aboutsummaryrefslogtreecommitdiffstats
path: root/applications/guard
diff options
context:
space:
mode:
Diffstat (limited to 'applications/guard')
-rw-r--r--applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java78
-rw-r--r--applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java214
-rw-r--r--applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java114
-rw-r--r--applications/guard/src/test/resources/xacml.properties2
4 files changed, 120 insertions, 288 deletions
diff --git a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java
index 41773ab7..0b3b1542 100644
--- a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java
+++ b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplication.java
@@ -22,26 +22,12 @@
package org.onap.policy.xacml.pdp.application.guard;
-import com.att.research.xacml.api.Request;
-import com.att.research.xacml.api.Response;
-import com.att.research.xacml.util.XACMLPolicyWriter;
-
-import java.io.IOException;
-import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
-import java.util.Map;
-import java.util.Properties;
-
-import oasis.names.tc.xacml._3_0.core.schema.wd_17.PolicyType;
-import org.onap.policy.models.decisions.concepts.DecisionRequest;
-import org.onap.policy.models.decisions.concepts.DecisionResponse;
import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier;
-import org.onap.policy.pdp.xacml.application.common.ToscaPolicyConversionException;
-import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException;
-import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils;
+import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator;
import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServiceProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -99,65 +85,7 @@ public class GuardPdpApplication extends StdXacmlApplicationServiceProvider {
}
@Override
- public void loadPolicies(Map<String, Object> toscaPolicies) throws XacmlApplicationException {
- try {
- //
- // Convert the policies first
- //
- List<PolicyType> listPolicies = translator.scanAndConvertPolicies(toscaPolicies);
- if (listPolicies.isEmpty()) {
- throw new XacmlApplicationException("Converted 0 policies");
- }
- //
- // Create a copy of the properties object
- //
- Properties newProperties = this.getProperties();
- //
- // Iterate through the policies
- //
- for (PolicyType newPolicy : listPolicies) {
- //
- // Construct the filename
- //
- Path refPath = XacmlPolicyUtils.constructUniquePolicyFilename(newPolicy, this.getDataPath());
- //
- // Write the policy to disk
- // Maybe check for an error
- //
- XACMLPolicyWriter.writePolicyFile(refPath, newPolicy);
- //
- // Add root policy to properties object
- //
- XacmlPolicyUtils.addRootPolicy(newProperties, refPath);
- }
- //
- // Write the properties to disk
- //
- XacmlPolicyUtils.storeXacmlProperties(newProperties,
- XacmlPolicyUtils.getPropertiesPath(this.getDataPath()));
- //
- // Reload the engine
- //
- this.createEngine(newProperties);
- } catch (IOException | ToscaPolicyConversionException e) {
- LOGGER.error("Failed to loadPolicies {}", e);
- }
+ protected ToscaPolicyTranslator getTranslator() {
+ return translator;
}
-
- @Override
- public DecisionResponse makeDecision(DecisionRequest request) {
- //
- // Convert to a XacmlRequest
- //
- Request xacmlRequest = translator.convertRequest(request);
- //
- // Now get a decision
- //
- Response xacmlResponse = this.xacmlDecision(xacmlRequest);
- //
- // Convert to a DecisionResponse
- //
- return translator.convertResponse(xacmlResponse);
- }
-
}
diff --git a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java
index 48861d86..77dbb353 100644
--- a/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java
+++ b/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/LegacyGuardTranslator.java
@@ -30,15 +30,9 @@ import com.att.research.xacml.api.Response;
import com.att.research.xacml.api.Result;
import com.att.research.xacml.api.XACML3;
import com.att.research.xacml.std.annotations.RequestParser;
-import com.att.research.xacml.util.XACMLPolicyWriter;
-import java.io.ByteArrayOutputStream;
-import java.io.IOException;
-import java.util.ArrayList;
import java.util.Collection;
-import java.util.List;
import java.util.Map;
-import java.util.Map.Entry;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressionType;
import oasis.names.tc.xacml._3_0.core.schema.wd_17.AdviceExpressionsType;
@@ -58,6 +52,7 @@ import oasis.names.tc.xacml._3_0.core.schema.wd_17.TargetType;
