.. toctree::
:maxdepth: 2
-The ONAP XACML Policy PDP Engine uses an `open source implementation <https://github.com/att/XACML>`__ of the `OASIS XACML 3.0 Standard <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml>`__ to support fine-grained policy decisions in the ONAP. The XACML 3.0 Standard is a language for both policies and requests/responses for access control decisions. The ONAP XACML PDP translates TOSCA Compliant Policies into the XACML policy language, loads the policies into the XACML engine and exposes a Decision API which uses the XACML request/response language to render decisions for ONAP components.
+The ONAP XACML Policy PDP Engine uses an `open source implementation <https://github.com/att/xacml-3.0>`__ of the `OASIS XACML 3.0 Standard <https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=xacml>`__ to support fine-grained policy decisions in the ONAP. The XACML 3.0 Standard is a language for both policies and requests/responses for access control decisions. The ONAP XACML PDP translates TOSCA Compliant Policies into the XACML policy language, loads the policies into the XACML engine and exposes a Decision API which uses the XACML request/response language to render decisions for ONAP components.
ONAP XACML PDP Supported Policy Types
*************************************
"Optimization", "onap.policies.Optimization", "optimize", "Optimization policy types used by OOF"
"Naming", "onap.policies.Naming", "naming", "Naming policy types used by SDNC"
"Native", "onap.policies.native.Xacml", "native", "Native XACML Policies"
+ "Match", "onap.policies.Match", "native", "Matchable Policy Types for the ONAP community to use"
Each Policy Type is implemented as an application that extends the **XacmlApplicationServiceProvider**, and provides a **ToscaPolicyTranslator** that translates the TOSCA representation of the policy into a XACML OASIS 3.0 standard policy.
The Monitoring and Naming applications use this translator.
+.. _xacml-matchable-label:
+
StdMatchableTranslator Translator
---------------------------------
More robust translator that searches metadata of TOSCA properties for a **matchable** field set to **true**. The translator then uses those "matchable" properties to translate a policy into a XACML OASIS 3.0 policy which allows for fine-grained decision making such that ONAP applications can retrieve the appropriate policy(s) to be enforced during runtime.
`Implementation of Coordination Translator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/CoordinationGuardTranslator.java>`_
Native XACML OAISIS 3.0 XML Policy Translator
------------------------------------------------
+---------------------------------------------
This translator pulls a URL encoded XML XACML policy from a TOSCA Policy and loads it into a XACML Engine. This allows native XACML policies to be used to support complex use cases in which a translation from TOSCA to XACML is too difficult.
.. literalinclude:: decision.native.json
:language: JSON
+Match Policy Type
+=================
+
+This Policy type can be used to design your own Policy Type and utilize the :ref:`StdMatchableTranslator <xacml-matchable-label>`, and does not need to build your own custom application. You can design your Policy Type by inheriting from the Match policy type (eg. onap.policies.match.<YourPolicyType>) and adding a **matchable** metadata set to **true** for the properties that you would like to request a Decision on. All a user would need to do is then use the Policy Lifecycle API to add their Policy Type and then create policies from it. Then deploy those policies to the XACML PDP and they would be able to get Decisions without customizing their ONAP installation.
+
+Here is an example Policy Type:
+
+.. literalinclude:: match.policy-type.yaml
+ :language: YAML
+
+Here are example Policies:
+
+.. literalinclude:: match.policies.yaml
+ :language: YAML
+
+This is an example Decision API request that can be made:
+
+.. literalinclude:: decision.match.request.json
+ :language: JSON
+
+Which would render the following decision response:
+
+.. literalinclude:: decision.match.response.json
+ :language: JSON
+
+Overriding or Extending the ONAP XACML PDP Supported Policy Types
+*****************************************************************
+
+It is possible to extend or replace one or more of the existing ONAP application implementations with your own. Since the XACML application loader uses the java.util.Service class to search the classpath to find and load applications, it may be necessary via the configuration file to exclude the ONAP packaged applications in order for your custom application to be loaded. This can be done via the configuration file by adding an **exclusions** property with a list of the Java class names you wish to exclude.
+
+`A configuration file example is located here <https://github.com/onap/policy-xacml-pdp/blob/7711185bb36b387e3596653ca170262f919ff474/main/src/test/resources/parameters/XacmlPdpConfigParameters_Exclusions.json#L19>`_
+
+A coding example is available in the JUnit test for the Application Manager called `testXacmlPdpApplicationManagerSimple <https://github.com/onap/policy-xacml-pdp/blob/7711185bb36b387e3596653ca170262f919ff474/main/src/test/java/org/onap/policy/pdpx/main/rest/XacmlPdpApplicationManagerTest.java#L143>`_. This example demonstrates how to exclude the Match and Guard applications while verifying a custom `TestGuardOverrideApplication <https://github.com/onap/policy-xacml-pdp/blob/master/main/src/test/java/org/onap/policy/pdpx/main/rest/TestGuardOverrideApplication.java>`_ class is loaded and associated with the **guard** action. Thus, replacing and extending the guard application.
+
+Note that this XACML PDP feature is exclusive to the XACML PDP and is secondary to the ability of the PAP to group PDP's and declare which Policy Types are supported by a PDP group. For example, even if a PDP group excludes a Policy Type for a XACML PDP, this simply prevents policies being deployed to that group using the PAP Deployment API. If there is no **exclusions** in the configuration file, then any application will be loaded that it is in the classpath. If needed, one could use both PDP group Policy Type supported feature **and** the exclusions configuration to completely restrict which Policy Types as well as which applications are loaded at runtime.
+
+For more information on PDP groups and setting supported Policy Types, please refer to the :ref:`PAP Documentation <pap-label>`
+
Supporting Your Own Policy Types and Translators
************************************************
ToscaPolicyTranslator
=====================
-Your custom **XacmlApplicationServiceProvider** must provide an implementation of a *ToscaPolicyTranslator*.
+Your custom **XacmlApplicationServiceProvider** must provide an implementation of a **ToscaPolicyTranslator**.
`Interface for ToscaPolicyTranslator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaPolicyTranslator.java>`_
-See each of the ONAP Policy type application implementations which each have their own *ToscaPolicyTranslator*. Most use or extend the **StdBaseTranslator**.
+See each of the ONAP Policy type application implementations which each have their own *ToscaPolicyTranslator*. Most use or extend the **StdBaseTranslator** which contain methods that applications can use to support XACML obligations, advice as well as return attributes to the calling client applications via the **DecisionResponse**.
-`Standard Tosca Policy Translator implementation <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdBaseTranslator.java>`.
+`Standard Tosca Policy Translator implementation <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdBaseTranslator.java>`_.
-XACML Application Tutorial
-==========================
+XACML Application and Enforcement Tutorials
+===========================================
-The following tutorial can be helpful to get started:
+The following tutorials can be helpful to get started on building your own decision application as well as building enforcement into your application. They also show how to build and extend both the **XacmlApplicationServiceProvider** and **ToscaPolicyTranslator** classes.
.. toctree::
:maxdepth: 1
xacml-tutorial
-
-Once your application is developed and the ONAP XACML PDP Engine can find your application via setting the classpath appropriately, then use the :ref:`PAP REST API <pap-label>` to ensure the ONAP XACML PDP is registering your custom Policy Type with the PAP. Once successful, then you should be able to start deploying the created policies to the XACML PDP Engine.
+ xacml-tutorial-enforcement
Code Review / policy / parent.git / blobdiff