--- /dev/null
+{
+ "info": {
+ "_postman_id": "20eb42db-f0a7-4b65-8ccd-c3a5f56cb526",
+ "name": "Policy Application Tutorial",
+ "description": "Collection of Postman API calls to support the Policy Enforcement Tutorial",
+ "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+ },
+ "item": [
+ {
+ "name": "Api Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/healthcheck",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Create Authorization Policy Type",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/yaml"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/yaml"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\npolicy_types:\n onap.policies.Authorization:\n derived_from: tosca.policies.Root\n version: 1.0.0\n description: Example tutorial policy type for doing user authorization\n properties:\n user:\n type: string\n required: true\n description: The unique user name\n permissions:\n type: list\n required: true\n description: A list of resource permissions\n entry_schema:\n type: onap.datatypes.Tutorial\ndata_types:\n onap.datatypes.Tutorial:\n derived_from: tosca.datatypes.Root\n version: 1.0.0\n properties:\n entity:\n type: string\n required: true\n description: The resource\n permission:\n type: string\n required: true\n description: The permission level\n constraints:\n - valid_values: [read, write, delete]\n",
+ "options": {
+ "raw": {
+ "language": "text"
+ }
+ }
+ },
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "policytypes"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Create policies",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/yaml"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/yaml"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "tosca_definitions_version: tosca_simple_yaml_1_1_0\ntopology_template:\n policies:\n -\n onap.policy.tutorial.demo:\n type: onap.policies.Authorization\n type_version: 1.0.0\n version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.demo\n policy-version: 1\n properties:\n user: demo\n permissions:\n -\n entity: foo\n permission: read\n -\n entity: foo\n permission: write\n -\n onap.policy.tutorial.audit:\n type: onap.policies.Authorization\n version: 1.0.0\n type_version: 1.0.0\n metadata:\n policy-id: onap.policy.tutorial.bar\n policy-version: 1\n properties:\n user: audit\n permissions:\n -\n entity: foo\n permission: read\n",
+ "options": {
+ "raw": {
+ "language": "text"
+ }
+ }
+ },
+ "url": {
+ "raw": "{{POLICY-API-URL}}/policy/api/v1/policytypes/onap.policies.Authorization/versions/1.0.0/policies",
+ "host": [
+ "{{POLICY-API-URL}}"
+ ],
+ "path": [
+ "policy",
+ "api",
+ "v1",
+ "policytypes",
+ "onap.policies.Authorization",
+ "versions",
+ "1.0.0",
+ "policies"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PAP Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/healthcheck",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PAP Get PDPs",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "PdpGroup State Change PASSIVE",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "PUT",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ },
+ {
+ "key": "Accept",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup?state=PASSIVE",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "defaultGroup"
+ ],
+ "query": [
+ {
+ "key": "state",
+ "value": "PASSIVE"
+ }
+ ]
+ },
+ "description": "This is an API to change the current state of a PdpGroup (example - \"defaultGroup\") resulting in changing state of all the PDP instances registered with the PdpGroup. As of now, the allowed states are ACTIVE and PASSIVE."
+ },
+ "response": []
+ },
+ {
+ "name": "Delete PdpGroup",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "DELETE",
+ "header": [
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/defaultGroup",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "defaultGroup"
+ ]
+ },
+ "description": "This is an API to delete a specific PdpGroup (example - \"SampleGroup\") currently available in Policy DB, resulting in removing all the PDP instances registered with the group."
+ },
+ "response": []
+ },
+ {
+ "name": "Create/Update PdpGroup",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"groups\": [\n {\n \"name\": \"defaultGroup\",\n \"pdpGroupState\": \"ACTIVE\",\n \"properties\": {},\n \"pdpSubgroups\": [\n {\n \"pdpType\": \"xacml\",\n \"desiredInstanceCount\": 1,\n \"properties\": {},\n \"supportedPolicyTypes\": [\n {\n \"name\": \"onap.policies.Authorization\",\n \"version\": \"1.0.0\"\n }\n ],\n \"policies\": []\n }\n ]\n }\n ]\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/groups/batch",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "groups",
+ "batch"
+ ]
+ },
+ "description": "This is a generic API to create/update PdpGroups in Policy DB. However, the supportedPolicyTypes field of PdpSubGroup cannot be changed once created."
