...
Question: do we need to return native policy contents, i.e. DRL or XACML XML when GET call is invoked? If not, what if end user wants to view native policy rules???
2.
...
3 Native Apex Policy Support
2.
...
3.1 Policy Type for Native Apex Policy
Below is the policy type defined to support native apex policies.
| Code Block | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||
tosca_definitions_version: tosca_simple_yaml_1_0_0, policy_types: onap.policies.Native: derived_from: tosca.policies.Root description: a base policy type for all native PDP policies version: 1.0.0 onap.policies.native.Apex: derived_from: onap.policies.Native description: a policy type for native apex policies version: 1.0.0 properties: engine_service: type: onap.datatypes.native.apex.EngineService description: APEX Engine Service Parametersproperties: inputs: type: map description: Inputs for handling events coming into the APEX engine entry_schemaservice: type: onap.datatypes.native.apex.EventHandler outputs: type: map description: Outputs for handling events going out of the APEX engine entry_schema: type: onap.datatypes.native.apex.EventHandlerEngineService environment: type: list description: Envioronmental parameters for the APEX engine entry_schema: type: onap.datatypes.native.apex.Environment data_typesdescription: onap.datatypes.native.apex.EngineService: derived_from: tosca.datatypes.Root properties: name: type: string description: Specifies the engine name required: false default: "ApexEngineService" version: type: string description: Specifies the engine version in double dotted format required: false default: "1.0.0" id: type: int description: Specifies the engine id required: true instance_count: type: int description: Specifies the number of engine threads that should be run required: true deployment_port: type: int description: Specifies the port to connect to for engine administration required: false default: 1 policy_model_file_name: type: string description: The name of the file from which to read the APEX policy model required: false default: "" policy_type_impl: type: string description: The policy type implementation from which to read the APEX policy model required: false default: "" periodic_event_period: type: string description: The time interval in milliseconds for the periodic scanning event, 0 means don't scan required: false default: 0 engine: type: onap.datatypes.native.apex.engineservice.Engine description: The parameters for all engines in the APEX engine service required: true onap.datatypes.native.apex.EventHandler: derived_from: tosca.datatypes.Root properties: name: type: string description: Specifies the event handler name, if not specified this is set to the key name required: false carrier_technology:APEX Engine Service Parameters inputs: type: map description: Inputs for handling events coming into the APEX engine entry_schema: type: onap.datatypes.native.apex.EventHandler outputs: type: map description: Outputs for handling events going out of the APEX engine entry_schema: type: onap.datatypes.native.apex.CarrierTechnologyEventHandler description: Specifies the carrier technology of the event handler (such as REST/Web Socket/Kafka) required environment: true event_protocol: type: onap.datatypes.native.apex.EventProtocol description: Specifies the event protocol of events for the event handler (suchtype: as Yaml/JSON/XML/POJO) required: true event_name: type: string description: Specifies the event name for events on this event handler, if not specified, the event name is read from or written to the event being received or sent required: false event_name_filter: type: string description: Specifies a filter as a regular expression, events that do not match the filter are dropped, the default is to let all events through required: false synchronous_mode: type: bool description: Specifies the event handler is syncronous (receive event and send response) required: false default: false synchronous_peer: type: string description: The peer event handler (output for input or input for output) of this event handler in synchronous mode, this parameter is mandatory if the event handler is in synchronous mode required: false default: "" synchronous_timeout: type: int description: The timeout in milliseconds for responses to be issued by APEX torequests, this parameter is mandatory if the event handler is in synchronous mode required: false default: "" requestor_mode: type: bool description: Specifies the event handler is in requestor mode (send event and wait for response mode) required: false default: false requestor_peer: type: string description: The peer event handler (output for input or input for output) of this event handler in requestor mode, this parameter is mandatory if the event handler is in requestor mode required: false default: "" requestor_timeout: type: int description: The timeout in milliseconds for wait for responses to requests, this parameter is mandatory if the event handler is in requestor mode required: false default: "" onap.datatypes.native.apex.CarrierTechnology: derived_from: tosca.datatypes.Root properties: label: type: string description: The label (name) of the carrier technology (such as REST, Kafka, WebSocket) required: true plugin_parameter_class_name: type: string description: The class name of the class that overrides default handling of event input or output for this carrier technology, defaults to the supplied input or output class