.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

*********************************
Creating and Using Guard Policies
*********************************

.. contents::
    :depth: 3

Background
^^^^^^^^^^

Guard policies limit which operations are permitted. They are specified in the Policy GUI or through the RESTful API, and return either "PERMIT" or "DENY" on request.

There are two types of policies: guard policies and blacklist guard policies. Blacklist guard policies describe what must not be permitted; guard policies describe what may be permitted. Note: as of the 1802 release, the Policy PDP uses PERMIT-overrides behavior, so if any policy permits a request, that permit overrides any denies.

Creating Guard Policies
^^^^^^^^^^^^^^^^^^^^^^^

There are two options for creating guard policies: (1) through the GUI and (2) through the RESTful API.

GUI Method
----------

The GUARD policy can be created from the POLICY GUI as shown below.

.. note::
    * The Onap Name must be empty for the policy to work. To do this, **clone** the policy provided and then edit the clone.
    * Even though the number of requests exceeds the limit, the request is not denied.

.. image:: PolicyGUI_GuardPolicy.png

|

API Method
----------

Use PUT /createPolicy to create a policy.

The request should be in the following form for a regular guard policy:

.. code-block:: json
    :caption: Regular Guard Policy Creation
    :linenos:

    {
        "policyClass": "Decision",
        "policyName": "Test.TestingGUARDapitest",
        "policyDescription": "Testing new YAML Guard Policy",
        "onapName": "PDPD",
        "ruleProvider": "GUARD_YAML",
        "attributes": {
            "MATCHING": {
                "actor": "APPC",
                "recipe": "restart",
                "targets": "test",
                "clname": "test",
                "limit": "5",
                "timeWindow": "15",
                "timeUnits": "minute",
                "guardActiveStart": "05:00:00-05:00",
                "guardActiveEnd": "23:59:59-05:00"
            }
        }
    }

The request should be in the following form for a blacklist guard policy:

.. code-block:: json
    :caption: Blacklist Guard Policy Creation
    :linenos:

    {
        "policyClass": "Decision",
        "policyName": "Test.TestingBLGUARD",
        "policyDescription": "Testing New BL YAML Guard Policy",
        "onapName": "MSO",
        "ruleProvider": "GUARD_BL_YAML",
        "attributes": {
            "MATCHING": {
                "actor": "APPC",
                "recipe": "restart",
                "clname": "test",
                "guardActiveStart": "05:00:00-05:00",
                "guardActiveEnd": "23:59:59-05:00",
                "blackList": "target1,target2,target3"
            }
        }
    }

Using Guard Policies
^^^^^^^^^^^^^^^^^^^^

To use the guard policies, make an HTTP request. For example:

.. code-block:: bash

    http POST pdp:8081/pdp/api/getDecision \
        'Authorization:<yourAuth>' 'ClientAuth:<yourClientAuth>' \
        'Environment:<environment>' Content-Type:application/json < guard_request.json

| where:
| <yourAuth> is the string generated from user:pass converted to base64 encoding.
| <yourClientAuth> is generated the same way but from the client user and pass.
| <environment> is the context of the request. For example: TEST

The guard_request.json should be in the form of the following:

.. code-block:: json
    :caption: guard_request.json

    {
        "decisionAttributes": {
            "actor": "APPC",
            "recipe": "Restart",
            "target": "test13",
            "clname": "piptest"
        },
        "onapName": "PDPD"
    }

A response should be received that contains a "PERMIT" or "DENY" in all caps, like the following:

.. code-block:: json
    :caption: Response

    {
        "decision": "PERMIT",
        "details": "Decision Permit. OK!"
    }
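
A caller that enforces the guard decision should fail closed. The following is an added example, not code from the Policy project: it builds the getDecision headers and body as described above and allows an operation only on an exact "PERMIT". The function names, the sample credentials, and the assumption that a successful decision arrives with HTTP status 200 are illustrative.

```python
import base64
import json

# Keys shown in guard_request.json on this page.
REQUIRED = ("actor", "recipe", "target", "clname")


def auth_value(user, password):
    """Base64 of 'user:pass', as described for <yourAuth> and <yourClientAuth>."""
    return base64.b64encode(f"{user}:{password}".encode()).decode()


def build_request(attrs, onap_name, user, password,
                  client_user, client_password, environment):
    """Return (headers, body) for POST /pdp/api/getDecision."""
    missing = [k for k in REQUIRED if not attrs.get(k)]
    if missing:
        # Refuse to send an incomplete request rather than let the PDP guess.
        raise ValueError(f"missing decision attributes: {missing}")
    headers = {
        "Authorization": auth_value(user, password),
        "ClientAuth": auth_value(client_user, client_password),
        "Environment": environment,
        "Content-Type": "application/json",
    }
    body = json.dumps({
        "decisionAttributes": {k: attrs[k] for k in REQUIRED},
        "onapName": onap_name,
    })
    return headers, body


def is_permitted(status, raw_body):
    """Fail closed: only status 200 (assumed) with decision == 'PERMIT' allows."""
    if status != 200:
        return False
    try:
        doc = json.loads(raw_body)
    except (TypeError, ValueError):
        return False  # empty, truncated or non-JSON body is treated as DENY
    return isinstance(doc, dict) and doc.get("decision") == "PERMIT"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or PDP output.
    sample = {"actor": "APPC", "recipe": "Restart",
              "target": "test13", "clname": "piptest"}
    print(build_request(sample, "PDPD", "user", "pass", "cuser", "cpass", "TEST"))
    print(is_permitted(200, '{"decision": "PERMIT", "details": "Decision Permit. OK!"}'))
```
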


End of Document