+ },
+ "response": []
+ },
+ {
+ "name": "Simple Deploy Policy - onap.policy.tutorial.demo",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\r\n \"policies\" : [\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.demo\",\r\n \"policy-version\": \"1.0.0\"\r\n },\r\n {\r\n \"policy-id\": \"onap.policy.tutorial.audit\",\r\n \"policy-version\": \"1.0.0\"\r\n }\r\n ]\r\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "policies"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Dmaap Simulator - Policy Update Notification",
+ "protocolProfileBehavior": {
+ "disableBodyPruning": true
+ },
+ "request": {
+ "auth": {
+ "type": "noauth"
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": ""
+ },
+ "url": {
+ "raw": "{{DMAAP-URL}}/events/POLICY-NOTIFICATION/group/id?timeout=5000",
+ "host": [
+ "{{DMAAP-URL}}"
+ ],
+ "path": [
+ "events",
+ "POLICY-NOTIFICATION",
+ "group",
+ "id"
+ ],
+ "query": [
+ {
+ "key": "timeout",
+ "value": "5000"
+ }
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Healthcheck",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/healthcheck",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "healthcheck"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Statistics",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "GET",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/statistics",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "statistics"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Xacml Decision - Authorization policy-type",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "POST",
+ "header": [
+ {
+ "key": "Content-Type",
+ "type": "text",
+ "value": "application/json"
+ },
+ {
+ "key": "Accept",
+ "type": "text",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"ONAPName\": \"TutorialPEP\",\n \"ONAPComponent\": \"TutorialPEPComponent\",\n \"ONAPInstance\": \"TutorialPEPInstance\",\n \"requestId\": \"unique-request-id-tutorial\",\n \"action\": \"authorize\",\n \"resource\": {\n \"user\": \"audit\",\n \"entity\": \"foo\",\n \"permission\" : \"read\"\n }\n}"
+ },
+ "url": {
+ "raw": "{{POLICY-XACML-URL}}/policy/pdpx/v1/decision",
+ "host": [
+ "{{POLICY-XACML-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pdpx",
+ "v1",
+ "decision"
+ ]
+ }
+ },
+ "response": []
+ },
+ {
+ "name": "Simple Undeploy Policy",
+ "request": {
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "zb!XztG34",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "healthcheck",
+ "type": "string"
+ }
+ ]
+ },
+ "method": "DELETE",
+ "header": [
+ {
+ "key": "Accept",
+ "value": "application/json",
+ "type": "text"
+ },
+ {
+ "key": "Content-Type",
+ "value": "application/json",
+ "type": "text"
+ }
+ ],
+ "url": {
+ "raw": "{{POLICY-PAP-URL}}/policy/pap/v1/pdps/policies/onap.policy.tutorial.demo",
+ "host": [
+ "{{POLICY-PAP-URL}}"
+ ],
+ "path": [
+ "policy",
+ "pap",
+ "v1",
+ "pdps",
+ "policies",
+ "onap.policy.tutorial.demo"
+ ]
+ }
+ },
+ "response": []
+ }
+ ],
+ "auth": {
+ "type": "basic",
+ "basic": [
+ {
+ "key": "password",
+ "value": "",
+ "type": "string"
+ },
+ {
+ "key": "username",
+ "value": "",
+ "type": "string"
+ }
+ ]
+ },
+ "protocolProfileBehavior": {}
+}
\ No newline at end of file
+<!--
+ ============LICENSE_START=======================================================
+ ONAP Policy Engine - XACML Application Tutorial
+ ================================================================================
+ Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+ ================================================================================
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ ============LICENSE_END=========================================================
+ -->
+
<project xmlns="http://maven.apache.org/POM/4.0.0"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<scope>test</scope>
</dependency>
</dependencies>
+
<build>
<plugins>
<plugin>
<release>11</release>
</configuration>
</plugin>
+ <plugin>
+ <groupId>io.fabric8</groupId>
+ <artifactId>docker-maven-plugin</artifactId>
+ <version>0.33.0</version>
+ <configuration>
+ <verbose>true</verbose>
+ <images>
+ <image>
+ <name>onap/policy-xacml-tutorial</name>
+ <alias>xacml-pdp</alias>
+ <build>
