1 .. This work is licensed under a Creative Commons Attribution 4.0 International License.
2 .. http://creativecommons.org/licenses/by/4.0
6 Policy Administration Point API
7 ###############################
15 Policy Administration Point (PAP) Architecture
16 ==============================================
18 The Policy Administration Point (PAP) keeps track of PDPs, supporting the deployment of PDP groups and the deployment
19 of policies across those PDP groups. Policies are created using the Policy API, but are deployed via the PAP.
21 The PAP is stateless in a RESTful sense, using the database (persistent storage) to track PDPs and the deployment of
22 policies to those PDPs. In short, policy management on PDPs is the responsibility of PAP; management of policies by
23 any other manner is not permitted.
25 Because the PDP is the main unit of scalability in the Policy Framework, the framework is designed to allow PDPs in a
26 PDP group to arbitrarily appear and disappear and for policy consistency across all PDPs in a PDP group to be easily
27 maintained. The PAP is responsible for controlling the state across the PDPs in a PDP group. The PAP interacts with the
28 policy database and transfers policies to PDPs.
30 The unit of execution and scaling in the Policy Framework is a *PolicyImpl* entity. A *PolicyImpl* entity runs on a PDP.
31 As is explained above, a *PolicyImpl* entity is a *PolicyTypeImpl* implementation parameterized with a TOSCA *Policy*.
33 .. image:: images/PolicyImplPDPSubGroup.svg
35 In order to achieve horizontal scalability, we group the PDPs running instances of a given *PolicyImpl* entity logically
36 together into a *PDPSubGroup*. The number of PDPs in a *PDPSubGroup* can then be scaled up and down using Kubernetes. In
37 other words, all PDPs in a subgroup run the same *PolicyImpl*, that is the same policy template implementation (in
38 XACML, Drools, or APEX) with the same parameters.
40 The figure above shows the layout of *PDPGroup* and *PDPSubGroup* entities. The figure shows examples of PDP groups for
41 Control Loop and Monitoring policies on the right.
43 The health of PDPs is monitored by the PAP in order to alert operations teams managing policies. The PAP manages the life
44 cycle of policies running on PDPs.
46 The table below shows the deployment methods in which *PolicyImpl* entities can be deployed to PDP Subgroups.
48 ========== =========================================== ============================== ==================================
49 **Method** **Description** **Advantages** **Disadvantages**
50 ========== =========================================== ============================== ==================================
51 Cold The *PolicyImpl* (*PolicyTypeImpl* and No run time configuration Very restrictive, no run time
52 TOSCA *Policy*) are predeployed on the PDP. required and run time configuration of PDPs is possible.
53 PDP is fully configured and ready to administration is simple.
56 PDPs register with the PAP when they
57 start, providing the *pdpGroup* they
58 have been preconfigured with.
60 Warm The *PolicyTypeImpl* entity is predeployed The configuration, parameters, Administration and management is
61 on the PDP. A TOSCA *Policy* may be loaded and PDP group of PDPs may be required. The configuration and
62 at startup. The PDP may be configured or changed at run time by loading life cycle of the TOSCA policies
63 reconfigured with a new or updated TOSCA or updating a TOSCA *Policy* can change at run time and must be
64 *Policy* at run time. into the PDP. administered and managed.
66 PDPs register with the PAP when they start, Support TOSCA *Policy* entity
67 providing the *pdpGroup* they have been life cycle managgement is
68 predeployed with if any. The PAP may update supported, allowing features
69 the TOSCA *Policy* on a PDP at any time such as *PolicyImpl* Safe Mode
70 after registration. and *PolicyImpl* retirement.
72 Hot The *PolicyImpl* (*PolicyTypeImpl* and The policy logic, rules, Administration and management is
73 TOSCA *Policy*) are deployed at run time. configuration, parameters, and more complex. The *PolicyImpl*
74 The *PolicyImpl* (*PolicyTypeImpl* and PDP group of PDPs may be itself and its configuration and
75 TOSCA *Policy*) may be loaded at startup. changed at run time by loading life cycle as well as the life
76 The PDP may be configured or reconfigured or updating a TOSCA *Policy* cycle of the TOSCA policies can
77 with a new or updated *PolicyTypeImpl* and *PolicyTypeImpl* into the change at run time and must be
78 and/or TOSCA *Policy* at run time. PDP. administered and managed.
