From 7984ada4d2ac68e7a008f8c4bfb632337e01c00d Mon Sep 17 00:00:00 2001 From: Chenfei Gao Date: Tue, 17 Mar 2020 22:34:15 -0400 Subject: Updated documentation for Frankfurt changes to api and xacml-pdp Issue-ID: POLICY-2412 Change-Id: I3a3d6ed436e307ef20b2a41c7512478cb9c09e2f Signed-off-by: Chenfei Gao --- docs/api/api.rst | 124 ++--- docs/api/swagger/guard-policy-api.json | 480 ----------------- docs/api/swagger/policy-api.json | 86 +-- docs/xacml/decision.native.json | 41 ++ docs/xacml/swagger.json | 956 +++++++++++++++++++++++++++++---- docs/xacml/xacml.rst | 28 +- 6 files changed, 977 insertions(+), 738 deletions(-) delete mode 100644 docs/api/swagger/guard-policy-api.json create mode 100644 docs/xacml/decision.native.json diff --git a/docs/api/api.rst b/docs/api/api.rst index a54ed4a4..e249358a 100644 --- a/docs/api/api.rst +++ b/docs/api/api.rst @@ -19,8 +19,8 @@ for storing and fetching new policies or policy types as needed. Apart from CRUD healthcheck status of this API REST service and statistics report including a variety of counters that reflect the history of API invocation. -Starting from Dublin release, we strictly follow `TOSCA Specification `_ -to define policy type and policy. Policy type is equivalent to policy model mentioned by clients before Dublin release. +We strictly follow `TOSCA Specification `_ +to define policy type and policy. A policy type is equivalent to the policy model mentioned by clients before Dublin release. Both policy type and policy are included in a TOSCA Service Template which is used as the entity passed into API POST call and the entity returned by API GET and DELETE calls. More details are presented in following sessions. We encourage clients to compose all kinds of policies and corresponding policy types in well-formed TOSCA Service Template. 
@@ -29,48 +29,65 @@ atop. In other words, different policies can match the same or different policy of creating such type of policies. In the payload body of each policy to create, policy type name and version should be indicated and the specified policy type should be valid and existing in policy database. -Starting from El Alto release, to ease policy creation, we preload several widely used policy types in policy database. Below is a table summarizing -preloaded policy types. +To ease policy creation, we preload several widely used policy types in policy database. Below is a table listing the preloaded policy types. .. csv-table:: :header: "Policy Type Name", "Payload" :widths: 15,10 - "Controlloop.Guard.Blacklist", `onap.policies.controlloop.guard.Blacklist.yaml `_ - "Controlloop.Guard.FrequencyLimiter", `onap.policies.controlloop.guard.FrequencyLimiter.yaml `_ - "Controlloop.Guard.MinMax", `onap.policies.controlloop.guard.MinMax.yaml `_ - "Controlloop.Guard.Coordination.FirstBlocksSecond", `onap.policies.controlloop.guard.coordination.FirstBlocksSecond.yaml `_ - "Controlloop.Operational", `onap.policies.controlloop.Operational.yaml `_ "Monitoring.TCA", `onap.policies.monitoring.cdap.tca.hi.lo.app.yaml `_ "Monitoring.Collectors", `onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server.yaml `_ "Optimization", `onap.policies.Optimization.yaml `_ - "Optimization.AffinityPolicy", `onap.policies.optimization.AffinityPolicy.yaml `_ - "Optimization.DistancePolicy", `onap.policies.optimization.DistancePolicy.yaml `_ - "Optimization.HpaPolicy", `onap.policies.optimization.HpaPolicy.yaml `_ - "Optimization.OptimizationPolicy", `onap.policies.optimization.OptimizationPolicy.yaml `_ - "Optimization.PciPolicy", `onap.policies.optimization.PciPolicy.yaml `_ - "Optimization.QueryPolicy", `onap.policies.optimization.QueryPolicy.yaml `_ - "Optimization.SubscriberPolicy", `onap.policies.optimization.SubscriberPolicy.yaml `_ - "Optimization.Vim_fit", 
`onap.policies.optimization.Vim_fit.yaml `_ - "Optimization.VnfPolicy", `onap.policies.optimization.VnfPolicy.yaml `_ - -Also, in El Alto release, We provide backward compatibility support for controlloop operational and guard -policies encoded in legacy format. Below is a table containing sample legacy guard/operational policies and -well-formed TOSCA monitoring policies. + "Optimization.Resource", `onap.policies.optimization.Resource.yaml `_ + "Optimization.Resource.AffinityPolicy", `onap.policies.optimization.resource.AffinityPolicy.yaml `_ + "Optimization.Resource.DistancePolicy", `onap.policies.optimization.resource.DistancePolicy.yaml `_ + "Optimization.Resource.HpaPolicy", `onap.policies.optimization.resource.HpaPolicy.yaml `_ + "Optimization.Resource.OptimizationPolicy", `onap.policies.optimization.resource.OptimizationPolicy.yaml `_ + "Optimization.Resource.PciPolicy", `onap.policies.optimization.resource.PciPolicy.yaml `_ + "Optimization.Resource.Vim_fit", `onap.policies.optimization.resource.Vim_fit.yaml `_ + "Optimization.Resource.VnfPolicy", `onap.policies.optimization.resource.VnfPolicy.yaml `_ + "Optimization.Service", `onap.policies.optimization.Service.yaml `_ + "Optimization.Service.QueryPolicy", `onap.policies.optimization.service.QueryPolicy.yaml `_ + "Optimization.Service.SubscriberPolicy", `onap.policies.optimization.service.SubscriberPolicy.yaml `_ + "Controlloop.Guard.Common", `onap.policies.controlloop.guard.Common.yaml `_ + "Controlloop.Guard.Common.Blacklist", `onap.policies.controlloop.guard.common.Blacklist.yaml `_ + "Controlloop.Guard.Common.FrequencyLimiter", `onap.policies.controlloop.guard.common.FrequencyLimiter.yaml `_ + "Controlloop.Guard.Common.MinMax", `onap.policies.controlloop.guard.common.MinMax.yaml `_ + "Controlloop.Guard.Coordination.FirstBlocksSecond", `onap.policies.controlloop.guard.coordination.FirstBlocksSecond.yaml `_ + "Controlloop.Operational", `onap.policies.controlloop.Operational.yaml `_ + 
"Controlloop.Operational.Common", `onap.policies.controlloop.operational.Common.yaml `_ + "Controlloop.Operational.Common.Apex", `onap.policies.controlloop.operational.common.Apex.yaml `_ + "Controlloop.Operational.Common.Drools", `onap.policies.controlloop.operational.common.Drools.yaml `_ + "Naming", `onap.policies.Naming.yaml `_ + "Native.Drools", `onap.policies.native.Drools.yaml `_ + "Native.Xacml", `onap.policies.native.Xacml.yaml `_ + "Native.Apex", `onap.policies.native.Apex.yaml `_ + +We also preload a policy in the policy database. Below is a table listing the preloaded polic(ies). + +.. csv-table:: + :header: "Policy Type Name", "Payload" + :widths: 15,10 + + "SDNC.Naming", `sdnc.policy.naming.input.tosca.yaml `_ + +Below is a table containing sample well-formed TOSCA compliant policies. .. csv-table:: :header: "Policy Name", "Payload" :widths: 15,10 "vCPE.Monitoring.Tosca", `vCPE.policy.monitoring.input.tosca.yaml `_ `vCPE.policy.monitoring.input.tosca.json `_ - "vCPE.Optimization.Tosca", `vCPE.policies.optimization.input.tosca.yaml `_ - "vCPE.Operational.Legacy", `vCPE.policy.operational.input.json `_ - "vDNS.Guard.FrequencyLimiting.Legacy", `vDNS.policy.guard.frequency.input.json `_ - "vDNS.Guard.MinMax.Legacy", `vDNS.policy.guard.minmax.input.json `_ + "vCPE.Optimization.Tosca", `vCPE.policies.optimization.input.tosca.yaml `_ `vCPE.policies.optimization.input.tosca.json `_ + "vCPE.Operational.Tosca", `vCPE.policy.operational.input.tosca.yaml `_ `vCPE.policy.operational.input.tosca.json `_ + "vDNS.Guard.FrequencyLimiting.Tosca", `vDNS.policy.guard.frequencylimiter.input.tosca.yaml `_ + "vDNS.Guard.MinMax.Tosca", `vDNS.policy.guard.minmaxvnfs.input.tosca.yaml `_ + "vDNS.Guard.Blacklist.Tosca", `vDNS.policy.guard.blacklist.input.tosca.yaml `_ "vDNS.Monitoring.Tosca", `vDNS.policy.monitoring.input.tosca.yaml `_ `vDNS.policy.monitoring.input.tosca.json `_ - "vDNS.Operational.Legacy", `vDNS.policy.operational.input.json `_ + "vDNS.Operational.Tosca", 
`vDNS.policy.operational.input.tosca.yaml `_ `vDNS.policy.operational.input.tosca.json `_ "vFirewall.Monitoring.Tosca", `vFirewall.policy.monitoring.input.tosca.yaml `_ `vFirewall.policy.monitoring.input.tosca.json `_ - "vFirewall.Operational.Legacy", `vFirewall.policy.operational.input.json `_ + "vFirewall.Operational.Tosca", `vFirewall.policy.operational.input.tosca.yaml `_ `vFirewall.policy.operational.input.tosca.json `_ + "vFirewallCDS.Operational.Tosca", `vFirewallCDS.policy.operational.input.tosca.yaml `_ Below is a global API table from where swagger JSON for different types of policy design API can be downloaded. @@ -84,7 +101,6 @@ Global API Table "Statistics API", ":download:`link `" "Tosca Policy Type API", ":download:`link `" "Tosca Policy API", ":download:`link `" - "Legacy Guard Policy API", ":download:`link `" "Legacy Operational Policy API", ":download:`link `" API Swagger 
@@ -129,9 +145,8 @@ Please check out the sample policies in above policy table. Also, in the POST payload passed into each policy or policy type creation call (i.e. POST API invocation), the client needs to explicitly specify the version of the policy or policy type to create. That being said, the "version" field is mandatory in the TOSCA service template -formatted policy or policy type payload. Likewise in the legacy guard and the operational policy payload, "policy-version" is mandatory too. -If the version is missing, that POST call will return "406 - Not Acceptable" and the policy or policy type to create will not be stored in -the database. +formatted policy or policy type payload. If the version is missing, that POST call will return "406 - Not Acceptable" and +the policy or policy type to create will not be stored in the database. To avoid inconsistent versions between the database and policies deployed in the PDPs, policy API REST service employs some enforcement rules that validate the version specified in the POST payload when a new version is to create or an existing version to update. 
@@ -140,45 +155,32 @@ Instead, we encourage the client to carefully select a version for the policy or of the version and feed an informative warning back to the client if the specified version is not good. To be specific, the following rules are implemented to enforce the version: -1. If the version is not in the database, we simply insert it. For example: if policy version 1.0.0 is stored in the database and now +1. If the incoming version is not in the database, we simply insert it. For example: if policy version 1.0.0 is stored in the database and now a client wants to create the same policy with updated version 3.0.0, this POST call will succeed and return "200" to the client. -2. If the version is already in the database, "406 - Not Acceptable" will be returned along with the message saying "specified version x.x.x" - is already existing and the latest version is y.y.y. It can force the client to create a newer version than the latest one. - For example, if policy versions "1.0.0" and "2.0.0" are already in the database and a client wants to create version "1.0.0" again, the - client will get "406" code returned along with the message "specified version 1.0.0 is already existing and the latest version is 2.0.0". - Then the client can change the version to anything newer than "2.0.0", such as "3.0.0". +2. If the incoming version is already in the database and the incoming payload is different from the same version in the database, + "406 - Not Acceptable" will be returned. This forces the client to update the version of the policy if the policy is changed. + +3. If a client creates a version of a policy and wishes to update a property on the policy, they must delete that version of the policy and re-create it. -3. If multiple policies or policy types are included in the POST payload, policy API will also check if duplicate version exists in between +4. 
If multiple policies are included in the POST payload, policy API will also check if duplicate version exists in between any two policies or policy types provided in the payload. For example, a client provides a POST payload which includes two policies with the same name and version but different policy properties. This POST call will fail and return "406" error back to the calling application along with a message such as "duplicate policy {name}:{version} found in the payload". -4. The same version validation is applied to legacy types of policies and policy types too (i.e. legacy guard and operational) so that everything - is consistent. +5. The same version validation is applied to policy types too. -5. To avoid unnecessary id/version inconsistency between the ones specified in the entity fields and the ones returned in the metadata field, +6. To avoid unnecessary id/version inconsistency between the ones specified in the entity fields and the ones returned in the metadata field, "policy-id" and "policy-version" in the metadata will only be set by policy API. Any incoming explicit specification in the POST payload will be ignored. For example, A POST payload has a policy with name "sample-policy-name1" and version "1.0.0" specified. In this policy, the metadata also includes "policy-id": "sample-policy-name2" and "policy-version": "2.0.0". The 200 return of this POST call will have this created policy with metadata including "policy-id": "sample-policy-name1" and "policy-version": "1.0.0". -.. swaggerv2doc:: swagger/guard-policy-api.json - -It is worth noting that guard policy name should start with one of the three: *guard.frequency.*, *guard.minmax.*, or *guard.blacklist.*. -Otherwise, it will complain that guard policy type cannot be found (does not exist). Apart from policy name, the policy version specified -in API path should be an integer, e.g. 1, 2, 10, instead of "1.0.0", "2.0.1", etc. 
-These naming restrictions will disappear after we evolve to use well-formed TOSCA Service Template for guard policies and -legacy policy design API is then deprecated. - .. swaggerv2doc:: swagger/operational-policy-api.json -Likewise, the policy version specified in operational policy API path should be an integer too, e.g. 1, 2, 10, instead of -"1.0.0", "2.0.1", etc. This restriction will disappear after we deprecate legacy policy design API in the near future release. - -Regarding DELETE APIs for both TOSCA policies and legacy policies, we only expose API to delete one particular version of policy +Regarding DELETE APIs for TOSCA compliant policies, we only expose API to delete one particular version of policy or policy type at a time for safety purpose. If client has the need to delete multiple or a group of policies or policy types, -they will need to delete one by one. +they will need to delete them one by one. Sample API Curl Commands ------------------------- 
@@ -192,15 +194,15 @@ Create vFirewall Monitoring Policy:: Get vFirewall Monitoring Policy:: curl --user 'healthcheck:zb!XztG34' -X GET "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.monitoring.cdap.tca.hi.lo.app/versions/1.0.0/policies/onap.vfirewall.tca/versions/1.0.0" -H "Accept: application/json" -H "Content-Type: application/json" - + Delete vFirewall Monitoring Policy:: curl --user 'healthcheck:zb!XztG34' -X DELETE "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.monitoring.cdap.tca.hi.lo.app/versions/1.0.0/policies/onap.vfirewall.tca/versions/1.0.0" -H "Accept: application/json" -H "Content-Type: application/json" Create vFirewall Operational Policy:: - curl --user 'healthcheck:zb!XztG34' -X POST "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.Operational/versions/1.0.0/policies" -H "Accept: application/json" -H "Content-Type: application/json" -d @vFirewall.policy.operational.input.json - + curl --user 'healthcheck:zb!XztG34' -X POST "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.operational.common.Drools/versions/1.0.0/policies" -H "Accept: application/json" -H "Content-Type: application/json" -d @vFirewall.policy.operational.input.tosca.json + Get vFirewall Operational Policy:: - curl --user 'healthcheck:zb!XztG34' -X GET "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.Operational/versions/1.0.0/policies/operational.modifyconfig/versions/1" -H "Accept: application/json" -H "Content-Type: application/json" - + curl --user 'healthcheck:zb!XztG34' -X GET "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.operational.common.Drools/versions/1.0.0/policies/operational.modifyconfig/versions/1.0.0" -H "Accept: application/json" -H "Content-Type: application/json" + Delete vFirewall Operational Policy:: - curl --user 'healthcheck:zb!XztG34' -X DELETE 
"http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.Operational/versions/1.0.0/policies/operational.modifyconfig/versions/1" -H "Accept: application/json" -H "Content-Type: application/json" + curl --user 'healthcheck:zb!XztG34' -X DELETE "http://{ip}:{port}/policy/api/v1/policytypes/onap.policies.controlloop.operational.common.Drools/versions/1.0.0/policies/operational.modifyconfig/versions/1.0.0" -H "Accept: application/json" -H "Content-Type: application/json" diff --git a/docs/api/swagger/guard-policy-api.json b/docs/api/swagger/guard-policy-api.json deleted file mode 100644 index 501312e5..00000000 --- a/docs/api/swagger/guard-policy-api.json +++ /dev/null 
@@ -1,480 +0,0 @@ -{ - "swagger" : "2.0", - "basePath" : "/", - "tags" : [ { - "name" : "Legacy Guard Policy" - } ], - "schemes" : [ "http", "https" ], - "paths" : { - "/policy/api/v1/policytypes/onap.policies.controlloop.Guard/versions/1.0.0/policies/{policyId}/versions/latest" : { - "get" : { - "tags" : [ "Legacy Guard Policy" ], - "summary" : "Retrieve the latest version of a particular guard policy", - "description" : "Returns the latest version of the specified guard policy", - "operationId" : "getLatestVersionOfGuardPolicy", - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "policyId", - "in" : "path", - "description" : "ID of policy", - "required" : true, - "type" : "string" - }, { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - } ], - "responses" : { - "200" : { - "description" : "successful operation; Latest version of specified guard policy will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - "X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST transactions for logging purpose" - } - }, - "schema" : { - "type" : "object", - "additionalProperties" : { - "$ref" : "#/definitions/LegacyGuardPolicyOutput" - } - } - }, - "401" : { - "description" : "Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "404" : { - "description" : 
"Resource Not Found" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - } - }, - "/policy/api/v1/policytypes/onap.policies.controlloop.Guard/versions/1.0.0/policies/{policyId}/versions/deployed" : { - "get" : { - "tags" : [ "Legacy Guard Policy" ], - "summary" : "Retrieve deployed versions of a particular guard policy in pdp groups", - "description" : "Returns deployed versions of a specified guard policy in pdp groups", - "operationId" : "getDeployedVersionsOfGuardPolicy", - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "policyId", - "in" : "path", - "description" : "ID of guard policy", - "required" : true, - "type" : "string" - }, { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - } ], - "responses" : { - "200" : { - "description" : "successful operation; Deployed versions of specified guard policy in PDP groups will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - "X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST transactions for logging purpose" - } - }, - "schema" : { - "type" : "map", - "items" : { - "$ref" : "#/definitions/LegacyGuardPolicyOutput" - } - } - }, - "401" : { - "description" : 
"Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "404" : { - "description" : "Resource Not Found" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - } - }, - "/policy/api/v1/policytypes/onap.policies.controlloop.Guard/versions/1.0.0/policies/{policyId}/versions/{policyVersion}" : { - "get" : { - "tags" : [ "Legacy Guard Policy" ], - "summary" : "Retrieve one version of a particular guard policy", - "description" : "Returns a particular version of a specified guard policy", - "operationId" : "getSpecificVersionOfGuardPolicy", - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "policyId", - "in" : "path", - "description" : "ID of policy", - "required" : true, - "type" : "string" - }, { - "name" : "policyVersion", - "in" : "path", - "description" : "Version of policy", - "required" : true, - "type" : "string" - }, { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - } ], - "responses" : { - "200" : { - "description" : "successful operation; Specified version of guard policy will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - "X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST 
transactions for logging purpose" - } - }, - "schema" : { - "type" : "object", - "additionalProperties" : { - "$ref" : "#/definitions/LegacyGuardPolicyOutput" - } - } - }, - "401" : { - "description" : "Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "404" : { - "description" : "Resource Not Found" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - }, - "delete" : { - "tags" : [ "Legacy Guard Policy" ], - "summary" : "Delete a particular version of a guard policy", - "description" : "Delete a particular version of a guard policy. It must follow one rule. Rule: the version that has been deployed in PDP group(s) cannot be deleted", - "operationId" : "deleteSpecificVersionOfGuardPolicy", - "consumes" : [ "application/json", "application/yaml" ], - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "policyId", - "in" : "path", - "description" : "ID of policy", - "required" : true, - "type" : "string" - }, { - "name" : "policyVersion", - "in" : "path", - "description" : "Version of policy", - "required" : true, - "type" : "string" - }, { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - } ], - "responses" : { - "200" : { - "description" : "successful operation; Newly deleted guard policy will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - 
"X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST transactions for logging purpose" - } - }, - "schema" : { - "type" : "object", - "additionalProperties" : { - "$ref" : "#/definitions/LegacyGuardPolicyOutput" - } - } - }, - "401" : { - "description" : "Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "404" : { - "description" : "Resource Not Found" - }, - "409" : { - "description" : "Delete Conflict, Rule Violation" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - } - }, - "/policy/api/v1/policytypes/onap.policies.controlloop.Guard/versions/1.0.0/policies" : { - "post" : { - "tags" : [ "Legacy Guard Policy" ], - "summary" : "Create a new guard policy", - "description" : "Create a new guard policy. 
Client should provide entity body of the new guard policy", - "operationId" : "createGuardPolicy", - "consumes" : [ "application/json", "application/yaml" ], - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - }, { - "in" : "body", - "name" : "body", - "description" : "Entity body of policy", - "required" : true, - "type" : "ToscaServiceTemplate", - "schema" : { - "$ref" : "#/definitions/LegacyGuardPolicyInput" - } - } ], - "responses" : { - "200" : { - "description" : "successful operation; Newly created guard policy will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - "X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST transactions for logging purpose" - } - }, - "schema" : { - "type" : "object", - "additionalProperties" : { - "$ref" : "#/definitions/LegacyGuardPolicyOutput" - } - } - }, - "400" : { - "description" : "Invalid Body" - }, - "401" : { - "description" : "Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "406" : { - "description" : "Not Acceptable Version" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - } - } - }, - 
"securityDefinitions" : { - "basicAuth" : { - "description" : "", - "type" : "basic" - } - }, - "definitions" : { - "LegacyGuardPolicyContent" : { - "type" : "object", - "properties" : { - "actor" : { - "type" : "string" - }, - "recipe" : { - "type" : "string" - }, - "targets" : { - "type" : "string" - }, - "clname" : { - "type" : "string" - }, - "limit" : { - "type" : "string" - }, - "timeWindow" : { - "type" : "string" - }, - "timeUnits" : { - "type" : "string" - }, - "min" : { - "type" : "string" - }, - "max" : { - "type" : "string" - }, - "guardActiveStart" : { - "type" : "string" - }, - "guardActiveEnd" : { - "type" : "string" - }, - "asPropertyMap" : { - "type" : "object", - "additionalProperties" : { - "type" : "string" - } - } - } - }, - "LegacyGuardPolicyOutput" : { - "type" : "object", - "properties" : { - "type" : { - "type" : "string" - }, - "version" : { - "type" : "string" - }, - "metadata" : { - "type" : "object", - "additionalProperties" : { - "type" : "object" - } - }, - "properties" : { - "type" : "object", - "additionalProperties" : { - "$ref" : "#/definitions/LegacyGuardPolicyContent" - } - } - } - }, - "LegacyGuardPolicyInput" : { - "type" : "object", - "properties" : { - "policy-id" : { - "type" : "string" - }, - "policy-version" : { - "type" : "string" - }, - "content" : { - "$ref" : "#/definitions/LegacyGuardPolicyContent" - } - } - } - } -} diff --git a/docs/api/swagger/policy-api.json b/docs/api/swagger/policy-api.json index ef070ef7..76735751 100644 --- a/docs/api/swagger/policy-api.json +++ b/docs/api/swagger/policy-api.json 
@@ -506,91 +506,7 @@ "last-mod-release" : "Dublin" } } - }, - "/policy/api/v1/policytypes/{policyTypeId}/versions/{policyTypeVersion}/policies/{policyId}/versions/deployed" : { - "get" : { - "tags" : [ "Policy" ], - "summary" : "Retrieve deployed versions of a particular policy in pdp groups", - "description" : "Returns deployed versions of specified policy in pdp groups", - "operationId" : "getDeployedVersionsOfPolicy", - "produces" : [ "application/json", "application/yaml" ], - "parameters" : [ { - "name" : "policyTypeId", - "in" : "path", - "description" : "ID of policy type", - "required" : true, - "type" : "string" - }, { - "name" : "policyTypeVersion", - "in" : "path", - "description" : "Version of policy type", - "required" : true, - "type" : "string" - }, { - "name" : "policyId", - "in" : "path", - "description" : "ID of policy", - "required" : true, - "type" : "string" - }, { - "name" : "X-ONAP-RequestID", - "in" : "header", - "description" : "RequestID for http transaction", - "required" : false, - "type" : "string", - "format" : "uuid" - } ], - "responses" : { - "200" : { - "description" : "successful operation; Deployed versions of specified policy matching specified policy type will be returned.", - "headers" : { - "X-MinorVersion" : { - "type" : "string", - "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" - }, - "X-PatchVersion" : { - "type" : "string", - "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" - }, - "X-LatestVersion" : { - "type" : "string", - "description" : "Used only to communicate an API's latest version" - }, - "X-ONAP-RequestID" : { - "type" : "string", - "format" : "uuid", - "description" : "Used to track REST transactions for logging purpose" - } - }, - "schema" : { - "type" : "array", - "items" : { - "$ref" : 
"#/definitions/ToscaPolicy" - } - } - }, - "401" : { - "description" : "Authentication Error" - }, - "403" : { - "description" : "Authorization Error" - }, - "404" : { - "description" : "Resource Not Found" - }, - "500" : { - "description" : "Internal Server Error" - } - }, - "security" : [ { - "basicAuth" : [ ] - } ], - "x-interface info" : { - "api-version" : "1.0.0", - "last-mod-release" : "Dublin" - } - } - }, + }, "/policy/api/v1/policies" : { "post" : { "tags" : [ "Policy" ], diff --git a/docs/xacml/decision.native.json b/docs/xacml/decision.native.json new file mode 100644 index 00000000..5e593bc9 --- /dev/null +++ b/docs/xacml/decision.native.json @@ -0,0 +1,41 @@ +{ + "Request": { + "ReturnPolicyIdList": false, + "CombinedDecision": false, + "AccessSubject": [ + { + "Attribute": [ + { + "IncludeInResult": false, + "AttributeId": "subject-id", + "Value": "Julius Hibbert" + } + ] + } + ], + "Resource": [ + { + "Attribute": [ + { + "IncludeInResult": false, + "AttributeId": "resource-id", + "Value": "http://medico.com/record/patient/BartSimpson", + "DataType": "anyURI" + } + ] + } + ], + "Action": [ + { + "Attribute": [ + { + "IncludeInResult": false, + "AttributeId": "action-id", + "Value": "read" + } + ] + } + ], + "Environment": [] + } +} \ No newline at end of file diff --git a/docs/xacml/swagger.json b/docs/xacml/swagger.json index 49011964..0bb133b9 100644 --- a/docs/xacml/swagger.json +++ b/docs/xacml/swagger.json 
@@ -7,31 +7,92 @@ "x-component" : "Policy Framework", "x-planned-retirement-date" : "tbd" }, - "host" : "Pamelas-MBP-2.client.research.att.com:6969", + "host" : "policy-xacml-pdp:6969", "basePath" : "/", "tags" : [ { + "name" : "HealthCheck" + }, { "name" : "Decision" }, { "name" : "Statistics" - }, { - "name" : "HealthCheck" } ], "schemes" : [ "http", "https" ], "paths" : { - "/policy/pdpx/v1/decision" : { + "/policy/pdpx/v1/healthcheck" : { + "get" : { + "tags" : [ "HealthCheck" ], + "summary" : "Perform a system healthcheck", + "description" : "Provides healthy status of the Policy Xacml PDP component", + "operationId" : "healthcheck", + "consumes" : [ "application/json", "application/yaml" ], + "produces" : [ "application/json", "application/yaml" ], + "parameters" : [ { + "name" : "X-ONAP-RequestID", + "in" : "header", + "description" : "RequestID for http transaction", + "required" : false, + "type" : "string", + "format" : "uuid" + } ], + "responses" : { + "200" : { + "description" : "successful operation", + "headers" : { + "X-MinorVersion" : { + "type" : "string", + "description" : "Used to request or communicate a MINOR version back from the client to the server, and from the server back to the client" + }, + "X-PatchVersion" : { + "type" : "string", + "description" : "Used only to communicate a PATCH version in a response for troubleshooting purposes only, and will not be provided by the client on request" + }, + "X-LatestVersion" : { + "type" : "string", + "description" : "Used only to communicate an API's latest version" + }, + "X-ONAP-RequestID" : { + "type" : "string", + "format" : "uuid", + "description" : "Used to track REST transactions for logging purpose" + } + }, + "schema" : { + "$ref" : "#/definitions/HealthCheckReport" + } + }, + "401" : { + "description" : "Authentication Error" + }, + "403" : { + "description" : "Authorization Error" + }, + "500" : { + "description" : "Internal Server Error" + } + }, + "security" : [ { + "basicAuth" : [ ] 
+ } ], + "x-interface info" : { + "last-mod-release" : "Dublin", + "pdpx-version" : "1.0.0" + } + } + }, + "/policy/pdpx/v1/xacml" : { "post" : { "tags" : [ "Decision" ], "summary" : "Fetch the decision using specified decision parameters", "description" : "Returns the policy decision from Policy Xacml PDP", - "operationId" : "decision", - "consumes" : [ "application/json" ], - "produces" : [ "application/json" ], + "operationId" : "xacml", + "consumes" : [ "application/xacml+json", "application/xacml+xml" ], + "produces" : [ "application/xacml+json", "application/xacml+xml" ], "parameters" : [ { "in" : "body", "name" : "body", "required" : false, "schema" : { - "$ref" : "#/definitions/DecisionRequest" + "$ref" : "#/definitions/Request" } }, { "name" : "X-ONAP-RequestID", @@ -40,12 +101,6 @@ "required" : false, "type" : "string", "format" : "uuid" - }, { - "name" : "abbrev", - "in" : "query", - "description" : "Specifies whether the DCAE Monitoring decision results should be abbreviated", - "required" : false, - "type" : "boolean" } ], "responses" : { "200" : { @@ -70,7 +125,7 @@ } }, "schema" : { - "$ref" : "#/definitions/DecisionResponse" + "$ref" : "#/definitions/Response" } }, "400" : { @@ -93,7 +148,7 @@ "basicAuth" : [ ] } ], "x-interface info" : { - "last-mod-release" : "Dublin", + "last-mod-release" : "Frankfurt", "pdpx-version" : "1.0.0" } } @@ -104,8 +159,8 @@ "summary" : "Fetch current statistics", "description" : "Provides current statistics of the Policy Xacml PDP component", "operationId" : "statistics", - "consumes" : [ "application/json" ], - "produces" : [ "application/json" ], + "consumes" : [ "application/json", "application/yaml" ], + "produces" : [ "application/json", "application/yaml" ], "parameters" : [ { "name" : "X-ONAP-RequestID", "in" : "header", 
@@ -159,15 +214,22 @@ } } }, - "/policy/pdpx/v1/healthcheck" : { - "get" : { - "tags" : [ "HealthCheck" ], - "summary" : "Perform a system healthcheck", - "description" : "Provides healthy status of the Policy Xacml PDP component", - "operationId" : "healthcheck", - "consumes" : [ "application/json" ], - "produces" : [ "application/json" ], + "/policy/pdpx/v1/decision" : { + "post" : { + "tags" : [ "Decision" ], + "summary" : "Fetch the decision using specified decision parameters", + "description" : "Returns the policy decision from Policy Xacml PDP", + "operationId" : "decision", + "consumes" : [ "application/json", "application/yaml" ], + "produces" : [ "application/json", "application/yaml" ], "parameters" : [ { + "in" : "body", + "name" : "body", + "required" : false, + "schema" : { + "$ref" : "#/definitions/DecisionRequest" + } + }, { "name" : "X-ONAP-RequestID", "in" : "header", "description" : "RequestID for http transaction", @@ -198,7 +260,13 @@ } }, "schema" : { - "$ref" : "#/definitions/HealthCheckReport" + "$ref" : "#/definitions/DecisionResponse" + } + }, + "400" : { + "description" : "Bad Request", + "schema" : { + "$ref" : "#/definitions/ErrorResponse" } }, "401" : { 
@@ -228,137 +296,811 @@ } }, "definitions" : { - "DecisionResponse" : { + "HealthCheckReport" : { "type" : "object", "properties" : { - "status" : { + "name" : { "type" : "string" }, - "advice" : { - "type" : "object", - "additionalProperties" : { - "type" : "object" - } + "url" : { + "type" : "string" }, - "obligations" : { - "type" : "object", - "additionalProperties" : { - "type" : "object" - } + "healthy" : { + "type" : "boolean" }, - "policies" : { - "type" : "object", - "additionalProperties" : { - "type" : "object" - } + "code" : { + "type" : "integer", + "format" : "int32" + }, + "message" : { + "type" : "string" } } }, - "ErrorResponse" : { + "Advice" : { "type" : "object", "properties" : { - "responseCode" : { - "type" : "string", - "enum" : [ "OK", "CREATED", "ACCEPTED", "NO_CONTENT", "RESET_CONTENT", "PARTIAL_CONTENT", "MOVED_PERMANENTLY", "FOUND", "SEE_OTHER", "NOT_MODIFIED", "USE_PROXY", "TEMPORARY_REDIRECT", "BAD_REQUEST", "UNAUTHORIZED", "PAYMENT_REQUIRED", "FORBIDDEN", "NOT_FOUND", "METHOD_NOT_ALLOWED", "NOT_ACCEPTABLE", "PROXY_AUTHENTICATION_REQUIRED", "REQUEST_TIMEOUT", "CONFLICT", "GONE", "LENGTH_REQUIRED", "PRECONDITION_FAILED", "REQUEST_ENTITY_TOO_LARGE", "REQUEST_URI_TOO_LONG", "UNSUPPORTED_MEDIA_TYPE", "REQUESTED_RANGE_NOT_SATISFIABLE", "EXPECTATION_FAILED", "INTERNAL_SERVER_ERROR", "NOT_IMPLEMENTED", "BAD_GATEWAY", "SERVICE_UNAVAILABLE", "GATEWAY_TIMEOUT", "HTTP_VERSION_NOT_SUPPORTED" ] - }, - "errorMessage" : { - "type" : "string" - }, - "errorDetails" : { + "attributeAssignments" : { "type" : "array", "items" : { - "type" : "string" + "$ref" : "#/definitions/AttributeAssignment" } }, - "warningDetails" : { + "id" : { + "$ref" : "#/definitions/Identifier" + } + } + }, + "Attribute" : { + "type" : "object", + "properties" : { + "attributeId" : { + "$ref" : "#/definitions/Identifier" + }, + "values" : { "type" : "array", "items" : { - "type" : "string" + "$ref" : "#/definitions/AttributeValueObject" } + }, + "category" : { + "$ref" : 
"#/definitions/Identifier" + }, + "issuer" : { + "type" : "string" + }, + "includeInResults" : { + "type" : "boolean" } } }, - "DecisionRequest" : { + "AttributeAssignment" : { "type" : "object", "properties" : { - "onapName" : { - "type" : "string" + "attributeValue" : { + "$ref" : "#/definitions/AttributeValueObject" }, - "onapComponent" : { - "type" : "string" + "attributeId" : { + "$ref" : "#/definitions/Identifier" }, - "onapInstance" : { - "type" : "string" + "category" : { + "$ref" : "#/definitions/Identifier" }, - "requestId" : { + "issuer" : { "type" : "string" }, - "action" : { - "type" : "string" + "dataTypeId" : { + "$ref" : "#/definitions/Identifier" + } + } + }, + "AttributeCategory" : { + "type" : "object", + "properties" : { + "category" : { + "$ref" : "#/definitions/Identifier" }, - "resource" : { - "type" : "object", - "additionalProperties" : { - "type" : "object" + "attributes" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/Attribute" } } } }, - "StatisticsReport" : { + "AttributeValue" : { "type" : "object", "properties" : { - "code" : { - "type" : "integer", - "format" : "int32" + "xpathCategory" : { + "$ref" : "#/definitions/Identifier" }, - "totalPolicyTypesCount" : { - "type" : "integer", - "format" : "int64" + "dataTypeId" : { + "$ref" : "#/definitions/Identifier" }, - "totalPoliciesCount" : { - "type" : "integer", - "format" : "int64" + "value" : { + "type" : "object" + } + } + }, + "AttributeValueObject" : { + "type" : "object", + "properties" : { + "xpathCategory" : { + "$ref" : "#/definitions/Identifier" }, - "totalErrorCount" : { - "type" : "integer", - "format" : "int64" + "dataTypeId" : { + "$ref" : "#/definitions/Identifier" }, - "permitDecisionsCount" : { - "type" : "integer", - "format" : "int64" + "value" : { + "type" : "object" + } + } + }, + "IdReference" : { + "type" : "object", + "properties" : { + "version" : { + "$ref" : "#/definitions/Version" }, - "denyDecisionsCount" : { - "type" : "integer", - "format" 
: "int64" + "id" : { + "$ref" : "#/definitions/Identifier" + } + } + }, + "Identifier" : { + "type" : "object", + "properties" : { + "uri" : { + "type" : "string", + "format" : "uri" + } + } + }, + "MissingAttributeDetail" : { + "type" : "object", + "properties" : { + "attributeId" : { + "$ref" : "#/definitions/Identifier" }, - "indeterminantDecisionsCount" : { - "type" : "integer", - "format" : "int64" + "category" : { + "$ref" : "#/definitions/Identifier" }, - "notApplicableDecisionsCount" : { - "type" : "integer", - "format" : "int64" + "issuer" : { + "type" : "string" + }, + "attributeValues" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/AttributeValueObject" + } + }, + "dataTypeId" : { + "$ref" : "#/definitions/Identifier" } } }, - "HealthCheckReport" : { + "Obligation" : { "type" : "object", "properties" : { - "name" : { - "type" : "string" + "attributeAssignments" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/AttributeAssignment" + } }, - "url" : { - "type" : "string" + "id" : { + "$ref" : "#/definitions/Identifier" + } + } + }, + "Response" : { + "type" : "object", + "properties" : { + "results" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/Result" + } + } + } + }, + "Result" : { + "type" : "object", + "properties" : { + "status" : { + "$ref" : "#/definitions/Status" }, - "healthy" : { - "type" : "boolean" + "decision" : { + "type" : "string", + "enum" : [ "PERMIT", "DENY", "INDETERMINATE", "INDETERMINATE_PERMIT", "INDETERMINATE_DENY", "INDETERMINATE_DENYPERMIT", "NOTAPPLICABLE" ] }, - "code" : { - "type" : "integer", - "format" : "int32" + "associatedAdvice" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/Advice" + } }, - "message" : { - "type" : "string" + "obligations" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/Obligation" + } + }, + "policyIdentifiers" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/IdReference" + } + }, + "policySetIdentifiers" : 
{ + "type" : "array", + "items" : { + "$ref" : "#/definitions/IdReference" + } + }, + "attributes" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/AttributeCategory" + } + } + } + }, + "Status" : { + "type" : "object", + "properties" : { + "statusCode" : { + "$ref" : "#/definitions/StatusCode" + }, + "statusMessage" : { + "type" : "string" + }, + "statusDetail" : { + "$ref" : "#/definitions/StatusDetail" + }, + "ok" : { + "type" : "boolean" + } + } + }, + "StatusCode" : { + "type" : "object", + "properties" : { + "statusCodeValue" : { + "$ref" : "#/definitions/Identifier" + }, + "child" : { + "$ref" : "#/definitions/StatusCode" + } + } + }, + "StatusDetail" : { + "type" : "object", + "properties" : { + "missingAttributeDetails" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/MissingAttributeDetail" + } + } + } + }, + "Version" : { + "type" : "object", + "properties" : { + "version" : { + "type" : "string" + }, + "versionDigits" : { + "type" : "array", + "items" : { + "type" : "integer", + "format" : "int32" + } + } + } + }, + "ErrorResponse" : { + "type" : "object", + "properties" : { + "responseCode" : { + "type" : "string", + "enum" : [ "OK", "CREATED", "ACCEPTED", "NO_CONTENT", "RESET_CONTENT", "PARTIAL_CONTENT", "MOVED_PERMANENTLY", "FOUND", "SEE_OTHER", "NOT_MODIFIED", "USE_PROXY", "TEMPORARY_REDIRECT", "BAD_REQUEST", "UNAUTHORIZED", "PAYMENT_REQUIRED", "FORBIDDEN", "NOT_FOUND", "METHOD_NOT_ALLOWED", "NOT_ACCEPTABLE", "PROXY_AUTHENTICATION_REQUIRED", "REQUEST_TIMEOUT", "CONFLICT", "GONE", "LENGTH_REQUIRED", "PRECONDITION_FAILED", "REQUEST_ENTITY_TOO_LARGE", "REQUEST_URI_TOO_LONG", "UNSUPPORTED_MEDIA_TYPE", "REQUESTED_RANGE_NOT_SATISFIABLE", "EXPECTATION_FAILED", "PRECONDITION_REQUIRED", "TOO_MANY_REQUESTS", "REQUEST_HEADER_FIELDS_TOO_LARGE", "INTERNAL_SERVER_ERROR", "NOT_IMPLEMENTED", "BAD_GATEWAY", "SERVICE_UNAVAILABLE", "GATEWAY_TIMEOUT", "HTTP_VERSION_NOT_SUPPORTED", "NETWORK_AUTHENTICATION_REQUIRED" ] + }, + "errorMessage" : 
{ + "type" : "string" + }, + "errorDetails" : { + "type" : "array", + "items" : { + "type" : "string" + } + }, + "warningDetails" : { + "type" : "array", + "items" : { + "type" : "string" + } + } + } + }, + "DOMConfiguration" : { + "type" : "object", + "properties" : { + "parameterNames" : { + "$ref" : "#/definitions/DOMStringList" + } + } + }, + "DOMImplementation" : { + "type" : "object" + }, + "DOMStringList" : { + "type" : "object", + "properties" : { + "length" : { + "type" : "integer", + "format" : "int32" + } + } + }, + "Document" : { + "type" : "object", + "properties" : { + "documentElement" : { + "$ref" : "#/definitions/Element" + }, + "xmlVersion" : { + "type" : "string" + }, + "strictErrorChecking" : { + "type" : "boolean" + }, + "documentURI" : { + "type" : "string" + }, + "xmlStandalone" : { + "type" : "boolean" + }, + "implementation" : { + "$ref" : "#/definitions/DOMImplementation" + }, + "doctype" : { + "$ref" : "#/definitions/DocumentType" + }, + "inputEncoding" : { + "type" : "string" + }, + "xmlEncoding" : { + "type" : "string" + }, + "domConfig" : { + "$ref" : "#/definitions/DOMConfiguration" + }, + "localName" : { + "type" : "string" + }, + "prefix" : { + "type" : "string" + }, + "nodeValue" : { + "type" : "string" + }, + "ownerDocument" : { + "$ref" : "#/definitions/Document" + }, + "nodeName" : { + "type" : "string" + }, + "childNodes" : { + "$ref" : "#/definitions/NodeList" + }, + "nodeType" : { + "type" : "integer", + "format" : "int32" + }, + "namespaceURI" : { + "type" : "string" + }, + "lastChild" : { + "$ref" : "#/definitions/Node" + }, + "parentNode" : { + "$ref" : "#/definitions/Node" + }, + "firstChild" : { + "$ref" : "#/definitions/Node" + }, + "nextSibling" : { + "$ref" : "#/definitions/Node" + }, + "previousSibling" : { + "$ref" : "#/definitions/Node" + }, + "baseURI" : { + "type" : "string" + }, + "textContent" : { + "type" : "string" + }, + "attributes" : { + "$ref" : "#/definitions/NamedNodeMap" + } + } + }, + "DocumentType" : 
{ + "type" : "object", + "properties" : { + "entities" : { + "$ref" : "#/definitions/NamedNodeMap" + }, + "publicId" : { + "type" : "string" + }, + "systemId" : { + "type" : "string" + }, + "notations" : { + "$ref" : "#/definitions/NamedNodeMap" + }, + "internalSubset" : { + "type" : "string" + }, + "name" : { + "type" : "string" + }, + "localName" : { + "type" : "string" + }, + "prefix" : { + "type" : "string" + }, + "nodeValue" : { + "type" : "string" + }, + "ownerDocument" : { + "$ref" : "#/definitions/Document" + }, + "nodeName" : { + "type" : "string" + }, + "childNodes" : { + "$ref" : "#/definitions/NodeList" + }, + "nodeType" : { + "type" : "integer", + "format" : "int32" + }, + "namespaceURI" : { + "type" : "string" + }, + "lastChild" : { + "$ref" : "#/definitions/Node" + }, + "parentNode" : { + "$ref" : "#/definitions/Node" + }, + "firstChild" : { + "$ref" : "#/definitions/Node" + }, + "nextSibling" : { + "$ref" : "#/definitions/Node" + }, + "previousSibling" : { + "$ref" : "#/definitions/Node" + }, + "baseURI" : { + "type" : "string" + }, + "textContent" : { + "type" : "string" + }, + "attributes" : { + "$ref" : "#/definitions/NamedNodeMap" + } + } + }, + "Element" : { + "type" : "object", + "properties" : { + "tagName" : { + "type" : "string" + }, + "schemaTypeInfo" : { + "$ref" : "#/definitions/TypeInfo" + }, + "localName" : { + "type" : "string" + }, + "prefix" : { + "type" : "string" + }, + "nodeValue" : { + "type" : "string" + }, + "ownerDocument" : { + "$ref" : "#/definitions/Document" + }, + "nodeName" : { + "type" : "string" + }, + "childNodes" : { + "$ref" : "#/definitions/NodeList" + }, + "nodeType" : { + "type" : "integer", + "format" : "int32" + }, + "namespaceURI" : { + "type" : "string" + }, + "lastChild" : { + "$ref" : "#/definitions/Node" + }, + "parentNode" : { + "$ref" : "#/definitions/Node" + }, + "firstChild" : { + "$ref" : "#/definitions/Node" + }, + "nextSibling" : { + "$ref" : "#/definitions/Node" + }, + "previousSibling" : { + 
"$ref" : "#/definitions/Node" + }, + "baseURI" : { + "type" : "string" + }, + "textContent" : { + "type" : "string" + }, + "attributes" : { + "$ref" : "#/definitions/NamedNodeMap" + } + } + }, + "NamedNodeMap" : { + "type" : "object", + "properties" : { + "length" : { + "type" : "integer", + "format" : "int32" + } + } + }, + "Node" : { + "type" : "object", + "properties" : { + "localName" : { + "type" : "string" + }, + "prefix" : { + "type" : "string" + }, + "nodeValue" : { + "type" : "string" + }, + "ownerDocument" : { + "$ref" : "#/definitions/Document" + }, + "nodeName" : { + "type" : "string" + }, + "childNodes" : { + "$ref" : "#/definitions/NodeList" + }, + "nodeType" : { + "type" : "integer", + "format" : "int32" + }, + "namespaceURI" : { + "type" : "string" + }, + "lastChild" : { + "$ref" : "#/definitions/Node" + }, + "parentNode" : { + "$ref" : "#/definitions/Node" + }, + "firstChild" : { + "$ref" : "#/definitions/Node" + }, + "nextSibling" : { + "$ref" : "#/definitions/Node" + }, + "previousSibling" : { + "$ref" : "#/definitions/Node" + }, + "baseURI" : { + "type" : "string" + }, + "textContent" : { + "type" : "string" + }, + "attributes" : { + "$ref" : "#/definitions/NamedNodeMap" + } + } + }, + "NodeList" : { + "type" : "object", + "properties" : { + "length" : { + "type" : "integer", + "format" : "int32" + } + } + }, + "Request" : { + "type" : "object", + "properties" : { + "requestDefaults" : { + "$ref" : "#/definitions/RequestDefaults" + }, + "multiRequests" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/RequestReference" + } + }, + "status" : { + "$ref" : "#/definitions/Status" + }, + "requestAttributesIncludedInResult" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/AttributeCategory" + } + }, + "combinedDecision" : { + "type" : "boolean" + }, + "returnPolicyIdList" : { + "type" : "boolean" + }, + "requestAttributes" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/RequestAttributes" + } + } + } + }, + 
"RequestAttributes" : { + "type" : "object", + "properties" : { + "contentRoot" : { + "$ref" : "#/definitions/Node" + }, + "xmlId" : { + "type" : "string" + }, + "category" : { + "$ref" : "#/definitions/Identifier" + }, + "attributes" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/Attribute" + } + } + } + }, + "RequestAttributesReference" : { + "type" : "object", + "properties" : { + "referenceId" : { + "type" : "string" + } + } + }, + "RequestDefaults" : { + "type" : "object", + "properties" : { + "xpathVersion" : { + "type" : "string", + "format" : "uri" + } + } + }, + "RequestReference" : { + "type" : "object", + "properties" : { + "attributesReferences" : { + "type" : "array", + "items" : { + "$ref" : "#/definitions/RequestAttributesReference" + } + } + } + }, + "TypeInfo" : { + "type" : "object", + "properties" : { + "typeNamespace" : { + "type" : "string" + }, + "typeName" : { + "type" : "string" + } + } + }, + "StatisticsReport" : { + "type" : "object", + "properties" : { + "code" : { + "type" : "integer", + "format" : "int32" + }, + "totalPolicyTypesCount" : { + "type" : "integer", + "format" : "int64" + }, + "totalPoliciesCount" : { + "type" : "integer", + "format" : "int64" + }, + "totalErrorCount" : { + "type" : "integer", + "format" : "int64" + }, + "permitDecisionsCount" : { + "type" : "integer", + "format" : "int64" + }, + "denyDecisionsCount" : { + "type" : "integer", + "format" : "int64" + }, + "indeterminantDecisionsCount" : { + "type" : "integer", + "format" : "int64" + }, + "notApplicableDecisionsCount" : { + "type" : "integer", + "format" : "int64" + } + } + }, + "DecisionResponse" : { + "type" : "object", + "properties" : { + "status" : { + "type" : "string" + }, + "message" : { + "type" : "string" + }, + "advice" : { + "type" : "object", + "additionalProperties" : { + "type" : "object" + } + }, + "obligations" : { + "type" : "object", + "additionalProperties" : { + "type" : "object" + } + }, + "policies" : { + "type" : 
"object", + "additionalProperties" : { + "type" : "object" + } + } + } + }, + "DecisionRequest" : { + "type" : "object", + "properties" : { + "onapName" : { + "type" : "string" + }, + "onapComponent" : { + "type" : "string" + }, + "onapInstance" : { + "type" : "string" + }, + "requestId" : { + "type" : "string" + }, + "context" : { + "type" : "object", + "additionalProperties" : { + "type" : "object" + } + }, + "action" : { + "type" : "string" + }, + "resource" : { + "type" : "object", + "additionalProperties" : { + "type" : "object" + } } } } diff --git a/docs/xacml/xacml.rst b/docs/xacml/xacml.rst index 6d74ce6a..a034e8f9 100644 --- a/docs/xacml/xacml.rst +++ b/docs/xacml/xacml.rst @@ -13,7 +13,7 @@ The ONAP XACML Policy PDP Engine uses an `open source implementation `__. +In ONAP the following Policy Types are supported. Each Policy Type is implemented as an application that extends the **XacmlApplicationServiceProvider**. For details on each implementation, please refer to the `applications submodule of the onap/xacml-pdp project `__. By cloning the policy/xacml-pdp repository, one can run the JUnit tests to get a better understanding on how applications are built using translators and the XACML Policies that are generated for each Policy Type. Each application supports one or more Policy Types and an associated "action" used by the Decision API when making these calls. 
@@ -27,7 +27,7 @@ These Policy Types are used by Control Loop DCAE microservice components to supp "onap.policies.monitoring.cdap.tca.hi.lo.app", "configure", "TCA DCAE microservice component" "onap.policies.monitoring.dcaegen2.collectors.datafile.datafile-app-server", "configure", "REST Collector" -The translator used to translate these TOSCA Policy Types is the `StdCombinedPolicyResultsTranslator `__. +The translator used to translate these TOSCA Policy Types is the `StdCombinedPolicyResultsTranslator `__. This is an example Decision API payload made to retrieve a decision for a Monitoring Policy Type. @@ -45,7 +45,7 @@ These Policy Types are used by Control Loop Drools Engine to support guarding of "onap.policies.controlloop.guard.Blacklist", "guard", "Blacklists a regexp of VNF IDs" "onap.policies.controlloop.guard.MinMax", "guard", "For scaling, enforces a min/max number of VNFS" -The translator used to translate these legacy Policy Types is the `LegacyGuardTranslator `__ which implements a more fine grained approach to translating the properties into a XACML policy. +The translator used to translate these legacy Policy Types is the `LegacyGuardTranslator `__ which implements a more fine grained approach to translating the properties into a XACML policy. This is an example Decision API payload made to retrieve a decision for a Guard Policy Type. 
@@ -62,7 +62,7 @@ These Policy Types are similar to the guard Policy Types and are called by the C "onap.policies.controlloop.guard.coordination.FirstBlocksSecond", "guard", "Gives priority to one control loop vs another" -The translator used to translate the coordination Policy Types is the `CoordinationGuardTranslator `__ which uses a XACML Policy Template in its implementation. For example, when a new policy is loaded the translator copies the template to a new policy and replaces the CONTROL_LOOP_ONE and CONTROL_LOOP_TWO values with the specified control loops. See the `XAMCL Coordination Template for more details `__. +The translator used to translate the coordination Policy Types is the `CoordinationGuardTranslator `__ which uses a XACML Policy Template in its implementation. For example, when a new policy is loaded the translator copies the template to a new policy and replaces the CONTROL_LOOP_ONE and CONTROL_LOOP_TWO values with the specified control loops. See the `XAMCL Coordination Template for more details `__. The same Decision API payload example for guard applies to this Policy Type. 
@@ -84,13 +84,31 @@ These Policy Types are designed to be used by the OOF Project support placement "onap.policies.optimization.Vim_fit", "optimize" "onap.policies.optimization.VnfPolicy", "optimize" -The translator used to translate the optimization Policy Types is the `StdMatchableTranslator `__. +The translator used to translate the optimization Policy Types is the `StdMatchableTranslator `__. This is an example Decision API payload made to retrieve a decision for an Optimization Policy Type. .. literalinclude:: decision.affinity.json :language: JSON +Native XACML Policy Type +======================= +This Policy type is used by any client or ONAP component who has the need of native XACML evaluation. A native XACML policy or policy set encoded in XML can be created off this policy type and loaded into the XACML PDP engine by invoking the PAP policy deployment API. Native XACML requests encoded in either JSON or XML can be sent to the XACML PDP engine for evaluation by invoking the native decision API. Native XACML responses will be returned upon evaluating the requests against the matching XACML policies. Those native XACML policies, policy sets, requests and responses all follow the `OASIS XACML 3.0 Standard `__. + +.. csv-table:: + :header: "Policy Type", "Action", "Description" + + "onap.policies.native.Xacml", "native", "any client or ONAP component" + +The translator used to translate the aforementioned TOSCA Policy Type is the `NativePdpApplicationTranslator `__. + +According to the XACML 3.0 specification, two content-types are supported and used to present the native requests/responses. They are formally defined as "application/xacml+json" and "application/xacml+xml". + +This is an example Native Decision API payload made to retrieve a decision for whether Julius Hibbert can read http://medico.com/record/patient/BartSimpson. + +.. 
literalinclude:: decision.native.json + :language: JSON + Supporting Custom Policy Types ****************************** In order to support your own custom Policy Type that the XACML PDP Engine can support, one needs to build a Java service application that extends the **XacmlApplicationServiceProvider** interface and implement a **ToscaTranslator** application. Your application should register itself as a Java service application and expose it in the classpath used to be loaded into the ONAP XACML PDP Engine. Ensure you define and create the TOSCA Policy Type according to these :ref:`Policy Design and Development `. You should be able to load your custom Policy Type using the :ref:`Policy Lifecycle API `. Once successful, you should be able to start creating policies from your custom Policy Type. -- cgit 1.2.3-korg
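Review bot: in docs/api/swagger/policy-api.json, the hunk at @@ -506,91 +506,7 @@ drops the `/policy/api/v1/policytypes/{policyTypeId}/versions/{policyTypeVersion}/policies/{policyId}/versions/deployed` GET (`getDeployedVersionsOfPolicy`) without saying, in the commit message or in the visible part of api.rst, where clients should now look up deployed versions. If the operation was removed from the service in Frankfurt, add a sentence to api.rst naming the replacement or stating that there is none, so that callers built against the Dublin spec are not left with an unexplained 404.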
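Review bot: docs/xacml/decision.native.json ends with "\ No newline at end of file"; add the trailing newline. In the same file only the `resource-id` attribute carries a `DataType` ("anyURI"); if the omission on `subject-id` and `action-id` relies on a default, say so in xacml.rst next to the example, or set `DataType` explicitly on all three so that the sample readers will copy is unambiguous.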
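Review bot: in docs/xacml/swagger.json, hunk @@ -7,31 +7,92 @@, the unchanged `"schemes" : [ "http", "https" ]` line now sits above a new `/policy/pdpx/v1/xacml` operation that, like the others, is secured with `basicAuth`, so the spec documents sending Basic credentials and access-decision requests over cleartext http. Suggest listing only "https", or stating in xacml.rst that http is not meant for deployed use. The new POST also declares its body parameter as `"required" : false`; a decision request without a body has nothing to evaluate, and `true` would fit the 400 response the operation already declares. Minor: the healthcheck GET declares `consumes` although it takes no body.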
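Review bot: in the `definitions` hunk of docs/xacml/swagger.json (@@ -228,137 +296,811 @@), the new `Request` schema (properties `requestAttributes`, `combinedDecision`, `returnPolicyIdList`, `multiRequests`, `status`) does not describe the payload this same commit adds in decision.native.json, which is wrapped in `"Request"` and uses `AccessSubject`, `Resource`, `Action`, `Environment`, `CombinedDecision` and `IncludeInResult`. A client or validator generated from this spec would accept or produce a body that differs from the documented example. The schema reads as if it was generated from an internal object model, and through `RequestAttributes.contentRoot` it also pulls in DOM types (`Document`, `Node`, `NodeList`, `NamedNodeMap`, `DOMImplementation`, `TypeInfo`) that are not part of the REST contract. Suggest replacing `Request` and `Response` with a schema that matches the wire format shown in the example, or with a free-form object plus a pointer to the XACML specification already linked from xacml.rst, and dropping the DOM definitions.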
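Review bot: in docs/xacml/xacml.rst, hunk @@ -62,7 +62,7 @@, the rewritten line still reads "XAMCL Coordination Template"; since the line is being changed anyway, correct it to "XACML". The link text on that line also runs on through "for more details"; ending the link after "Template" would read better.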
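Review bot: in docs/xacml/xacml.rst, hunk @@ -84,13 +84,31 @@, the new "Native XACML Policy Type" section refers to "the native decision API" without naming its path or its authentication. The swagger change in this commit documents it as POST `/policy/pdpx/v1/xacml` with `basicAuth`, consuming only "application/xacml+json" and "application/xacml+xml", while `/policy/pdpx/v1/decision` takes "application/json" or "application/yaml"; the section should state the path and that the Content-Type header selects the encoding, so readers do not post the example to the wrong endpoint. The table's Description cell, "any client or ONAP component", names the caller rather than describing the policy type as the other tables in this file do. Please also check that the `=` underline is at least as long as the section title, since docutils warns on a short underline.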