Project Overview
AAF is first-order Security Infrastructure being used for the following:
VF-C leverages ETSI NFV MANO architecture and information model as a reference, and implements full life cycle management and FCAPS of VNF and NS.
- support NS and VNF lifecycle management based on the ONAP tosca data model and workflow
- support integration with multi VNFMs via drivers, which include vendors VNFM and generic VNFM
- support integration with multi VNFs via generic VNFM, which does not provide VNFM function
- support integration with multi VIMS via Multi-VIM, which include the opensource and commercial VIMs
- support microservice architecture and model driven orchestration and management
VF-C has two main components: - NFV-O Component,
- GVNFM Component
There is no scope and architecture changes for VF-C in Dublin release. For a more detailed overview - https://wiki.onap.org/pages/viewpage.action?pageId=3247130 - AAF allows each ONAP Component to have a "Namespace" to set up their important Security Authentication and Authorization elements
- Permissions
- Roles
- Credentials
- AAF provides Access to Organizational Identities
- There is a maintained set of Identities for use in ONAP Test Systems for each ONAP Component
- Credentials for this Identities
- Passwords as appropriate
- AAF has ability to Delegate to Organization, but houses all Passwords For ONAP Testing.
- Certificates
- These certificates have unique Authorized Identity embedded, which supports 2 way TLS Authentication
- These certificates can also be used as Server side certificates
- Passwords as appropriate
- Authorizations (Fine Grained)
- AAF provides Applications or other Enforcement Points with APP configured Permissions
- Roles
- AAF provides Roles for Identities that include any Granted Permissions
- OAuth Tokens and Introspection
- Currently unused by ONAP
- Locator
- AAF Components and ports can be found Globally
- AAF Team would like Arch Team to know the following about the Locator
- "Locator" is not technically restricted to AAF. It can register (protected by Authentication/Authorization) any running process/port/interface
- Registrations include Global Coordinates, allowing Clients to pick the "closest" one
- Locator is independent of any "Cluster" or "Container" mechanisms, which gives accessibility to any network accessible component
- Globally - Components can reside anywhere in the world
- Scalable - You can start any new instances anywhere and instantly increase capacity and usage
- "For best results", use Cassandra in Scalable way.
- Resilient - VMs, Clusters, Datacenters, K8s could go down, and Authentication/Authorization is still accessible.
- Security FS
- AAF provides a globally accessible Fileserver to get public security information ex:
- RCLs
- Root Certificates (any the Organization wants to publish)
- Organizational approved Truststores, etc
- AAF provides a globally accessible Fileserver to get public security information ex:
- Approval Processing mechanisms
- AAF provides real-time RESTful based
- fast evaluation of Security Authorization (and Authentication, if housed in AAF)
- Management API for all AAF components, protected by Stringent Authentication and Authorization
- AAF provides Java Client Infrastructure
- CADI Framework, primarily Java
- Includes all AAF interactions
- Is able to process MULTIPLE kinds of Authentication in the same Client (X509, BasicAuth and OAuth included, Adapter Interfaces for Company based elements)
- Shiro Adapter included for ONAP use of ODL
- CADI Framework, primarily Java
- AAF provides Auto-Configuration for Clients, and Auto-Generation of ONAP Certs
- as part of "Bare Metal"
- on Docker "volumes"
- ROOT CA Acess
- For ONAP, AAF is proving "Root CA Capabilities" by Using AAF Certman to generate Certs from Issuer CA. This is for TEST only AAF has the ability to use an "SCEP" protocol to CAs (example CA, Windows Server). However, this is not provided or validated by ONAP.
New component capabilities for Dublin, i.e. the functional enhancements
...
AAF Locator can now differentiate Public FQDNs from K8S FQDNs
- When Clients declare their Container NS, they get the Internal K8S FQDN
- Public FQDNs are simultaneously accessible for
- GUIs/Management outside Cluster
- Non-ONAP entities (typical usage of AAF is use by large organizations... They don't house everything in one K8S.
