Hello AAI Experts, Jimmy Forsyth, et al, Need your help! When working with Casablanca version of AAI with AAF installed, I am getting ' *Access Denied* ' all the time. I am using the credentials defined here: https://github.com/onap/oom/blob/master/kubernetes/robot/values.yaml#L91-L127, so they should be inline with what's supported in Casablanca. The difference in our version of ONAP is the following:
* We are not using ' *onap* ' as the namespace * We are not using ' *302* ' as the nodePortPrefix * We are not using ' */dockerdata-nfs* ' as the persistent mountPath. Also, I have disabled aaf in aai charts, by putting "aafEnabled: false" and changed the following in aai values.yaml --> global. aaf: serverIp: <My K8s IP> serverHostname: aaf-service.<specific namespace> serverPort: {my-nodeportPrefix}47 With the above change, all the AAI pods are running fine after we adjusted the liveness and readiness timers for the AAI components. Here is the request and response: *Request with headers:* GET /aai/v14/cloud-infrastructure/cloud-regions HTTP/1.1 Host: 10.195.177.106:30733 Accept: application/json Content-Type: application/json X-FromAppId: AAI X-TransactionId: get_aai_subscr Authorization: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ== cache-control: no-cache Postman-Token: 993d9935-eeed-4dea-9349-ce2bc16c4787 *Response* : { "timestamp": 1542420538281, "status": 403, "error": "Forbidden", "message": "Access Denied", "path": "/aai/v14/cloud-infrastructure/cloud-regions" } I did some initial investigation: * After looking at AAI-Traversal logs at /opt/app/aai-traversal/logs/rest/sane.log or metrics.log, I found the following log printed again and again: * " 02:03:43.701 [qtp959869407-48] INFO org.onap.aai.config.aaf.AafFilter - User does not have permissions to run the query ". * Not sure why AafFilter class is invoked even though aaf is disabled? I drilled down further at the code and saw that AafFilter uses CadiFilter. Looking at cadi.properties (@/opt/app/aai-traversal/resources), it refers AAF_LOCATE_URL and AAF_NS but I don't see these variables present in the container's environment. Possible that I am going in an incorrect direction. Do we need to change anything in the AAI charts/configs (other than what I mentioned above), if we use a different namespace, nodePortPrefix or Persistent mountPath? Any pointers would be helpful. Thank you! Regards, Rahul -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#13825): https://lists.onap.org/g/onap-discuss/message/13825 Mute This Topic: https://lists.onap.org/mt/28195431/21656 Mute #aai: https://lists.onap.org/mk?hashtag=aai&subid=2740164 Group Owner: onap-discuss+ow...@lists.onap.org Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-