+ <contextDir>${project.basedir}/src/main/docker</contextDir>
+ <assembly>
+ <descriptorRef>artifact-with-dependencies</descriptorRef>
+ </assembly>
+ </build>
+ </image>
+ </images>
+ </configuration>
+ <executions>
+ <execution>
+ <id>clean-images</id>
+ <phase>pre-clean</phase>
+ <goals>
+ <goal>remove</goal>
+ </goals>
+ </execution>
+
+ <execution>
+ <id>generate-images</id>
+ <phase>package</phase>
+ <goals>
+ <goal>build</goal>
+ </goals>
+ </execution>
+ </executions>
+ </plugin>
</plugins>
</build>
</project>
--- /dev/null
+FROM onap/policy-xacml-pdp:2.2.2
+
+ADD maven/${project.build.finalName}.jar /opt/app/policy/pdpx/lib/${project.build.finalName}.jar
+
+RUN mkdir -p /opt/app/policy/pdpx/apps/tutorial
+
+COPY --chown=policy:policy xacml.properties /opt/app/policy/pdpx/apps/tutorial
\ No newline at end of file
--- /dev/null
+docker-compose -f docker-compose.yml run --rm start_dependencies
+
+docker-compose -f docker-compose.yml run --rm start_all
+
+
+curl -X POST http://0.0.0.0:3904/events/POLICY-PDP-PAP
+
+Should return JSON similar to this:
+{"serverTimeMs":0,"count":0}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6969/policy/pdpx/v1/healthcheck'
+
+Should return JSON similar to this:
+{"name":"Policy Xacml PDP","url":"self","healthy":true,"code":200,"message":"alive"}
+
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6767/policy/api/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy API",
+ "url": "policy-api",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+}
+
+curl -k -u 'healthcheck:zb!XztG34' 'https://0.0.0.0:6868/policy/pap/v1/healthcheck'
+Should return JSON similar to this:
+{
+ "name": "Policy PAP",
+ "url": "policy-pap",
+ "healthy": true,
+ "code": 200,
+ "message": "alive"
+}
\ No newline at end of file
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+MYSQL_ROOT_PASSWORD=secret
+MYSQL_USER=policy_user
+MYSQL_PASSWORD=policy_user
\ No newline at end of file
--- /dev/null
+#!/bin/bash -xv
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+
+for db in policyadmin operationshistory
+do
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "CREATE DATABASE IF NOT EXISTS ${db};"
+ mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "GRANT ALL PRIVILEGES ON \`${db}\`.* TO '${MYSQL_USER}'@'%' ;"
+done
+
+mysql -uroot -p"${MYSQL_ROOT_PASSWORD}" --execute "FLUSH PRIVILEGES;"
--- /dev/null
+# ============LICENSE_START=======================================================
+# Copyright (C) 2020 AT&T Intellectual Property. All rights reserved.
+# ================================================================================
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# SPDX-License-Identifier: Apache-2.0
+# ============LICENSE_END=========================================================
+version: '2'
+services:
+ mariadb:
+ image: mariadb:10.2.14
+ container_name: mariadb
+ hostname: mariadb
+ command: ['--lower-case-table-names=1', '--wait_timeout=28800']
+ env_file: config/db/db.conf
+ volumes:
+ - ./config/db:/docker-entrypoint-initdb.d
+ expose:
+ - 3306
+ message-router:
+ image: dmaap/simulator
+ container_name: dmaap-simulator
+ hostname: dmaap-simulator
+ ports:
+ - "3904:3904"
+ expose:
+ - 3904
+ api:
+ image: nexus3.onap.org:10001/onap/policy-api:2.2.4
+ container_name: policy-api
+ depends_on:
+ - mariadb
+ hostname: policy-api
+ ports:
+ - "6767:6969"
+ expose:
+ - 6767
+ pap:
+ image: nexus3.onap.org:10001/onap/policy-pap:2.2.3
+ container_name: policy-pap
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ hostname: policy-pap
+ ports:
+ - "6868:6969"
+ expose:
+ - 6868
+ xacml-pdp:
+ image: onap/policy-xacml-tutorial
+ container_name: policy-xacml-pdp
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ - pap
+ hostname: policy-xacml-pdp
+ ports:
+ - "6969:6969"
+ expose:
+ - 6969
+ start_dependencies:
+ image: dadarek/wait-for-dependencies
+ environment:
+ TIMEOUT_LENGTH: 60
+ container_name: policy-wait
+ depends_on:
+ - mariadb
+ - message-router
+ hostname: policy-wait
+ command:
+ mariadb:3306
+ message-router:3904
+ start_all:
+ image: dadarek/wait-for-dependencies
+ environment:
+ TIMEOUT_LENGTH: 60
+ container_name: policy-wait-all
+ depends_on:
+ - mariadb