import org.onap.policy.models.decisions.concepts.DecisionRequest;
import org.onap.policy.models.decisions.concepts.DecisionResponse;
+import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicy;
import org.onap.policy.pdp.xacml.application.common.ToscaDictionary;
import org.onap.policy.pdp.xacml.application.common.ToscaPolicyConversionException;
import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator;
@@ -69,8 +64,6 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
private static final Logger LOGGER = LoggerFactory.getLogger(LegacyGuardTranslator.class);
- private static final String FIELD_POLICIES = "policies";
- private static final String FIELD_TOPOLOGY_TEMPLATE = "topology_template";
private static final String FIELD_GUARD_ACTIVE_START = "guardActiveStart";
private static final String FIELD_GUARD_ACTIVE_END = "guardActiveEnd";
@@ -78,73 +71,52 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
super();
}
- @SuppressWarnings("unchecked")
@Override
- public List<PolicyType> scanAndConvertPolicies(Map<String, Object> toscaObject)
- throws ToscaPolicyConversionException {
+ public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException {
//
- // Our return object
+ // Policy name should be at the root
//
- List<PolicyType> scannedPolicies = new ArrayList<>();
+ String policyName = toscaPolicy.getMetadata().get("policy-id");
//
- // Find the Policies
+ // Set it as the policy ID
//
- List<Object> policies;
-
- if (toscaObject.containsKey(FIELD_POLICIES)) {
- policies = (List<Object>) toscaObject.get(FIELD_POLICIES);
- } else if (toscaObject.containsKey(FIELD_TOPOLOGY_TEMPLATE)) {
- Map<String, Object> topologyTemplate = (Map<String, Object>) toscaObject.get(FIELD_TOPOLOGY_TEMPLATE);
- if (topologyTemplate.containsKey(FIELD_POLICIES)) {
- policies = (List<Object>) topologyTemplate.get(FIELD_POLICIES);
- } else {
- LOGGER.warn("topologyTemplate does not contain policies");
- return scannedPolicies;
- }
- } else {
- LOGGER.warn("Failed to find policies or topologyTemplate");
- return scannedPolicies;
- }
+ PolicyType newPolicyType = new PolicyType();
+ newPolicyType.setPolicyId(policyName);
//
- // Iterate each of the Policies
+ // Optional description
//
- for (Object policyObject : policies) {
- //
- // Get the contents
- //
- LOGGER.debug("Found policy {}", policyObject.getClass());
- Map<String, Object> policyContents = (Map<String, Object>) policyObject;
- for (Entry<String, Object> entrySet : policyContents.entrySet()) {
- LOGGER.debug("Entry set {}", entrySet);
- //
- // Convert this policy
- //
- PolicyType policy = this.convertPolicy(entrySet);
- if (policy == null) {
- //
- // Somehow there wasn't enough information to create
- // a policy
- //
- LOGGER.debug("Failed to convert policy");
- continue;
- }
- //
- // Debug dump this
- //
- try (ByteArrayOutputStream os = new ByteArrayOutputStream()) {
- XACMLPolicyWriter.writePolicyFile(os, policy);
- LOGGER.debug("{}", os);
- } catch (IOException e) {
- LOGGER.error("Failed to convert {}", e);
- }
- //
- // Convert and add in the new policy
- //
- scannedPolicies.add(policy);
- }
+ newPolicyType.setDescription(toscaPolicy.getDescription());
+ //
+ // There should be a metadata section
+ //
+ this.fillMetadataSection(newPolicyType, toscaPolicy.getMetadata());
+ //
+ // Set the combining rule
+ //
+ newPolicyType.setRuleCombiningAlgId(XACML3.ID_RULE_DENY_UNLESS_PERMIT.stringValue());
+ //
+ // Generate the TargetType
+ //
+ newPolicyType.setTarget(this.generateTargetType(toscaPolicy.getProperties()));
+ //
+ // Now create the Permit Rule
+ //
+ RuleType rule = generatePermitRule(policyName, toscaPolicy.getType(), toscaPolicy.getProperties());
+ //
+ // Check if we were able to create the rule
+ //
+ if (rule == null) {
+ LOGGER.warn("Failed to create rule");
+ return null;
}
-
- return scannedPolicies;
+ //
+ // Add the rule to the policy
+ //
+ newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
+ //
+ // Return our new policy
+ //
+ return newPolicyType;
}
@Override
@@ -161,7 +133,6 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
return null;
}
-
@Override
public DecisionResponse convertResponse(Response xacmlResponse) {
LOGGER.debug("Converting Response {}", xacmlResponse);
@@ -196,89 +167,31 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
return decisionResponse;
}
- @SuppressWarnings("unchecked")
- private PolicyType convertPolicy(Entry<String, Object> entrySet) throws ToscaPolicyConversionException {
- //
- // Policy name should be at the root
- //
- String policyName = entrySet.getKey();
