.. This work is licensed under a Creative Commons Attribution 4.0 International License.

.. _xacmltutorial-enforcement-label:

Policy XACML - Policy Enforcement Tutorial
##########################################

.. toctree::
   :maxdepth: 3

This tutorial shows how to build Policy Enforcement into your application. Please be sure to clone the
policy repositories before going through the tutorial. See :ref:`policy-development-tools-label` for details.

This tutorial can be found in the XACML PDP repository. `See the tutorial <https://github.com/onap/policy-xacml-pdp/tree/master/tutorials/tutorial-enforcement>`_

Policy Type being Enforced
**************************

For this tutorial, we will be enforcing a Policy Type that inherits from the **onap.policies.Monitoring** Policy Type. This Policy Type is
used by DCAE analytics for configuration purposes. Any inherited Policy Type is automatically supported by the XACML PDP for Decisions.

`See the latest example Policy Type <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-enforcement/src/test/resources/MyAnalytic.yaml>`_

.. code-block:: yaml
   :caption: Example Policy Type

   tosca_definitions_version: tosca_simple_yaml_1_1_0
   policy_types:
     onap.policies.Monitoring:
       derived_from: tosca.policies.Root
       version: 1.0.0
       name: onap.policies.Monitoring
       description: a base policy type for all policies that govern monitoring provisioning
     onap.policies.monitoring.MyAnalytic:
       derived_from: onap.policies.Monitoring
       type_version: 1.0.0
       version: 1.0.0
       description: Example analytic
       properties:
         myProperty:
           type: string
           required: true

Example Policy
**************

`See the latest example policy <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-enforcement/src/test/resources/MyPolicies.yaml>`_

.. code-block:: yaml
   :caption: Example Policy

   tosca_definitions_version: tosca_simple_yaml_1_1_0
   topology_template:
     policies:
       -
         policy1:
           type: onap.policies.monitoring.MyAnalytic
           type_version: 1.0.0
           version: 1.0.0
           name: policy1
           metadata:
             policy-id: policy1
             policy-version: 1.0.0
           properties:
             myProperty: value1

Example Decision Requests and Responses
***************************************

For **onap.policies.Monitoring** Policy Types, the action used will be **configure**. For **configure** actions, you can specify a resource by **policy-id** or **policy-type**. We recommend using **policy-type**, as a policy-id may not necessarily be deployed. In addition, your application should request all the available policies for the policy-type that it enforces.

.. code-block:: json
   :caption: Example Decision Request

   {
     "ONAPName": "myName",
     "ONAPComponent": "myComponent",
     "ONAPInstance": "myInstanceId",
     "requestId": "1",
     "action": "configure",
     "resource": {
       "policy-type": "onap.policies.monitoring.MyAnalytic"
     }
   }

The **configure** action will return a payload containing your full policy:

.. code-block:: json
   :caption: Example Decision Response

   {
     "policies": {
       "policy1": {
         "type": "onap.policies.monitoring.MyAnalytic",
         "type_version": "1.0.0",
         "properties": {
           "myProperty": "value1"
         },
         "name": "policy1",
         "version": "1.0.0",
         "metadata": {
           "policy-id": "policy1",
           "policy-version": "1.0.0"
         }
       }
     }
   }

Making Decision Call in your Application
****************************************

Your application should be able to make a RESTful API call to the XACML PDP Decision API endpoint. If you already have code that does this, use it to do something similar to the following curl command:

.. code-block:: bash
   :caption: Example Decision API REST Call using curl

   # <user>:<password> is a placeholder; decision-request.json is a file holding the Decision Request JSON
   curl -k -u '<user>:<password>' -H 'Content-Type: application/json' -d @decision-request.json https://xacml-pdp:6969/policy/pdpx/v1/decision

If your application does not have REST HTTP client code, you can use common code available in the policy/common repository for making HTTP calls.

.. code-block:: xml
   :caption: Policy Common REST Code Dependency

   <dependency>
       <groupId>org.onap.policy.common</groupId>
       <artifactId>policy-endpoints</artifactId>
       <version>${policy.common.version}</version>
   </dependency>

Also, if your application wants to use common code to serialize/deserialize Decision Requests and Responses, then you can include the following dependency:

.. code-block:: xml
   :caption: Policy Decision Request and Response Classes

   <dependency>
       <groupId>org.onap.policy.models</groupId>
       <artifactId>policy-models-decisions</artifactId>
       <version>${policy.models.version}</version>
   </dependency>

Responding to Policy Update Notifications
*****************************************

Your application should also be able to respond to Policy Update Notifications that are published on the DMaaP topic POLICY-NOTIFICATION. If a user pushes an updated Policy, your application should be able to start enforcing that policy dynamically, without a restart.

.. code-block:: bash
   :caption: Example DMaaP REST Call using curl

   # <user>:<password> is a placeholder; the URL is quoted so the shell does not expand the '?'
   curl -k -u '<user>:<password>' 'https://dmaap:3904/events/POLICY-NOTIFICATION/group/id?timeout=5000'

If your application does not have DMaaP client code, you can use code available in policy/common to receive DMaaP events.

To parse the JSON sent over the topic, your application can use the following dependency:

.. code-block:: xml
   :caption: Policy PAP Update Notification Classes

   <dependency>
       <groupId>org.onap.policy.models</groupId>
       <artifactId>policy-models-pap</artifactId>
       <version>${policy.models.version}</version>
   </dependency>
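
The decision call and the notification-driven refresh described above, as one added example in standard-library Python (not code from the tutorial or from ONAP). It verifies the PDP certificate against a CA bundle instead of skipping the check as ``curl -k`` does, and keeps the last known-good policy set if a refresh fails. The names ``fetch_policies``, ``PolicyCache``, ``auth_header`` and ``ca_file`` are hypothetical, and the call assumes an HTTP POST with a JSON body and a caller-supplied ``Authorization`` header.

```python
import json
import ssl
import urllib.request

POLICY_TYPE = "onap.policies.monitoring.MyAnalytic"
# The tutorial's Decision Response, compacted; used to exercise the parser offline.
SAMPLE_RESPONSE = json.loads(
    '{"policies": {"policy1": {"type": "onap.policies.monitoring.MyAnalytic",'
    ' "type_version": "1.0.0", "properties": {"myProperty": "value1"}, "name": "policy1",'
    ' "version": "1.0.0", "metadata": {"policy-id": "policy1", "policy-version": "1.0.0"}}}}')

def build_decision_request(policy_type, request_id="1"):
    """A 'configure' Decision Request that selects by policy-type, not policy-id."""
    return {"ONAPName": "myName", "ONAPComponent": "myComponent",
            "ONAPInstance": "myInstanceId", "requestId": request_id,
            "action": "configure", "resource": {"policy-type": policy_type}}

def extract_policies(response, policy_type):
    """Return {policy-id: properties}; reject a response holding any other type."""
    policies = response.get("policies") if isinstance(response, dict) else None
    if not isinstance(policies, dict):
        raise ValueError("Decision Response has no 'policies' object")
    enforced = {}
    for name, policy in policies.items():
        if not isinstance(policy, dict) or policy.get("type") != policy_type:
            raise ValueError(f"policy {name!r} is not of type {policy_type}")
        enforced[policy["metadata"]["policy-id"]] = policy["properties"]
    return enforced

def fetch_policies(url, auth_header, ca_file, policy_type=POLICY_TYPE):
    """POST the request with certificate verification on (assumed: POST + JSON body)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # ca_file: hypothetical CA bundle path
    body = json.dumps(build_decision_request(policy_type)).encode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Content-Type": "application/json", "Authorization": auth_header})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return extract_policies(json.load(resp), policy_type)

class PolicyCache:
    """Enforced set; call refresh() at start-up and on each POLICY-NOTIFICATION event."""
    def __init__(self, fetch):
        self._fetch, self.policies = fetch, {}  # fetch: zero-argument callable

    def refresh(self):
        try:
            self.policies = self._fetch()  # replace the whole set in one assignment
            return True
        except (OSError, ValueError, KeyError, TypeError):
            return False                   # keep enforcing the last known-good set
```
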