Overview
In essence, a native policy is a custom policy/rule implementation for a specific PDP engine such as: drools DRL rules, xacml XML policies or apex JSON policies.
Taking drools rules as one example, current usecases.drl used in PDP-D is a default DRL implementation for Control Loop operational policies. It is both a TOSCA Policy Type implementation and a native drools rule implementation since it is a set of rules that directly run in the PDP-D supporting the TOSCA onap.policies.Operational Policy Type. However, some policy authors might prefer to compose their own drools rules for certain features which are partially supported by the usecases.drl such as: changing the treatment of incoming event messages, adding custom timeout logic, or adding extra processing logic. Current policy framework does not provide an interface for such policy authors to bring in their own native rules. Hence, we need to come up with a solution in Frankfurt to bridge the gap.
Taking XACML as another example, some policy authors may want to add customized guard, coordination, etc. XACML policies in which using a TOSCA Policy Type abstraction does not make sense or simply isn't required.
1. Native Rule Development Guidelines
1.1 Drools Native Rules
1.1.1 DRL development
DRL development refers to the composition of drl file which contains one or more drools rules written in drools language. These drools rules work together to fulfill policy decision making logic required by new custom application.
Policy author should develop drl rules in IDE of choice, e.g. Eclipse/IntelliJ as well as necessary junit tests to ensure it can compile and make expected decisions.
After drl rule development, policy author should submit composed rules for git review then deploy the new jar containing new drl rules to the existing nexus repos that hold the released artifacts currently supported by the runtime PDP-D engines.
1.1.2 Dependency JAR development
Dependency JAR development refers to the development of supportive java classes that will be used in drl rules. These dependency java classes could be the java models for I/O events and functional elements like eNodeB which may include necessary attributes of that element and operational functions/methods provided by that element, e.g. reboot. It could also be any other java class which has methods for processing input events and producing policy reactions, e.g. eventManager, operationManager. The drl rules will import these classes and use them in either condition or action part.
Dependency JAR developer should use development best practices/governance to test/deploy new and/or updated java artifacts to the nexus repo for drools PDP-D. These new java development should go through git review process and include necessary junit tests to make sure they will behave correctly as expected.
1.2 XACML XML
XACML Policy Designers can use a text or XML editor of their choice to design and test their XACML Policies. The Github:att/XACML project has tools and a GUI available for creating policies and testing those policies.
1.3 APEX JSON
APEX policy development includes three parts - develop the state machine transition using APEX language (i.e. .apex file), develop I/O event schema to each state (i.e. .avro files) and develop processing logic in each state/task (i.e. javascript files). APEX policy developer should follow best practices to develop APEX policies and submit for git review once they are done. Then APEX command line tool can be used to generate the executable JSON for PDP-A.
TBC with Apex team
2. Policy Lifecycle API CRUD Enhancements
Native policies can be supported by TOSCA policy type and policy. As for native Drools policy, since native DRL is packaged in JAR which has been deployed to nexus repo along with other dependency JARs, TOSCA policy for native DRL only needs to include the pointer for native JAR as well as necessary information being used by Drools PDP to instantiate a new controller instance with native DRL loaded into memory. Corresponding policy type should be defined and pre-loaded into policy framework so that TOSCA policy for native policy type can then be created off. As for native XACML policy, its contents are basically encoded in XML which is all XACML PDP needs to load into engine and run. Thus, TOSCA policy for native XACML only needs to include this XML content. An URL-encoded string can be created off composed XACML XML and is populated to a string property.
2.1 Native Drools Policy Support
Below is the policy types defined to support native Drools policies.
