.. This work is licensed under a Creative Commons Attribution 4.0 International License.

.. _xacmltutorial-enforcement-label:

Policy XACML - Policy Enforcement Tutorial
##########################################

.. toctree::
   :maxdepth: 3

This tutorial shows how to build Policy Enforcement into your application. Please be sure to clone the
policy repositories before going through the tutorial. See :ref:`policy-development-tools-label` for details.

This tutorial can be found in the XACML PDP repository. `See the tutorial <https://github.com/onap/policy-xacml-pdp/tree/master/tutorials/tutorial-enforcement>`_

Policy Type being Enforced
**************************

For this tutorial, we will be enforcing a Policy Type that inherits from the **onap.policies.Monitoring** Policy Type. This Policy Type is
used by DCAE analytics for configuration purposes. Any inherited Policy Type is automatically supported by the XACML PDP for Decisions.

`See the latest example Policy Type <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-enforcement/src/test/resources/MyAnalytic.yaml>`_

.. code-block:: yaml
  :caption: Example Policy Type

    tosca_definitions_version: tosca_simple_yaml_1_1_0
    policy_types:
       onap.policies.Monitoring:
          derived_from: tosca.policies.Root
          version: 1.0.0
          name: onap.policies.Monitoring
          description: a base policy type for all policies that govern monitoring provisioning
       onap.policies.monitoring.MyAnalytic:
          derived_from: onap.policies.Monitoring
          type_version: 1.0.0
          version: 1.0.0
          description: Example analytic
          properties:
             myProperty:
                type: string
                required: true

Example Policy
**************

`See the latest example policy <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-enforcement/src/test/resources/MyPolicies.yaml>`_

.. code-block:: yaml
  :caption: Example Policy

    tosca_definitions_version: tosca_simple_yaml_1_1_0
    topology_template:
       policies:
         -
           policy1:
               type: onap.policies.monitoring.MyAnalytic
               type_version: 1.0.0
               version: 1.0.0
               name: policy1
               metadata:
                 policy-id: policy1
                 policy-version: 1.0.0
               properties:
                 myProperty: value1

Example Decision Requests and Responses
***************************************

For **onap.policies.Monitoring** Policy Types, the action used is **configure**. For **configure** actions, you can specify a resource by **policy-id** or **policy-type**. We recommend using **policy-type**, as a policy-id may not necessarily be deployed. In addition, your application should request all the available policies for the policy-type that it enforces.

.. code-block:: json
  :caption: Example Decision Request

    {
      "ONAPName": "myName",
      "ONAPComponent": "myComponent",
      "ONAPInstance": "myInstanceId",
      "requestId": "1",
      "action": "configure",
      "resource": {
          "policy-type": "onap.policies.monitoring.MyAnalytic"
      }
    }

The **configure** action will return a payload containing your full policy:

.. code-block:: json
  :caption: Example Decision Response

    {
        "policies": {
            "policy1": {
                "type": "onap.policies.monitoring.MyAnalytic",
                "type_version": "1.0.0",
                "properties": {
                    "myProperty": "value1"
                },
                "name": "policy1",
                "version": "1.0.0",
                "metadata": {
                    "policy-id": "policy1",
                    "policy-version": "1.0.0"
                }
            }
        }
    }
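
The request and response handling described above, as an added example in Python (not code from the ONAP repositories): it builds the **configure** request by **policy-type** and checks each returned policy against the MyAnalytic Policy Type before the application enforces it. The names ``build_decision_request``, ``extract_policies`` and ``EnforcementError`` are hypothetical, and rejecting the whole response on any mismatch is a choice made for this example.

```python
import json

# Added example with hypothetical helper names; not ONAP code.
POLICY_TYPE = "onap.policies.monitoring.MyAnalytic"
REQUIRED_PROPERTIES = {"myProperty": str}  # taken from the Example Policy Type

# Constructed sample that mirrors the Example Decision Response.
SAMPLE_RESPONSE = json.dumps({"policies": {"policy1": {
    "type": POLICY_TYPE, "type_version": "1.0.0",
    "properties": {"myProperty": "value1"}, "name": "policy1", "version": "1.0.0",
    "metadata": {"policy-id": "policy1", "policy-version": "1.0.0"}}}})


class EnforcementError(Exception):
    """The decision response cannot be used for enforcement."""


def build_decision_request(policy_type, request_id):
    """Build a 'configure' Decision Request keyed by policy-type, not policy-id."""
    return {
        "ONAPName": "myName",
        "ONAPComponent": "myComponent",
        "ONAPInstance": "myInstanceId",
        "requestId": request_id,
        "action": "configure",
        "resource": {"policy-type": policy_type},
    }


def extract_policies(response_text, policy_type):
    """Return {policy name: properties}; raise instead of enforcing partial data."""
    try:
        body = json.loads(response_text)
    except json.JSONDecodeError as exc:
        raise EnforcementError("response is not valid JSON") from exc
    policies = body.get("policies") if isinstance(body, dict) else None
    if not isinstance(policies, dict):
        raise EnforcementError("response has no 'policies' object")
    accepted = {}
    for name, policy in policies.items():
        if not isinstance(policy, dict) or policy.get("type") != policy_type:
            raise EnforcementError(f"{name}: unexpected policy type")
        props = policy.get("properties")
        if not isinstance(props, dict):
            raise EnforcementError(f"{name}: missing properties")
        for key, kind in REQUIRED_PROPERTIES.items():
            if not isinstance(props.get(key), kind):
                raise EnforcementError(f"{name}: bad or missing {key}")
        accepted[name] = props
    return accepted
```

An empty ``policies`` object yields an empty result, so the application still has to decide what to do when no policy of its type is deployed.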

Making Decision Call in your Application
****************************************

Your application should be able to do a RESTful API call to the XACML PDP Decision API endpoint. If you have code that does this already, then utilize that to do something similar to the following curl command:

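.. code-block:: bash
  :caption: Example Decision API REST Call using curl

    # Placeholders: <user>:<password> (basic auth), request.json (file with the Decision Request JSON); -k skips TLS certificate verification.
    curl -k -u '<user>:<password>' -H 'Content-Type: application/json' -d @request.json https://xacml-pdp:6969/policy/pdpx/v1/decision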

If your application does not have REST HTTP client code, you can use some common code available in the policy/common repository for doing HTTP calls.

.. code-block:: xml
  :caption: Policy Common REST Code Dependency

        <dependency>
            <groupId>org.onap.policy.common</groupId>
            <artifactId>policy-endpoints</artifactId>
            <version>${policy.common.version}</version>
        </dependency>

Also, if your application wants to use common code to serialize/deserialize Decision Requests and Responses, then you can include the following dependency:

.. code-block:: xml
  :caption: Policy Decision Request and Response Classes

        <dependency>
            <groupId>org.onap.policy.models</groupId>
            <artifactId>policy-models-decisions</artifactId>
            <version>${policy.models.version}</version>
        </dependency>

Responding to Policy Update Notifications
*****************************************

Your application should also be able to respond to Policy Update Notifications that are published on the DMaaP topic POLICY-NOTIFICATION. When a user pushes an updated policy, your application should be able to start enforcing that policy dynamically, without a restart.

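.. code-block:: bash
  :caption: Example DMaaP REST Call using curl

    # Placeholders: <user>:<password> (basic auth), group/id (consumer group and consumer id); -k skips TLS certificate verification.
    curl -k -u '<user>:<password>' 'https://dmaap:3904/events/POLICY-NOTIFICATION/group/id?timeout=5000'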

If your application does not have DMaaP client code, you can use some available code in policy/common to receive DMaaP events.

To parse the JSON sent over the topic, your application can use the following dependency:

.. code-block:: xml
  :caption: Policy PAP Update Notification Classes

        <dependency>
            <groupId>org.onap.policy.models</groupId>
            <artifactId>policy-models-pap</artifactId>
            <version>${policy.models.version}</version>
        </dependency>