jhh | 108dd8f | 2020-06-12 17:01:24 -0500 | [diff] [blame^] | 1 | .. This work is licensed under a Creative Commons Attribution 4.0 International License. |
| 2 | .. http://creativecommons.org/licenses/by/4.0 |
| 3 | |
| 4 | .. _pdpd-engine-label: |
| 5 | |
| 6 | PDP-D Engine |
| 7 | ############ |
| 8 | |
| 9 | .. contents:: |
| 10 | :depth: 2 |
| 11 | |
| 12 | Overview |
| 13 | ======== |
| 14 | |
| 15 | The PDP-D Core Engine provides an infrastructure and services for `drools <https://www.drools.org/>`__ based applications |
| 16 | in the context of Policies and ONAP. |
| 17 | |
| 18 | A PDP-D supports applications by means of *controllers*. A *controller* is a named |
| 19 | grouping of resources. These typically include references to communication endpoints, |
| 20 | maven artifact coordinates, and *coders* for message mapping. |
| 21 | |
| 22 | *Controllers* use *communication endpoints* to interact |
| 23 | with remote networked entities typically using messaging (dmaap or ueb), |
| 24 | or http. |
| 25 | |
| 26 | PDP-D Engine capabilities can be extended via *features*. Integration with other |
| 27 | Policy Framework components (API, PAP, and PDP-X) is through one of them (*feature-lifecycle*). |
| 28 | |
| 29 | The PDP-D Engine infrastructure provides mechanisms for data migration, diagnostics, and application management. |
| 30 | |
| 31 | Software |
| 32 | ======== |
| 33 | |
| 34 | Source Code repositories |
| 35 | ~~~~~~~~~~~~~~~~~~~~~~~~ |
| 36 | |
| 37 | The PDP-D software is mainly located in the `policy/drools repository <https://git.onap.org/policy/drools-pdp>`__ with the *communication endpoints* software residing in the `policy/common repository <https://git.onap.org/policy/common>`__ and Tosca policy models in the `policy/models repository <https://git.onap.org/policy/models>`__. |
| 38 | |
| 39 | Docker Image |
| 40 | ~~~~~~~~~~~~ |
| 41 | |
| 42 | Check the *drools-pdp* `released versions <https://wiki.onap.org/display/DW/Policy+Framework+Project%3A+Component+Versions>`__ page for the latest versions. |
| 43 | At the time of this writing *1.6.3* is the latest version. |
| 44 | |
| 45 | .. code-block:: bash |
| 46 | |
| 47 | docker pull onap/policy-drools:1.6.3 |
| 48 | |
| 49 | A container instantiated from this image will run under the non-priviledged *policy* account. |
| 50 | |
| 51 | The PDP-D root directory is located at the */opt/app/policy* directory (or *$POLICY_HOME*), with the |
| 52 | exception of the *$HOME/.m2* which contains the local maven repository. |
| 53 | The PDP-D configuration resides in the following directories: |
| 54 | |
| 55 | - **/opt/app/policy/config**: (*$POLICY_HOME/config* or *$POLICY_CONFIG*) contains *engine*, *controllers*, and *endpoint* configuration. |
| 56 | - **/home/policy/.m2**: (*$HOME/.m2*) maven repository configuration. |
| 57 | - **/opt/app/policy/etc/**: (*$POLICY_HOME/etc*) miscellaneous configuration such as certificate stores. |
| 58 | |
| 59 | The following command can be used to explore the directory layout. |
| 60 | |
| 61 | .. code-block:: bash |
| 62 | |
| 63 | docker run --rm -it nexus3.onap.org:10001/onap/policy-drools:1.6.3 -- bash |
| 64 | |
| 65 | Communication Endpoints |
| 66 | ======================= |
| 67 | |
| 68 | PDP-D supports the following networked infrastructures. This is also referred to as |
| 69 | *communication infrastructures* in the source code. |
| 70 | |
| 71 | - DMaaP |
| 72 | - UEB |
| 73 | - NOOP |
| 74 | - Http Servers |
| 75 | - Http Clients |
| 76 | |
| 77 | The source code is located at |
| 78 | `the policy-endpoints module <https://git.onap.org/policy/common/tree/policy-endpoints>`__ |
| 79 | in the *policy/commons* repository. |
| 80 | |
| 81 | These network resources are *named* and typically have a *global* scope, therefore typically visible to |
| 82 | the PDP-D engine (for administration purposes), application *controllers*, |
| 83 | and *features*. |
| 84 | |
| 85 | DMaaP, UEB, and NOOP are message-based communication infrastructures, hence the terminology of |
| 86 | source and sinks, to denote their directionality into or out of the *controller*, respectively. |
| 87 | |
| 88 | An endpoint can either be *managed* or *unmanaged*. The default for an endpoint is to be *managed*, |
| 89 | meaning that they are globally accessible by name, and managed by the PDP-D engine. |
| 90 | *Unmanaged* topics are used when neither global visibility, or centralized PDP-D management is desired. |
| 91 | The software that uses *unmanaged* topics is responsible for their lifecycle management. |
| 92 | |
| 93 | DMaaP Endpoints |
| 94 | ~~~~~~~~~~~~~~~ |
| 95 | |
| 96 | These are messaging enpoints that use DMaaP as the communication infrastructure. |
| 97 | |
| 98 | Typically, a *managed* endpoint configuration is stored in the *<topic-name>-topic.properties* files. |
| 99 | |
| 100 | For example, the |
| 101 | `DCAE_TOPIC-topic.properties <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-management/src/main/feature/config/DCAE_TOPIC-topic.properties>`__ is defined as |
| 102 | |
| 103 | .. code-block:: bash |
| 104 | |
| 105 | dmaap.source.topics=DCAE_TOPIC |
| 106 | |
| 107 | dmaap.source.topics.DCAE_TOPIC.effectiveTopic=${env:DCAE_TOPIC} |
| 108 | dmaap.source.topics.DCAE_TOPIC.servers=${env:DMAAP_SERVERS} |
| 109 | dmaap.source.topics.DCAE_TOPIC.consumerGroup=${env:DCAE_CONSUMER_GROUP} |
| 110 | dmaap.source.topics.DCAE_TOPIC.https=true |
| 111 | |
| 112 | In this example, the generic name of the *source* endpoint |
| 113 | is *DCAE_TOPIC*. This is known as the *canonical* name. |
| 114 | The actual *topic* used in communication exchanges in a physical lab is contained |
| 115 | in the *$DCAE_TOPIC* environment variable. This environment variable is usually |
| 116 | set up by *devops* on a per installation basis to meet the needs of each |
| 117 | lab spec. |
| 118 | |
| 119 | In the previous example, *DCAE_TOPIC* is a source-only topic. |
| 120 | |
| 121 | Sink topics are similarly specified but indicating that are sink endpoints |
| 122 | from the perspective of the *controller*. For example, the *APPC-CL* topic |
| 123 | is configured as |
| 124 | |
| 125 | .. code-block:: bash |
| 126 | |
| 127 | dmaap.source.topics=APPC-CL |
| 128 | dmaap.sink.topics=APPC-CL |
| 129 | |
| 130 | dmaap.source.topics.APPC-CL.servers=${env:DMAAP_SERVERS} |
| 131 | dmaap.source.topics.APPC-CL.https=true |
| 132 | |
| 133 | dmaap.sink.topics.APPC-CL.servers=${env:DMAAP_SERVERS} |
| 134 | dmaap.sink.topics.APPC-CL.https=true |
| 135 | |
| 136 | Although not shown in these examples, additional configuration options are available such as *user name*, |
| 137 | *password*, *security keys*, *consumer group* and *consumer instance*. |
| 138 | |
| 139 | UEB Endpoints |
| 140 | ~~~~~~~~~~~~~ |
| 141 | |
| 142 | Similary, UEB endpoints are messaging endpoints, similar to the DMaaP ones. |
| 143 | |
| 144 | For example, the |
| 145 | `DCAE_TOPIC-topic.properties <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-management/src/main/feature/config/DCAE_TOPIC-topic.properties>`__ can be converted to an *UEB* one, by replacing the |
| 146 | *dmaap* prefix with *ueb*. For example: |
| 147 | |
| 148 | .. code-block:: bash |
| 149 | |
| 150 | ueb.source.topics=DCAE_TOPIC |
| 151 | |
| 152 | ueb.source.topics.DCAE_TOPIC.effectiveTopic=${env:DCAE_TOPIC} |
| 153 | ueb.source.topics.DCAE_TOPIC.servers=${env:DMAAP_SERVERS} |
| 154 | ueb.source.topics.DCAE_TOPIC.consumerGroup=${env:DCAE_CONSUMER_GROUP} |
| 155 | ueb.source.topics.DCAE_TOPIC.https=true |
| 156 | |
| 157 | NOOP Endpoints |
| 158 | ~~~~~~~~~~~~~~ |
| 159 | |
| 160 | NOOP (no-operation) endpoints are messaging endpoints that don't have any network attachments. |
| 161 | They are used for testing convenience. |
| 162 | To convert the |
| 163 | `DCAE_TOPIC-topic.properties <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-management/src/main/feature/config/DCAE_TOPIC-topic.properties>`__ to a *NOOP* endpoint, simply replace the *dmaap* prefix with *noop*: |
