The following describes the SO API Security matrix for the Dublin release.
- Most of the SO interfaces support HTTP Basic Authentication without using HTTPs. Since the HTTP Basic Authentication password is encoded, not encrypted, use of HTTPS is a must.
- Authorization support is being verified, but it seems that most of them do not apply the authorization mechanism.
- Related JIRA: SO-2066 - Getting issue details... STATUS
| Component Pair | Communication Protocol | Authentication | Authorization | Comments |
|---|---|---|---|---|
| NBI | ||||
| VID ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| UUI ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| ExtAPI ↔ SO | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| Ext Client ↔ SO Monitoring UI | HTTP | No | No | |
| Inter-ONAP Components | ||||
| SO ↔ SDC via DMaaP | HTTP | user+password | No | |
| SO ↔ SDC Query | HTTPs (one-way TLSv1.1 or v1.2), HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | Role? need to verify | check if SDC certificate is expired. If so, use HTTP |
| SO ↔ AAI | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | ? Permission specified by: type :instance :action :role | need to verify authorization |
| SO ↔ SDNC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | role? need to verify | |
| SO ↔ MultiCloud | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| SO ↔ VFC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| SO ↔ OOF | HTTPS | HTTP basic authentication with clear password | No | |
| SO ↔ Sniro | HTTP | HTTP basic authentication with clear password | No | |
| SO ↔ Policy (Scaling) | HTTP | HTTP Basic Authentication | No | |
| SO ↔ APPC | HTTP | Secret | No | verify it |
| SO ↔ LOG | ? | |||
| CMSO ↔ SO | ? | |||
| SO ↔ DMaaP | HTTP | ConsumerGroup+Id | ||
| PRH ↔ SO via DMaaP | HTTP | user+password | ||
| SO ↔ DCAE (?) | ? | Does SO have this interface? | ||
| SO ↔ Camunda DB | JDBC | id+clear text password | use of MariaDB authorization | |
| BPMN Infra ↔ OOF | HTTPS | user+password | No | |
| BPMN Infra ↔ Sniro | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ Policy | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ SDNC | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ AAI | HTTPs | HTTP Basic Authentication | No | |
| BPMN Infra ↔ CDS | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ Camunda BPM | HTTP | Id+clear text password | No | |
| BPMN Infra ↔ DMaaP | HTTP | ConsumerGroup+Id | ||
| Openstack Adapter ↔ AAI | HTTPS | HTTP Basic Authentication | No | |
| Openstack Adapter ↔ BPMN-infra | HTTP | HTTP Basic Authentication | No | |
| Openstack Adapter ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
| VFC-Adapter ↔ Request DB | JDBC | user+password | use of Maria DB authorization | |
| VFC-Adapter ↔ Request DB Adapter | HTTPS | HTTP Basic Authentication | No | |
| VNFM Adapter ↔ SDC | HTTPS | User+password | No | |
| SOL003 VNFM Adapter ↔ AAI | HTTPS | HTTP Basic Authentication | ||
| SOL003 VNFM Adapter ↔ SDC | HTTP | HTTP Basic Authentication | No | SDC Certificate is expired, so it uses HTTP |
| SDC Controller ↔ SDC | HTTP | ConsumerGroup+Id | No | |
| Intra-SO Components | ||||
| SO ↔ db-secrets | N/A | db_admin-User+clear text password db_username+clear text password | N/A | secrets for mariadb |
| SDC Controller ↔ CatalogDB Adapter | HTTP | HTTP Basic Authentication | No | |
| SDC Controller ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
| SDC Controller ↔ Request DB | JDBC | user+password | use of Maria DB authorization | for mariadb |
| SDNC Adapter ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
| Request Handler ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
| Request Handler ↔ BPMN Infra | HTTP | HTTP Basic Authentication | No | |
| SO Monitoring UI ↔ Monitoring Service | HTTP | No | No | |
| SO Monitoring Service ↔ BPMN Infra | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ Catalog DB Adapter | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
| BPMN Infra ↔ SDNC Adapter | HTTP | HTTP Basic Authentication | No | verify it |
| BPNN Infra ↔ OpenStack Adapter | HTTP | HTTP Basic Authentication | No | verify it |
| BPMN Infra ↔ VFC Adapter | HTTP | HTTP Basic Authentication | No | verify it |
| BPMN Infra ↔ SOL003 VNFM Adapter | HTTP | No | No | Currently, it is intra-SO communication. |
| SDNC Adapter ↔ Catalog DB adapter | HTTP | HTTP Basic Authentication | No | |
| VFC Adapter ↔ Request DB Adapter | HTTP | HTTP Basic Authentication | No | |
| SBI | ||||
| SDNC Adapter ↔ SDNC | HTTP | HTTP Basic Authentication | Role | |
| SOL003 VNFM Adapter ↔ SVNFM | HTTP | No | No | |
| SOL003 VNFM Adapter ↔ VNFM Simulator | HTTP | No | No | |
| VFC Adapter ↔ VFC | HTTPs, HTTP (only in dev) | HTTP Basic Authentication, Server-side certificates | No | |
| APPC Client ↔ APPC | HTTP | secrets | No | |