diff --git a/api-ref/source/v1/parameters_vnflcm.yaml b/api-ref/source/v1/parameters_vnflcm.yaml index 4d54100a5..27726540a 100644 --- a/api-ref/source/v1/parameters_vnflcm.yaml +++ b/api-ref/source/v1/parameters_vnflcm.yaml @@ -195,11 +195,7 @@ authentication_auth_type: an OAuth 2.0 bearer token, obtained using the client credentials grant type. - TLS_CERT: Every HTTP request to the - notification endpoint is sent over a mutually - authenticated TLS session, i.e. not only the - server is authenticated, but also the client is - authenticated during the TLS tunnel setup. + TLS_CERT is not supported. in: body required: true type: string diff --git a/api-ref/source/v2/parameters_vnffm.yaml b/api-ref/source/v2/parameters_vnffm.yaml index 938b16bc4..d6be697f6 100644 --- a/api-ref/source/v2/parameters_vnffm.yaml +++ b/api-ref/source/v2/parameters_vnffm.yaml 
@@ -72,6 +72,63 @@ authentication:
 in: body
 required: false
 type: string
+authentication_auth_type:
+ description: |
+ Defines the types of Authentication/Authorization which
+ the API consumer is willing to accept when receiving a
+ notification.
+ Permitted values:
+
+ BASIC: In every HTTP request to the
+ notification endpoint, use HTTP Basic
+ authentication with the client credentials.
+
+ OAUTH2_CLIENT_CREDENTIALS: In every HTTP request
+ to the notification endpoint, use an OAuth 2.0 token,
+ obtained using the client credentials grant type
+ after authenticating using client identifier and
+ client password towards the token endpoint.
+
+ OAUTH2_CLIENT_CERT: In every HTTP request to
+ the notification endpoint, use an OAuth 2.0 token,
+ obtained using the client credentials grant type
+ after mutually authenticating using client identifier
+ and X.509 certificates towards the token endpoint.
+
+ TLS_CERT is not supported.
+ in: body
+ required: true
+ type: array
+authentication_params_basic:
+ description: |
+ Parameters for authentication/authorization using BASIC.
+ Shall be present if authType is "BASIC" and the
+ contained information has not been provisioned out of
+ band. Shall be absent otherwise.
+ in: body
+ required: false
+ type: object
+authentication_params_oauth2_client_cert:
+ description: |
+ Parameters for authentication/authorization using
+ OAUTH2_CLIENT_CERT.
+ Shall be present if authType is "OAUTH2_CLIENT_CERT" and the
+ contained information has not been provisioned out of band.
+ Shall be absent otherwise.
+ in: body
+ required: false
+ type: object
+authentication_params_oauth2_client_credentials:
+ description: |
+ Parameters for authentication/authorization using
+ OAUTH2_CLIENT_CREDENTIALS.
+ Shall be present if authType is
+ "OAUTH2_CLIENT_CREDENTIALS" and the contained
+ information has not been provisioned out of band.
+ Shall be absent otherwise.
+ in: body
+ required: false
+ type: object
 callback_uri:
 description: |
 The URI of the endpoint to send the notification to.
@@ -229,6 +286,85 @@ object_instance: in: body required: false type: object +params_oauth2_client_cert_certificate_ref: + description: | + Fingerprint of the client certificate. The hash function + shall use SHA256 or higher. Shall be present if it has not + been provisioned out of band. + in: body + required: true + type: object +params_oauth2_client_cert_client_id: + description: | + Client identifier to be used in the access token request + of the OAuth 2.0 client credentials grant type. Shall be + present if it has not been provisioned out of band. + in: body + required: true + type: string +params_oauth2_client_cert_token_endpoint: + description: | + The token endpoint from which the access token can be + obtained. Shall be present if it has not been provisioned + out of band. + in: body + required: true + type: string +params_oauth2_client_cert_type: + description: | + The type of fingerprint. + Permitted values: + + x5t#S256: The SHA-256 thumbprint of the X.509 certificate + as defined in section 4.1.8 of IETF RFC 7515. + in: body + required: true + type: string +params_oauth2_client_cert_value: + description: | + The fingerprint value as defined by the type. Shall be + present if it has not been provisioned out of band. + in: body + required: true + type: string +params_oauth2_client_credentials_client_id: + description: | + Client identifier to be used in the access token request + of the OAuth 2.0 client credentials grant type. Shall be + present if it has not been provisioned out of band. + in: body + required: false + type: string +params_oauth2_client_credentials_client_password: + description: | + Client password to be used in the access token request + of the OAuth 2.0 client credentials grant type. Shall be + present if it has not been provisioned out of band. + in: body + required: false + type: string +params_oauth2_client_credentials_token_endpoint: + description: | + The token endpoint from which the access token can be + obtained. 
Shall be present if it has not been provisioned + out of band. + in: body + required: false + type: string +paramsBasic_password: + description: | + Password to be used in HTTP Basic authentication. + Shall be present if it has not been provisioned out of band. + in: body + required: false + type: string +paramsBasic_userName: + description: | + Username to be used in HTTP Basic authentication. + Shall be present if it has not been provisioned out of band. + in: body + required: false + type: string perceived_severity: description: | Perceived severity of the managed object failure. CRITICAL,MAJOR,MINOR, diff --git a/api-ref/source/v2/parameters_vnflcm.yaml b/api-ref/source/v2/parameters_vnflcm.yaml index 62843009e..f7eb8a97f 100644 --- a/api-ref/source/v2/parameters_vnflcm.yaml +++ b/api-ref/source/v2/parameters_vnflcm.yaml @@ -269,11 +269,7 @@ authentication_auth_type: after mutually authenticating using client identifier and X.509 certificates towards the token endpoint. - TLS_CERT: Every HTTP request to the - notification endpoint is sent over a mutually - authenticated TLS session, i.e. not only the - server is authenticated, but also the client is - authenticated during the TLS tunnel setup. + TLS_CERT is not supported. in: body required: true type: array diff --git a/api-ref/source/v2/parameters_vnfpm.yaml b/api-ref/source/v2/parameters_vnfpm.yaml index 8cf138248..e5fa3cfd0 100644 --- a/api-ref/source/v2/parameters_vnfpm.yaml +++ b/api-ref/source/v2/parameters_vnfpm.yaml @@ -44,11 +44,7 @@ authentication_auth_type: after mutually authenticating using client identifier and X.509 certificates towards the token endpoint. - TLS_CERT: Every HTTP request to the - notification endpoint is sent over a mutually - authenticated TLS session, i.e. not only the - server is authenticated, but also the client is - authenticated during the TLS tunnel setup. + TLS_CERT is not supported. in: body required: true type: array 
diff --git a/api-ref/source/v2/vnffm.inc b/api-ref/source/v2/vnffm.inc index 5074c0a57..baa5cbb8f 100644 --- a/api-ref/source/v2/vnffm.inc +++ b/api-ref/source/v2/vnffm.inc @@ -263,6 +263,20 @@ Request Parameters - probableCauses: filter_probable_causes - callbackUri: callback_uri - authentication: authentication + - authType: authentication_auth_type + - paramsBasic: authentication_params_basic + - userName: paramsBasic_userName + - password: paramsBasic_password + - paramsOauth2ClientCredentials: authentication_params_oauth2_client_credentials + - clientId: params_oauth2_client_credentials_client_id + - clientPassword: params_oauth2_client_credentials_client_password + - tokenEndpoint: params_oauth2_client_credentials_token_endpoint + - paramsOauth2ClientCert: authentication_params_oauth2_client_cert + - clientId: params_oauth2_client_cert_client_id + - certificateRef: params_oauth2_client_cert_certificate_ref + - type: params_oauth2_client_cert_type + - value: params_oauth2_client_cert_value + - tokenEndpoint: params_oauth2_client_cert_token_endpoint Request Example --------------- diff --git a/doc/source/user/v2/vnf/chg_vnfpkg/index.rst b/doc/source/user/v2/vnf/chg_vnfpkg/index.rst index 16c0dc501..beccc9025 100644 --- a/doc/source/user/v2/vnf/chg_vnfpkg/index.rst +++ b/doc/source/user/v2/vnf/chg_vnfpkg/index.rst @@ -230,7 +230,7 @@ You can set following parameter in additionalParams: * ``vnfdId`` is the VNFD id of the new VNF package you uploaded. * ``lcm-operation-coordinate-old-vnf`` and ``lcm-operation-coordinate-new-vnf`` are unique implementations of Tacker - to simulate the coordination interface in `ETSI SOL002 v3.5.1`_. Mainly a + to simulate the coordination interface in `ETSI SOL002 v3.6.1`_. Mainly a script that can communicate with the VM after the VM is created, perform special customization of the VM or confirm the status of the VM. * ``vimConnectionInfo`` is an optional parameter. 
@@ -1174,7 +1174,7 @@ The samples make the following updates: .. _Heat CLI reference: https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/heat.html -.. _ETSI SOL002 v3.5.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.05.01_60/gs_nfv-sol002v030501p.pdf +.. _ETSI SOL002 v3.6.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.06.01_60/gs_nfv-sol002v030601p.pdf .. _test_instantiate_vnf_with_old_image_or_volume for 2023.2 Bobcat: https://opendev.org/openstack/tacker/src/branch/stable/2023.2/tacker/tests/functional/sol_v2_common/samples/test_instantiate_vnf_with_old_image_or_volume .. _test_change_vnf_pkg_with_new_image for 2023.2 Bobcat: diff --git a/doc/source/user/v2/vnf/chg_vnfpkg_with_standard/index.rst b/doc/source/user/v2/vnf/chg_vnfpkg_with_standard/index.rst index f44269ba7..3964b562a 100644 --- a/doc/source/user/v2/vnf/chg_vnfpkg_with_standard/index.rst +++ b/doc/source/user/v2/vnf/chg_vnfpkg_with_standard/index.rst @@ -259,7 +259,7 @@ definition file before running command. * ``lcm-operation-coordinate-old-vnf`` and ``lcm-operation-coordinate-new-vnf`` are unique implementations of Tacker to simulate the coordination interface in - `ETSI NFV-SOL002 v3.5.1`_. + `ETSI NFV-SOL002 v3.6.1`_. Mainly a script that can communicate with the VM after the VM is created, perform special customization of the VM or confirm the status of the VM. 
@@ -1112,7 +1112,7 @@ The samples make the following updates: .. _Heat CLI reference: https://docs.openstack.org/python-openstackclient/latest/cli/plugin-commands/heat.html -.. _ETSI NFV-SOL002 v3.5.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.05.01_60/gs_nfv-sol002v030501p.pdf +.. _ETSI NFV-SOL002 v3.6.1: https://www.etsi.org/deliver/etsi_gs/NFV-SOL/001_099/002/03.06.01_60/gs_nfv-sol002v030601p.pdf .. _userdata_standard for 2023.2 Bobcat: https://opendev.org/openstack/tacker/src/branch/stable/2023.2/tacker/tests/functional/sol_v2_common/samples/userdata_standard .. _userdata_standard_change_vnfpkg_nw for 2023.2 Bobcat: diff --git a/tacker/sol_refactored/api/schemas/common_types.py b/tacker/sol_refactored/api/schemas/common_types.py index feef8b823..6f716b1cf 100644 --- a/tacker/sol_refactored/api/schemas/common_types.py +++ b/tacker/sol_refactored/api/schemas/common_types.py @@ -122,7 +122,7 @@ _IpAddresses = { 'additionalProperties': True } -# SOL013 v3.5.1 8.3.4 +# SOL013 v3.4.1 8.3.4 SubscriptionAuthentication = { 'type': 'object', 'properties': { @@ -131,8 +131,11 @@ SubscriptionAuthentication = { 'items': { 'type': 'string', 'enum': [ + # NOTE: 'TLS_CERT' is not supported 'BASIC', 'OAUTH2_CLIENT_CREDENTIALS', + # NOTE: 'OAUTH2_CLIENT_CERT' is defined + # in NFV-SOL 013 v3.5.1 8.3.4 'OAUTH2_CLIENT_CERT'] } }, @@ -151,6 +154,8 @@ SubscriptionAuthentication = { 'tokenEndpoint': {'type': 'string'} } }, + # NOTE: 'paramsOauth2ClientCert' is defined + # in NFV-SOL 013 v3.5.1 8.3.4 'paramsOauth2ClientCert': { 'type': 'object', 'properties': { diff --git a/tacker/sol_refactored/api/schemas/vnflcm_v2.py b/tacker/sol_refactored/api/schemas/vnflcm_v2.py index 557dde940..a9d94af11 100644 --- a/tacker/sol_refactored/api/schemas/vnflcm_v2.py +++ b/tacker/sol_refactored/api/schemas/vnflcm_v2.py 
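Review bot: The added `# NOTE: 'TLS_CERT' is not supported` sits inside the `enum` list directly above `'BASIC'` (common_types.py, hunk at -131,8), where it reads as a remark on BASIC rather than on a value that was left out. Leaving the value out of the enum is presumably what makes request validation refuse it, so I would move the comment above the `'enum': [` line and word it as `# NOTE: 'TLS_CERT' is intentionally omitted; Tacker does not support it`. The same placement appears in the `_SubscriptionAuthentication` hunk of vnflcm_v2.py. The schema dict starts and ends outside this hunk.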
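Review bot: `paramsOauth2ClientCredentials` appears to close without a `required` list in common_types.py (hunk at -151,6): the context goes from `'tokenEndpoint': {'type': 'string'}` straight to the closing braces, while the copy in vnflcm_v2.py touched by this same commit carries `'required': ['clientId', 'clientPassword', 'tokenEndpoint']`. If nothing later checks it, a subscription could declare OAUTH2_CLIENT_CREDENTIALS and omit the credentials, and what the notification sender does in that case is not visible from this diff. Consider adding the same `'required'` line here, or a comment saying where the check happens. The schema dict starts and ends outside the hunk, so a `required` key placed elsewhere cannot be ruled out.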
@@ -157,7 +157,7 @@ ChangeExtVnfConnectivityRequest_V200 = { 'additionalProperties': True, } -# SOL013 v3.5.1 8.3.4 +# SOL013 v3.4.1 8.3.4 _SubscriptionAuthentication = { 'type': 'object', 'properties': { @@ -166,8 +166,11 @@ _SubscriptionAuthentication = { 'items': { 'type': 'string', 'enum': [ + # NOTE: 'TLS_CERT' is not supported 'BASIC', 'OAUTH2_CLIENT_CREDENTIALS', + # NOTE: 'OAUTH2_CLIENT_CERT' is defined + # in NFV-SOL 013 v3.5.1 8.3.4 'OAUTH2_CLIENT_CERT'] } }, @@ -192,6 +195,8 @@ _SubscriptionAuthentication = { # band is not supported. 'required': ['clientId', 'clientPassword', 'tokenEndpoint'] }, + # NOTE: 'paramsOauth2ClientCert' is defined + # in NFV-SOL 013 v3.5.1 8.3.4 'paramsOauth2ClientCert': { 'type': 'object', 'properties': { diff --git a/tacker/sol_refactored/objects/common/subscription_authentication.py b/tacker/sol_refactored/objects/common/subscription_authentication.py index 34115a09d..96a37410f 100644 --- a/tacker/sol_refactored/objects/common/subscription_authentication.py +++ b/tacker/sol_refactored/objects/common/subscription_authentication.py @@ -18,7 +18,7 @@ from tacker.sol_refactored.objects import fields # NFV-SOL 013 -# - v3.5.1 Table 8.3.4-1 +# - v3.4.1 Table 8.3.4-1 @base.TackerObjectRegistry.register class SubscriptionAuthentication(base.TackerObject, base.TackerObjectDictCompat): @@ -31,7 +31,10 @@ class SubscriptionAuthentication(base.TackerObject, valid_values=[ 'BASIC', 'OAUTH2_CLIENT_CREDENTIALS', + # NOTE: 'OAUTH2_CLIENT_CERT' is defined + # in NFV-SOL 013 v3.5.1 Table 8.3.4-1 'OAUTH2_CLIENT_CERT', + # `TLS_CERT` is not supported 'TLS_CERT', ], nullable=False), 
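Review bot: `'TLS_CERT'` stays in `valid_values` in subscription_authentication.py (hunk at -31,7) while the new comment above it says it is not supported, so the object field still accepts a value that the API schemas in this commit leave out of their `enum`. Any path that builds a SubscriptionAuthentication without going through those schemas could carry TLS_CERT to the notification code, whose handling of it is not visible here. Either drop the entry, or make the comment say why it is kept, for example `# NOTE: 'TLS_CERT' is not supported; rejected by the request schema, kept here only for <reason>`. The comment also lacks the `NOTE:` prefix used by the other comments added in this list. The class body continues outside the hunk.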
@@ -39,6 +42,8 @@ class SubscriptionAuthentication(base.TackerObject,
 'SubscriptionAuthentication_ParamsBasic', nullable=True),
 'paramsOauth2ClientCredentials': fields.ObjectField(
 'SubscriptionAuthentication_ParamsOauth2', nullable=True),
+ # NOTE: 'paramsOauth2ClientCert' is defined
+ # in NFV-SOL 013 v3.5.1 Table 8.3.4-1
 'paramsOauth2ClientCert': fields.ObjectField(
 'SubscriptionAuthentication_ParamsOauth2ClientCert',
 nullable=True),