| 164 | |
| 165 | .. code-block:: bash |
| 166 | |
| 167 | noop.source.topics=DCAE_TOPIC |
| 168 | noop.source.topics.DCAE_TOPIC.effectiveTopic=${env:DCAE_TOPIC} |
| 169 | |
| 170 | HTTP Clients |
| 171 | ~~~~~~~~~~~~ |
| 172 | |
| 173 | HTTP Clients are typically stored in files following the naming convention: *<name>-http-client.properties* convention. |
| 174 | One such example is |
| 175 | the `AAI HTTP Client <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-management/src/main/feature/config/AAI-http-client.properties>`__: |
| 176 | |
| 177 | .. code-block:: bash |
| 178 | |
| 179 | http.client.services=AAI |
| 180 | |
| 181 | http.client.services.AAI.managed=true |
| 182 | http.client.services.AAI.https=true |
| 183 | http.client.services.AAI.host=${envd:AAI_HOST} |
| 184 | http.client.services.AAI.port=${envd:AAI_PORT} |
| 185 | http.client.services.AAI.userName=${envd:AAI_USERNAME} |
| 186 | http.client.services.AAI.password=${envd:AAI_PASSWORD} |
| 187 | http.client.services.AAI.contextUriPath=${envd:AAI_CONTEXT_URI} |
| 188 | |
| 189 | HTTP Servers |
| 190 | ~~~~~~~~~~~~ |
| 191 | |
| 192 | HTTP Servers are stored in files that follow a similar naming convention *<name>-http-server.properties*. |
| 193 | The following is an example of a server named *CONFIG*, getting most of its configuration from |
| 194 | environment variables. |
| 195 | |
| 196 | .. code-block:: bash |
| 197 | |
| 198 | http.server.services=CONFIG |
| 199 | |
| 200 | http.server.services.CONFIG.host=${envd:TELEMETRY_HOST} |
| 201 | http.server.services.CONFIG.port=7777 |
| 202 | http.server.services.CONFIG.userName=${envd:TELEMETRY_USER} |
| 203 | http.server.services.CONFIG.password=${envd:TELEMETRY_PASSWORD} |
| 204 | http.server.services.CONFIG.restPackages=org.onap.policy.drools.server.restful |
| 205 | http.server.services.CONFIG.managed=false |
| 206 | http.server.services.CONFIG.swagger=true |
| 207 | http.server.services.CONFIG.https=true |
| 208 | http.server.services.CONFIG.aaf=${envd:AAF:false} |
| 209 | |
| 210 | *Endpoints* configuration resides in the *$POLICY_HOME/config* (or *$POLICY_CONFIG*) directory in a container. |
| 211 | |
| 212 | Controllers |
| 213 | =========== |
| 214 | |
| 215 | *Controllers* are the means for the PDP-D to run *applications*. Controllers are |
| 216 | defined in *<name>-controller.properties* files. |
| 217 | |
| 218 | For example, see the |
| 219 | `frankfurt controller configuration <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-frankfurt/src/main/feature/config/frankfurt-controller.properties>`__. |
| 220 | |
| 221 | This configuration file has two sections: *a)* application maven coordinates, and *b)* endpoint references and coders. |
| 222 | |
| 223 | Maven Coordinates |
| 224 | ~~~~~~~~~~~~~~~~~ |
| 225 | |
| 226 | The coordinates section (*rules*) points to the *controller-frankfurt* *kjar* artifact. |
| 227 | It is the *brain* of the control loop application. |
| 228 | |
| 229 | .. code-block:: bash |
| 230 | |
| 231 | controller.name=frankfurt |
| 232 | |
| 233 | rules.groupId=${project.groupId} |
| 234 | rules.artifactId=controller-frankfurt |
| 235 | rules.version=${project.version} |
| 236 | ..... |
| 237 | |
| 238 | This *kjar* contains the |
| 239 | `frankfurt DRL <https://git.onap.org/policy/drools-applications/tree/controlloop/common/controller-frankfurt/src/main/resources/frankfurt.drl>`__ file (there may be more than one DRL file included). |
| 240 | |
| 241 | .. code-block:: bash |
| 242 | |
| 243 | ... |
| 244 | rule "NEW.TOSCA.POLICY" |
| 245 | when |
| 246 | $policy : ToscaPolicy() |
| 247 | then |
| 248 | |
| 249 | ... |
| 250 | |
| 251 | ControlLoopParams params = ControlLoopUtils.toControlLoopParams($policy); |
| 252 | if (params != null) { |
| 253 | insert(params); |
| 254 | } |
| 255 | end |
| 256 | ... |
| 257 | |
| 258 | The DRL in conjuction with the dependent java libraries in the kjar |
| 259 | `pom <https://git.onap.org/policy/drools-applications/tree/controlloop/common/controller-frankfurt/pom.xml>`__ |
| 260 | realizes the application's function. For intance, it realizes the |
| 261 | vFirewall, vCPE, and vDNS use cases in ONAP. |
| 262 | |
| 263 | .. code-block:: bash |
| 264 | |
| 265 | .. |
| 266 | <dependency> |
| 267 | <groupId>org.onap.policy.models.policy-models-interactions.model-actors</groupId> |
| 268 | <artifactId>actor.appclcm</artifactId> |
| 269 | <version>${policy.models.version}</version> |
| 270 | <scope>provided</scope> |
| 271 | </dependency> |
| 272 | ... |
| 273 | |
| 274 | Endpoints References and Coders |
| 275 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 276 | |
| 277 | The *frankfurt-controller.properties* configuration also contains a mix of |
| 278 | source (of incoming controller traffic) and sink (of outgoing controller traffic) |
| 279 | configuration. This configuration also contains specific |
| 280 | filtering and mapping rules for incoming and outgoing dmaap messages |
| 281 | known as *coders*. |
| 282 | |
| 283 | .. code-block:: bash |
| 284 | |
| 285 | ... |
| 286 | dmaap.source.topics=DCAE_TOPIC,APPC-CL,APPC-LCM-WRITE,SDNR-CL-RSP |
| 287 | dmaap.sink.topics=APPC-CL,APPC-LCM-READ,POLICY-CL-MGT,SDNR-CL,DCAE_CL_RSP |
| 288 | |
| 289 | |
| 290 | dmaap.source.topics.APPC-LCM-WRITE.events=org.onap.policy.appclcm.AppcLcmDmaapWrapper |
| 291 | dmaap.source.topics.APPC-LCM-WRITE.events.org.onap.policy.appclcm.AppcLcmDmaapWrapper.filter=[?($.type == 'response')] |
| 292 | dmaap.source.topics.APPC-LCM-WRITE.events.custom.gson=org.onap.policy.appclcm.util.Serialization,gson |
| 293 | |
| 294 | dmaap.sink.topics.APPC-CL.events=org.onap.policy.appc.Request |
| 295 | dmaap.sink.topics.APPC-CL.events.custom.gson=org.onap.policy.appc.util.Serialization,gsonPretty |
| 296 | ... |
| 297 | |
| 298 | In this example, the *coders* specify that incoming messages over the DMaaP endpoint |
| 299 | reference *APPC-LCM-WRITE*, that have a field called *type* under the root JSON object with |
| 300 | value *response* are allowed into the *controller* application. In this case, the incoming |
| 301 | message is converted into an object (fact) of type *org.onap.policy.appclcm.AppcLcmDmaapWrapper*. |
| 302 | The *coder* has attached a custom implementation provided by the *application* with class |
| 303 | *org.onap.policy.appclcm.util.Serialization*. Note that the *coder* filter is expressed in JSONPath notation. |
| 304 | |
| 305 | Note that not all the communication endpoint references need to be explicitly referenced within the |
| 306 | *controller* configuration file. For example, *Http clients* do not. |
| 307 | The reasons are historical, as the PDP-D was initially intended to only communicate |
| 308 | through messaging-based protocols such as UEB or DMaaP in asynchronous unidirectional mode. |
| 309 | The introduction of *Http* with synchronous bi-directional communication with remote endpoints made |
| 310 | it more convenient for the application to manage each network exchange. |
| 311 | |
| 312 | *Controllers* configuration resides in the *$POLICY_HOME/config* (or *$POLICY_CONFIG*) directory in a container. |
| 313 | |
| 314 | Other Configuration Files |
| 315 | ~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 316 | |
| 317 | There are other types of configuration files that *controllers* can use, for example *.environment* files |
| 318 | that provides a means to share data across applications. The |
| 319 | `controlloop.properties.environment <https://git.onap.org/policy/drools-applications/tree/controlloop/common/feature-controlloop-management/src/main/feature/config/controlloop.properties.environment>`__ is one such example. |
| 320 | |
| 321 | |
| 322 | Tosca Policies |
| 323 | ============== |
| 324 | |
| 325 | PDP-D supports Tosca Policies through the *feature-lifecycle*. The *PDP-D* receives its policy set |
