summaryrefslogtreecommitdiffstats
path: root/policyhandler/onap/audit.py
AgeCommit message (Collapse)AuthorFilesLines
2020-02-275.1.0 policy-handler - policy-updates from new PDP5.1.0Alex Shatov1-18/+33
DCAEGEN2-1851: - policy-handler now supports the policy-update notification from the new policy-engine thru DMaaP MR = no policy-filters - only policy-id values - see README for discoverable config settings of dmaap_mr client = DMaaP MR client has the same flexibility as policy_engine = set the query.timeout to high value like 15000 (default) - requests to DMaaP MR go through a single blocking connection - first catch-up only after draining the policy-updates from DMaaP MR on the first loop - safe parsing of messages from DMaaP MR - policy-engine changed the data type for policy-version field from int to string that is expected to have the semver value - related change to deployment-handler (DCAEGEN2-2085) has to be deployed to handle the non-numeric policyVersion - on new PDP API: http /policy_latest and policy-updates return the new data from the new PDP API with the following fields added/renamed by the policy-handler to keep other policy related parts intact in R4-R6 (see pdp_api/policy_utils.py) * policyName = policy_id + "." + policyVersion.replace(".","-") + ".xml" * policyVersion = str(metadata["policy-version"]) * "config" - is the renamed "properties" from the new PDP API response - enabled the /catch_up and the periodic auto-catch-up for the new PDP API - enabled GET /policies_latest - returns the latest policies for the deployed components - POST /policies_latest - still disabled since no support for the policy-filters is provided for the new PDP API - fixed hiding the Authorization value on comparing the configs - logging of secrets is now sha256 to see whether they changed - added X-ONAP-RequestID to headers the same way as X-ECOMP-RequestID - on policy-update process the removal first, then addition - changed the pool_connections=1 (number of pools) on PDP and DH sides == only a single destination is expected for each - log the exception as fatal into error.log - other minor fixes and refactoring - unit-test coverage 74% - integration testing is requested DCAEGEN2-1976: - policy-handler is enhanced to get user/password from env vars for PDP and DMaaP MR clients and overwriting the Authorization field in https headers received from the discoverable config = to override the Authorization value on policy_engine, set the environment vars $PDP_USER and $PDP_PWD in policy-handler container = to override the Authorization value on dmaap_mr, if using https and user-password authentication, set the environment vars $DMAAP_MR_USER and $DMAAP_MR_PWD in policy-handler container Change-Id: Iad8eab9e20e615a0e0d2822f4735dc64c50aa55c Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-1851 Issue-ID: DCAEGEN2-1976
2019-04-015.0.0 policy-handler - new PDP API or old PDP API4.0.0-ONAPdublinAlex Shatov1-16/+18
- in R4 Dublin the policy-engine introduced a totally new API - policy-handler now has a startup option to either use the new PDP API or the old PDP API that was created-updated before the end of 2018 - see README.md and README_pdp_api_v0.md for instructions on how to setup the policy-handler running either with the new PDP API or the old (pdp_api_v0) PDP API - this is a massive refactoring that changed almost all the source files, but kept the old logic when using the old (pdp_api_v0) PDP API - all the code related to PDP API version is split into two subfolders = pdp_api/ contains the new PDP API source code = pdp_api_v0/ contains the old (2018) PDP API source code = pdp_client.py imports from either pdp_api or pdp_api_v0 = the rest of the code is only affected when it needs to branch the logic - logging to policy_handler.log now shows the path of the source file to allow tracing which PDP API is actually used - when the new PDP API is used, the policy-update flow is disabled = passive mode of operation = no web-socket = no periodic catch_up = no policy-filters = reduced web-API - only a single /policy_latest endpoint is available /policies_latest returns 404 /catch_up request is accepted, but ignored - on new PDP API: http /policy_latest returns the new data from the new PDP API with the following fields added by the policy-handler to keep other policy related parts intact in R4 (see pdp_api/policy_utils.py) = "policyName" = policy_id + "." + "policyVersion" + ".xml" = "policyVersion" = str("metadata"."policy-version") = "config" - is the renamed "properties" from the new PDP API response - unit tests are split into two subfolders as well = main/ for the new PDP API testing = pdp_api_v0/ for the old (2018) PDP API - removed the following line from the license text of changed files ECOMP is a trademark and service mark of AT&T Intellectual Property. - the new PDP API is expected to be extended and redesigned in R5 El Alto - on retiring the old PDP API - the intention is to be able to remove the pdp_api_v0/ subfolder and minimal related cleanup of the code that imports that as well as the cleanup of the config.py, etc. Change-Id: Ief9a2ae4541300308caaf97377f4ed051535dbe4 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-1128
2019-01-314.6.0 policy-handler - active-passiveAlex Shatov1-5/+8