+ - message-router
+ - api
+ - pap
+ - xacml-pdp
+ hostname: policy-wait-all
+ command:
+ mariadb:3306
+ message-router:3904
+ api:6969
+ pap:6969
+ xacml-pdp:6969
# Policies to load
#
xacml.rootPolicies=
-xacml.referencedPolicies=
+xacml.referencedPolicies=
\ No newline at end of file
public class TutorialApplication extends StdXacmlApplicationServiceProvider {
- private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier();
+ private final ToscaPolicyTypeIdentifier supportedPolicyType = new ToscaPolicyTypeIdentifier("onap.policies.Authorization", "1.0.0");
private final TutorialTranslator translator = new TutorialTranslator();
@Override
private static final Identifier ID_TUTORIAL_USER = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-user");
private static final Identifier ID_TUTORIAL_ENTITY =
new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-entity");
- private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-perm");
+ private static final Identifier ID_TUTORIAL_PERM = new IdentifierImpl(ToscaDictionary.ID_URN_ONAP, "tutorial-permission");
@SuppressWarnings("unchecked")
- public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException {
+ public PolicyType convertPolicy(ToscaPolicy toscaPolicy) throws ToscaPolicyConversionException {
//
// Here is our policy with a version and default combining algo
//
// For simplicity, let's just match on the action "authorize" and the user
//
MatchType matchAction = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL,
- "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
+ "authorize", XACML3.ID_DATATYPE_STRING, XACML3.ID_ACTION_ACTION_ID, XACML3.ID_ATTRIBUTE_CATEGORY_ACTION);
Map<String, Object> props = toscaPolicy.getProperties();
String user = props.get("user").toString();
MatchType matchUser = ToscaPolicyTranslatorUtils.buildMatchTypeDesignator(XACML3.ID_FUNCTION_STRING_EQUAL, user,
//
// Create AllOf (AND) of just Policy Id
//
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction));
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchUser));
+ anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchAction, matchUser));
TargetType target = new TargetType();
target.getAnyOf().add(anyOf);
newPolicyType.setTarget(target);
//
// Now add the rule for each permission
//
+ int ruleNumber = 0;
List<Object> permissions = (List<Object>) props.get("permissions");
for (Object permission : permissions) {
XACML3.ID_FUNCTION_STRING_EQUAL, ((Map<String, String>) permission).get("permission"),
XACML3.ID_DATATYPE_STRING, ID_TUTORIAL_PERM, XACML3.ID_ATTRIBUTE_CATEGORY_RESOURCE);
anyOf = new AnyOfType();
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity));
- anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchPermission));
+ anyOf.getAllOf().add(ToscaPolicyTranslatorUtils.buildAllOf(matchEntity, matchPermission));
target = new TargetType();
target.getAnyOf().add(anyOf);
RuleType rule = new RuleType();
rule.setDescription("Default is to PERMIT if the policy matches.");
- rule.setRuleId(newPolicyType.getPolicyId() + ":rule");
+ rule.setRuleId(newPolicyType.getPolicyId() + ":rule" + ruleNumber);
+
rule.setEffect(EffectType.PERMIT);
rule.setTarget(target);
newPolicyType.getCombinerParametersOrRuleCombinerParametersOrVariableDefinition().add(rule);
+
+ ruleNumber++;
}
return newPolicyType;
}
// Just simply return a Permit response
//
decisionResponse.setStatus(Decision.PERMIT.toString());
- }
- if (xacmlResult.getDecision() == Decision.DENY) {
+ } else {
//
// Just simply return a Deny response
//
decisionResponse.setStatus(Decision.DENY.toString());
}
- if (xacmlResult.getDecision() == Decision.NOTAPPLICABLE) {
- //
- // There is no guard policy, so we return a permit
- //
- decisionResponse.setStatus(Decision.PERMIT.toString());
- }
}
return decisionResponse;
package org.onap.policy.tutorial.tutorial;
+import static org.junit.Assert.assertEquals;
+
import java.io.File;
import java.io.IOException;
import java.util.Iterator;
.getTextFileAsString("src/test/resources/tutorial-decision-request.json"),
DecisionRequest.class);
//
- // Test a decision
+ // Test a decision - should start with a permit
//
Pair<DecisionResponse, Response> decision = service.makeDecision(decisionRequest, null);