| 326 | from the *PAP*. A policy conforms to its Policy Type specification. |
| 327 | Policy Types and policy creation is done by the *API* component. |
| 328 | Policy deployments are orchestrated by the *PAP*. |
| 329 | |
| 330 | All communication between *PAP* and PDP-D is over the DMaaP *POLICY-PDP-PAP* topic. |
| 331 | |
| 332 | Native Policy Types |
| 333 | ~~~~~~~~~~~~~~~~~~~ |
| 334 | |
| 335 | The PDP-D Engine supports two (native) Tosca policy types by means of the *lifecycle* |
| 336 | feature: |
| 337 | |
| 338 | - *onap.policies.native.drools.Controller* |
| 339 | - *onap.policies.native.drools.Artifact* |
| 340 | |
| 341 | These types can be used to dynamically deploy or undeploy application *controllers*, |
| 342 | assign policy types, and upgrade or downgrade their attached maven artifact versions. |
| 343 | |
| 344 | For instance, an |
| 345 | `example native controller <https://git.onap.org/policy/drools-pdp/tree/feature-lifecycle/src/test/resources/tosca-policy-native-controller-example.json>`__ policy is shown below. |
| 346 | |
| 347 | .. code-block:: bash |
| 348 | |
| 349 | { |
| 350 | "tosca_definitions_version": "tosca_simple_yaml_1_0_0", |
| 351 | "topology_template": { |
| 352 | "policies": [ |
| 353 | { |
| 354 | "example.controller": { |
| 355 | "type": "onap.policies.native.drools.Controller", |
| 356 | "type_version": "1.0.0", |
| 357 | "version": "1.0.0", |
| 358 | "name": "example.controller", |
| 359 | "metadata": { |
| 360 | "policy-id": "example.controller" |
| 361 | }, |
| 362 | "properties": { |
| 363 | "controllerName": "lifecycle", |
| 364 | "sourceTopics": [ |
| 365 | { |
| 366 | "topicName": "DCAE_TOPIC", |
| 367 | "events": [ |
| 368 | { |
| 369 | "eventClass": "java.util.HashMap", |
| 370 | "eventFilter": "[?($.closedLoopEventStatus == 'ONSET')]" |
| 371 | }, |
| 372 | { |
| 373 | "eventClass": "java.util.HashMap", |
| 374 | "eventFilter": "[?($.closedLoopEventStatus == 'ABATED')]" |
| 375 | } |
| 376 | ] |
| 377 | } |
| 378 | ], |
| 379 | "sinkTopics": [ |
| 380 | { |
| 381 | "topicName": "APPC-CL", |
| 382 | "events": [ |
| 383 | { |
| 384 | "eventClass": "java.util.HashMap", |
| 385 | "eventFilter": "[?($.CommonHeader && $.Status)]" |
| 386 | } |
| 387 | ] |
| 388 | } |
| 389 | ], |
| 390 | "customConfig": { |
| 391 | "field1" : "value1" |
| 392 | } |
| 393 | } |
| 394 | } |
| 395 | } |
| 396 | ] |
| 397 | } |
| 398 | } |
| 399 | |
| 400 | The actual application coordinates are provided with a policy of type onap.policies.native.drools.Artifact, |
| 401 | see the `example native artifact <https://git.onap.org/policy/drools-pdp/tree/feature-lifecycle/src/test/resources/tosca-policy-native-artifact-example.json>`__ |
| 402 | |
| 403 | .. code-block:: bash |
| 404 | |
| 405 | { |
| 406 | "tosca_definitions_version": "tosca_simple_yaml_1_0_0", |
| 407 | "topology_template": { |
| 408 | "policies": [ |
| 409 | { |
| 410 | "example.artifact": { |
| 411 | "type": "onap.policies.native.drools.Artifact", |
| 412 | "type_version": "1.0.0", |
| 413 | "version": "1.0.0", |
| 414 | "name": "example.artifact", |
| 415 | "metadata": { |
| 416 | "policy-id": "example.artifact" |
| 417 | }, |
| 418 | "properties": { |
| 419 | "rulesArtifact": { |
| 420 | "groupId": "org.onap.policy.drools.test", |
| 421 | "artifactId": "lifecycle", |
| 422 | "version": "1.0.0" |
| 423 | }, |
| 424 | "controller": { |
| 425 | "name": "lifecycle" |
| 426 | } |
| 427 | } |
| 428 | } |
| 429 | } |
| 430 | ] |
| 431 | } |
| 432 | } |
| 433 | |
| 434 | Operational Policy Types |
| 435 | ~~~~~~~~~~~~~~~~~~~~~~~~ |
| 436 | |
| 437 | The PDP-D also recognizes Tosca Operational Policies, although it needs an |
| 438 | application *controller* that understands them to execute them. These are: |
| 439 | |
| 440 | - *onap.policies.controlloop.operational.common.Drools* |
| 441 | - *onap.policies.controlloop.Operational* |
| 442 | |
| 443 | A minimum of one application *controller* that supports these capabilities |
| 444 | must be installed in order to honor the *operational policy types*. |
| 445 | One such controller is the *frankfurt* controller residing in the |
| 446 | `policy/drools-applications <https://git.onap.org/policy/drools-applications>`__ |
| 447 | repository. |
| 448 | |
| 449 | Controller Policy Type Support |
| 450 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 451 | |
| 452 | Note that a *controller* may support other policy types. A controller may declare them |
| 453 | explicitly in a native *onap.policies.native.drools.Controller* policy. |
| 454 | |
| 455 | .. code-block:: bash |
| 456 | |
| 457 | "customConfig": { |
| 458 | "controller.policy.types" : "policy.type.A" |
| 459 | } |
| 460 | |
| 461 | The *controller* application could declare its supported policy types in the *kjar*. |
| 462 | For example, the *frankfurt controller* packages this information in the |
| 463 | `kmodule.xml <https://git.onap.org/policy/drools-applications/tree/controlloop/common/controller-frankfurt/src/main/resources/META-INF/kmodule.xml>`__. One advantage of this approach is that the PDP-D would only |
| 464 | commit to execute policies against these policy types if a supporting controller is up and running. |
| 465 | |
| 466 | .. code-block:: bash |
| 467 | |
| 468 | <kmodule xmlns="http://jboss.org/kie/6.0.0/kmodule"> |
| 469 | <kbase name="onap.policies.controlloop.operational.common.Drools" default="false" equalsBehavior="equality"/> |
| 470 | <kbase name="onap.policies.controlloop.Operational" equalsBehavior="equality" |
| 471 | packages="org.onap.policy.controlloop" includes="onap.policies.controlloop.operational.common.Drools"> |
| 472 | <ksession name="frankfurt"/> |
| 473 | </kbase> |
| 474 | </kmodule> |
| 475 | |
| 476 | Software Architecture |
| 477 | ====================== |
| 478 | |
| 479 | PDP-D is divided into 2 layers: |
| 480 | |
| 481 | - core (`policy-core <https://git.onap.org/policy/drools-pdp/tree/policy-core>`__) |
| 482 | - management (`policy-management <https://git.onap.org/policy/drools-pdp/tree/policy-management>`__) |
| 483 | |
| 484 | Core Layer |
| 485 | ~~~~~~~~~~ |
| 486 | |
| 487 | The core layer directly interfaces with the *drools* libraries with 2 main abstractions: |
| 488 | |
| 489 | * `PolicyContainer <https://git.onap.org/policy/drools-pdp/tree/policy-core/src/main/java/org/onap/policy/drools/core/PolicyContainer.java>`__, and |
| 490 | * `PolicySession <https://git.onap.org/policy/drools-pdp/tree/policy-core/src/main/java/org/onap/policy/drools/core/PolicySession.java>`__. |
| 491 | |
| 492 | Policy Container and Sessions |
| 493 | """"""""""""""""""""""""""""" |
| 494 | |
| 495 | The *PolicyContainer* abstracts the drools *KieContainer*, while a *PolicySession* abstracts a drools *KieSession*. |
| 496 | PDP-D uses stateful sessions in active mode (*fireUntilHalt*) (please visit the `drools <https://www.drools.org/>`__ |
| 497 | website for additional documentation). |
| 498 | |
| 499 | Management Layer |
| 500 | ~~~~~~~~~~~~~~~~ |
| 501 | |
| 502 | The management layer manages the PDP-D and builds on top of the *core* capabilities. |
| 503 | |
| 504 | PolicyEngine |
| 505 | """""""""""" |
| 506 | |
| 507 | The PDP-D `PolicyEngine <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/system/PolicyEngine.java>`__ is the top abstraction and abstracts away the PDP-D and all the |
| 508 | resources it holds. The reader looking at the source code can start looking at this component |
| 509 | in a top-down fashion. Note that the *PolicyEngine* abstraction should not be confused with the |
| 510 | sofware in the *policy/engine* repository, there is no relationship whatsoever other than in the naming. |
| 511 | |
| 512 | The *PolicyEngine* represents the PDP-D, holds all PDP-D resources, and orchestrates activities among those. |
| 513 | |
