References
- onap-seccom list: https://lists.onap.org/g/onap-seccom/message/1368
- aaf-hello demonstration application
- DDF event: https://wiki.lfnetworking.org/display/LN/2019+June+Event+Topic+Proposals
  - slides: https://wiki.lfnetworking.org/download/attachments/15630468/Cert%20mgmt%20and%20secure%20storage%20ONAP%20F2F%20Kista.pptx?version=1&modificationDate=1560418135343&api=v2
  - recording: https://wiki.lfnetworking.org/download/attachments/15630468/Certificate%20handling%20and%20secure%20key%20storage%20discussion%20Kista%20ONAP%20F2F%202019-06-12.mp4?version=1&modificationDate=1560417944352&api=v2
- JIRA
- AAF Repository
  - aaf/authz/auth/docker/drun.sh
  - aaf/authz/auth/helm/aaf-hello/Chart.yaml
  - aaf/authz/auth/helm/aaf-hello/templates/aaf-hello.yaml
  - aaf/authz/auth/helm/aaf-hello/values.yaml
  - aaf/authz/auth/sample/cass_data/artifact.dat
Discussion
- Between the Amsterdam release and the Dublin release, certificates have been replaced at least 4 times.
- One of those replacements was in the emergency Casablanca Maintenance Release, because the certificate expiry date fell very soon after the Casablanca release date.
- ONAP is moving towards a higher-security system, e.g. adding more encryption by replacing HTTP with HTTPS, which means more certificates are required.
- The current process is for each ONAP project to manually generate certificates for its own microservices.
- The aaf-hello demonstration application shows how certificates can be generated automatically when the pod is deployed.
- The goal is to understand how this works and how to integrate similar techniques into other pods, such as AAI-Resources, AAI-Traversal, etc.
- tbc
Analysis
- aaf-hello application
  - aaf/authz/auth/auth-hello/src/main/java/org/onap/aaf/auth/hello/
    - GET,"/hello/:perm*"
    - POST,"/resthello/:id"
    - GET,"/resthello/:id"
    - PUT,"/resthello/:id"
    - DELETE,"/resthello/:id"
  - Prints out a simple message including the actual authorisation information, e.g.
    - req.getUserPrincipal().getName()
    - req.isUserInRole(perm)
    - trans.getUserPrincipal().getClass().getSimpleName()
  - Provides simple proof that the application is authorised through AAF
- aaf-hello Docker
  - aaf/authz/auth/docker/Dockerfile.hello
    - COPY bin/pod_wait.sh /opt/app/aaf/bin/ (shell script apparently from aaf/authz/auth/sample/bin/pod_wait.sh)
    - COPY etc /opt/app/osaaf/etc (property files apparently from aaf/authz/auth/sample/etc/)
    - RUN mkdir -p /opt/app/aaf/status (used by pod_wait.sh to communicate between processes in the pod)
  - based on aaf/authz/auth/docker/Dockerfile.core
    - COPY lib /opt/app/aaf/lib
    - COPY bin /opt/app/aaf/bin
    - COPY theme /opt/app/aaf/theme
  - based on aaf/authz/auth/docker/Dockerfile.base
    - adds bash, openssl, curl
    - based on openjdk:8-jre-alpine
- aaf Helm charts
  - aaf/authz/auth/helm/aaf-hello/
    - values.yaml
    - Chart.yaml
    - aaf.sh
  - tbc
  - It has now been documented in the wiki as "Application Config & Cert Documentation (Temporary)"