You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 13
Next »
This page is mostly a wishful thinking. It does not reflect the current state of ONAP security. It's rather where we would like to be.
ONAP introduction
ONAP from the milky way point of view
From the very optimistic perspective ONAP is an independent system in the outer space that provides interfaces for User, Admin and OSS/BSS system in the North and xNF in the South and uses interfaces provided by NFVI and xNF.
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjgxNDA2Njc3IiwiZGlhZ3JhbU5hbWUiOiJvbmFwX2RiIiwiYXNwZWN0IjoiIiwibGlua3MiOiJhdXRvIiwiY2VvTmFtZSI6Ik9OQVAgU2VjdXJpdHkgTW9kZWwiLCJ0YnN0eWxlIjoidG9wIiwiY2FuQ29tbWVudCI6ZmFsc2UsImRpYWdyYW1VcmwiOiIiLCJjc3ZGaWxlVXJsIjoiIiwiYm9yZGVyIjp0cnVlLCJtYXhTY2FsZSI6IjEiLCJvd25pbmdQYWdlSWQiOjgxNDA2NjY5LCJlZGl0YWJsZSI6ZmFsc2UsImNlb0lkIjo4MTQwNzI5NCwicGFnZUlkIjoiIiwibGJveCI6dHJ1ZSwic2VydmVyQ29uZmlnIjp7ImVtYWlscHJldmlldyI6IjEifSwib2RyaXZlSWQiOiIiLCJyZXZpc2lvbiI6MSwibWFjcm9JZCI6IjlhNDM3Y2M0LTg0ZmUtNDRhOC1iOGMwLTA4NmZkODhmMjg1MyIsInByZXZpZXdOYW1lIjoib25hcF9kYi5wbmciLCJsaWNlbnNlU3RhdHVzIjoiT0siLCJzZXJ2aWNlIjoiIiwiaXNUZW1wbGF0ZSI6IiIsIndpZHRoIjoiNDExIiwic2ltcGxlVmlld2VyIjpmYWxzZSwibGFzdE1vZGlmaWVkIjoxNTg2ODkzMTE0MDAwLCJleGNlZWRQYWdlV2lkdGgiOmZhbHNlLCJvQ2xpZW50SWQiOiIifQ==
ONAP deployed on kubernetes
ONAP has to be deployed on some infra. Currently it's kubernetes.
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjgxNDA2NjcxIiwiZGlhZ3JhbU5hbWUiOiJvbmFwX21pbGt5d2F5IiwiYXNwZWN0IjoiIiwibGlua3MiOiJhdXRvIiwiY2VvTmFtZSI6Ik9OQVAgU2VjdXJpdHkgTW9kZWwiLCJ0YnN0eWxlIjoidG9wIiwiY2FuQ29tbWVudCI6ZmFsc2UsImRpYWdyYW1VcmwiOiIiLCJjc3ZGaWxlVXJsIjoiIiwiYm9yZGVyIjp0cnVlLCJtYXhTY2FsZSI6IjEiLCJvd25pbmdQYWdlSWQiOjgxNDA2NjY5LCJlZGl0YWJsZSI6ZmFsc2UsImNlb0lkIjo4MTQwNzI5NCwicGFnZUlkIjoiIiwibGJveCI6dHJ1ZSwic2VydmVyQ29uZmlnIjp7ImVtYWlscHJldmlldyI6IjEifSwib2RyaXZlSWQiOiIiLCJyZXZpc2lvbiI6NSwibWFjcm9JZCI6IjIwYWNmZmU0LTc0NTUtNDQ2OC04MjkwLWRiNTcxMzM3MzNlMiIsInByZXZpZXdOYW1lIjoib25hcF9taWxreXdheS5wbmciLCJsaWNlbnNlU3RhdHVzIjoiT0siLCJzZXJ2aWNlIjoiIiwiaXNUZW1wbGF0ZSI6IiIsIndpZHRoIjoiNzAxIiwic2ltcGxlVmlld2VyIjpmYWxzZSwibGFzdE1vZGlmaWVkIjoxNTg2ODk1NDg2MDAwLCJleGNlZWRQYWdlV2lkdGgiOmZhbHNlLCJvQ2xpZW50SWQiOiIifQ==
ONAP deployed on kubernetes with external databases
As most of applications ONAP requires some persistence layer in form of databases. As ONAP follows micro-service architecture principle in theory each component could ship its own database but in practice in commercial deployments its desired to configure ONAP to use external DB engines already existing in operators infrastructure.