- Map<String, Object> policyDefinition = (Map<String, Object>) entrySet.getValue();
- //
- // Set it as the policy ID
- //
- PolicyType newPolicyType = new PolicyType();
- newPolicyType.setPolicyId(policyName);
- //
- // Optional description
- //
- if (policyDefinition.containsKey("description")) {
- newPolicyType.setDescription(policyDefinition.get("description").toString());
- }
- //
- // There should be a metadata section
- //
- if (! policyDefinition.containsKey("metadata")) {
- throw new ToscaPolicyConversionException(policyName + " missing metadata section");
- }
- this.fillMetadataSection(newPolicyType,
- (Map<String, Object>) policyDefinition.get("metadata"));
- //
- // Set the combining rule
- //
- newPolicyType.setRuleCombiningAlgId(XACML3.ID_RULE_DENY_UNLESS_PERMIT.stringValue());
- //
- // Generate the TargetType
- //
- if (! policyDefinition.containsKey("properties")) {
- throw new ToscaPolicyConversionException(policyName + " missing properties section");
- }
- newPolicyType.setTarget(this.generateTargetType((Map<String, Object>) policyDefinition.get("properties")));
- //
- // Now create the Permit Rule
- //
- RuleType rule = generatePermitRule(policyName, policyDefinition.get("type").toString(),
- (Map<String, Object>) policyDefinition.get("properties"));
- //
- // Check if we were able to create the rule
- //
- if (rule == null) {
- LOGGER.warn("Failed to create rule");
- return null;
- }
- //
- // Add the rule to the policy
- //
- newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
- //
- // Return our new policy
- //
- return newPolicyType;
- }
/**
* From the TOSCA metadata section, pull in values that are needed into the XACML policy.
*
* @param policy Policy Object to store the metadata
- * @param metadata The Metadata TOSCA Map
+ * @param map The Metadata TOSCA Map
* @return Same Policy Object
* @throws ToscaPolicyConversionException If there is something missing from the metadata
*/
protected PolicyType fillMetadataSection(PolicyType policy,
- Map<String, Object> metadata) throws ToscaPolicyConversionException {
- if (! metadata.containsKey("policy-id")) {
+ Map<String, String> map) throws ToscaPolicyConversionException {
+ if (! map.containsKey("policy-id")) {
throw new ToscaPolicyConversionException(policy.getPolicyId() + " missing metadata policy-id");
} else {
//
// Do nothing here - the XACML PolicyId is used from TOSCA Policy Name field
//
}
- if (! metadata.containsKey("policy-version")) {
+ if (! map.containsKey("policy-version")) {
throw new ToscaPolicyConversionException(policy.getPolicyId() + " missing metadata policy-version");
} else {
//
// Add in the Policy Version
//
- policy.setVersion(metadata.get("policy-version").toString());
+ policy.setVersion(map.get("policy-version").toString());
}
return policy;
}
@@ -343,7 +256,8 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
return allOf;
}
- private static RuleType generatePermitRule(String policyName, String policyType, Map<String, Object> properties) {
+ private static RuleType generatePermitRule(String policyName, String policyType, Map<String, Object> properties)
+ throws ToscaPolicyConversionException {
//
// Now determine which policy type we are generating
//
@@ -352,17 +266,16 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
} else if ("onap.policies.controlloop.guard.MinMax".equals(policyType)) {
return generateMinMaxPermit(policyName, properties);
}
+ LOGGER.error("Missing policy type in the policy");
return null;
}
- private static RuleType generateFrequencyPermit(String policyName, Map<String, Object> properties) {
+ private static RuleType generateFrequencyPermit(String policyName, Map<String, Object> properties)
+ throws ToscaPolicyConversionException {
//
// See if its possible to generate a count
//
- Integer limit = null;
- if (properties.containsKey("limit")) {
- limit = Integer.decode(properties.get("limit").toString());
- }
+ Integer limit = parseInteger(properties.get("limit").toString());
if (limit == null) {
LOGGER.debug("Must have a limit value for frequency guard policy to be created");
return null;
@@ -372,7 +285,11 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
//
String timeWindow = null;
if (properties.containsKey("timeWindow")) {
- timeWindow = properties.get("timeWindow").toString();
+ Integer intTimeWindow = parseInteger(properties.get("timeWindow").toString());
+ if (intTimeWindow == null) {
+ throw new ToscaPolicyConversionException("timeWindow is not an integer");
+ }
