PAGE STATUS: UNDER CONSTRUCTION
STATUS: Project Approved (next step is Architecture ApprovalDraft (seeking PTL approval)
AAF (Application Authorization Framework):
...
| draw.io Diagram | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
The CLAMP functional entity provides the capability to manage runtime control loops. It provides the capability to
- Create control loop from DCAE blueprint sent by SDC
- Create configuration policy from the policy Tosca sent by SDC
- Configure DCAE applications of the control loop
- Associate µService configuration policies to the DCAE application
- Configure the operations to be taken by the control loop (by creating/updating/deleting operational policies)
- Deploy/un-deploy control loop flow (blueprints) to DCAE
- Control loop visualization.
CLAMP relies on Policy to communicate to App-C/VF-C/SDN-C/SO in runtime, hence these are not part of CLAMP
|
AAF (Application Authentication Framework) provides the services for The AAF functional entity provides authentication, authorization and certificate management services for the ONAP components. It provides the capability to:
...
services to the ONAP components to manage the lifecycle of authentication and authorization elements such as Permissions, Roles and Credentials. It supports:
- Manage authentication and authorization elements such as: Perminssions, Roles, :
- Permissions
- Roles Credentials
- Access to organizational identities
- There is a default set of identities each ONAP component for use in ONAP Test Systems
- Store credentials for organizational identities
- Passwords
- AAF provides secure password storage for test/lab use only
- AAF has ability to delegate authentication to external authenticator
- Certificates
- These certificates have unique Authorized Identity embedded, which supports 2 way TLS Authentication
- These certificates can also be used as Server side certificates
- Passwords
- Manage fine grained permissions
- Provide ONAP components or other enforcement points with APP configured permissions
- Manage roles
- AAF provides roles for identities that include any granted permissions
- Validate and provide introspection of OAuth tokens
- Currently unused by ONAP
- Provide locator services through the AAF Locator
- AAF Components and ports can be found globally
- Locator facts
- Locator is not technically restricted to AAF. It can register (protected by Authentication/Authorization) any running process/port/interface
- Registrations include global coordinates, allowing clients to pick the "closest" one
- Locator is independent of any cluster or container mechanisms, which gives accessibility to any network accessible component
- Global - Components can reside anywhere in the world
- Scalable - A new instances can be started anywhere and instantly increase capacity and usage
- "For best results", use Cassandra scaling
- Resilient - VMs, clusters, data centers, K8S could go down, and AAF is still accessible.
- Provide a globally accessible file server to get public security information. For example,
- RCLs
- Root Certificates (any the Organization wants to publish)
- Organizational approved truststores
- Process approvals
- Authorize UI and API requests (REST interface)
- Authenticate users (human and application) (REST interface)
- Manage AAF components (REST interface)
- Auto-Generation of ONAP certificates
- For ONAP test/lab use, AAF Certman provides a local certificate authority (CA)
- AAF Certman can integrate with any certificate authority (CA) that supports the Simple Certificate Enrollment Protocol (SCEP). ONAP does not test this functionality
- Auto-configuration of ONAP certificates for ONAP clients
- as part of "Bare Metal"
- on Docker volumes
Additionally, AAF provides a Java client called CADI, which simplifies AAF use by an ONAP component. The CADI framework is a Java client that:
- Includes all AAF interactions: authentication, authorization, management
- Provides the following authentications: X509, BasicAuth and OAuth
- Provides adapter interfaces for external authenticators
- Includes a Shiro adapter to support ONAP use of ODL
- entities
- Manage the lifecycle of passwords and certificates
- Access to external credential authoriites (e.g. CA)
- Autogenerate ONAP certificates
2. API definitions
AAF provides real-time REST interfaces for
- Authorization
- Authentication, if local AAF authentication is used
- Management API for all AAF components, protected by strong authentication and authorization
CLAMP provides the following interfaces: TO BE UPDATED
| Interface Name | Interface Definition | Interface Capabilities |
|---|
| Version | Status | Consumed Models |
|---|---|---|
| AAFE-1 |
| Application Authorization Framework Management Interface |
| A user interface for: |
| |||
| AAFE-2 | Application Authorization Framework Authentication and Authorization Interface | An interface for the ONAP components to:
|
Display and update:
Events received and actions taken on the control loop
|
Note: xxxI interface is a Component internal interface. xxxxE interface is a component external interfaceThe current API documents can be found at:
The provided UI interfaces are found at: CLAMP latest user guide
- CLAMP internal APIs can be found: clamp swagger pdf
AAF Consumes no Interfaces:
| Interface Name | Purpose Reason For Use |
|---|---|
| AAFE-3 |
...
| : AAF External Credential Interface | An interface to retrieve and authenticate using credentials from a credential supplier external to ONAP. |
The current API documents can be found at:
AAFE-1 (to be added)
- AAFE2 (to be added)
- AAFE3 (to be added)
3. Component Description:
Link to read the docs
A more detailed figure and description of the component.
<< For later inclusion >>
4. known system limitations: (IN PROGRESS)
Runtime: NoneClamp data redundancy is dependent on Kubernetes and the persistent volume.
Clamp application redundancy HA relies on Kubernetes
5. Used Models: (
...
N/A)
AAF uses the following models:
- Service model (received from SDC)
- VNF model (received from SDC)
- Policy Model.
6. System Deployment Architecture:
...
FFS
AAF consists of x containers:
- CLAMP container
- MariaDB container
- Kibana container
- E_Search container
- LogStash container
draw.io Diagram border true viewerToolbar true fitWindow false diagramName CLAMP runtime architectrue simpleViewer false diagramWidth 821 revision 1
7. New Capabilities in this Release
This release, AAF adds the following capabilities:
...
AAF Locator differentiates public fully qualified domain name (FQDN) from Kubernetes FQDN
- Internal Kubernetes FQDN generated when client declares its container namespace
- Public FQDN are accessible for both:
- GUIs/Management outside cluster
- Non-ONAP entities outside the cluster
- Other clusters
...
- Example "Helm" init containers to setup volumes
...
- Analysis of expiring credentials and Roles
- Generation of approval records
- Notification of approvals, credentials and roles to support configurable integration with external services.
8. References
- AAF Overview & User Guide: https://onap.readthedocs.io/en/latest/submodules/clampaaf/authz.git/docs/index.html AAF internal interfaces: https://onap.readthedocs.io/en/latest/_downloads/d3c9f924c6586fe411d40a05ad9b1bb7/swagger.pdf