tosca_definitions_version: tosca_simple_yaml_1_0_0
policy_types:
onap.policies.controlloop.native.Drools:
derived_from: tosca.policies.Root
description: a policy type for native drools
version: 1.0.0
properties:
rule_artifact:
type: onap.datatypes.controlloop.native.rule_artifact
required: true
description: specifies rule artifact pointer
drools_controller:
type: onap.datatypes.controlloop.native.drools_controller
required: true
description: specifies information for drools controller instantiation
data_types:
onap.datatypes.controlloop.native.rule_artifact:
derived_from: tosca.datatypes.Root
properties:
groupId:
type: string
required: true
artifactId:
type: string
required: true
version:
type: string
required: true
onap.datatypes.controlloop.native.drools_controller:
derived_from: tosca.datatypes.Root
properties:
controllerName:
type: string
required: true
sourceTopics:
type: list
required: true
entry_schema:
type: onap.datatypes.controlloop.native.dmaap_config
sinkTopics:
type: list
required: true
entry_schema:
type: onap.datatypes.controlloop.native.dmaap_config
onap.datatypes.controlloop.native.dmaap_config:
derived_from: tosca.datatypes.Root
properties:
topicName:
type: string
required: true
dmaapServer:
type: string
required: false # default if not present
serialization:
type: list
required: true
entry_schema:
type: onap.datatypes.controlloop.native.dmaap.serialization
onap.datatypes.controlloop.native.dmaap.serialization:
derived_from: tosca.datatypes.Root
properties:
eventCanonicalName:
type: string
required: true
eventFilter:
type: string
required: false
customSerializer:
type: string
required: false
2.2 Native XACML Policy Support
Below is the policy types defined to support native XACML policies.
tosca_definitions_version: tosca_simple_yaml_1_0_0
policy_types:
onap.policies.controlloop.native.Xacml:
derived_from: tosca.policies.Root
description: a policy type for native xacml
version: 1.0.0
properties:
policy:
type: String
required: true
description: The XML XACML 3.0 PolicySet or Policy
Below is an example of TOSCA policy for native XACML rules
tosca_definitions_version: tosca_simple_yaml_1_0_0
topology_template:
policies:
-
usecase_foo_xacml_policy:
policy: "%3CPolicy+xmlns%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Acore%3Aschema%3Awd-17%22+PolicyId%3D%22Test.policy%22+Version%3D%221%22+RuleCombiningAlgId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Arule-combining-algorithm%3Afirst-applicable%22%3E%0D%0A++++%3CTarget%2F%3E%0D%0A++++%3CRule+RuleId%3D%22Test.policy%3Arule%22+Effect%3D%22Permit%22%3E%0D%0A++++++++%3CDescription%3EDefault+is+to+PERMIT+if+the+policy+matches.%3C%2FDescription%3E%0D%0A++++++++%3CTarget%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3EI+should+be+matched%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Ainteger-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22%3E1000%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatachableInteger%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Adouble-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23double%22%3E1.1%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableDouble%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23double%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Aboolean-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23boolean%22%3Etrue%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatachableBoolean%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23boolean%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Ematch+A%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableListString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Ematch+B%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Amatchable%3AmatchableListString%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++%3C%2FTarget%3E%0D%0A++++++++%3CCondition%3E%0D%0A++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Aor%22%3E%0D%0A++++++++++++++++%3CDescription%3EIF+exists+and+is+equal%3C%2FDescription%3E%0D%0A++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Ainteger-equal%22%3E%0D%0A++++++++++++++++++++%3CDescription%3EDoes+the+policy-type+attribute+exist%3F%3C%2FDescription%3E%0D%0A++++++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-bag-size%22%3E%0D%0A++++++++++++++++++++++++%3CDescription%3EGet+the+size+of+policy-type+attributes%3C%2FDescription%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23integer%22%3E0%3C%2FAttributeValue%3E%0D%0A++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++++++%3CApply+FunctionId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-is-in%22%3E%0D%0A++++++++++++++++++++%3CDescription%3EIs+this+policy-type+in+the+list%3F%3C%2FDescription%3E%0D%0A++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Eonap.policies.Test%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++%3C%2FApply%3E%0D%0A++++++++++++%3C%2FApply%3E%0D%0A++++++++%3C%2FCondition%3E%0D%0A++++%3C%2FRule%3E%0D%0A++++%3CRule+RuleId%3D%22Test.policy%3Arule%3Apolicy-type%22+Effect%3D%22Permit%22%3E%0D%0A++++++++%3CDescription%3EMatch+on+policy-type+onap.policies.Test%3C%2FDescription%3E%0D%0A++++++++%3CTarget%3E%0D%0A++++++++++++%3CAnyOf%3E%0D%0A++++++++++++++++%3CAllOf%3E%0D%0A++++++++++++++++++++%3CMatch+MatchId%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