Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

OPA-PDP high level architecture

image-20241111-044344.png

Phase-1 implementation Details

In Phase-1 the OPA-PDP will be pre-loaded with sample policy, deployment of policy via PAP is not supported.

  • OPA-PDP implements a kafka listener, Publisher to receiving and sending messages to PAP

    • Once OPA-PDP is up it will send “Registration”( PDP_STATUS) message to PAP

    • Some of the information included in the message are:

    • pdpType the type of the PDP opa .

    • pdpGroup to which the PDP should belong to opaGroup defaultGroup

    • state the initial state of the PDP which is PASSIVE.

    • healthy whether the PDP is “HEALTHY” or not.

    • name a name that is unique to the PDP instance for e.g. “opa-f849384c-dd78-4016-a7b5-1c660fb6ee0e”

    • Code Block
      Sample Registration Message 
      {
        "messageName": "PDP_STATUS",
        "pdpType": "opa",
        "state": "PASSIVE",
        "healthy": "HEALTHY",
        "description": "Pdp Status Registration Message",
        "response": null,
        "policies": null,
        "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
        "requestId": "9fed8880-d023-4004-b6bf-647efd10a7df",
        "pdpGroup": "defaultGroup",
        "pdpSubgroup": null,
        "timestampMs": "1731335546889"
      }
  • On receiving the registration message from a PDP, PAP checks and assigns it to a subgroup under the group. PAP sends PDP_UPDATE message. PAP also sends the pdpHeartbeatIntervalMs which is the time interval in which PDPs should send heartbeats to PAP. Currently (In first phase) OPA-PDP handles only the pdpHeartbeatIntervalMs and starts a timer for sending STATUS messages periodically. OPA-PDP sends PDP_STATUS response to PDP_UPDATE message.

Note

OPA-PDP currently doesn’t handle the policies to be deployed sent in "policiesToBeDeployed" field in PDP_UPDATE

Example PDP_STATUS response

Code Block
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message For Pdp Update",
  "response": {
    "responseTo": "06f6d05f-6045-48d9-bcd8-40364fb695ae",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP Update was Successful"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "e6a0607f-5fc8-4d62-afca-3cb984d827a3",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550030",
  "deploymentInstanceInfo":""
}
Note

In Phase-1, OPA-PDP STATUS message will not include details on predefined policies (policy name and version). It will be assigned to “null”

  • PAP sends PDP_STATE_CHANGE message

...

In “ACTIVE” state OPA-PDP is in ready state to receive any decision requests

Example PDP_STATUS response for PDP_STATE_CHANGE

Code Block
{
  "messageName": "PDP_STATUS",
  "pdpType": "opa",
  "state": "ACTIVE",
  "healthy": "HEALTHY",
  "description": "Pdp Status Response Message to Pdp State Change",
  "response": {
    "responseTo": "3edbb47c-b015-4fd9-9572-26cde97cc23c",
    "responseStatus": "SUCCESS",
    "responseMessage": "PDP State Changed From PASSIVE TO Active"
  },
  "policies": null,
  "name": "opa-949018d3-cc9b-429b-96ae-46ca9c314e42",
  "requestId": "02b186a6-485d-4392-90fa-d4cac34be97a",
  "pdpGroup": "defaultGroup",
  "pdpSubgroup": "opa",
  "timestampMs": "1731335550069"
}

Currently OPA policies are pre-loaded in the docker setup.

  • Decision Requests are REST requests sent from ONAP components. Below is the format of Decision API request.

  • API endpoint :- policy/pdpx/v1/decision. Below is the snippet of Decision Request that will be received in Phase-1 .

    Code Block
    Decision Request 
     {
      	"OnapNameonapName": "CDS",
       "onapComponent": "CDS",
    	  "OnapComponentonapInstance": "CDS",
    	  "OnapInstancecurrentDate":  "CDS2024-component11-instance22",
     	 "RequestIdcurrentTime": "2024-11-22T11:34:56Z",
      "timeZone": "8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1UTC",
      	"timeOffset"Policy: "+05:30",
      "currentDateTime": "2024-11-22T12:08:00Z",
      "policyName": "roleaction/allow",
    	  "input": {
        "user": "alice",
      	  {
    	 "action": "delete",
        "usertype": "alice",
    	      "action":"read",
    	      "object":"id123",
    	      "type":"cat"}
    	  }
    }
    
    
    server"
      }
    }
    
    curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -d '{"onapName":"CDS","onapComponent":"CDS","onapInstance":"CDS", "currentDate": "2024-11-22", "currentTime": "2024-11-22T11:34:56Z", "timeZone": "UTC", "timeOffset": "UTC+05:30", "currentDateTime": "2024-11-22T12:08:00Z","policyName":"action/allow","input":{"user":"alice","action":"delete","type":"server"}}' -X POST http://0.0.0.0:8282/policy/pdpx/v1/decision

Decision Response will contain following parameters

Code Block
{
  "decision":"PERMIT",
  "policyName":"action/allow",
  "statusMessage":"OPA Allowed"
}

Currently OPA-PDP will respond with either PERMIT, DENY or INDETERMINATE values .

The policies and data json are currently mounted as files in docker volume for OPA-PDP.

OPA-PDP will also support health check request. The end point for health check is policy/pdpx/v1/healthcheck

Code Block
Request 
curl -u 'policyadmin:zb!XztG34' -H 'Content-Type: application/json' -H 'Accept: application/json' -

...

X GET
http://0.0.0.0:8282/policy/pdpx/v1/healthcheck

Response 
{
  "name": "opa-e007a5f3-28f0-4e0d-84ac-51951550f790",
  "url": "self",
  "healthy": true,
  "code": 200,
  "message": "alive"
}

Statistics :Currently we support only following counters and other counters will be set as 0.

  • totalErrorCount

  • permitDecisionsCount

  • denyDecisionsCount

  • totalPolicyTypesCount      

Code Block
Request
curl -u 'policyadmin:zb!XztG34' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/statistics
StatisticsReport
{ 
  "code":200,
  "

...

denyDecisionsCount":

...

10,
  "deployFailureCount":0,
  "deploySuccessCount":0,
  "indeterminantDecisionsCount":0,
  "permitDecisionsCount":18,
  "totalErrorCount":4,
  "totalPoliciesCount":0,
  "totalPolicyTypesCount":1,
  "undeployFailureCount":0,
  "undeploySuccessCount":0
  }

Health Check API Request/Response

Code Block
Reguest
curl -u 'policyadmin:zb!XztG34' --header 'X-ONAP-RequestID:8e6f784e-c9cb-42f6-bcc9-edb5d0af1ce1' -X GET http://0.0.0.0:8282/policy/pdpx/v1/

...

healthcheck
HealthCheckReport
{  
   "code":200,
   "healthy":true,
   "message":"alive",
   "name":"opa-9f0248ea-807e-45f6-8e0f-935e570b75cc",
   "url":"self"
}