required: false onap.datatypes.native.apex.EventProtocol: derived_from: tosca.datatypes.Root properties: label: type: string description: The label (name) of the event protocol (such as Yaml, JSON, XML, or POJO) required: true event_protocol_plugin_class: type: string description: The class name of the class that overrides default handling of the event protocol for this carrier technology, defaults to the supplied event protocol class required: false onap.datatypes.native.apex.Environmental: derived_from: tosca.datatypes.Root properties: name: type: string description: The name of the environment variable required: true value: type: string description: The value of the environment variable required: true onap.datatypes.native.apex.engineservice.Engine: derived_from: tosca.datatypes.Root properties: context: type: onap.datatypes.native.apex.engineservice.engine.Context description: The properties for handling context in APEX engines, defaults to using Java maps for context required: false executors: type: map description: The plugins for policy executors used in engines such as javascript, MVEL, Jython required: true entry_schema: description: The plugin class path for this policy executor type: string onap.datatypes.native.apex.engineservice.engine.Context: derived_from: tosca.datatypes.Root properties: distributor: type: onap.datatypes.native.apex.Plugin description: The plugin to be used for distributing context between APEX PDPs at runtime required: false schemas: type: map description: The plugins for context schemas available in APEX PDPs such as Java and Avro required: false entry_schema: type: onap.datatypes.native.apex.Plugin locking: type: onap.datatypes.native.apex.plugin description: The plugin to be used for locking context in and between APEX PDPs at runtime required: false persistence: type: onap.datatypes.native.apex.Plugin description: The plugin to be used for persisting context for APEX PDPs at runtime required: false onap.datatypes.native.apex.Plugin: derived_from: tosca.datatypes.Root properties: name: type: string description: The name of the executor such as Javascript, Jython or MVEL required: true plugin_class_name: type: string description: The class path of the plugin class for this executor |
2.1.2 TOSCA Policy for Native Drools Rules
Below is an example of TOSCA policy for native Drools rules
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
tosca_definitions_version: tosca_simple_yaml_1_0_0 topology_template: policies: - Example_policy_name: type: onap.policies.native.Drools version: 1.0.0list description: Envioronmental parameters for the APEX engine entry_schema: type: onap.datatypes.native.apex.Environment data_types: onap.datatypes.native.apex.EngineService: derived_from: tosca.datatypes.Root properties: name: type: string description: Specifies the engine name required: false default: "ApexEngineService" version: type: string description: Specifies the engine version in double dotted format required: false default: "1.0.0" id: type: int description: Specifies the engine id required: true instance_count: type: int description: Specifies the number of engine threads that should be run required: true deployment_port: type: int description: Specifies the port to connect to for engine administration required: false default: 1 policy_model_file_name: type: string description: The name of the file from which to read the APEX policy model required: false default: "" policy_type_impl: type: string description: The policy type implementation from which to read the APEX policy model required: false default: "" periodic_event_period: type: string metadata: policy-iddescription: Example_policy_nameThe time interval in milliseconds for the periodic scanning event, 0 means don't properties:scan rule_artifactrequired: false groupIddefault: org.onap.policy.native0 engine: artifactId: example_controlloop type: onap.datatypes.native.apex.engineservice.Engine version: 1.0.0-SNAPSHOT description: The parameters for all engines in the APEX engine service drools_controller: required: true controllerNameonap.datatypes.native.apex.EventHandler: example_controller_name derived_from: tosca.datatypes.Root properties: isNewController: true name: sourceTopics: type: string description: Specifies the -event handler name, if not specified this is set to the key name topicNamerequired: POLICY_INPUTfalse carrier_technology: serialization type: onap.datatypes.native.apex.CarrierTechnology description: Specifies the carrier technology of the event handler (such as REST/Web Socket/Kafka) - required: true event_protocol: eventCanonicalNametype: org.onap.policydatatypes.controlloopnative.eventapex.ControlLoopEventEventProtocol description: Specifies the event protocol of events for the event handler (such as Yaml/JSON/XML/POJO) eventFilter: [?($.closedLoopControlName == 'example_controlloop_name')] required: true event_name: customSerializertype: org.onap.policy.controlloop.utils.serializer,gsonstring description: Specifies the event name for events on this -event handler, if not specified, the event name is read from or written to the event being received or sent topicName: SDNR_TO_POLICY required: false event_name_filter: serialization: type: string description: Specifies a filter as a regular -expression, events that do not match the filter are dropped, the default is to let all events through required: false eventCanonicalName: org.onap.policy.controlloop.event.Response synchronous_mode: type: bool eventFilter: [?