...
OPA-PDP high level architecture
Phase-1 implementation Details
In Phase-1 the OPA-PDP is pre-loaded with a sample policy; deployment of policies via PAP is not supported.
OPA-PDP implements a Kafka listener and publisher for receiving messages from, and sending messages to, PAP.
Once OPA-PDP is up, it sends a "Registration" (PDP_STATUS) message to PAP.
Some of the information included in the message:
Field | Description | Value
---|---|---
pdpType | the type of the PDP | opa
pdpGroup | the group to which the PDP should belong | defaultGroup
state | the initial state of the PDP | PASSIVE
healthy | whether the PDP is "HEALTHY" or not | HEALTHY
name | a name that is unique to the PDP instance | e.g. opa-f849384c-dd78-4016-a7b5-1c660fb6ee0e
Sample Registration Message:

{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Registration Message",
  "response": null,
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "9fed8880-d023-4004-b6bf-647efd10a7df",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": null,
  "timestampMs": "1731335546889"
}
On receiving the registration message from a PDP, PAP checks it, assigns the PDP to a subgroup under the group, and sends a PDP_UPDATE message. The PDP_UPDATE also carries pdpHeartbeatIntervalMs, the interval at which PDPs must send heartbeats to PAP. In Phase-1, OPA-PDP handles only pdpHeartbeatIntervalMs: it starts a timer that sends PDP_STATUS messages periodically. OPA-PDP answers the PDP_UPDATE with a PDP_STATUS response.
Note: OPA-PDP currently doesn't handle the policies to be deployed sent in
Example PDP_STATUS response:

{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message For Pdp Update",
  "response": {
    "responseTo": "06f6d05f-6045-48d9-bcd8-40364fb695ae",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP Update was Successful"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "e6a0607f-5fc8-4d62-afca-3cb984d827a3",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550030",
  "deploymentInstanceInfo": ""
}
Note: In Phase-1, the OPA-PDP STATUS message does not include details of the predefined policies (policy name and version); the policies field is set to null.
PAP sends PDP_STATE_CHANGE message
...
In the "ACTIVE" state OPA-PDP is ready to receive decision requests.
Example PDP_STATUS response for PDP_STATE_CHANGE:

{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "ACTIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message to Pdp State Change",
  "response": {
    "responseTo": "3edbb47c-b015-4fd9-9572-26cde97cc23c",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP State Changed From PASSIVE TO Active"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "02b186a6-485d-4392-90fa-d4cac34be97a",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550069"
}
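The registration, PDP_UPDATE and PDP_STATE_CHANGE exchange described above, as an added Go example that is not part of the OPA-PDP code base: it models the PDP side of the conversation, with PAP's messages constructed inline and the Kafka transport replaced by a publish callback. The PDP_STATUS shape follows the samples on this page; the reduced PdpUpdate and PdpStateChange structs, the FAIL responses for a non-positive heartbeat interval or an unknown target state, and the "Pdp Heartbeat" description are assumptions, not documented OPA-PDP behaviour.

```go
package main

import (
	"crypto/rand"
	"encoding/json"
	"fmt"
	"os"
	"time"
)

// ResponseDetails is the "response" object of a PDP_STATUS that answers a PAP message.
type ResponseDetails struct {
	ResponseTo      string `json:"responseTo"`
	ResponseStatus  string `json:"responseStatus"`
	ResponseMessage string `json:"responseMessage"`
}

// PdpStatus mirrors the PDP_STATUS samples on this page; policies stays null in Phase-1.
type PdpStatus struct {
	MessageName string           `json:"messageName"`
	PdpType     string           `json:"pdpType"`
	State       string           `json:"state"`
	Healthy     string           `json:"healthy"`
	Description string           `json:"description"`
	Response    *ResponseDetails `json:"response"`
	Policies    []string         `json:"policies"`
	Name        string           `json:"name"`
	RequestId   string           `json:"requestId"`
	PdpGroup    string           `json:"pdpGroup"`
	PdpSubgroup string           `json:"pdpSubgroup,omitempty"` // absent until PAP assigns one
	TimestampMs string           `json:"timestampMs"`
}

// PAP-side messages reduced to the fields Phase-1 acts on (an assumed subset of the real schema).
type PdpUpdate struct {
	RequestId, PdpGroup, PdpSubgroup string
	PdpHeartbeatIntervalMs           int64
}
type PdpStateChange struct{ RequestId, State string }

// OpaPdp is the PDP-side state. Kafka is left out: callers publish the returned messages.
type OpaPdp struct {
	Name, Group, Subgroup, State string
	HeartbeatInterval            time.Duration
}

func newUUID() string { // random version-4 UUID without an external module
	var b [16]byte
	rand.Read(b[:])
	b[6], b[8] = b[6]&0x0f|0x40, b[8]&0x3f|0x80
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[:4], b[4:6], b[6:8], b[8:10], b[10:])
}

func (p *OpaPdp) status(desc string, resp *ResponseDetails) PdpStatus {
	return PdpStatus{MessageName: "PDP_STATUS", PdpType: "opa", State: p.State, Healthy: "HEALTHY",
		Description: desc, Response: resp, Name: p.Name, RequestId: newUUID(), PdpGroup: p.Group,
		PdpSubgroup: p.Subgroup, TimestampMs: fmt.Sprint(time.Now().UnixMilli())}
}

// Registration is the first message sent after start-up; Heartbeat is the periodic one.
func (p *OpaPdp) Registration() PdpStatus { return p.status("Pdp Status Registration Message", nil) }
func (p *OpaPdp) Heartbeat() PdpStatus    { return p.status("Pdp Heartbeat", nil) }

// HandleUpdate records group, subgroup and heartbeat interval, then answers PAP. A non-positive
// interval is refused instead of arming a zero-period ticker (assumed behaviour, not on this page).
func (p *OpaPdp) HandleUpdate(u PdpUpdate) PdpStatus {
	const desc = "Pdp Status Response Message For Pdp Update"
	if u.PdpHeartbeatIntervalMs <= 0 {
		return p.status(desc, &ResponseDetails{u.RequestId, "FAIL", "invalid pdpHeartbeatIntervalMs"})
	}
	p.Group, p.Subgroup = u.PdpGroup, u.PdpSubgroup
	p.HeartbeatInterval = time.Duration(u.PdpHeartbeatIntervalMs) * time.Millisecond
	return p.status(desc, &ResponseDetails{u.RequestId, "SUCCESS", "PDP Update was Successful"})
}

// HandleStateChange moves between PASSIVE and ACTIVE; any other target is refused (assumed behaviour).
func (p *OpaPdp) HandleStateChange(c PdpStateChange) PdpStatus {
	const desc = "Pdp Status Response Message to Pdp State Change"
	if c.State != "ACTIVE" && c.State != "PASSIVE" {
		return p.status(desc, &ResponseDetails{c.RequestId, "FAIL", "unknown state " + c.State})
	}
	prev := p.State
	p.State = c.State
	return p.status(desc, &ResponseDetails{c.RequestId, "SUCCESS", fmt.Sprintf("PDP State Changed From %s TO %s", prev, c.State)})
}

func main() {
	pdp := &OpaPdp{Name: "opa-" + newUUID(), Group: "defaultGroup", State: "PASSIVE"}
	publish := func(m PdpStatus) { json.NewEncoder(os.Stdout).Encode(m) } // stands in for the Kafka producer
	publish(pdp.Registration())
	// Constructed PAP messages; a 100 ms interval keeps the demo short, real deployments use a longer one.
	publish(pdp.HandleUpdate(PdpUpdate{RequestId: newUUID(), PdpGroup: "defaultGroup", PdpSubgroup: "opa", PdpHeartbeatIntervalMs: 100}))
	publish(pdp.HandleStateChange(PdpStateChange{RequestId: newUUID(), State: "ACTIVE"}))
	t := time.NewTicker(pdp.HeartbeatInterval) // the timer that PDP_UPDATE armed
	for i := 0; i < 2; i++ {                   // two heartbeats, then stop
		<-t.C
		publish(pdp.Heartbeat())
	}
	t.Stop()
}
```

Running it prints the registration message, the two responses and two heartbeats as JSON lines. In the real PDP the publish callback would be the Kafka producer, the ticker would run for the life of the process, and the PASSIVE state would make the decision endpoint refuse requests until PAP activates the PDP.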
Currently the OPA policies are pre-loaded in the Docker setup.
Decision requests are REST requests sent by ONAP components. The format of a Decision API request is shown below.
API endpoint: policy/pdpx/v1/decision. Below is a snippet of the Decision Request that is received in Phase-1.
Decision Request:

{
  "onapName": "CDS",
  "onapComponent": "CDS",
  "onapInstance": "CDS",
  "currentDate": "2024-11-22",
  "currentTime": "2024-11-22T11:34:56Z",
  "timeZone": "UTC",
  "timeOffset": "UTC+05:30",
  "currentDateTime": "2024-11-22T12:08:00Z",
  "policyName": "action/allow",
  "input": {
    "user": "alice",
    "action": "delete",
    "type": "server"
  }
}

Example request:

curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -d '{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS", "currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "UTC+05:30", "currentDateTime": "2024-11-22T12:08:00Z","policyName":"action/allow","input":{"user":"alice","action":"delete","type":"server"}}' -X POST http://0.0.0.0:8282/policy/pdpx/v1/decision

The curl above uses ONAP's default policyadmin credentials over plain HTTP against a local listener, which is appropriate only for the local Docker setup.
The Decision Response contains the following parameters:

{
  "decision": "PERMIT",
  "policyName": "action/allow",
  "statusMessage": "OPA Allowed"
}
Currently OPA-PDP responds with one of PERMIT, DENY or INDETERMINATE.
The policies and data JSON are currently mounted as files in a Docker volume for OPA-PDP.
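An added Go example (not OPA-PDP's own code) of the decision endpoint described above: an HTTP handler that enforces basic auth with a constant-time comparison, bounds the request body, and maps the evaluation outcome onto PERMIT, DENY or INDETERMINATE. The OPA engine is replaced by an Evaluator callback and the constructed actionAllow rule, which are assumptions; the endpoint path, credentials and port come from the page's curl sample.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"errors"
	"log"
	"net/http"
)

// DecisionRequest keeps the two fields that drive the decision; the ONAP context fields
// from the page's sample (onapName, onapComponent, currentDateTime, ...) are omitted here.
type DecisionRequest struct {
	PolicyName string                 `json:"policyName"`
	Input      map[string]interface{} `json:"input"`
}

// DecisionResponse is the body returned to the caller, as on this page.
type DecisionResponse struct {
	Decision      string `json:"decision"`
	PolicyName    string `json:"policyName"`
	StatusMessage string `json:"statusMessage"`
}

// Evaluator stands in for the OPA engine (assumption: the real PDP queries OPA at this point).
// defined=false models an undefined OPA result (no rule produced a value); err is an evaluation failure.
type Evaluator func(policy string, input map[string]interface{}) (allowed, defined bool, err error)

// DecisionHandler serves POST /policy/pdpx/v1/decision behind HTTP basic auth.
type DecisionHandler struct {
	Eval       Evaluator
	User, Pass string // the page's curl samples use ONAP's default policyadmin account
}

// Decide maps the evaluator outcome onto PERMIT / DENY / INDETERMINATE.
// Only a defined "allowed" result yields PERMIT; errors and undefined results are INDETERMINATE, not DENY,
// so a caller can tell "the policy refused" from "the PDP could not decide".
func (h *DecisionHandler) Decide(req DecisionRequest) DecisionResponse {
	if req.PolicyName == "" || req.Input == nil {
		return DecisionResponse{"INDETERMINATE", req.PolicyName, "policyName and input are required"}
	}
	allowed, defined, err := h.Eval(req.PolicyName, req.Input)
	switch {
	case err != nil:
		return DecisionResponse{"INDETERMINATE", req.PolicyName, "OPA evaluation failed: " + err.Error()}
	case !defined: // the policy produced no value for this input; never let that read as a grant
		return DecisionResponse{"INDETERMINATE", req.PolicyName, "OPA result undefined"}
	case allowed:
		return DecisionResponse{"PERMIT", req.PolicyName, "OPA Allowed"}
	default:
		return DecisionResponse{"DENY", req.PolicyName, "OPA Denied"}
	}
}

func (h *DecisionHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	u, p, ok := r.BasicAuth() // constant-time compares so the check does not leak credential bytes via timing
	if !ok || subtle.ConstantTimeCompare([]byte(u), []byte(h.User)) != 1 || subtle.ConstantTimeCompare([]byte(p), []byte(h.Pass)) != 1 {
		w.Header().Set("WWW-Authenticate", `Basic realm="OPA-PDP"`)
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	if r.Method != http.MethodPost || r.URL.Path != "/policy/pdpx/v1/decision" {
		http.NotFound(w, r)
		return
	}
	var req DecisionRequest // cap the body so a large request cannot exhaust memory before parsing
	if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20)).Decode(&req); err != nil {
		http.Error(w, "malformed decision request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(h.Decide(req))
}

// actionAllow is a constructed stand-in for the page's pre-loaded "action/allow" policy: alice may do
// anything, anyone may read, and any other policy name yields an undefined result.
func actionAllow(policy string, input map[string]interface{}) (bool, bool, error) {
	if policy != "action/allow" {
		return false, false, nil
	}
	action, ok := input["action"].(string)
	if !ok {
		return false, false, errors.New("input.action must be a string")
	}
	user, _ := input["user"].(string)
	return user == "alice" || action == "read", true, nil
}

func main() {
	h := &DecisionHandler{Eval: actionAllow, User: "policyadmin", Pass: "zb!XztG34"}
	log.Fatal(http.ListenAndServe("127.0.0.1:8282", h)) // loopback only; the page's samples target 0.0.0.0
}
```

With the server running, the curl from the page's sample returns {"decision":"PERMIT","policyName":"action/allow","statusMessage":"OPA Allowed"}. The mapping is deliberately fail-closed: neither an evaluation error nor an undefined result can ever produce PERMIT, and the two are reported as INDETERMINATE rather than DENY so that a consumer can distinguish a refusal from a PDP that could not decide.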
OPA-PDP also supports a health check request. The endpoint for the health check is policy/pdpx/v1/healthcheck.
Request:

curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/healthcheck

Response (HealthCheckReport):

{
  "name": "opa-e007a5f3-28f0-4e0d-84ac-51951550f790",
  "url": "self",
  "healthy": true,
  "code": 200,
  "message": "alive"
}
Statistics: currently only the following counters are maintained; all other counters are reported as 0.
- totalErrorCount
- permitDecisionsCount
- denyDecisionsCount
- totalPolicyTypesCount
Request:

curl -u 'policyadmin:zb!XztG34' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/statistics

Response (StatisticsReport):

{
  "code": 200,
  "denyDecisionsCount": 10,
  "deployFailureCount": 0,
  "deploySuccessCount": 0,
  "indeterminantDecisionsCount": 0,
  "permitDecisionsCount": 18,
  "totalErrorCount": 4,
  "totalPoliciesCount": 0,
  "totalPolicyTypesCount": 1,
  "undeployFailureCount": 0,
  "undeploySuccessCount": 0
}