blob: 1515af53a04a5a5078e75a2d7b6edc66391a15ba [file] [log] [blame]
.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0
.. _pap-label:
Policy Administration Point API
###############################
.. contents::
:depth: 3
.. toctree::
InternalPapPdp.rst
Policy Administration Point (PAP) Architecture
==============================================
The Policy Administration Point (PAP) keeps track of PDPs, supporting the deployment of PDP groups and the deployment
of policies across those PDP groups. Policies are created using the Policy API, but are deployed via the PAP.
The PAP is stateless in a RESTful sense, using the database (persistent storage) to track PDPs and the deployment of
policies to those PDPs. In short, policy management on PDPs is the responsibility of PAP; management of policies by
any other manner is not permitted.
Because the PDP is the main unit of scalability in the Policy Framework, the framework is designed to allow PDPs in a
PDP group to arbitrarily appear and disappear and for policy consistency across all PDPs in a PDP group to be easily
maintained. The PAP is responsible for controlling the state across the PDPs in a PDP group. The PAP interacts with the
policy database and transfers policies to PDPs.
The unit of execution and scaling in the Policy Framework is a *PolicyImpl* entity. A *PolicyImpl* entity runs on a PDP.
As is explained above, a *PolicyImpl* entity is a *PolicyTypeImpl* implementation parameterized with a TOSCA *Policy*.
.. image:: images/PolicyImplPDPSubGroup.svg
In order to achieve horizontal scalability, we group the PDPs running instances of a given *PolicyImpl* entity logically
together into a *PDPSubGroup*. The number of PDPs in a *PDPSubGroup* can then be scaled up and down using Kubernetes. In
other words, all PDPs in a subgroup run the same *PolicyImpl*, that is the same policy template implementation (in
XACML, Drools, or APEX) with the same parameters.
The figure above shows the layout of *PDPGroup* and *PDPSubGroup* entities. The figure shows examples of PDP groups for
Control Loop and Monitoring policies on the right.
The health of PDPs is monitored by the PAP in order to alert operations teams managing policies. The PAP manages the life
cycle of policies running on PDPs.
The table below shows the deployment methods in which *PolicyImpl* entities can be deployed to PDP Subgroups.
========== =========================================== ============================== ==================================
**Method** **Description** **Advantages** **Disadvantages**
========== =========================================== ============================== ==================================
Cold The *PolicyImpl* (*PolicyTypeImpl* and No run time configuration Very restrictive, no run time
TOSCA *Policy*) are predeployed on the PDP. required and run time configuration of PDPs is possible.
PDP is fully configured and ready to administration is simple.
execute when started.
PDPs register with the PAP when they
start, providing the *pdpGroup* they
have been preconfigured with.
Warm The *PolicyTypeImpl* entity is predeployed The configuration, parameters, Administration and management is
on the PDP. A TOSCA *Policy* may be loaded and PDP group of PDPs may be required. The configuration and
at startup. The PDP may be configured or changed at run time by loading life cycle of the TOSCA policies
reconfigured with a new or updated TOSCA or updating a TOSCA *Policy* can change at run time and must be
*Policy* at run time. into the PDP. administered and managed.
PDPs register with the PAP when they start, Support TOSCA *Policy* entity
providing the *pdpGroup* they have been life cycle managgement is
predeployed with if any. The PAP may update supported, allowing features
the TOSCA *Policy* on a PDP at any time such as *PolicyImpl* Safe Mode
after registration. and *PolicyImpl* retirement.
Hot The *PolicyImpl* (*PolicyTypeImpl* and The policy logic, rules, Administration and management is
TOSCA *Policy*) are deployed at run time. configuration, parameters, and more complex. The *PolicyImpl*
The *PolicyImpl* (*PolicyTypeImpl* and PDP group of PDPs may be itself and its configuration and
TOSCA *Policy*) may be loaded at startup. changed at run time by loading life cycle as well as the life
The PDP may be configured or reconfigured or updating a TOSCA *Policy* cycle of the TOSCA policies can
with a new or updated *PolicyTypeImpl* and *PolicyTypeImpl* into the change at run time and must be
and/or TOSCA *Policy* at run time. PDP. administered and managed.
