Bootstrapping AAF permissions and roles #aai #aaf

Jimmy Forsyth
 

Hi, Jonathan or other AAF SMEs,

 

What is your recommendation for seeding application permissions and assigning identities to roles?  Should AAI provide a set of roles/permissions that can be included with the seed scripts that are being run when instantiating demo environments? 

 

We want to do something like this (taken from Pavel Paroulek’s page on the wiki, https://wiki.onap.org/x/c4JlAg)

 

role create org.onap.aai.resources_all

perm create org.onap.aai.resources * get org.onap.aai.resources_all

perm create org.onap.aai.resources * put org.onap.aai.resources_all

perm create org.onap.aai.resources * post org.onap.aai.resources_all

perm create org.onap.aai.resources * patch org.onap.aai.resources_all

perm create org.onap.aai.resources * delete org.onap.aai.resources_all

user role add demo@... org.onap.aai.resources_all #just an example, add role to the correct user

role create org.onap.aai.resources_readonly

perm create org.onap.aai.resources * get org.onap.aai.resources_readonly

 

Thanks,

jimmy
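
Added example (not part of the original post, and not AAF or AAI project code): a pre-flight check that reads a seed file written in the three command forms shown above and reports grants or user bindings that point at a role not created earlier, and any non-read action on a role named *_readonly. Assumptions: the _readonly suffix marks read-only roles, "get" is the only read action, and the names SEED, parse and audit are hypothetical.

```python
# Constructed sample: a subset of the post's commands plus two deliberately
# wrong lines (7 and 8) so the audit has something to report.
SEED = """\
role create org.onap.aai.resources_all
perm create org.onap.aai.resources * get org.onap.aai.resources_all
perm create org.onap.aai.resources * delete org.onap.aai.resources_all
user role add demo@... org.onap.aai.resources_all  # identity elided as in the post
role create org.onap.aai.resources_readonly
perm create org.onap.aai.resources * get org.onap.aai.resources_readonly
perm create org.onap.aai.resources * put org.onap.aai.resources_readonly
user role add demo@... org.onap.aai.resources_typo
"""

READ_ACTIONS = {"get"}  # assumption: only "get" is treated as read-only

def parse(text):
    """Split seed text into role, perm and user-role records, keeping line numbers."""
    roles, grants, bindings = {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split("#", 1)[0].split()  # drop trailing comments
        if not tok:
            continue
        if tok[:2] == ["role", "create"] and len(tok) == 3:
            roles.setdefault(tok[2], n)  # remember the first line that creates it
        elif tok[:2] == ["perm", "create"] and len(tok) == 6:
            grants.append((n, tok[3], tok[4], tok[5]))  # instance, action, role
        elif tok[:3] == ["user", "role", "add"] and len(tok) == 5:
            bindings.append((n, tok[4]))
        else:
            raise ValueError(f"line {n}: unrecognised command: {raw!r}")
    return roles, grants, bindings

def audit(text):
    """Return (line, problem, detail) findings for a seed file."""
    roles, grants, bindings = parse(text)
    findings = []
    for n, _instance, action, role in grants:
        if roles.get(role, n + 1) > n:  # missing, or created on a later line
            findings.append((n, "perm granted to role not created earlier", role))
        if role.endswith("_readonly") and action not in READ_ACTIONS:
            findings.append((n, "non-read action on read-only role", action))
    for n, role in bindings:
        if roles.get(role, n + 1) > n:
            findings.append((n, "user bound to role not created earlier", role))
    return findings

if __name__ == "__main__":
    for finding in audit(SEED):
        print(finding)
```
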

 

Dominic Lunanuova
 

Adding #dmaap to Subject

 

I am also interested in this answer since apps need to define a Role which will be granted perm to pub/sub on a specific DMaaP MR topic.

I am currently assuming that the topic perm creation and grant steps will be done by Buscontroller as a result of calls to its API at deployment time. 

But, need to understand what is done in “seed scripts” first.

 

-Dom

 

From: onap-discuss@... [mailto:onap-discuss@...] On Behalf Of FORSYTH, JAMES
Sent: Thursday, September 6, 2018 1:10 PM
To: onap-discuss@...
Subject: [onap-discuss] Bootstrapping AAF permissions and roles #aaf #aai

 
