This tutorial shows how to build a XACML application for a Policy Type. Please be sure to clone the
policy repositories before going through the tutorial. See :ref:`policy-development-tools-label` for details.
-
Design a Policy Type
********************
Follow :ref:`TOSCA Policy Primer <tosca-label>` for more information. For the tutorial, we will use
this example Policy Type in which an ONAP PEP client would like to enforce an action **authorize**
-for a *user* to execute a *permission* on an *entity*.
+for a *user* to execute a *permission* on an *entity*. `See here for latest Tutorial Policy Type <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/src/test/resources/tutorial-policy-type.yaml>`_.
.. literalinclude:: tutorial/tutorial-policy-type.yaml
:language: yaml
We would expect then to be able to create the following policies to allow the demo user to Read/Write
an entity called foo, while the audit user can only read the entity called foo. Neither user has Delete
-permission.
+permission. `See here for latest Tutorial Policies <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/src/test/resources/tutorial-policies.yaml>`_.
.. literalinclude:: tutorial/tutorial-policies.yaml
:language: yaml
:caption: Example Decision Request
:linenos:
-For simplicity, we expect only a *Permit* or *Deny* in the Decision Response.
+For simplicity, this tutorial expects only a *Permit* or *Deny* in the Decision Response. However, one could
+customize the Decision Response object and send back whatever information is desired.
.. literalinclude:: tutorial/tutorial-decision-response.json
:language: JSON
Create A Maven Project
**********************
-This part of the tutorial assumes you understand how to use Eclipse to create a Maven
-project. Please follow any examples for the Eclipse installation you have to create
-an empty application. For the tutorial, use groupId *org.onap.policy.tutorial* and artifactId
-*tutorial*.
-
-.. image:: tutorial/images/eclipse-create-maven.png
-
-.. image:: tutorial/images/eclipse-maven-project.png
-
-Be sure to import the policy/xacml-pdp project into Eclipse.
-
-.. image:: tutorial/images/eclipse-import.png
+Use whatever tool or environment to create your application project. This tutorial assumes you use Maven to build it.
Add Dependencies Into Application pom.xml
*****************************************
+Here we import the XACML PDP Application common dependency which has the interfaces we need to implement. In addition,
+we are importing a testing dependency that has common code for producing a JUnit test.
+
.. code-block:: java
:caption: pom.xml dependencies
<dependency>
<groupId>org.onap.policy.xacml-pdp.applications</groupId>
<artifactId>common</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.3.3</version>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.policy.xacml-pdp</groupId>
+ <artifactId>xacml-test</artifactId>
+ <version>2.3.3</version>
+ <scope>test</scope>
</dependency>
Create META-INF to expose Java Service
The name of the file must match **org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider**
and the contents of the file is one line **org.onap.policy.tutorial.tutorial.TutorialApplication**.
-.. image:: tutorial/images/eclipse-meta-inf.png
+.. code-block:: java
+ :caption: META-INF/services/org.onap.policy.pdp.xacml.application.common.XacmlApplicationServiceProvider
+
+ org.onap.policy.tutorial.tutorial.TutorialApplication
+
Create A Java Class That Extends **StdXacmlApplicationServiceProvider**
***********************************************************************
will get a lot of implementation done for your application up front. All
that needs to be implemented is providing a custom translator.
-.. image:: tutorial/images/eclipse-inherit-app.png
-
.. code-block:: java
:caption: Custom Tutorial Application Service Provider
:emphasize-lines: 6
on the user and action. It will then have one or more rules for each entity and permission combination. The
default combining algorithm for the XACML Rules are to "Deny Unless Permit".
+`See the tutorial example for details on how the translator is implemented <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java>`_. Note that in the Tutorial Translator, it also shows how a developer could extend the translator to return or act upon obligations, advice and attributes.
+
.. Note::
There are many ways to build the policy based on the attributes. How to do so is a matter of experience and
fine tuning using the many options for combining algorithms, target and/or condition matching and the rich set of
functions available.
-Here is one implementation example:
-
-.. literalinclude:: tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialTranslator.java
- :caption: Example Translator Implementation
- :linenos:
-
Use the TutorialTranslator in the TutorialApplication
*****************************************************
Be sure to go back to the TutorialApplication and create an instance of the translator to return to the
StdXacmlApplicationServiceProvider. The StdXacmlApplicationServiceProvider uses the translator to convert
-a policy when a new policy is deployed to the ONAP XACML PDP Engine.
