...

For Create/Update Policy, the Rego contents are base64-encoded in the TOSCA template and added under the policy field. Every data key needs to be prefixed with "node".

Tosca Definition for OPA

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
  policies:
    - native.cell.consistency.opa:
        type: onap.policies.native.opa
        type_version: 1.0.0
        properties:
          data:
            node.cell.consistency: >-
              eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0=
          policy:
            cell.consistency: >-
              <base64-encoded cell.consistency Rego; value not preserved on this page>
            cell.consistency.topology: >-
              cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiMgUnVsZSB0byBjaGVjayBjZWxsIGNvbnNpc3RlbmN5CmNoZWNrX2NlbGxfY29uc2lzdGVuY3kgaWYgewogICAgaW5wdXQuY2VsbCAhPSBkYXRhLmNlbGxjb25zaXN0ZW5jeS5hbGxvd2VkQ2VsbElkCn0=
        name: native.cell.consistency.opa
        version: 1.0.0
        metadata:
          policy-id: native.cell.consistency.opa
          policy-version: 1.0.0

For example, consider a sample Rego file with the following contents

...

package cell.consistency
import rego.v1
# Imports must follow the package declaration; the library package is referenced by its full path
import data.cell.consistency.topology

default allow := false

# Rule to allow if PCI is within range 1-3000 (data keys are deployed under the "node" prefix)
allow_if_pci_in_range if {
    input.PCI >= data.node.cell.consistency.minPCI
    input.PCI <= data.node.cell.consistency.maxPCI
}

# Main rule to determine the final decision
allow if {
    topology.check_cell_consistency
    allow_if_pci_in_range
}

---
package cell.consistency.topology
import rego.v1
# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.node.cell.consistency.allowedCellId
}

data.json

{
  "allowedCellId": 445611193265040129,
  "minPCI": 1,
  "maxPCI": 3000
}

Deploy OPA policy

The same Policy API used for deploying policies is leveraged for OPA-PDP as well.

The same CRUD API used for policy creation is used here as well to create a policy.

curl -u 'policyadmin:zb!XztG34' -X POST -H "Content-Type: application/json" -d @deploy-policy.json http://policy-pap:6969/policy/pap/v1/pdps/policies

Contents of deploy-policy.json (the policy-id matches the TOSCA metadata above):

{
  "policies": [
    {
      "policy-id": "native.cell.consistency.opa",
      "policy-version": "1.0.0"
    }
  ]
}

OPA-PDP, after receiving the message on Kafka, parses it, extracts the policy, performs base64 decoding and deploys the policy to OPA. OPA-PDP then sends a PDP_STATUS message with the status of the policy deployment.

Tip

The package name and the policy name should be the same. If they are not, OPA-PDP will fail to deploy the policy.

In the above case, OPA-PDP creates the following directory structure and stores the policy and data files in it. Each "." in the package name translates to a subdirectory in the OPA-PDP pod. This also ensures that each policy is referenced by its main Rego file, which avoids collisions when the same library file is used by multiple main Rego files.

Directory structure

- /opt/policies
  - cell/
    - consistency/
      - policy.rego  // package cell.consistency will be stored here
      - topology/
        - policy.rego  // package cell.consistency.topology will be stored here
- /opt/data
  - cell/
    - consistency/
      - data.json  // data will be stored here
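As an added example (not OPA-PDP's own code), the following Python pre-deployment check applies the rules stated on this page to one parsed TOSCA policy entry: it base64-decodes each Rego blob, verifies the "node." prefix on data keys and the package-name/policy-name match, checks that every data.<path> the Rego reads is actually a deployed data key, and derives the on-disk layout. It assumes the template has already been parsed into a dict (for example with a YAML loader); the roots /opt/policies and /opt/data come from the tree above, and dropping the "node." prefix for the data path is an assumption drawn from that tree.

```python
import base64
import re

POLICY_ROOT, DATA_ROOT = "/opt/policies", "/opt/data"   # roots named on the page
PACKAGE_RE = re.compile(r"^\s*package\s+([\w.]+)", re.M)
DATA_REF_RE = re.compile(r"\bdata\.([\w.]+)\.\w+\b")

def validate(policy):
    """Return a list of problems found in one TOSCA policy entry (empty = consistent)."""
    props, problems = policy["properties"], []
    data_keys = set(props["data"])
    for key in data_keys:                      # page rule: data keys carry a "node" prefix
        if not key.startswith("node."):
            problems.append(f"data key {key!r} lacks the 'node.' prefix")
    for key, blob in props["policy"].items():  # policy values are base64-encoded Rego
        rego = base64.b64decode(blob).decode()
        m = PACKAGE_RE.search(rego)            # page rule: package name == policy key
        if m is None or m.group(1) != key:
            problems.append(f"policy {key!r} declares package {m and m.group(1)!r}")
        body = "\n".join(l for l in rego.splitlines() if not l.lstrip().startswith("import"))
        for ref in DATA_REF_RE.findall(body):  # every data.<path> read must be deployed
            if not any(ref == k or ref.startswith(k + ".") for k in data_keys):
                problems.append(f"policy {key!r} reads undeployed path 'data.{ref}'")
    return problems

def layout(policy):
    """Path OPA-PDP stores each file at: each '.' in the key becomes a subdirectory."""
    props = policy["properties"]
    paths = {k: f"{POLICY_ROOT}/{k.replace('.', '/')}/policy.rego" for k in props["policy"]}
    for k in props["data"]:   # assumption: the 'node.' prefix is dropped, as in the page's tree
        paths[k] = f"{DATA_ROOT}/{k.removeprefix('node.').replace('.', '/')}/data.json"
    return paths

def sample_template(data_key="node.cell.consistency"):
    """Constructed sample mirroring the page's policy; encoded at runtime, not copied."""
    enc = lambda s: base64.b64encode(s.encode()).decode()
    main = ("package cell.consistency\nimport rego.v1\nimport data.cell.consistency.topology\n"
            "default allow := false\nallow if {\n    topology.check_cell_consistency\n"
            "    input.PCI >= data.node.cell.consistency.minPCI\n"
            "    input.PCI <= data.node.cell.consistency.maxPCI\n}\n")
    topo = ("package cell.consistency.topology\nimport rego.v1\ncheck_cell_consistency if {\n"
            "    input.cell != data.node.cell.consistency.allowedCellId\n}\n")
    data = '{"allowedCellId": 445611193265040129, "minPCI": 1, "maxPCI": 3000}'
    return {"type": "onap.policies.native.opa", "properties": {
        "data": {data_key: enc(data)},
        "policy": {"cell.consistency": enc(main), "cell.consistency.topology": enc(topo)}}}
```

Calling sample_template("cell.consistency") reproduces the un-prefixed data key that this page warns against and makes validate() report it together with every Rego reference that no longer resolves.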


Un-Deploy OPA policy

The same CRUD API for policy undeployment is used here as well to undeploy the policy

curl -u 'policyadmin:zb!XztG34' -X DELETE http://policy-pap:6969/policy/pap/v1/pdps/policies/native.cell.consistency.opa

OPA-PDP receives a PDP_UPDATE message and reads the policies to be undeployed from it, for example: "policiesToBeUndeployed":[{"name":"native.cell.consistency.opa","version":"1.0.0"}]

OPA-PDP removes the /cell/consistency directories and the policy.rego file from persistent storage and undeploys the policy from the OPA SDK.

OPA-PDP also deletes the data, if PAP had deployed it.

Data Deployment

OPA-PDP supports only dynamic updates of data. Such data is not persisted in OPA-PDP. This facility is provided in case a user wants to fine-tune the data configuration and validate it. Once the configuration values are finalized, the user can undeploy the existing policy and create the data and policy with the new configuration.

Modify existing data (the whole data or part of it) using the CRUD API below

...