PDPs register with the PAP when they Lifecycle management of TOSCA
start, providing the *pdpGroup* they have *Policy* entities and
been preconfigured with if any. The PAP may *PolicyTypeImpl* entites is
update the TOSCA *Policy* and supported, allowing features
*PolicyTypeImpl* on a PDP at any time after such as *PolicyImpl* Safe Mode
registration and *PolicyImpl* retirement.
========== =========================================== ============================== ==================================
1 APIs
======
The APIs in the subchapters below are supported by the PAP.
1.1 REST API
------------
The purpose of this API is to support CRUD of PDP groups and subgroups and to support the deployment and life cycles of
policies on PDP sub groups and PDPs. This API is provided by the *PolicyAdministration* component (PAP) of the Policy
Framework, see the :ref:`ONAP Policy Framework Architecture <architecture-label>` page.
PDP groups and subgroups may be prefedined in the system. Predefined groups and subgroups may be modified or deleted
over this API. The policies running on predefined groups or subgroups as well as the instance counts and properties may
also be modified.
A PDP may be preconfigured with its PDP group, PDP subgroup, and policies. The PDP sends this information to the PAP
when it starts. If the PDP group, subgroup, or any policy is unknown to the PAP, the PAP locks the PDP in state PASSIVE.
PAP supports the operations listed in the following table, via its REST API:
.. csv-table::
:header: "Operation", "Description"
:widths: 25,70
"Health check", "Queries the health of the PAP"
"Consolidated healthcheck", "Queries the health of all policy components"
"Statistics", "Queries various statistics"
"PDP state change", "Changes the state of all PDPs in a PDP Group"
"PDP Group create/update", "Creates/updates PDP Groups"
"PDP Group delete", "Deletes a PDP Group"
"PDP Group query", "Queries all PDP Groups"
"Deployment update", "Deploy/undeploy one or more policies in specified PdpGroups"
"Deploy policy", "Deploys one or more policies to the PDPs"
"Undeploy policy", "Undeploys a policy from the PDPs"
"Policy Status", "Queries the status of all policies"
"Policy deployment status", "Queries the status of all deployed policies"
"Policy Audit", "Queries the audit records of policies"
1.2 KAFKA API
-------------
PAP interacts with the PDPs via the kafka interface. The messages listed
in the following table are transmitted via Kafka:
.. csv-table::
:header: "Message", "Direction", "Description"
:widths: 25,10,70
"PDP status", "Incoming", "Registers a PDP with PAP; also sent as a periodic heart beat; also sent in response to requests from the PAP"
"PDP update", "Outgoing", "Assigns a PDP to a PDP Group and Subgroup; also deploys or undeploys policies from the PDP"
"PDP state change", "Outgoing", "Changes the state of a PDP or all PDPs within a PDP Group or Subgroup"
In addition, PAP generates notifications via the Kafka when policies are successfully or unsuccessfully
deployed (or undeployed) from all relevant PDPs.
Here is a sample notification:
.. literalinclude:: notification/kafka-pap-notif.json
:language: json
2 PAP REST API Swagger
======================
It is worth noting that we use basic authorization for access with user name and password set to *policyadmin* and
*zb!XztG34*, respectively.
For every call, the client is encouraged to insert a uuid-type *requestID* as parameter. It is helpful for tracking each
http transaction and facilitates debugging. More importantly, it complies with Logging requirements v1.2. If the client
does not provide the requestID in a call, one will be randomly generated and attached to the response header,
*x-onap-requestid*.