80 PDPs register with the PAP when they Lifecycle management of TOSCA
81 start, providing the *pdpGroup* they have *Policy* entities and
82 been preconfigured with if any. The PAP may *PolicyTypeImpl* entites is
83 update the TOSCA *Policy* and supported, allowing features
84 *PolicyTypeImpl* on a PDP at any time after such as *PolicyImpl* Safe Mode
85 registration and *PolicyImpl* retirement.
86 ========== =========================================== ============================== ==================================
91 The APIs in the subchapters below are supported by the PAP.
96 The purpose of this API is to support CRUD of PDP groups and subgroups and to support the deployment and life cycles of
97 policies on PDP sub groups and PDPs. This API is provided by the *PolicyAdministration* component (PAP) of the Policy
98 Framework, see the :ref:`ONAP Policy Framework Architecture <architecture-label>` page.
100 PDP groups and subgroups may be prefedined in the system. Predefined groups and subgroups may be modified or deleted
101 over this API. The policies running on predefined groups or subgroups as well as the instance counts and properties may
104 A PDP may be preconfigured with its PDP group, PDP subgroup, and policies. The PDP sends this information to the PAP
105 when it starts. If the PDP group, subgroup, or any policy is unknown to the PAP, the PAP locks the PDP in state PASSIVE.
107 PAP supports the operations listed in the following table, via its REST API:
110 :header: "Operation", "Description"
113 "Health check", "Queries the health of the PAP"
114 "Consolidated healthcheck", "Queries the health of all policy components"
115 "Statistics", "Queries various statistics"
116 "PDP state change", "Changes the state of all PDPs in a PDP Group"
117 "PDP Group create/update", "Creates/updates PDP Groups"
118 "PDP Group delete", "Deletes a PDP Group"
119 "PDP Group query", "Queries all PDP Groups"
120 "Deployment update", "Deploy/undeploy one or more policies in specified PdpGroups"
121 "Deploy policy", "Deploys one or more policies to the PDPs"
122 "Undeploy policy", "Undeploys a policy from the PDPs"
123 "Policy Status", "Queries the status of all policies"
124 "Policy deployment status", "Queries the status of all deployed policies"
125 "PDP statistics", "Queries the statistics of PDPs"
126 "Policy Audit", "Queries the audit records of policies"
131 PAP interacts with the PDPs via the DMaaP Message Router. The messages listed
132 in the following table are transmitted via DMaaP:
135 :header: "Message", "Direction", "Description"
138 "PDP status", "Incoming", "Registers a PDP with PAP; also sent as a periodic heart beat; also sent in response to requests from the PAP"
139 "PDP update", "Outgoing", "Assigns a PDP to a PDP Group and Subgroup; also deploys or undeploys policies from the PDP"
140 "PDP state change", "Outgoing", "Changes the state of a PDP or all PDPs within a PDP Group or Subgroup"
142 In addition, PAP generates notifications via the DMaaP Message Router when policies are successfully or unsuccessfully
143 deployed (or undeployed) from all relevant PDPs.
145 Here is a sample notification:
147 .. literalinclude:: notification/dmaap-pap-notif.json
151 2 PAP REST API Swagger
152 ======================
154 It is worth noting that we use basic authorization for access with user name and password set to *policyadmin* and
155 *zb!XztG34*, respectively.
157 For every call, the client is encouraged to insert a uuid-type *requestID* as parameter. It is helpful for tracking each
158 http transaction and facilitates debugging. More importantly, it complies with Logging requirements v1.2. If the client
159 does not provide the requestID in a call, one will be randomly generated and attached to the response header,
162 In accordance with `ONAP API Common Versioning Strategy Guidelines
163 <https://wiki.onap.org/display/DW/ONAP+API+Common+Versioning+Strategy+%28CVS%29+Guidelines>`_, several custom headers
164 are added in the response to each call:
167 :header: "Header", "Example value", "Description"
170 "x-latestversion", "1.0.0", "latest version of the API"
171 "x-minorversion", "0", "MINOR version of the API"
172 "x-patchversion", "0", "PATCH version of the API"
173 "x-onap-requestid", "e1763e61-9eef-4911-b952-1be1edd9812b", "described above; used for logging purposes"
176 :header: "/healthcheck"
179 `Health Check PAP Swagger <./local-swagger.html#tag/HealthCheckRestControllerV1>`_