- Other Clusters (if so desired)
- AAF is providing more documentation and enhanced configuration helps for ONAP Components
- Example: Providing example "Helm" init containers to setup Volumes
- AAF is refactoring existing maintenance processes online for Open Source (meaning non company specific), including
- Analysis of expiring Creds and Roles
- Generation of Approval records
- Notification of Approvals, Creds and Roles in an external company configurable way.
New or modified interfaces
...
Interface naming
AAF Interfaces are
1) RESTful
2) Relate to AAF Structures (i.e. Perm, Role, etc)
NOTE: Because AAF is critical Infrastructure, AAF can FULLY support MORE THAN Interface version at runtime. (example, 2.0, 2.1, etc)
3) Most AAF Access is done by supplied "CADI Framework", because it already provides
a) Required Caching
b) Authentication/Authorization requirements.
Note: AAF currently supports "SCEP" Protocol to an External CA.
Reference to the interfaces
AAF's is documented primarily in the AAF GUI, protected by Authentication (with the intention of Consistent Organizational Usage... API where you need to use it)
https://aaf-onap-test.osaaf.org:8200/gui/api
Note: You need "Winriver" access to get to this system, but any running AAF System will have the same info
...
What are the system limits
When configured as originally designed (on VMs), recent analysis shows
- Currently observing 9,000,000 trans a day on the Service (note, CADI Caching means AAF is used many, many times that, up to 100-200x s)
- Top limit of 6,000,000,000 trans a day on 15 VMs.
- It is questionable that any K8S cluster could handle this kind of load.
Involved use cases, architectural capabilities or functional requirements
enhancements
Functional enhancements
- OOF Integration Optimization
Optimize the methodology for VNF(vdu) placement, add the process for placement with selected candidates(VIM) - SOL005 Interface alignment
a. existing APIs alignment
b. add the APIs which supported in SOL005, such as package subscription and notification - Upgrade Mutlicloud API invocation to support Centralized Representation and Consistent Identification of Cloud Region functional requirement
Platform enhancements
Mysql DB migrates to OOM shared MariaDB Galera Cluster which can be used to meet S3P HA requirements.
- Update VF-C DB Helm Chart
- Update VF-C component to leverage new MariaDB Galera Cluster
- Docker configuration update
- DB script migrate
- Other work
- Configuration Improvement
- Investigate all VF-C configuration could be automatically injected through OOM.
- Data Persistence
Add data persistent storage to avoid data loss due to pod restart
New or modified interfaces
Update VF-C Northbound APIs to align SOL005.
If they are modified, are the backwards compatible?
Yes, almost APIs required parameters has been supported by previous version,the alignment will add more optional parameter support which can comply with previous APIs.
Interface naming
VF-C supports the following APIs:
- NSLCM APIs (Create/Instantiate/terminate/delete/scale/heal....), such as
api/nslcm/v1/ns
api/nslcm/v1/ns/(?P<ns_instance_id>[0-9a-zA-Z_-]+)/instantiate
api/nslcm/v1/subscriptions
api/nslcm/v1/ns_lcm_op_occs - Package management APIs( VNF/PNF/NS package create/upload/delete/update ....), such as
api/vnfpkgm/v1/vnf_packages
api/vnfpkgm/v1/subscriptions
Reference to the interfaces
What are the system limits
Now the component Redundancy and scaling depends on Kubernetes.
Involved use cases, architectural capabilities or functional requirements
Use case support
Functional Requirements support
a. Centralized Representation and Consistent Identification of Cloud Regions In ONAP
b. Hardware Platform Enablement In ONAP
Platform Maturity Targets
- CII Badge silver is the stretch goal (lack resource)
- 55% code coverage, all repos have already passed
...
Working "Container" modification requirements
...
Listing of new or impacted models used by the project (for information only)
...
Support for service/VNF DM and align with the above data model proposed by the modelling subcommittee in Dublin release