A1.0%3Afunction%3Astring-equal%22%3E%0D%0A++++++++++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3Eonap.policies.Test%3C%2FAttributeValue%3E%0D%0A++++++++++++++++++++++++%3CAttributeDesignator+Category%3D%22urn%3Aoasis%3Anames%3Atc%3Axacml%3A3.0%3Aattribute-category%3Aresource%22+AttributeId%3D%22urn%3Aorg%3Aonap%3Apolicy-type%22+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22+MustBePresent%3D%22false%22%2F%3E%0D%0A++++++++++++++++++++%3C%2FMatch%3E%0D%0A++++++++++++++++%3C%2FAllOf%3E%0D%0A++++++++++++%3C%2FAnyOf%3E%0D%0A++++++++%3C%2FTarget%3E%0D%0A++++%3C%2FRule%3E%0D%0A++++%3CObligationExpressions%3E%0D%0A++++++++%3CObligationExpression+ObligationId%3D%22urn%3Aorg%3Aonap%3Arest%3Abody%22+FulfillOn%3D%22Permit%22%3E%0D%0A++++++++++++%3CAttributeAssignmentExpression+AttributeId%3D%22urn%3Aorg%3Aonap%3A%3Aobligation%3Amonitoring%3Acontents%22%3E%0D%0A++++++++++++++++%3CAttributeValue+DataType%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema%23string%22%3E%7B%22type%22%3A%22onap.policies.Test%22%2C%22type_version%22%3A%221.0.0%22%2C%22properties%22%3A%7B%22nonmatachableString%22%3A%22I+am+NON+matchable%22%2C%22matchableString%22%3A%22I+should+be+matched%22%2C%22nonmatachableInteger%22%3A0%2C%22matachableInteger%22%3A1000%2C%22nonmatachableDouble%22%3A0%2C%22matchableDouble%22%3A1.1%2C%22nonmatachableBoolean%22%3Afalse%2C%22matachableBoolean%22%3Atrue%2C%22matchableListString%22%3A%5B%22match+A%22%2C%22match+B%22%5D%7D%2C%22name%22%3A%22Test.policy%22%2C%22version%22%3A%221.0.0%22%2C%22metadata%22%3A%7B%22policy-id%22%3A%22Test.policy%22%2C%22policy-version%22%3A%221%22%7D%7D%3C%2FAttributeValue%3E%0D%0A++++++++++++%3C%2FAttributeAssignmentExpression%3E%0D%0A++++++++%3C%2FObligationExpression%3E%0D%0A++++%3C%2FObligationExpressions%3E%0D%0A%3C%2FPolicy%3E%0D%0A"
The native XACML rules for above TOSCA policy is:
<Policy
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="Test.policy" Version="1" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">
<Target/>
<Rule RuleId="Test.policy:rule" Effect="Permit">
<Description>Default is to PERMIT if the policy matches.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">I should be matched</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">1000</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matachableInteger" DataType="http://www.w3.org/2001/XMLSchema#integer" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:double-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#double">1.1</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableDouble" DataType="http://www.w3.org/2001/XMLSchema#double" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:boolean-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#boolean">true</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matachableBoolean" DataType="http://www.w3.org/2001/XMLSchema#boolean" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match A</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableListString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">match B</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:matchable:matchableListString" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Description>IF exists and is equal</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:integer-equal">
<Description>Does the policy-type attribute exist?</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag-size">
<Description>Get the size of policy-type attributes</Description>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Apply>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#integer">0</AttributeValue>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<Description>Is this policy-type in the list?</Description>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule RuleId="Test.policy:rule:policy-type" Effect="Permit">
<Description>Match on policy-type onap.policies.Test</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">onap.policies.Test</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" AttributeId="urn:org:onap:policy-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
</Match>
</AllOf>
</AnyOf>
</Target>
</Rule>
<ObligationExpressions>
<ObligationExpression ObligationId="urn:org:onap:rest:body" FulfillOn="Permit">
<AttributeAssignmentExpression AttributeId="urn:org:onap::obligation:monitoring:contents">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">{"type":"onap.policies.Test","type_version":"1.0.0","properties":{"nonmatachableString":"I am NON matchable","matchableString":"I should be matched","nonmatachableInteger":0,"matachableInteger":1000,"nonmatachableDouble":0,"matchableDouble":1.1,"nonmatachableBoolean":false,"matachableBoolean":true,"matchableListString":["match A","match B"]},"name":"Test.policy","version":"1.0.0","metadata":{"policy-id":"Test.policy","policy-version":"1"}}</AttributeValue>
</AttributeAssignmentExpression>
</ObligationExpression>
</ObligationExpressions>
</Policy>
Note that DELETE call should remove TOSCA policy from DB as well as corresponding JAR from nexus
Pamela DragoshJorge Hernandez Question: checking existence of pointed JAR in nexus should happen in API each time new policy is created/updated, or in PAP when this policy gets deployed, or in PDP only???