+a policy when a new policy is deployed to the ONAP XACML PDP Engine. `See the Tutorial Application Example <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/src/main/java/org/onap/policy/tutorial/tutorial/TutorialApplication.java>`_.
.. code-block:: java
:caption: Final TutorialApplication Class
:linenos:
- :emphasize-lines: 37
-
- package org.onap.policy.tutorial.tutorial;
-
- import java.util.Arrays;
- import java.util.List;
-
- import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier;
- import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator;
- import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServiceProvider;
-
- public class TutorialApplication extends StdXacmlApplicationServiceProvider {
-
- private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier();
- private final TutorialTranslator translator = new TutorialTranslator();
-
- @Override
- public String applicationName() {
- return "tutorial";
- }
-
- @Override
- public List<String> actionDecisionsSupported() {
- return Arrays.asList("authorize");
- }
-
- @Override
- public synchronized List<ToscaPolicyTypeIdentifier> supportedPolicyTypes() {
- return Arrays.asList(supportedPolicyType);
- }
-
- @Override
- public boolean canSupportPolicyType(ToscaPolicyTypeIdentifier policyTypeId) {
- return supportedPolicyType.equals(policyTypeId);
+ :emphasize-lines: 38
+
+ package org.onap.policy.tutorial.tutorial;
+
+ import java.util.Arrays;
+ import java.util.List;
+ import org.onap.policy.models.tosca.authorative.concepts.ToscaPolicyTypeIdentifier;
+ import org.onap.policy.pdp.xacml.application.common.ToscaPolicyTranslator;
+ import org.onap.policy.pdp.xacml.application.common.std.StdXacmlApplicationServiceProvider;
+
+ public class TutorialApplication extends StdXacmlApplicationServiceProvider {
+
+ private final ToscaPolicyTypeIdentifier supportedPolicyType =
+ new ToscaPolicyTypeIdentifier("onap.policies.Authorization", "1.0.0");
+ private final TutorialTranslator translator = new TutorialTranslator();
+
+ @Override
+ public String applicationName() {
+ return "tutorial";
+ }
+
+ @Override
+ public List<String> actionDecisionsSupported() {
+ return Arrays.asList("authorize");
+ }
+
+ @Override
+ public synchronized List<ToscaPolicyTypeIdentifier> supportedPolicyTypes() {
+ return Arrays.asList(supportedPolicyType);
+ }
+
+ @Override
+ public boolean canSupportPolicyType(ToscaPolicyTypeIdentifier policyTypeId) {
+ return supportedPolicyType.equals(policyTypeId);
+ }
+
+ @Override
+ protected ToscaPolicyTranslator getTranslator(String type) {
+ return translator;
+ }
+
}
- @Override
- protected ToscaPolicyTranslator getTranslator(String type) {
- return translator;
- }
-
- }
-
Create a XACML Request from ONAP Decision Request
*************************************************
The easiest way to do this is to use the annotations feature from XACML PDP library to create an example XACML
request. Then create an instance and simply populate it from an incoming ONAP Decision Request.
-.. image: tutorial/images/eclipse-create-request.png
-
-.. literalinclude:: tutorial/app/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java
- :caption: Example Decision Request to Decision Response Implementation
- :linenos:
+.. code-block:: java
+ :caption: Final TutorialApplication Class
+
+ import com.att.research.xacml.std.annotations.XACMLAction;
+ import com.att.research.xacml.std.annotations.XACMLRequest;
+ import com.att.research.xacml.std.annotations.XACMLResource;
+ import com.att.research.xacml.std.annotations.XACMLSubject;
+ import java.util.Map;
+ import java.util.Map.Entry;
+ import lombok.Getter;
+ import lombok.Setter;
+ import lombok.ToString;
+ import org.onap.policy.models.decisions.concepts.DecisionRequest;
+
+ @Getter
+ @Setter
+ @ToString
+ @XACMLRequest(ReturnPolicyIdList = true)
+ public class TutorialRequest {
+ @XACMLSubject(includeInResults = true)
+ private String onapName;
+
+ @XACMLSubject(attributeId = "urn:org:onap:onap-component", includeInResults = true)
+ private String onapComponent;
+
+ @XACMLSubject(attributeId = "urn:org:onap:onap-instance", includeInResults = true)
+ private String onapInstance;
+
+ @XACMLAction()
+ private String action;
+
+ @XACMLResource(attributeId = "urn:org:onap:tutorial-user", includeInResults = true)
+ private String user;
+
+ @XACMLResource(attributeId = "urn:org:onap:tutorial-entity", includeInResults = true)
+ private String entity;
+
+ @XACMLResource(attributeId = "urn:org:onap:tutorial-permission", includeInResults = true)
+ private String permission;
+
+ /**
+ * createRequest.
