Policy OPA PDP Engine

The ONAP OPA Policy PDP Engine uses OPA (Open Policy Agent), an open source policy engine, to support fine-grained policy decisions in ONAP. The Rego 1.0 standard serves as the policy language for access control decisions. The ONAP OPA PDP translates TOSCA-compliant policies into the Rego language, loads them into the OPA engine, and exposes a decision API for delivering decisions.

ONAP OPA PDP Supported Policy Types

Currently, only Native Policy is supported. This policy type can be used by any client or ONAP component that requires native OPA evaluation:

Supported Base Policy Types

Application   Base Policy Type           Description
-----------   ------------------------   ----------------
Native        onap.policies.native.opa   OPA PDP Policies

The TOSCA template for the OPA policy type is shown below:

OPA Policy type

    tosca_definitions_version: tosca_simple_yaml_1_1_0
    policy_types:
      onap.policies.Native:
        derived_from: tosca.policies.Root
        description: a base policy type for all native PDP policies
        version: 1.0.0
        name: onap.policies.Native
      onap.policies.native.opa:
        derived_from: onap.policies.Native
        version: 1.0.0
        name: onap.policies.native.opa
        description: a policy type for native opa policies
        properties:
          data:
            type: map
            type_version: 0.0.0
            description: The base64 encoded json data for Policy.
            required: false
            metadata:
              encoding: Base64
          policy:
            type: map
            type_version: 0.0.0
            description: The base64 encoded rego PolicySet or Policy.
            required: true
            metadata:
              encoding: Base64
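
An added example, not part of the ONAP documentation or code base: a Python check that a policy's properties conform to the policy type above before the policy is submitted (policy required, data optional, every map value Base64-encoded, data decoding to JSON). The map keys, the sample Rego rule and the function names are assumptions made for illustration.

```python
import base64
import binascii
import json


def b64(text: str) -> str:
    """Base64-encode UTF-8 text, matching metadata.encoding in the policy type."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def validate_properties(props: dict) -> list:
    """Check properties against onap.policies.native.opa.

    Returns a list of problems; an empty list means the properties conform.
    """
    errors = []
    # In the policy type, 'policy' is required: true and 'data' is required: false.
    for prop, required in (("policy", True), ("data", False)):
        entries = props.get(prop)
        if entries is None:
            if required:
                errors.append(f"{prop}: required property missing")
            continue
        if not isinstance(entries, dict) or (required and not entries):
            errors.append(f"{prop}: must be a map (non-empty when required)")
            continue
        for key, value in entries.items():
            try:
                # validate=True rejects characters outside the Base64 alphabet.
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (binascii.Error, UnicodeDecodeError, TypeError, ValueError):
                errors.append(f"{prop}.{key}: not valid Base64-encoded text")
                continue
            if prop == "data":
                try:
                    json.loads(decoded)
                except json.JSONDecodeError:
                    errors.append(f"{prop}.{key}: decoded value is not JSON")
            elif not decoded.strip():
                errors.append(f"{prop}.{key}: decoded Rego is empty")
    return errors


# Constructed sample: the map keys and the Rego rule are illustrative assumptions.
REGO = 'package example\n\ndefault allow := false\n\nallow if input.role == "admin"\n'
SAMPLE = {
    "policy": {"example": b64(REGO)},
    "data": {"example.roles": b64(json.dumps({"roles": ["admin"]}))},
}
```

The check covers encoding and structure only; whether the decoded Rego compiles is decided by the OPA engine when the policy is loaded.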

How OPA PDP Works in ONAP Policy Framework

The OPA PDP integrates into the Policy Framework like any other PDP engine:

  1. Policy Definition: Policies are defined using the native OPA policy type and stored in a central repository.

  2. Policy Deployment: The Policy Administration Point (PAP) deploys these policies to the OPA PDP instances.

  3. Policy Evaluation: When a policy decision is needed, ONAP components can query the OPA PDP, which evaluates the request against the deployed policies and returns a decision.

  4. Policy Updates: The PAP can update policies dynamically, and OPA PDP instances will automatically pick up these changes without downtime.

[Figure: ONAP Policy Framework]