Question: do we need to return native policy contents, i.e. DRL or XACML XML when GET call is invoked? If not, what if end user wants to view native policy rules???
3. PAP Enhancements
PDP Engines must now register with PAP the new policy types for native policies they support in order for policies to be deployed by PAP to the PDP's. This will require an additional entry to be added into supported policy types list to indicate which native policy type each specific PDP engine can support.
3.1 Example of PDP Register
Only change needed is to add a new supported policy type to PDP status message when it registers itself with PAP. For XACML PDP, new policy type "onap.policies.controlloop.native.Xacml" should be added. Likewise, new policy type "onap.policies.controlloop.native.Drools" should be added when Drools PDP registers itself with PAP. For example
{
"pdpType": "xacml",
"state": "PASSIVE",
"healthy": "HEALTHY",
"supportedPolicyTypes": [
{
"name": "onap.Monitoring",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.cdap.tca.hi.lo.app",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.docker.sonhandler.app",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.FrequencyLimiter",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.MinMax",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.Blacklist",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.AffinityPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.DistancePolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.HpaPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.OptimizationPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.PciPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.QueryPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.SubscriberPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.Vim_fit",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.VnfPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.native.Xacml",
"version": "1.0.0"
}
],
"policies": [],
"messageName": "PDP_STATUS",
"requestId": "77f42778-f19a-47a6-a9a1-984cbb125d96",
"timestampMs": 1571244733313,
"name": "FLCDTL02JH7358"
}
{
"pdpType": "drools",
"state": "PASSIVE",
"healthy": "HEALTHY",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.Operational",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.native.Drools",
"version": "1.0.0"
}
],
"policies": [],
"messageName": "PDP_STATUS",
"requestId": "8ae9fe00-8979-460f-83b2-92d7bd517c34",
"timestampMs": 1571244753326,
"name": "XGIQPQ96FL9182"
}
3.2 Example PDP Group Deploy
Like PDP registration message, the same native policy type should be added into supported policy types list to indicate which type of native policies each pdpSubGroup can support.
Below is one example to deploy a PDP group.
{
"groups": [
{
"name": "defaultGroup",
"description": "The default group that registers all supported policy types and pdps.",
"pdpGroupState": "ACTIVE",
"properties": {},
"pdpSubgroups": [
{
"pdpType": "apex",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.operational.Apex",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.native.Apex",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 0,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "apex_35",
"pdpState": "ACTIVE",
"healthy": "HEALTHY",
"message": "Pdp Heartbeat"
}
]
},
{
"pdpType": "drools",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.Operational",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.native.Drools",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 0,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "dev-policy-drools-0",
"pdpState": "ACTIVE",
"healthy": "HEALTHY"
}
]
},
{
"pdpType": "xacml",
"supportedPolicyTypes": [
{
"name": "onap.policies.controlloop.guard.FrequencyLimiter",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.MinMax",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.Blacklist",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.guard.coordination.FirstBlocksSecond",
"version": "1.0.0"
},
{
"name": "onap.Monitoring",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.cdap.tca.hi.lo.app",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server",
"version": "1.0.0"
},
{
"name": "onap.policies.monitoring.docker.sonhandler.app",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.AffinityPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.DistancePolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.HpaPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.OptimizationPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.PciPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.QueryPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.SubscriberPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.Vim_fit",
"version": "1.0.0"
},
{
"name": "onap.policies.optimization.VnfPolicy",
"version": "1.0.0"
},
{
"name": "onap.policies.controlloop.native.Xacml",
"version": "1.0.0"
}
],
"policies": [],
"currentInstanceCount": 1,
"desiredInstanceCount": 1,
"properties": {},
"pdpInstances": [
{
"instanceId": "dev-policy-policy-xacml-pdp-558c478477-g85jl",
"pdpState": "ACTIVE",
"healthy": "HEALTHY"
}
]
}
]
}
]
}
3.3 Deploy/Undeploy API
No change is envisioned on current deploy/undeploy API. Still, only policy-id and version are needed to tell PAP to deploy/undeploy a native policy.