+ *
+ * @param decisionRequest Incoming
+ * @return TutorialRequest object
+ */
+ public static TutorialRequest createRequest(DecisionRequest decisionRequest) {
+ //
+ // Create our object
+ //
+ TutorialRequest request = new TutorialRequest();
+ //
+ // Add the subject attributes
+ //
+ request.onapName = decisionRequest.getOnapName();
+ request.onapComponent = decisionRequest.getOnapComponent();
+ request.onapInstance = decisionRequest.getOnapInstance();
+ //
+ // Add the action attribute
+ //
+ request.action = decisionRequest.getAction();
+ //
+ // Add the resource attributes
+ //
+ Map<String, Object> resources = decisionRequest.getResource();
+ for (Entry<String, Object> entrySet : resources.entrySet()) {
+ if ("user".equals(entrySet.getKey())) {
+ request.user = entrySet.getValue().toString();
+ }
+ if ("entity".equals(entrySet.getKey())) {
+ request.entity = entrySet.getValue().toString();
+ }
+ if ("permission".equals(entrySet.getKey())) {
+ request.permission = entrySet.getValue().toString();
+ }
+ }
+
+ return request;
+ }
+ }
+`See the Tutorial Request <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/src/main/java/org/onap/policy/tutorial/tutorial/TutorialRequest.java>`_
-Create xacml.properties for the XACML PDP engine to use
-*******************************************************
-In the applications *src/test/resources* directory, create a xacml.properties file that will be used by the embedded
-XACML PDP Engine when loading.
+Create a JUnit and use the TestUtils.java class in xacml-test dependency
+************************************************************************
+Be sure to create a JUnit that will test your translator and application code. You can utilize a TestUtils.java
+class from the policy/xamcl-pdp repo's xacml-test submodule to use some utility methods for building the JUnit test.
-.. literalinclude:: tutorial/tutorial-xacml.properties
- :caption: Example xacml.properties file
- :linenos:
- :emphasize-lines: 20, 25
+Build the code and run the JUnit test. Its easiest to run it via a terminal command line using maven commands.
-Create a JUnit and use the TestUtils.java class in application/common
-*********************************************************************
-Using Eclipse, create a JUnit and be sure to add a setup() method stub. Here you will be utilizing a TestUtils.java
-class from the policy/xamcl-pdp repo's application/common submodule to use some utility methods for building the JUnit test.
+.. code-block:: bash
+ :caption: Running Maven Commands
+ :linenos:
-.. image: tutorial/images/eclipse-junit-create.png
+ > mvn clean install
-Copy the TOSCA Policy Type :download:`link <tutorial/tutorial-policy-type.yaml>` and the TOSCA Policies :download:`link <tutorial/tutorial-policies.yaml>`
-into the src/test/resources directory.
-We will create a temporary folder which is used by the **StdXacmlApplicationServiceProvider** to store working copies of policies as they are loaded
-into the application.
+Download Tutorial Application Example
+*************************************
-.. literalinclude:: tutorial/app/src/test/java/org/onap/policy/tutorial/tutorial/TutorialApplicationTest.java
- :caption: Example Translator Implementation
- :linenos:
+If you clone the XACML-PDP repo, the tutorial is included for local testing without building your own.
-Run the JUnit test!!
+`Tutorial code located in xacml-pdp repo <https://github.com/onap/policy-xacml-pdp/tree/master/tutorials/tutorial-xacml-application>`_
-Where To Go From Here
-*********************
-Once you have created enough JUnit tests that test the TutorialTranslator.java and TutorialRequest.java classes, you are ready to now make your
-application available to the ONAP XACML PDP Engine. These steps are covered in another tutorial.
+There are instructions on the repo to run the Policy Framework components locally and test the tutorial out using Docker.
+`Docker Instructions <https://github.com/onap/policy-xacml-pdp/tree/master/tutorials/tutorial-xacml-application/src/main/docker>`_
+In addition, there is a POSTMAN collection available for setting up and running tests against a
+running instance of ONAP Policy Components (api, pap, dmaap-simulator, tutorial-xacml-pdp).
+`POSTMAN collection for testing <https://github.com/onap/policy-xacml-pdp/blob/master/tutorials/tutorial-xacml-application/postman/PolicyApplicationTutorial.postman_collection.json>`_
Code Review / policy / parent.git / blobdiff