Support Dynamic Policy Update

Users shall be able to deploy a policy via PAP at run time. Because only native policies are currently supported for OPA, the design proposal is to encode the Rego file content in Base64 and supply it in the policy field.

For example, consider a sample Rego file with the following contents:

package cellconsistency
default allow = false

# Rule to check cell consistency
check_cell_consistency {
    input.cell != data.cellconsistency.allowedCellId
}
# Rule to allow if PCI is within range 1-3000
allow_if_pci_in_range {
    input.PCI >= data.cellconsistency.minPCI
    input.PCI <= data.cellconsistency.maxPCI
}
# Main rule to determine the final decision
allow {
    check_cell_consistency
    allow_if_pci_in_range
}

data.json

{
  "allowedCellId": 445611193265040129,
  "minPCI": 1,
  "maxPCI": 3000
}

In the TOSCA template, the Rego contents are Base64-encoded and added to the policy field:

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
        - native.cellconsistency.opa:
              type: onap.policies.native.opa
              type_version: 1.0.0
              properties:
                  policy: cGFja2FnZSBjZWxsY29uc2lzdGVuY3kKZGVmYXVsdCBhbGxvdyA9IGZhbHNlCiMgUnVsZSB0byBjaGVjayBjZWxsIGNvbnNpc3RlbmN5CmNoZWNrX2NlbGxfY29uc2lzdGVuY3kgewogICAgaW5wdXQuY2VsbCAhPSBkYXRhLmNlbGxjb25zaXN0ZW5jeS5hbGxvd2VkQ2VsbElkCn0KIyBSdWxlIHRvIGFsbG93IGlmIFBDSSBpcyB3aXRoaW4gcmFuZ2UgMS0zMDAwCmFsbG93X2lmX3BjaV9pbl9yYW5nZSB7CiAgICBpbnB1dC5QQ0kgPj0gZGF0YS5jZWxsY29uc2lzdGVuY3kubWluUENJCiAgICBpbnB1dC5QQ0kgPD0gZGF0YS5jZWxsY29uc2lzdGVuY3kubWF4UENJCn0KIyBNYWluIHJ1bGUgdG8gZGV0ZXJtaW5lIHRoZSBmaW5hbCBkZWNpc2lvbgphbGxvdyB7CiAgICBjaGVja19jZWxsX2NvbnNpc3RlbmN5CiAgICBhbGxvd19pZl9wY2lfaW5fcmFuZ2UKfQo=
              name: native.cellconsistency.opa
              version: 1.0.0
              metadata:
                  policy-id: native.cellconsistency.opa
                  policy-version: 1.0.0

After receiving the message on Kafka, the OPA PDP parses the message, extracts the policy, Base64-decodes it and deploys it to OPA. The OPA PDP then sends a PDP_STATUS message with the status of the policy deployment.

Policy Deployment - In Memory Mode

Policy Deployment - Bundle Mode

Option 2: Packing both static data and policy in the same message

Create a new policy type that also includes a data field

tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
  onap.policies.Native:
    derived_from: tosca.policies.Root
    description: a base policy type for all native PDP policies
    version: 1.0.0
    name: onap.policies.Native
  onap.policies.native.opa:
    derived_from: onap.policies.Native
    version: 1.0.0
    name: onap.policies.native.opa
    description: a policy type for native opa policies
    properties:
      data: 
        type: string 
        type_version: 0.0.0
        description: Data for corresponding Rego policy
        required: false
        metadata:
          encoding: Base64
      policy:
        type: list 
        type_version: 0.0.0
        description: The Rego PolicySet or Policy
        required: true
        metadata:
          encoding: Base64

Create the policy TOSCA definition for OPA

Tosca Definition for OPA

tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
        - native.cellconsistency.opa:
              type: onap.policies.native.opa
              type_version: 1.0.0
              properties:
                  policy: cGFja2FnZSBjZWxsY29uc2lzdGVuY3kKCmltcG9ydCByZWdvLnYxCmRlZmF1bHQgYWxsb3cgPSBmYWxzZQojIFJ1bGUgdG8gY2hlY2sgY2VsbCBjb25zaXN0ZW5jeQpjaGVja19jZWxsX2NvbnNpc3RlbmN5IGlmIHsKICAgIGlucHV0LmNlbGwgPT0gZGF0YS5jZWxsY29uc2lzdGVuY3kuYWxsb3dlZENlbGxJZAp9CiMgUnVsZSB0byBhbGxvdyBpZiBQQ0kgaXMgd2l0aGluIHJhbmdlIDEtMzAwMAphbGxvd19pZl9wY2lfaW5fcmFuZ2UgaWYgewogICAgaW5wdXQuUENJID49IGRhdGEuY2VsbGNvbnNpc3RlbmN5Lm1pblBDSQogICAgaW5wdXQuUENJIDw9IGRhdGEuY2VsbGNvbnNpc3RlbmN5Lm1heFBDSQp9CiMgTWFpbiBydWxlIHRvIGRldGVybWluZSB0aGUgZmluYWwgZGVjaXNpb24KYWxsb3cgaWYgewogICBjaGVja19jZWxsX2NvbnNpc3RlbmN5CiAgIGFsbG93X2lmX3BjaV9pbl9yYW5nZQp9
                  data: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0K
              name: native.cellconsistency.opa
              version: 1.0.0
              metadata:
                  policy-id: native.cellconsistency.opa
                  policy-version: 1.0.0
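
As an added example (not code from the ONAP project), the decode step described above can be paired with validation before anything is deployed to OPA: strict Base64, a size bound, a lightweight package check, and a flag for integers such as allowedCellId that a float64-based JSON decoder cannot hold exactly. It assumes the TOSCA properties are already parsed into a dict; the function names, the size limit and the expected-package argument are assumptions.

```python
import base64
import json
import re

MAX_B64_CHARS = 256 * 1024      # assumed upper bound on an encoded field
FLOAT64_EXACT_INT = 2 ** 53     # integers above this are inexact as float64
PACKAGE_RE = re.compile(r"^package\s+([\w.]+)\s*$", re.MULTILINE)

# Constructed sample mirroring the page's Rego and data.json (not captured traffic).
SAMPLE = {"policy": base64.b64encode(b"package cellconsistency\ndefault allow = false\n").decode(),
          "data": base64.b64encode(b'{"allowedCellId": 445611193265040129, "minPCI": 1}').decode()}


def decode_field(name, value):
    """Strictly Base64-decode one property and return it as UTF-8 text."""
    try:
        if len(value) > MAX_B64_CHARS:
            raise ValueError("encoded value exceeds size limit")
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (TypeError, ValueError) as exc:   # wrong type, bad alphabet/padding, bad UTF-8
        raise ValueError(f"{name}: {exc}") from None


def large_int_paths(node, path="$"):
    """Yield JSON paths of integers that a float64 cannot represent exactly."""
    if isinstance(node, dict):
        for key, val in node.items():
            yield from large_int_paths(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from large_int_paths(val, f"{path}[{i}]")
    elif isinstance(node, int) and not isinstance(node, bool) and abs(node) > FLOAT64_EXACT_INT:
        yield path


def decode_native_opa(properties, expected_package):
    """Return (rego_text, data, warnings) for one policy, or raise ValueError."""
    rego = decode_field("policy", properties.get("policy"))
    match = PACKAGE_RE.search(rego)          # regex check only, not a Rego parse
    if not match or match.group(1) != expected_package:
        raise ValueError("policy: package does not match expected name")
    data = {}
    if properties.get("data") is not None:
        data = json.loads(decode_field("data", properties["data"]))
        if not isinstance(data, dict):
            raise ValueError("data: top-level JSON value must be an object")
    return rego, data, [f"{p}: integer above 2**53" for p in large_int_paths(data)]
```

A rejected field raises ValueError with the property name, which maps naturally onto a failed deployment status in the PDP_STATUS message.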