($.closedLoopControlName == 'example_controlloop_name' && $.action == 'example_action')] description: Specifies the event handler is syncronous (receive event and send response) required: false customSerializer: org.onap.policy.controlloop.utils.serializer,gson default: false sinkTopics: synchronous_peer: type: string - description: The peer event handler (output for input or input for output) of this event handler in synchronous mode, topicName: POLICY_TO_SDNR this parameter is mandatory if the event handler is in synchronous mode serializationrequired: false default: "" synchronous_timeout: - type: int description: The timeout in eventCanonicalName: org.onap.policy.controlloop.event.Request milliseconds for responses to be issued by APEX torequests, this parameter is mandatory if the event handler is in synchronous mode eventFilterrequired: [?($.closedLoopControlName == 'example_controlloop_name' && $.action == 'example_action')]false default: "" requestor_mode: type: bool customSerializer: org.onap.policy.controlloop.utils.serializer,gson |
3. PAP Enhancements
PDP Engines must now register with PAP the new policy types for native policies they support in order for policies to be deployed by PAP to the PDP's. This will require an additional entry to be added into supported policy types list to indicate which native policy type each specific PDP engine can support.
3.1 Example of PDP Register
Only change needed is to add a new supported policy type to PDP status message when it registers itself with PAP. For XACML PDP, new policy type "onap.policies.controlloop.native.Xacml" should be added. Likewise, new policy type "onap.policies.controlloop.native.Drools" should be added when Drools PDP registers itself with PAP. For example
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
{
"pdpType": "xacml",
"state": "PASSIVE",
"healthy": "HEALTHY",
"supportedPolicyTypes": [
{
"name": "onap.Monitoring",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.cdap.tca.hi.lo.app",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.docker.sonhandler.app",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.FrequencyLimiter",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.MinMax",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.Blacklist",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.AffinityPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.DistancePolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.HpaPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.OptimizationPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.PciPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.QueryPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.SubscriberPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.Vim_fit",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.VnfPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.native.Xacml",
"version": "1.0.0"
}
],
"policies": [],
"messageName": "PDP_STATUS",
"requestId": "77f42778-f19a-47a6-a9a1-984cbb125d96",
"timestampMs": 1571244733313,
"name": "FLCDTL02JH7358"
} |
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
{
"pdpType": "drools",
"state": "PASSIVE",
"healthy": "HEALTHY",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.Operational",
"version": "1.0.0"
},
{
"name": "onap.policies.native.Drools",
"version": "1.0.0"
}
],
"policies": [],
"messageName": "PDP_STATUS",
"requestId": "8ae9fe00-8979-460f-83b2-92d7bd517c34",
"timestampMs": 1571244753326,
"name": "XGIQPQ96FL9182"
} |
3.2 Example PDP Group Deploy
...
description: Specifies the event handler is in requestor mode (send event and wait for response mode)
required: false
default: false
requestor_peer:
type: string
description: The peer event handler (output for input or input for output) of this event handler in requestor mode, this parameter is mandatory if the event handler is in requestor mode
required: false
default: ""
requestor_timeout:
type: int
description: The timeout in milliseconds for wait for responses to requests, this parameter is mandatory if the event handler is in requestor mode
required: false
default: ""
onap.datatypes.native.apex.CarrierTechnology:
derived_from: tosca.datatypes.Root
properties:
label:
type: string
description: The label (name) of the carrier technology (such as REST, Kafka, WebSocket)
required: true
plugin_parameter_class_name:
type: string
description: The class name of the class that overrides default handling of event input or output for this carrier technology, defaults to the supplied input or output class
required: false
onap.datatypes.native.apex.EventProtocol:
derived_from: tosca.datatypes.Root
properties:
label:
type: string
description: The label (name) of the event protocol (such as Yaml, JSON, XML, or POJO)
required: true
event_protocol_plugin_class:
type: string
description: The class name of the class that overrides default handling of the event protocol for this carrier technology, defaults to the supplied event protocol class
required: false
onap.datatypes.native.apex.Environmental:
derived_from: tosca.datatypes.Root
properties:
name:
type: string
description: The name of the environment variable
required: true
value:
type: string
description: The value of the environment variable
required: true
onap.datatypes.native.apex.engineservice.Engine:
derived_from: tosca.datatypes.Root
properties:
context:
type: onap.datatypes.native.apex.engineservice.engine.Context
