Hi Prakas,
  Can't remember if it was you I talked to during the AAF Meeting, I think so, 
but if not, and for others watching this message, here's where we are.

  First, for Beijing, when I arrived, a formal CA wasn't defined, so we had to 
make do with some Manual processes to get through.  That obviously isn't at 
all optimal.

  For Casablanca, we have committed to making the whole Configuration start-up 
for both AAF users and AAF itself much simpler, with the expectation that AAF 
can manage the Certificates without manual intervention.

  Knowing this is needed ASAP, I have been working hard, and am in Local 
Testing mode (with a Container).  I hope to have this simplified process done 
by EOW/End of Next week, in which I will spend writing documentation/informing 
in various venues how it works.  It has been suggested I make a video, which is 
an excellent suggestion, so I'll try to do that when doing the demo.

  1) Part of the new Process is to create and setup all the CADI Property files 
onto a Persistent Drive.  From there, you simply need to access that persistent 
Drive, and point to the initial Properties file for your client.  This setup, 
btw, also includes Validation, so you can tell without writing a Simple Client 
that the Configs are correct (this ability was there before, but not simple for 
ONAP, which wants things more automated... now it is)

  2) Security Team is driving for CADI Client as RESTful client, and I have 
refined the interface with SECCOM members.  Finishing out requires, of course, 
the Configuration, which is, as mentioned, close to complete.  This RESTful API 
is not only committed to, but mostly complete.

  3) AAF runs Separately.  When AAF is contacted depends on what element.  If 
2-way TLS Authentication, the primary method, there is no AAF interaction once 
the Cert is delivered (this is a value add for Certman... Authentication this 
way requires NO network hits, NO caching).  Basic Auth (user Password) (might 
be used for Portal GUIs, for instance) is cached.  Authorizations for API 
Enforcement Point, or Fine-Grained needs, are pulled from AAF, but are, as you 
mention, Cached.  The Enforcement Point in discussion has been being designed 
and discussed in SECCOM, and would be delivered by a contributor.  If this part 
isn't quite ready for Casablanca, we may add an AAF only piece that looks like 
it for Casablanca as time permits.

  4) Roles and permissions are expected to be done by Applications (the 
"Namespace" admins) in the GUI.  If this is something that needs automating, 
the Management API is available, and documented on the GUI itself (see Beijing 
Test Env)

  5) GUI problem, please send issue via email to me so we can enter an iTrack 
ticket, or if you can do yourself, that's ok.  Top priority, however, is the 
Configuration setup/Client API noted above, so ONAP entities can get to work.

  6) See above... working the Demo, which includes Client usage for next week 
hopefully.
