Type: Task
Resolution: Done
Priority: Highest
Casablanca Release
Casablanca-RC0 (10/11/18)
We need to understand AAF configuration better before it is fully enabled for policy access.
There are 2 main topics of discussion:
1. What is AAF going to come up preconfigured with in a default vanilla ONAP installation?
2. Commands to guide users to use that configuration?
Regarding #1
The current working assumption is that the "org.onap.policy" will be pre-created with x.509 certificate based credentials for policy@policy.onap.org, similar to how it is pre-configured in the windriver reference test lab: aaf-onap-test.osaaf.org.
If AAF does not get stood up based on the previous assumption, we need command line references to go into the UI to enable them, or sample scripts to automate this activity.
Regarding #2
We are using the org.onap.aaf.authz:aaf-cadi-aaf:2.1.2-SNAPSHOT dependency, and generated the cadi configuration files and certificate stores using the procedures outlined in the AAF documentation.
Problem 1:
Unable to create additional password based credentials to use in some use cases on the aaf-onap-test.osaaf.org host for user policy@policy.onap.org. The UI is accessed with the aaf_admin@people.osaaf.org account, and does not allow creating those types of credentials.
Problem 2:
Provided that we are unable to use policy@policy.onap.org with password based auth permissions, the "overarching" demo@people.osaaf.org configuration used in multiple namespaces is used instead, to try to give it appropriate permissions to access policy resources. The configuration seems intuitively correct, as the CADI CLI reports the user having the following permissions:
> perm list user demo@people.osaaf.org
List Permissions by User[demo@people.osaaf.org]
--------------------------------------------------------------------------------
PERM Type                        Instance   Action
--------------------------------------------------------------------------------
.....
org.onap.policy.access           *          *
org.onap.policy.access           *          read
org.onap.policy.pdpd.telemetry   *          delete
org.onap.policy.pdpd.telemetry   *          get
org.onap.policy.pdpd.telemetry   *          post
org.onap.policy.pdpd.telemetry   *          put
org.onap.policy.pdpd.telemetry   newton     get
......
The AAF CadiFilter works well when used in our system that performs authentication for the demo user, as can be seen in the cadi related logging:
[2018-09-21T15:42:40.578+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.578-0500 DEBUG [cadi] BasicHttpTaf: demo@people.osaaf.org authenticated by AAF password, ms=2342.377441
[2018-09-21T15:42:40.579+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.579-0500 INFO [cadi] Authenticated: demo@people.osaaf.org authenticated by AAF password from 127.0.0.1:35898
[2018-09-21T15:42:40.810+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.810-0500 INFO [cadi] AAFLurPerm: Loaded demo@people.osaaf.org perms from AAF in 226.575348 ms, remote=225.842010
After the CadiFilter, the next step in processing calls "isUserInRole"; according to the previous permission configuration, authorization is expected to succeed, but it does not.
[2018-09-21T15:42:40.811+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.811-0500 DEBUG [cadi] isUserInRole: demo@people.osaaf.org does not have org.onap.policy.pdpd.telemetry|newton|get, 227.899979 ms
[2018-09-21T15:42:40.812+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.812-0500 WARN [cadi] Trans: user=demo@people.osaaf.org[BAth],ip=127.0.0.1,ms=2589.691406,validate=2358.256836,code=229.388519
These are cadi initialization entries for reference:
[2018-09-21T15:37:56.299+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.299-0500 INIT [cadi] Loading CADI Properties from /home/policy/snapshot/config/aaf.properties
[2018-09-21T15:37:56.300+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.300-0500 INIT [cadi] Loading CADI Properties from /home/policy/snapshot/config/aaf-credentials.properties
[2018-09-21T15:37:56.301+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.301-0500 INIT [cadi] Loading CADI Properties from /home/policy/snapshot/config/aaf-location.properties
[2018-09-21T15:37:56.304+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.303-0500 INIT [cadi] cadi_keyfile points to /home/policy/snapshot/config/aaf-cadi.keyfile
[2018-09-21T15:37:56.313+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.308-0500 INIT [cadi] cadi_keyfile points to /home/policy/snapshot/config/aaf-cadi.keyfile
[2018-09-21T15:37:56.333+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.333-0500 INIT [cadi] hostname is set to newton
[2018-09-21T15:37:56.333+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.333-0500 INIT [cadi] basic_realm is set to newton
[2018-09-21T15:37:56.334+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.334-0500 INIT [cadi] aaf_default_realm is set to newton
[2018-09-21T15:37:56.334+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:56.334-0500 INIT [cadi] aaf_id is set to policy@policy.onap.org
[2018-09-21T15:37:57.101+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.101-0500 INIT [cadi] cadi_protocols is set to TLSv1.1,TLSv1.2
[2018-09-21T15:37:57.140+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.140-0500 INIT [cadi] aaf_oauth2_token_url is set to https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
[2018-09-21T15:37:57.140+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.140-0500 INIT [cadi] aaf_oauth2_introspect_url is set to https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
[2018-09-21T15:37:57.164+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.164-0500 INIT [cadi] cadi_keyfile points to /home/policy/snapshot/config/aaf-cadi.keyfile
[2018-09-21T15:37:57.306+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.305-0500 INIT [cadi] AAF/OAuth LUR is not instantiated. aaf_password is required for OAuth Access java.lang.reflect.InvocationTargetException
[2018-09-21T15:37:57.308+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.308-0500 INIT [cadi] aaf_url is set to https://AAF_LOCATE_URL/AAF_NS.service:2.1
[2018-09-21T15:37:57.308+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.308-0500 INIT [cadi] aaf_lur_class is set to org.onap.aaf.cadi.aaf.v2_0.AAFLurPerm
[2018-09-21T15:37:57.438+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.438-0500 INFO [cadi] AAFLocator enabled using https://aaf-onap-test.osaaf.org:8095
[2018-09-21T15:37:57.439+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.439-0500 INIT [cadi] aaf_id is not explicitly set
[2018-09-21T15:37:57.445+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.445-0500 INIT [cadi] Cleaning Thread initialized with interval of 60000 ms and max objects of 1000
[2018-09-21T15:37:57.446+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.446-0500 INIT [cadi] AAF LUR Configured to https://AAF_LOCATE_URL/AAF_NS.service:2.1
[2018-09-21T15:37:57.446+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.446-0500 INIT [cadi] aaf_debug_ids is not explicitly set
[2018-09-21T15:37:57.449+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.449-0500 INIT [cadi] hostname is not explicitly set
[2018-09-21T15:37:57.449+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.449-0500 INIT [cadi] Hostname set to newton
[2018-09-21T15:37:57.451+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.451-0500 INIT [cadi] cadi_truststore is set to /home/policy/snapshot/etc/ssl/policy-truststore
[2018-09-21T15:37:57.454+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.454-0500 INIT [cadi] Trusting Identity for Certificates signed by "CN=intermediateCA_1, OU=OSAAF, O=ONAP, C=US"
[2018-09-21T15:37:57.454+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.454-0500 INIT [cadi] Trusting Identity for Certificates signed by "CN=intermediateCA_7, OU=OSAAF, O=ONAP, C=US"
[2018-09-21T15:37:57.781+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.781-0500 INIT [cadi] cadi_protocols is set to TLSv1.1,TLSv1.2
[2018-09-21T15:37:57.782+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.782-0500 INIT [cadi] Certificate Authorization enabled
[2018-09-21T15:37:57.782+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.782-0500 INIT [cadi] basic_realm is not explicitly set
[2018-09-21T15:37:57.784+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.784-0500 INIT [cadi] aaf_user_expires is set to 600000
[2018-09-21T15:37:57.784+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.784-0500 INIT [cadi] Local Basic Authorization is disabled. Enable by setting basicRealm=<appropriate realm, i.e. my.att.com>
[2018-09-21T15:37:57.784+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.784-0500 INIT [cadi] aaf_taf_class is set to org.onap.aaf.cadi.aaf.v2_0.AAFTaf
[2018-09-21T15:37:57.787+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.787-0500 INIT [cadi] AAF TAF Configured to https://AAF_LOCATE_URL/AAF_NS.service:2.1
[2018-09-21T15:37:57.787+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.787-0500 INIT [cadi] aaf_oauth2_token_url is set to https://AAF_LOCATE_URL/AAF_NS.token:2.1/token
[2018-09-21T15:37:57.788+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.788-0500 INIT [cadi] java.lang.ClassNotFoundException: org.onap.auth.oauth.OAuthDirectTAF
[2018-09-21T15:37:57.788+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.788-0500 INIT [cadi] aaf_oauth2_introspect_url is set to https://AAF_LOCATE_URL/AAF_NS.introspect:2.1/introspect
[2018-09-21T15:37:57.789+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.789-0500 INIT [cadi] aaf_locate_url is set to https://aaf-onap-test.osaaf.org:8095
[2018-09-21T15:37:57.902+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.902-0500 INFO [cadi] AAFLocator enabled using preloaded PropertyLocator
[2018-09-21T15:37:57.903+00:00|INFO|ROOT|SECURED-CONFIG-9696] 2018-09-21T10:37:57.903-0500 INIT [cadi] cadi_loglevel is set to DEBUG
To keep everything together, these are the logs for the auth request to AAF (shown above, but split between authentication and authorization):
[2018-09-21T15:42:40.570+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.570-0500 DEBUG [cadi] DenialOfServiceTaf: Not processing this transaction: This Transaction is not denied, ms=0.215868
[2018-09-21T15:42:40.577+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.577-0500 DEBUG [cadi] X509Taf: No Certificate Info on Transaction, ms=0.602257
[2018-09-21T15:42:40.578+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.578-0500 DEBUG [cadi] BasicHttpTaf: demo@people.osaaf.org authenticated by AAF password, ms=2342.377441
[2018-09-21T15:42:40.579+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.579-0500 INFO [cadi] Authenticated: demo@people.osaaf.org authenticated by AAF password from 127.0.0.1:35898
[2018-09-21T15:42:40.810+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.810-0500 INFO [cadi] AAFLurPerm: Loaded demo@people.osaaf.org perms from AAF in 226.575348 ms, remote=225.842010
[2018-09-21T15:42:40.811+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.811-0500 DEBUG [cadi] isUserInRole: demo@people.osaaf.org does not have org.onap.policy.pdpd.telemetry|newton|get, 227.899979 ms
[2018-09-21T15:42:40.812+00:00|INFO|ROOT|qtp1139700454-23] 2018-09-21T10:42:40.812-0500 WARN [cadi] Trans: user=demo@people.osaaf.org[BAth],ip=127.0.0.1,ms=2589.691406,validate=2358.256836,code=229.388519
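To separate what the `perm list` output shows from what CADI evaluated, this added example (not CADI's or the AAF project's code) parses the quoted permission rows and checks the role string from the isUserInRole log entry against them. It assumes a simplified model in which a permission is a `type|instance|action` triple and `*` in a grant matches any value; that wildcard rule is an assumption, not a statement of CADI's matching logic.

```python
# Added example, not CADI/AAF project code. It models an AAF permission as a
# type|instance|action triple and treats '*' in a grant as "any value"; that
# wildcard rule is an assumption about CADI, not a statement of its behaviour.

# Constructed from the `perm list user demo@people.osaaf.org` output quoted in
# the issue (header and separator rows kept so the parser has to skip them).
PERM_LIST_OUTPUT = """\
PERM Type                        Instance   Action
--------------------------------------------------------------------------------
org.onap.policy.access           *          *
org.onap.policy.access           *          read
org.onap.policy.pdpd.telemetry   *          delete
org.onap.policy.pdpd.telemetry   *          get
org.onap.policy.pdpd.telemetry   *          post
org.onap.policy.pdpd.telemetry   *          put
org.onap.policy.pdpd.telemetry   newton     get
"""

def parse_perm_list(text):
    """Return (type, instance, action) triples; rows without 3 fields are skipped."""
    return [tuple(p) for p in (line.split() for line in text.splitlines())
            if len(p) == 3]

def parse_role(role):
    """Split the string CADI logs, e.g. 'org.onap.policy.pdpd.telemetry|newton|get'."""
    parts = role.split("|")
    if len(parts) != 3:
        raise ValueError("expected type|instance|action, got %r" % role)
    return tuple(parts)

def grant_covers(granted, wanted):
    """Every granted field must equal the wanted one or be the '*' wildcard."""
    return all(g in ("*", w) for g, w in zip(granted, wanted))

def explain(perms, role):
    """Return the first grant that satisfies the role, or None if nothing does."""
    wanted = parse_role(role)
    for p in perms:
        if grant_covers(p, wanted):
            return "|".join(p)
    return None

if __name__ == "__main__":
    perms = parse_perm_list(PERM_LIST_OUTPUT)
    for role in ("org.onap.policy.pdpd.telemetry|newton|get",
                 "org.onap.policy.pdpd.telemetry|newton|patch"):
        print(role, "->", explain(perms, role))
```

Under that model the listed grants satisfy `org.onap.policy.pdpd.telemetry|newton|get`, which is the expectation stated above; the value of the check is that it isolates the listed permissions from whatever permission set and realm CADI actually evaluated at request time.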
Relates to:
POLICY-1216 PDP-D: enable AAF at startup and disable default authentication (Closed)
POLICY-1217 PDP-X: enable AAF at startup and disable default authentication (Closed)
AAF-536 Portal and others request Bootstrap Data update (Closed)