...
The policy author should develop DRL rules in the IDE of their choice (e.g. Eclipse or IntelliJ), together with the JUnit tests needed to ensure the rules compile and make the expected decisions.
After DRL rule development, the policy author should submit the composed rules for git review, then deploy the new jar containing the new DRL rules to the existing nexus repos that hold the released artifacts currently supported by the runtime PDP-D engines.
...
2. Policy Lifecycle API CRUD Enhancements
To distinguish between native policy/rule types, the REST header "Content-Type" is set to a value specific to each PDP engine's content.
...
application/vnd.onap.drools+text
application/vnd.onap.drools.mvn+xml
...
Drools DRL text files. Question: Does Drools have a custom content-type already?
Maven XML dependency specification for a Java artifact containing Drools rules. Does Maven have a custom content-type?
...
Per http://docs.oasis-open.org/xacml/xacml-rest/v1.0/cos01/xacml-rest-v1.0-cos01.html
...
2.1 PDP-D Content-Types
Two Content-Types can be used by policy authors to create native Drools rules: "application/vnd.onap.drools+text" and "application/vnd.onap.drools.mvn+xml".
"application/vnd.onap.drools+text" refers to native Drools DRL text content. When Drools authors use this Content-Type in a POST call, they only need to provide the DRL text in the payload. One payload example is shown below:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
package org.onap.policy.controlloop.ran;
import org.onap.policy.controlloop.ran.event.SampleMsEvent;
import org.onap.policy.controlloop.ran.Enodeb;
import org.slf4j.LoggerFactory;
import org.slf4j.Logger;
// Fact type holding the control loop this rule set is bound to.
declare Params
    closedLoopControlName: String
end
// Fires once at session start and seeds the Params fact.
rule "INIT"
    when
    then
        Logger logger = LoggerFactory.getLogger(drools.getRule().getPackage());
        // params must be created before it can be logged.
        Params params = new Params();
        params.setClosedLoopControlName("example-name");
        logger.info("{}: {}", params.getClosedLoopControlName(), drools.getRule().getName());
        insert(params);
end
// Reboots the eNodeB for every event that belongs to this control loop.
rule "EVENT"
    when
        $params : Params( $clName : getClosedLoopControlName() )
        $event : SampleMsEvent( closedLoopControlName == $clName )
    then
        Logger logger = LoggerFactory.getLogger(drools.getRule().getPackage());
        // Use the bound variable $clName; there is no local "params" in this rule.
        logger.info("{}: {}", $clName, drools.getRule().getName());
        Enodeb enb = new Enodeb($event);
        enb.reboot();
        retract($event);
end |
One limitation of the "application/vnd.onap.drools+text" Content-Type is that the payload contains only native DRL content, without the other dependency information (i.e. dependency artifacts) that must also be loaded into Drools memory to support execution of the native rules. In the example above, "SampleMsEvent", "Enodeb" and "Logger" come from other dependency artifacts. When the Drools PDP-D receives this set of native rules deployed from PAP, it does not know how many dependencies to load into memory along with the rules themselves to support their execution. If the deployed rules cannot be executed due to missing dependencies, the PAP policy deployment API should return 400 Bad Request.
To bridge the gap, one solution is to use the "application/vnd.onap.drools+text" Content-Type only when modifying rules (i.e. updating them) in a way that does not introduce new dependencies. Suppose a set of rules is already running in PDP-D with all required dependencies loaded, and a new requirement changes the logic in one rule, e.g. resetting the eNodeB rather than rebooting it. All I want to modify is line #34 in the above example, changing enb.reboot() to enb.reset(), given that both reboot() and reset() are supported in the org.onap.policy.controlloop.ran.Enodeb dependency model. In this case, I can make the PUT call with the "application/vnd.onap.drools+text" Content-Type to update the rules.
The next question is how to bring in a new set of rules for a new application that has never run in PDP-D before. The second Content-Type, "application/vnd.onap.drools.mvn+xml", is designed for this purpose. When the policy author makes the POST call with the "application/vnd.onap.drools.mvn+xml" Content-Type, the payload must provide a Maven XML dependency specification for a Java artifact that contains the new DRL rules. The policy author needs to make sure that the Java artifact specified in this payload is already deployed to the nexus repo used by the runtime PDP-D engine before calling the POST API. Otherwise, the POST API should return 400 Bad Request if the specified artifact is missing in nexus.
To be discussed: where should this artifact existence check go, in the API or in PAP?
One example payload with the "application/vnd.onap.drools.mvn+xml" Content-Type is shown below, reusing the rule example above.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
<modelVersion>4.0.0</modelVersion>
<dependencies>
<dependency>
<groupId>org.onap.policy.native</groupId>
<artifactId>policy-ran-optimization</artifactId>
<version>1.0.0-SNAPSHOT</version>
</dependency>
</dependencies>
</project> |
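One way the POST handler could validate an "application/vnd.onap.drools.mvn+xml" payload before accepting it, as an added example that is not ONAP code. The function names, the `NEXUS_INDEX` stand-in for a real nexus lookup, the 415 status, the refusal of DTDs and the strict enforcement of the fixed groupId are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

POM_NS = {"m": "http://maven.apache.org/POM/4.0.0"}
MVN_CONTENT_TYPE = "application/vnd.onap.drools.mvn+xml"
NATIVE_GROUP_ID = "org.onap.policy.native"  # assumption: the fixed groupId is enforced

# Constructed stand-in for a nexus lookup: coordinates that are already deployed.
NEXUS_INDEX = {("org.onap.policy.native", "policy-ran-optimization", "1.0.0-SNAPSHOT")}

# Constructed sample payload, modelled on the example above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <dependencies>
    <dependency>
      <groupId>org.onap.policy.native</groupId>
      <artifactId>policy-ran-optimization</artifactId>
      <version>1.0.0-SNAPSHOT</version>
    </dependency>
  </dependencies>
</project>"""


def parse_coordinates(payload: str):
    """Return (groupId, artifactId, version) or raise ValueError."""
    # The payload is untrusted input: refuse DTDs outright so that no
    # entity declarations are ever handed to the XML parser.
    if "<!DOCTYPE" in payload or "<!ENTITY" in payload:
        raise ValueError("DTD/entity declarations are not allowed")
    try:
        root = ET.fromstring(payload)
    except ET.ParseError as exc:
        raise ValueError(f"malformed XML: {exc}") from None
    deps = root.findall("m:dependencies/m:dependency", POM_NS)
    if len(deps) != 1:
        raise ValueError("exactly one <dependency> is expected")
    fields = []
    for tag in ("groupId", "artifactId", "version"):
        text = (deps[0].findtext(f"m:{tag}", default="", namespaces=POM_NS) or "").strip()
        if not text:
            raise ValueError(f"<{tag}> is missing or empty")
        fields.append(text)
    return tuple(fields)


def create_native_drools_policy(content_type: str, payload: str, nexus_index=NEXUS_INDEX):
    """Return (http_status, body) for the POST call described above."""
    if content_type.split(";")[0].strip().lower() != MVN_CONTENT_TYPE:
        return 415, {"error": "unsupported Content-Type"}  # assumption: not specified on the page
    try:
        group_id, artifact_id, version = parse_coordinates(payload)
    except ValueError as exc:
        return 400, {"error": str(exc)}
    if group_id != NATIVE_GROUP_ID:
        return 400, {"error": f"groupId must be {NATIVE_GROUP_ID}"}
    # Artifact existence check: reject before anything reaches a PDP-D.
    if (group_id, artifact_id, version) not in nexus_index:
        return 400, {"error": f"{artifact_id}:{version} is not deployed to nexus"}
    return 200, {"policy-id": artifact_id, "policy-version": version, "Content-Type": "drools"}
```

The same function can sit in either the API or PAP; only the source of `nexus_index` changes.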
2.2 PDP-X Content-Types
"application/xacml+xml; version=3.0" is the custom Content-Type for native XACML policies. The payload is typically an XML document using XACML reserved keywords. For native XACML policy CRUD, this Content-Type is used to encode the policy content. Below is one example of a native XACML policy under the "application/xacml+xml; version=3.0" Content-Type.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
PolicyId="urn:oasis:names:tc:xacml:2.0:example:IIA009:policy"
RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os
access_control-xacml-2.0-policy-schema-os.xsd">
<Description>
Example Policy for Illustration.
</Description>
<Target/>
<Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:example:IIA009:rule">
<Description>
Julius Hibbert can read or write Bart Simpson's medical record.
</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
</Policy> |
2.3 PDP-A Content-Types
TBA
2.4 Endpoint Details
The Policy Lifecycle API will need to support new endpoints that consume these PDP-specific Content-Types, as well as the ability to save them to the database.
...
Creates a native drools policy.
Returns the id, version and created drl contents.
Note: policy-id is the same as <artifactId> specified in the payload; version is the same as <version> specified in the payload; <groupId> specified in the payload could be a fixed one for all native drools policies, e.g. org.onap.policy.native.
200
Code Block |
---|
{
"policy-id": "example-policy",
"policy-version": "1.0.0",
"Content-Type": "drools"
} |
...
Updates a native drools policy.
Returns the id, version and updated DRL contents.
Note: version is auto-incremented from the original one. For example, if the original version is "1.0.0", the version returned after this PUT call could be "1.0.1".
200
Code Block |
---|
{
"policy-id": "example-policy",
"policy-version": "1.0.1",
"Content-Type": "drools"
} |
...
Create a native xacml policy
200
Code Block |
---|
{
"policy-id": "example-policy",
"policy-version": "1.0.1",
"Content-Type": "xacml"
} |
...
200
Code Block |
---|
{
"policy-id": "example-policy",
"policy-version": "1.0.1",
"Content-Type": "apex"
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policies": [
{ "policy-id": "id-1",
"policy-version": "1.0.0",
"Content-Type": "drools"
},
{
"policy-id": "id-2",
"policy-version": "1.1.0",
"Content-Type": "xacml"
},
{
"policy-id": "id-3",
"policy-version": "1.2.0",
"Content-Type": "apex"
}
]
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policies": [
{ "policy-id": "id-1",
"policy-version": "1.0.0",
"Content-Type": "drools"
},
{
"policy-id": "id-1",
"policy-version": "1.0.1",
"Content-Type": "drools"
},
{
"policy-id": "id-1",
"policy-version": "1.0.2",
"Content-Type": "drools"
}
]
} |
...
application/vnd.onap.drools+text
application/xacml+xml; version=3.0
application/vnd.onap.apex+json
...
200
Code Block |
---|
policy text in DRL/XACML-XML/APEX-JSON |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policy-id": "example-policy",
"policy-version": "1.0.1",
"Content-Type": "drools"
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
("pdpGroup1","1.0.0"): [
{
"policy-id": "example-policy",
"policy-version": "1.0.0",
"Content-Type": "drools"
},
{
"policy-id": "example-policy",
"policy-version": "1.1.0",
"Content-Type": "drools"
}
]
} |
...
application/vnd.onap.drools+text
application/xacml+xml; version=3.0
application/vnd.onap.apex+json
...
200
Code Block |
---|
policy text in DRL/XACML-XML/APEX-JSON |
A safety net should be implemented for DELETE: if a policy version is deployed in any PDP, it cannot be deleted. A 409 Conflict should be returned along with a message saying in which PDP this policy id:version is deployed.
3. PAP Enhancements
PDP engines must now register with the PAP the native Content-Types they support in order for the PAP engine to deploy policies to the PDPs. This will require an additional parameter in the Group Deploy/Undeploy to list the supported Content-Types for the PDP engine. The proposal is to add a field "supportedContentTypes".
3.1 Example of PDP Register
The only change needed is to add "supportedContentTypes" to the PDP status message when it registers itself with PAP. For example:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{
"pdpType": "xacml",
"state": "PASSIVE",
"healthy": "HEALTHY",
"supportedPolicyTypes": [
{
"name": "onap.Monitoring",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.cdap.tca.hi.lo.app",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.docker.sonhandler.app",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.FrequencyLimiter",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.MinMax",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.Blacklist",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.AffinityPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.DistancePolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.HpaPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.OptimizationPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.PciPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.QueryPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.SubscriberPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.Vim_fit",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.VnfPolicy",
"version": "1.0.0"
}
],
"supportedContentTypes": [
{
"name": "application/xacml+xml; version=3.0",
"version": "1.0.0"
}
],
"policies": [],
"messageName": "PDP_STATUS",
"requestId": "77f42778-f19a-47a6-a9a1-984cbb125d96",
"timestampMs": 1571244733313,
"name": "FLCDTL02JH7358"
} |
...
...
3. PAP Enhancements
PDP engines must now register with PAP the new policy types for the native policies they support in order for PAP to deploy policies to the PDPs. This requires an additional entry in the supported policy types list to indicate which native policy type each specific PDP engine can support.
3.1 Example of PDP Register
The only change needed is to add a new supported policy type to the PDP status message when it registers itself with PAP. For the XACML PDP, the new policy type "onap.policies.controlloop.native.Xacml" should be added. Likewise, the new policy type "onap.policies.controlloop.native.Drools" should be added when the Drools PDP registers itself with PAP. For example:
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{ "pdpType": "xacml", "state": "PASSIVE", "healthy": "HEALTHY", "supportedPolicyTypes": [ { "name": "onap.Monitoring", "version": "1.0.0" }, { "name": "onap.policies.monitoring.cdap.tca.hi.lo.app", "version": "1.0.0" }, { "name": "onap.policies.controlloop.Operational.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "version": "1.0.0" } ], "supportedContentTypes": [ { "name": "application/vnd.onap.drools+textonap.policies.monitoring.docker.sonhandler.app", "version": "1.0.0" }, { "name": "application/vnd.onap.drools.mvn+xmlonap.policies.controlloop.guard.FrequencyLimiter", "version": "1.0.0" }, ], "policies": [],{ "messageName": "PDP_STATUS", "requestIdname": "8ae9fe00-8979-460f-83b2-92d7bd517c34", "timestampMs": 1571244753326, "name": "XGIQPQ96FL9182" } |
Question: Do we need a version attached to the native content-type? Might be easier to keep it around.
3.2 Example PDP Group Deploy
The only change needed is to add "supportedContentTypes" in each "pdpSubGroups" to indicate what kind of native policies it can support. Typically, the Drools PDP will support both "application/vnd.onap.drools+text" and "application/vnd.onap.drools.mvn+xml". The XACML PDP will need to support "application/xacml+xml; version=3.0" and the APEX PDP will need to support "application/vnd.onap.apex+json". Likewise, the same "supportedContentTypes" also needs to be added to the PDP group query return.
Below is one example of deploying a PDP group.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{ "groups": [ { onap.policies.controlloop.guard.MinMax", "version": "1.0.0" }, { "name": "onap.policies.controlloop.guard.Blacklist", "version": "1.0.0" }, { "name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "version": "1.0.0" }, { "name": "defaultGrouponap.policies.optimization.AffinityPolicy", "descriptionversion": "1.0.0"The default group that registers all supported policy types and pdps." }, { "pdpGroupStatename": "ACTIVEonap.policies.optimization.DistancePolicy", "version": "1.0.0" "properties": {}, { "name": "pdpSubgroups": [onap.policies.optimization.HpaPolicy", "version": "1.0.0" }, { "name": "onap.policies.optimization.OptimizationPolicy", "pdpTypeversion": "apex1.0.0", }, { "supportedPolicyTypesname": ["onap.policies.optimization.PciPolicy", "version": "1.0.0" }, { { "name": "onap.policies.optimization.QueryPolicy", "version": "1.0.0" }, { "name": "onap.policies.controlloopoptimization.operational.ApexSubscriberPolicy", "version": "1.0.0" }, { "name": "onap.policies.optimization.Vim_fit", "version": "1.0.0" }, { "name": "onap.policies.optimization.VnfPolicy", } "version": "1.0.0" }, { ], "supportedContentTypes": [ { "name": "onap.policies.controlloop.native.Xacml", "version": "1.0.0" } ], "policies": [], "messageName": "PDP_STATUS", "requestId": "77f42778-f19a-47a6-a9a1-984cbb125d96", "timestampMs": 1571244733313, "name": "FLCDTL02JH7358" } |
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{
  "pdpType": "drools",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "supportedPolicyTypes": [
    { "name": "onap.policies.controlloop.Operational", "version": "1.0.0" },
    { "name": "onap.policies.controlloop.native.Drools", "version": "1.0.0" }
  ],
  "policies": [],
  "messageName": "PDP_STATUS",
  "requestId": "8ae9fe00-8979-460f-83b2-92d7bd517c34",
  "timestampMs": 1571244753326,
  "name": "XGIQPQ96FL9182"
} |
3.2 Example PDP Group Deploy
As with the PDP registration message, the same native policy type should be added to the supported policy types list to indicate which type of native policies each pdpSubGroup can support.
Below is one example of deploying a PDP group.
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
{
  "groups": [
    {
      "name": "defaultGroup",
      "description": "The default group that registers all supported policy types and pdps.",
      "pdpGroupState": "ACTIVE",
      "properties": {},
      "pdpSubgroups": [
        {
          "pdpType": "apex",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.operational.Apex", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.native.Apex", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "apex_35", "pdpState": "ACTIVE", "healthy": "HEALTHY", "message": "Pdp Heartbeat" }
          ]
        },
        {
          "pdpType": "drools",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.Operational", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.native.Drools", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "dev-policy-drools-0", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        },
        {
          "pdpType": "xacml",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.guard.FrequencyLimiter", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.MinMax", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.Blacklist", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "version": "1.0.0" },
            { "name": "onap.Monitoring", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.cdap.tca.hi.lo.app", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.docker.sonhandler.app", "version": "1.0.0" },
            { "name": "onap.policies.optimization.AffinityPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.DistancePolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.HpaPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.OptimizationPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.PciPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.QueryPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.SubscriberPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.Vim_fit", "version": "1.0.0" },
            { "name": "onap.policies.optimization.VnfPolicy", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.native.Xacml", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 1,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "dev-policy-policy-xacml-pdp-558c478477-g85jl", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        }
      ]
    }
  ]
} |
...