4. PDP Changes
Each PDP will need to be able to support native policies being deploy/undeployed to it as done today.
4.1 Drools PDP
Drools PDP will need to parse the information encoded in TOSCA policy with native Drools JAR pointer and Drools controller configuration which is deployed from PAP. It will then go to the nexus to pull the native Drools JAR and corresonding dependencies. A new Drools controller instance should be instantiated using the configuration included in the deployed TOSCA policy. The new Drools controller should be able to load the native DRL and corresponding supportive facts into Drools memory to execute native DRL.
On the other hand, when Drools PDP receives a request to undeploy a native policy, it should be able to disable corresponding Drools controller and clean up the related facts from the memory.
4.2 XACML PDP
XACML PDP will need to be able to ingest a XACML XML Policy directly. One suggestion is to create an application specifically for the XACML natives rules by default. The opportunity exists where a policy designer could create a specific application that supports native XACML policies (with or without TOSCA Policy Types as an option) and uses the grouping of PDPs to differentiate itself from the default XACML native rule application. The XACML PDP should also be enhanced to support configuring of applications in order to provide flexibility to the policy designers as to where all of its possible policy types are deployed.
With regards to the Decision API supported by XACML, that api can be enhanced to support XACML XML requests/responses directly.
Some scenarios are listed as below:
Scenario #1: Use pre-defined XACML policies only (i.e. Guard, Coordination, Optimization, Monitoring)
This scenario is already supported today through some pre-build XACML applications which support Guard, Coordination(W.I.P), Optimization and Monitoring. We provide TOSCA Policy Types for such types of XACML policies. XACML author can use lifecyle APIs to CRUD corresponding TOSCA policies which will then be deployed to XACML PDP. XACML PDP will be able to translate these TOSCA policies into low level native XACML XML policies and then enforce them.
Scenario #2: Use native XACML policies only
This scenario requires a new XACML application to be built which particularly handles native XACML policies only.
Scenario #3: Use pre-defined XACML policies and native XACML policies together
This scenario is the most complicated one. For new use case, XACML policy author might need to use both existing types of XACML policies, e.g. guard, together with newly composed native XACML XML policies, e.g. custom access control rules. Perhaps we need to build another new XACML application for this combination. More details need to be figured out, e.g. do we need a new TOSCA policy type for this combination? how to combine the low level XACML XML policies together? what is the combining algorithm we should use? etc. etc.
4.3 Apex PDP
Apex PDP will need to be able to ingest custom Apex JSON policies. TBC with that team - may already be well-supported.
