.. This work is licensed under a Creative Commons Attribution 4.0 International License.

.. _xacmltutorial-enforcement-label:

Policy XACML - Policy Enforcement Tutorial
##########################################

.. toctree::
   :maxdepth: 3

This tutorial shows how to build Policy Enforcement into your application. Please be sure to clone the policy repositories before going through the tutorial. See :ref:`policy-development-tools-label` for details.

This tutorial can be found in the XACML PDP repository. `See the tutorial `_

Policy Type being Enforced
**************************

For this tutorial, we will be enforcing a Policy Type that inherits from the **onap.policies.Monitoring** Policy Type. This Policy Type is used by DCAE analytics for configuration purposes. Any inherited Policy Type is automatically supported by the XACML PDP for Decisions.

`See the latest example Policy Type `_

.. code-block:: yaml
   :caption: Example Policy Type

   tosca_definitions_version: tosca_simple_yaml_1_1_0
   policy_types:
      onap.policies.Monitoring:
         derived_from: tosca.policies.Root
         version: 1.0.0
         name: onap.policies.Monitoring
         description: a base policy type for all policies that govern monitoring provisioning
      onap.policies.monitoring.MyAnalytic:
         derived_from: onap.policies.Monitoring
         type_version: 1.0.0
         version: 1.0.0
         description: Example analytic
         properties:
            myProperty:
               type: string
               required: true

Example Policy
**************

`See the latest example policy `_

.. code-block:: yaml
   :caption: Example Policy

   tosca_definitions_version: tosca_simple_yaml_1_1_0
   topology_template:
      policies:
         - policy1:
              type: onap.policies.monitoring.MyAnalytic
              type_version: 1.0.0
              version: 1.0.0
              name: policy1
              metadata:
                 policy-id: policy1
                 policy-version: 1.0.0
              properties:
                 myProperty: value1

Example Decision Requests and Responses
***************************************

For **onap.policies.Monitoring** Policy Types, the action used will be **configure**.
For **configure** actions, you can specify a resource by **policy-id** or **policy-type**. We recommend using **policy-type**, as a policy-id may not necessarily be deployed. In addition, your application should request all available policies for the policy-type that it enforces.

.. code-block:: json
   :caption: Example Decision Request

   {
     "ONAPName": "myName",
     "ONAPComponent": "myComponent",
     "ONAPInstance": "myInstanceId",
     "requestId": "1",
     "action": "configure",
     "resource": {
         "policy-type": "onap.policies.monitoring.MyAnalytic"
     }
   }

The **configure** action will return a payload containing your full policy:

.. code-block:: json
   :caption: Example Decision Response

   {
       "policies": {
           "policy1": {
               "type": "onap.policies.monitoring.MyAnalytic",
               "type_version": "1.0.0",
               "properties": {
                   "myProperty": "value1"
               },
               "name": "policy1",
               "version": "1.0.0",
               "metadata": {
                   "policy-id": "policy1",
                   "policy-version": "1.0.0"
               }
           }
       }
   }

Making Decision Call in your Application
****************************************

Your application should be able to do a RESTful API call to the XACML PDP Decision API endpoint. If you already have code that does this, use it to make a call similar to the following curl command:

.. code-block:: bash
   :caption: Example Decision API REST Call using curl

   # '<user>:<password>' is a placeholder for the PDP credentials.
   # -k skips TLS certificate verification.
   curl -k -u '<user>:<password>' https://xacml-pdp:6969/policy/pdpx/v1/decision

If your application does not have REST HTTP client code, you can use some common code available in the policy/common repository for doing HTTP calls.

.. code-block:: xml
   :caption: Policy Common REST Code Dependency

   <dependency>
       <groupId>org.onap.policy.common</groupId>
       <artifactId>policy-endpoints</artifactId>
       <version>${policy.common.version}</version>
   </dependency>

Also, if your application wants to use common code to serialize/deserialize Decision Requests and Responses, then you can include the following dependency:

.. code-block:: xml
   :caption: Policy Decision Request and Response Classes

   <dependency>
       <groupId>org.onap.policy.models</groupId>
       <artifactId>policy-models-decisions</artifactId>
       <version>${policy.models.version}</version>
   </dependency>

Responding to Policy Update Notifications
*****************************************

Your application should also be able to respond to Policy Update Notifications that are published on the DMaaP topic POLICY-NOTIFICATION. When a user pushes an updated Policy, your application should be able to start enforcing it dynamically, without a restart.

.. code-block:: bash
   :caption: Example DMaaP REST Call using curl

   # '<user>:<password>' is a placeholder for the DMaaP credentials.
   # -k skips TLS certificate verification.
   curl -k -u '<user>:<password>' 'https://dmaap:3904/events/POLICY-NOTIFICATION/group/id?timeout=5000'

If your application does not have DMaaP client code, you can use some available code in policy/common to receive DMaaP events.

To parse the JSON sent over the topic, your application can use the following dependency:

.. code-block:: xml
   :caption: Policy PAP Update Notification Classes

   <dependency>
       <groupId>org.onap.policy.models</groupId>
       <artifactId>policy-models-pap</artifactId>
       <version>${policy.models.version}</version>
   </dependency>
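
The decision call and response handling described above, as an added Python example that is not part of the original tutorial or of the ONAP code base. It builds the **configure** request by policy-type, calls the endpoint with certificate verification enabled, and validates the returned policies before they are enforced. The function names are hypothetical, and it assumes the Decision API accepts a JSON POST with HTTP Basic credentials.

```python
import base64
import json
import ssl
import urllib.request

# Decision Response from this page, kept inline as offline sample input.
SAMPLE_RESPONSE = {"policies": {"policy1": {
    "type": "onap.policies.monitoring.MyAnalytic", "type_version": "1.0.0",
    "properties": {"myProperty": "value1"}, "name": "policy1", "version": "1.0.0",
    "metadata": {"policy-id": "policy1", "policy-version": "1.0.0"}}}}

def build_decision_request(policy_type, request_id):
    """Decision Request in the shape shown on this page (sample ONAP* values)."""
    return {"ONAPName": "myName", "ONAPComponent": "myComponent",
            "ONAPInstance": "myInstanceId", "requestId": request_id,
            "action": "configure", "resource": {"policy-type": policy_type}}

def fetch_decision(url, user, password, request, cafile):
    """POST with Basic auth (assumed); the server certificate is verified against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)  # verification on, unlike curl -k
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=json.dumps(request).encode(), method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token})
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)

def select_enforceable(response, policy_type, required_props):
    """Return {policy-id: properties} for valid policies; raise so callers fail closed."""
    policies = response.get("policies") if isinstance(response, dict) else None
    if not isinstance(policies, dict):
        raise ValueError("decision response has no 'policies' object")
    accepted = {}
    for key, policy in policies.items():
        if not isinstance(policy, dict) or policy.get("type") != policy_type:
            continue  # not the policy type this application enforces
        meta, props = policy.get("metadata"), policy.get("properties")
        if not isinstance(meta, dict) or meta.get("policy-id") != key:
            continue  # map key and metadata disagree: treat as malformed
        if isinstance(props, dict) and all(
                isinstance(props.get(p), str) for p in required_props):
            accepted[key] = props
    if not accepted:
        raise ValueError("no valid policy of type " + policy_type)
    return accepted
```

Because ``select_enforceable`` raises when no policy passes validation, an application that receives an empty or mismatched decision can keep its last known-good policy instead of running unconfigured.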