181 This operation performs a health check on the PAP.
183 Here is a sample response:
185 .. literalinclude:: response/health-check-pap-resp.json
189 :header: "/pdps/healthcheck"
192 `Consolidated Health Check PAP Swagger <./local-swagger.html#tag/PolicyComponentsHealthCheckControllerV1>`_
194 This operation performs a health check of all policy components. The response
195 contains the health check result of each component. The consolidated health check
196 is reported as healthy only if all the components are healthy, otherwise the
197 "healthy" flag is marked as false.
199 Here is a sample response:
201 .. literalinclude:: response/consolidated-healthcheck-pap-resp.json
205 :header: "/statistics"
208 `Statistics PAP Swagger <./local-swagger.html#tag/StatisticsRestControllerV1>`_
210 This operation allows statistics for PDP groups, PDP subgroups, and individual PDPs to be retrieved.
213 While this API is supported, most of the statistics are not currently updated; that work has been deferred to a later
216 Here is a sample response:
218 .. literalinclude:: response/statistics-pap-resp.json
222 :header: "/pdps/groups/{name}"
225 `PDP State Change PAP Swagger <./local-swagger.html#tag/PdpGroupStateChangeControllerV1>`_
227 The state of PDP groups is managed by this operation. PDP groups can be in states PASSIVE, TEST, SAFE, or ACTIVE. For a full
228 description of PDP group states, see the :ref:`ONAP Policy Framework Architecture <architecture-label>` page.
231 :header: "/pdps/groups/batch"
234 `Group Batch PAP Swagger <./local-swagger.html#tag/PdpGroupCreateOrUpdateControllerV1>`_
236 This operation allows the PDP groups and subgroups to be created and updated. Many PDP groups can be created or updated
237 in a single POST operation by specifying more than one PDP group in the POST operation body.
238 This can be used to create the PDP group by providing all the details including the supported policy types for each subgroup.
239 However, it cannot be used to update policies; that is done using one of
240 the deployment requests. Consequently, the "policies" property of this
241 request will be ignored.
242 This can also be used to update a PDP Group, but supported policy types cannot be updated during the update operation.
243 So, "policies" and "supportedPolicyTypes" properties in the request will be ignored if provided during the PDP Group update operation.
245 The "desiredInstanceCount" specifies the minimum number of PDPs of the given
246 type that should be registered with PAP. Currently, this is just used for
247 health check purposes; if the number of PDPs registered with PAP drops below
248 the given value, then PAP will return an "unhealthy" indicator if a
249 "Consolidated Health Check" is performed.
252 If a subgroup is to be deleted from a PDP Group, then the policies must be removed from
256 Policies cannot be added/updated during PDP Group create/update operations. So, if provided, they are ignored.
257 Supported policy types are defined during PDP Group creation. They cannot be updated once they are created.
258 So, supportedPolicyTypes are expected during PDP Group create, but ignored if provided during PDP Group update.
260 Here is a sample request:
262 .. literalinclude:: request/groups-batch-pap-req.json
266 :header: "/pdps/groups/{name}"
269 `PdpGroup Delete PAP Swagger <./local-swagger.html#tag/PdpGroupDeleteControllerV1>`_
271 The API also allows PDP groups to be deleted. DELETE operations are only permitted on PDP groups in PASSIVE state.
277 `PdpGroup Query PAP Swagger <./local-swagger.html#tag/PdpGroupQueryControllerV1>`_
279 This operation allows the PDP groups and subgroups to be listed as well as the policies that are deployed on each PDP
282 Here is a sample response:
284 .. literalinclude:: response/group-query-pap-resp.json
288 :header: "/pdps/deployments/batch"
291 `Deployments Update PAP Swagger <./local-swagger.html#tag/PdpGroupDeployControllerV1>`_
293 This operation allows policies to be deployed on specific PDP groups.
294 Each subgroup includes an "action" property, which is used to indicate
295 that the policies are being added (POST) to the subgroup, deleted (DELETE)
296 from the subgroup, or that the subgroup's entire set of policies is being
297 replaced (PATCH) by a new set of policies. As such, a subgroup may appear
298 more than once in a single request, one time to delete some policies and
299 another time to add new policies to the same subgroup.
