1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
.. This work is licensed under a
.. Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
###########
GUARD Actor
###########
.. contents::
:depth: 3
Overview of GUARD Actor
#######################
Within ONAP Policy Framework, a GUARD is typically an implicit check performed at the
start of each operation and is performed by making a REST call to the XACML-PDP.
Previously, the request was built, and the REST call made, by the application. However,
Guard checks have now been implemented using the new Actor framework.
Currently, there is a single operation, *Decision*, which is implemented by the java
class, *GuardOperation*. This class is derived from *HttpOperation*.
Request
#######
A number of the request fields are populated from values specified in the
actor/operation's configuration parameters (e.g., "onapName"). Additional fields
are specified below.
Request ID
**********
The "requestId" field is set to a UUID.
Resource
********
The "resource" field is populated with a *Map* containing a single item, "guard". The
value of the item is set to the contents of the *payload* specified within the
*ControlLoopOperationParams*.
Examples
########
Suppose the *ControlLoopOperationParams* were populated as follows:
.. code-block:: bash
{
"actor": "GUARD",
"operation": "Decision",
"payload": {
"actor": "SO",
"operation": "VF Module Create",
"target": "OzVServer",
"requestId": "c7c6a4aa-bb61-4a15-b831-ba1472dd4a65",
"clname": "ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3",
"vfCount": 2
}
}
An example of a request constructed by the actor using the above parameters, sent to the
GUARD REST server:
.. code-block:: bash
{
"ONAPName": "Policy",
"ONAPComponent": "Drools PDP",
"ONAPInstance": "Usecases",
"requestId": "90ee99d2-f2d8-4d90-b162-605203c30180",
"action": "guard",
"resource": {
"guard": {
"actor": "SO",
"operation": "VF Module Create",
"target": "OzVServer",
"requestId": "c7c6a4aa-bb61-4a15-b831-ba1472dd4a65",
"clname": "ControlLoop-vDNS-6f37f56d-a87d-4b85-b6a9-cc953cf779b3",
"vfCount": 2
}
}
}
An example response received from the GUARD REST service:
.. code-block:: bash
{
"status": "Permit",
"advice": {},
"obligations": {},
"policies": {}
}
Configuration of the GUARD Actor
################################
The following table specifies the fields that should be provided to configure the GUARD
actor.
=============================== ===================== ==================================================================
Field name type Description
=============================== ===================== ==================================================================
clientName string Name of the HTTP client to use to send the request to the
GUARD REST server.
timeoutSec integer (optional) Maximum time, in seconds, to wait for a response to be received
from the REST server. Defaults to 90s.
path string URI appended to the URL. This field only applies to individual
operations; it does not apply at the actor level. Note: the
*path* should not include a leading or trailing slash.
onapName string ONAP Name (e.g., "Policy")
onapComponent string ONAP Component (e.g., "Drools PDP")
onapInstance string ONAP Instance (e.g., "Usecases")
action string (optional) Used to populate the "action" request field.
Defaults to "guard".
disabled boolean (optional) **True**, to disable guard checks, **false** otherwise.
Defaults to *false*.
=============================== ===================== ==================================================================
The individual operations are configured using these same field names. However, all
of them, except the path, are optional, as they inherit their values from the
corresponding actor-level fields.
|
