...
Overview
In essence, a native policy is a custom policy/rule implementation for a specific PDP engine, such as Drools DRL rules, XACML XML policies or APEX JSON policies.
...
Taking XACML as another example, some policy authors may want to add custom XACML policies (customized guard, coordination, classification, etc.) for which using a TOSCA Policy Type abstraction does not make sense or simply isn't required.
1. Native Policy Development Guidelines
1.1 Drools Native Policies
1.1.1 DRL development
DRL development refers to the composition of a .drl file containing one or more Drools rules written in the Drools rule language. These rules work together to implement the policy decision-making logic required by the new custom application.
Policy authors should develop DRL rules in the IDE of their choice, e.g. Eclipse/IntelliJ, along with the JUnit tests needed to ensure the rules compile and make the expected decisions.
After DRL rule development, the policy author should submit the composed rules for Git review, then deploy the new JAR containing the new DRL rules to the existing Nexus repos that hold the released artifacts currently supported by the runtime PDP-D engines.
...
Dependency JAR developers should follow development best practices/governance to test and deploy new and/or updated Java artifacts to the Nexus repo for the Drools PDP-D. Such new Java development should go through the Git review process and include the JUnit tests needed to make sure the artifacts behave as expected.
1. Use an editor of choice and the existing XACML GitHub jars etc. to validate/test.
XACML native policies are encoded in XML, which defines the access control rules required by the new XACML application. In particular, the access control rules include subject, action and resource specifications (i.e. 'subject' wants to do 'action' to 'resource': can it be allowed?). Some of these fields can be wildcarded to match all possibilities. The XACML policy author should compose such rules/policies in XACML XML and validate them using the test tools supported in the GitHub:att/XACML project. After ensuring the newly composed XACML policy fits the need, the XACML author can call the create native policy API to insert the new XACML policy into the policy framework.
...
1.1.2 Drools controller configuration
Deploying a native policy to the Drools PDP essentially means assigning the policy to a Drools controller, which manages the loading of the DRL rules and corresponding facts into the desired working memory. To avoid unnecessary fact/rule conflicts, a given use case might need a separate working memory dedicated to its native policy. Hence, for some native policies (here we assume one native policy can include multiple DRL rules), an independent Drools controller needs to be instantiated for each of them. A Drools controller needs to be configured in terms of a custom controller name, source/sink topics, event serialization, serialization filter, etc. (more details will be presented in Sec. 2.1.1). All these configurations are use-case specific and can be specified in the native policy if the policy designers already have the desired configuration in mind. Other installation-level configurations such as the DMaaP server, AAF credentials, etc. are left in the Helm charts rather than in the native policy, as they apply across all use cases.
It is worth noting that specifying the Drools controller configuration in the native policy is optional. If it is absent, the native policy is assigned to a default Drools controller that is specified in the Helm charts and instantiated in the Drools PDP when the PDP comes up. If the policy designers know that an existing Drools controller can serve the new native policy, they can specify just that controller's name without replicating the other configuration details. Alternatively, policy designers can change the Drools controller configuration at runtime by calling the exposed telemetry API, e.g. to change a source/sink topic, if the current/default Drools controller setup cannot meet their needs.
1.2 XACML XML
XACML policy designers can use a text or XML editor of their choice to design and test their XACML policies. The GitHub:att/XACML project has tools and a GUI available for creating and testing policies.
1.3 APEX JSON
APEX policy development includes three parts: developing the state machine transitions in the APEX language (i.e. the .apex file), developing the I/O event schema for each state (i.e. .avro files), and developing the processing logic in each state/task (i.e. JavaScript files). APEX policy developers should follow best practices to develop APEX policies and submit them for Git review once done. The APEX command line tool can then be used to generate the executable JSON for PDP-A.
TBC with Apex team
2. Policy Lifecycle API CRUD Enhancements
In order to distinguish between native policy/rule types, the REST header "Content-Type" is set to a content type specific to each PDP engine:
Content-Type | Description
---|---
application/vnd.onap.drools+text | Drools DRL text files. Question: Does Drools have a custom content-type already??
application/vnd.onap.drools.mvn+xml | Maven XML dependency specification for a Java artifact containing Drools rules. Does Maven have a custom content-type??
application/xacml+xml; version=3.0 | Per http://docs.oasis-open.org/xacml/xacml-rest/v1.0/cos01/xacml-rest-v1.0-cos01.html
2.1 PDP-D Content-Types
Two Content-Types can be used by policy authors to create native Drools rules: "application/vnd.onap.drools+text" and "application/vnd.onap.drools.mvn+xml".
"application/vnd.onap.drools+text" refers to native Drools DRL text content. When Drools authors use this Content-Type in the POST call, they only need to provide the DRL text in the payload. One payload example is shown below:
Code Block:
package org.onap.policy.controlloop.ran;

import org.onap.policy.controlloop.ran.event.SampleMsEvent;
import org.onap.policy.controlloop.ran.Enodeb;
import org.slf4j.LoggerFactory;
import org.slf4j.Logger;

// Fact type carrying the control loop name this rule set is bound to.
declare Params
    closedLoopControlName: String
end

// Runs once when the rules are loaded: seeds working memory with the Params fact.
rule "INIT"
when
then
    Logger logger = LoggerFactory.getLogger(drools.getRule().getPackage());
    Params params = new Params();
    params.setClosedLoopControlName("example-name");
    logger.info("{}: {}", params.getClosedLoopControlName(), drools.getRule().getName());
    insert(params);
end

// Fires for each SampleMsEvent whose control loop name matches the Params fact.
rule "EVENT"
when
    $params : Params( $clName : getClosedLoopControlName() )
    $event : SampleMsEvent( closedLoopControlName == $clName )
then
    Logger logger = LoggerFactory.getLogger(drools.getRule().getPackage());
    logger.info("{}: {}", $params.getClosedLoopControlName(), drools.getRule().getName());
    Enodeb enb = new Enodeb($event);
    enb.reboot();
    retract($event);
end
The detailed documentation can be found here - https://onap.readthedocs.io/en/latest/submodules/policy/parent.git/docs/apex/apex.html
2. Policy Lifecycle API CRUD Enhancements
Native policies can be supported by a TOSCA policy type and policy. For a native Drools policy, since the native DRL is packaged in a JAR that has been deployed to the Nexus repo along with its dependency JARs, the TOSCA policy only needs to include the pointer to the native JAR plus the information the Drools PDP needs to instantiate a new controller with the native DRL loaded into memory. The corresponding policy type should be defined and pre-loaded into the policy framework so that TOSCA policies of that type can then be created. For a native XACML policy, the content is the XACML XML itself, which is all the XACML PDP needs to load into its engine and run. Thus the TOSCA policy for native XACML only needs to carry this XML content: a URL-encoded string is created from the composed XACML XML and populated into a string property.
2.1 Native Drools Policy Support
2.1.1 Policy Type for Native Drools Policy
Below is the policy type defined to support native Drools policies.
Code Block:
tosca_definitions_version: tosca_simple_yaml_1_0_0
policy_types:
  onap.policies.Native:
    derived_from: tosca.policies.Root
    description: a base policy type for all native PDP policies
    version: 1.0.0
  onap.policies.native.Drools:
    derived_from: onap.policies.Native
    description: a policy type for native drools policies
    version: 1.0.0
    properties:
      rule_artifact:
        type: onap.datatypes.native.rule_artifact
        required: true
        description: specifies rule artifact pointer
      drools_controller:
        type: onap.datatypes.native.drools_controller
        required: false
        description: specifies information for drools controller instantiation
data_types:
  onap.datatypes.native.rule_artifact:
    derived_from: tosca.datatypes.Root
    properties:
      groupId:
        type: string
        required: true
      artifactId:
        type: string
        required: true
      version:
        type: string
        required: true
  onap.datatypes.native.drools_controller:
    derived_from: tosca.datatypes.Root
    properties:
      controllerName:
        type: string
        required: true
      isNewController:
        type: boolean
        required: true
        description: a flag to indicate if the controller is a new one to instantiate or not
      sourceTopics:
        type: list
        required: false
        entry_schema:
          type: onap.datatypes.native.dmaap_config
      sinkTopics:
        type: list
        required: false
        entry_schema:
          type: onap.datatypes.native.dmaap_config
  onap.datatypes.native.dmaap_config:
    derived_from: tosca.datatypes.Root
    properties:
      topicName:
        type: string
        required: true
      serialization:
        type: list
        required: true
        entry_schema:
          type: onap.datatypes.native.dmaap.serialization
  onap.datatypes.native.dmaap.serialization:
    derived_from: tosca.datatypes.Root
    properties:
      eventCanonicalName:
        type: string
        required: true
      eventFilter:
        type: string
        required: false
      customSerializer:
        type: string
        required: false
One limitation of the "application/vnd.onap.drools+text" Content-Type is that the payload only contains the native DRL content, without the dependency information (i.e. dependency artifacts) that must also be loaded into Drools memory to support execution of the native rules. In the aforementioned example, "SampleMsEvent", "Enodeb" and "Logger" come from other dependency artifacts. When the Drools PDP-D receives such a set of native rules deployed from PAP, it does not know which dependencies to load into memory along with the rules themselves. If the deployed rules cannot be executed due to missing dependencies, the PAP policy deployment API should return 400 Bad Request.
To bridge the gap, one solution is to use the "application/vnd.onap.drools+text" Content-Type only when modifying rules that are already running (i.e. updating the rules) and the update introduces no new dependency. Given a set of rules already running in PDP-D with all required dependencies loaded, suppose a new requirement calls for a logic change in one rule, e.g. resetting the enodeb rather than rebooting it. All that needs to change is line #34 in the above example, from enb.reboot() to enb.reset(), given that both reboot() and reset() are supported in the org.onap.policy.controlloop.ran.Enodeb dependency model. In this case, the PUT call with the "application/vnd.onap.drools+text" Content-Type can be used to update the rules.
Now the question is how to bring in a new set of rules for a new application that has never run in PDP-D before. The second Content-Type, "application/vnd.onap.drools.mvn+xml", is designed for this purpose. When a policy author makes the POST call with the "application/vnd.onap.drools.mvn+xml" Content-Type, the payload is a Maven XML dependency specification for a Java artifact that contains the new DRL rules. The policy author must make sure that the specified Java artifact is already deployed to the Nexus repo used by the runtime PDP-D engine before calling the POST API; otherwise, the POST API should return 400 Bad Request because the specified artifact is missing from Nexus.
To be discussed: where should this artifact existence check live, in the API or in PAP???
One example payload with the "application/vnd.onap.drools.mvn+xml" Content-Type is shown below, reusing the aforementioned rule example.
Code Block:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <dependencies>
        <dependency>
            <groupId>org.onap.policy.native</groupId>
            <artifactId>policy-ran-optimization</artifactId>
            <version>1.0.0-SNAPSHOT</version>
        </dependency>
    </dependencies>
</project>
2.2 PDP-X Content-Types
"application/xacml+xml; version=3.0" is designed to be the custom Content-Type for native XACML policies. Typically the content is XML using the XACML reserved keywords. For native XACML policy CRUD, this Content-Type would be used to encode the policy content. Below is one example of a native XACML policy under the "application/xacml+xml; version=3.0" Content-Type.
Code Block:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        PolicyId="urn:oasis:names:tc:xacml:2.0:example:IIA009:policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
        Version="1.0"
        xsi:schemaLocation="urn:oasis:names:tc:xacml:3.0:policy:schema:os access_control-xacml-2.0-policy-schema-os.xsd">
    <Description>
        Example Policy for Illustration.
    </Description>
    <Target/>
    <Rule Effect="Permit" RuleId="urn:oasis:names:tc:xacml:2.0:example:IIA009:rule">
        <Description>
            Julius Hibbert can read or write Bart Simpson's medical record.
        </Description>
        <Target>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Julius Hibbert</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">http://medico.com/record/patient/BartSimpson</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
                    </Match>
                </AllOf>
            </AnyOf>
            <AnyOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
                        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
                        <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
                    </Match>
                </AllOf>
                <AllOf>
                    <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
(the listing is cut off here in the source page)
2.1.2 TOSCA Policy for Native Drools Rules
Below is an example of a TOSCA policy for native Drools rules.
Code Block:
tosca_definitions_version: tosca_simple_yaml_1_0_0
topology_template:
  policies:
    -
      Example_policy_name:
        type: onap.policies.native.Drools
        version: 1.0.0
        metadata:
          policy-id: Example_policy_name
        properties:
          rule_artifact:
            groupId: org.onap.policy.native
            artifactId: example_controlloop
            version: 1.0.0-SNAPSHOT
          drools_controller:
            controllerName: example_controller_name
            isNewController: true
            sourceTopics:
              -
                topicName: POLICY_INPUT
                serialization:
                  -
                    eventCanonicalName: org.onap.policy.controlloop.event.ControlLoopEvent
                    eventFilter: "[?($.closedLoopControlName == 'example_controlloop_name')]"
                    customSerializer: org.onap.policy.controlloop.utils.serializer,gson
              -
                topicName: SDNR_TO_POLICY
                serialization:
                  -
                    eventCanonicalName: org.onap.policy.controlloop.event.Response
                    eventFilter: "[?($.closedLoopControlName == 'example_controlloop_name' && $.action == 'example_action')]"
                    customSerializer: org.onap.policy.controlloop.utils.serializer,gson
            sinkTopics:
              -
                topicName: POLICY_TO_SDNR
                serialization:
                  -
                    eventCanonicalName: org.onap.policy.controlloop.event.Request
                    eventFilter: "[?($.closedLoopControlName == 'example_controlloop_name' && $.action == 'example_action')]"
                    customSerializer: org.onap.policy.controlloop.utils.serializer,gson
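As an added illustration (not ONAP's own PAP/API code) of the checks the onap.policies.native.Drools type above implies, and of the Nexus artifact-existence check discussed in Sec. 2.1, here is a validator for a native Drools TOSCA policy. The `artifact_exists` callback, the Maven repository layout it is given, the function names and the sample policy dict are assumptions; a real check would query the Nexus repository over HTTP.

```python
from typing import Callable, Dict, List

# Property names and required flags taken from the policy type in Sec. 2.1.1.
RULE_ARTIFACT_REQUIRED = ("groupId", "artifactId", "version")
SERIALIZATION_KEYS = {"eventCanonicalName": True, "eventFilter": False, "customSerializer": False}


def maven_jar_path(artifact: Dict[str, str]) -> str:
    """Maven 2 repository layout of the rule JAR (assumption: a plain JAR, no classifier)."""
    aid, ver = artifact["artifactId"], artifact["version"]
    return f"{artifact['groupId'].replace('.', '/')}/{aid}/{ver}/{aid}-{ver}.jar"


def _check_topics(topics, where: str, errors: List[str]) -> None:
    """Validate a sourceTopics/sinkTopics list of onap.datatypes.native.dmaap_config entries."""
    if not isinstance(topics, list):
        errors.append(f"{where}: must be a list")
        return
    for i, topic in enumerate(topics):
        if "topicName" not in topic:
            errors.append(f"{where}[{i}]: missing 'topicName'")
        entries = topic.get("serialization")
        if not isinstance(entries, list) or not entries:
            errors.append(f"{where}[{i}]: 'serialization' must be a non-empty list")
            continue
        for j, entry in enumerate(entries):
            for key, required in SERIALIZATION_KEYS.items():
                if required and key not in entry:
                    errors.append(f"{where}[{i}].serialization[{j}]: missing '{key}'")
            for key in entry:
                if key not in SERIALIZATION_KEYS:
                    errors.append(f"{where}[{i}].serialization[{j}]: unknown property '{key}'")


def validate_native_drools_policy(policy: Dict, artifact_exists: Callable[[str], bool]) -> List[str]:
    """Return the validation errors for one policy body (empty list means acceptable).

    Each error corresponds to something the API/PAP would reject with 400 Bad Request:
    wrong type, missing rule_artifact fields, a malformed drools_controller, or a rule
    JAR that is not present in the Nexus repository the PDP-D resolves from.
    """
    errors: List[str] = []
    if policy.get("type") != "onap.policies.native.Drools":
        errors.append("type must be onap.policies.native.Drools")
    props = policy.get("properties") or {}

    artifact = props.get("rule_artifact")
    if not isinstance(artifact, dict):
        errors.append("rule_artifact is required")
    else:
        missing = [k for k in RULE_ARTIFACT_REQUIRED if k not in artifact]
        if missing:
            errors.append(f"rule_artifact: missing {missing}")
        elif not artifact_exists(maven_jar_path(artifact)):
            errors.append(f"rule_artifact not found in Nexus: {maven_jar_path(artifact)}")

    controller = props.get("drools_controller")  # optional: absent means the default controller
    if controller is not None:
        for key in ("controllerName", "isNewController"):
            if key not in controller:
                errors.append(f"drools_controller: missing '{key}'")
        if not isinstance(controller.get("isNewController", False), bool):
            errors.append("drools_controller.isNewController must be a boolean")
        for key in ("sourceTopics", "sinkTopics"):
            if key in controller:
                _check_topics(controller[key], f"drools_controller.{key}", errors)
    return errors


# Constructed sample: the policy body from Sec. 2.1.2 as a dict (what yaml.safe_load would give).
EXAMPLE_POLICY = {
    "type": "onap.policies.native.Drools",
    "version": "1.0.0",
    "metadata": {"policy-id": "Example_policy_name"},
    "properties": {
        "rule_artifact": {"groupId": "org.onap.policy.native",
                          "artifactId": "example_controlloop",
                          "version": "1.0.0-SNAPSHOT"},
        "drools_controller": {
            "controllerName": "example_controller_name",
            "isNewController": True,
            "sourceTopics": [{"topicName": "POLICY_INPUT", "serialization": [
                {"eventCanonicalName": "org.onap.policy.controlloop.event.ControlLoopEvent",
                 "eventFilter": "[?($.closedLoopControlName == 'example_controlloop_name')]",
                 "customSerializer": "org.onap.policy.controlloop.utils.serializer,gson"}]}],
            "sinkTopics": [{"topicName": "POLICY_TO_SDNR", "serialization": [
                {"eventCanonicalName": "org.onap.policy.controlloop.event.Request"}]}],
        },
    },
}

# Constructed stand-in for the Nexus repository: the JAR paths it is assumed to contain.
DEPLOYED_JARS = {"org/onap/policy/native/example_controlloop/1.0.0-SNAPSHOT/"
                 "example_controlloop-1.0.0-SNAPSHOT.jar"}


def check_example() -> List[str]:
    return validate_native_drools_policy(EXAMPLE_POLICY, DEPLOYED_JARS.__contains__)


if __name__ == "__main__":
    print(check_example() or "policy accepted")
```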
2.2 Native XACML Policy Support
2.2.1 Policy Type for Native XACML Policies
Below is the policy type defined to support native XACML policies.
Code Block:
tosca_definitions_version: tosca_simple_yaml_1_0_0
policy_types:
  onap.policies.Native:
    derived_from: tosca.policies.Root
    description: a base policy type for all native PDP policies
    version: 1.0.0
  onap.policies.native.Xacml:
    derived_from: onap.policies.Native
    description: a policy type for native xacml policies
    version: 1.0.0
    properties:
      policy:
        type: string
        required: true
        description: The XML XACML 3.0 PolicySet or Policy
        metadata:
          encoding: URL
2.2.2 TOSCA Policy for Native XACML Rules
Below is an example of a TOSCA policy for native XACML rules.
Code Block:
tosca_definitions_version: tosca_simple_yaml_1_0_0
topology_template:
policies:
-
usecase_foo_xacml_policy:
policy: "%3CPolicy+xmlns%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Acore%3Aschema%3Awd-17%22+PolicyId%3D%22Test.policy%22+Version%3D%221%22+RuleCombiningAlgId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Arule-combining-algorithm%3Afirst-applicable%22%3E%0D%0A++++%3CTarget%2F%3E%0D%0A++++%3CRule+RuleId%3D%22Test.policy%3Arule%22+Effect%3D%22Permit%22%3E%0D%0A++++++++%3CDescription%3EDefault+is+to+PERMIT+if+the+policy+matches.%3C%2FDescription%3E%0D%0A++++++++%3CTarget%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3EI+should+be+matched%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Ainteger-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22%3E1000%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatachableInteger%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++
++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Adouble-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23double%22%3E1.1%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableDouble%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23double%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Aboolean-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23boolean%22%3Etrue%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatachableBoolean%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23boolean%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Ematch+A%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3Amatc
hableListString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Ematch+B%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableListString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++%3C%2FTarget%3E%0D%0A++++++++%3CCondition%3E%0D%0A++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Aor%22%3E%0D%0A++++++++++++++++%3CDescription%3EIF+exists+and+is+equal%3C%2FDescription%3E%0D%0A++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Ainteger-equal%22%3E%0D%0A++++++++++++++++++++%3CDescription%3EDoes+the+policy-type+attribute+exist%3F%3C%2FDescription%3E%0D%0A++++++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-bag-size%22%3E%0D%0A++++++++++++++++++++++++%3CDescription%3EGet+the+size+of+policy-type+attributes%3C%2FDescription%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++++++++++%3CAttributeValue+DataType%3D%
22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22%3E0%3C%2FAttributeValue%3E%0D%0A++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-is-in%22%3E%0D%0A++++++++++++++++++++%3CDescription%3EIs+this+policy-type+in+the+list%3F%3C%2FDescription%3E%0D%0A++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Eonap.policies.Test%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++%3C%2FApply%3E%0D%0A++++++++%3C%2FCondition%3E%0D%0A++++%3C%2FRule%3E%0D%0A++++%3CRule+RuleId%3D%22Test.policy%3Arule%3Apolicy-type%22+Effect%3D%22Permit%22%3E%0D%0A++++++++%3CDescription%3EMatch+on+policy-type+onap.policies.Test%3C%2FDescription%3E%0D%0A++++++++%3CTarget%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Eonap.policies.Test%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++%3C%2FTarget%3E%0D%0A++++%3C%2FRule%3E%0D%0A++++%3CObligationExpressions%3E%0D%0A++++++++%3CObligationExpression+ObligationId%3D%22urn%
3Aorg%3Aonap%3Arest%3Abody%22+FulfillOn%3D%22Permit%22%3E%0D%0A++++++++++++%3CAttributeAssignmentExpression+AttributeId%3D%22urn%3Aorg%3Aonap%3A%3Aobligation%3Amonitoring%3Acontents%22%3E%0D%0A++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3E%7B%22type%22%3A%22onap.policies.Test%22%2C%22type_version%22%3A%221.0.0%22%2C%22properties%22%3A%7B%22nonmatachableString%22%3A%22I+am+NON+matchable%22%2C%22matchableString%22%3A%22I+should+be+matched%22%2C%22nonmatachableInteger%22%3A0%2C%22matachableInteger%22%3A1000%2C%22nonmatachableDouble%22%3A0%2C%22matchableDouble%22%3A1.1%2C%22nonmatachableBoolean%22%3Afalse%2C%22matachableBoolean%22%3Atrue%2C%22matchableListString%22%3A%5B%22match+A%22%2C%22match+B%22%5D%7D%2C%22name%22%3A%22Test.policy%22%2C%22version%22%3A%221.0.0%22%2C%22metadata%22%3A%7B%22policy-id%22%3A%22Test.policy%22%2C%22policy-version%22%3A%221%22%7D%7D%3C%2FAttributeValue%3E%0D%0A++++++++++++%3C%2FAttributeAssignmentExpression%3E%0D%0A++++++++%3C%2FObligationExpression%3E%0D%0A++++%3C%2FObligationExpressions%3E%0D%0A%3C%2FPolicy%3E%0D%0A" |
The native XACML rules for the above TOSCA policy are:
Code Block:
<Policy
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Test.policy" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Target/>
<Rule RuleId="Test.policy:rule" Effect="Permit">
<Description>Default is to PERMIT if the policy matches.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">I should be matched</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1000</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matachableInteger" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">1.1</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableDouble" DataType="http://www.w3.org/2001/XMLSchema#double" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matachableBoolean" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match A</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableListString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match B</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableListString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Description>IF exists and is equal</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Description>Does the policy-type attribute exist?</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<Description>Get the size of policy-type attributes</Description>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<Description>Is this policy-type in the list?</Description>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="Test.policy:rule:policy-type" Effect="Permit">
<Description>Match on policy-type onap.policies.Test</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<ObligationExpressions>
<ObligationExpression ObligationId="urn:org:onap:rest:body" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="urn:org:onap::obligation:monitoring:contents">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{"type":"onap.policies.Test","type_version":"1.0.0","properties":{"nonmatachableString":"I am NON matchable","matchableString":"I should be matched","nonmatachableInteger":0,"matachableInteger":1000,"nonmatachableDouble":0,"matchableDouble":1.1,"nonmatachableBoolean":false,"matachableBoolean":true,"matchableListString":["match A","match B"]},"name":"Test.policy","version":"1.0.0","metadata":{"policy-id":"Test.policy","policy-version":"1"}}</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>
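An added example (not ONAP's own API or PDP-X code) of the URL-encoding round trip between XACML XML like the one above and the `policy` string property of onap.policies.native.Xacml (metadata encoding: URL), plus the well-formedness and root-element check a PDP-X should apply before loading a decoded policy. The sample policy, the function names and the use of Python's quote_plus (which yields the `+`/`%3C`/`%0D%0A` encoding seen in the page's example) are assumptions.

```python
import xml.etree.ElementTree as ET
from typing import Dict
from urllib.parse import quote_plus, unquote_plus

XACML3_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"

# Constructed, deliberately small XACML policy with the same shape as the page's Test.policy.
SAMPLE_XACML = (
    '<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Test.policy" '
    'Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">\r\n'
    '    <Target/>\r\n'
    '    <Rule RuleId="Test.policy:rule" Effect="Permit">\r\n'
    '        <Description>Default is to PERMIT if the policy matches.</Description>\r\n'
    '    </Rule>\r\n'
    '</Policy>\r\n'
)


def to_tosca_policy(name: str, xacml_xml: str) -> Dict:
    """Wrap XACML XML into the TOSCA policy structure of Sec. 2.2.2 (assumed field set)."""
    return {
        name: {
            "type": "onap.policies.native.Xacml",
            "version": "1.0.0",
            "metadata": {"policy-id": name},
            # application/x-www-form-urlencoded style: ' ' -> '+', '<' -> '%3C', CRLF -> '%0D%0A'
            "properties": {"policy": quote_plus(xacml_xml)},
        }
    }


def extract_xacml(tosca_policy: Dict) -> ET.Element:
    """Decode the `policy` property and refuse anything that is not a XACML 3.0
    Policy or PolicySet. Raises ValueError so a caller can map it to 400 Bad Request.

    Note: ElementTree does not fetch external entities, but production code that
    parses policies from untrusted submitters should use defusedxml for parsing.
    """
    (_, body), = tosca_policy.items()
    if body.get("type") != "onap.policies.native.Xacml":
        raise ValueError("not a native XACML policy")
    encoded = body.get("properties", {}).get("policy")
    if not isinstance(encoded, str):
        raise ValueError("'policy' string property is required")
    try:
        root = ET.fromstring(unquote_plus(encoded))
    except ET.ParseError as exc:
        raise ValueError(f"policy is not well-formed XML: {exc}") from exc
    if root.tag not in (f"{{{XACML3_NS}}}Policy", f"{{{XACML3_NS}}}PolicySet"):
        raise ValueError(f"unexpected root element {root.tag}")
    id_attr = "PolicyId" if root.tag.endswith("}Policy") else "PolicySetId"
    for attr in (id_attr, "Version"):
        if attr not in root.attrib:
            raise ValueError(f"root element lacks {attr}")
    return root


def round_trip() -> Dict[str, str]:
    """Encode the sample, decode it again and report the identifying attributes."""
    tosca = to_tosca_policy("usecase_foo_xacml_policy", SAMPLE_XACML)
    encoded = tosca["usecase_foo_xacml_policy"]["properties"]["policy"]
    root = extract_xacml(tosca)
    return {
        "encoded_prefix": encoded[:22],  # same prefix as the page's example string
        "policy_id": root.attrib["PolicyId"],
        "combining_alg": root.attrib["RuleCombiningAlgId"].rsplit(":", 1)[-1],
        "rules": str(len(root.findall(f"{{{XACML3_NS}}}Rule"))),
    }


if __name__ == "__main__":
    print(round_trip())
```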
Note that the DELETE call should remove the TOSCA policy from the DB as well as the corresponding JAR from Nexus.
Pamela Dragosh, Jorge Hernandez - Question: should checking the existence of the referenced JAR in Nexus happen in the API each time a new policy is created/updated, in PAP when the policy gets deployed, or in the PDP only???
Question: do we need to return the native policy contents, i.e. the DRL or XACML XML, when the GET call is invoked? If not, what if an end user wants to view the native policy rules???
2.3 Native Apex Policy Support
2.3.1 Policy Type for Native Apex Policy
Below is the policy type defined to support native apex policies.
Code Block:
tosca_definitions_version: tosca_simple_yaml_1_0_0
policy_types:
  onap.policies.Native:
    derived_from: tosca.policies.Root
    description: a base policy type for all native PDP policies
    version: 1.0.0
  onap.policies.native.Apex:
    derived_from: onap.policies.Native
    description: a policy type for native apex policies
    version: 1.0.0
    properties:
      engine_service:
        type: onap.datatypes.native.apex.EngineService
        description: APEX Engine Service Parameters
      inputs:
        type: map
        description: Inputs for handling events coming into the APEX engine
        entry_schema:
          type: onap.datatypes.native.apex.EventHandler
      outputs:
        type: map
        description: Outputs for handling events going out of the APEX engine
        entry_schema:
          type: onap.datatypes.native.apex.EventHandler
      environment:
        type: list
        description: Environmental parameters for the APEX engine
        entry_schema:
          type: onap.datatypes.native.apex.Environment
data_types:
  onap.datatypes.native.apex.EngineService:
    derived_from: tosca.datatypes.Root
    properties:
      name:
        type: string
        description: Specifies the engine name
        required: false
        default: "ApexEngineService"
      version:
        type: string
        description: Specifies the engine version in double dotted format
        required: false
        default: "1.0.0"
      id:
        type: int
        description: Specifies the engine id
        required: true
      instance_count:
        type: int
        description: Specifies the number of engine threads that should be run
        required: true
      deployment_port:
        type: int
        description: Specifies the port to connect to for engine administration
        required: false
        default: 1
      policy_model_file_name:
        type: string
        description: The name of the file from which to read the APEX policy model
        required: false
        default: ""
      policy_type_impl:
        type: string
        description: The policy type implementation from which to read the APEX policy model
        required: false
        default: ""
      periodic_event_period:
        type: string
        description: The time interval in milliseconds for the periodic scanning event, 0 means don't scan
        required: false
        default: 0
      engine:
        type: onap.datatypes.native.apex.engineservice.Engine
        description: The parameters for all engines in the APEX engine service
        required: true
  onap.datatypes.native.apex.EventHandler:
    derived_from: tosca.datatypes.Root
    properties:
      name:
        type: string
        description: Specifies the event handler name, if not specified this is set to the key name
        required: false
      carrier_technology:
        type: onap.datatypes.native.apex.CarrierTechnology
        description: Specifies the carrier technology of the event handler (such as REST/Web Socket/Kafka)
        required: true
      event_protocol:
        type: onap.datatypes.native.apex.EventProtocol
        description: Specifies the event protocol of events for the event handler (such as Yaml/JSON/XML/POJO)
        required: true
      event_name:
        type: string
        description: Specifies the event name for events on this event handler, if not specified, the event name is read from or written to the event being received or sent
        required: false
      event_name_filter:
        type: string
        description: Specifies a filter as a regular expression, events that do not match the filter are dropped, the default is to let all events through
        required: false
      synchronous_mode:
        type: bool
        description: Specifies the event handler is synchronous (receive event and send response)
        required: false
        default: false
      synchronous_peer:
        type: string
        description: The peer event handler (output for input or input for output) of this event handler in synchronous mode, this parameter is mandatory if the event handler is in synchronous mode
        required: false
        default: ""
      synchronous_timeout:
        type: int
        description: The timeout in milliseconds for responses to be issued by APEX to requests, this parameter is mandatory if the event handler is in synchronous mode
        required: false
        default:
      requestor_mode:
        type: bool
        description: Specifies the event handler is in requestor mode (send event and wait for response mode)
        required: false
        default: false
      requestor_peer:
        type: string
        description: The peer event handler (output for input or input for output) of this event handler in requestor mode, this parameter is mandatory if the event handler is in requestor mode
        required: false
        default: ""
      requestor_timeout:
        type: int
        description: The timeout in milliseconds for wait for responses to requests, this parameter is mandatory if the event handler is in requestor mode
        required: false
        default:
  onap.datatypes.native.apex.CarrierTechnology:
    derived_from: tosca.datatypes.Root
    properties:
      label:
        type: string
        description: The label (name) of the carrier technology (such as REST, Kafka, WebSocket)
        required: true
plugin_parameter_class_name: type: string <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue> description: The class name of the class that overrides default handling of event input or output <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> for this carrier technology, defaults to the supplied input or output class </Match> required: false onap.datatypes.native.apex.EventProtocol: </AllOf> derived_from: tosca.datatypes.Root properties: </AnyOf> </Target> label: <Condition> type: string <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in"> description: The label <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">riddle me this</AttributeValue> (name) of the event protocol (such as Yaml, JSON, XML, or POJO) <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:2.0:example:some-attribute" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/> required: true </Apply> event_protocol_plugin_class: </Condition> </Rule> </Policy> |
2.3 PDP-A Content-Types
TBA
2.4 Endpoint Details
The Policy Lifecycle API will need to support new endpoints that consume these PDP-specific Content-Types, as well as the ability to save them to the database.
...
Creates a native drools policy.
Returns the id, version and created drl contents.
Note: policyId is the same as <artifactId> specified in the payload; version is the same as <version> specified in the payload; <groupId> specified in the payload could be a fixed one for all native drools policies, e.g. org.onap.policy.native.
200
Code Block |
---|
{
"policyId": "example-policy",
"version": "1.0.0",
"pdpType": "drools"
} |
...
Updates a native drools policy.
Returns the id, version and updated drl contents.
Note: version is an auto-increased version off the original one. For example, if the original version is "1.0.0", the version returned after this PUT call could be "1.0.1".
200
Code Block |
---|
{
"policyId": "example-policy",
"version": "1.0.1",
"pdpType": "drools"
} |
...
Create a native xacml policy
200
Code Block |
---|
{
"policyId": "example-policy",
"version": "1.0.1",
"pdpType": "xacml"
} |
...
200
Code Block |
---|
{
"policyId": "example-policy",
"version": "1.0.1",
"pdpType": "apex"
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policies": [
{ "policyId": "id-1",
"version": "1.0.0",
"pdpType": "drools"
},
{
"policyId": "id-2",
"version": "1.1.0",
"pdpType": "xacml"
},
{
"policyId": "id-3",
"version": "1.2.0",
"pdpType": "apex"
}
]
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policies": [
{ "policyId": "id-1",
"version": "1.0.0",
"pdpType": "drools"
},
{
"policyId": "id-1",
"version": "1.0.1",
"pdpType": "drools"
},
{
"policyId": "id-1",
"version": "1.0.2",
"pdpType": "drools"
}
]
} |
...
application/vnd.onap.drools+text
application/xacml+xml; version=3.0
application/vnd.onap.apex+json
...
200
Code Block |
---|
policy text in DRL/XACML-XML/APEX-JSON |
...
application/json
application/yaml
...
200
Code Block |
---|
{
"policyId": "example-policy",
"version": "1.0.1",
"pdpType": "drools"
} |
...
application/json
application/yaml
...
200
Code Block |
---|
{
("pdpGroup1","1.0.0"): [
{
"policyId": "example-policy",
"version": "1.0.0",
"pdpType": "drools"
},
{
"policyId": "example-policy",
"version": "1.1.0",
"pdpType": "drools"
}
]
} |
...
application/vnd.onap.drools+text
application/xacml+xml; version=3.0
application/vnd.onap.apex+json
...
200
Code Block |
---|
policy text in DRL/XACML-XML/APEX-JSON |
A safety net should be implemented for DELETE: if a policy version is deployed in any PDP, it cannot be deleted. Instead, 409 Conflict should be returned along with a message saying which PDP this policy id:version is deployed in.
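The create/update/delete behaviour described above, as an added example that is not part of this page or of the ONAP code: an in-memory stand-in for the policy database that derives the PUT version by auto-increasing the patch number (a scheme assumed here from the "1.0.0" to "1.0.1" example) and that refuses a DELETE with 409 while PAP still reports the version as deployed. The group tags of the form pdpGroup:groupVersion are an assumption.

```python
"""Added example, not ONAP API code: an in-memory model of the native policy
lifecycle rules (create, PUT with auto-increased version, DELETE safety net).
The 'policyId:version' bookkeeping and the group tags are assumptions."""
import re
from typing import Dict, List, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def version_key(version: str) -> Tuple[int, int, int]:
    m = VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    return tuple(int(g) for g in m.groups())


def bump_patch(version: str) -> str:
    """Auto-increase the last component: '1.0.0' -> '1.0.1' (the scheme assumed here)."""
    major, minor, patch = version_key(version)
    return f"{major}.{minor}.{patch + 1}"


class NativePolicyStore:
    """Stand-in for the policy DB plus the deployment view that PAP reports back."""

    def __init__(self) -> None:
        self.policies: Dict[Tuple[str, str], dict] = {}
        # (policyId, version) -> "pdpGroup:groupVersion" tags where it is deployed
        self.deployed: Dict[Tuple[str, str], List[str]] = {}

    def _summary(self, key: Tuple[str, str]) -> dict:
        p = self.policies[key]
        return {"policyId": p["policyId"], "version": p["version"], "pdpType": p["pdpType"]}

    def create(self, policy_id: str, version: str, pdp_type: str, text: str):
        """POST: id and version come from the payload (artifactId/version for DRL)."""
        if not VERSION_RE.match(version):
            return 400, {"error": f"malformed version {version!r}"}
        key = (policy_id, version)
        if key in self.policies:
            return 409, {"error": f"{policy_id}:{version} already exists"}
        self.policies[key] = {"policyId": policy_id, "version": version,
                              "pdpType": pdp_type, "text": text}
        return 200, self._summary(key)

    def update(self, policy_id: str, text: str):
        """PUT: the new content is stored under the next patch version; earlier
        versions stay untouched, so whatever is deployed keeps running what was reviewed."""
        versions = [v for (pid, v) in self.policies if pid == policy_id]
        if not versions:
            return 404, {"error": f"{policy_id} not found"}
        latest = max(versions, key=version_key)
        new_key = (policy_id, bump_patch(latest))
        self.policies[new_key] = dict(self.policies[(policy_id, latest)],
                                      version=new_key[1], text=text)
        return 200, self._summary(new_key)

    def mark_deployed(self, policy_id: str, version: str, pdp_group: str, group_version: str) -> None:
        self.deployed.setdefault((policy_id, version), []).append(f"{pdp_group}:{group_version}")

    def mark_undeployed(self, policy_id: str, version: str, pdp_group: str, group_version: str) -> None:
        tags = self.deployed.get((policy_id, version), [])
        tag = f"{pdp_group}:{group_version}"
        if tag in tags:
            tags.remove(tag)

    def delete(self, policy_id: str, version: str):
        """DELETE with the safety net: refuse while any PDP group still has this version deployed."""
        key = (policy_id, version)
        if key not in self.policies:
            return 404, {"error": f"{policy_id}:{version} not found"}
        where = self.deployed.get(key)
        if where:
            return 409, {"error": f"policy {policy_id}:{version} is deployed in PDP group(s) "
                                  f"{', '.join(where)}"}
        del self.policies[key]
        return 200, {"policyId": policy_id, "version": version}
```

The conflict response names every group the version is still deployed in, which is what an operator needs in order to undeploy first; keeping older versions on PUT rather than overwriting them is what makes the deployed-version check meaningful.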
3. PAP Enhancements
PDP Engines must now register with the PAP the native Content-Types they support so that the PAP can deploy native policies to the PDPs. This requires an additional parameter in the Group Deploy/Undeploy listing the Content-Types the PDP engine supports. The proposal is to add a field "supportedContentTypes".
3.1 Example of PDP Register
The only change needed is to add "supportedContentTypes" to the PDP status message a PDP sends when it registers itself with PAP. For example:
Code Block |
---|
{
  "pdpType": "xacml",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "supportedPolicyTypes": [
    { "name": "onap.Monitoring", "version": "1.0.0" },
    { "name": "onap.policies.monitoring.cdap.tca.hi.lo.app", "version": "1.0.0" },
    { "name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "version": "1.0.0" },
    { "name": "onap.policies.monitoring.docker.sonhandler.app", "version": "1.0.0" },
    { "name": "onap.policies.controlloop.guard.FrequencyLimiter", "version": "1.0.0" },
    { "name": "onap.policies.controlloop.guard.MinMax", "version": "1.0.0" },
    { "name": "onap.policies.controlloop.guard.Blacklist", "version": "1.0.0" },
    { "name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "version": "1.0.0" },
    { "name": "onap.policies.optimization.AffinityPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.DistancePolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.HpaPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.OptimizationPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.PciPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.QueryPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.SubscriberPolicy", "version": "1.0.0" },
    { "name": "onap.policies.optimization.Vim_fit", "version": "1.0.0" },
    { "name": "onap.policies.optimization.VnfPolicy", "version": "1.0.0" }
  ],
  "supportedContentTypes": [
    { "name": "application/xacml+xml; version=3.0", "version": "1.0.0" }
  ],
  "policies": [],
  "messageName": "PDP_STATUS",
  "requestId": "77f42778-f19a-47a6-a9a1-984cbb125d96",
  "timestampMs": 1571244733313,
  "name": "FLCDTL02JH7358"
} |
Code Block |
---|
{
  "pdpType": "drools",
  "state": "PASSIVE",
  "healthy": "HEALTHY",
  "supportedPolicyTypes": [
    { "name": "onap.policies.controlloop.Operational", "version": "1.0.0" }
  ],
  "supportedContentTypes": [
    { "name": "application/vnd.onap.drools+text", "version": "1.0.0" },
    { "name": "application/vnd.onap.drools.mvn+xml", "version": "1.0.0" }
  ],
  "policies": [],
  "messageName": "PDP_STATUS",
  "requestId": "8ae9fe00-8979-460f-83b2-92d7bd517c34",
  "timestampMs": 1571244753326,
  "name": "XGIQPQ96FL9182"
} |
Question: Do we need a version attached to the native content-type? Might be easier to keep it around.
Continuation of the onap.policies.native.Apex type definition from section 2 (the remaining data types):
Code Block |
---|
      event_protocol_plugin_class:
        type: string
        description: The class name of the class that overrides default handling of the event protocol for this carrier technology, defaults to the supplied event protocol class
        required: false
  onap.datatypes.native.apex.Environmental:
    derived_from: tosca.datatypes.Root
    properties:
      name:
        type: string
        description: The name of the environment variable
        required: true
      value:
        type: string
        description: The value of the environment variable
        required: true
  onap.datatypes.native.apex.engineservice.Engine:
    derived_from: tosca.datatypes.Root
    properties:
      context:
        type: onap.datatypes.native.apex.engineservice.engine.Context
        description: The properties for handling context in APEX engines, defaults to using Java maps for context
        required: false
      executors:
        type: map
        description: The plugins for policy executors used in engines such as javascript, MVEL, Jython
        required: true
        entry_schema:
          description: The plugin class path for this policy executor
          type: string
  onap.datatypes.native.apex.engineservice.engine.Context:
    derived_from: tosca.datatypes.Root
    properties:
      distributor:
        type: onap.datatypes.native.apex.Plugin
        description: The plugin to be used for distributing context between APEX PDPs at runtime
        required: false
      schemas:
        type: map
        description: The plugins for context schemas available in APEX PDPs such as Java and Avro
        required: false
        entry_schema:
          type: onap.datatypes.native.apex.Plugin
      locking:
        type: onap.datatypes.native.apex.plugin
        description: The plugin to be used for locking context in and between APEX PDPs at runtime
        required: false
      persistence:
        type: onap.datatypes.native.apex.Plugin
        description: The plugin to be used for persisting context for APEX PDPs at runtime
        required: false
  onap.datatypes.native.apex.Plugin:
    derived_from: tosca.datatypes.Root
    properties:
      name:
        type: string
        description: The name of the executor such as Javascript, Jython or MVEL
        required: true
      plugin_class_name:
        type: string
        description: The class path of the plugin class for this executor |
NOTE: The native policy type is already loaded in the policy framework during installation, hence a user can directly deploy native policies in the respective pdp engines without needing to create the policy type first.
3. PAP Enhancements
PDP Groups must be provisioned to support the new policy types for native policies so that policies can be deployed by PAP to the PDPs. This requires an additional entry in the supported policy types list to indicate which native policy type each specific PDP Subgroup can support.
3.1 PDP Group & SubGroup
The native policy type should be added into the supported policy types list to indicate which type of native policies each PDP SubGroup can support.
Below is one example of a PDP Group with native policy support for the xacml, drools & apex engines.
Code Block |
---|
{
  "groups": [
    {
      "name": "defaultGroup",
      "description": "The default group that registers all supported policy types and pdps.",
      "pdpGroupState": "ACTIVE",
      "properties": {},
      "pdpSubgroups": [
        {
          "pdpType": "apex",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.operational.Apex", "version": "1.0.0" },
            { "name": "onap.policies.native.Apex", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "apex_35", "pdpState": "ACTIVE", "healthy": "HEALTHY", "message": "Pdp Heartbeat" }
          ]
        },
        {
          "pdpType": "drools",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.Operational", "version": "1.0.0" },
            { "name": "onap.policies.native.Drools", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "dev-policy-drools-0", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        },
        {
          "pdpType": "xacml",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.guard.FrequencyLimiter", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.MinMax", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.Blacklist", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "version": "1.0.0" },
            { "name": "onap.Monitoring", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.cdap.tca.hi.lo.app", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.docker.sonhandler.app", "version": "1.0.0" },
            { "name": "onap.policies.optimization.AffinityPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.DistancePolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.HpaPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.OptimizationPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.PciPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.QueryPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.SubscriberPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.Vim_fit", "version": "1.0.0" },
            { "name": "onap.policies.optimization.VnfPolicy", "version": "1.0.0" },
            { "name": "onap.policies.native.Xacml", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 1,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "dev-policy-policy-xacml-pdp-558c478477-g85jl", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        }
      ]
    }
  ]
} |
3.2 Example PDP Group Deploy
The only change needed is to add "supportedContentTypes" to each entry in "pdpSubgroups" to indicate what kind of native policies it can support. Typically, the Drools PDP will support both "application/vnd.onap.drools+text" and "application/vnd.onap.drools.mvn+xml", the XACML PDP will need to support "application/xacml+xml; version=3.0", and the APEX PDP will need to support "application/vnd.onap.apex+json". Likewise, the same "supportedContentTypes" also needs to be added to the PDP group query response.
Below is one example of a PDP group deployment.
Code Block |
---|
{
  "groups": [
    {
      "name": "defaultGroup",
      "description": "The default group that registers all supported policy types and pdps.",
      "pdpGroupState": "ACTIVE",
      "properties": {},
      "pdpSubgroups": [
        {
          "pdpType": "apex",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.operational.Apex", "version": "1.0.0" }
          ],
          "supportedContentTypes": [
            { "name": "application/vnd.onap.apex+json", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "apex_35", "pdpState": "ACTIVE", "healthy": "HEALTHY", "message": "Pdp Heartbeat" }
          ]
        },
        {
          "pdpType": "drools",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.Operational", "version": "1.0.0" }
          ],
          "supportedContentTypes": [
            { "name": "application/vnd.onap.drools+text", "version": "1.0.0" },
            { "name": "application/vnd.onap.drools.mvn+xml", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 0,
          "desiredInstanceCount": 1,
          "properties":
 {},
          "pdpInstances": [
            { "instanceId": "dev-policy-drools-0", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        },
        {
          "pdpType": "xacml",
          "supportedPolicyTypes": [
            { "name": "onap.policies.controlloop.guard.FrequencyLimiter", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.MinMax", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.Blacklist", "version": "1.0.0" },
            { "name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "version": "1.0.0" },
            { "name": "onap.Monitoring", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.cdap.tca.hi.lo.app", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "version": "1.0.0" },
            { "name": "onap.policies.monitoring.docker.sonhandler.app", "version": "1.0.0" },
            { "name": "onap.policies.optimization.AffinityPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.DistancePolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.HpaPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.OptimizationPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.PciPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.QueryPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.SubscriberPolicy", "version": "1.0.0" },
            { "name": "onap.policies.optimization.Vim_fit", "version": "1.0.0" },
            { "name": "onap.policies.optimization.VnfPolicy", "version": "1.0.0" }
          ],
          "supportedContentTypes": [
            { "name": "application/xacml+xml; version=3.0", "version": "1.0.0" }
          ],
          "policies": [],
          "currentInstanceCount": 1,
          "desiredInstanceCount": 1,
          "properties": {},
          "pdpInstances": [
            { "instanceId": "dev-policy-policy-xacml-pdp-558c478477-g85jl", "pdpState": "ACTIVE", "healthy": "HEALTHY" }
          ]
        }
      ]
    }
  ]
} |
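Deployment eligibility, as an added example that is not PAP code: given a PDP group like the ones above, pick the subgroups a native policy may be deployed to, matching on the subgroup's pdpType plus either its supportedPolicyTypes (the policy-type design) or its supportedContentTypes (the Content-Type design). The sample group is constructed for the example and trimmed from the ones above; the trailing ".*" wildcard handling for supported policy type names is an assumption, not something this page specifies.

```python
"""Added example, not PAP code: choose the PDP subgroups that may receive a native
policy, using either the supportedPolicyTypes or the supportedContentTypes design."""
from typing import Dict, List, Optional, Tuple

# Constructed sample, trimmed from the PDP group examples on this page.
SAMPLE_GROUP = {
    "name": "defaultGroup",
    "pdpGroupState": "ACTIVE",
    "pdpSubgroups": [
        {"pdpType": "apex",
         "supportedPolicyTypes": [{"name": "onap.policies.native.Apex", "version": "1.0.0"}],
         "supportedContentTypes": [{"name": "application/vnd.onap.apex+json", "version": "1.0.0"}]},
        {"pdpType": "drools",
         "supportedPolicyTypes": [{"name": "onap.policies.controlloop.Operational", "version": "1.0.0"},
                                  {"name": "onap.policies.native.Drools", "version": "1.0.0"}],
         "supportedContentTypes": [{"name": "application/vnd.onap.drools+text", "version": "1.0.0"},
                                   {"name": "application/vnd.onap.drools.mvn+xml", "version": "1.0.0"}]},
        {"pdpType": "xacml",
         # ".*" wildcard entry is an assumption of this example
         "supportedPolicyTypes": [{"name": "onap.policies.controlloop.guard.*", "version": "1.0.0"},
                                  {"name": "onap.policies.native.Xacml", "version": "1.0.0"}],
         "supportedContentTypes": [{"name": "application/xacml+xml; version=3.0", "version": "1.0.0"}]},
    ],
}


def parse_media_type(value: str) -> Tuple[str, Dict[str, str]]:
    """Normalise 'application/xacml+xml; version=3.0' to
    ('application/xacml+xml', {'version': '3.0'}) so spacing and case do not defeat the match."""
    parts = [p.strip() for p in value.split(";")]
    params: Dict[str, str] = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return parts[0].lower(), params


def content_type_supported(subgroup: dict, content_type: str) -> bool:
    wanted = parse_media_type(content_type)
    return any(parse_media_type(ct["name"]) == wanted
               for ct in subgroup.get("supportedContentTypes", []))


def policy_type_supported(subgroup: dict, name: str, version: str) -> bool:
    """Exact name+version match, or a supported name ending in '.*' that prefixes the
    requested name (wildcard handling assumed for this example)."""
    for pt in subgroup.get("supportedPolicyTypes", []):
        if pt.get("version") != version:
            continue
        sname = pt["name"]
        if sname == name or (sname.endswith(".*") and name.startswith(sname[:-1])):
            return True
    return False


def eligible_subgroups(group: dict, pdp_type: str, *, policy_type: Optional[str] = None,
                       policy_type_version: str = "1.0.0",
                       content_type: Optional[str] = None) -> List[str]:
    """Subgroups whose pdpType equals the policy's pdpType AND which advertise the policy's
    type or content type. The pdpType check stops a DRL payload being handed to an XACML
    subgroup even if a type list were misconfigured."""
    if policy_type is None and content_type is None:
        raise ValueError("need a policy type or a content type to match on")
    chosen = []
    for sg in group["pdpSubgroups"]:
        if sg["pdpType"] != pdp_type:
            continue
        by_type = policy_type is not None and policy_type_supported(sg, policy_type, policy_type_version)
        by_ct = content_type is not None and content_type_supported(sg, content_type)
        if by_type or by_ct:
            chosen.append(sg["pdpType"])
    return chosen
```

Matching content types after normalisation matters for the XACML entry: "application/xacml+xml; version=3.0" and "application/xacml+xml;version=3.0" are the same media type and must not be treated as different capabilities.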
3.3 Deploy/Undeploy API
No change is envisioned for the current deploy/undeploy API: only policyId and version are needed to tell PAP to deploy/undeploy a native policy.
4. PDP Changes
Each PDP will need to support native policies being deployed to and undeployed from it, as is done today.
4.1 Drools PDP
The Drools PDP will need to be able to instantiate a new controller instance and then ingest the native DRL into that controller. The first change needed is to expose the telemetry API to external users, particularly the endpoint used to create a new controller. One example is shown below:
curl -k --user "demo@people.osaaf.org:demo123456!" -X POST --data @example-controller.rest.json --header "Content-Type: application/json" https://{ip or hostname}:9696/policy/pdp/engine/controllers
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{
"controller.name": "example-controller",
"ueb.source.topics": "EXAMPLE-SOURCE-TOPIC",
"ueb.source.topics.EXAMPLE-SOURCE-TOPIC.servers": "example-dmaap-server",
"ueb.source.topics.EXAMPLE-SOURCE-TOPIC.events": "example-source-event-class",
"ueb.sink.topics": "EXAMPLE-SINK-TOPIC",
"ueb.sink.topics.EXAMPLE-SINK-TOPIC.servers": "example-dmaap-server",
"ueb.sink.topics.EXAMPLE-SINK-TOPIC.events": "example-sink-event-class",
"rules.groupId": "org.onap.policy.controlloop",
"rules.artifactId": "policy-ran-optimization",
"rules.version": "1.0.0-SNAPSHOT"
} |
In addition, when the Drools PDP receives a native policy deployed from PAP, the deployment contains groupId, artifactId and version, so the Drools PDP will need to pull the java artifact that contains the drl rules, together with the corresponding dependency artifacts, and place them in the local m2 repo. When a new controller such as the one shown above is created, it scans the local m2 repo for the artifact with the specified "rules.groupId", "rules.artifactId" and "rules.version" and loads the drl rules it contains into drools memory.
On the other hand, if the Drools PDP receives a request from PAP to undeploy a native policy, it will need to disable/delete the corresponding controller and remove the corresponding artifact from the local m2 repo. Deleting a controller can be done by calling the exposed telemetry API. For example:
curl -k --user "demo@people.osaaf.org:demo123456!" -X DELETE https://{ip or hostname}:9696/policy/pdp/engine/controllers/example-controller
4.2 XACML PDP
The XACML PDP will need to be able to ingest a XACML XML policy directly. One suggestion is to create an application specifically for XACML native rules by default. The opportunity exists for a policy designer to create a specific application that supports native XACML policies (with or without TOSCA Policy Types as an option) and uses the grouping of PDPs to differentiate itself from the default XACML native rule application. The XACML PDP should also be enhanced to support configuration of applications, giving policy designers flexibility as to where each of its possible policy types and content types is deployed.
With regards to the Decision API supported by XACML, that api can be enhanced to support XACML XML requests/responses directly.
Some scenarios are listed as below:
Scenario #1: Use pre-defined XACML policies only (i.e. Guard, Coordination, Optimization, Monitoring)
This scenario is already supported today through some pre-built XACML applications which support Guard, Coordination (W.I.P), Optimization and Monitoring. We provide TOSCA Policy Types for such types of XACML policies. A XACML author can use the lifecycle APIs to CRUD the corresponding TOSCA policies, which will then be deployed to the XACML PDP. The XACML PDP translates these TOSCA policies into low-level native XACML XML policies and then enforces them.
Scenario #2: Use native XACML policies only
This scenario requires a new XACML application to be built which particularly handles native XACML policies only.
Scenario #3: Use pre-defined XACML policies and native XACML policies together
This scenario is the most complicated one. For a new use case, a XACML policy author might need to use existing types of XACML policies, e.g. guard, together with newly composed native XACML XML policies, e.g. custom access control rules. Perhaps we need to build another new XACML application for this combination. More details need to be figured out, e.g. do we need a new TOSCA policy type for this combination? How do we combine the low-level XACML XML policies? Which combining algorithm should we use? etc.
4.3 Apex PDP
Apex PDP will need to be able to ingest custom Apex JSON policies. TBC with that team - may already be well-supported.
5. Sequence flows for native policy design and deployment
5.1 Drools
Create native DRL
Update native DRL
Deploy native DRL
Undeploy native DRL
Delete native DRL
5.2 XACML
...
3.2 Deploy/Undeploy API
No change is envisioned for the current deploy/undeploy API: only policy-id and version are needed to tell PAP to deploy/undeploy a native policy.
4. PDP Changes
Each PDP will need to support native policies being deployed to and undeployed from it, as is done today.
4.1 Drools PDP
On one hand, the Drools PDP will need to parse the information encoded in the TOSCA policy deployed from PAP, namely the native DRL JAR GAV (GroupId, ArtifactId, Version) and the Drools controller configuration if present. It will then go to nexus to pull the native DRL JAR and its corresponding dependencies. If the Drools controller configuration is present, the Drools PDP first needs to determine, by parsing the "isNewController" flag, whether to instantiate a new controller or reuse an existing one. If reusing an existing one, the Drools PDP just assigns the native DRL JAR and dependencies to that controller. Otherwise, a new Drools controller instance should be instantiated using the configuration included in the TOSCA properties. The new Drools controller should then load the native DRL and the corresponding facts into working memory for rule execution.
On the other hand, when the Drools PDP receives a request to undeploy a native policy, it should disable the corresponding Drools controller and clean up the related facts from memory.
Another extension needed is to expose the telemetry API used to manage the lifecycle of a Drools controller, to facilitate policy designers who want to change the controller setup at runtime. Currently the telemetry API can only be called from within the policy container. One example is shown below:
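The deploy/undeploy handling described in both versions of section 4.1 (resolving the DRL JAR by GAV in the local m2 repo, then creating or reusing a controller), as an added example that is not PDP-D code. The TOSCA property layout (rulesArtifact with groupId/artifactId/version, controller with name and isNewController) is an assumption apart from the isNewController flag named above; the SHA-1 sidecar check is a defensive step the page does not mention, using the .sha1 file Maven stores beside artifacts it downloads. The artifact written by the fixture helper is constructed.

```python
"""Added example, not ONAP PDP-D code: how a Drools PDP could act on a deployed
native DRL policy. Assumed TOSCA property layout:
  properties.rulesArtifact = {groupId, artifactId, version}
  properties.controller    = {name, isNewController, ...controller settings}
Only "isNewController" is named on the page; the other names are assumptions."""
import hashlib
import os
import tempfile
from typing import Dict


def m2_artifact_path(m2_root: str, group_id: str, artifact_id: str, version: str) -> str:
    """Maven local-repository layout: dots in the groupId become directories."""
    return os.path.join(m2_root, *group_id.split("."), artifact_id, version,
                        f"{artifact_id}-{version}.jar")


def verify_artifact(jar_path: str) -> bool:
    """Accept the jar only if the .sha1 sidecar Maven stores beside downloaded artifacts
    is present and matches, so a partial or altered download is never loaded."""
    sidecar = jar_path + ".sha1"
    if not (os.path.isfile(jar_path) and os.path.isfile(sidecar)):
        return False
    with open(jar_path, "rb") as f:
        actual = hashlib.sha1(f.read()).hexdigest()
    with open(sidecar, encoding="ascii") as f:
        expected = f.read().split()[0].lower()  # sidecars may read "<hash>  <filename>"
    return actual == expected


class DroolsPdp:
    """Minimal model of the controller bookkeeping a Drools PDP needs for native policies."""

    def __init__(self, m2_root: str) -> None:
        self.m2_root = m2_root
        self.controllers: Dict[str, dict] = {}

    def deploy(self, properties: dict) -> dict:
        gav = properties["rulesArtifact"]
        jar = m2_artifact_path(self.m2_root, gav["groupId"], gav["artifactId"], gav["version"])
        if not verify_artifact(jar):
            raise FileNotFoundError(f"artifact missing or checksum mismatch: {jar}")
        ctrl = properties.get("controller")
        if not ctrl:
            raise ValueError("controller configuration is required to host the DRL")
        name = ctrl["name"]
        if ctrl.get("isNewController", False):
            if name in self.controllers:
                raise ValueError(f"controller {name} already exists; set isNewController false to reuse it")
            settings = {k: v for k, v in ctrl.items() if k not in ("name", "isNewController")}
            self.controllers[name] = {"settings": settings, "rules": gav, "enabled": True}
            action = "created"
        else:
            if name not in self.controllers:
                raise KeyError(f"controller {name} does not exist; cannot reuse it")
            self.controllers[name]["rules"] = gav
            self.controllers[name]["enabled"] = True
            action = "reused"
        return {"controller": name, "action": action, "jar": jar}

    def undeploy(self, properties: dict) -> dict:
        name = properties["controller"]["name"]
        ctrl = self.controllers.get(name)
        if ctrl is None:
            return {"controller": name, "action": "not-found"}
        ctrl["enabled"] = False   # disable the controller ...
        ctrl["rules"] = None      # ... and drop the DRL so its facts are cleaned up
        return {"controller": name, "action": "disabled"}


def new_temp_m2() -> str:
    """Constructed scratch local repository for the demonstration."""
    return tempfile.mkdtemp(prefix="m2-")


def write_fixture_artifact(m2_root: str, group_id: str, artifact_id: str, version: str,
                           payload: bytes, tamper: bool = False) -> str:
    """Constructed fixture: a fake jar plus its sha1 sidecar; tamper=True writes a wrong sidecar."""
    jar = m2_artifact_path(m2_root, group_id, artifact_id, version)
    os.makedirs(os.path.dirname(jar), exist_ok=True)
    with open(jar, "wb") as f:
        f.write(payload)
    digest = hashlib.sha1(payload + b"x" if tamper else payload).hexdigest()
    with open(jar + ".sha1", "w", encoding="ascii") as f:
        f.write(f"{digest}  {os.path.basename(jar)}\n")
    return jar


def demo() -> dict:
    m2 = new_temp_m2()
    write_fixture_artifact(m2, "org.onap.policy.controlloop", "policy-ran-optimization", "1.0.0", b"fake jar bytes")
    return DroolsPdp(m2).deploy({
        "rulesArtifact": {"groupId": "org.onap.policy.controlloop",
                          "artifactId": "policy-ran-optimization", "version": "1.0.0"},
        "controller": {"name": "example-controller", "isNewController": True,
                       "ueb.source.topics": "EXAMPLE-SOURCE-TOPIC"},
    })
```

Refusing to load an artifact whose checksum does not match is cheap and catches the two failures that matter most at this step: an interrupted pull from nexus and an artifact that has been replaced on disk since it was pulled.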
Code Block |
---|
curl -k --silent --user ${TELEMETRY_USER}:${TELEMETRY_PASSWORD} -X POST --data @${json} --header "Content-Type: application/json" \
https://localhost:${TELEMETRY_PORT}/policy/pdp/engine/controllers |
4.2 XACML PDP
The XACML PDP will need to be able to ingest a XACML XML policy directly. One suggestion is to create an application specifically for XACML native rules by default. The opportunity exists for a policy designer to create a specific application that supports native XACML policies (with or without TOSCA Policy Types as an option) and uses the grouping of PDPs to differentiate itself from the default XACML native rule application. The XACML PDP should also be enhanced to support configuration of applications, giving policy designers flexibility as to where each of its possible policy types is deployed.
With regards to the Decision API supported by XACML, that api can be enhanced to support XACML XML requests/responses directly.
Some scenarios are listed as below:
Scenario #1: Use pre-defined XACML policies only (i.e. Guard, Coordination, Optimization, Monitoring)
This scenario is already supported today through some pre-built XACML applications which support Guard, Coordination (W.I.P), Optimization and Monitoring. We provide TOSCA Policy Types for such types of XACML policies. A XACML author can use the lifecycle APIs to CRUD the corresponding TOSCA policies, which will then be deployed to the XACML PDP. The XACML PDP translates these TOSCA policies into low-level native XACML XML policies and then enforces them.
Scenario #2: Use native XACML policies only
This scenario requires a new XACML application to be built which particularly handles native XACML policies only.
Scenario #3: Use pre-defined XACML policies and native XACML policies together
This scenario is the most complicated one. For a new use case, a XACML policy author might need to use existing types of XACML policies, e.g. guard, together with newly composed native XACML XML policies, e.g. custom access control rules. Perhaps we need to build another new XACML application for this combination. More details need to be figured out, e.g. do we need a new TOSCA policy type for this combination? How do we combine the low-level XACML XML policies? Which combining algorithm should we use? etc.
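One way to approach the combination questions in Scenario #3 (in both sections 4.2 above), as an added example that is not PDP-X code: wrap the TOSCA-derived policies and the native XACML policies in a single XACML 3.0 PolicySet with an explicitly chosen policy-combining algorithm, and compare what deny-overrides and first-applicable do with the same per-policy decisions. The policy bodies are constructed stand-ins; deny-overrides is used as the illustration, not as a decision the page makes.

```python
"""Added example, not ONAP PDP-X code: combine pre-defined and native XACML policies
in one PolicySet and show why the choice of combining algorithm matters."""
import xml.etree.ElementTree as ET
from typing import Iterable, List

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides"
FIRST_APPLICABLE = "urn:oasis:names:tc:xacml:1.0:policy-combining-algorithm:first-applicable"
RULE_DENY_OVERRIDES = "urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
ET.register_namespace("", XACML_NS)


def q(tag: str) -> str:
    return f"{{{XACML_NS}}}{tag}"


def minimal_policy(policy_id: str, rule_id: str, effect: str, version: str = "1.0") -> str:
    """Constructed stand-in for a policy body (an empty Target applies to every request)."""
    if effect not in ("Permit", "Deny"):
        raise ValueError("Effect must be Permit or Deny")
    policy = ET.Element(q("Policy"), {"PolicyId": policy_id, "Version": version,
                                      "RuleCombiningAlgId": RULE_DENY_OVERRIDES})
    ET.SubElement(policy, q("Target"))
    rule = ET.SubElement(policy, q("Rule"), {"RuleId": rule_id, "Effect": effect})
    ET.SubElement(rule, q("Target"))
    return ET.tostring(policy, encoding="unicode")


def combine_policies(policy_set_id: str, policies_xml: Iterable[str],
                     algorithm: str = DENY_OVERRIDES, version: str = "1.0") -> str:
    """Embed the given XACML 3.0 <Policy> documents in one <PolicySet>, rejecting anything
    that is not a XACML 3.0 Policy or that reuses a PolicyId (an ambiguous set).
    Policies reach this point through the authenticated lifecycle API; XML from an
    untrusted source should be parsed with a hardened parser such as defusedxml."""
    pset = ET.Element(q("PolicySet"), {"PolicySetId": policy_set_id, "Version": version,
                                       "PolicyCombiningAlgId": algorithm})
    ET.SubElement(pset, q("Target"))
    seen = set()
    for text in policies_xml:
        policy = ET.fromstring(text)
        if policy.tag != q("Policy"):
            raise ValueError(f"not a XACML 3.0 Policy element: {policy.tag}")
        pid = policy.get("PolicyId")
        if not pid or pid in seen:
            raise ValueError(f"missing or duplicate PolicyId: {pid!r}")
        seen.add(pid)
        pset.append(policy)
    return ET.tostring(pset, encoding="unicode")


def policy_ids(policy_set_xml: str) -> List[str]:
    root = ET.fromstring(policy_set_xml)
    return [p.get("PolicyId") for p in root.findall(q("Policy"))]


def combining_algorithm(policy_set_xml: str) -> str:
    return ET.fromstring(policy_set_xml).get("PolicyCombiningAlgId")


def combine_decisions(algorithm: str, decisions: List[str]) -> str:
    """Simplified XACML combining semantics over per-policy decisions (Permit, Deny,
    NotApplicable, Indeterminate); the Indeterminate{D}/{P}/{DP} refinements of the
    specification are collapsed into plain Indeterminate here."""
    if algorithm == DENY_OVERRIDES:
        if "Deny" in decisions:
            return "Deny"
        if "Indeterminate" in decisions:
            return "Indeterminate"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"
    if algorithm == FIRST_APPLICABLE:
        for d in decisions:
            if d in ("Permit", "Deny", "Indeterminate"):
                return d
        return "NotApplicable"
    raise ValueError(f"unsupported algorithm {algorithm}")
```

With deny-overrides, a Deny from a native access-control policy cannot be undone by a Permit from a guard policy regardless of ordering; with first-applicable, the order of the policies in the set decides, so the set's construction becomes part of the security argument.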
4.3 Apex PDP
Apex PDP already supports the native policies created using the policy type defined in section 2.3.1 above.
5. Sequence flows for native policy design, deployment and enforcement
5.1 Drools native policies supported by the PDP-D engine
5.1.1 Create native DRL
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
@startuml
autonumber
actor Drools_Policy_Designer as User
participant API
database Policy_DB as DB
participant Nexus
User -> Nexus: develop and deploy dependency JAR to nexus
User -> Nexus: develop and deploy DRL JAR to nexus
User -> API: POST - create TOSCA policy
API -> Nexus: validate JAR existence and Drools controller config
alt non-existence or invalid config
API -> User: JAR non-existence or invalid controller config
else everything is good
API -> DB: store policy in DB
DB -> API: success
API -> User: 200 Success
end
@enduml |
5.1.2 Deploy native DRL
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
@startuml
autonumber
actor Drools_Policy_Designer as User
database Policy_DB as DB
participant API
participant PAP
participant DroolsPDP as PDP
participant Nexus
User -> PAP: POST - deploy policy
PAP -> API: GET the policy
API -> DB: read from DB
DB -> API: success
API -> PAP: return the policy
PAP -> PDP: publish dmaap - deploy policy
PDP -> Nexus: pull the JAR
Nexus -> PDP: success
PDP -> PDP: instantiate a new drools controller
PDP -> PDP: load DRL and facts into memory
PDP -> PAP: publish dmaap - policy deployed
PAP -> User: 200 success
PAP -> PAP: publish policy update notification
@enduml |
5.1.3 Undeploy native DRL
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
@startuml
autonumber
actor Drools_Policy_Designer as User
participant PAP
participant DroolsPDP as PDP
User -> PAP: DELETE - undeploy policy
PAP -> PDP: publish dmaap - undeploy policy
PDP -> PDP: DELETE - disable the controller
PDP -> PAP: publish dmaap - policy undeployed
PAP -> User: 200 success
PAP -> PAP: publish policy update notification
@enduml |
5.1.4 Delete native DRL
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
@startuml
autonumber
actor Drools_Policy_Designer as User
participant API
database Policy_DB as DB
participant Nexus
User -> API: DELETE - delete policy
API -> DB: remove policy from DB
DB -> API: success
API -> Nexus: remove JAR from nexus
Nexus -> API: success
API -> User: 200 success
@enduml |
5.2 XACML native policies supported by the PDP-X engine
5.2.1 Getting XACML native policies into the Policy Framework via the Policy Lifecycle API CRUD
(Drawio diagram not reproduced)
5.2.2 Deploying/Undeploying XACML native policies using the Policy PAP API
(Gliffy diagram not reproduced)
5.2.3 Enforcement of XACML native policies done by the PDP-X engine using the Decision API
(Drawio diagram not reproduced)