Diffstat (limited to 'docs/xacml')
-rw-r--r--docs/xacml/decision.match.request.json10
-rw-r--r--docs/xacml/decision.match.response.json18
-rw-r--r--docs/xacml/decision.monitoring.json2
-rw-r--r--docs/xacml/example.guard.blacklist.yaml17
-rw-r--r--docs/xacml/example.guard.filter.yaml39
-rw-r--r--docs/xacml/example.guard.limiter.yaml19
-rw-r--r--docs/xacml/example.guard.minmax.yaml17
-rw-r--r--docs/xacml/match.policies.yaml19
-rw-r--r--docs/xacml/match.policy-type.yaml16
-rw-r--r--docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json723
-rw-r--r--docs/xacml/tutorial/app/pom.xml131
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/Dockerfile7
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/README.txt36
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/config/db/db.conf20
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/config/db/db.sh26
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/docker-compose.yml102
-rw-r--r--docs/xacml/tutorial/app/src/main/docker/xacml.properties (renamed from docs/xacml/tutorial/tutorial-xacml.properties)2
-rw-r--r--docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java20
-rw-r--r--docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java18
-rw-r--r--docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java44
-rw-r--r--docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java45
-rw-r--r--docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json2
-rw-r--r--docs/xacml/tutorial/app/src/test/resources/tutorial-policies.yaml4
-rw-r--r--docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml30
-rw-r--r--docs/xacml/tutorial/tutorial-decision-request.json12
-rw-r--r--docs/xacml/tutorial/tutorial-policies.yaml30
-rw-r--r--docs/xacml/tutorial/tutorial-policy-type.yaml34
-rw-r--r--docs/xacml/tutorial/tutorial.tarbin0 -> 9949 bytes
-rw-r--r--docs/xacml/xacml-tutorial.rst68
-rw-r--r--docs/xacml/xacml.rst118
30 files changed, 1466 insertions, 163 deletions
diff --git a/docs/xacml/decision.match.request.json b/docs/xacml/decision.match.request.json
new file mode 100644
index 00000000..72ddc317
--- /dev/null
+++ b/docs/xacml/decision.match.request.json
@@ -0,0 +1,10 @@
+{
+ "ONAPName": "my-ONAP",
+ "ONAPComponent": "my-component",
+ "ONAPInstance": "my-instance",
+ "requestId": "unique-request-1",
+ "action": "match",
+ "resource": {
+ "matchable": "foo"
+ }
+} \ No newline at end of file
diff --git a/docs/xacml/decision.match.response.json b/docs/xacml/decision.match.response.json
new file mode 100644
index 00000000..0f9e465a
--- /dev/null
+++ b/docs/xacml/decision.match.response.json
@@ -0,0 +1,18 @@
+{
+ "policies": {
+ "test_match_1": {
+ "type": "onap.policies.match.Test",
+ "type_version": "1.0.0",
+ "properties": {
+ "matchable": "foo",
+ "nonmatchable": "value1"
+ },
+ "name": "test_match_1",
+ "version": "1.0.0",
+ "metadata": {
+ "policy-id": "test_match_1",
+ "policy-version": "1.0.0"
+ }
+ }
+ }
+} \ No newline at end of file
diff --git a/docs/xacml/decision.monitoring.json b/docs/xacml/decision.monitoring.json
index 4442f6f0..da253f13 100644
--- a/docs/xacml/decision.monitoring.json
+++ b/docs/xacml/decision.monitoring.json
@@ -4,6 +4,6 @@
"ONAPInstance": "622431a4-9dea-4eae-b443-3b2164639c64",
"action": "configure",
"resource": {
- "policy-type": "onap.policies.monitoring.cdap.tca.hi.lo.app"
+ "policy-type": "onap.policies.monitoring.tcagen2"
}
}
diff --git a/docs/xacml/example.guard.blacklist.yaml b/docs/xacml/example.guard.blacklist.yaml
new file mode 100644
index 00000000..d8499571
--- /dev/null
+++ b/docs/xacml/example.guard.blacklist.yaml
@@ -0,0 +1,17 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ policies:
+ - guard.blacklist.scaleout:
+ type: onap.policies.controlloop.guard.common.Blacklist
+ type_version: 1.0.0
+ version: 1.0.0
+ name: guard.blacklist.scaleout
+ metadata:
+ policy-id: guard.blacklist.scaleout
+ properties:
+ actor: APPC
+ operation: Restart
+ id: my-controlloop
+ blacklist:
+ - vnf-id-1
+ - vnf-id-2 \ No newline at end of file
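Review bot: The policy is named `guard.blacklist.scaleout`, but its `properties` set `actor: APPC` and `operation: Restart`, so the name describes a different operation from the one being guarded. The same mismatch appears in `guard.frequency.scaleout` in example.guard.limiter.yaml, whose description talks about Restarts. Either rename them to `guard.blacklist.restart` / `guard.frequency.restart` (key, `name` and `policy-id` together) or switch the operation to the scale-out one used in example.guard.minmax.yaml. In the limiter file, `policy-id : guard.frequency.scaleout` also has a space before the colon, unlike the other examples.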
diff --git a/docs/xacml/example.guard.filter.yaml b/docs/xacml/example.guard.filter.yaml
new file mode 100644
index 00000000..261ffbee
--- /dev/null
+++ b/docs/xacml/example.guard.filter.yaml
@@ -0,0 +1,39 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ policies:
+ - filter.block.region.allow.one.vnf:
+ description: Block this region from Control Loop actions, but allow a specific vnf.
+ type: onap.policies.controlloop.guard.common.Filter
+ type_version: 1.0.0
+ version: 1.0.0
+ properties:
+ actor: SO
+ operation: VF Module Create
+ algorithm: whitelist-overrides
+ filters:
+ - field: cloud-region.cloud-region-id
+ filter: RegionOne
+ function: string-equal
+ blacklist: true
+ - field: generic-vnf.vnf-id
+ filter: e6130d03-56f1-4b0a-9a1d-e1b2ebc30e0e
+ function: string-equal
+ blacklist: false
+ - filter.allow.region.block.one.vnf:
+ description: allow this region to do Control Loop actions, but block a specific vnf.
+ type: onap.policies.controlloop.guard.common.Filter
+ type_version: 1.0.0
+ version: 1.0.0
+ properties:
+ actor: SO
+ operation: VF Module Create
+ algorithm: blacklist-overrides
+ filters:
+ - field: cloud-region.cloud-region-id
+ filter: RegionTwo
+ function: string-equal
+ blacklist: false
+ - field: generic-vnf.vnf-id
+ filter: f17face5-69cb-4c88-9e0b-7426db7edddd
+ function: string-equal
+ blacklist: true \ No newline at end of file
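Review bot: Both policies rely on `algorithm` (`whitelist-overrides` / `blacklist-overrides`) to resolve a region filter and a vnf filter that disagree, but the file never says which entry wins. Someone copying this guard cannot tell from the YAML alone whether the combined result permits or denies the action. Add a comment above each `algorithm:` line, for example `# a matching "blacklist: false" filter takes precedence over a matching "blacklist: true" filter`, with the wording confirmed against the Filter policy type. The second `description` also starts in lower case (`allow this region ...`), unlike the first.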
diff --git a/docs/xacml/example.guard.limiter.yaml b/docs/xacml/example.guard.limiter.yaml
new file mode 100644
index 00000000..703be4f7
--- /dev/null
+++ b/docs/xacml/example.guard.limiter.yaml
@@ -0,0 +1,19 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ policies:
+ -
+ guard.frequency.scaleout:
+ type: onap.policies.controlloop.guard.common.FrequencyLimiter
+ type_version: 1.0.0
+ version: 1.0.0
+ name: guard.frequency.scaleout
+ description: Here we limit the number of Restarts for my-controlloop to 3 in a ten minute period.
+ metadata:
+ policy-id : guard.frequency.scaleout
+ properties:
+ actor: APPC
+ operation: Restart
+ id: my-controlloop
+ timeWindow: 10
+ timeUnits: minute
+ limit: 3 \ No newline at end of file
diff --git a/docs/xacml/example.guard.minmax.yaml b/docs/xacml/example.guard.minmax.yaml
new file mode 100644
index 00000000..5411378a
--- /dev/null
+++ b/docs/xacml/example.guard.minmax.yaml
@@ -0,0 +1,17 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ policies:
+ - guard.minmax.scaleout:
+ type: onap.policies.controlloop.guard.common.MinMax
+ type_version: 1.0.0
+ version: 1.0.0
+ name: guard.minmax.scaleout
+ metadata:
+ policy-id: guard.minmax.scaleout
+ properties:
+ actor: SO
+ operation: VF Module Create
+ id: my-controlloop
+ target: the-vfmodule-id
+ min: 1
+ max: 2 \ No newline at end of file
diff --git a/docs/xacml/match.policies.yaml b/docs/xacml/match.policies.yaml
new file mode 100644
index 00000000..d0e214ca
--- /dev/null
+++ b/docs/xacml/match.policies.yaml
@@ -0,0 +1,19 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+topology_template:
+ policies:
+ - test_match_1:
+ type: onap.policies.match.Test
+ version: 1.0.0
+ type_version: 1.0.0
+ name: test_match_1
+ properties:
+ matchable: foo
+ nonmatchable: value1
+ - test_match_2:
+ type: onap.policies.match.Test
+ version: 1.0.0
+ type_version: 1.0.0
+ name: test_match_2
+ properties:
+ matchable: bar
+ nonmatchable: value2 \ No newline at end of file
diff --git a/docs/xacml/match.policy-type.yaml b/docs/xacml/match.policy-type.yaml
new file mode 100644
index 00000000..a131b844
--- /dev/null
+++ b/docs/xacml/match.policy-type.yaml
@@ -0,0 +1,16 @@
+tosca_definitions_version: tosca_simple_yaml_1_1_0
+policy_types:
+ onap.policies.match.Test:
+ derived_from: onap.policies.Match
+ version: 1.0.0
+ name: onap.policies.match.Test
+ description: Test Matching Policy Type to test matchable policies
+ properties:
+ matchable:
+ type: string
+ metadata:
+ matchable: true
+ required: true
+ nonmatchable:
+ type: string
+ required: true
diff --git a/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json b/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json
new file mode 100644
index 00000000..23aa0eb8
--- /dev/null
+++ b/docs/xacml/tutorial/PolicyApplicationTutorial.postman_collection.json
@@ -0,0 +1,723 @@
+{
+ "info": {
+ "_postman_id": "20eb42db-f0a7-4b65-8ccd-c3a5f56cb526",
+ "name": "Policy Application Tutorial",
+ "description": "Collection of Postman API calls to support the Policy Enforcement Tutorial",
+ "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+ },
+ "item": [
+ {
+ "name": "Api Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/healthcheck",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Create Authorization Policy Type",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/yaml"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/yaml"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\npolicy_types:\n onap.policies.Authorization:\n derived_from: tosca.policies.Root\n version: 1.0.0\n description: Example tutorial policy type for doing user authorization\n properties:\n user:\n type: string\n required: true\n description: The unique user name\n permissions:\n type: list\n required: true\n description: A list of resource permissions\n entry_schema:\n type: onap.datatypes.Tutorial\ndata_types:\n onap.datatypes.Tutorial:\n derived_from: tosca.datatypes.Root\n version: 1.0.0\n properties:\n entity:\n type: string\n required: true\n description: The resource\n permission:\n type: string\n required: true\n description: The permission level\n constraints:\n - valid_values: [read, write, delete]\n",
+ "options": {
+ "raw": {
+ "language": "text"
+ }
+ }
+ },
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "policytypes"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Create policies",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/yaml"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/yaml"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\ntopology_template:\n policies:\n -\n onap.policy.tutorial.demo:\n type: onap.policies.Authorization\n type_version: 1.0.0\n version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.demo\n policy-version: 1\n properties:\n user: demo\n permissions:\n -\n entity: foo\n permission: read\n -\n entity: foo\n permission: write\n -\n onap.policy.tutorial.audit:\n type: onap.policies.Authorization\n version: 1.0.0\n type_version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.bar\n policy-version: 1\n properties:\n user: audit\n permissions:\n -\n entity: foo\n permission: read\n",
+ "options": {
+ "raw": {
+ "language": "text"
+ }
+ }
+ },
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes/onap.policies.Authorization/versions/1.0.0/policies",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "policytypes",
+ "onap.policies.Authorization",
+ "versions",
+ "1.0.0",
+ "policies"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PAP Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/healthcheck",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PAP Get PDPs",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PdpGroup State Change PASSIVE",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "PUT",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ },
+ {
+ "key": "Accept",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup?state=PASSIVE",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "defaultGroup"
+ ],
+ "query": [
+ {
+ "key": "state",
+ "value": "PASSIVE"
+ }
+ ]
+ },
+ "description": "This is an API to change the current state of a PdpGroup (example - \"defaultGroup\") resulting in changing state of all the PDP instances registered with the PdpGroup. As of now, the allowed states are ACTIVE and PASSIVE."
+ },
+ "response": []
+ },
+ {
+ "name": "Delete PdpGroup",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "DELETE",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "defaultGroup"
+ ]
+ },
+ "description": "This is an API to delete a specific PdpGroup (example - \"SampleGroup\") currently available in Policy DB, resulting in removing all the PDP instances registered with the group."
+ },
+ "response": []
+ },
+ {
+ "name": "Create/Update PdpGroup",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"groups\": [\n {\n \"name\": \"defaultGroup\",\n \"pdpGroupState\": \"ACTIVE\",\n \"properties\": {},\n \"pdpSubgroups\": [\n {\n \"pdpType\": \"xacml\",\n \"desiredInstanceCount\": 1,\n \"properties\": {},\n \"supportedPolicyTypes\": [\n {\n \"name\": \"onap.policies.Authorization\",\n \"version\": \"1.0.0\"\n }\n ],\n \"policies\": []\n }\n ]\n }\n ]\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/batch",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "batch"
+ ]
+ },
+ "description": "This is a generic API to create/update PdpGroups in Policy DB. However, the supportedPolicyTypes field of PdpSubGroup cannot be changed once created."
+ },
+ "response": []
+ },
+ {
+ "name": "Simple Deploy Policy - onap.policy.tutorial.demo",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n \"policies\" : [\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.demo\",\r\n \"policy-version\": \"1.0.0\"\r\n },\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.audit\",\r\n \"policy-version\": \"1.0.0\"\r\n }\r\n ]\r\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "policies"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Dmaap Simulator - Policy Update Notification",
+ "protocolProfileBehavior": {
+ "disableBodyPruning": true
+ },
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": ""
+ },
+ "url": {
+ "raw": "{{DMAAP-URL}}/events/POLICY-NOTIFICATION/group/id?timeout=5000",
+ "host": [
+ "{{DMAAP-URL}}"
+ ],
+ "path": [
+ "events",
+ "POLICY-NOTIFICATION",
+ "group",
+ "id"
+ ],
+ "query": [
+ {
+ "key": "timeout",
+ "value": "5000"
+ }
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/healthcheck",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Statistics",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/statistics",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "statistics"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Decision - Authorization policy-type",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"ONAPName\": \"TutorialPEP\",\n \"ONAPComponent\": \"TutorialPEPComponent\",\n \"ONAPInstance\": \"TutorialPEPInstance\",\n \"requestId\": \"unique-request-id-tutorial\",\n \"action\": \"authorize\",\n \"resource\": {\n \"user\": \"audit\",\n \"entity\": \"foo\",\n \"permission\" : \"read\"\n }\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/decision",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "decision"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Simple Undeploy Policy",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "DELETE",
+ "header": [
+ {
+ "key": "Accept",
+ "value": "application/json",
+ "type": "text"
+ },
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies/onap.policy.tutorial.demo",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "policies",
+ "onap.policy.tutorial.demo"
+ ]
+ }
+ },
+ "response": []
+ }
+ ],
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "",
+ "type": "string"
+ }
+ ]
+ },
+ "protocolProfileBehavior": {}
+} \ No newline at end of file
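Review bot: Every request embeds the same basic-auth pair (user `healthcheck` plus a literal password) in its own `auth` block, while the collection-level `auth` at the end of the file is left with empty values. Putting the credentials in the collection-level block as variables, e.g. `"value": "{{POLICY-PASSWORD}}"`, and letting requests inherit them would keep the secret out of the committed file and match how the URLs already use `{{POLICY-API-URL}}`. The same account is used for healthchecks and for state-changing calls such as "Create policies" and "Delete PdpGroup", so the collection `description` should say these are lab-only defaults. Separately, in the "Create policies" body the policy `onap.policy.tutorial.audit` carries `policy-id: onap.policy.tutorial.bar`, which does not match the id deployed in "Simple Deploy Policy".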
diff --git a/docs/xacml/tutorial/app/pom.xml b/docs/xacml/tutorial/app/pom.xml
index bf8683a5..380ee512 100644
--- a/docs/xacml/tutorial/app/pom.xml
+++ b/docs/xacml/tutorial/app/pom.xml
@@ -1,29 +1,106 @@
+<!--
+ ============LICENSE_START=======================================================
+ ONAP Policy Engine - XACML Application Tutorial
+ ================================================================================
+ Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+ -->
+
<project xmlns="http://maven.apache.org/POM/4.0.0"
- xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
- xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
- <modelVersion>4.0.0</modelVersion>
-
- <groupId>org.onap.policy.tutorial</groupId>
- <artifactId>tutorial</artifactId>
- <version>0.0.1-SNAPSHOT</version>
-
- <name>tutorial</name>
-
- <properties>
- <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
- </properties>
-
- <dependencies>
- <dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>4.12</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>org.onap.policy.xacml-pdp.applications</groupId>
- <artifactId>common</artifactId>
- <version>2.1.0-SNAPSHOT</version>
- </dependency>
- </dependencies>
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+ <modelVersion>4.0.0</modelVersion>
+
+ <groupId>org.onap.policy.tutorial</groupId>
+ <artifactId>tutorial</artifactId>
+ <version>0.0.1-SNAPSHOT</version>
+ <packaging>jar</packaging>
+
+ <name>tutorial</name>
+
+ <properties>
+ <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+ </properties>
+
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>4.13</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.policy.xacml-pdp.applications</groupId>
+ <artifactId>common</artifactId>
+ <version>2.2.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.policy.xacml-pdp</groupId>
+ <artifactId>xacml-test</artifactId>
+ <version>2.2.2</version>
+ <scope>test</scope>
+ </dependency>
+ </dependencies>
+
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-compiler-plugin</artifactId>
+ <version>3.8.0</version>
+ <configuration>
+ <release>11</release>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>io.fabric8</groupId>
+ <artifactId>docker-maven-plugin</artifactId>
+ <version>0.33.0</version>
+ <configuration>
+ <verbose>true</verbose>
+ <images>
+ <image>
+ <name>onap/policy-xacml-tutorial</name>
+ <alias>xacml-pdp</alias>
+ <build>
+ <contextDir>${project.basedir}/src/main/docker</contextDir>
+ <assembly>
+ <descriptorRef>artifact-with-dependencies</descriptorRef>
+ </assembly>
+ </build>
+ </image>
+ </images>
+ </configuration>
+ <executions>
+ <execution>
+ <id>clean-images</id>
+ <phase>pre-clean</phase>
+ <goals>
+ <goal>remove</goal>
+ </goals>
+ </execution>
+
+ <execution>
+ <id>generate-images</id>
+ <phase>package</phase>
+ <goals>
+ <goal>build</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
+ </plugins>
+ </build>
</project>
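Review bot: The release `2.2.2` is now written out in three places that have to move together: the `common` dependency, the `xacml-test` dependency, and the `FROM onap/policy-xacml-pdp:2.2.2` line of the Dockerfile added in this commit. Declaring it once under `<properties>`, e.g. `<xacml-pdp.version>2.2.2</xacml-pdp.version>`, and using `${xacml-pdp.version}` in both dependencies would keep the jar's compile-time API and the runtime base image from drifting apart. The image `<name>onap/policy-xacml-tutorial</name>` also has no tag, so docker-compose.yml resolves it as `latest`; an explicit tag such as `onap/policy-xacml-tutorial:${project.version}` makes it clear which build is being run.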
diff --git a/docs/xacml/tutorial/app/src/main/docker/Dockerfile b/docs/xacml/tutorial/app/src/main/docker/Dockerfile
new file mode 100644
index 00000000..639e94fb
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/Dockerfile
@@ -0,0 +1,7 @@
+FROM onap/policy-xacml-pdp:2.2.2
+
+ADD maven/${project.build.finalName}.jar /opt/app/policy/pdpx/lib/${project.build.finalName}.jar
+
+RUN mkdir -p /opt/app/policy/pdpx/apps/tutorial
+
+COPY --chown=policy:policy xacml.properties /opt/app/policy/pdpx/apps/tutorial \ No newline at end of file
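Review bot: `ADD` is used to place a local jar where `COPY` is sufficient; `ADD` also has remote-URL and archive-extraction behaviour that is not wanted here, so prefer `COPY maven/${project.build.finalName}.jar /opt/app/policy/pdpx/lib/`. The jar and the directory created by `RUN mkdir -p` get whatever owner the base image's current user implies, and only `xacml.properties` is given `--chown=policy:policy`. If the PDP process runs as `policy` and writes into `apps/tutorial` (not visible from this hunk), the directory needs that owner too. The base image is pinned by tag only; a digest pin would make the tutorial image reproducible.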
diff --git a/docs/xacml/tutorial/app/src/main/docker/README.txt b/docs/xacml/tutorial/app/src/main/docker/README.txt
new file mode 100644
index 00000000..a29a44b2
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/README.txt
@@ -0,0 +1,36 @@
+docker-compose -f docker-compose.yml run --rm start_dependencies
+
+docker-compose -f docker-compose.yml run --rm start_all
+
+
+curl -X POST http://0.0.0.0:3904/events/POLICY-PDP-PAP
+
+Should return JSON similar to this:
+{"serverTimeMs":0,"count":0}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6969/policy/pdpx/v1/healthcheck'
+
+Should return JSON similar to this:
+{"name":"Policy Xacml PDP","url":"self","healthy":true,"code":200,"message":"alive"}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6767/policy/api/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy API",
+ "url": "policy-api",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+}
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6868/policy/pap/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy PAP",
+ "url": "policy-pap",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+} \ No newline at end of file
diff --git a/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf b/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf
new file mode 100644
index 00000000..42f35844
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/config/db/db.conf
@@ -0,0 +1,20 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+MYSQL_ROOT_PASSWORD=secret
+MYSQL_USER=policy_user
+MYSQL_PASSWORD=policy_user \ No newline at end of file
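Review bot: `MYSQL_ROOT_PASSWORD=secret` and a user password equal to the user name are committed as working defaults, and nothing in the file marks them as tutorial-only. Add a comment above the three assignments, such as `# Tutorial defaults only - change before using outside a local docker-compose run`. In this commit's docker-compose.yml the mariadb service only `expose`s 3306 rather than publishing it, which limits who can reach the database with these values, but an env file like this tends to be copied into other setups unchanged.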
diff --git a/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh b/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh
new file mode 100644
index 00000000..499764df
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/config/db/db.sh
@@ -0,0 +1,26 @@
+#!/bin/bash -xv
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+for db in policyadmin operationshistory
+do
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+done
+
+mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
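Review bot: The shebang `#!/bin/bash -xv` enables tracing, so every `mysql -uroot -p"${MYSQL_ROOT_PASSWORD}"` line is echoed to the container output with the root password expanded. Use `#!/bin/bash -e` instead, so the init script stops on the first failed statement without writing the secret to the logs. Passing the password with `-p` also puts it on each mysql process's command line; exporting `MYSQL_PWD="${MYSQL_ROOT_PASSWORD}"` once before the loop avoids that. The grant is made to `'${MYSQL_USER}'@'%'`, i.e. from any host, which is worth a one-line comment saying it is intended only for the compose network.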
diff --git a/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml b/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml
new file mode 100644
index 00000000..b65098c1
--- /dev/null
+++ b/docs/xacml/tutorial/app/src/main/docker/docker-compose.yml
@@ -0,0 +1,102 @@
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+version: '2'
+services:
+ mariadb:
+ image: mariadb:10.2.14
+ container_name: mariadb
+ hostname: mariadb
+ command: ['--lower-case-table-names=1', '--wait_timeout=28800']
+ env_file: config/db/db.conf
+ volumes:
+ - ./config/db:/docker-entrypoint-initdb.d
+ expose:
+ - 3306
+ message-router:
+ image: dmaap/simulator
+ container_name: dmaap-simulator
+ hostname: dmaap-simulator
+ ports:
+ - "3904:3904"
+ expose:
+ - 3904
+ api:
+ image: nexus3.onap.org:10001/onap/policy-api:2.2.4
+ container_name: policy-api
+ depends_on:
+ - mariadb
+ hostname: policy-api
+ ports:
+ - "6767:6969"
+ expose:
+ - 6767
+ pap:
+ image: nexus3.onap.org:10001/onap/policy-pap:2.2.3
+ container_name: policy-pap
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ hostname: policy-pap
+ ports:
+ - "6868:6969"
+ expose:
+ - 6868
+ xacml-pdp:
+ image: onap/policy-xacml-tutorial
+ container_name: policy-xacml-pdp
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ - pap
+ hostname: policy-xacml-pdp
+ ports:
+ - "6969:6969"
+ expose:
+ - 6969
+ start_dependencies:
+ image: dadarek/wait-for-dependencies
+ environment:
+ TIMEOUT_LENGTH: 60
+ container_name: policy-wait
+ depends_on:
+ - mariadb
+ - message-router
+ hostname: policy-wait
+ command:
+ mariadb:3306
+ message-router:3904
+ start_all:
+ image: dadarek/wait-for-dependencies
+ environment:
+ TIMEOUT_LENGTH: 60
+ container_name: policy-wait-all
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ - pap
+ - xacml-pdp
+ hostname: policy-wait-all
+ command:
+ mariadb:3306
+ message-router:3904
+ api:6969
+ pap:6969
+ xacml-pdp:6969
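Review bot: Three images are referenced without a tag or digest (`dmaap/simulator`, `dadarek/wait-for-dependencies`, `onap/policy-xacml-tutorial`), so each `docker-compose up` may pull whatever `latest` currently is, including from a third-party account. Pin them the way `mariadb:10.2.14` and the nexus3 images are pinned, e.g. `image: dadarek/wait-for-dependencies:<TAG>@sha256:<DIGEST>` (placeholders). The `expose` entries for `api` and `pap` list the host-side numbers 6767 and 6868, while the mappings `"6767:6969"` and `"6868:6969"` and the `start_all` command show both containers listening on 6969, so those entries should be `- 6969`. The published ports bind to every host interface; for a tutorial stack that runs with the sample credentials from `config/db/db.conf`, a loopback binding such as `- "127.0.0.1:6969:6969"` keeps the services off the network.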
diff --git a/docs/xacml/tutorial/tutorial-xacml.properties b/docs/xacml/tutorial/app/src/main/docker/xacml.properties
index e10ad63f..277b098e 100644
--- a/docs/xacml/tutorial/tutorial-xacml.properties
+++ b/docs/xacml/tutorial/app/src/main/docker/xacml.properties
@@ -28,4 +28,4 @@ xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:p
# Policies to load
#
xacml.rootPolicies=
-xacml.referencedPolicies=
+xacml.referencedPolicies= \ No newline at end of file
diff --git a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java
index 24e84049..5727f1c1 100644
--- a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java
+++ b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java
@@ -1,3 +1,21 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
package org.onap.policy.tutorial.tutorial;
import java.util.Arrays;
@@ -8,7 +26,7 @@ import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServi
public class TutorialApplication extends StdXacmlApplicationServiceProvider {
- private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier();
+ private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier("onap.policies.Authorization", "1.0.0");
private final TutorialTranslator translator = new TutorialTranslator();
@Override
diff --git a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java
index 1f890314..31aace69 100644
--- a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java
+++ b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java
@@ -1,3 +1,21 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
package org.onap.policy.tutorial.tutorial;
import java.util.Map;
diff --git a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java
index 80f0c68c..600c6214 100644
--- a/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java
+++ b/docs/xacml/tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java
@@ -1,3 +1,21 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
package org.onap.policy.tutorial.tutorial;
import java.util.List;
@@ -30,8 +48,9 @@ public class TutorialTranslator implements ToscaPolicyTranslator {
private static final Identifier ID_TUTORIAL_USER = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-user");
private static final Identifier ID_TUTORIAL_ENTITY =
new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-entity");
- private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-perm");
+ private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-permission");
+ @SuppressWarnings("unchecked")
public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException {
//
// Here is our policy with a version and default combining algo
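Review bot: `@SuppressWarnings("unchecked")` on the whole of `convertPolicy` hides the unchecked casts of policy-supplied properties further down (`(List<Object>) props.get("permissions")` and `(Map<String, String>) permission`, visible in the later hunks). A malformed policy will still surface as a `ClassCastException` or a `NullPointerException` (for example from `props.get("user").toString()`) rather than the declared `ToscaPolicyConversionException`. Consider checking the shape before casting, e.g. `if (!(props.get("permissions") instanceof List)) { throw new ToscaPolicyConversionException("permissions must be a list"); }`, and moving the suppression onto the local declaration that needs it. The method body continues outside this hunk.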
@@ -55,7 +74,7 @@ public class TutorialTranslator implements ToscaPolicyTranslator {
// For simplicity, let's just match on the action "authorize" and the user
//
MatchType matchAction = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL,
- "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
+ "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION_ACTION_ID, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
Map<String, Object> props = toscaPolicy.getProperties();
String user = props.get("user").toString();
MatchType matchUser = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL, user,
@@ -64,14 +83,14 @@ public class TutorialTranslator implements ToscaPolicyTranslator {
//
// Create AllOf (AND) of just Policy Id
//
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction));
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchUser));
+ anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction, matchUser));
TargetType target = new TargetType();
target.getAnyOf().add(anyOf);
newPolicyType.setTarget(target);
//
// Now add the rule for each permission
//
+ int ruleNumber = 0;
List<Object> permissions = (List<Object>) props.get("permissions");
for (Object permission : permissions) {
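Review bot: The comment above the changed line still reads `Create AllOf (AND) of just Policy Id`, but the target now requires the action and the user to match together. That is the security-relevant part of this change, since two separate AllOf entries under one AnyOf are alternatives. I would update the comment to `// One AllOf so that action AND user must both match; separate AllOf entries under an AnyOf are ORed`. The same reasoning applies to the `buildAllOf(matchEntity, matchPermission)` change in the next hunk, which has no comment at all. `convertPolicy` starts and ends outside this hunk.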
@@ -83,18 +102,20 @@ public class TutorialTranslator implements ToscaPolicyTranslator {
XACML3.ID_FUNCTION_STRING_EQUAL, ((Map<String, String>) permission).get("permission"),
XACML3.ID_DATATYPE_STRING, ID_TUTORIAL_PERM, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
anyOf = new AnyOfType();
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity));
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchPermission));
+ anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity, matchPermission));
target = new TargetType();
target.getAnyOf().add(anyOf);
RuleType rule = new RuleType();
rule.setDescription("Default is to PERMIT if the policy matches.");
- rule.setRuleId(newPolicyType.getPolicyId() + ":rule");
+ rule.setRuleId(newPolicyType.getPolicyId() + ":rule" + ruleNumber);
+
rule.setEffect(EffectType.PERMIT);
rule.setTarget(target);
newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
+
+ ruleNumber++;
}
return newPolicyType;
}
@@ -121,19 +142,12 @@ public class TutorialTranslator implements ToscaPolicyTranslator {
// Just simply return a Permit response
//
decisionResponse.setStatus(Decision.PERMIT.toString());
- }
- if (xacmlResult.getDecision() == Decision.DENY) {
+ } else {
//
// Just simply return a Deny response
//
decisionResponse.setStatus(Decision.DENY.toString());
}
- if (xacmlResult.getDecision() == Decision.NOTAPPLICABLE) {
- //
- // There is no guard policy, so we return a permit
- //
- decisionResponse.setStatus(Decision.PERMIT.toString());
- }
}
return decisionResponse;
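Review bot: The new `else` branch reports every result not handled by the preceding branch as Deny, but the comment `Just simply return a Deny response` does not say that this now includes NotApplicable (previously mapped to Permit) and presumably Indeterminate. Since failing closed is the behaviour callers will rely on, state it: `// Anything other than Permit (Deny, NotApplicable, Indeterminate) is reported as Deny`. The condition of the `if` that this `else` belongs to is outside the hunk, so this assumes it tests for `Decision.PERMIT`.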
diff --git a/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java b/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java
index 7a1c2f94..d20c1b38 100644
--- a/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java
+++ b/docs/xacml/tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java
@@ -1,9 +1,28 @@
+/*-
+ * ============LICENSE_START=======================================================
+ * Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ * ================================================================================
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ * ============LICENSE_END=========================================================
+ */
+
package org.onap.policy.tutorial.tutorial;
+import static org.junit.Assert.assertEquals;
+
import java.io.File;
import java.io.IOException;
import java.util.Iterator;
-import java.util.List;
import java.util.Properties;
import java.util.ServiceLoader;
@@ -12,16 +31,16 @@ import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
+import org.onap.policy.common.endpoints.parameters.RestServerParameters;
import org.onap.policy.common.utils.coder.CoderException;
import org.onap.policy.common.utils.coder.StandardCoder;
import org.onap.policy.common.utils.resources.TextFileUtils;
import org.onap.policy.models.decisions.concepts.DecisionRequest;
import org.onap.policy.models.decisions.concepts.DecisionResponse;
-import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy;
-import org.onap.policy.pdp.xacml.application.common.TestUtils;
import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException;
import org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider;
import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils;
+import org.onap.policy.pdp.xacml.xacmltest.TestUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -67,9 +86,9 @@ public class TutorialApplicationTest {
// Tell the application to initialize based on the properties file
// we just built for it.
//
- service.initialize(propertiesFile.toPath().getParent());
- }
-
+ service.initialize(propertiesFile.toPath().getParent(), new RestServerParameters());
+ }
+
@Test
public void test() throws CoderException, XacmlApplicationException, IOException {
//
@@ -83,11 +102,19 @@ public class TutorialApplicationTest {
TextFileUtils
.getTextFileAsString("src/test/resources/tutorial-decision-request.json"),
DecisionRequest.class);
- //
- // Test a decision
//
- Pair<DecisionResponse, Response> decision = service.makeDecision(decisionRequest);
+ // Test a decision - should start with a permit
+ //
+ Pair<DecisionResponse, Response> decision = service.makeDecision(decisionRequest, null);
+ LOGGER.info(decision.getLeft().toString());
+ assertEquals("Permit", decision.getLeft().getStatus());
+ //
+ // This should be a deny
+ //
+ decisionRequest.getResource().put("user", "audit");
+ decision = service.makeDecision(decisionRequest, null);
LOGGER.info(decision.getLeft().toString());
+ assertEquals("Deny", decision.getLeft().getStatus());
}
}
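Review bot: The test pins Permit for `demo` and Deny for `audit`, but no case covers a request that matches no policy at all, which appears to be the path that changed from Permit to Deny in `TutorialTranslator` in this commit. A third case would pin it: `decisionRequest.getResource().put("user", "nobody");` followed by `assertEquals("Deny", service.makeDecision(decisionRequest, null).getLeft().getStatus());`. The two `LOGGER.info(decision.getLeft().toString())` calls could also use a parameterized message, `LOGGER.info("Decision {}", decision.getLeft());`.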
diff --git a/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json b/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json
index 8c1ec10c..f3a7f9a2 100644
--- a/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json
+++ b/docs/xacml/tutorial/app/src/test/resources/tutorial-decision-request.json
@@ -7,6 +7,6 @@
"resource": {
"user": "demo",
"entity": "foo",
- "permission" : "read"
+ "permission" : "write"
}
}
diff --git a/docs/xacml/tutorial/app/src/test/resources/tutorial-policies.yaml b/docs/xacml/tutorial/app/src/test/resources/tutorial-policies.yaml
index 90a1f9ed..fa353653 100644
--- a/docs/xacml/tutorial/app/src/test/resources/tutorial-policies.yaml
+++ b/docs/xacml/tutorial/app/src/test/resources/tutorial-policies.yaml
@@ -1,9 +1,10 @@
-tosca_definitions_version: tosca_simple_yaml_1_0_0
+tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
policies:
-
onap.policy.tutorial.demo:
type: onap.policies.Authorization
+ type_version: 1.0.0
version: 1.0.0
metadata:
policy-id: onap.policy.tutorial.demo
@@ -21,6 +22,7 @@ topology_template:
onap.policy.tutorial.audit:
type: onap.policies.Authorization
version: 1.0.0
+ type_version: 1.0.0
metadata:
policy-id: onap.policy.tutorial.bar
policy-version: 1
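Review bot: The entry `onap.policy.tutorial.audit` touched here still carries `policy-id: onap.policy.tutorial.bar` in its metadata, while the `demo` entry uses matching values. If the loader or the translator takes the policy id from metadata, the audit policy ends up under an unrelated name. Unless that is deliberate, change it to `policy-id: onap.policy.tutorial.audit`. The new `type_version` key is also placed after `version` here but before it in the first hunk; one order for both entries makes them easier to compare.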
diff --git a/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml b/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml
index 181a73c5..7948bd28 100644
--- a/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml
+++ b/docs/xacml/tutorial/app/src/test/resources/tutorial-policy-type.yaml
@@ -1,6 +1,5 @@
-tosca_definitions_version: tosca_simple_yaml_1_0_0
+tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
- -
onap.policies.Authorization:
derived_from: tosca.policies.Root
version: 1.0.0
@@ -17,18 +16,17 @@ policy_types:
entry_schema:
type: onap.datatypes.Tutorial
data_types:
- -
onap.datatypes.Tutorial:
- derived_from: tosca.datatypes.Root
- version: 1.0.0
- properties:
- entity:
- type: string
- required: true
- description: The resource
- permission:
- type: string
- required: true
- description: The permission level
- constraints:
- - valid_values: [read, write, delete]
+ derived_from: tosca.datatypes.Root
+ version: 1.0.0
+ properties:
+ entity:
+ type: string
+ required: true
+ description: The resource
+ permission:
+ type: string
+ required: true
+ description: The permission level
+ constraints:
+ - valid_values: [read, write, delete]
diff --git a/docs/xacml/tutorial/tutorial-decision-request.json b/docs/xacml/tutorial/tutorial-decision-request.json
deleted file mode 100644
index 8c1ec10c..00000000
--- a/docs/xacml/tutorial/tutorial-decision-request.json
+++ /dev/null
@@ -1,12 +0,0 @@
-{
- "ONAPName": "TutorialPEP",
- "ONAPComponent": "TutorialPEPComponent",
- "ONAPInstance": "TutorialPEPInstance",
- "requestId": "unique-request-id-tutorial",
- "action": "authorize",
- "resource": {
- "user": "demo",
- "entity": "foo",
- "permission" : "read"
- }
-}
diff --git a/docs/xacml/tutorial/tutorial-policies.yaml b/docs/xacml/tutorial/tutorial-policies.yaml
deleted file mode 100644
index 45769ead..00000000
--- a/docs/xacml/tutorial/tutorial-policies.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-tosca_definitions_version: tosca_simple_yaml_1_0_0
-topology_template:
- policies:
- -
- onap.policy.tutorial.demo:
- type: onap.policies.Authorization
- version: 1.0.0
- metadata:
- policy-id: onap.policy.tutorial.demo
- properties:
- user: demo
- permissions:
- -
- entity: foo
- permission: read
- -
- entity: foo
- permission: write
- -
- onap.policy.tutorial.audit:
- type: onap.policies.Authorization
- version: 1.0.0
- metadata:
- policy-id: onap.policy.tutorial.bar
- properties:
- user: audit
- permissions:
- -
- entity: foo
- permission: read
diff --git a/docs/xacml/tutorial/tutorial-policy-type.yaml b/docs/xacml/tutorial/tutorial-policy-type.yaml
deleted file mode 100644
index 181a73c5..00000000
--- a/docs/xacml/tutorial/tutorial-policy-type.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-tosca_definitions_version: tosca_simple_yaml_1_0_0
-policy_types:
- -
- onap.policies.Authorization:
- derived_from: tosca.policies.Root
- version: 1.0.0
- description: Example tutorial policy type for doing user authorization
- properties:
- user:
- type: string
- required: true
- description: The unique user name
- permissions:
- type: list
- required: true
- description: A list of resource permissions
- entry_schema:
- type: onap.datatypes.Tutorial
-data_types:
- -
- onap.datatypes.Tutorial:
- derived_from: tosca.datatypes.Root
- version: 1.0.0
- properties:
- entity:
- type: string
- required: true
- description: The resource
- permission:
- type: string
- required: true
- description: The permission level
- constraints:
- - valid_values: [read, write, delete]
diff --git a/docs/xacml/tutorial/tutorial.tar b/docs/xacml/tutorial/tutorial.tar
new file mode 100644
index 00000000..329041d4
--- /dev/null
+++ b/docs/xacml/tutorial/tutorial.tar
Binary files differ
diff --git a/docs/xacml/xacml-tutorial.rst b/docs/xacml/xacml-tutorial.rst
index f46c1bb5..e9eee0e2 100644
--- a/docs/xacml/xacml-tutorial.rst
+++ b/docs/xacml/xacml-tutorial.rst
@@ -18,7 +18,7 @@ Follow :ref:`TOSCA Policy Primer <tosca-label>` for more information. For the tu
this example Policy Type in which an ONAP PEP client would like to enforce an action **authorize**
for a *user* to execute a *permission* on an *entity*.
-.. literalinclude:: tutorial/tutorial-policy-type.yaml
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-policy-type.yaml
:language: yaml
:caption: Example Tutorial Policy Type
:linenos:
@@ -27,7 +27,7 @@ We would expect then to be able to create the following policies to allow the de
an entity called foo, while the audit user can only read the entity called foo. Neither user has Delete
permission.
-.. literalinclude:: tutorial/tutorial-policies.yaml
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-policies.yaml
:language: yaml
:caption: Example Policies Derived From Tutorial Policy Type
:linenos:
@@ -37,12 +37,13 @@ Design Decision Request and expected Decision Response
For the PEP (Policy Enforcement Point) client applications that call the Decision API, you need
to design how the Decision API Request resource fields will be sent via the PEP.
-.. literalinclude:: tutorial/tutorial-decision-request.json
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-decision-request.json
:language: JSON
:caption: Example Decision Request
:linenos:
-For simplicity, we expect only a *Permit* or *Deny* in the Decision Response.
+For simplicity, this tutorial expects only a *Permit* or *Deny* in the Decision Response. However, one could
+customize the Decision Response object and send back whatever information is desired.
.. literalinclude:: tutorial/tutorial-decision-response.json
:language: JSON
@@ -54,7 +55,8 @@ Create A Maven Project
This part of the tutorial assumes you understand how to use Eclipse to create a Maven
project. Please follow any examples for the Eclipse installation you have to create
an empty application. For the tutorial, use groupId *org.onap.policy.tutorial* and artifactId
-*tutorial*.
+*tutorial*. If you wish to go directly to the source code, please see the
+:ref:`Download Tutorial Application Example` below to download it.
.. image:: tutorial/images/eclipse-create-maven.png
@@ -67,13 +69,22 @@ Be sure to import the policy/xacml-pdp project into Eclipse.
Add Dependencies Into Application pom.xml
*****************************************
+Here we import the XACML PDP Application common dependency which has the interfaces we need to implement. In addition,
+we are importing a testing dependency that has common code for producing a JUnit test.
+
.. code-block:: java
:caption: pom.xml dependencies
<dependency>
<groupId>org.onap.policy.xacml-pdp.applications</groupId>
<artifactId>common</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.2.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.policy.xacml-pdp</groupId>
+ <artifactId>xacml-test</artifactId>
+ <version>2.2.2</version>
+ <scope>test</scope>
</dependency>
Create META-INF to expose Java Service
@@ -297,19 +308,19 @@ Create xacml.properties for the XACML PDP engine to use
In the applications *src/test/resources* directory, create a xacml.properties file that will be used by the embedded
XACML PDP Engine when loading.
-.. literalinclude:: tutorial/tutorial-xacml.properties
+.. literalinclude:: tutorial/app/src/test/resources/xacml.properties
:caption: Example xacml.properties file
:linenos:
:emphasize-lines: 20, 25
-Create a JUnit and use the TestUtils.java class in application/common
-*********************************************************************
+Create a JUnit and use the TestUtils.java class in xacml-test dependency
+************************************************************************
Using Eclipse, create a JUnit and be sure to add a setup() method stub. Here you will be utilizing a TestUtils.java
-class from the policy/xamcl-pdp repo's application/common submodule to use some utility methods for building the JUnit test.
+class from the policy/xamcl-pdp repo's xacml-test submodule to use some utility methods for building the JUnit test.
.. image: tutorial/images/eclipse-junit-create.png
-Copy the TOSCA Policy Type :download:`link <tutorial/tutorial-policy-type.yaml>` and the TOSCA Policies :download:`link <tutorial/tutorial-policies.yaml>`
+Copy the TOSCA Policy Type :download:`link <tutorial/app/src/test/resources/tutorial-policy-type.yaml>` and the TOSCA Policies :download:`link <tutorial/app/src/test/resources/tutorial-policies.yaml>`
into the src/test/resources directory.
We will create a temporary folder which is used by the **StdXacmlApplicationServiceProvider** to store working copies of policies as they are loaded
@@ -319,12 +330,41 @@ into the application.
:caption: Example Translator Implementation
:linenos:
-Run the JUnit test!!
+Run the JUnit test. Its easiest to run it via a terminal command line using maven commands.
+
-Where To Go From Here
+.. code-block:: bash
+ :caption: Running Maven Commands
+ :linenos:
+
+ > mvn clean install
+
+Building Docker Image
*********************
Once you have created enough JUnit tests that test the TutorialTranslator.java and TutorialRequest.java classes, you are ready to now make your
-application available to the ONAP XACML PDP Engine. These steps are covered in another tutorial.
+application build a docker image that incorporates your application with the XACML PDP Engine. The XACML PDP Engine
+must be able to *find* your Java.Service in the classpath. This is easy to do, just create a jar file for your application
+and copy into the same directory used to startup the XACML PDP.
+
+Here is a Dockerfile as an example:
+
+.. literalinclude:: tutorial/app/src/main/docker/Dockerfile
+ :caption: Dockerfile
+ :linenos:
+
+Download Tutorial Application Example
+*************************************
+
+If you don't wish to use Eclipse, or go through the steps outlined above. The tutorial is
+available for download:
+
+:download:`Download tutorial tar <tutorial/tutorial.tar>`
+
+After you tar xf tutorial.jar, you can import it into Eclipse or your favorite editor. Or simply
+use a terminal command line to build, test and run the tutorial.
+In addition, there is a POSTMAN collection available for setting up and running tests against a
+running instance of ONAP Policy Components (api, pap, dmaap-simulator, tutorial-xacml-pdp).
+:download:`Download tutorial POSTMAN Collection <tutorial/PolicyApplicationTutorial.postman_collection.json>`
diff --git a/docs/xacml/xacml.rst b/docs/xacml/xacml.rst
index 4100e800..32949f4a 100644
--- a/docs/xacml/xacml.rst
+++ b/docs/xacml/xacml.rst
@@ -23,6 +23,7 @@ The following Policy Types are supported by the XACML PDP Engine (PDP-X):
"Optimization", "onap.policies.Optimization", "optimize", "Optimization policy types used by OOF"
"Naming", "onap.policies.Naming", "naming", "Naming policy types used by SDNC"
"Native", "onap.policies.native.Xacml", "native", "Native XACML Policies"
+ "Match", "onap.policies.Match", "native", "Matchable Policy Types for the ONAP community to use"
Each Policy Type is implemented as an application that extends the **XacmlApplicationServiceProvider**, and provides a **ToscaPolicyTranslator** that translates the TOSCA representation of the policy into a XACML OASIS 3.0 standard policy.
@@ -45,6 +46,8 @@ A simple translator that wraps the TOSCA policy into a XACML policy and performs
The Monitoring and Naming applications use this translator.
+.. _xacml-matchable-label:
+
StdMatchableTranslator Translator
---------------------------------
More robust translator that searches metadata of TOSCA properties for a **matchable** field set to **true**. The translator then uses those "matchable" properties to translate a policy into a XACML OASIS 3.0 policy which allows for fine-grained decision making such that ONAP applications can retrieve the appropriate policy(s) to be enforced during runtime.
@@ -79,10 +82,13 @@ The following policy types derive from onap.policies.Monitoring:
.. csv-table::
:header: "Derived Policy Type", "Action", "Description"
- "onap.policies.monitoring.cdap.tca.hi.lo.app", "configure", "TCA DCAE microservice component"
+ "onap.policies.monitoring.tcagen2", "configure", "TCA DCAE microservice gen2 component"
"onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "configure", "REST Collector"
"onap.policies.monitoring.docker.sonhandler.app", "configure", "SON Handler microservice component"
+.. note::
+ DCAE project deprecated TCA DCAE microservice in lieu for their gen2 microservice. Thus, the policy type onap.policies.monitoring.cdap.tca.hi.lo.app was removed from Policy Framework.
+
This is an example Decision API payload made to retrieve a decision for a Monitoring Policy by id. Not recommended - as users may change id's of a policy. Available for backward compatibility.
.. literalinclude:: decision.monitoring.json
@@ -103,6 +109,7 @@ These Policy Types are used by Control Loop Drools Engine to support guarding co
"onap.policies.controlloop.guard.common.FrequencyLimiter", "guard", "Limits frequency of actions over a specified time period"
"onap.policies.controlloop.guard.common.Blacklist", "guard", "Blacklists a regexp of VNF IDs"
"onap.policies.controlloop.guard.common.MinMax", "guard", "For scaling, enforces a min/max number of VNFS"
+ "onap.policies.controlloop.guard.common.Filter", "guard", "Used for filtering entities in A&AI from Control Loop actions"
"onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "guard", "Gives priority to one control loop vs another"
This is an example Decision API payload made to retrieve a decision for a Guard Policy Type.
@@ -115,6 +122,90 @@ The return decision simply has "permit" or "deny" in the response to tell the ca
.. literalinclude:: decision.guard.response.json
:language: JSON
+Guard Common Base Policy Type
+-----------------------------
+Each guard Policy Type derives from **onap.policies.controlloop.guard.Common** base policy type. Thus, they share a set of common
+properties.
+
+.. csv-table:: Common Properties for all Guards
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "actor", "APPC, SO", "Required", "String", "Identifies the actor involved in the Control Loop operation."
+ "operation", "Restart, VF Module Create", "Required", "String", "Identifies the Control Loop operation the actor must perform."
+ "timeRange", "start_time: T00:00:00Z end_time: T08:00:00Z", "Optional", "tosca.datatypes.TimeInterval", "A given time range the guard is in effect. Following the TOSCA specification the format should be ISO 8601 format "
+ "id", "control-loop-id", "Optional", "String", "A specific Control Loop id the guard is in effect."
+
+`Common Guard Policy Type <https://github.com/onap/policy-models/blob/master/models-examples/src/main/resources/policytypes/onap.policies.controlloop.guard.Common.yaml>`__
+
+Frequency Limiter Guard Policy Type
+-----------------------------------
+The Frequency Limiter Guard is used to specify limits as to how many operations can occur over a given time period.
+
+.. csv-table:: Frequency Guard Properties
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "timeWindow", "10, 60", "Required", "integer", "The time window to count the actions against."
+ "timeUnits", "second minute, hour, day, week, month, year", "Required", "String", "The units of time the window is counting"
+ "limit", "5", "Required", "integer", "The limit value to be checked against."
+
+.. literalinclude:: example.guard.limiter.yaml
+ :language: YAML
+
+`Frequency Limiter Guard Policy Type <https://github.com/onap/policy-models/blob/master/models-examples/src/main/resources/policytypes/onap.policies.controlloop.guard.common.FrequencyLimiter.yaml>`__
+
+Min/Max Guard Policy Type
+-------------------------
+The Min/Max Guard is used to specify a minimum or maximum number of instantiated entities in A&AI. Typically this is a VFModule for Scaling operations. One should specify either a min or a max value, or **both** a min and max value. At least one must be specified.
+
+.. csv-table:: Min/Max Guard Properties
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "target", "e6130d03-56f1-4b0a-9a1d-e1b2ebc30e0e", "Required", "String", "The target entity that has scaling restricted."
+ "min", "1", "Optional", "integer", "Minimum value. Optional only if max is not specified."
+ "max", "5", "Optional", "integer", "Maximum value. Optional only if min is not specified."
+
+.. literalinclude:: example.guard.minmax.yaml
+ :language: YAML
+
+`Min/Max Guard Policy Type <https://github.com/onap/policy-models/blob/master/models-examples/src/main/resources/policytypes/onap.policies.controlloop.guard.common.MinMax.yaml>`__
+
+Blacklist Guard Policy Type
+---------------------------
+The Blacklist Guard is used to specify a list of A&AI entities that are blacklisted from having an operation performed on them. Recommendation is to use the vnf-id for the A&AI entity.
+
+.. csv-table:: Blacklist Guard Properties
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "blacklist", "e6130d03-56f1-4b0a-9a1d-e1b2ebc30e0e", "Required", "list of string", "List of target entity's that are blacklisted from an operation."
+
+.. literalinclude:: example.guard.blacklist.yaml
+ :language: YAML
+
+`Blacklist Guard Policy Type <https://github.com/onap/policy-models/blob/master/models-examples/src/main/resources/policytypes/onap.policies.controlloop.guard.common.Blacklist.yaml>`__
+
+Filter Guard Policy Type
+------------------------
+The Filter Guard is a more robust guard for blacklisting and whitelisting A&AI entities when performing control loop operations. The intent for this guard is to filter in or out a block of entities, while allowing the ability to filter in or out specific entities. This allows a DevOps team to control the introduction of a Control Loop for a region or specific VNF's, as well as block specific VNF's that are being negatively affected when poor network conditions arise. Care and testing should be taken to understand the ramifications when combining multiple filters as well as their use in conjunction with other Guard Policy Types.
+
+.. csv-table:: Filter Guard Properties
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "algorithm", "blacklist-overrides", "Required", "What algorithm to be applied", "blacklist-overrides or whitelist-overrides are the valid values. Indicates whether blacklisting or whitelisting has precedence."
+ "filters", "see table below", "Required", "list of onap.datatypes.guard.filter", "List of datatypes that describe the filter."
+
+.. csv-table:: Filter Guard onap.datatypes.guard.filter Properties
+ :header: "Property", "Examples", "Required", "Type", "Description"
+
+ "field", "generic-vnf.vnf-name", "Required", "String", "Field used to perform filter on and must be a string value. See the Policy Type below for valid values."
+ "filter", "vnf-id-1", "Required", "String", "The filter being applied."
+ "function", "string-equal", "Required", "String", "The function that is applied to the filter. See the Policy Type below for valid values."
+ "blacklist", "true", "Required", "boolean", "Whether the result of the filter function applied to the filter is blacklisted or whitelisted (eg Deny or Permit)."
+
+.. literalinclude:: example.guard.filter.yaml
+ :language: YAML
+
+`Filter Guard Policy Type <https://github.com/onap/policy-models/blob/master/models-examples/src/main/resources/policytypes/onap.policies.controlloop.guard.common.Filter.yaml>`__
+
.. _xacml-optimization-label:
Optimization Policy Types
@@ -169,6 +260,31 @@ This is an example Native Decision API payload made to retrieve a decision for w
.. literalinclude:: decision.native.json
:language: JSON
+Match Policy Type
+=================
+
+This Policy type can be used to design your own Policy Type and utilize the :ref:`StdMatchableTranslator <xacml-matchable-label>`, and does not need to build your own custom application. You can design your Policy Type by inheriting from the Match policy type (eg. onap.policies.match.<YourPolicyType>) and adding a **matchable** metadata set to **true** for the properties that you would like to request a Decision on. All a user would need to do is then use the Policy Lifecycle API to add their Policy Type and then create policies from it. Then deploy those policies to the XACML PDP and they would be able to get Decisions without customizing their ONAP installation.
+
+Here is an example Policy Type:
+
+.. literalinclude:: match.policy-type.yaml
+ :language: YAML
+
+Here are example Policies:
+
+.. literalinclude:: match.policies.yaml
+ :language: YAML
+
+This is an example Decision API request that can be made:
+
+.. literalinclude:: decision.match.request.json
+ :language: JSON
+
+Which would render the following decision response:
+
+.. literalinclude:: decision.match.response.json
+ :language: JSON
+
Supporting Your Own Policy Types and Translators
************************************************