Hey Rahul,

you are going in the right direction (somewhat).

If you want to disable AAF in AAI you have to go to values.yaml in the AAI
chart and replace the word aaf-auth with one-way-ssl as shown in this commit:
https://gerrit.onap.org/r/gitweb?p=oom.git;a=commitdiff;h=b6b6adcc92a531e391b11fb6d27124e5d0c0af56

I am not sure if your aim is to have AAF disabled though. Having a different
namespace than “onap” was causing authentication problems (I don’t know if this
is still the case) because AAF certs are bound to that name (namespace is part
of the aaf hostname).

Changing any settings means you are not on the happy path, I recommend trying
first with default values.

Br
Pavel

---- On Sat, 17 Nov 2018 18:56:44 +0100 Rahul Sharma <[email protected]> wrote ----

Hello AAI Experts, Jimmy Forsyth, et al,

Need your help! When working with Casablanca
version of AAI with AAF installed, I am getting 'Access Denied' all the time. I
am using the credentials defined here:
https://github.com/onap/oom/blob/master/kubernetes/robot/values.yaml#L91-L127,
so they should be in line with what's supported in Casablanca.

The difference in our version of ONAP is the following:

- We are not using 'onap' as the namespace
- We are not using '302' as the nodePortPrefix
- We are not using '/dockerdata-nfs' as the persistent mountPath.

Also, I have disabled aaf in aai charts, by putting "aafEnabled: false" and
changed the following in aai values.yaml --> global.

    aaf:
      serverIp: <My K8s IP>
      serverHostname: aaf-service.<specific namespace>
      serverPort: {my-nodeportPrefix}47

With the above change, all the AAI pods are running fine after we adjusted the
liveness and readiness timers for the AAI components.

Here is the request and response:

Request with headers:

    GET /aai/v14/cloud-infrastructure/cloud-regions HTTP/1.1
    Host: 10.195.177.106:30733
    Accept: application/json
    Content-Type: application/json
    X-FromAppId: AAI
    X-TransactionId: get_aai_subscr
    Authorization: Basic YWFpQGFhaS5vbmFwLm9yZzpkZW1vMTIzNDU2IQ==
    cache-control: no-cache
    Postman-Token: 993d9935-eeed-4dea-9349-ce2bc16c4787

Response:

    {
      "timestamp": 1542420538281,
      "status": 403,
      "error": "Forbidden",
      "message": "Access Denied",
      "path": "/aai/v14/cloud-infrastructure/cloud-regions"
    }

I did some initial investigation:

After looking at AAI-Traversal logs at
/opt/app/aai-traversal/logs/rest/sane.log or metrics.log, I found the following
log printed again and again:

    "02:03:43.701 [qtp959869407-48] INFO org.onap.aai.config.aaf.AafFilter - User does not have permissions to run the query".

Not sure why AafFilter class is invoked even though aaf is disabled?

I drilled down further into the code and saw that AafFilter uses CadiFilter.
Looking at cadi.properties (@/opt/app/aai-traversal/resources), it refers to
AAF_LOCATE_URL and AAF_NS but I don't see these variables present in the
container's environment. Possible that I am going in an incorrect direction.

Do we need to change anything in the AAI charts/configs (other than what I
mentioned above), if we use a different namespace, nodePortPrefix or Persistent
mountPath? Any pointers would be helpful.

Thank you!

Regards,
Rahul
View/Reply Online (#13826): https://lists.onap.org/g/onap-discuss/message/13826