| 514 | The *PolicyEngine* manages applications via the `PolicyController <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/system/PolicyController.java>`__ abstractions in the base code. The |
| 515 | relationship between the *PolicyEngine* and *PolicyController* is one to many. |
| 516 | |
| 517 | The *PolicyEngine* holds other global resources such as a *thread pool*, *policies validator*, *telemetry* server, |
| 518 | and *unmanaged* topics for administration purposes. |
| 519 | |
| 520 | The *PolicyEngine* has interception points that allow |
| 521 | `*features* <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/features/PolicyEngineFeatureApi.java>`__ |
| 522 | to observe and alter the default *PolicyEngine* behavior. |
| 523 | |
| 524 | The *PolicyEngine* implements the `*Startable* <https://git.onap.org/policy/common/tree/capabilities/src/main/java/org/onap/policy/common/capabilities/Startable.java>`__ and `*Lockable* <https://git.onap.org/policy/common/tree/capabilities/src/main/java/org/onap/policy/common/capabilities/Lockable.java>`__ interfaces. These operations |
| 525 | have a cascading effect on the resources the *PolicyEngine* holds, as it is the top level entity, thus |
| 526 | affecting *controllers* and *endpoints*. These capabilities are intended to be used for extensions, |
| 527 | for example active/standby multi-node capabilities. This programmability is |
| 528 | exposed via the *telemetry* API, and *feature* hooks. |
| 529 | |
| 530 | Configuration |
| 531 | ^^^^^^^^^^^^^ |
| 532 | |
| 533 | *PolicyEngine* related configuration is located in the |
| 534 | `engine.properties <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server/config/engine.properties>`__, |
| 535 | and `engine-system.properties <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server/config/engine.properties>`__. |
| 536 | |
| 537 | The *engine* configuration files reside in the *$POLICY_CONFIG* directory. |
| 538 | |
| 539 | PolicyController |
| 540 | """""""""""""""" |
| 541 | |
| 542 | A *PolicyController* represents an application. Each *PolicyController* has an instance of a |
| 543 | `DroolsController <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/system/PolicyController.java>`__. The *PolicyController* provides the means to group application specific resources |
| 544 | into a single unit. Such resources include the application's *maven coordinates*, *endpoint references*, and *coders*. |
| 545 | |
| 546 | A *PolicyController* uses a |
| 547 | `DroolsController <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/controller/DroolsController.java>`__ to interface with the *core* layer (*PolicyContainer* and *PolicySession*). |
| 548 | |
| 549 | The relationship between the *PolicyController* and the *DroolsController* is one-to-one. |
| 550 | The *DroolsController* currently supports 2 implementations, the |
| 551 | `MavenDroolsController <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/controller/internal/MavenDroolsController.java>`__, and the |
| 552 | `NullDroolsController <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/controller/internal/NullDroolsController.java>`__. |
| 553 | The *DroolsController*'s polymorphic behavior depends on whether a maven artifact is attached to the controller or not. |
| 554 | |
| 555 | Configuration |
| 556 | ^^^^^^^^^^^^^ |
| 557 | |
| 558 | The *controllers* configuration resides in the *$POLICY_CONFIG* directory. |
| 559 | |
| 560 | Programmability |
| 561 | ~~~~~~~~~~~~~~~ |
| 562 | |
| 563 | PDP-D is programmable through: |
| 564 | |
| 565 | - Features and Event Listeners. |
| 566 | - Maven-Drools applications. |
| 567 | |
| 568 | Using Features and Listeners |
| 569 | """""""""""""""""""""""""""" |
| 570 | |
| 571 | Features hook into the interception points provided by the the *PDP-D* main entities. |
| 572 | |
| 573 | *Endpoint Listeners*, see `here <https://git.onap.org/policy/common/tree/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/event/comm/TopicListener.java>`__ |
| 574 | and `here <https://git.onap.org/policy/common/tree/policy-endpoints/src/main/java/org/onap/policy/common/endpoints/listeners>`__, can be used in conjuction with features for additional capabilities. |
| 575 | |
| 576 | Using Maven-Drools applications |
| 577 | """"""""""""""""""""""""""""""" |
| 578 | |
| 579 | Maven-based drools applications can run any arbitrary functionality structured with rules and java logic. |
| 580 | |
| 581 | Recommended Flow |
| 582 | """""""""""""""" |
| 583 | |
| 584 | Whenever possible it is suggested that PDP-D related operations flow through the |
| 585 | *PolicyEngine* downwards in a top-down manner. This imposed order implies that |
| 586 | all the feature hooks are always invoked in a deterministic fashion. It is also |
| 587 | a good mechanism to safeguard against deadlocks. |
| 588 | |
| 589 | Telemetry Extensions |
| 590 | """""""""""""""""""" |
| 591 | |
| 592 | It is recommended to *features* (extensions) to offer a diagnostics REST API |
| 593 | to integrate with the telemetry API. This is done by placing JAX-RS files under |
| 594 | the package *org.onap.policy.drools.server.restful*. The root context path |
| 595 | for all the telemetry services is */policy/pdp/engine*. |
| 596 | |
| 597 | Features |
| 598 | ======== |
| 599 | |
| 600 | *Features* is an extension mechanism for the PDP-D functionality. |
| 601 | Features can be toggled on and off. |
| 602 | A feature is composed of: |
| 603 | |
| 604 | - Java libraries. |
| 605 | - Scripts and configuration files. |
| 606 | |
| 607 | Java Extensions |
| 608 | ~~~~~~~~~~~~~~~ |
| 609 | |
| 610 | Additional functionality can be provided in the form of java libraries that hook into the |
| 611 | *PolicyEngine*, *PolicyController*, *DroolsController*, and *PolicySession* interception |
| 612 | points to observe or alter the PDP-D logic. |
| 613 | |
| 614 | See the Feature APIs available in the |
| 615 | `management <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/java/org/onap/policy/drools/features>`__ |
| 616 | and |
| 617 | `core <https://git.onap.org/policy/drools-pdp/tree/policy-core/src/main/java/org/onap/policy/drools/core/PolicySessionFeatureApi.java>`__ layers. |
| 618 | |
| 619 | The convention used for naming these extension modules are *api-<name>* for interfaces, |
| 620 | and *feature-<name>* for the actual java extensions. |
| 621 | |
| 622 | Configuration Items |
| 623 | ~~~~~~~~~~~~~~~~~~~ |
| 624 | |
| 625 | Installation items such as scripts, SQL, maven artifacts, and configuration files. |
| 626 | |
| 627 | The reader can refer to the `policy/drools-pdp repository <https://git.onap.org/policy/drools-pdp>`__ |
| 628 | and the <https://git.onap.org/policy/drools-applications>`__ repository for miscellaneous feature |
| 629 | implementations. |
| 630 | |
| 631 | Layout |
| 632 | """""" |
| 633 | |
| 634 | A feature is packaged in a *feature-<name>.zip* and has this internal layout: |
| 635 | |
| 636 | .. code-block:: bash |
| 637 | |
| 638 | # ####################################################################################### |
| 639 | # Features Directory Layout: |
| 640 | # |
| 641 | # $POLICY_HOME/ |
| 642 | # L─ features/ |
| 643 | # L─ <feature-name>*/ |
| 644 | #    L─ [config]/ |
| 645 | #    |  L─ <config-file>+ |
| 646 | #    L─ [bin]/ |
| 647 | #    |  L─ <bin-file>+ |
| 648 | #    L─ lib/ |
| 649 | #    | L─ [dependencies]/ |
| 650 | #    | | L─ <dependent-jar>+ |
| 651 | #    │ L─ feature/ |
| 652 | #    │ L─ <feature-jar> |
| 653 | #    L─ [db]/ |
| 654 | #    │  L─ <db-name>/+ |
| 655 | #    │ L─ sql/ |
| 656 | #    │ L─ <sql-scripts>* |
| 657 | #    L─ [artifacts]/ |
| 658 | #     L─ <artifact>+ |
| 659 | #    L─ [install] |
| 660 | #     L─ [enable] |
| 661 | #     L─ [disable] |
| 662 | #     L─ [other-directories-or-files] |
| 663 | # |
| 664 | # notes: [] = optional , * = 0 or more , + = 1 or more |
| 665 | # <feature-name> directory without "feature-" prefix. |
