Hello AAI Experts, Jimmy Forsyth, et al,
Need your help!
When working with Casablanca version of AAI with AAF installed, I am getting '
*Access Denied* ' all the time.
I am using the credentials defined here:
https://github.com/onap/oom/blob/master/kubernetes/robot/values.yaml#L91-L127,
so they should be inline with what's supported in Casablanca.
The difference in our version of ONAP is the following:
* We are not using ' *onap* ' as the namespace
* We are not using ' *302* ' as the nodePortPrefix
* We are not using ' */dockerdata-nfs* ' as the persistent mountPath.
Also, I have disabled aaf in aai charts, by putting "aafEnabled: false" and
changed the following in aai values.yaml --> global.
aaf:
serverIp: <My K8s IP>
serverHostname: aaf-service.<specific namespace>
serverPort: {my-nodeportPrefix}47
With the above change, all the AAI pods are running fine after we adjusted the
liveness and readiness timers for the AAI components.
Here is the request and response:
*Request with headers:*
GET /aai/v14/cloud-infrastructure/cloud-regions HTTP/1.1
Host: 10.195.177.106:30733
Accept: application/json
Content-Type: application/json
X-FromAppId: AAI
X-TransactionId: get_aai_subscr
Authorization: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
cache-control: no-cache
Postman-Token: 993d9935-eeed-4dea-9349-ce2bc16c4787
*Response* :
{
"timestamp": 1542420538281,
"status": 403,
"error": "Forbidden",
"message": "Access Denied",
"path": "/aai/v14/cloud-infrastructure/cloud-regions"
}
I did some initial investigation:
* After looking at AAI-Traversal logs at
/opt/app/aai-traversal/logs/rest/sane.log or metrics.log, I found the following
log printed again and again:
* " 02:03:43.701 [qtp959869407-48] INFO org.onap.aai.config.aaf.AafFilter -
User does not have permissions to run the query ".
* Not sure why AafFilter class is invoked even though aaf is disabled?
I drilled down further at the code and saw that AafFilter uses CadiFilter.
Looking at cadi.properties (@/opt/app/aai-traversal/resources), it refers
AAF_LOCATE_URL and AAF_NS but I don't see these variables present in the
container's environment.
Possible that I am going in an incorrect direction.
Do we need to change anything in the AAI charts/configs (other than what I
mentioned above), if we use a different namespace, nodePortPrefix or Persistent
mountPath? Any pointers would be helpful.
Thank you!
Regards,
Rahul
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#13825): https://lists.onap.org/g/onap-discuss/message/13825
Mute This Topic: https://lists.onap.org/mt/28195431/21656
Mute #aai: https://lists.onap.org/mk?hashtag=aai&subid=2740164
Group Owner: onap-discuss+ow...@lists.onap.org
Unsubscribe: https://lists.onap.org/g/onap-discuss/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