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjgxNDA2Njg2IiwiZGlhZ3JhbU5hbWUiOiJvbmFwX3dpdGhfZGIiLCJhc3BlY3QiOiIiLCJsaW5rcyI6ImF1dG8iLCJjZW9OYW1lIjoiT05BUCBTZWN1cml0eSBNb2RlbCIsInRic3R5bGUiOiJ0b3AiLCJjYW5Db21tZW50IjpmYWxzZSwiZGlhZ3JhbVVybCI6IiIsImNzdkZpbGVVcmwiOiIiLCJib3JkZXIiOnRydWUsIm1heFNjYWxlIjoiMSIsIm93bmluZ1BhZ2VJZCI6ODE0MDY2NjksImVkaXRhYmxlIjpmYWxzZSwiY2VvSWQiOjgxNDA3Mjk0LCJwYWdlSWQiOiIiLCJsYm94Ijp0cnVlLCJzZXJ2ZXJDb25maWciOnsiZW1haWxwcmV2aWV3IjoiMSJ9LCJvZHJpdmVJZCI6IiIsInJldmlzaW9uIjoxLCJtYWNyb0lkIjoiYmU1NWJjNjktMWEwMS00Y2E3LTg0YzEtNjcyYzM1YmQ2ZjczIiwicHJldmlld05hbWUiOiJvbmFwX3dpdGhfZGIucG5nIiwibGljZW5zZVN0YXR1cyI6Ik9LIiwic2VydmljZSI6IiIsImlzVGVtcGxhdGUiOiIiLCJ3aWR0aCI6Ijc4MSIsInNpbXBsZVZpZXdlciI6ZmFsc2UsImxhc3RNb2RpZmllZCI6MTU4NzY0OTMzNDAwMCwiZXhjZWVkUGFnZVdpZHRoIjpmYWxzZSwib0NsaWVudElkIjoiIn0=
ONAP deployed on kubernetes with external databases and external IAM
Obviously it's hard to imagine operator that would like to have one more identity DB to managed specifically for ONAP thus ONAP should have the ability to integrate with external IAM system.
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjgxNDA2NjkxIiwiZGlhZ3JhbU5hbWUiOiJvbmFwX3dpdGhfaWFtIiwiYXNwZWN0IjoiIiwibGlua3MiOiJhdXRvIiwiY2VvTmFtZSI6Ik9OQVAgU2VjdXJpdHkgTW9kZWwiLCJ0YnN0eWxlIjoidG9wIiwiY2FuQ29tbWVudCI6ZmFsc2UsImRpYWdyYW1VcmwiOiIiLCJjc3ZGaWxlVXJsIjoiIiwiYm9yZGVyIjp0cnVlLCJtYXhTY2FsZSI6IjEiLCJvd25pbmdQYWdlSWQiOjgxNDA2NjY5LCJlZGl0YWJsZSI6ZmFsc2UsImNlb0lkIjo4MTQwNzI5NCwicGFnZUlkIjoiIiwibGJveCI6dHJ1ZSwic2VydmVyQ29uZmlnIjp7ImVtYWlscHJldmlldyI6IjEifSwib2RyaXZlSWQiOiIiLCJyZXZpc2lvbiI6MiwibWFjcm9JZCI6ImI5Mjc5M2ExLWU0ZTAtNGY4Mi1hNDk3LTgzNTIyYjc5NTUyYiIsInByZXZpZXdOYW1lIjoib25hcF93aXRoX2lhbS5wbmciLCJsaWNlbnNlU3RhdHVzIjoiT0siLCJzZXJ2aWNlIjoiIiwiaXNUZW1wbGF0ZSI6IiIsIndpZHRoIjoiMTE0NiIsInNpbXBsZVZpZXdlciI6ZmFsc2UsImxhc3RNb2RpZmllZCI6MTU4Njg5NTkxNDAwMCwiZXhjZWVkUGFnZVdpZHRoIjpmYWxzZSwib0NsaWVudElkIjoiIn0=
ONAP deployed on kubernetes with external databases and external IAM and external CA
Most of the operators probably already have Certificate Authority server running in their network and a requirement that all services should present a valid certificate signed by this CA. This means that ONAP should provide the ability to integrate with external CA instead of shipping own one.
