OPA PDP Phase 2
Support Dynamic Policy Updation
The user shall be able to deploy a policy via PAP at run time. As only native OPA policies are currently supported, the design proposal is to base64-encode the rego file content and provide it in the policy field.
For example, consider sample rego files and a data file with the following contents:
consistency.rego
package cell.consistency

default allow = false

# Rule to check cell consistency
check_cell_consistency {
    input.cell != data.cell.consistency.allowedCellId
}

# Rule to allow if PCI is within range 1-3000
allow_if_pci_in_range {
    input.PCI >= data.cellconsistency.minPCI
    input.PCI <= data.cellconsistency.maxPCI
}

# Main rule to determine the final decision
allow {
    check_cell_consistency
    allow_if_pci_in_range
}
------------------------------
topology.rego
package cell.consistency.topology

import rego.v1

# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.cellconsistency.allowedCellId
}

data.json
{
    "allowedCellId": 445611193265040129,
    "minPCI": 1,
    "maxPCI": 3000
}
In the TOSCA template, the base64-encoded rego contents are added under the policy field and the base64-encoded data.json contents under the data field:
Tosca Definition for OPA
tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
  policies:
    - native.cell.consistency.opa:
        type: onap.policies.native.opa
        type_version: 1.0.0
        properties:
          data:
            cell.consistency: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0=
          policy:
            cell.consistency: <base64-encoded contents of consistency.rego (omitted here)>
            cell.consistency.topology: cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiAKIyBSdWxlIHRvIGNoZWNrIGNlbGwgY29uc2lzdGVuY3kKY2hlY2tfY2VsbF9jb25zaXN0ZW5jeSBpZiB7CiAgICBpbnB1dC5jZWxsICE9IGRhdGEuY2VsbGNvbnNpc3RlbmN5LmFsbG93ZWRDZWxsSWQKfQ==
        name: native.cell.consistency.opa
        version: 1.0.0
        metadata:
          policy-id: cell.consistency
          policy-version: 1.0.0
After receiving the message on Kafka, OPA PDP will parse the message, extract the policy, base64-decode it and deploy the policy to OPA. OPA PDP will then send a PDP_STATUS message with the status of the policy deployment.
In the above case, OPA-PDP will create the following directory structure and store the policy and data files in it. Each "." in the policy key translates to a subdirectory in the OPA-PDP pod. This also ensures that each policy is referenced by its main rego file, which avoids collisions when the same library file is used by multiple main rego files.
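The decode-and-store step described above, as an added example in Go (not code from the ONAP OPA PDP project): it takes the data and policy maps from the TOSCA template, turns each dotted key into a subdirectory path, base64-decodes the value and writes it below a policy root. The file names (<path>.rego for policies, <path>/data.json for data) and the rejection of empty or separator-bearing key components are assumptions of this example.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Sample input copied from the TOSCA template above: one data entry and one policy entry.
var sampleData = map[string]string{"cell.consistency": "eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0="}
var samplePolicy = map[string]string{"cell.consistency.topology": "cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiAKIyBSdWxlIHRvIGNoZWNrIGNlbGwgY29uc2lzdGVuY3kKY2hlY2tfY2VsbF9jb25zaXN0ZW5jeSBpZiB7CiAgICBpbnB1dC5jZWxsICE9IGRhdGEuY2VsbGNvbnNpc3RlbmN5LmFsbG93ZWRDZWxsSWQKfQ=="}

// relPath maps a dotted key to a path below the policy root, each "." becoming a subdirectory
// ("cell.consistency.topology" + ".rego" -> cell/consistency/topology.rego); empty components
// and path separators are rejected (our assumption) so no key can address a file outside the root.
func relPath(key, suffix string) (string, error) {
	parts := strings.Split(key, ".")
	for _, p := range parts {
		if p == "" || strings.ContainsAny(p, `/\`) {
			return "", fmt.Errorf("invalid key component %q in %q", p, key)
		}
	}
	return filepath.Clean(filepath.Join(parts...) + suffix), nil
}

// materialize base64-decodes every value and writes it under root, returning the relative paths written.
func materialize(root string, entries map[string]string, suffix string) ([]string, error) {
	var written []string
	for key, b64 := range entries {
		rel, err := relPath(key, suffix)
		if err != nil {
			return nil, err
		}
		content, err := base64.StdEncoding.DecodeString(b64)
		if err != nil {
			return nil, fmt.Errorf("%s: bad base64: %w", key, err)
		}
		full := filepath.Join(root, rel)
		if err = os.MkdirAll(filepath.Dir(full), 0o750); err == nil {
			err = os.WriteFile(full, content, 0o640)
		}
		if err != nil {
			return nil, err
		}
		written = append(written, rel)
	}
	return written, nil
}
```

Calling materialize(root, samplePolicy, ".rego") and materialize(root, sampleData, "/data.json") yields cell/consistency/topology.rego and cell/consistency/data.json below root, holding the decoded rego and JSON text.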
Directory structure
Policy Deployment - In Memory Mode
Policy Deployment - Bundle Mode
Option 2: Packing both static data and policy in the same message.
Create a new policy type which also includes the data field.
Design Discussion