In accordance with `ONAP API Common Versioning Strategy Guidelines
<https://wiki.onap.org/display/DW/ONAP+API+Common+Versioning+Strategy+%28CVS%29+Guidelines>`_, several custom headers
are added in the response to each call:
.. csv-table::
:header: "Header", "Example value", "Description"
:widths: 25,10,70
"x-latestversion", "1.0.0", "latest version of the API"
"x-minorversion", "0", "MINOR version of the API"
"x-patchversion", "0", "PATCH version of the API"
"x-onap-requestid", "e1763e61-9eef-4911-b952-1be1edd9812b", "described above; used for logging purposes"
.. csv-table::
:header: "/healthcheck"
:widths: 10
`Health Check PAP Swagger <./local-swagger.html#tag/HealthCheckRestControllerV1>`_
This operation performs a health check on the PAP.
Here is a sample response:
.. literalinclude:: response/health-check-pap-resp.json
:language: json
.. csv-table::
:header: "/pdps/healthcheck"
:widths: 10
`Consolidated Health Check PAP Swagger <./local-swagger.html#tag/PolicyComponentsHealthCheckControllerV1>`_
This operation performs a health check of all policy components. The response
contains the health check result of each component. The consolidated health check
is reported as healthy only if all the components are healthy, otherwise the
"healthy" flag is marked as false.
Here is a sample response:
.. literalinclude:: response/consolidated-healthcheck-pap-resp.json
:language: json
.. csv-table::
:header: "/pdps/groups/{name}"
:widths: 10
`PDP State Change PAP Swagger <./local-swagger.html#tag/PdpGroupStateChangeControllerV1>`_
The state of PDP groups is managed by this operation. PDP groups can be in states PASSIVE, TEST, SAFE, or ACTIVE. For a full
description of PDP group states, see the :ref:`ONAP Policy Framework Architecture <architecture-label>` page.
.. csv-table::
:header: "/pdps/groups/batch"
:widths: 10
`Group Batch PAP Swagger <./local-swagger.html#tag/PdpGroupCreateOrUpdateControllerV1>`_
This operation allows the PDP groups and subgroups to be created and updated. Many PDP groups can be created or updated
in a single POST operation by specifying more than one PDP group in the POST operation body.
This can be used to create the PDP group by providing all the details including the supported policy types for each subgroup.
However, it cannot be used to update policies; that is done using one of
the deployment requests. Consequently, the "policies" property of this
request will be ignored.
This can also be used to update a PDP Group, but supported policy types cannot be updated during the update operation.
So, "policies" and "supportedPolicyTypes" properties in the request will be ignored if provided during the PDP Group update operation.
The "desiredInstanceCount" specifies the minimum number of PDPs of the given
type that should be registered with PAP. Currently, this is just used for
health check purposes; if the number of PDPs registered with PAP drops below
the given value, then PAP will return an "unhealthy" indicator if a
"Consolidated Health Check" is performed.
.. note::
If a subgroup is to be deleted from a PDP Group, then the policies must be removed from
the subgroup first.
.. note::
Policies cannot be added/updated during PDP Group create/update operations. So, if provided, they are ignored.
Supported policy types are defined during PDP Group creation. They cannot be updated once they are created.
So, supportedPolicyTypes are expected during PDP Group create, but ignored if provided during PDP Group update.
Here is a sample request:
.. literalinclude:: request/groups-batch-pap-req.json
:language: json
.. csv-table::
:header: "/pdps/groups/{name}"
:widths: 10
`PdpGroup Delete PAP Swagger <./local-swagger.html#tag/PdpGroupDeleteControllerV1>`_
The API also allows PDP groups to be deleted. DELETE operations are only permitted on PDP groups in PASSIVE state.
.. csv-table::
:header: "/pdps"
:widths: 10
`PdpGroup Query PAP Swagger <./local-swagger.html#tag/PdpGroupQueryControllerV1>`_
This operation allows the PDP groups and subgroups to be listed as well as the policies that are deployed on each PDP
group and subgroup.