301 Here is a sample request:
303 .. literalinclude:: request/deployment-batch-pap-req.json
306 Here is a sample response:
308 .. literalinclude:: response/deployment-pap-resp.json
312 :header: "/pdps/policies"
315 `Deploy PAP Swagger <./local-swagger.html#operation/deployPolicies>`_
317 This operation allows policies to be deployed across all relevant PDP groups.
318 PAP will deploy the specified policies to all relevant subgroups. Only the
319 policies supported by a given subgroup will be deployed to that subgroup.
322 The policy version is optional. If left unspecified, then the latest version of the policy is deployed. On the other
323 hand, if it is specified, it may be an integer, or it may be a fully qualified version (e.g., "3.0.2").
324 In addition, a subgroup to which a policy is being deployed must have at
325 least one PDP instance, otherwise the request will be rejected.
327 Here is a sample request:
329 .. literalinclude:: request/policy-deploy-pap-req.json
332 Here is a sample response:
334 .. literalinclude:: response/deployment-pap-resp.json
338 :header: "/pdps/policies/{name}"
341 `Undeploy PAP Swagger <./local-swagger.html#operation/deletePolicy>`_
343 This operation allows policies to be undeployed from PDP groups.
346 If the policy version is specified, then it may be an integer, or it may be a fully qualified version (e.g., "3.0.2").
347 On the other hand, if left unspecified, then the latest deployed version will be undeployed.
350 Due to current limitations, a fully qualified policy version must always be specified.
352 Here is a sample response:
354 .. literalinclude:: response/deployment-pap-resp.json
358 :header: "/policies/status"
361 `All Policy Status PAP Swagger <./local-swagger.html#operation/getStatusOfAllPolicies>`_
364 This operation allows the status of all policies that are deployed or undeployed to be listed together.
365 The result can be filtered based on pdp group name, policy name & version.
368 When a policy is successfully undeployed, it will no longer appear in the policy status response.
370 Here is a sample response:
372 .. literalinclude:: response/policy-status-pap-resp.json
376 :header: "/policies/deployed"
379 `Deployed Policy Status PAP Swagger <./local-swagger.html#operation/queryAllDeployedPolicies>`_
381 This operation allows the deployed policies to be listed together with their respective deployment status.
382 The result can be filtered based on policy name & version.
384 Here is a sample response:
386 .. literalinclude:: response/deployed-policy-pap-resp.json
390 :header: "/pdps/statistics"
393 `Policy Statistics PAP Swagger <./local-swagger.html#tag/StatisticsRestControllerV1>`_
395 This operation allows the PDP statistics to be retrieved for all registered PDPs.
396 The result can be filtered based on PDP group, PDP subgroup & PDP instance.
397 Along with record count, start time & end time as query parameters.
399 Here is a sample response:
401 .. literalinclude:: response/pdp-statistics-pap-resp.json
405 :header: "/policies/audit"
408 `Policy Status PAP Swagger <./local-swagger.html#tag/PolicyAuditControllerV1>`_
410 This operation allows the audit records of policies to be listed together.
411 The result can be filtered based on pdp group name, policy name & version.
412 Along with record count, start time & end time as query parameters.
414 Here is a sample response:
416 .. literalinclude:: response/policy-audit-pap-resp.json
422 The *PolicyAdministration* component (PAP) is initialized using a configuration file: `papParameters.yaml
423 <https://github.com/onap/policy-pap/blob/master/packages/policy-pap-tarball/src/main/resources/etc/papParameters.yaml>`_
425 The configuration file is a YAML file containing the relevant fields for configuring the REST server, Database and DMaaP connectivity and so on.
427 3.1 Disable collection of PDP Statistics
428 ========================================
430 This configuration is to inform PAP to not save the PDP statistics in the database.
432 In *papParameters.yaml*, add or change the property savePdpStatisticsInDb to false.
435 By default, if the property is not present, it will be considered as false and
436 PDP statistics will not be saved in the database.
Code Review / policy / parent.git / blob