+ timeWindow = intTimeWindow.toString();
}
String timeUnits = null;
if (properties.containsKey("timeUnits")) {
@@ -452,11 +369,11 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
//
Integer min = null;
if (properties.containsKey("min")) {
- min = Integer.decode(properties.get("min").toString());
+ min = parseInteger(properties.get("min").toString());
}
Integer max = null;
if (properties.containsKey("max")) {
- max = Integer.decode(properties.get("max").toString());
+ max = parseInteger(properties.get("max").toString());
}
final ApplyType minApply = generateMinCheck(min);
final ApplyType maxApply = generateMaxCheck(max);
@@ -708,6 +625,23 @@ public class LegacyGuardTranslator implements ToscaPolicyTranslator {
return applyLessThanEqual;
}
+ private static Integer parseInteger(String strInteger) {
+ Integer theInt = null;
+ try {
+ theInt = Integer.parseInt(strInteger);
+ } catch (NumberFormatException e) {
+ LOGGER.warn("Expecting an integer", e);
+ try {
+ Double dblLimit = Double.parseDouble(strInteger);
+ theInt = dblLimit.intValue();
+ } catch (NumberFormatException e1) {
+ LOGGER.error("Failed to parse expected integer as a double", e);
+ return null;
+ }
+ }
+ return theInt;
+ }
+
private static AdviceExpressionsType generateRequestIdAdvice() {
AdviceExpressionType adviceExpression = new AdviceExpressionType();
adviceExpression.setAppliesTo(EffectType.PERMIT);
diff --git a/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java b/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java
index be0ee2db..17917af0 100644
--- a/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java
+++ b/applications/guard/src/test/java/org/onap/policy/xacml/pdp/application/guard/GuardPdpApplicationTest.java
@@ -25,10 +25,8 @@ package org.onap.policy.xacml.pdp.application.guard;
import static org.assertj.core.api.Assertions.assertThat;
import java.io.File;
-import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
-import java.io.InputStream;
import java.sql.Date;
import java.time.Instant;
import java.util.HashMap;
@@ -56,12 +54,12 @@ import org.onap.policy.models.decisions.concepts.DecisionRequest;
import org.onap.policy.models.decisions.concepts.DecisionResponse;
import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier;
import org.onap.policy.pdp.xacml.application.common.OnapOperationsHistoryDbao;
+import org.onap.policy.pdp.xacml.application.common.TestUtils;
import org.onap.policy.pdp.xacml.application.common.XacmlApplicationException;
import org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider;
import org.onap.policy.pdp.xacml.application.common.XacmlPolicyUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import org.yaml.snakeyaml.Yaml;
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class GuardPdpApplicationTest {
@@ -242,17 +240,7 @@ public class GuardPdpApplicationTest {
// the pdp can support it and have it load
// into the PDP.
//
- try (InputStream is = new FileInputStream("src/test/resources/vDNS.policy.guard.frequency.output.tosca.yaml")) {
- //
- // Have yaml parse it
- //
- Yaml yaml = new Yaml();
- Map<String, Object> toscaObject = yaml.load(is);
- //
- // Load the policies
- //
- service.loadPolicies(toscaObject);
- }
+ TestUtils.loadPolicies("src/test/resources/vDNS.policy.guard.frequency.output.tosca.yaml", service);
//
// Zero recent actions: should get permit
//
@@ -283,17 +271,7 @@ public class GuardPdpApplicationTest {
// the pdp can support it and have it load
// into the PDP.
//
- try (InputStream is = new FileInputStream("src/test/resources/vDNS.policy.guard.minmax.output.tosca.yaml")) {
- //
- // Have yaml parse it
- //
- Yaml yaml = new Yaml();
- Map<String, Object> toscaObject = yaml.load(is);
- //
- // Load the policies
- //
- service.loadPolicies(toscaObject);
- }
+ TestUtils.loadPolicies("src/test/resources/vDNS.policy.guard.minmax.output.tosca.yaml", service);
//
// vfcount=1 below min of 2: should get a Deny
//
@@ -322,7 +300,8 @@ public class GuardPdpApplicationTest {
}
@Test
- public void test5MissingFields() throws FileNotFoundException, IOException, XacmlApplicationException {
+ public void test5MissingFields() throws FileNotFoundException, IOException, XacmlApplicationException,
+ CoderException {
LOGGER.info("**************** Running test5 ****************");
//
// Most likely we would not get a policy with missing fields passed to
@@ -330,52 +309,42 @@ public class GuardPdpApplicationTest {
// will be optional due to re-working of how the XACML policies are built,
// let's add support in for that.