LOGGER.info(decision.getLeft().toString());
+ assertEquals("Permit", decision.getLeft().getStatus());
+ //
+ // This should be a deny
+ //
+ decisionRequest.getResource().put("user", "audit");
+ decision = service.makeDecision(decisionRequest, null);
+ LOGGER.info(decision.getLeft().toString());
+ assertEquals("Deny", decision.getLeft().getStatus());
}
}
"resource": {
"user": "demo",
"entity": "foo",
- "permission" : "read"
+ "permission" : "write"
}
}
tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
- -
onap.policies.Authorization:
derived_from: tosca.policies.Root
version: 1.0.0
entry_schema:
type: onap.datatypes.Tutorial
data_types:
- -
onap.datatypes.Tutorial:
- derived_from: tosca.datatypes.Root
- version: 1.0.0
- properties:
- entity:
- type: string
- required: true
- description: The resource
- permission:
- type: string
- required: true
- description: The permission level
- constraints:
- - valid_values: [read, write, delete]
+ derived_from: tosca.datatypes.Root
+ version: 1.0.0
+ properties:
+ entity:
+ type: string
+ required: true
+ description: The resource
+ permission:
+ type: string
+ required: true
+ description: The permission level
+ constraints:
+ - valid_values: [read, write, delete]
+++ /dev/null
-{
- "ONAPName": "TutorialPEP",
- "ONAPComponent": "TutorialPEPComponent",
- "ONAPInstance": "TutorialPEPInstance",
- "requestId": "unique-request-id-tutorial",
- "action": "authorize",
- "resource": {
- "user": "demo",
- "entity": "foo",
- "permission" : "read"
- }
-}
+++ /dev/null
-tosca_definitions_version: tosca_simple_yaml_1_0_0
-topology_template:
- policies:
- -
- onap.policy.tutorial.demo:
- type: onap.policies.Authorization
- version: 1.0.0
- metadata:
- policy-id: onap.policy.tutorial.demo
- properties:
- user: demo
- permissions:
- -
- entity: foo
- permission: read
- -
- entity: foo
- permission: write
- -
- onap.policy.tutorial.audit:
- type: onap.policies.Authorization
- version: 1.0.0
- metadata:
- policy-id: onap.policy.tutorial.bar
- properties:
- user: audit
- permissions:
- -
- entity: foo
- permission: read
+++ /dev/null
-tosca_definitions_version: tosca_simple_yaml_1_0_0
-policy_types:
- -
- onap.policies.Authorization:
- derived_from: tosca.policies.Root
- version: 1.0.0
- description: Example tutorial policy type for doing user authorization
- properties:
- user:
- type: string
- required: true
- description: The unique user name
- permissions:
- type: list
- required: true
- description: A list of resource permissions
- entry_schema:
- type: onap.datatypes.Tutorial
-data_types:
- -
- onap.datatypes.Tutorial:
- derived_from: tosca.datatypes.Root
- version: 1.0.0
- properties:
- entity:
- type: string
- required: true
- description: The resource
- permission:
- type: string
- required: true
- description: The permission level
- constraints:
- - valid_values: [read, write, delete]
this example Policy Type in which an ONAP PEP client would like to enforce an action **authorize**
for a *user* to execute a *permission* on an *entity*.
-.. literalinclude:: tutorial/tutorial-policy-type.yaml
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-policy-type.yaml
:language: yaml
:caption: Example Tutorial Policy Type
:linenos:
an entity called foo, while the audit user can only read the entity called foo. Neither user has Delete
permission.
-.. literalinclude:: tutorial/tutorial-policies.yaml
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-policies.yaml
:language: yaml
:caption: Example Policies Derived From Tutorial Policy Type
:linenos:
For the PEP (Policy Enforcement Point) client applications that call the Decision API, you need
to design how the Decision API Request resource fields will be sent via the PEP.
-.. literalinclude:: tutorial/tutorial-decision-request.json
+.. literalinclude:: tutorial/app/src/test/resources/tutorial-decision-request.json
:language: JSON
:caption: Example Decision Request
:linenos:
-For simplicity, we expect only a *Permit* or *Deny* in the Decision Response.
+For simplicity, this tutorial expects only a *Permit* or *Deny* in the Decision Response. However, one could
+customize the Decision Response object and send back whatever information is desired.
