.. This work is licensed under a Creative Commons Attribution 4.0 International License.
.. http://creativecommons.org/licenses/by/4.0

************************
Using guard in the PDP-D
************************

This guide explains how to configure and test the guard connection from the PDP-D to the PDP-X. It assumes that the PDP-D is installed, that policy is running properly, and that the other properties are set correctly.

Stop policy, then open and verify the configuration:

- Stop policy with *policy stop*
- Open *$POLICY_HOME/config/controlloop.properties.environment*
- Make sure the *sql.db.host*, *sql.db.username* and *sql.db.password* are set correctly

**guard.url** - URL endpoint of the PDP-X which will receive the request.

- For example, *http://pdp:8081/pdp/api/getDecision* will connect to the localhost PDP-X.
- This request requires the PDP-X properties below to be configured.
- For testing this URL before running policy, see Verification below.

**guard.jdbc.url** - URL of the database location to which the operations history will be written.

- For example, *jdbc:mariadb://mariadb:3306/onap_sdk*.
- Note that the port is included.
- Note that the database name is used at the end.

**guard.disabled** - Enables or disables guard functionality.

- For example, to enable guard, set it to false.
- When this is set to true, the previous two properties will be ignored.
- If guard is enabled, then the following PDP-X properties must also be set.

For testing these properties before running policy, see Verification below.

**pdpx.host** - URL of the PDP-X

- For example, *pdp* can be used when PDP-X is on localhost.

**pdpx.username** - User to authenticate

**pdpx.password** - User password

**pdpx.environment** - Environment making requests

**pdpx.client.username** - Client to authenticate

**pdpx.client.password** - Client password

It is recommended to test using CLI tools before running policy, since changing bash command parameters is faster than restarting policy.

Checking the logs is straightforward. Search the *$POLICY_HOME/logs/error.log* file for the word "*callRESTfulPDP*" to find any exceptions thrown. If exceptions were thrown, there was a problem with the connection.
You can also search the *$POLICY_HOME/logs/network.log* file for the word "*Indeterminate*", which implies that the connection failed or returned a non-200 response code.

It can be helpful to test the PDP-X connection using bash commands to make sure that the PDP-X properties and the guard.url property are correct before running policy.

**Method 1: httpie - CLI, cURL-like tool for humans**

Using the http command we can make a request directly to PDP-X from the command line. Use the following form:

.. code-block:: bash

    http POST pdp:8081/pdp/api/getDecision \
        Authorization:<yourAuth> ClientAuth:<yourClientAuth> \
        Environment:<environment> Content-Type:application/json < guard_request.json

| *<yourAuth>* is the string generated from user:pass converted to base64 encoding
| (a conversion tool is available at https://www.base64encode.org/)
| *<yourClientAuth>* is generated the same way but from the client user and pass.
| *<environment>* is the context of the request. For example: TEST
| *pdp* is the host of the PDP-X

The guard_request.json should be in the form of the following:

.. code-block:: json
   :caption: guard_request.json

   "decisionAttributes": {

* This request uses Basic Access Authentication.
* This request will need further configuration if you are using a proxy.

The connection is successful when a response containing “PERMIT” or “DENY” in uppercase is returned, as follows:

.. code-block:: json

    {
      "decision": "PERMIT",
      "details": "Decision Permit. OK!"
    }

This method does the same as the http command but uses curl instead. The command should have the following form:

.. code-block:: bash

    curl -u <user>:<pass> -H "Content-Type: application/json" -H "ClientAuth:<yourClientAuth>" \
        -H "Environment:<environment>" -X POST -d @guard_request.json pdp:8081/pdp/api/getDecision

* Note that <user> and <pass> are in plain text, while the other headers follow the same form as in Method 1 above.
* This request will need further configuration if you are using a proxy.
* The response is the same as in Method 1.

* If a proxy is being used, JVM system properties should be set to make the connection work with policy.
* With improper proxy authentication, the connection may succeed but return response code 401 or 403, which leads to "Indeterminate".
* Additionally, the CLI tools have specific proxy configuration. See their respective manual pages for more info.

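The verification steps above as an added shell example (not part of the original guide or the ONAP code base): ``basic_token`` computes the *<yourAuth>* and *<yourClientAuth>* values on the local host, so credentials never have to be pasted into an online converter, and ``guard_log_check`` searches the two log files for the failure markers. The function names, the ``user``/``pass`` placeholder credentials and the sample log lines are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: helper names and sample log lines are constructed.

# Base64 of "user:pass" (the page's <yourAuth> / <yourClientAuth>), computed
# on this host. printf avoids encoding a trailing newline; tr removes the
# line wrapping that base64 applies to long inputs.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Print the number of lines in file $2 that contain marker $1 (0 if unreadable).
count_marker() {
    [ -r "$2" ] || { echo 0; return 0; }
    grep -c -- "$1" "$2" || true
}

# Run both log checks against log directory $1 ($POLICY_HOME/logs).
# Returns 0 when neither failure marker is present, 1 otherwise.
guard_log_check() {
    exc=$(count_marker 'callRESTfulPDP' "$1/error.log")
    ind=$(count_marker 'Indeterminate' "$1/network.log")
    echo "error.log callRESTfulPDP=$exc, network.log Indeterminate=$ind"
    [ "$exc" -eq 0 ] && [ "$ind" -eq 0 ]
}

# Constructed sample logs (not real PDP-D output) to exercise the check.
make_sample_logs() {
    sample_dir=$(mktemp -d)
    echo 'ERROR callRESTfulPDP ConnectException (constructed)' > "$sample_dir/error.log"
    echo 'INFO guard decision: Indeterminate (constructed)' > "$sample_dir/network.log"
    echo "$sample_dir"
}

# Demo with placeholder credentials; use the pdpx.* values on a real host.
echo "yourAuth=$(basic_token user pass)"
demo_dir=$(make_sample_logs)
guard_log_check "$demo_dir" || echo "guard connection problem: check guard.url and pdpx.* properties"
rm -rf "$demo_dir"
```

On a running PDP-D, call ``guard_log_check "$POLICY_HOME/logs"`` after a test request; a non-zero exit status means at least one of the two markers was found.
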
.. SSNote: Wiki page ref. https://wiki.onap.org/display/DW/Using+guard+in+the+PDP-D