diff options
Diffstat (limited to 'docs/drools/guardpdp.rst')
| -rw-r--r-- | docs/drools/guardpdp.rst | 153 |
1 files changed, 0 insertions, 153 deletions
diff --git a/docs/drools/guardpdp.rst b/docs/drools/guardpdp.rst deleted file mode 100644 index 0fdb4ab2..00000000 --- a/docs/drools/guardpdp.rst +++ /dev/null @@ -1,153 +0,0 @@ - -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 - -************************ -Using guard in the PDP-D -************************ - -.. contents:: - :depth: 2 - -This guide will help configure and test the guard connection from PDP-D (drools-pdp) to PDP-X (xacml-pdp). This guide assumes that the PDP-D is installed and running policy properly with other properties being set properly. - -Configuration -^^^^^^^^^^^^^ - -Prerequisites -------------- - -Stop Policy, open, and verify the config: - -- Stop policy with **policy stop** -- Open *$POLICY_HOME/config/controlloop.properties.environment* -- Make sure the *sql.db.host*, *sql.db.username* and *sql.db.password* are set correctly - - -Guard Properties ----------------- - -**guard.url** - URL endpoint of the PDP-X which will receive the request. - - For example, *http://pdp:8081/pdp/api/getDecision* will connect to the localhost PDP-X. - - This request requires some configuration for PDP-X properties below. - - For testing this URL before running policy, see Verification below. - -**guard.jdbc.url** - URL of the database location to which the operations history will be written. - - For example, *jdbc:mariadb://mariadb:3306/onap_sdk*. - - Note that the port is included. - - Note that at the end, the database name is used. - -**guard.disabled** - For enabling / disabling guard functionality. - - For example, to enable set it to false. - - When this is set to true, the previous two properties (guard.url and guard.jdbc.url) will be ignored. - - If guard is enabled, then the following PDP-X properties must also be set. - - -PDP-X Properties ----------------- - -For testing these properties before running policy, see Verification below. - -**pdpx.host** - URL of the PDP-X - - For example, pdp can be used when PDP-X is on localhost. - -**pdpx.username** - User to authenticate - -**pdpx.password** - User Password - -**pdpx.environment** - Environment making requests - - For example, TEST - -**pdpx.client.username** - Client to authenticate - -**pdpx.client.password** - Client password - - -Verification -^^^^^^^^^^^^ - -It is recommended to test using CLI tools before running since changing bash command parameters are faster than restarting policy. - -Logs Verification ------------------ -Checking the logs is straight forward. Check the **$POLICY_HOME/logs/error.log** file for the word "*callRESTfulPDP*" for any exceptions thrown. If they are thrown then there was a problem with the connection. -You can also check the **$POLICY_HOME/logs/network.log** file for the word "*Indeterminate*" which implies the connection failed or got a non 200 response code. - - -CLI Verification ----------------- - -It can be helpful to test the PDP-X connection using bash commands to make sure that the PDP-X properties are correct and the guard.url property is correct before running policy. - -**Method 1: httpie - CLI, cURL-like tool for humans** - - Using the http command we can make a request directly to PDP-X from the command line. Use the following form: - - .. code-block:: bash - - http - POST pdp:8081/pdp/api/getDecision - Authorization:<yourAuth> ClientAuth:<yourClientAuth> - Environment:<environment> Content-Type:application/json < guard_request.json - - | where: - | *<yourAuth>* is the string generated from user:pass converted to base64 encoding - | (a conversion tool is available at https://www.base64encode.org/) - | *<yourClientAuth>* is generated the same way but from the client user and pass. - | *<environment>* is the context of the request. For example: TEST - | *pdp* is the host of the PDP-X - - - The guard_request.json should be in the form of the following: - - .. code-block:: json - :caption: guard_request.json - - { - "decisionAttributes": { - "actor": "APPC", - "recipe": "Restart", - "target": "test13", - "clname" : "piptest" - }, - "onapName": "PDPD" - } - - * This request uses Basic Access Authentication. - * This request will need further configuration if you are using a proxy. - - - You know a successful connection is set when a response containing a “PERMIT” or “DENY” in uppercase is returned as follows: - - .. code-block:: json - :caption: Response - - { - "decision": "PERMIT", - "details": "Decision Permit. OK!" - } - -**Method 2: curl** - - This method does the same as the http command but uses the alternate command of curl. The command should have the following form: - - .. code-block:: bash - - curl -u <user>:<pass> -H "Content-Type: application/json" -H "ClientAuth:<yourClientAuth>" - -H "Environment:<environment>" -X POST -d @guard_req.json pdp:8081/pdp/api/getDecision - - * Note that <user> and <pass> are in plain text, while the other headers follow the same form as in Method 1 above. - * This request will need further configuration if you are using a proxy - * The response is the same as in Method 1. - - -**Note on Proxies** - - * JVM system properties should be set if a proxy is being used to make the connection work with policy. - * The connection may succeed but have response code 401 or 403 with improper proxy authentication, which leads to "Indeterminate" - * Additionally, the CLI tools have specific proxy configuration. See their respective manual pages for more info. - - -End of Document - -.. SSNote: Wiki page ref. https://wiki.onap.org/display/DW/Using+guard+in+the+PDP-D |