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IktyenlzenRvZiBPcGFzaWFrIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjgxNDA2Njk2IiwiZGlhZ3JhbU5hbWUiOiJvbmFwX3dpdGhfY2EiLCJhc3BlY3QiOiIiLCJsaW5rcyI6ImF1dG8iLCJjZW9OYW1lIjoiT05BUCBTZWN1cml0eSBNb2RlbCIsInRic3R5bGUiOiJ0b3AiLCJjYW5Db21tZW50IjpmYWxzZSwiZGlhZ3JhbVVybCI6IiIsImNzdkZpbGVVcmwiOiIiLCJib3JkZXIiOnRydWUsIm1heFNjYWxlIjoiMSIsIm93bmluZ1BhZ2VJZCI6ODE0MDY2NjksImVkaXRhYmxlIjpmYWxzZSwiY2VvSWQiOjgxNDA3Mjk0LCJwYWdlSWQiOiIiLCJsYm94Ijp0cnVlLCJzZXJ2ZXJDb25maWciOnsiZW1haWxwcmV2aWV3IjoiMSJ9LCJvZHJpdmVJZCI6IiIsInJldmlzaW9uIjozLCJtYWNyb0lkIjoiYWE3NTVlOTQtODE0Yy00YjNmLWI0YTUtN2NhM2I5MjRmNzVhIiwicHJldmlld05hbWUiOiJvbmFwX3dpdGhfY2EucG5nIiwibGljZW5zZVN0YXR1cyI6Ik9LIiwic2VydmljZSI6IiIsImlzVGVtcGxhdGUiOiIiLCJ3aWR0aCI6IjExNDYiLCJzaW1wbGVWaWV3ZXIiOmZhbHNlLCJsYXN0TW9kaWZpZWQiOjE1ODY4OTY1OTMwMDAsImV4Y2VlZFBhZ2VXaWR0aCI6ZmFsc2UsIm9DbGllbnRJZCI6IiJ9
Defining system boundaries
Provided interfaces
- Admin/User/OSS/BSS interfaces are REST.
- xNF southbound interfaces are VES events (protocol depends on the collector used)
Used interfaces
- Kubernetes interface is REST. Exact supported version of kubernetes has to be specified by every ONAP release
- Database interface depends on DB type but only encrypted communication should be used
- xNF interface depends on particular xNF but all xNFs should support secure protocols for communication
- NFVI interface is REST (usually OpenStack or Kubernetes)
- IAM interface is Open ID Connect
- if operator already has OIDC compatible solution ONAP should just use it
- if operator has Identity Provider (LDAP/Kerberos/etc) external OIDC solution should be deployed (ie keycloak) with operator IdP configured as backend
- In testing environment external OIDC solution should be deployed and bootstraped with test users
- CA interface can be one of:
- Manual interaction by deployer that will retrieve certificates and the bootstrap ONAP instance with them
- One of automated certificate retrieval protocols (ACME, CMPv2 etc)
- In testing environment external CA (and ONAP should use automated certificate retrieval as described in b) solution should be deployed
Requirements towards used interfaces
Kubernetes
- Cluster should be configured according to CIS guideline
Databases
- Each DB should be configured according to corresponding CIS guideline
- All DB should be already created or ONAP should be provided with user that is capable of creating DB
- If ONAP creates a DB a dedicated user account with privileges limited to that DB should be created. Password used for this user cannot be hardcoded in ONAP source.
xNF
As defined in ONAP VNF security requirements
NFVI
As defined in CNTT Reference Architecture 1 & 2
IAM
- IAM has to support OpenID connect standard
CA
- If automated certificate retrieval is used one of .... has to be supported by the CA
Requirements towards exposed interfaces
- North and south interfaces should be separated (ie different instance of ingress controller) to allow to configure operator network policy properly
- All Northbound interfaces has to be protected using TLS
- All Northbound interfaces has to support SSO
- All Northbound interfaces has to support RBAC
- All roles used in ONAP have to be documented
- All forms should validate and sanitize their input provided by the user
- Southbound interfaces has to fulfill VNF security requirements
- ...