DCAEGEN2-931: - exposed POST /reconfigure endpoint on the web-server that initiates the reconfigure process right away DCAEGEN2-932: - mode_of_operation: active or passive = active is as before this change = in passive mode the policy-handler * closes the web-socket to PDP * skips the periodic catch_ups * still periodically checks for reconfigure * still allows usig the web-server to retrieve policies from PDP - default is active - when mode_of_operation changes from passive to active, the policy-handler invokes the catch_up right away - config-kv contains the optional override field mode_of_operation = changing the mode_of_operation in config-kv and invoking POST /reconfigure will bring the new value and change the mode of operation of the policy-handler if no service_activator section is provided in consul-kv record - if config-kv contains the service_activator section, = the policy-handler registers with service_activator - untested = and receives the mode_of_operation - untested = service_activator can POST-notify the policy-handler to initiate the /reconfigure - reduced the default web-socket ping interval from 180 to 30 seconds because PDP changed its default timeout on the web-socket from 400 seconds to 50 seconds Change-Id: If7dd21c008d9906aca97939be65dfa9c2f007535 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-931 Issue-ID: DCAEGEN2-932
2018-12-054.5.0 policy-handler - multi changeAlex Shatov1-35/+46
DCAEGEN2-853: - stop reporting the absence of policies or updates as error - this is an expected result == INFO or WARNING DCAEGEN2-903: preparation for TLS on the web-server of policy-handler DCAEGEN2-930: - configurable timeouts for http requests from policy-handler - added configurable pinging on the web-socket to PDP - added healthcheck info on the web-socket - upgraded websocket-client lib to 0.53.0 DCAEGEN2-1017: fixed a bug on policy-filter matching by filter_config_name - refactored and enhanced the unit-tests Change-Id: I111ddc57bb978554ef376cbf916965b6667dad9b Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-853 Issue-ID: DCAEGEN2-903 Issue-ID: DCAEGEN2-930 Issue-ID: DCAEGEN2-1017
2018-08-244.2.0 policy-handler - periodic reconfigureAlex Shatov1-1/+2
- reconfigure == periodically retrieve the policy-handler config from consul-kv and compare to previous config and subconfigs. If changed, reconfigure the subunits - selectively change one or any settings for the following = catch_up timer interval = reconfigure timer interval = deployment-handler url and params (thread-safe) = policy-engine url and params (thread-safe) = web-socket url to policy-engine (through a callback) - each subunit has its own Settings that keep track of changes - try-catch and metrics around discovery - consul API - hidden the secrets from logs - froze the web-socket version to 0.49.0 because 0.50.0 and 0.51.0 are broken - looking around for stable alternatives - fixed-adapted the callbacks passed to the web-socket lib that changed its API in 0.49.0 and later - log the stack on the exception occurring in the web-socket lib - unit test refactoring Change-Id: Id53bad59660a197f59d9aeb7c05ab761d1060cd0 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-470
2018-08-104.0.1 fix for removing the non-matching policyAlex Shatov1-8/+6
- fixed removing the policy that no longer match the filter = sending an empty policy_filter_matches for the policy_id - cleaner workaround on getting the updated policy when policy-engine sent policy-update notification before finishing the update on there side = using the collection of expected_versions instead of min_version_expected - some minor refactoring on policy_matcher and audit Change-Id: Ica3cb810378e61d6991c616f88265ff170d32a64 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-492
2018-08-074.0.0 new dataflow on policy-update and catchupAlex Shatov1-5/+24
- changed API and functionality - new dataflow - new dataflow between policy-handler and deployment-handler on policy-update and catchup = GETting policy_ids+versions and policy-filters from deployment-handler = PUTting policy-update and catchup in the new message format = data segmenting the policy-update/catchup messages to deployment-handler to avoid 413 on deployment-handler side = matching policies from policy-engine to policies and policy-filters from deployment-handler = coarsening the policyName filter received from deployment-handler to reduce the number messages passed to policy-engine on catchup = consolidating sequential policy-updates into a single request when the policy-update is busy - removed policy scope-prefixes from config and logic - it is not needed anymore because = the policy matching happens directly to policies and policy-filters received from deployment-handler = on catchup - the policy scope-prefix equivalents are calculated based on the data received from deployment-handler - API - GET /policies_latest now returns the info on deployed policy_ids+versions and policy-filters, rather than policies of the scope-prefixes previously found in config (obsolete) - not sending an empty catch_up message to deployment-handler when nothing changed - send policy-removed to deployment-handler when getting 404-not found from PDP on removal of policy - config change: removed catch_up.max_skips - obsolete - brought the latest CommonLogger.py - minor refactoring - improved naming of variables Change-Id: I36b3412eefd439088cb693703a6e5f18f4238b00 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-492
