Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Overview

•OPA-PDP will be integrated as a new Policy Engine in the existing ONAP Policy Framework

•The OPA PDP Engine will utilize the open source implementation of Open Policy Agent to enable fine-grained policy decisions in ONAP

•It will support Rego version 1 for both policies and requests/responses for access control decisions

•Only Native Policy will be supported (Policy Type : onap.policies.native.opa)

•OPA-PDP will be compatible with all messaging interfaces towards PAP, similar to other Policy engines.

•OPA PDP will provide a Decision API that can be used to render decisions for ONAP components.

ONAP OPA PDP Supported Policy Types

Currently only Native Policy will be supported .This Policy type is used by any client or ONAP component who has the need of native OPA evaluation.

onap.policies.native.opa

Policy Type

Action

Description

onap.policies.native.opa

native

any client or ONAP component

How OPA-PDP fits in ONAP Policy Framework

...

OPA-PDP high level architecture

image-20241111-044344.pngImage Added

Phase-1 implementation Details

In Phase-1 the OPA-PDP will be pre-loaded with sample policy, deployment of policy via PAP is not supported.

  • OPA-PDP implements a kafka listener, Publisher to receiving and sending messages to PAP

    • Once OPA-PDP is up it will send “Registration”( PDP_STATUS) message to PAP

    • Some of the information included in the message are:

    • pdpType the type of the PDP opa .

    • pdpGroup to which the PDP should belong to defaultGroup

    • state the initial state of the PDP which is PASSIVE.

    • healthy whether the PDP is “HEALTHY” or not.

    • name a name that is unique to the PDP instance for e.g. “opa-f849384c-dd78-4016-a7b5-1c660fb6ee0e”

    • Code Block
      Sample Registration Message 
      {
        "messageName": "PDP_STATUS",
        "pdpType": "opa",
        "state": "PASSIVE",
        "healthy": "HEALTHY",
        "description": "Pdp Status Registration Message",
        "response": null,
        "policies": null,
        "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
        "requestId": "9fed8880-d023-4004-b6bf-647efd10a7df",
        "pdpGroup": "defaultGroup",
        "pdpSubgroup": null,
        "timestampMs": "1731335546889"
      }
  • On receiving the registration message from a PDP, PAP checks and assigns it to a subgroup under the group. PAP sends PDP_UPDATE message. PAP also sends the pdpHeartbeatIntervalMs which is the time interval in which PDPs should send heartbeats to PAP. Currently (In first phase) OPA-PDP handles only the pdpHeartbeatIntervalMs and starts a timer for sending STATUS messages periodically. OPA-PDP sends PDP_STATUS response to PDP_UPDATE message.

Note

OPA-PDP currently doesn’t handle the policies to be deployed sent in "policiesToBeDeployed" field in PDP_UPDATE

Example PDP_STATUS response

Code Block
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message For Pdp Update",
  "response": {
    "responseTo": "06f6d05f-6045-48d9-bcd8-40364fb695ae",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP Update was Successful"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "e6a0607f-5fc8-4d62-afca-3cb984d827a3",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550030",
  "deploymentInstanceInfo":""
}
Note

In Phase-1, OPA-PDP STATUS message will not include details on predefined policies (policy name and version). It will be assigned to “null”

  • PAP sends PDP_STATE_CHANGE message

OPA-PDP handles PDP_STATE_CHANGE. PAP sends PDP_STATE_CHANGE message to PDPs to change the state from PASSIVE to active or ACTIVE to PASSIVE. After registration is complete, PAP makes a PDP ACTIVE by default. OPA-PDP sends PDP_STATUS response to PDP_STATE_CHANGE. PDP updates its state as per the PDP_STATE_CHANGE received from PAP. When a PDP is changed to ACTIVE, any policies that are already pushed to the PDP start execution and start processing events as per the policies deployed.

In “ACTIVE” state OPA-PDP is in ready state to receive any decision requests

Example PDP_STATUS response for PDP_STATE_CHANGE

Code Block
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "ACTIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message to Pdp State Change",
  "response": {
    "responseTo": "3edbb47c-b015-4fd9-9572-26cde97cc23c",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP State Changed From PASSIVE TO Active"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "02b186a6-485d-4392-90fa-d4cac34be97a",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550069"
}

Currently OPA policies are pre-loaded in the docker setup.

  • Decision Requests are REST requests sent from ONAP components. Below is the format of Decision API request.

  • API endpoint :- policy/pdpx/v1/decision. Below is the snippet of Decision Request that will be received in Phase-1 .

    Code Block
    Decision Request 
     {
      "onapName": "CDS",
      "onapComponent": "CDS",
      "onapInstance": "CDS",
      "currentDate": "2024-11-22",
      "currentTime": "2024-11-22T11:34:56Z",
      "timeZone": "UTC",
      "timeOffset": "+05:30",
      "currentDateTime": "2024-11-22T12:08:00Z",
      "policyName": "action/allow",
      "input": {
        "user": "alice",
        "action": "delete",
        "type": "server"
      }
    }
    
    curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -d '{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS", "currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "UTC+05:30", "currentDateTime": "2024-11-22T12:08:00Z","policyName":"action/allow","input":{"user":"alice","action":"delete","type":"server"}}' -X POST http://0.0.0.0:8282/policy/pdpx/v1/decision

Decision Response will contain following parameters

Code Block
{
  "decision":"PERMIT",
  "policyName":"action/allow",
  "statusMessage":"OPA Allowed"
}

Currently OPA-PDP will respond with either PERMIT, DENY or INDETERMINATE values .

The policies and data json are currently mounted as files in docker volume for OPA-PDP.

OPA-PDP will also support health check request. The end point for health check is policy/pdpx/v1/healthcheck

Code Block
Request 
curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' -X GET
http://0.0.0.0:8282/policy/pdpx/v1/healthcheck

Response 
{
  "name": "opa-e007a5f3-28f0-4e0d-84ac-51951550f790",
  "url": "self",
  "healthy": true,
  "code": 200,
  "message": "alive"
}

Statistics :Currently we support only following counters and other counters will be set as 0.

  • totalErrorCount

  • permitDecisionsCount

  • denyDecisionsCount

  • totalPolicyTypesCount      

Code Block
Request
curl -u 'policyadmin:zb!XztG34' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/statistics
StatisticsReport
{ 
  "code":200,
  "denyDecisionsCount":10,
  "deployFailureCount":0,
  "deploySuccessCount":0,
  "indeterminantDecisionsCount":0,
  "permitDecisionsCount":18,
  "totalErrorCount":4,
  "totalPoliciesCount":0,
  "totalPolicyTypesCount":1,
  "undeployFailureCount":0,
  "undeploySuccessCount":0
  }

Health Check API Request/Response

Code Block
Reguest
curl -u 'policyadmin:zb!XztG34' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/healthcheck
HealthCheckReport
{  
   "code":200,
   "healthy":true,
   "message":"alive",
   "name":"opa-9f0248ea-807e-45f6-8e0f-935e570b75cc",
   "url":"self"
}