...

  • Create OPA policy

  • Deploy OPA policy

  • Un-Deploy OPA policy

  • Dynamic Data Update

Create OPA policy

The same Policy API used for creating policies is also used for OPA-PDP. Because only native policies are supported for OPA, the Rego file content is Base64-encoded and provided in the policy field, as shown.

...

Code Block
Tosca Definition for OPA

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
  policies:
    - native.cell.consistency.opa:
        type: onap.policies.native.opa
        type_version: 1.0.0
        properties:
          data:
            cell.consistency: >-
              eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0=
          policy:
            cell.consistency: >-
              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
            cell.consistency.topology: >-
              cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiMgUnVsZSB0byBjaGVjayBjZWxsIGNvbnNpc3RlbmN5CmNoZWNrX2NlbGxfY29uc2lzdGVuY3kgaWYgewogICAgaW5wdXQuY2VsbCAhPSBkYXRhLmNlbGxjb25zaXN0ZW5jeS5hbGxvd2VkQ2VsbElkCn0=
        name: native.cell.consistency.opa
        version: 1.0.0
        metadata:
          policy-id: native.cell.consistency.opa
          policy-version: 1.0.0

For example, consider sample Rego files with the following contents.

When there are multiple Rego files, as in the case below, the policy name should contain the package name of the main Rego file (“cell.consistency” in this case). The main policy should be the first in the list, and each secondary Rego file should have a name starting with the main Rego package name, in this case “cell.consistency”.

Code Block
package cell.consistency
import rego.v1
default allow = false
# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.cell.consistency.allowedCellId
}
# Rule to allow if PCI is within range 1-3000
allow_if_pci_in_range if {
    input.PCI >= data.cell.consistency.minPCI
    input.PCI <= data.cell.consistency.maxPCI
}
# Main rule to determine the final decision
allow if {
    check_cell_consistency
    allow_if_pci_in_range
}

---
package cell.consistency.topology
import rego.v1
# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.cell.consistency.allowedCellId
}

...

Code Block
{
  "allowedCellId": 445611193265040129,
  "minPCI": 1,
  "maxPCI": 3000
}
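
The packaging rules described above (Base64-encoded Rego and data, main policy first, secondary names starting with the main package name), as an added Python example that is not part of the original page or of the ONAP code base. The helper names `build_opa_policy` and `decode_properties` are hypothetical, and using each file's package name as its key in the policy map is an assumption taken from the sample definition.

```python
import base64
import json
import re

PACKAGE_RE = re.compile(r"^\s*package\s+([A-Za-z_][\w.]*)", re.MULTILINE)

def _b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")

def build_opa_policy(name, version, rego_sources, data):
    """Hypothetical helper. rego_sources: Rego file texts, main file first;
    data: mapping of data key -> JSON-serialisable value."""
    packages = []
    for src in rego_sources:
        match = PACKAGE_RE.search(src)
        if match is None:
            raise ValueError("Rego source has no package declaration")
        packages.append(match.group(1))
    if not packages or len(set(packages)) != len(packages):
        raise ValueError("need at least one Rego file and unique package names")
    main = packages[0]
    if main not in name:
        raise ValueError(f"policy name {name!r} must contain {main!r}")
    for pkg in packages[1:]:
        if not pkg.startswith(main):
            raise ValueError(f"secondary package {pkg!r} must start with {main!r}")
    properties = {
        "data": {key: _b64(json.dumps(value)) for key, value in data.items()},
        # dicts keep insertion order, so the main policy stays first in the list
        "policy": {pkg: _b64(src) for pkg, src in zip(packages, rego_sources)},
    }
    return {
        "tosca_definitions_version": "tosca_simple_yaml_1_1_0",
        "topology_template": {"policies": [{name: {
            "type": "onap.policies.native.opa", "type_version": "1.0.0",
            "properties": properties, "name": name, "version": version,
            "metadata": {"policy-id": name, "policy-version": version},
        }}]},
    }

def decode_properties(tosca, name):
    """Decode the Base64 fields back to text so a payload can be reviewed."""
    props = tosca["topology_template"]["policies"][0][name]["properties"]
    return {section: {k: base64.b64decode(v).decode("utf-8") for k, v in entries.items()}
            for section, entries in props.items()}

if __name__ == "__main__":
    rego = ["package cell.consistency\nimport rego.v1\ndefault allow = false\n"]  # constructed sample
    sample_data = {"cell.consistency": {"minPCI": 1, "maxPCI": 3000}}  # constructed sample
    print(json.dumps(build_opa_policy("native.cell.consistency.opa", "1.0.0", rego, sample_data), indent=2))
```

`decode_properties` is the review direction: run it over a definition before deployment to read the Rego and data that the Base64 fields actually carry.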

Deploy OPA policy

The same Policy API for deploying policy will be leveraged for OPA-PDP also.

...

OPA PDP will send a PDP_STATUS message with the status of the policy deployment.

Un-Deploy OPA policy

The same CRUD API for policy undeploy will be used here as well to undeploy the policy.

...

OPA-PDP will also delete the data if PAP had deployed it.

Data Deployment

OPA-PDP will support only dynamic updates of data. This data will not be persisted in OPA-PDP. This facility is provided in case the user wants to fine-tune the data configuration and validate it. Once the configuration value is finalized, the user can undeploy the existing policy and create the data/policy with the new configuration.

...

  • curl -u 'policyadmin:zb!XztG34' -X PUT -H "Content-Type: application/yaml" -d @data.json http://policy-opa-pdp:8282/policy/pdpo/v1/data/{path:+}

Policy Deployment - In Memory Mode

...

Policy Deployment - Bundle Mode

...