//
- try (InputStream is = new FileInputStream("src/test/resources/guard.policy-minmax-missing-fields1.yaml")) {
- //
- // Have yaml parse it
- //
- Yaml yaml = new Yaml();
- Map<String, Object> toscaObject = yaml.load(is);
- //
- // Load the policies
- //
- service.loadPolicies(toscaObject);
- //
- // We can create a DecisionRequest on the fly - no need
- // to have it in the .json files
- //
- DecisionRequest request = new DecisionRequest();
- request.setOnapName("JUnit");
- request.setOnapComponent("test5MissingFields");
- request.setRequestId(UUID.randomUUID().toString());
- request.setAction("guard");
- Map<String, Object> guard = new HashMap<>();
- guard.put("actor", "FOO");
- guard.put("recipe", "bar");
- guard.put("vfCount", "4");
- Map<String, Object> resource = new HashMap<>();
- resource.put("guard", guard);
- request.setResource(resource);
- //
- // Ask for a decision - should get permit
- //
- DecisionResponse response = service.makeDecision(request);
- LOGGER.info("Looking for Permit Decision {}", response);
- assertThat(response).isNotNull();
- assertThat(response.getStatus()).isNotNull();
- assertThat(response.getStatus()).isEqualTo("Permit");
- //
- // Try a deny
- //
- guard.put("vfCount", "10");
- resource.put("guard", guard);
- request.setResource(resource);
- response = service.makeDecision(request);
- LOGGER.info("Looking for Deny Decision {}", response);
- assertThat(response).isNotNull();
- assertThat(response.getStatus()).isNotNull();
- assertThat(response.getStatus()).isEqualTo("Deny");
- }
+ TestUtils.loadPolicies("src/test/resources/guard.policy-minmax-missing-fields1.yaml", service);
+ //
+ // We can create a DecisionRequest on the fly - no need
+ // to have it in the .json files
+ //
+ DecisionRequest request = new DecisionRequest();
+ request.setOnapName("JUnit");
+ request.setOnapComponent("test5MissingFields");
+ request.setRequestId(UUID.randomUUID().toString());
+ request.setAction("guard");
+ Map<String, Object> guard = new HashMap<>();
+ guard.put("actor", "FOO");
+ guard.put("recipe", "bar");
+ guard.put("vfCount", "4");
+ Map<String, Object> resource = new HashMap<>();
+ resource.put("guard", guard);
+ request.setResource(resource);
+ //
+ // Ask for a decision - should get permit
+ //
+ DecisionResponse response = service.makeDecision(request);
+ LOGGER.info("Looking for Permit Decision {}", response);
+ assertThat(response).isNotNull();
+ assertThat(response.getStatus()).isNotNull();
+ assertThat(response.getStatus()).isEqualTo("Permit");
+ //
+ // Try a deny
+ //
+ guard.put("vfCount", "10");
+ resource.put("guard", guard);
+ request.setResource(resource);
+ response = service.makeDecision(request);
+ LOGGER.info("Looking for Deny Decision {}", response);
+ assertThat(response).isNotNull();
+ assertThat(response.getStatus()).isNotNull();
+ assertThat(response.getStatus()).isEqualTo("Deny");
}
@SuppressWarnings("unchecked")
@@ -397,6 +366,7 @@ public class GuardPdpApplicationTest {
newEntry.setEndtime(Date.from(Instant.now()));
newEntry.setRequestId(UUID.randomUUID().toString());
newEntry.setTarget(properties.get("target").toString());
+ LOGGER.info("Inserting {}", newEntry);
em.getTransaction().begin();
em.persist(newEntry);
em.getTransaction().commit();
diff --git a/applications/guard/src/test/resources/xacml.properties b/applications/guard/src/test/resources/xacml.properties
index d429a32e..25dee375 100644
--- a/applications/guard/src/test/resources/xacml.properties
+++ b/applications/guard/src/test/resources/xacml.properties
@@ -22,7 +22,7 @@ xacml.att.policyFinderFactory=org.onap.policy.pdp.xacml.application.common.OnapP
#
# Use a root combining algorithm
#
-xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-unless-deny
+xacml.att.policyFinderFactory.combineRootPolicies=urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-overrides
xacml.pip.engines=historydb