.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

*********************************
Creating and Using Guard Policies
*********************************

.. contents::
    :depth: 3

Background
^^^^^^^^^^
Guard policies are used to limit what operations shall be permitted. These policies are specified in the Policy GUI or RESTful API and return either "PERMIT" or "DENY" on request.

There are two types of policies: guard policies and blacklist guard policies. Blacklist guard policies describe what is not allowed to be permitted, and guard policies describe what is allowed to be permitted.

Note: as of the 1802 release, the Policy PDP combines decisions in a PERMIT-overrides fashion, so if any policy permits, that permit overrides any denies.

Creating Guard Policies
^^^^^^^^^^^^^^^^^^^^^^^
There are two options for creating guard policies: (1) through the GUI and (2) through the RESTful API.

GUI Method
----------

The GUARD policy can be created from the POLICY GUI as shown below.

.. note::

    * The Onap Name must be empty for the policy to work. To do this, **clone** the policy provided and then edit.
    * Even though the number of requests exceeds the limit, the request is not denied.

.. image:: PolicyGUI_GuardPolicy.png

|

API Method
----------
Use ``PUT /createPolicy`` to create a policy.

The request should be in the following form for a regular guard policy:

.. code-block:: json
    :caption: Regular Guard Policy Creation
    :linenos:

    {
        "policyClass": "Decision",
        "policyName": "Test.TestingGUARDapitest",
        "policyDescription": "Testing new YAML Guard Policy",
        "onapName": "PDPD",
        "ruleProvider": "GUARD_YAML",
        "attributes": {
            "MATCHING": {
                "actor": "APPC",
                "recipe": "restart",
                "targets": "test",
                "clname": "test",
                "limit": "5",
                "timeWindow": "15",
                "timeUnits": "minute",
                "guardActiveStart": "05:00:00-05:00",
                "guardActiveEnd": "23:59:59-05:00"
            }
        }
    }

The request should be in the following form for a blacklist guard policy:

.. code-block:: json
    :caption: Blacklist Guard Policy Creation
    :linenos:

    {
        "policyClass": "Decision",
        "policyName": "Test.TestingBLGUARD",
        "policyDescription": "Testing New BL YAML Guard Policy",
        "onapName": "MSO",
        "ruleProvider": "GUARD_BL_YAML",
        "attributes": {
            "MATCHING": {
                "actor": "APPC",
                "recipe": "restart",
                "clname": "test",
                "guardActiveStart": "05:00:00-05:00",
                "guardActiveEnd": "23:59:59-05:00",
                "blackList": "target1,target2,target3"
            }
        }
    }

Using Guard Policies
^^^^^^^^^^^^^^^^^^^^
To use the guard policies, make an HTTP request. For example:

.. code-block:: bash

    # HTTPie call; replace the <...> placeholders before running.
    http POST pdp:8081/pdp/api/getDecision \
        Authorization:<yourAuth> ClientAuth:<yourClientAuth> \
        Environment:<environment> Content-Type:application/json < guard_request.json

| where:
| ``<yourAuth>`` is the string generated from user:pass converted to base64 encoding.
| ``<yourClientAuth>`` is generated the same way but from the client user and pass.
| ``<environment>`` is the context of the request. For example: TEST

The ``guard_request.json`` file should take the following form:

.. code-block:: json
    :caption: guard_request.json

    {
        "decisionAttributes": {
            "actor": "APPC",
            "recipe": "Restart",
            "target": "test13",
            "clname": "piptest"
        },
        "onapName": "PDPD"
    }

A response should be received that contains a "PERMIT" or "DENY" in all caps, like the following:

.. code-block:: json
    :caption: Response

    {
        "decision": "PERMIT",
        "details": "Decision Permit. OK!"
    }
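
The following Python example is an addition to this page, not ONAP project code. It builds the headers and body described above and treats anything other than an exact ``PERMIT`` reply (malformed JSON, HTTP or network errors) as a denial. The ``http://`` scheme, the function names and the fail-closed handling are assumptions of the example.

```python
import base64
import http.client
import json
import urllib.request

# Host, port and path are from the page; the http:// scheme is an assumption.
PDP_URL = "http://pdp:8081/pdp/api/getDecision"


def b64_credentials(user, password):
    """Base64 of 'user:pass', as described for <yourAuth> and <yourClientAuth>."""
    return base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def build_request(attrs, onap_name, auth, client_auth, environment):
    """Return (headers, body) for getDecision; attrs holds actor/recipe/target/clname."""
    headers = {"Authorization": auth, "ClientAuth": client_auth,
               "Environment": environment, "Content-Type": "application/json"}
    body = {"decisionAttributes": dict(attrs), "onapName": onap_name}
    return headers, json.dumps(body).encode("utf-8")


def is_permitted(response_text):
    """Fail closed: only a JSON object whose decision is exactly "PERMIT" allows."""
    try:
        reply = json.loads(response_text)
    except (TypeError, ValueError):
        return False
    return isinstance(reply, dict) and reply.get("decision") == "PERMIT"


def guard_allows(headers, body, url=PDP_URL, timeout=5):
    """POST the request; transport and HTTP errors count as a denial (assumed policy)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return is_permitted(resp.read().decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException):
        return False


if __name__ == "__main__":
    # Constructed credentials and the sample attributes from guard_request.json.
    token = b64_credentials("user", "pass")
    attrs = {"actor": "APPC", "recipe": "Restart", "target": "test13", "clname": "piptest"}
    hdrs, payload = build_request(attrs, "PDPD", token, token, "TEST")
    print("permitted:", guard_allows(hdrs, payload))
```

Because the PDP combines decisions in a PERMIT-overrides fashion, a caller that acts on this result relies on no other deployed policy permitting the same request.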