1 Introduction

This section captures recommendations for handling certain security questions studied by the security sub-committee. These recommendations, once implemented, can become new best practices. Each recommendation carries one of the following states:

...

    • Credentials for ONAP users to access ONAP. These are referred to as ONAP_User credentials.
    • Credentials for using the APIs exposed by ONAP. These are referred to as ONAP_ExtAPI credentials.
    • Credentials for ONAP components to communicate with other ONAP components. These are referred to as ONAP_Component credentials.
      • Note: this includes the credentials VNF SDK uses to package the artefacts onboarded into SDC.
    • Credentials for ONAP to communicate with other systems. These are referred to as ONAP_Foreign credentials.
      • As an example, if ONAP is to communicate with an external SDN controller or a cloud infrastructure, these credentials need to be managed.
    • Credentials for the ONAP operational staff to access ONAP. These are referred to as ONAP_Admin credentials.

2.2 Credential Lifecycle

It is useful to consider the lifecycle of the credentials. This section describes the lifecycle steps considered for each credential type (note that the use of the credentials, once issued, is out of scope of credential management):

...

For ONAP_User credentials, two use cases are shown.

...

1. Provisioning the credentials

The provisioning of the user credentials

2. Authenticating a user

<< Insert here >>


The ONAP_Admin credentials are directly provisioned. The root administrator creates the ONAP administrator user-identifier and credentials. Initially a temporary credential is created, and the ONAP operational staff then update their credentials.

The credentials are securely stored (in a hashed format???)

2. Authenticating the user

When a member of the ONAP operational staff attempts to log in for the first time, ONAP challenges the user (with xxxxx). The entered credentials are verified by comparing their hash with the stored hash of the credentials.
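The provisioning and first-login flow above, written out as an added example (this is illustrative code, not ONAP's own implementation, and the store, function names and work factor are assumptions). It shows what "securely stored in a hashed format" needs to mean in practice: a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256 here) rather than a bare hash, a constant-time comparison at login, and a "must change" flag so the temporary credential the root administrator hands out cannot be used for anything but setting a new one.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass

# Work factor for PBKDF2-HMAC-SHA256 (assumed value, in line with current
# OWASP guidance). The point is that the stored value is a slow, salted
# derivation of the credential, never a plain hash of it.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    must_change: bool  # True while the temporary credential is still in use


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class AdminCredentialStore:
    """Constructed in-memory store: only salted digests are kept, never the credential."""

    def __init__(self) -> None:
        self._users: dict[str, StoredCredential] = {}

    def provision(self, user_id: str) -> str:
        """Root administrator creates the admin user with a temporary credential.

        The temporary credential is returned once, for out-of-band delivery to
        the operational staff member; the store retains only its salted digest.
        """
        if user_id in self._users:
            raise ValueError(f"user {user_id!r} already provisioned")
        temporary = secrets.token_urlsafe(16)
        salt = os.urandom(SALT_BYTES)
        self._users[user_id] = StoredCredential(salt, _derive(temporary, salt), must_change=True)
        return temporary

    def authenticate(self, user_id: str, password: str) -> str:
        """Compare the derivation of the entered credential with the stored digest.

        Returns "denied", "change_required" (temporary credential accepted, a
        new one must be set before anything else) or "ok".
        """
        record = self._users.get(user_id)
        if record is None:
            # Spend the same work as a real check so unknown user ids are not
            # distinguishable from wrong passwords by response time.
            _derive(password, bytes(SALT_BYTES))
            return "denied"
        candidate = _derive(password, record.salt)
        if not hmac.compare_digest(candidate, record.digest):  # constant-time compare
            return "denied"
        return "change_required" if record.must_change else "ok"

    def update_credential(self, user_id: str, current: str, new: str) -> bool:
        """Operational staff replace the temporary (or an existing) credential."""
        if len(new) < 12:  # minimal length policy; threshold is an assumption
            return False
        if self.authenticate(user_id, current) == "denied":
            return False
        salt = os.urandom(SALT_BYTES)  # fresh salt on every change
        self._users[user_id] = StoredCredential(salt, _derive(new, salt), must_change=False)
        return True


if __name__ == "__main__":
    store = AdminCredentialStore()
    temp = store.provision("onap-admin")
    print("first login with temporary credential:", store.authenticate("onap-admin", temp))
    store.update_credential("onap-admin", temp, "correct-horse-battery-staple")
    print("login with new credential:", store.authenticate("onap-admin", "correct-horse-battery-staple"))
    print("login with old temporary credential:", store.authenticate("onap-admin", temp))
```

The temporary credential is generated server-side and returned exactly once; after `update_credential` it no longer verifies, so the window in which a leaked temporary value matters is bounded by the first login.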


For ONAP_ExtAPI credentials:

There are two cases here. The first case is when the user credentials have to be specifically provisioned. The second case is when an identity management scheme is used. What do we want to describe?

For ONAP_ExtAPI credentials, 3 use cases are described

1. Provisioning the credentials

<< insert here >>

 2. Distributing the credentials

<< Insert here >>

3. Retrieving the credentials

<< Insert here >>

For ONAP_Component credentials:

For ONAP_Component credentials, two use cases are described

1. Provisioning the credentials

<< insert here >>

2. Retrieving the credentials to use for internal communication

...

1. Provisioning the credentials

<< insert here >>

2. Retrieving the credentials

For ONAP_Admin credentials:

...

For models and packages to be onboarded:

  • The solution MUST support the credential management solution and MUST NOT be tied to any particular credential management scheme.
  • The solution MUST allow Service Design and Creation to validate the package from a security perspective.

...


6. ONAP known vulnerability management

Status: Draft

Background:

Sonatype Nexus can provide a number of reports.  One report it can provide is identification of components with known vulnerabilities.

Policies can be provisioned for different types of vulnerabilities to identify them as critical, severe, moderate, etc.

A project with a component that has a known vulnerability can do one of two things. 1. It can upgrade the component to a version that does not have the vulnerability. 2. Alternatively, the project can investigate the vulnerability and conclude that it does not affect the project, because of the way the project uses the component or the part of the component it uses.

A process is required to support this.
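To make the two paths concrete, here is an added example (not ONAP's or the Linux Foundation's tooling, and not the Nexus report format) of the triage step such a process would need. It takes a constructed list of findings shaped like the rows a component report lists (component, version, advisory id, CVSS score, fixed version if any), applies a severity policy with assumed thresholds, honours documented and approved waivers with an expiry date, and reports whether anything still blocks a release milestone.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Severity policy: CVSS score thresholds mapped to the labels used on this page.
# Thresholds are an assumption (they follow the CVSS v3 qualitative bands).
SEVERITY_POLICY = (("critical", 9.0), ("severe", 7.0), ("moderate", 4.0), ("low", 0.0))
RELEASE_BLOCKING = {"critical", "severe"}


@dataclass
class Finding:
    """One row of a component report. All values below are constructed."""
    component: str
    version: str
    advisory: str          # placeholder advisory id, not a real CVE
    cvss: float
    fixed_in: Optional[str] = None  # None when no non-vulnerable version exists yet


@dataclass
class Waiver:
    """Recorded outcome of path 2: the project investigated and documented why the flaw does not apply."""
    advisory: str
    justification: str
    expires: date          # waivers are re-examined; they must not be open-ended
    approved_by: str


def classify(cvss: float) -> str:
    for label, threshold in SEVERITY_POLICY:
        if cvss >= threshold:
            return label
    return "low"


def triage(findings: List[Finding], waivers: List[Waiver], today: date) -> List[dict]:
    """Decide, per finding, between upgrade (path 1), accepted risk (path 2) or investigation."""
    active = {w.advisory: w for w in waivers if w.expires >= today and w.justification.strip()}
    expired = {w.advisory for w in waivers if w.expires < today}
    actions = []
    for f in findings:
        severity = classify(f.cvss)
        if f.advisory in active:
            w = active[f.advisory]
            action, reason = "accepted-risk", f"waiver approved by {w.approved_by}: {w.justification}"
        elif f.fixed_in:
            action, reason = "upgrade", f"move {f.component} from {f.version} to {f.fixed_in}"
            if f.advisory in expired:
                reason += " (previous waiver expired; renew it with a fresh investigation or fix)"
        else:
            action, reason = "investigate", "no fixed version available; assess exposure and record a waiver if not applicable"
        actions.append({"component": f.component, "advisory": f.advisory,
                        "severity": severity, "action": action, "reason": reason})
    return actions


def release_blocked(actions: List[dict]) -> bool:
    """A release milestone is blocked while any critical/severe finding lacks a fix or an active waiver."""
    return any(a["severity"] in RELEASE_BLOCKING and a["action"] != "accepted-risk" for a in actions)


# Constructed sample report and waivers (component names, ids and scores are made up).
REPORT_DATE = date(2018, 3, 1)
SAMPLE_FINDINGS = [
    Finding("org.example:parser", "1.2.0", "ADV-0001", 9.8, fixed_in="1.2.5"),
    Finding("org.example:xml-tools", "2.0.0", "ADV-0002", 7.5, fixed_in="2.0.1"),
    Finding("org.example:logging", "0.9.3", "ADV-0003", 5.3),
    Finding("org.example:http-client", "3.3.0", "ADV-0004", 8.1, fixed_in="3.4.0"),
]
SAMPLE_WAIVERS = [
    Waiver("ADV-0002", "vulnerable external-entity code path is unreachable: only local trusted config is parsed",
           date(2018, 12, 31), "project security contact"),
    Waiver("ADV-0004", "affected feature disabled", date(2017, 12, 31), "project security contact"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_FINDINGS, SAMPLE_WAIVERS, REPORT_DATE):
        print(f"{a['severity']:9} {a['advisory']} {a['action']:14} {a['reason']}")
    print("release blocked:", release_blocked(triage(SAMPLE_FINDINGS, SAMPLE_WAIVERS, REPORT_DATE)))
```

Two design points carry over to whatever process is adopted: a waiver counts only while it has a written justification and has not expired, so path 2 is a recorded decision rather than a silent skip, and the milestone gate looks at the policy severity, not at the raw score, so changing the thresholds changes what blocks a release without touching the report.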

Next Steps

Investigate the policies that should be applied and make a proposal. Once agreed, anchor with LF.

Propose a process. Consider the following:

  • Informing projects of the actions they have to take at the release milestones.

(tmp) input to the S3P (carrier grade) discussions from a security perspective

Status: Draft

Note: This will be removed when the feedback is sent back.

...