...
```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Test.policy" Version="1"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
  <Target/>
  <Rule RuleId="Test.policy:rule" Effect="Permit">
    <Description>Default is to PERMIT if the policy matches.</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">I should be matched</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matchableString"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1000</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matachableInteger"
                                 DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">1.1</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matchableDouble"
                                 DataType="http://www.w3.org/2001/XMLSchema#double" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matachableBoolean"
                                 DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match A</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matchableListString"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match B</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:matchable:matchableListString"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
        <Description>IF exists and is equal</Description>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
          <Description>Does the policy-type attribute exist?</Description>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
            <Description>Get the size of policy-type attributes</Description>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:policy-type"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <Description>Is this policy-type in the list?</Description>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
          <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               AttributeId="urn:org:onap:policy-type"
                               DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
  <Rule RuleId="Test.policy:rule:policy-type" Effect="Permit">
    <Description>Match on policy-type onap.policies.Test</Description>
    <Target>
      <AnyOf>
        <AllOf>
          <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
            <AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                                 AttributeId="urn:org:onap:policy-type"
                                 DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
          </Match>
        </AllOf>
      </AnyOf>
    </Target>
  </Rule>
  <ObligationExpressions>
    <ObligationExpression ObligationId="urn:org:onap:rest:body" FulfillOn="Permit">
      <AttributeAssignmentExpression AttributeId="urn:org:onap::obligation:monitoring:contents">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{"type":"onap.policies.Test","type_version":"1.0.0","properties":{"nonmatachableString":"I am NON matchable","matchableString":"I should be matched","nonmatachableInteger":0,"matachableInteger":1000,"nonmatachableDouble":0,"matchableDouble":1.1,"nonmatachableBoolean":false,"matachableBoolean":true,"matchableListString":["match A","match B"]},"name":"Test.policy","version":"1.0.0","metadata":{"policy-id":"Test.policy","policy-version":"1"}}</AttributeValue>
      </AttributeAssignmentExpression>
    </ObligationExpression>
  </ObligationExpressions>
</Policy>
```
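How the `<Target>` of the first rule in the policy above evaluates against a decision request, as an added example that is not part of the original page or of ONAP's code. It assumes a trimmed, constructed copy of the Target (the two string-typed matchable attributes only), handles `string-equal` only, and the names `target_matches`, `match_ok`, `match_xml` and `resource` are hypothetical.

```python
import xml.etree.ElementTree as ET

XACML = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
NS = {"x": XACML}
RES = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
STR = "http://www.w3.org/2001/XMLSchema#string"
EQ = "urn:oasis:names:tc:xacml:1.0:function:string-equal"
PREFIX = "urn:org:onap:matchable:"

def match_xml(attr, value):
    return (f'<Match MatchId="{EQ}"><AttributeValue DataType="{STR}">{value}</AttributeValue>'
            f'<AttributeDesignator Category="{RES}" AttributeId="{PREFIX}{attr}" '
            f'DataType="{STR}" MustBePresent="false"/></Match>')

# Constructed sample: the string-typed part of the first rule's Target from the page.
TARGET = (f'<Target xmlns="{XACML}">'
          f'<AnyOf><AllOf>{match_xml("matchableString", "I should be matched")}</AllOf></AnyOf>'
          f'<AnyOf><AllOf>{match_xml("matchableListString", "match A")}</AllOf>'
          f'<AllOf>{match_xml("matchableListString", "match B")}</AllOf></AnyOf></Target>')

def resource(**attrs):
    """Build request attribute bags keyed by (category, attribute id)."""
    return {(RES, PREFIX + name): bag for name, bag in attrs.items()}

def match_ok(match, request):
    """A Match holds when any value in the attribute bag equals the literal."""
    if match.get("MatchId") != EQ:
        raise ValueError("only string-equal is handled in this example")
    literal = match.find("x:AttributeValue", NS).text
    des = match.find("x:AttributeDesignator", NS)
    bag = request.get((des.get("Category"), des.get("AttributeId")), [])
    if not bag and des.get("MustBePresent") == "true":
        raise LookupError("Indeterminate: required attribute is missing")
    return literal in bag  # empty bag with MustBePresent="false" is a plain no-match

def target_matches(target_xml, request):
    # A policy document needs no DTD; refuse one so entities are never expanded.
    if "<!DOCTYPE" in target_xml:
        raise ValueError("DTDs are not accepted in policy documents")
    target = ET.fromstring(target_xml)
    # Target = AND over AnyOf; AnyOf = OR over AllOf; AllOf = AND over Match.
    return all(
        any(all(match_ok(m, request) for m in allof.findall("x:Match", NS))
            for allof in anyof.findall("x:AllOf", NS))
        for anyof in target.findall("x:AnyOf", NS))
```

A request that omits a matchable attribute does not match, because every designator in the policy uses `MustBePresent="false"` and an empty bag simply fails the comparison; an empty `<Target/>`, like the one at policy level, matches every request.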
Note that the DELETE call should remove the TOSCA policy from the DB as well as the corresponding JAR from Nexus.
Question: should the existence of the referenced JAR in Nexus be checked in the API each time a new policy is created/updated, in PAP when the policy gets deployed, or only in the PDP?
Question: do we need to return the native policy contents, i.e. DRL or XACML XML, when the GET call is invoked? If not, what if the end user wants to view the native policy rules?
3. PAP Enhancements
PDP engines must now register with PAP the new policy types for the native policies they support, so that PAP can deploy those policies to the PDPs. This requires an additional entry in the supported policy types list to indicate which native policy type each specific PDP engine can support.
...
Each PDP will need to support native policies being deployed/undeployed to it, as is done today.
4.1 Drools PDP
TODO: Chenfei
4.2 XACML PDP
XACML PDP will need to be able to ingest an XACML XML policy directly. One suggestion is to create an application specifically for XACML native rules by default. A policy designer could also create a specific application that supports native XACML policies (with or without TOSCA Policy Types as an option) and uses the grouping of PDPs to differentiate itself from the default XACML native rule application. The XACML PDP should also be enhanced to support configuration of applications, giving policy designers flexibility as to where all of its possible policy types are deployed.
...
5.1 Drools native policies supported by the PDP-D engine
TODO: Chenfei
Create native DRL
Update native DRL
...