Update PAP to only check for deployed policies
Jira: POLICY-3263: Update PAP to only check for deployed policies (Closed)
Related Jiras: POLICY-2112: Support policy updates between PAP and the PDPs (Closed); POLICY-3170: Support delta policies in Apex (Closed); POLICY-3187: Support delta policies in Drools (Closed); POLICY-3188: Support delta policies in XACML (Closed)
Background: Support Policy Updates between PAP and the PDPs
Description: As part of the work in POLICY-2112, it was decided that PAP would be enhanced to send two additional lists of delta policies (policiesToBeDeployed & policiesToBeUndeployed) to the PDPs. Sending these lists of delta policies eliminates the need for the PDPs to filter through a full list of policies sent from PAP in order to determine which policies need to be deployed or undeployed. The PAP component now does this work for the PDPs. This means that the PDPs need to be modified to handle these delta policy lists, removing the need to filter through the entire list.
As part of the work for POLICY-3170, it was decided that APEX-PDP would send back just the policies to be deployed in the response message. This would mean a slight change in PAP to check that the policies in this deployed list are included in the full list of policies.
Current approach: APEX-PDP sends policies to be deployed in the response message to PAP. PAP has yet to be modified to check these policies are in the full list of policies.
Drools-PDP sends back a full list of policies as per the old approach.
XACML-PDP has yet to be modified to handle the delta policies.
Maybe we can add some proposed solutions to this below.
Proposed solutions:
Solution # | Description |
---|---|
1 | Add an additional check in PAP that the delta policies are a subset of the full list of policies. In UpdateReq.checkResponse(PdpStatus response), the actualSet of policies is compared to the expectedSet of policies. This compares the full list of policies sent back in the response against the full list of policies in the PDP_UPDATE message. To accommodate APEX-PDP sending back only the deployed list of policies, the proposal is to check whether the deployed policies are a subset of the full list of policies, changing "if (!actualSet.equals(expectedSet))" to "if (!actualSet.containsAll(deployedListOfPoliciesInResponseMessage) || !actualSet.equals(expectedSet))". This will satisfy both Drools and APEX: the full list sent back from Drools will be checked as before, and the deployedPolicies from APEX will be checked to see if they are a subset. ISSUE: actualSet.containsAll(emptySet) will always return true, as an empty set is always a subset of another set. Therefore, if the deployedPolicies list is null, this condition will pass and will result in unexpected behavior. To overcome this, additional null checks will need to be added to the existing check(s). |
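
The ISSUE noted for solution 1, shown as an added example (not code from PAP or from this page): a subset test alone accepts an empty report, so the guarded variant rejects a missing or unexpectedly empty deployed list before testing the subset. The class, method and parameter names and the policy identifiers are hypothetical, and comparing against the policiesToBeDeployed list sent by PAP is an assumption about how the guard would be wired in.

```java
import java.util.Collection;
import java.util.Optional;
import java.util.Set;

public class DeltaPolicyCheck {

    // The subset test on its own: an empty reported list is a subset of anything.
    static boolean naiveCheck(Set<String> fullList, Collection<String> deployedInResponse) {
        return fullList.containsAll(deployedInResponse);
    }

    // Guarded variant: returns a failure reason, or empty when the response is acceptable.
    static Optional<String> guardedCheck(Set<String> fullList, Set<String> toBeDeployed,
                                         Collection<String> deployedInResponse) {
        if (deployedInResponse == null) {
            return Optional.of("response has no deployed-policy list");
        }
        if (deployedInResponse.isEmpty() && !toBeDeployed.isEmpty()) {
            return Optional.of("PDP reported nothing deployed, " + toBeDeployed.size() + " requested");
        }
        if (!fullList.containsAll(deployedInResponse)) {
            return Optional.of("PDP reported policies that are not in the full list");
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample data, not real policy identifiers.
        Set<String> fullList = Set.of("example.policy.a:1.0.0", "example.policy.b:1.0.0");
        Set<String> toBeDeployed = Set.of("example.policy.b:1.0.0");

        System.out.println("naive, empty response:   " + naiveCheck(fullList, Set.of()));
        System.out.println("guarded, null response:  " + guardedCheck(fullList, toBeDeployed, null));
        System.out.println("guarded, empty response: " + guardedCheck(fullList, toBeDeployed, Set.of()));
        System.out.println("guarded, unknown policy: "
                + guardedCheck(fullList, toBeDeployed, Set.of("example.policy.x:1.0.0")));
        System.out.println("guarded, matching delta: "
                + guardedCheck(fullList, toBeDeployed, Set.of("example.policy.b:1.0.0")));
    }
}
```

An empty response is still accepted when nothing was requested for deployment, which keeps undeploy-only updates from being flagged.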