2018-06-143.0.0 policy-handler - migrated to python 3.6Alex Shatov1-11/+17
- migrated from python 2.7 to 3.6 - brought up the latest versions of dependencies -- Cherrypy 15.0.0, requests 2.18.4, websocket-client 0.48.0 - fixed migration errors -- renamed the standard package Queue to queue -- dict.items() instead of dict.iteritems() -- dict.keys() instead of dict.viewkeys() -- range() instead of xrange() -- subprocess.check_output(..., universal_newlines=True) to get str instead of byte-stream from stdout - cleaned up migration warnings -- super() instead of super(A, self) -- logger.warning() instead of .warn() - moved main() from policy_handler.py to __main__.py - getting the policy_handler version directly from setup.py instead of the env var on init of the audit Change-Id: I0fc4ddc51c08a64f3cfdc5d2f010b1c6a1ae92f0 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-515
2018-05-182.4.4 policy-handler - log process memoryAlex Shatov1-59/+10
- in search of the memory leak that is falsely reported by docker stats, the following runtime logging was added = process_memory - rss and other memory of the current process = virtual_memory - the memory info of the whole system = thread_stacks - the active threads with the full stack on each Change-Id: I5f5ab3a477bfba3aecc5963547aa82da6269670b Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-514
2018-05-102.4.3 policy-handler - try-catch top ExceptionsAlex Shatov1-160/+283
- added try-except for top level Exception into all threads of policy-handler to avoid losing the thread and tracking the unexpected crashes - rediscover the deployment-handler if not found before and after each catchup - refactored audit - separated metrics from audit - added more stats and runtime info to healthcheck = gc counts and garbage info if any detected = memory usage - to detect the potential memory leaks = request_id to all stats = stats of active requests - avoid reallocating the whole Queue of policy-updates after catchup = clear of the internal queue under proper lock Change-Id: I3fabcaac70419a68bd070ff7d591a75942f37663 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-483
2018-04-272.4.2 policy-handler - fixed race on step-timerAlex Shatov1-5/+17
- fixed the bug of unpredictably stopping of the periodic catch-up step-timer due to thread race condition in policy-handler = added critical sections under the reentrant lock on every group of local var change in step-timer - added more stats for healthcheck to track each type of job-operation separately = that helps narrowing down identifying the potential problems - unit test coverage 76% Change-Id: I92ddf6c92a3d225d9b87427e3edfb7f80669501a Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-472
2018-03-222.4.1 better step-timer + audit + unit-testsAlex Shatov1-7/+13
- improved step-timer due to unit tests -- fixed events -- better logging - audit - collect list of package thru subprocess pip freeze - unit tests coverage 76% Change-Id: Ib1cb5f687612ecf18aa7414b1ff7dbf5774345b4 Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-389
2018-03-202.4.0 dns based discovery of deployment-handlerAlex Shatov1-9/+5
- policy-handler uses dns based discovery of deployment-handler - driven by config - new data structure for deploy_handler section of config -- changed from string "deployment_handler" in 2.3.1 to structure in 2.4.0 deploy_handler : # name of deployment-handler service # used by policy-handler for logging target_entity : "deployment_handler" # url of the deployment-handler service # for policy-handler to direct the policy-updates to # - expecting dns to resolve the name # deployment_handler to ip address url : "http://deployment_handler:8188" - logic is backwards compatible with 2.3.1 format - removed import pip from audit -- import pip broken in pip 9.0.2 (2018-03-19) -- import pip conflicts with requests -- pip API is not officially supported -- see links for more https://github.com/pypa/pip/issues/5079 https://github.com/pypa/pip/issues/5081 Change-Id: Ifcaba6cfd714f3099ab7a25fe979a3696a6460fc Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-404
2018-02-27up the version to 2.1.0 for policy-handlerAlex Shatov1-1/+0
- removed #org.onap.dcae from license text Change-Id: I07f11e60c4677109ccb826c4e969b47acb4c498a Signed-off-by: Alex Shatov <alexs@att.com> Issue-ID: DCAEGEN2-347
2018-02-12Update license textLusheng Ji1-1/+1
Change-Id: I5626e0bbd3abaf96d8ab6a9b864329917b728c12 Signed-off-by: Lusheng Ji <lji@research.att.com> Issue-ID: DCAEGEN2-325
2018-01-11moved module docstring below the license textAlex Shatov1-9/+9
Change-Id: I2a3628cb67d15ab2828f6818764d111df13e795a Issue-ID: DCAEGEN2-249 Signed-off-by: Alex Shatov <alexs@att.com>
2018-01-10variable collection of policies per componentAlex Shatov1-41/+101
* new feature variable collection of policies per component in DCAE * massive refactoring * dissolved the external PolicyEngine.py into policy_receiver.py - kept only the web-socket communication to PolicyEngine * new /healthcheck - shows some stats of service running * Unit Test coverage 75% Change-Id: I816b7d5713ae0dd88fa73d3656f272b4f3e7946e Issue-ID: DCAEGEN2-249 Signed-off-by: Alex Shatov <alexs@att.com>
2017-08-23policy-handler seed codealex_sh1-0/+320
Change-Id: I35cd80b6e082f4b84740bab752774e8abc40ca35 Issue-Id: DCAEGEN2-46 Signed-off-by: Alex Shatov <alexs@att.com>