| 666 | # [config] feature configuration directory that contains all configuration |
| 667 | # needed for this features |
| 668 | # [config]/<config-file> preferably named with "feature-<feature-name>" prefix to |
| 669 | # precisely match it against the exact features, source code, and |
| 670 | # associated wiki page for configuration details. |
| 671 | # [bin] feature bin directory that contains helper scripts for this feature |
| 672 | # [bin]/<executable-file> preferably named with "feature-<feature-name>" prefix. |
| 673 | # lib jar libraries needed by this features |
| 674 | # lib/[dependencies] 3rd party jar dependencies not provided by base installation |
| 675 | # of pdp-d that are necessary for <feature-name> to operate |
| 676 | # correctly. |
| 677 | # lib/feature the single feature jar that implements the feature. |
| 678 | # [db] database directory, if the feature contains sql. |
| 679 | # [db]/<db-name> database to which underlying sql scripts should be applied. |
| 680 | # ideally, <db-name> = <feature-name> so it is easily to associate |
| 681 | # the db data with a feature itself. In addition, since a feature is |
| 682 | # a somewhat independent isolated unit of functionality,the <db-name> |
| 683 | # database ideally isolates all its data. |
| 684 | # [db]/<db-name>/sql directory with all the sql scripts. |
| 685 | # [db]/<db-name>/sql/<sql-scripts> for this feature, sql |
| 686 | # upgrade scripts should be suffixed with ".upgrade.sql" |
| 687 | # and downgrade scripts should be suffixed with ".downgrade.sql" |
| 688 | # [artifacts] maven artifacts to be deployed in a maven repository. |
| 689 | # [artifacts]/<artifact> maven artifact with identifiable maven coordinates embedded |
| 690 | # in the artifact. |
| 691 | # [install] custom installation directory where custom enable or disable scripts |
| 692 | # and other free form data is included to be used for the enable and |
| 693 | # and disable scripts. |
| 694 | # [install]/[enable] enable script executed when the enable operation is invoked in |
| 695 | # the feature. |
| 696 | # [install]/[disable] disable script executed when the disable operation is invoked in |
| 697 | # the feature. |
| 698 | # [install]/[other-directories-or-files] other executables, or data that can be used |
| 699 | # by the feature for any of its operations. The content is determined |
| 700 | # by the feature designer. |
| 701 | # ######################################################################################## |
| 702 | |
| 703 | The `features <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server-gen/bin/features>`__ |
| 704 | is the tool used for administration purposes: |
| 705 | |
| 706 | .. code-block:: bash |
| 707 | |
| 708 | Usage: features status |
| 709 | Get enabled/disabled status on all features |
| 710 | features enable <feature> ... |
| 711 | Enable the specified feature |
| 712 | features disable <feature> ... |
| 713 | Disable the specified feature |
| 714 | features install [ <feature> | <file-name> ] ... |
| 715 | Install the specified feature |
| 716 | features uninstall <feature> ... |
| 717 | Uninstall the specified feature |
| 718 | |
| 719 | Features available in the Docker image |
| 720 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 721 | |
| 722 | The only enabled feature in the *onap/policy-drools* image is: |
| 723 | |
| 724 | - **lifecycle**: enables the lifecycle capability to integrate with the Policy Framework components. |
| 725 | |
| 726 | The following features are included in the image but disabled. |
| 727 | |
| 728 | - **distributed locking**: distributed resource locking. |
| 729 | - **healthcheck**: basic PDP-D Engine healthcheck. |
| 730 | |
| 731 | Healthcheck |
| 732 | """"""""""" |
| 733 | |
| 734 | The Healthcheck feature provides reports used to verify the health of *PolicyEngine.manager* in addition to the construction, operation, and deconstruction of HTTP server/client objects. |
| 735 | |
| 736 | When enabled, the feature takes as input a properties file named "*feature-healtcheck.properties*. |
| 737 | This file should contain configuration properties necessary for the construction of HTTP client and server objects. |
| 738 | |
| 739 | Upon initialization, the feature first constructs HTTP server and client objects using the properties |
| 740 | from its properties file. A healthCheck operation is then triggered. The logic of the healthCheck verifies |
| 741 | that *PolicyEngine.manager* is alive, and iteratively tests each HTTP server object by sending HTTP GET |
| 742 | requests using its respective client object. If a server returns a "200 OK" message, it is marked as "healthy" |
| 743 | in its individual report. Any other return code results in an "unhealthy" report. |
| 744 | |
| 745 | After the testing of the server objects has completed, the feature returns a single consolidated report. |
| 746 | |
| 747 | Lifecycle |
| 748 | """"""""" |
| 749 | |
| 750 | The "lifecycle" feature enables a PDP-D to work with the architectural framework introduced in the |
| 751 | Dublin release. |
| 752 | |
| 753 | The lifecycle feature maintains three states: TERMINATED, PASSIVE, and ACTIVE. |
| 754 | The PAP interacts with the lifecycle feature to put a PDP-D in PASSIVE or ACTIVE states. |
| 755 | The PASSIVE state allows for Tosca Operational policies to be deployed. |
| 756 | Policy execution is enabled when the PDP-D transitions to the ACTIVE state. |
| 757 | |
| 758 | This feature can coexist side by side with the legacy mode of operation that pre-dates the Dublin release. |
| 759 | |
| 760 | Distributed Locking |
| 761 | """"""""""""""""""" |
| 762 | |
| 763 | The Distributed Locking Feature provides locking of resources across a pool of PDP-D hosts. |
| 764 | The list of locks is maintained in a database, where each record includes a resource identifier, |
| 765 | an owner identifier, and an expiration time. Typically, a drools application will unlock the resource |
| 766 | when it's operation completes. However, if it fails to do so, then the resource will be automatically |
| 767 | released when the lock expires, thus preventing a resource from becoming permanently locked. |
| 768 | |
| 769 | Other features |
| 770 | ~~~~~~~~~~~~~~ |
| 771 | |
| 772 | The following features have been contributed to the *policy/drools-pdp* but are either |
| 773 | unnecessary or have not been thoroughly tested: |
| 774 | |
| 775 | .. toctree:: |
| 776 | :maxdepth: 1 |
| 777 | |
| 778 | feature_activestdbymgmt.rst |
| 779 | feature_controllerlogging.rst |
| 780 | feature_eelf.rst |
| 781 | feature_mdcfilters.rst |
| 782 | feature_pooling.rst |
| 783 | feature_sesspersist.rst |
| 784 | feature_statemgmt.rst |
| 785 | feature_testtransaction.rst |
| 786 | |
| 787 | Data Migration |
| 788 | ============== |
| 789 | |
| 790 | PDP-D data is migrated across releases with the |
| 791 | `db-migrator <https://git.onap.org/policy/drools-pdp/tree/policy-management/src/main/server-gen/bin/db-migrator>`__. |
| 792 | |
| 793 | The migration occurs when different release data is detected. *db-migrator* will look under the |
| 794 | *$POLICY_HOME/etc/db/migration* for databases and SQL scripts to migrate. |
| 795 | |
| 796 | .. code-block:: bash |
| 797 | |
| 798 | $POLICY_HOME/etc/db/migration/<schema-name>/sql/<sql-file> |
| 799 | |
| 800 | where *<sql-file>* is of the form: |
| 801 | |
| 802 | .. code-block:: bash |
| 803 | |
| 804 | <VERSION>-<pdp|feature-name>[-description](.upgrade|.downgrade).sql |
| 805 | |
| 806 | The db-migrator tool syntax is |
| 807 | |
| 808 | .. code-block:: bash |
| 809 | |
| 810 | syntax: db-migrator |
| 811 | -s <schema-name> |
| 812 | [-b <migration-dir>] |
| 813 | [-f <from-version>] |
| 814 | [-t <target-version>] |
| 815 | -o <operations> |
| 816 | |
| 817 | where <operations>=upgrade|downgrade|auto|version|erase|report |
| 818 | |
