * *
   org.onap.policy.pdpx.policyEngineImport * *
   org.onap.policy.pdpx.pushPolicy * *
   org.onap.policy.pdpx.sendEvent * *
   org.onap.policy.pdpx.updateDictionary * *
   org.onap.policy.pdpx.updatePolicy * *

   Basic Namespace Admin Roles:
   org.onap.policy.admin
   org.onap.policy.owner
   org.onap.policy.seeCerts

   Portal Roles for UI:
   org.onap.policy.Account_Administrator
   org.onap.policy.Policy_Admin
   org.onap.policy.Policy_Editor
   org.onap.policy.Policy_Guest
   org.onap.policy.Policy_Super_Admin
   org.onap.policy.Policy_Super_Guest
   org.onap.policy.Standard_User
   org.onap.policy.System_Administrator

   PDP-D Roles:
   org.onap.policy.pdpd.admin
   org.onap.policy.pdpd.monitor

   PDP-X Roles:
   org.onap.policy.pdpx.admin
   org.onap.policy.pdpx.monitor

   Users:
   demo@people.osaaf.org
   policy@policy.onap.org


demo@people.osaaf.org and policy@policy.onap.org are properly configured with AAF in a default ONAP installation. Their permissions are:

.. code-block:: bash
   :caption: Default permissions for demo and policy accounts.

   List Permissions by User[policy@policy.onap.org]
   --------------------------------------------------------------------------------
   PERM Type Instance Action
   --------------------------------------------------------------------------------
   org.onap.policy.access * *
   org.onap.policy.access * read
   org.onap.policy.certman local request,ignoreIPs,showpass
   org.onap.policy.pdpd.healthcheck * get
   org.onap.policy.pdpd.healthcheck.configuration * get
   org.onap.policy.pdpd.telemetry * delete
   org.onap.policy.pdpd.telemetry * get
   org.onap.policy.pdpd.telemetry * post
   org.onap.policy.pdpd.telemetry * put
   org.onap.policy.pdpx.createDictionary * *
   org.onap.policy.pdpx.createPolicy * *
   org.onap.policy.pdpx.decision * *
   org.onap.policy.pdpx.getConfig * *
   org.onap.policy.pdpx.getConfigByPolicyName * *
   org.onap.policy.pdpx.getDecision * *
   org.onap.policy.pdpx.getDictionary * *
   org.onap.policy.pdpx.getMetrics * *
   org.onap.policy.pdpx.list * *
   org.onap.policy.pdpx.listConfig * *
   org.onap.policy.pdpx.listPolicy * *
   org.onap.policy.pdpx.policyEngineImport * *
   org.onap.policy.pdpx.pushPolicy * *
   org.onap.policy.pdpx.sendEvent * *
   org.onap.policy.pdpx.updateDictionary * *
   org.onap.policy.pdpx.updatePolicy * *

   List Permissions by User[demo@people.osaaf.org]
   --------------------------------------------------------------------------------
   PERM Type Instance Action
   --------------------------------------------------------------------------------
   org.onap.policy.access
   org.onap.policy.access * read
   org.onap.policy.menu menu_admin *
   org.onap.policy.menu menu_ajax *
   org.onap.policy.menu menu_customer *
   org.onap.policy.menu menu_customer_create *
   org.onap.policy.menu menu_feedback *
   org.onap.policy.menu menu_help *
   org.onap.policy.menu menu_home *
   org.onap.policy.menu menu_itracker *
   org.onap.policy.menu menu_job *
   org.onap.policy.menu menu_job_create *
   org.onap.policy.menu menu_logout *
   org.onap.policy.menu menu_notes *
   org.onap.policy.menu menu_process *
   org.onap.policy.menu menu_profile *
   org.onap.policy.menu menu_profile_create *
   org.onap.policy.menu menu_profile_import *
   org.onap.policy.menu menu_reports *
   org.onap.policy.menu menu_sample *
   org.onap.policy.menu menu_tab *
   org.onap.policy.menu menu_test *
   org.onap.policy.pdpd.healthcheck * get
   org.onap.policy.pdpd.healthcheck.configuration * get
   org.onap.policy.pdpd.telemetry * delete
   org.onap.policy.pdpd.telemetry * get
   org.onap.policy.pdpd.telemetry * post
   org.onap.policy.pdpd.telemetry * put
   org.onap.policy.pdpx.config * *
   org.onap.policy.pdpx.createDictionary * *
   org.onap.policy.pdpx.createPolicy * *
   org.onap.policy.pdpx.decision * *
   org.onap.policy.pdpx.getConfig * *
   org.onap.policy.pdpx.getConfigByPolicyName * *
   org.onap.policy.pdpx.getDecision * *
   org.onap.policy.pdpx.getDictionary * *
   org.onap.policy.pdpx.getMetrics * *
   org.onap.policy.pdpx.list * *
   org.onap.policy.pdpx.listConfig * *
   org.onap.policy.pdpx.listPolicy * *
   org.onap.policy.pdpx.policyEngineImport * *
   org.onap.policy.pdpx.pushPolicy * *
   org.onap.policy.pdpx.sendEvent * *
   org.onap.policy.pdpx.updateDictionary * *
   org.onap.policy.pdpx.updatePolicy * *
   org.onap.policy.url doclib *
   org.onap.policy.url doclib_admin *
   org.onap.policy.url login *

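The grant lines above have the form "type instance action". The following is an added example, not code from ONAP or AAF, that evaluates a request against such grants the way a PDP-D REST endpoint would need to; the wildcard and comma-list matching rules are assumptions made here, not taken from AAF's implementation, and the sample grants are a constructed subset of the policy account listing.

```python
# Added example, not ONAP or AAF project code. Assumed semantics, modelled here
# rather than taken from AAF: the type must match exactly, "*" in a grant's
# instance or action matches anything, and a comma-separated action field
# (as in the certman line) grants each action it names.
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Perm:
    type: str
    instance: str
    action: str


def parse_perms(listing: str) -> list[Perm]:
    """Keep only 'type instance action' lines; headings and rulers are skipped."""
    perms = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0].startswith("org.onap.policy."):
            perms.append(Perm(*parts))
    return perms


def matches(grant: Perm, wanted: Perm) -> bool:
    if grant.type != wanted.type or grant.instance not in ("*", wanted.instance):
        return False
    actions = {a.strip() for a in grant.action.split(",")}
    return "*" in actions or wanted.action in actions


def is_allowed(grants: list[Perm], wanted: Perm) -> bool:
    return any(matches(g, wanted) for g in grants)


def authorize_rest(grants: list[Perm], perm_type: str, instance: str, method: str) -> bool:
    """PDP-D telemetry/healthcheck grants use the lower-cased HTTP method as the action."""
    return is_allowed(grants, Perm(perm_type, instance, method.lower()))


# Constructed sample: the certman and PDP-D lines from the policy account listing above.
POLICY_ACCOUNT = parse_perms("""
List Permissions by User[policy@policy.onap.org]
org.onap.policy.certman local request,ignoreIPs,showpass
org.onap.policy.pdpd.healthcheck * get
org.onap.policy.pdpd.telemetry * delete
org.onap.policy.pdpd.telemetry * get
org.onap.policy.pdpx.decision * *
""")

if __name__ == "__main__":
    for api in ("org.onap.policy.pdpd.telemetry", "org.onap.policy.pdpd.healthcheck"):
        print(api, "DELETE allowed:", authorize_rest(POLICY_ACCOUNT, api, "engine", "DELETE"))
```

With these grants a DELETE on the telemetry API is accepted while the same method on the healthcheck API is refused, since healthcheck only carries a get grant.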
Disabling AAF
^^^^^^^^^^^^^

AAF is enabled by default in PDP-D installations. Set the AAF installation variable to false to disable it.

+---------------+-------------------------+----------+---------------------------+
| Repository    | Install File            | Variable | Notes                     |
+===============+=========================+==========+===========================+
| policy/docker | config/drools/base.conf | AAF      | Heat Installation         |
+---------------+-------------------------+----------+---------------------------+
| oom           | config/drools/base.conf | AAF      | OOM Installation          |
+---------------+-------------------------+----------+---------------------------+

AAF can also be disabled at runtime within the PDP-D container by modifying the following files.

+----------------------------------------------------+-----------------------------------------+
| File                                               | Property                                |
+====================================================+=========================================+
| $POLICY_HOME/config/policy-engine.properties       | http.server.services.SECURED-CONFIG.aaf |
+----------------------------------------------------+-----------------------------------------+
| $POLICY_HOME/config/feature-healthcheck.properties | http.server.services.HEALTHCHECK.aaf    |
+----------------------------------------------------+-----------------------------------------+

After modifying these files, restart the container with "policy stop; policy start".

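As an added example that is not ONAP code, the helper below reads, sets and audits the two properties from the table above, so the flag can be flipped without hand-editing and its state can be checked before the restart. The file paths and keys are the ones on this page; SAMPLE_PROPERTIES is a constructed file, and treating a missing key as enabled follows from the page's statement that AAF is on by default.

```python
# Added example, not ONAP code: read, set and audit the PDP-D AAF properties.
from __future__ import annotations
import os
import re

# file (relative to $POLICY_HOME) -> property, from the "Disabling AAF" table
AAF_PROPERTIES = {
    "config/policy-engine.properties": "http.server.services.SECURED-CONFIG.aaf",
    "config/feature-healthcheck.properties": "http.server.services.HEALTHCHECK.aaf",
}
# constructed sample file contents (not a real PDP-D config)
SAMPLE_PROPERTIES = "# constructed sample\nhttp.server.services.SECURED-CONFIG.aaf = true\nother=1\n"


def _line_re(key: str) -> re.Pattern[str]:
    # an active (not '#'-commented) key=value line; spaces around '=' are allowed
    return re.compile(r"^[ \t]*" + re.escape(key) + r"[ \t]*=[ \t]*(.*?)[ \t]*$", re.M)


def get_property(text: str, key: str) -> str | None:
    m = _line_re(key).search(text)
    return m.group(1) if m else None


def set_property(text: str, key: str, value: str) -> str:
    """Rewrite every active line for `key`, or append one if there is none."""
    if _line_re(key).search(text):
        return _line_re(key).sub(f"{key}={value}", text)
    sep = "" if not text or text.endswith("\n") else "\n"
    return f"{text}{sep}{key}={value}\n"


def aaf_enabled(text: str, key: str) -> bool:
    # the page says AAF is on by default, so an absent key counts as enabled
    value = get_property(text, key)
    return value is None or value.lower() != "false"


def disable_aaf(policy_home: str) -> dict[str, bool]:
    """Set both keys to false in place; return each key's state before the edit."""
    before = {}
    for rel_path, key in AAF_PROPERTIES.items():
        path = os.path.join(policy_home, rel_path)
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        before[key] = aaf_enabled(text, key)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(set_property(text, key, "false"))
    return before  # the page's restart step still follows: policy stop; policy start


if __name__ == "__main__":
    key = AAF_PROPERTIES["config/policy-engine.properties"]
    print(aaf_enabled(SAMPLE_PROPERTIES, key), aaf_enabled(set_property(SAMPLE_PROPERTIES, key, "false"), key))
```

disable_aaf expects to be run inside the container with $POLICY_HOME expanded by the caller; it only edits the files, so the documented restart is still required afterwards.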


End of Document