.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

*********************************
Creating and Using Guard Policies
*********************************

.. contents::
    :depth: 3

Background
^^^^^^^^^^

Guard policies limit which operations are permitted. They are specified in the Policy GUI or through the RESTful API, and return either "PERMIT" or "DENY" on request.

There are two types of policies: guard policies and blacklist guard policies. Blacklist guard policies describe what is not allowed to be permitted, and guard policies describe what is allowed to be permitted. The Policy PDP behaves in a PERMIT-overrides fashion: if any policy permits, that permit overrides any denies, so a DENY from one policy does not block a request that another policy permits.

.. note:: *Limit Functionality*: The determination to deny a request because it has exceeded the limit is based on the number of entries in the **database**.

Creating Guard Policies
^^^^^^^^^^^^^^^^^^^^^^^

There are two options for creating guard policies: (1) through the GUI and (2) through the RESTful API.

GUI Method
----------

The GUARD policy can be created from the POLICY GUI as shown below.

.. image:: PolicyGUI_GuardPolicy.png

API Method
----------

To create the policy, use the PUT /createPolicy API. This request uses Basic Access Authentication.

The request should be in the following form for the regular guard policy:

.. code-block:: json
   :caption: Regular Guard Policy Creation
   :linenos:

   {
       "policyClass": "Decision",
       "policyName": "Test.TestingGUARDapitest",
       "policyDescription": "Testing new YAML Guard Policy",
       "onapName": "PDPD",
       "ruleProvider": "GUARD_YAML",
       "attributes": {
           "MATCHING": {
               "actor": "APPC",
               "recipe": "restart",
               "targets": "test",
               "clname": "test",
               "limit": "5",
               "timeWindow": "15",
               "timeUnits": "minute",
               "guardActiveStart": "05:00:00-05:00",
               "guardActiveEnd": "23:59:59-05:00"
           }
       }
   }

The request should be in the following form for a blacklist guard policy:

.. code-block:: json
   :caption: Blacklist Guard Policy Creation
   :linenos:

   {
       "policyClass": "Decision",
       "policyName": "Test.TestingBLGUARD",
       "policyDescription": "Testing New BL YAML Guard Policy",
       "onapName": "MSO",
       "ruleProvider": "GUARD_BL_YAML",
       "attributes": {
           "MATCHING": {
               "actor": "APPC",
               "recipe": "restart",
               "clname": "test",
               "guardActiveStart": "05:00:00-05:00",
               "guardActiveEnd": "23:59:59-05:00",
               "blackList": "target1,target2,target3"
           }
       }
   }

Using Guard Policies
^^^^^^^^^^^^^^^^^^^^

To use the guard policies, make an HTTP request. For example:

.. code-block:: bash

   http \
    POST pdp:8081/pdp/api/getDecision \
    'Authorization:<yourAuth>' 'ClientAuth:<yourClientAuth>' \
    'Environment:<environment>' Content-Type:application/json < guard_request.json

| where:
|     *<yourAuth>* is the string generated from user:pass converted to base64 encoding.
|     *<yourClientAuth>* is generated the same way but from the client user and pass.
|     *<environment>* is the context of the request. For example: TEST

The guard_request.json file should have the following form:

.. code-block:: json
   :caption: guard_request.json

   {
       "decisionAttributes": {
           "actor": "APPC",
           "recipe": "Restart",
           "target": "test13",
           "clname": "piptest"
       },
       "onapName": "PDPD"
   }

A response containing a "PERMIT" or "DENY" in uppercase is returned as follows:

.. code-block:: json
   :caption: Response

   {
       "decision": "PERMIT",
       "details": "Decision Permit. OK!"
   }

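A client-side check for the exchange above, as an added example (not code from the ONAP project): it builds the getDecision request with the headers and body shown on this page and treats anything other than an exact uppercase "PERMIT" as a denial, including timeouts and malformed replies. The ``http://`` scheme, the 5-second timeout and all function names are assumptions.

```python
import base64
import http.client
import json
import urllib.request

# Host, port and path as in the example request above; the scheme is an assumption.
PDP_URL = "http://pdp:8081/pdp/api/getDecision"


def b64_credentials(user: str, password: str) -> str:
    """Base64 of "user:pass", the form given for <yourAuth> and <yourClientAuth>."""
    return base64.b64encode(f"{user}:{password}".encode()).decode("ascii")


def build_request(auth, client_auth, environment, actor, recipe, target, clname,
                  onap_name="PDPD"):
    """Build the POST with the headers and body layout of guard_request.json."""
    body = {
        "decisionAttributes": {"actor": actor, "recipe": recipe,
                               "target": target, "clname": clname},
        "onapName": onap_name,
    }
    headers = {"Authorization": auth, "ClientAuth": client_auth,
               "Environment": environment, "Content-Type": "application/json"}
    return urllib.request.Request(PDP_URL, data=json.dumps(body).encode(),
                                  headers=headers, method="POST")


def is_permitted(raw_response: bytes) -> bool:
    """Fail closed: only an exact, uppercase "PERMIT" decision allows the operation."""
    try:
        doc = json.loads(raw_response)
    except (ValueError, TypeError):
        return False  # empty, truncated or non-JSON reply
    return isinstance(doc, dict) and doc.get("decision") == "PERMIT"


def guard_allows(request: urllib.request.Request, timeout: float = 5.0) -> bool:
    """Ask the PDP; a transport error, timeout or unexpected reply counts as DENY."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            return resp.status == 200 and is_permitted(resp.read())
    except (OSError, http.client.HTTPException):
        return False
```

The caller performs the guarded operation only when ``guard_allows`` returns ``True``, so an unreachable PDP blocks the operation instead of silently allowing it.
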

End of Document

.. SSNote: Wiki page ref. https://wiki.onap.org/display/DW/Creating+and+Using+Guard+Policies