| 819 | Configuration Options: |
| 820 | -s|--schema|--database: schema to operate on ('ALL' to apply on all) |
| 821 | -b|--basedir: overrides base DB migration directory |
| 822 | -f|--from: overrides current release version for operations |
| 823 | -t|--target: overrides target release to upgrade/downgrade |
| 824 | |
| 825 | Operations: |
| 826 | upgrade: upgrade operation |
| 827 | downgrade: performs a downgrade operation |
| 828 | auto: autonomous operation, determines upgrade or downgrade |
| 829 | version: returns current version, and in conjunction if '-f' sets the current version |
| 830 | erase: erase all data related <schema> (use with care) |
| 831 | report: migration detailed report on an schema |
| 832 | ok: is the migration status valid |
| 833 | |
| 834 | See the |
| 835 | `feature-distributed-locking sql directory <https://git.onap.org/policy/drools-pdp/tree/feature-distributed-locking/src/main/feature/db/pooling/sql>`__ |
| 836 | for an example of upgrade/downgrade scripts. |
| 837 | |
| 838 | The following command will provide a report on the upgrade or downgrade activies: |
| 839 | |
| 840 | .. code-block:: bash |
| 841 | |
| 842 | db-migrator -s ALL -o report |
| 843 | |
| 844 | For example in the official frankfurt delivery: |
| 845 | |
| 846 | .. code-block:: bash |
| 847 | |
| 848 | policy@dev-drools-0:/tmp/policy-install$ db-migrator -s ALL -o report |
| 849 | +---------+---------+ |
| 850 | | name | version | |
| 851 | +---------+---------+ |
| 852 | | pooling | 1811 | |
| 853 | +---------+---------+ |
| 854 | +-------------------------------------+-----------+---------+---------------------+ |
| 855 | | script | operation | success | atTime | |
| 856 | +-------------------------------------+-----------+---------+---------------------+ |
| 857 | | 1804-distributedlocking.upgrade.sql | upgrade | 1 | 2020-05-22 19:33:09 | |
| 858 | | 1811-distributedlocking.upgrade.sql | upgrade | 1 | 2020-05-22 19:33:09 | |
| 859 | +-------------------------------------+-----------+---------+---------------------+ |
| 860 | |
| 861 | In order to use the *db-migrator* tool, the system must be configured with a database. |
| 862 | |
| 863 | .. code-block:: bash |
| 864 | |
| 865 | SQL_HOST=mariadb |
| 866 | |
| 867 | Maven Repositories |
| 868 | ================== |
| 869 | |
| 870 | The drools libraries in the PDP-D uses maven to fetch rules artifacts and software dependencies. |
| 871 | |
| 872 | The default *settings.xml* file specifies the repositories to search. This configuration |
| 873 | can be overriden with a custom copy that would sit in a mounted configuration |
| 874 | directory. See an example of the OOM override |
| 875 | `settings.xml <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/resources/configmaps/settings.xml>`__. |
| 876 | |
| 877 | The default ONAP installation of the *control loop* child image *onap/policy-pdpd-cl:1.6.4* is *OFFLINE*. |
| 878 | In this configuration, the *rules* artifact and the *dependencies* retrieves all the artifacts from the local |
| 879 | maven repository. Of course, this requires that the maven dependencies are preloaded in the local |
| 880 | repository for it to work. |
| 881 | |
| 882 | An offline configuration requires two items: |
| 883 | |
| 884 | - *OFFLINE* environment variable set to true. |
| 885 | - override *settings.xml* customization, see |
| 886 | `settings.xml <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/resources/configmaps/settings.xml>`__. |
| 887 | |
| 888 | The default mode in the *onap/policy-drools:1.6.3* is ONLINE instead. |
| 889 | |
| 890 | In *ONLINE* mode, the *controller* initialization can take a significant amount of time. |
| 891 | |
| 892 | The Policy ONAP installation includes a *nexus* repository component that can be used to host any arbitrary |
| 893 | artifacts that an PDP-D application may require. |
| 894 | The following environment variables configure its location: |
| 895 | |
| 896 | .. code-block:: bash |
| 897 | |
| 898 | SNAPSHOT_REPOSITORY_ID=policy-nexus-snapshots |
| 899 | SNAPSHOT_REPOSITORY_URL=http://nexus:8080/nexus/content/repositories/snapshots/ |
| 900 | RELEASE_REPOSITORY_ID=policy-nexus-releases |
| 901 | RELEASE_REPOSITORY_URL=http://nexus:8080/nexus/content/repositories/releases/ |
| 902 | REPOSITORY_OFFLINE=false |
| 903 | |
| 904 | The *deploy-artifact* tool is used to deploy artifacts to the local or remote maven repositories. |
| 905 | It also allows for dependencies to be installed locally. The *features* tool invokes it when artifacts are |
| 906 | to be deployed as part of a feature. The tool can be useful for developers to test a new application |
| 907 | in a container. |
| 908 | |
| 909 | .. code-block:: bash |
| 910 | |
| 911 | syntax: deploy-artifact |
| 912 | [-f|-l|-d] |
| 913 | -s <custom-settings> |
| 914 | -a <artifact> |
| 915 | |
| 916 | Options: |
| 917 | -f|--file-repo: deploy in the file repository |
| 918 | -l|--local-repo: install in the local repository |
| 919 | -d|--dependencies: install dependencies in the local repository |
| 920 | -s|--settings: custom settings.xml |
| 921 | -a|--artifact: file artifact (jar or pom) to deploy and/or install |
| 922 | |
| 923 | AAF |
| 924 | === |
| 925 | |
| 926 | Policy can talk to AAF for authorization requests. To enable AAF set |
| 927 | the following environment variables: |
| 928 | |
| 929 | .. code-block:: bash |
| 930 | |
| 931 | AAF=true |
| 932 | AAF_NAMESPACE=org.onap.policy |
| 933 | AAF_HOST=aaf-locate.onap |
| 934 | |
| 935 | By default AAF is disabled. |
| 936 | |
| 937 | Policy Tool |
| 938 | =========== |
| 939 | |
| 940 | The *policy* tool can be used to stop, start, and provide status on the PDP-D. |
| 941 | |
| 942 | .. code-block:: bash |
| 943 | |
| 944 | syntax: policy [--debug] status|start|stop |
| 945 | |
| 946 | The *status* option provides generic status of the system. |
| 947 | |
| 948 | .. code-block:: bash |
| 949 | |
| 950 | [drools-pdp-controllers] |
| 951 | L []: Policy Management (pid 408) is running |
| 952 | 0 cron jobs installed. |
| 953 | |
| 954 | [features] |
| 955 | name version status |
| 956 | ---- ------- ------ |
| 957 | healthcheck 1.6.3 enabled |
| 958 | distributed-locking 1.6.3 enabled |
| 959 | lifecycle 1.6.3 enabled |
| 960 | controlloop-management 1.6.4 enabled |
| 961 | controlloop-utils 1.6.4 enabled |
| 962 | controlloop-trans 1.6.4 enabled |
| 963 | controlloop-frankfurt 1.6.4 enabled |
| 964 | controlloop-usecases 1.6.4 disabled |
| 965 | |
| 966 | [migration] |
| 967 | pooling: OK @ 1811 |
| 968 | |
| 969 | It contains 3 sections: |
| 970 | |
| 971 | - *PDP-D* running status |
| 972 | - *features* applied |
| 973 | - Data migration status on a per database basis. |
| 974 | |
| 975 | The *start* and *stop* commands are useful for developers testing functionality on a docker container instance. |
| 976 | |
| 977 | Telemetry Shell |
| 978 | =============== |
| 979 | |
| 980 | *PDP-D* offers an ample set of REST APIs to debug, introspect, and change state on a running PDP-D. This is known as the |
| 981 | *telemetry* API. The *telemetry* shell wraps these APIs for shell-like access using |
| 982 | `http-prompt <http://http-prompt.com/>`__. |
| 983 | |
| 984 | .. code-block:: bash |
| 985 | |
| 986 | policy@dev-drools-0:~$ telemetry |
| 987 | Version: 1.0.0 |
| 988 | https://localhost:9696/policy/pdp/engine> get controllers |
| 989 | HTTP/1.1 200 OK |
| 990 | Content-Length: 13 |
| 991 | Content-Type: application/json |
| 992 | Date: Thu, 04 Jun 2020 01:07:38 GMT |
| 993 | Server: Jetty(9.4.24.v20191120) |
| 994 | |
| 995 | [ |
| 996 | "frankfurt" |
| 997 | ] |
| 998 | |
| 999 | https://localhost:9696/policy/pdp/engine> exit |
| 1000 | Goodbye! |
| 1001 | policy@dev-drools-0:~$ |
| 1002 | |
| 1003 | |
| 1004 | Other tools |
| 1005 | =========== |
| 1006 | |
| 1007 | Refer to the *$POLICY_HOME/bin/* directory for additional tooling. |
| 1008 | |
