...

For example, consider sample Rego files with the following contents:

Code Block
consistency.rego
package cell.consistency
default allow = false

# Rule to check cell consistency
check_cell_consistency {
    input.cell != data.cell.consistency.allowedCellId
}
# Rule to allow if PCI is within range 1-3000
allow_if_pci_in_range {
    input.PCI >= data.cellconsistency.minPCI
    input.PCI <= data.cellconsistency.maxPCI
}
# Main rule to determine the final decision
allow {
    check_cell_consistency
    allow_if_pci_in_range
}
------------------------------
topology.rego
package cell.consistency.topology
import rego.v1
 
# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.cellconsistency.allowedCellId
}

data.json

Code Block
{   
  "allowedCellId" : 445611193265040129, 
  "minPCI": 1, 
  "maxPCI": 3000  
 }

...

In the TOSCA template, the Rego contents are Base64-encoded and added to the policy field.

Code Block
Tosca Definition for OPA

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
        - native.cell.consistency.opa:
              type: onap.policies.native.opa
              type_version: 1.0.0
              properties:
                  data:
                    cell.consistency: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0=
                  policy: 
                    cell.consistency: cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5CmRlZmF1bHQgYWxsb3cgPSBmYWxzZQoKIyBSdWxlIHRvIGNoZWNrIGNlbGwgY29uc2lzdGVuY3kKY2hlY2tfY2VsbF9jb25zaXN0ZW5jeSB7CsKgwqDCoCBpbnB1dC5jZWxsICE9IGRhdGEuY2VsbC5jb25zaXN0ZW5jeS5hbGxvd2VkQ2VsbElkCn0KIyBSdWxlIHRvIGFsbG93IGlmIFBDSSBpcyB3aXRoaW4gcmFuZ2UgMS0zMDAwCmFsbG93X2lmX3BjaV9pbl9yYW5nZSB7CsKgwqDCoCBpbnB1dC5QQ0kgPj0gZGF0YS5jZWxsY29uc2lzdGVuY3kubWluUENJCsKgwqDCoCBpbnB1dC5QQ0kgPD0gZGF0YS5jZWxsY29uc2lzdGVuY3kubWF4UENJCn0KIyBNYWluIHJ1bGUgdG8gZGV0ZXJtaW5lIHRoZSBmaW5hbCBkZWNpc2lvbgphbGxvdyB7CsKgwqDCoCBjaGVja19jZWxsX2NvbnNpc3RlbmN5CsKgwqDCoCBhbGxvd19pZl9wY2lfaW5fcmFuZ2UKfQ==      
                    cell.consistency.topology: cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiAKIyBSdWxlIHRvIGNoZWNrIGNlbGwgY29uc2lzdGVuY3kKY2hlY2tfY2VsbF9jb25zaXN0ZW5jeSBpZiB7CiAgICBpbnB1dC5jZWxsICE9IGRhdGEuY2VsbGNvbnNpc3RlbmN5LmFsbG93ZWRDZWxsSWQKfQ==
              name: native.cell.consistency.opa
              version: 1.0.0
              metadata:
                  policy-id: native.cell.consistency.opa
                  policy-version: 1.0.0

After receiving the message on Kafka, OPA PDP parses the message, extracts the policy, performs Base64 decoding and deploys the policy to OPA. OPA PDP then sends a PDP_STATUS message with the status of the policy deployment.

In the above case, OPA-PDP creates the following directory structure and stores the policy and data files in it. Each “.” mentioned in the policy translates to a subdirectory in the OPA-PDP pod. This also ensures that each policy is referenced by its main rego file, which avoids collisions when the same library file is used in multiple main rego files.

Directory structure

Code Block
- /opt/policies
  - cell/
    - consistency/
      - policy.rego  // package cell.consistency will be stored here 
      - topology/ 
        - policy.rego  // package  cell.consistency.topology will be stored here 
- /opt/data
  - cell/
    - consistency/
      - data.json  // data will be stored here 
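
The decode-and-place step described above, as an added Python example (not OPA-PDP's own code): it Base64-decodes the `policy` and `data` maps and maps each dotted key to the directory layout shown. The key pattern and the requirement that a key match the decoded `package` line are assumptions added here so that a key cannot resolve outside `/opt/policies` or `/opt/data`; the sample input is constructed.

```python
import base64
import re
from pathlib import PurePosixPath

# Roots taken from the directory structure shown above.
POLICY_ROOT = PurePosixPath("/opt/policies")
DATA_ROOT = PurePosixPath("/opt/data")
# Assumed key rule: dot-separated identifiers only, so a key can never carry
# "/", ".." or an empty segment that would resolve outside the root.
KEY_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*")
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)\s*$", re.MULTILINE)

def key_to_path(root, key, filename):
    """Map 'cell.consistency' to <root>/cell/consistency/<filename>."""
    if not KEY_RE.fullmatch(key):
        raise ValueError(f"unsafe key: {key!r}")
    return root.joinpath(*key.split("."), filename)

def decode(blob):
    """Strict Base64 decode; malformed input raises instead of being skipped."""
    return base64.b64decode(blob, validate=True).decode("utf-8")

def encode(text):
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def plan_deployment(properties):
    """Return {absolute path: decoded text} for the 'policy' and 'data' maps."""
    files = {}
    for key, blob in properties.get("policy", {}).items():
        text = decode(blob)
        match = PACKAGE_RE.search(text)
        declared = match.group(1) if match else None
        if declared != key:  # assumed check: key must equal the Rego package
            raise ValueError(f"key {key!r} does not match package {declared!r}")
        files[str(key_to_path(POLICY_ROOT, key, "policy.rego"))] = text
    for key, blob in properties.get("data", {}).items():
        files[str(key_to_path(DATA_ROOT, key, "data.json"))] = decode(blob)
    return files

# Constructed sample mirroring the shape of the template above.
SAMPLE = {
    "policy": {
        "cell.consistency": encode("package cell.consistency\ndefault allow = false\n"),
        "cell.consistency.topology": encode("package cell.consistency.topology\nimport rego.v1\n"),
    },
    "data": {"cell.consistency": encode('{"minPCI": 1, "maxPCI": 3000}')},
}

if __name__ == "__main__":
    for path in sorted(plan_deployment(SAMPLE)):
        print(path)
```
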

Policy Deployment - In Memory Mode

[Figure: Policy Deployment - In Memory Mode (draw.io diagram)]

Policy Deployment - Bundle Mode

[Figure: Policy Deployment - Bundle Mode (draw.io diagram)]

...

Code Block
tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
  onap.policies.Native:
    derived_from: tosca.policies.Root
    description: a base policy type for all native PDP policies
    version: 1.0.0
    name: onap.policies.Native
  onap.policies.native.opa:
    derived_from: onap.policies.Native
    version: 1.0.0
    name: onap.policies.native.opa
    description: a policy type for native opa policies
    properties:
      data:
        type: map
        type_version: 0.0.0
        description: The data for Rego policy
        required: false
        metadata:
          encoding: Base64
      policy:
        type: map
        type_version: 0.0.0
        description: The Rego PolicySet or Policy
        required: true
        metadata:
          encoding: Base64

Create policy tosca definition for OPA

Code Block
Tosca Definition for OPA

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
        - native.cellconsistency.opa:
              type: onap.policies.native.opa
              type_version: 1.0.0
              properties:                  			        	     policy: 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

                 data: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0K
              name: native.cellconsistency.opa
              version: 1.0.0
              metadata:
                  policy-id: native.cellconsistency.opa
                  policy-version: 1.0.0