.. literalinclude:: tutorial/tutorial-decision-response.json
:language: JSON
This part of the tutorial assumes you understand how to use Eclipse to create a Maven
project. Please follow any examples for the Eclipse installation you have to create
an empty application. For the tutorial, use groupId *org.onap.policy.tutorial* and artifactId
-*tutorial*.
+*tutorial*. If you wish to go directly to the source code, please see the
+:ref:`Download Tutorial Application Example` below to download it.
.. image:: tutorial/images/eclipse-create-maven.png
Add Dependencies Into Application pom.xml
*****************************************
+Here we import the XACML PDP Application common dependency which has the interfaces we need to implement. In addition,
+we are importing a testing dependency that has common code for producing a JUnit test.
+
.. code-block:: java
:caption: pom.xml dependencies
<dependency>
<groupId>org.onap.policy.xacml-pdp.applications</groupId>
<artifactId>common</artifactId>
- <version>2.1.0-SNAPSHOT</version>
+ <version>2.2.2</version>
+ </dependency>
+ <dependency>
+ <groupId>org.onap.policy.xacml-pdp</groupId>
+ <artifactId>xacml-test</artifactId>
+ <version>2.2.2</version>
+ <scope>test</scope>
</dependency>
Create META-INF to expose Java Service
In the applications *src/test/resources* directory, create a xacml.properties file that will be used by the embedded
XACML PDP Engine when loading.
-.. literalinclude:: tutorial/tutorial-xacml.properties
+.. literalinclude:: tutorial/app/src/test/resources/xacml.properties
:caption: Example xacml.properties file
:linenos:
:emphasize-lines: 20, 25
-Create a JUnit and use the TestUtils.java class in application/common
-*********************************************************************
+Create a JUnit and use the TestUtils.java class in xacml-test dependency
+************************************************************************
Using Eclipse, create a JUnit and be sure to add a setup() method stub. Here you will be utilizing a TestUtils.java
-class from the policy/xamcl-pdp repo's application/common submodule to use some utility methods for building the JUnit test.
+class from the policy/xamcl-pdp repo's xacml-test submodule to use some utility methods for building the JUnit test.
.. image: tutorial/images/eclipse-junit-create.png
-Copy the TOSCA Policy Type :download:`link <tutorial/tutorial-policy-type.yaml>` and the TOSCA Policies :download:`link <tutorial/tutorial-policies.yaml>`
+Copy the TOSCA Policy Type :download:`link <tutorial/app/src/test/resources/tutorial-policy-type.yaml>` and the TOSCA Policies :download:`link <tutorial/app/src/test/resources/tutorial-policies.yaml>`
into the src/test/resources directory.
We will create a temporary folder which is used by the **StdXacmlApplicationServiceProvider** to store working copies of policies as they are loaded
:caption: Example Translator Implementation
:linenos:
-Run the JUnit test!!
+Run the JUnit test. Its easiest to run it via a terminal command line using maven commands.
+
-Where To Go From Here
+.. code-block:: bash
+ :caption: Running Maven Commands
+ :linenos:
+
+ > mvn clean install
+
+Building Docker Image
*********************
Once you have created enough JUnit tests that test the TutorialTranslator.java and TutorialRequest.java classes, you are ready to now make your
-application available to the ONAP XACML PDP Engine. These steps are covered in another tutorial.
+application build a docker image that incorporates your application with the XACML PDP Engine. The XACML PDP Engine
+must be able to *find* your Java.Service in the classpath. This is easy to do, just create a jar file for your application
+and copy into the same directory used to startup the XACML PDP.
+
+Here is a Dockerfile as an example:
+
+.. literalinclude:: tutorial/app/src/main/docker/Dockerfile
+ :caption: Dockerfile
+ :linenos:
+
+Download Tutorial Application Example
+*************************************
+
+If you don't wish to use Eclipse, or go through the steps outlined above. The tutorial is
+available for download:
+
+:download:`Download tutorial tar <tutorial/tutorial.tar>`
+
+After you tar xf tutorial.jar, you can import it into Eclipse or your favorite editor. Or simply
+use a terminal command line to build, test and run the tutorial.
+In addition, there is a POSTMAN collection available for setting up and running tests against a
+running instance of ONAP Policy Components (api, pap, dmaap-simulator, tutorial-xacml-pdp).
+:download:`Download tutorial POSTMAN Collection <tutorial/PolicyApplicationTutorial.postman_collection.json>`
See the :ref:`policy-development-tools-label` for more information on cloning and developing the policy repositories.