description: The properties for handling context in APEX engines, defaults to using Java maps for context
required: false
executors:
type: map
description: The plugins for policy executors used in engines such as javascript, MVEL, Jython
required: true
entry_schema:
description: The plugin class path for this policy executor
type: string
onap.datatypes.native.apex.engineservice.engine.Context:
derived_from: tosca.datatypes.Root
properties:
distributor:
type: onap.datatypes.native.apex.Plugin
description: The plugin to be used for distributing context between APEX PDPs at runtime
required: false
schemas:
type: map
description: The plugins for context schemas available in APEX PDPs such as Java and Avro
required: false
entry_schema:
type: onap.datatypes.native.apex.Plugin
locking:
type: onap.datatypes.native.apex.plugin
description: The plugin to be used for locking context in and between APEX PDPs at runtime
required: false
persistence:
type: onap.datatypes.native.apex.Plugin
description: The plugin to be used for persisting context for APEX PDPs at runtime
required: false
onap.datatypes.native.apex.Plugin:
derived_from: tosca.datatypes.Root
properties:
name:
type: string
description: The name of the executor such as Javascript, Jython or MVEL
required: true
plugin_class_name:
type: string
description: The class path of the plugin class for this executor |
NOTE: The native policy type is already loaded in policy framework during installation, hence a user can directly deploy native policies in respective pdp engines without a need to create policy type first.
3. PAP Enhancements
PDP Groups must be provisioned to support the new policy types for native policies in order for policies to be deployed by PAP to the PDP's. This will require an additional entry to be added into supported policy types list to indicate which native policy type each specific PDP Subgroup can support.
3.1 PDP Group & SubGroup
The native policy type should be added into supported policy types list to indicate which type of native policies each pdpSubGroup PDP SubGroup can support.
Below is one example to deploy a PDP groupof PDP Group with native policies support for xacml, drools & apex engines.
| Code Block | ||||||||
|---|---|---|---|---|---|---|---|---|
| ||||||||
{
"groups": [
{
"name": "defaultGroup",
"description": "The default group that registers all supported policy types and pdps.",
"pdpGroupState": "ACTIVE",
"properties": {},
"pdpSubgroups": [
{
"pdpType": "apex",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.operational.Apex",
"version": "1.0.0"
},
{
"name": "onap.policies.native.Apex",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 0,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "apex_35",
"pdpState": "ACTIVE",
"healthy": "HEALTHY",
"message": "Pdp Heartbeat"
}
]
},
{
"pdpType": "drools",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.Operational",
"version": "1.0.0"
},
{
"name": "onap.policies.native.Drools",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 0,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "dev-policy-drools-0",
"pdpState": "ACTIVE",
"healthy": "HEALTHY"
}
]
},
{
"pdpType": "xacml",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.guard.FrequencyLimiter",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.MinMax",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.Blacklist",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond",
"version": "1.0.0"
},
{
"name": "onap.Monitoring",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.cdap.tca.hi.lo.app",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.docker.sonhandler.app",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.AffinityPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.DistancePolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.HpaPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.OptimizationPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.PciPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.QueryPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.SubscriberPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.Vim_fit",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.VnfPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.native.Xacml",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 1,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "dev-policy-policy-xacml-pdp-558c478477-g85jl",
"pdpState": "ACTIVE",
"healthy": "HEALTHY"
}
]
}
]
}
]
} |
3.
...
2 Deploy/Undeploy API
No change is envisioned on current deploy/undeploy API. Still, only policy-id and version are needed to tell PAP to deploy/undeploy a native policy.
...
This scenario is the most complicated one. For new use case, XACML policy author might need to use both existing types of XACML policies, e.g. guard, together with newly composed native XACML XML policies, e.g. custom access control rules. Perhaps we need to build another new XACML application for this combination. More details need to be figured out, e.g. do we need a new TOSCA policy type for this combination? how to combine the low level XACML XML policies together? what is the combining algorithm we should use? etc. etc.
4.3 Apex PDP
Apex PDP will need to be able to ingest custom Apex JSON policies. TBC with that team - may already be well-supportedalready supports the native policies created using the policy type defined in section 2.3.1 above.
5. Sequence flows for native policy design, deployment and enforcement
...