Here is a sample response:
.. literalinclude:: response/group-query-pap-resp.json
:language: json
.. csv-table::
:header: "/pdps/deployments/batch"
:widths: 10
`Deployments Update PAP Swagger <./local-swagger.html#tag/PdpGroupDeployControllerV1>`_
This operation allows policies to be deployed on specific PDP groups.
Each subgroup includes an "action" property, which is used to indicate
that the policies are being added (POST) to the subgroup, deleted (DELETE)
from the subgroup, or that the subgroup's entire set of policies is being
replaced (PATCH) by a new set of policies. As such, a subgroup may appear
more than once in a single request, one time to delete some policies and
another time to add new policies to the same subgroup.
Here is a sample request:
.. literalinclude:: request/deployment-batch-pap-req.json
:language: json
Here is a sample response:
.. literalinclude:: response/deployment-pap-resp.json
:language: json
.. csv-table::
:header: "/pdps/policies"
:widths: 10
`Deploy PAP Swagger <./local-swagger.html#operation/deployPolicies>`_
This operation allows policies to be deployed across all relevant PDP groups.
PAP will deploy the specified policies to all relevant subgroups. Only the
policies supported by a given subgroup will be deployed to that subgroup.
.. note::
The policy version is optional. If left unspecified, then the latest version of the policy is deployed. On the other
hand, if it is specified, it may be an integer, or it may be a fully qualified version (e.g., "3.0.2").
In addition, a subgroup to which a policy is being deployed must have at
least one PDP instance, otherwise the request will be rejected.
Here is a sample request:
.. literalinclude:: request/policy-deploy-pap-req.json
:language: json
Here is a sample response:
.. literalinclude:: response/deployment-pap-resp.json
:language: json
.. csv-table::
:header: "/pdps/policies/{name}"
:widths: 10
`Undeploy PAP Swagger <./local-swagger.html#operation/deletePolicy>`_
This operation allows policies to be undeployed from PDP groups.
.. note::
If the policy version is specified, then it may be an integer, or it may be a fully qualified version (e.g., "3.0.2").
On the other hand, if left unspecified, then the latest deployed version will be undeployed.
.. note::
Due to current limitations, a fully qualified policy version must always be specified.
Here is a sample response:
.. literalinclude:: response/deployment-pap-resp.json
:language: json
.. csv-table::
:header: "/policies/status"
:widths: 10
`All Policy Status PAP Swagger <./local-swagger.html#operation/getStatusOfAllPolicies>`_
This operation allows the status of all policies that are deployed or undeployed to be listed together.
The result can be filtered based on pdp group name, policy name & version.
.. note::
When a policy is successfully undeployed, it will no longer appear in the policy status response.
Here is a sample response:
.. literalinclude:: response/policy-status-pap-resp.json
:language: json
.. csv-table::
:header: "/policies/deployed"
:widths: 10
`Deployed Policy Status PAP Swagger <./local-swagger.html#operation/queryAllDeployedPolicies>`_
This operation allows the deployed policies to be listed together with their respective deployment status.
The result can be filtered based on policy name & version.
Here is a sample response:
.. literalinclude:: response/deployed-policy-pap-resp.json
:language: json
.. csv-table::
:header: "/policies/audit"
:widths: 10
`Policy Status PAP Swagger <./local-swagger.html#tag/PolicyAuditControllerV1>`_
This operation allows the audit records of policies to be listed together.
The result can be filtered based on pdp group name, policy name & version.
Along with record count, start time & end time as query parameters.
Here is a sample response:
.. literalinclude:: response/policy-audit-pap-resp.json
:language: json
3 Configuration
=================
The *PolicyAdministration* component (PAP) is initialized using a configuration file: `papParameters.yaml
<https://github.com/onap/policy-pap/blob/master/packages/policy-pap-tarball/src/main/resources/etc/papParameters.yaml>`_
The configuration file is a YAML file containing the relevant fields for configuring the REST server, Database and DMaaP connectivity and so on.
End of Document