-XACML-PDP applications are located in the 'applications' sub-module in the policy/xacml-pdp repo. `Click here to view the applications sub-modules <https://github.com/onap/policy-xacml-pdp/tree/master/applications>`_
+XACML-PDP applications are located in the 'applications' sub-module in the policy/xacml-pdp repo. `Click here to view the applications sub-modules <https://github.com/onap/policy-xacml-pdp/tree/frankfurt/applications>`_
XACML PDP TOSCA Translators
===========================
---------------------------------------------
A simple translator that wraps the TOSCA policy into a XACML policy and performs matching of the policy based on either policy-id and/or policy-type. The use of this translator is discouraged as it behaves like a database call and does not take advantage of the fine-grain decision making features described by the XACML OASIS 3.0 standard. It is used to support backward compatibility of legacy "configure" policies.
-`Implementation of Combined Results Translator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdCombinedPolicyResultsTranslator.java>`_.
+`Implementation of Combined Results Translator <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdCombinedPolicyResultsTranslator.java>`_.
The Monitoring and Naming applications use this translator.
Each of the properties designated as "matchable" are treated relative to each other as an "AND" during a Decision request call. In addition, each value of a "matchable property that is an array, is treated as an "OR". The more properties specified in a decision request, the more fine-grained a policy will be returned. In addition, the use of "policy-type" can be used in a decision request to further filter the decision results to a specific type of policy.
-`Implementation of Matchable Translator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdMatchableTranslator.java>`_.
+`Implementation of Matchable Translator <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdMatchableTranslator.java>`_.
The Optimization application uses this translator.
-----------------------------------------------
These two translators are used by the Guard application and are very specific to those Policy Types. They are good examples on how to build your own translator for a very specific implementation of a policy type. This can be the case if any of the Std* translators are not appropriate to use directly or override for your application.
-`Implementation of Guard Translator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardTranslator.java>`_
+`Implementation of Guard Translator <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/GuardTranslator.java>`_
-`Implementation of Coordination Translator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/CoordinationGuardTranslator.java>`_
+`Implementation of Coordination Translator <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/guard/src/main/java/org/onap/policy/xacml/pdp/application/guard/CoordinationGuardTranslator.java>`_
Native XACML OAISIS 3.0 XML Policy Translator
-----------------------------------------------
This translator pulls a URL encoded XML XACML policy from a TOSCA Policy and loads it into a XACML Engine. This allows native XACML policies to be used to support complex use cases in which a translation from TOSCA to XACML is too difficult.
-`Implementation of Native Policy Translator <https://github.com/onap/policy-xacml-pdp/tree/master/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ>`_
+`Implementation of Native Policy Translator <https://github.com/onap/policy-xacml-pdp/tree/frankfurt/applications/native/src/main/java/org/onap/policy/xacml/pdp/application/nativ>`_
Monitoring Policy Types
=======================
XacmlApplicationServiceProvider
===============================
-`Interface for XacmlApplicationServiceProvider <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlApplicationServiceProvider.java>`_
+`Interface for XacmlApplicationServiceProvider <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/XacmlApplicationServiceProvider.java>`_
See each of the ONAP Policy Type application implementations which re-use the **StdXacmlApplicationServiceProvider** class. This implementation can be used as a basis for your own custom applications.
-`Standard Application Service Provider implementation <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdXacmlApplicationServiceProvider.java>`_
+`Standard Application Service Provider implementation <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdXacmlApplicationServiceProvider.java>`_
ToscaPolicyTranslator
=====================
Your custom **XacmlApplicationServiceProvider** must provide an implementation of a *ToscaPolicyTranslator*.
-`Interface for ToscaPolicyTranslator <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaPolicyTranslator.java>`_
+`Interface for ToscaPolicyTranslator <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/ToscaPolicyTranslator.java>`_
See each of the ONAP Policy type application implementations which each have their own *ToscaPolicyTranslator*. Most use or extend the **StdBaseTranslator**.
-`Standard Tosca Policy Translator implementation <https://github.com/onap/policy-xacml-pdp/blob/master/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdBaseTranslator.java>`.
+`Standard Tosca Policy Translator implementation <https://github.com/onap/policy-xacml-pdp/blob/frankfurt/applications/common/src/main/java/org/onap/policy/pdp/xacml/application/common/std/StdBaseTranslator.java>`.
XACML Application Tutorial
==========================
Code Review / policy / parent.git / commitdiff