Support Dynamic Policy Update
Users shall be able to deploy a policy via PAP at run time. Because only native policies are currently supported for OPA, the design proposal is to encode the Rego file content in Base64 and provide it in the policy field.
For example, consider a sample Rego file with the following contents:
    package cellconsistency

    default allow = false

    # Rule to check cell consistency
    check_cell_consistency {
        input.cell != data.cellconsistency.allowedCellId
    }

    # Rule to allow if PCI is within range 1-3000
    allow_if_pci_in_range {
        input.PCI >= data.cellconsistency.minPCI
        input.PCI <= data.cellconsistency.maxPCI
    }

    # Main rule to determine the final decision
    allow {
        check_cell_consistency
        allow_if_pci_in_range
    }
data.json
    {
      "allowedCellId": 445611193265040129,
      "minPCI": 1,
      "maxPCI": 3000
    }
In the TOSCA template, the Rego contents are Base64-encoded and added in the policy field:
    tosca_definitions_version: tosca_simple_yaml_1_1_0
    topology_template:
      policies:
        - native.cellconsistency.opa:
            type: onap.policies.native.opa
            type_version: 1.0.0
            properties:
              policy: 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
            name: native.cellconsistency.opa
            version: 1.0.0
            metadata:
              policy-id: native.cellconsistency.opa
              policy-version: 1.0.0
After receiving the message on Kafka, the OPA PDP parses the message, extracts the policy, Base64-decodes it and deploys the policy to OPA. The OPA PDP then sends a PDP_STATUS message with the status of the policy deployment.
Policy Deployment - In Memory Mode
Policy Deployment - Bundle Mode
Option 2: Packing both static data and policy in the same message.
Create a new policy type that also includes a data field:
    tosca_definitions_version: tosca_simple_yaml_1_1_0
    policy_types:
      onap.policies.Native:
        derived_from: tosca.policies.Root
        description: a base policy type for all native PDP policies
        version: 1.0.0
        name: onap.policies.Native
      onap.policies.native.opa:
        derived_from: onap.policies.Native
        version: 1.0.0
        name: onap.policies.native.opa
        description: a policy type for native opa policies
        properties:
          data:
            type: string
            type_version: 0.0.0
            description: Data for corresponding Rego policy
            required: false
            metadata:
              encoding: Base64
          policy:
            type: list
            type_version: 0.0.0
            description: The Rego PolicySet or Policy
            required: true
            metadata:
              encoding: Base64
Create the policy TOSCA definition for OPA:
Tosca Definition for OPA

    tosca_definitions_version: tosca_simple_yaml_1_1_0
    topology_template:
      policies:
        - native.cellconsistency.opa:
            type: onap.policies.native.opa
            type_version: 1.0.0
            properties:
              policy: 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
              data: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0K
            name: native.cellconsistency.opa
            version: 1.0.0
            metadata:
              policy-id: native.cellconsistency.opa
              policy-version: 1.0.0
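The decode step the PDP performs before deployment, sketched for an Option 2 message that carries both fields. This is an added example, not the project's code: `DecodePolicy`, the `maxB64` cap, the expected-package check and the shortened Rego sample are assumptions, while the `data` value is the one from the definition above. It decodes strictly, confirms the module declares the expected package, and keeps the large `allowedCellId` exact.

```go
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
)

const maxB64 = 1 << 20 // assumed per-field size cap; not a value from the page

var pkgLine = regexp.MustCompile(`(?m)^package\s+([A-Za-z_][\w.]*)\s*$`)

// DecodePolicy validates the Base64 policy and data properties before deployment.
func DecodePolicy(policyB64, dataB64, wantPkg string) (string, map[string]interface{}, error) {
	if len(policyB64) > maxB64 || len(dataB64) > maxB64 {
		return "", nil, fmt.Errorf("encoded field exceeds %d bytes", maxB64)
	}
	strict := base64.StdEncoding.Strict() // reject non-canonical encodings
	rego, err := strict.DecodeString(policyB64)
	if err != nil {
		return "", nil, fmt.Errorf("policy: %w", err)
	}
	raw, err := strict.DecodeString(dataB64)
	if err != nil {
		return "", nil, fmt.Errorf("data: %w", err)
	}
	if m := pkgLine.FindSubmatch(rego); m == nil || string(m[1]) != wantPkg {
		return "", nil, fmt.Errorf("policy does not declare package %q", wantPkg)
	}
	// UseNumber keeps 445611193265040129 exact; Go's default float64 decoding
	// would round it, because the value is larger than 2^53.
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber()
	var data map[string]interface{}
	if err := dec.Decode(&data); err != nil || data == nil {
		return "", nil, fmt.Errorf("data is not a JSON object: %v", err)
	}
	return string(rego), data, nil
}

func main() {
	// Constructed sample: a shortened Rego module, encoded here for the demo.
	p := base64.StdEncoding.EncodeToString([]byte("package cellconsistency\n\ndefault allow = false\n"))
	d := "eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0K"
	_, data, err := DecodePolicy(p, d, "cellconsistency")
	fmt.Println(data["allowedCellId"], err)
}
```

The package check is a sanity check on the decoded text, not a Rego parse; compilation errors still surface when the module is loaded into OPA.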