Trusting Other Authentication Entities¶
Few Transactions in an Organization of any size touch only one service. This is even more true with MicroService Architecture.
In AAF, EVERY Tranasction must be Authenticated from the Caller, but in App-to-App situations, not every Authorization should be evaluated on the underlying caller.
Define the Permission this App will use for Trust, and add to Service’s “Cadi Properties” Ex:
In the AAF Service, user the AAF CMDline interface to create Permission that matches above, and role
Given that an App may trust “ONAP Portal” to have validated an end-user, and that ONAP Portal’s Identity is firstname.lastname@example.org,
role create org.onap.aai.trusted email@example.com perm create org.onap.aai.user_chain|org.onap|trust org.onap.aai.trusted
Note: These instructions are for first Identity, which both creates Role and Perm, and adds User, Grants Perm. Admin may separate the commands of “create” and “grant”/”add”, see CUI help.
The CADI client, when used, will create USER_CHAIN property automatically, but not all CLIENTs are CADI. For NON-CADI HTTP Clients, do the following:
Create an HTTP Header property called “USER_CHAIN” * The syntax for the value is:
<AAF ID>:<service Reference>:<Authentication Type>[:AS][,<ID>:<reference>:<type>]*
- Where “:AS” is the indicator that you want the Service to treat the transaction as if it came from the end client.
<AAF_ID> is the Identity of the Calling Client (End Client) <service Reference> should be the Service’s AAF Namespace and microservice name, separated by ‘.’ <Authentication Type> should be how the Client was Authenticated
BAth - BasicAuth x509 - X509 Client Certificate
<other Organization defined Types are acceptable, but should be 4 chars long for ease of use, and match any TAF Adapters used to validate>
- USER_CHAIN: firstname.lastname@example.org:org.onap.aai:BAth:AS
- What Happens:
- Cadi Code (such as what is in CadiFilter)
- Reads the USER_CHAIN
- IF the last USER_CHAIN Entry ends with “:AS”…
- Checks to see if the Identity is the same as Service (nice for Model-View-Controller and multi-MS applications) OR
- if the incoming caller has the Permission specified in “cadi_trust_perm”
- THEN a new “TrustPrincipal” is created, which takes on the identity of the “:AS” identified Identity for the purposes of Authentication.