5. Sequence flows for native policy design, deployment and enforcement
5.1 Drools native policies supported by the PDP-D engine
5.1.1 Create native DRL
5.1.2 Deploy native DRL
5.1.3 Undeploy native DRL
5.1.4 Delele native DRL
5.2 XACML native policies supported by the PDP-X engine
5.2.1 Getting XACML native policies into the Policy Framework via the Policy Lifecycle API CRUD
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IlBhbWVsYSBEcmFnb3NoIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IlBhbWVsYSBEcmFnb3NoIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjcxODM0MzY1IiwiZGlhZ3JhbU5hbWUiOiJGb28iLCJhc3BlY3QiOiIiLCJsaW5rcyI6ImF1dG8iLCJjZW9OYW1lIjoiUjYgRGlzY3Vzc2lvbiBvbiBBUEkgc3VwcG9ydCBmb3IgTmF0aXZlIFBvbGljeSBDUlVEIiwidGJzdHlsZSI6InRvcCIsImNhbkNvbW1lbnQiOmZhbHNlLCJkaWFncmFtVXJsIjoiIiwiY3N2RmlsZVVybCI6IiIsImJvcmRlciI6dHJ1ZSwibWF4U2NhbGUiOiIxIiwib3duaW5nUGFnZUlkIjo2ODUzOTA1MCwiZWRpdGFibGUiOmZhbHNlLCJjZW9JZCI6NzE4Mzc4MTksInBhZ2VJZCI6IiIsImxib3giOnRydWUsInNlcnZlckNvbmZpZyI6eyJlbWFpbHByZXZpZXciOiIxIn0sIm9kcml2ZUlkIjoiIiwicmV2aXNpb24iOjIsIm1hY3JvSWQiOiI2YTRhZDM5ZC05NTY3LTRhZjgtODg2Ny04OTgxZWNlN2Q0MGEiLCJwcmV2aWV3TmFtZSI6IkZvby5wbmciLCJsaWNlbnNlU3RhdHVzIjoiT0siLCJzZXJ2aWNlIjoiIiwiaXNUZW1wbGF0ZSI6IiIsIndpZHRoIjoiNjI5Iiwic2ltcGxlVmlld2VyIjpmYWxzZSwibGFzdE1vZGlmaWVkIjoxNTcyMDI2NTY4MDAwLCJleGNlZWRQYWdlV2lkdGgiOmZhbHNlLCJvQ2xpZW50SWQiOiIifQ==
5.2.2 Deploying/Undeploying XACML native policies using the Policy PAP API
5.2.3 Enforcement of XACML native policies done by the PDP-X engine using the Decision API
eyJleHRTcnZJbnRlZ1R5cGUiOiIiLCJnQ2xpZW50SWQiOiIiLCJjcmVhdG9yTmFtZSI6IlBhbWVsYSBEcmFnb3NoIiwib3V0cHV0VHlwZSI6ImJsb2NrIiwibGFzdE1vZGlmaWVyTmFtZSI6IlBhbWVsYSBEcmFnb3NoIiwibGFuZ3VhZ2UiOiJlbiIsImRpYWdyYW1EaXNwbGF5TmFtZSI6IiIsInNGaWxlSWQiOiIiLCJhdHRJZCI6IjcxODM0MzcwIiwiZGlhZ3JhbU5hbWUiOiJYQUNNTCBSZXF1ZXN0IERlY2lzaW9uIEFQSSIsImFzcGVjdCI6IiIsImxpbmtzIjoiYXV0byIsImNlb05hbWUiOiJSNiBEaXNjdXNzaW9uIG9uIEFQSSBzdXBwb3J0IGZvciBOYXRpdmUgUG9saWN5IENSVUQiLCJ0YnN0eWxlIjoidG9wIiwiY2FuQ29tbWVudCI6ZmFsc2UsImRpYWdyYW1VcmwiOiIiLCJjc3ZGaWxlVXJsIjoiIiwiYm9yZGVyIjp0cnVlLCJtYXhTY2FsZSI6IjEiLCJvd25pbmdQYWdlSWQiOjY4NTM5MDUwLCJlZGl0YWJsZSI6ZmFsc2UsImNlb0lkIjo3MTgzNzgxOSwicGFnZUlkIjoiIiwibGJveCI6dHJ1ZSwic2VydmVyQ29uZmlnIjp7ImVtYWlscHJldmlldyI6IjEifSwib2RyaXZlSWQiOiIiLCJyZXZpc2lvbiI6MiwibWFjcm9JZCI6IjljMmEwOTY2LTk4ZDMtNGUyNC1hYmY1LTRkMjEwMzcyYmViOSIsInByZXZpZXdOYW1lIjoiWEFDTUwgUmVxdWVzdCBEZWNpc2lvbiBBUEkucG5nIiwibGljZW5zZVN0YXR1cyI6Ik9LIiwic2VydmljZSI6IiIsImlzVGVtcGxhdGUiOiIiLCJ3aWR0aCI6IjYyOSIsInNpbXBsZVZpZXdlciI6ZmFsc2UsImxhc3RNb2RpZmllZCI6MTU3MjAyNzI2ODAwMCwiZXhjZWVkUGFnZVdpZHRoIjpmYWxzZSwib0NsaWVudElkIjoiIn0=