| 1009 | PDP-D Docker Container Configuration |
| 1010 | ==================================== |
| 1011 | |
| 1012 | Both the PDP-D *onap/policy-drools* and *onap/policy-pdpd-cl* images can be used without other components. |
| 1013 | |
| 1014 | There are 2 types of configuration data provided to the container: |
| 1015 | |
| 1016 | 1. environment variables. |
| 1017 | 2. configuration files and shell scripts. |
| 1018 | |
| 1019 | Environment variables |
| 1020 | ~~~~~~~~~~~~~~~~~~~~~ |
| 1021 | |
| 1022 | As it was shown in the *controller* and *endpoint* sections, PDP-D configuration can rely |
| 1023 | on environment variables. In a container environment, these variables are set up by the user |
| 1024 | in the host environment. |
| 1025 | |
| 1026 | Configuration Files and Shell Scripts |
| 1027 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 1028 | |
| 1029 | PDP-D is very flexible in its configuration. |
| 1030 | |
| 1031 | The following file types are recognized when mounted under */tmp/policy-install/config*. |
| 1032 | |
| 1033 | These are the configuration items that can reside externally and override the default configuration: |
| 1034 | |
| 1035 | - **settings.xml** if working with external nexus repositories. |
| 1036 | - **standalone-settings.xml** if an external *policy* nexus repository is not available. |
| 1037 | - ***.conf** files containing environment variables. This is an alternative to use environment variables, |
| 1038 | as these files will be sourced in before the PDP-D starts. |
| 1039 | - **features*.zip** to load any arbitrary feature not present in the image. |
| 1040 | - ***.pre.sh** scripts that will be executed before the PDP-D starts. |
| 1041 | - ***.post.sh** scripts that will be executed after the PDP-D starts. |
| 1042 | - **policy-keystore** to override the default PDP-D java keystore. |
| 1043 | - **policy-truststore** to override the default PDP-D java truststore. |
| 1044 | - **aaf-cadi.keyfile** to override the default AAF CADI Key generated by AAF. |
| 1045 | - ***.properties** to override or add any properties file for the PDP-D, this includes *controller*, *endpoint*, |
| 1046 | *engine* or *system* configurations. |
| 1047 | - **logback*.xml** to override the default logging configuration. |
| 1048 | - ***.xml** to override other .xml configuration that may be used for example by an *application*. |
| 1049 | - ***.json** *json* configuration that may be used by an *application*. |
| 1050 | |
| 1051 | |
| 1052 | Running PDP-D with a single container |
| 1053 | ===================================== |
| 1054 | |
| 1055 | Environment File |
| 1056 | ~~~~~~~~~~~~~~~~ |
| 1057 | |
| 1058 | First create an environment file (in this example *env.conf*) to configure the PDP-D. |
| 1059 | |
| 1060 | .. code-block:: bash |
| 1061 | |
| 1062 | # SYSTEM software configuration |
| 1063 | |
| 1064 | POLICY_HOME=/opt/app/policy |
| 1065 | POLICY_LOGS=/var/log/onap/policy/pdpd |
| 1066 | KEYSTORE_PASSWD=Pol1cy_0nap |
| 1067 | TRUSTSTORE_PASSWD=Pol1cy_0nap |
| 1068 | |
| 1069 | # Telemetry credentials |
| 1070 | |
| 1071 | TELEMETRY_PORT=9696 |
| 1072 | TELEMETRY_HOST=0.0.0.0 |
| 1073 | TELEMETRY_USER=demo@people.osaaf.org |
| 1074 | TELEMETRY_PASSWORD=demo123456! |
| 1075 | |
| 1076 | # nexus repository |
| 1077 | |
| 1078 | SNAPSHOT_REPOSITORY_ID= |
| 1079 | SNAPSHOT_REPOSITORY_URL= |
| 1080 | RELEASE_REPOSITORY_ID= |
| 1081 | RELEASE_REPOSITORY_URL= |
| 1082 | REPOSITORY_USERNAME= |
| 1083 | REPOSITORY_PASSWORD= |
| 1084 | REPOSITORY_OFFLINE=true |
| 1085 | |
| 1086 | # Relational (SQL) DB access |
| 1087 | |
| 1088 | SQL_HOST= |
| 1089 | SQL_USER= |
| 1090 | SQL_PASSWORD= |
| 1091 | |
| 1092 | # AAF |
| 1093 | |
| 1094 | AAF=false |
| 1095 | AAF_NAMESPACE=org.onap.policy |
| 1096 | AAF_HOST=aaf.api.simpledemo.onap.org |
| 1097 | |
| 1098 | # PDP-D DMaaP configuration channel |
| 1099 | |
| 1100 | PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION |
| 1101 | PDPD_CONFIGURATION_API_KEY= |
| 1102 | PDPD_CONFIGURATION_API_SECRET= |
| 1103 | PDPD_CONFIGURATION_CONSUMER_GROUP= |
| 1104 | PDPD_CONFIGURATION_CONSUMER_INSTANCE= |
| 1105 | PDPD_CONFIGURATION_PARTITION_KEY= |
| 1106 | |
| 1107 | # PAP-PDP configuration channel |
| 1108 | |
| 1109 | POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP |
| 1110 | POLICY_PDP_PAP_API_KEY= |
| 1111 | POLICY_PDP_PAP_API_SECRET= |
| 1112 | |
| 1113 | # DMaaP |
| 1114 | |
| 1115 | DMAAP_SERVERS=localhost |
| 1116 | |
| 1117 | Note that *SQL_HOST*, and *REPOSITORY* are empty, so the PDP-D does not attempt |
| 1118 | to integrate with those components. |
| 1119 | |
| 1120 | Configuration |
| 1121 | ~~~~~~~~~~~~~ |
| 1122 | |
| 1123 | In order to avoid the noise in the logs that relate to dmaap configuration, a startup script (*noop.pre.sh*) is added |
| 1124 | to convert *dmaap* endpoints to *noop* in the host directory to be mounted. |
| 1125 | |
| 1126 | noop.pre.sh |
| 1127 | """"""""""" |
| 1128 | |
| 1129 | .. code-block:: bash |
| 1130 | |
| 1131 | #!/bin/bash -x |
| 1132 | |
| 1133 | sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties |
| 1134 | |
| 1135 | |
| 1136 | active.post.sh |
| 1137 | """""""""""""" |
| 1138 | |
| 1139 | To put the controller directly in active mode at initialization, place an *active.post.sh* script under the |
| 1140 | mounted host directory: |
| 1141 | |
| 1142 | .. code-block:: bash |
| 1143 | |
| 1144 | #!/bin/bash -x |
| 1145 | |
| 1146 | bash -c "http --verify=no -a ${TELEMETRY_USER}:${TELEMETRY_PASSWORD} PUT https://localhost:9696/policy/pdp/engine/lifecycle/state/ACTIVE" |
| 1147 | |
| 1148 | Bring up the PDP-D |
| 1149 | ~~~~~~~~~~~~~~~~~~ |
| 1150 | |
| 1151 | .. code-block:: bash |
| 1152 | |
| 1153 | docker run --rm -p 9696:9696 -v ${PWD}/config:/tmp/policy-install/config --env-file ${PWD}/env/env.conf -it --name PDPD -h pdpd nexus3.onap.org:10001/onap/policy-drools:1.6.3 |
| 1154 | |
| 1155 | To run the container in detached mode, add the *-d* flag. |
| 1156 | |
| 1157 | Note that in this command, we are opening the *9696* telemetry API port to the outside world, the config directory |
| 1158 | (where the *noop.pre.sh* customization script resides) is mounted as /tmp/policy-install/config, |
| 1159 | and the customization environment variables (*env/env.conf*) are passed into the container. |
| 1160 | |
| 1161 | To open a shell into the PDP-D: |
| 1162 | |
| 1163 | .. code-block:: bash |
| 1164 | |
| 1165 | docker exec -it pdp-d bash |
| 1166 | |
| 1167 | Once in the container, run tools such as *telemetry*, *db-migrator*, *policy* to look at the system state: |
| 1168 | |
| 1169 | To run the *telemetry shell* and other tools from the host: |
| 1170 | |
| 1171 | .. code-block:: bash |
| 1172 | |
| 1173 | docker exec -it PDPD bash -c "/opt/app/policy/bin/telemetry" |
| 1174 | docker exec -it PDPD bash -c "/opt/app/policy/bin/policy status" |
| 1175 | docker exec -it PDPD bash -c "/opt/app/policy/bin/db-migrator -s ALL -o report" |
| 1176 | |
| 1177 | Controlled instantiation of the PDP-D |
| 1178 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 1179 | |
| 1180 | Sometimes a developer may want to start and stop the PDP-D manually: |
| 1181 | |
| 1182 | .. code-block:: bash |
| 1183 | |
| 1184 | # start a bash |
| 1185 | |
| 1186 | docker run --rm -p 9696:9696 -v ${PWD}/config:/tmp/policy-install/config --env-file ${PWD}/env/env.conf -it --name PDPD -h pdpd nexus3.onap.org:10001/onap/policy-drools:1.6.3 bash |
| 1187 | |
| 1188 | # use this command to start policy applying host customizations from /tmp/policy-install/config |
| 1189 | |
| 1190 | pdpd-entrypoint.sh vmboot |
| 1191 | |
| 1192 | # or use this command to start policy without host customization |
| 1193 | |
| 1194 | policy start |
| 1195 | |
| 1196 | # at any time use the following command to stop the PDP-D |
| 1197 | |
| 1198 | policy stop |
| 1199 | |
| 1200 | # and this command to start the PDP-D back again |
| 1201 | |
| 1202 | policy start |
| 1203 | |
| 1204 | Running PDP-D with nexus and mariadb |
| 1205 | ==================================== |
| 1206 | |
| 1207 | *docker-compose* can be used to test the PDP-D with other components. This is an example configuration |
| 1208 | that brings up *nexus*, *mariadb* and the PDP-D (*docker-compose-pdp.yml*) |
| 1209 | |
| 1210 | docker-compose-pdp.yml |
| 1211 | ~~~~~~~~~~~~~~~~~~~~~~ |
| 1212 | |
| 1213 | .. code-block:: bash |
| 1214 | |
| 1215 | version: '3' |
| 1216 | services: |
| 1217 | mariadb: |
| 1218 | image: mariadb:10.2.25 |
| 1219 | container_name: mariadb |
| 1220 | hostname: mariadb |
| 1221 | command: ['--lower-case-table-names=1', '--wait_timeout=28800'] |
| 1222 | env_file: |
| 1223 | - ${PWD}/db/db.conf |
| 1224 | volumes: |
| 1225 | - ${PWD}/db:/docker-entrypoint-initdb.d |
| 1226 | ports: |
| 1227 | - "3306:3306" |
| 1228 | nexus: |
| 1229 | image: sonatype/nexus:2.14.8-01 |
| 1230 | container_name: nexus |
| 1231 | hostname: nexus |
| 1232 | ports: |
| 1233 | - "8081:8081" |
| 1234 | drools: |
| 1235 | image: nexus3.onap.org:10001/onap/policy-drools:1.6.3 |
| 1236 | container_name: drools |
| 1237 | depends_on: |
| 1238 | - mariadb |
| 1239 | - nexus |
| 1240 | hostname: drools |
| 1241 | ports: |
| 1242 | - "9696:9696" |
| 1243 | volumes: |
| 1244 | - ${PWD}/config:/tmp/policy-install/config |
| 1245 | env_file: |
| 1246 | - ${PWD}/env/env.conf |
| 1247 | |
| 1248 | with *${PWD}/db/db.conf*: |
| 1249 | |
| 1250 | db.conf |
| 1251 | ~~~~~~~ |
| 1252 | |
| 1253 | .. code-block:: bash |
| 1254 | |
| 1255 | MYSQL_ROOT_PASSWORD=secret |
| 1256 | MYSQL_USER=policy_user |
| 1257 | MYSQL_PASSWORD=policy_user |
| 1258 | |
| 1259 | and *${PWD}/db/db.sh*: |
| 1260 | |
| 1261 | db.sh |
| 1262 | ~~~~~ |
| 1263 | |
| 1264 | .. code-block:: bash |
| 1265 | |
| 1266 | for db in support onap_sdk log migration operationshistory10 pooling policyadmin operationshistory |
| 1267 | do |
| 1268 | mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};" |
| 1269 | mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;" |
| 1270 | done |
| 1271 | |
| 1272 | mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;" |
| 1273 | |
| 1274 | env.conf |
| 1275 | ~~~~~~~~ |
| 1276 | |
| 1277 | The environment file *env/env.conf* for *PDP-D* can be set up with appropriate variables to point to the *nexus* instance |
| 1278 | and the *mariadb* database: |
| 1279 | |
| 1280 | .. code-block:: bash |
| 1281 | |
| 1282 | # SYSTEM software configuration |
| 1283 | |
| 1284 | POLICY_HOME=/opt/app/policy |
| 1285 | POLICY_LOGS=/var/log/onap/policy/pdpd |
| 1286 | KEYSTORE_PASSWD=Pol1cy_0nap |
| 1287 | TRUSTSTORE_PASSWD=Pol1cy_0nap |
| 1288 | |
| 1289 | # Telemetry credentials |
| 1290 | |
| 1291 | TELEMETRY_PORT=9696 |
| 1292 | TELEMETRY_HOST=0.0.0.0 |
| 1293 | TELEMETRY_USER=demo@people.osaaf.org |
| 1294 | TELEMETRY_PASSWORD=demo123456! |
| 1295 | |
| 1296 | # nexus repository |
| 1297 | |
| 1298 | SNAPSHOT_REPOSITORY_ID=policy-nexus-snapshots |
| 1299 | SNAPSHOT_REPOSITORY_URL=http://nexus:8081/nexus/content/repositories/snapshots/ |
| 1300 | RELEASE_REPOSITORY_ID=policy-nexus-releases |
| 1301 | RELEASE_REPOSITORY_URL=http://nexus:8081/nexus/content/repositories/releases/ |
| 1302 | REPOSITORY_USERNAME=admin |
| 1303 | REPOSITORY_PASSWORD=admin123 |
| 1304 | REPOSITORY_OFFLINE=false |
| 1305 | |
| 1306 | MVN_SNAPSHOT_REPO_URL=https://nexus.onap.org/content/repositories/snapshots/ |
| 1307 | MVN_RELEASE_REPO_URL=https://nexus.onap.org/content/repositories/releases/ |
| 1308 | |
| 1309 | # Relational (SQL) DB access |
| 1310 | |
| 1311 | SQL_HOST=mariadb |
| 1312 | SQL_USER=policy_user |
| 1313 | SQL_PASSWORD=policy_user |
| 1314 | |
| 1315 | # AAF |
| 1316 | |
| 1317 | AAF=false |
| 1318 | AAF_NAMESPACE=org.onap.policy |
| 1319 | AAF_HOST=aaf.api.simpledemo.onap.org |
| 1320 | |
| 1321 | # PDP-D DMaaP configuration channel |
| 1322 | |
| 1323 | PDPD_CONFIGURATION_TOPIC=PDPD-CONFIGURATION |
| 1324 | PDPD_CONFIGURATION_API_KEY= |
| 1325 | PDPD_CONFIGURATION_API_SECRET= |
| 1326 | PDPD_CONFIGURATION_CONSUMER_GROUP= |
| 1327 | PDPD_CONFIGURATION_CONSUMER_INSTANCE= |
| 1328 | PDPD_CONFIGURATION_PARTITION_KEY= |
| 1329 | |
| 1330 | # PAP-PDP configuration channel |
| 1331 | |
| 1332 | POLICY_PDP_PAP_TOPIC=POLICY-PDP-PAP |
| 1333 | POLICY_PDP_PAP_API_KEY= |
| 1334 | POLICY_PDP_PAP_API_SECRET= |
| 1335 | |
| 1336 | # DMaaP |
| 1337 | |
| 1338 | DMAAP_SERVERS=localhost |
| 1339 | |
| 1340 | prepare.pre.sh |
| 1341 | ~~~~~~~~~~~~~~ |
| 1342 | |
| 1343 | A pre-start script *config/prepare.pres.sh"can be added the custom config directory |
| 1344 | to prepare the PDP-D to activate the distributed-locking feature (using the database) |
| 1345 | and to use "noop" topics instead of *dmaap* topics: |
| 1346 | |
| 1347 | .. code-block:: bash |
| 1348 | |
| 1349 | #!/bin/bash |
| 1350 | |
| 1351 | bash -c "/opt/app/policy/bin/features enable distributed-locking" |
| 1352 | sed -i "s/^dmaap/noop/g" $POLICY_HOME/config/*.properties |
| 1353 | |
| 1354 | active.post.sh |
| 1355 | ~~~~~~~~~~~~~~ |
| 1356 | |
| 1357 | A post-start script *config/active.post.sh* can place PDP-D in *active* mode at initialization: |
| 1358 | |
| 1359 | .. code-block:: bash |
| 1360 | |
| 1361 | bash -c "http --verify=no -a ${TELEMETRY_USER}:${TELEMETRY_PASSWORD} PUT https://localhost:9696/policy/pdp/engine/lifecycle/state/ACTIVE" |
| 1362 | |
| 1363 | Bring up the PDP-D, nexus, and mariadb |
| 1364 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ |
| 1365 | |
| 1366 | To bring up the containers: |
| 1367 | |
| 1368 | .. code-block:: bash |
| 1369 | |
| 1370 | docker-compose -f docker-compose-pdpd.yaml up -d |
| 1371 | |
| 1372 | To take it down: |
| 1373 | |
| 1374 | .. code-block:: bash |
| 1375 | |
| 1376 | docker-compose -f docker-compose-pdpd.yaml down -v |
| 1377 | |
| 1378 | Other examples |
| 1379 | ~~~~~~~~~~~~~~ |
| 1380 | |
| 1381 | The reader can also look at the `integration/csit repository <https://git.onap.org/integration/csit>`__. |
| 1382 | More specifically, these directories have examples of other PDP-D configurations: |
| 1383 | |
| 1384 | * `plans <https://git.onap.org/integration/csit/tree/plans/policy/drools-pdp>`__: startup scripts. |
| 1385 | * `scripts <https://git.onap.org/integration/csit/tree/scripts/policy/docker-compose-drools.yml>`__: docker-compose related files. |
| 1386 | * `plans <https://git.onap.org/integration/csit/tree/tests/policy/drools-pdp>`__: test plan. |
| 1387 | |
| 1388 | Configuring the PDP-D in an OOM Kubernetes installation |
| 1389 | ======================================================= |
| 1390 | |
| 1391 | The `PDP-D OOM chart <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools>`__ can be |
| 1392 | customized at the following locations: |
| 1393 | |
| 1394 | * `values.yaml <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/values.yaml>`__: custom values for your installation. |
| 1395 | * `configmaps <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/resources/configmaps>`__: place in this directory any configuration extensions or overrides to customize the PDP-D that does not contain sensitive information. |
| 1396 | * `secrets <https://git.onap.org/oom/tree/kubernetes/policy/charts/drools/resources/secrets>`__: place in this directory any configuration extensions or overrides to customize the PDP-D that does contain sensitive information. |
| 1397 | |
| 1398 | The same customization techniques described in the docker sections for PDP-D, fully apply here, by placing the corresponding |
| 1399 | files or scripts in these two directories. |
| 1400 | |
| 1401 | Additional information |
| 1402 | ====================== |
| 1403 | |
| 1404 | For additional information, please see the |
| 1405 | `Drools PDP Development and Testing (In Depth) <https://wiki.onap.org/display/DW/2020+Frankfurt+Tutorials>`__ page. |