OPA PDP Policy Guide
Policy Creation Steps
Following are the steps for writing a policy:
1. Write Rego files for the policy. OPA PDP supports Rego version v1.
2. Write a JSON file for the data.
3. Encode the Rego files and the JSON file to base64.
4. Write a TOSCA policy with the encoded content.
Let us assume we are writing a policy to check whether modifying a PCI value on a cell is allowed.
Write rego files for policy
When a Rego rule needs the policy's data, it must reference it through the data key, for example data.node.cell.consistency.minPCI.
Rego code to check PCI range validation:

```rego
package cell.consistency
import rego.v1
import data.cell.consistency.topology
default allow = false
# Rule to allow if PCI is within range 1-3000
allow_if_pci_in_range if {
    input.PCI >= data.node.cell.consistency.minPCI
    input.PCI <= data.node.cell.consistency.maxPCI
}
# Main rule to determine the final decision
allow if {
    topology.check_cell_consistency
    allow_if_pci_in_range
}
```

Rego code to check whether a PCI change is allowed on the current cell:

```rego
package cell.consistency.topology
import rego.v1
# Rule to check cell consistency
check_cell_consistency if {
    input.cell != data.node.cell.consistency.allowedCellId
}
```
Note
OPA PDP supports rego version v1
write json for data
Data file which acts as a data source for policy checks:

```json
{
  "allowedCellId": 445611193265040129,
  "minPCI": 1,
  "maxPCI": 3000
}
```
Encode rego files and json to base64
Write tosca policy
TOSCA policy for cell consistency:

```yaml
tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
  policies:
    - cell.consistency:
        type: onap.policies.native.opa
        type_version: 1.0.0
        properties:
          data:
            node.cell.consistency: eyAgIAogICJhbGxvd2VkQ2VsbElkIiA6IDQ0NTYxMTE5MzI2NTA0MDEyOSwgCiAgIm1pblBDSSI6IDEsIAogICJtYXhQQ0kiOiAzMDAwICAKIH0=
          policy:
            cell.consistency: <base64 of the cell.consistency rego file; value not recovered from the page>
            cell.consistency.topology: cGFja2FnZSBjZWxsLmNvbnNpc3RlbmN5LnRvcG9sb2d5CmltcG9ydCByZWdvLnYxCiMgUnVsZSB0byBjaGVjayBjZWxsIGNvbnNpc3RlbmN5CmNoZWNrX2NlbGxfY29uc2lzdGVuY3kgaWYgewogICAgaW5wdXQuY2VsbCAhPSBkYXRhLm5vZGUuY2VsbC5jb25zaXN0ZW5jeS5hbGxvd2VkQ2VsbElkCn0=
        name: cell.consistency
        version: 1.0.0
        metadata:
          policy-id: cell.consistency
          policy-version: 1.0.0
```

In the above YAML file, the two important fields are data and policy. Both are maps of key/value pairs: each key names a data document or a Rego file, and each value is its base64-encoded content.
Note
When writing the policy map, keys must start with the policy-id (e.g. cell.consistency, cell.consistency.topology).
When writing the data map, keys must start with node.<policy-id> (e.g. node.cell.consistency).
The package name inside each Rego file (e.g. cell.consistency) must match its policy key.
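The four steps above (Rego, data, base64, TOSCA) and the key conventions in this note, worked through as an added example; this is not code from the OPA PDP project. It embeds the guide's cell.consistency Rego sources and data object as constructed strings instead of reading files, checks that every policy key starts with the policy-id, that every data key starts with node.<policy-id> and that each Rego package matches its key, and only then base64-encodes the content and renders the TOSCA YAML. The function names (validate_keys, build_policy, render_tosca, decode_data) are this example's own.

```python
"""Assemble an OPA PDP TOSCA policy from Rego sources and a JSON data file.

Added example, not code from the OPA PDP project. The policy-id, Rego
sources and data object are the cell.consistency sample from the guide,
embedded as strings (constructed inputs) instead of being read from disk.
"""
import base64
import json

POLICY_ID = "cell.consistency"

# Constructed sample input: policy key -> Rego source (comments stripped).
REGO_FILES = {
    "cell.consistency": """package cell.consistency
import rego.v1
import data.cell.consistency.topology
default allow = false
allow_if_pci_in_range if {
    input.PCI >= data.node.cell.consistency.minPCI
    input.PCI <= data.node.cell.consistency.maxPCI
}
allow if {
    topology.check_cell_consistency
    allow_if_pci_in_range
}
""",
    "cell.consistency.topology": """package cell.consistency.topology
import rego.v1
check_cell_consistency if {
    input.cell != data.node.cell.consistency.allowedCellId
}
""",
}
# Constructed sample input: data key -> object the rules read as data.node.cell.consistency.*
DATA_FILES = {
    "node.cell.consistency": {"allowedCellId": 445611193265040129,
                              "minPCI": 1, "maxPCI": 3000},
}


def b64(text):
    """Base64-encode a text blob the way the TOSCA data/policy maps expect."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def validate_keys(policy_id, rego_files, data_files):
    """Apply the guide's key conventions; returns the list of violations (empty if OK)."""
    errors = []
    for key, src in rego_files.items():
        if key != policy_id and not key.startswith(policy_id + "."):
            errors.append(f"policy key {key!r} must start with policy-id {policy_id!r}")
        # First line of every Rego file is its package declaration
        package = src.split("\n", 1)[0].split()
        if len(package) != 2 or package[0] != "package" or package[1] != key:
            errors.append(f"package of {key!r} does not match the policy key")
    data_prefix = "node." + policy_id
    for key in data_files:
        if key != data_prefix and not key.startswith(data_prefix + "."):
            errors.append(f"data key {key!r} must start with {data_prefix!r}")
    return errors


def build_policy(policy_id, rego_files, data_files, version="1.0.0"):
    """Build the TOSCA policy entry as a dict, refusing inputs that break the conventions."""
    errors = validate_keys(policy_id, rego_files, data_files)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "type": "onap.policies.native.opa", "type_version": "1.0.0",
        "properties": {
            "data": {k: b64(json.dumps(v)) for k, v in data_files.items()},
            "policy": {k: b64(src) for k, src in rego_files.items()},
        },
        "name": policy_id, "version": version,
        "metadata": {"policy-id": policy_id, "policy-version": version},
    }


def render_tosca(policy_id, entry):
    """Render the entry in the YAML layout the guide uses (hand-built, no YAML library)."""
    p = entry["properties"]
    out = ["tosca_definitions_version: tosca_simple_yaml_1_1_0", "topology_template:",
           "  policies:", f"    - {policy_id}:", f"        type: {entry['type']}",
           f"        type_version: {entry['type_version']}", "        properties:",
           "          data:"]
    out += [f"            {k}: {v}" for k, v in p["data"].items()]
    out += ["          policy:"] + [f"            {k}: {v}" for k, v in p["policy"].items()]
    out += [f"        name: {entry['name']}", f"        version: {entry['version']}",
            "        metadata:", f"          policy-id: {entry['metadata']['policy-id']}",
            f"          policy-version: {entry['metadata']['policy-version']}"]
    return "\n".join(out) + "\n"


def decode_data(entry, key):
    """Decode one data map entry back to JSON to confirm the round trip before deploying."""
    return json.loads(base64.b64decode(entry["properties"]["data"][key]))


if __name__ == "__main__":
    print(render_tosca(POLICY_ID, build_policy(POLICY_ID, REGO_FILES, DATA_FILES)))
```

Validating the keys before encoding matters because a mismatched package name or a data key outside node.<policy-id> is not visible once the content is base64; the decode_data round trip is the cheap check that the data document the rules will read is the one you meant to ship.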
TOSCA policy names must adhere to naming rules. The OPA PDP emphasizes that each TOSCA policy should have a unique policy name or policy ID. Internally, the OPA PDP creates directories based on the name structure. If two policy names share the same parent hierarchy (considering . as the hierarchy delimiter), deleting a policy higher in the hierarchy will also delete its child policies. To prevent this, the following constraints are added.
Not Allowed: If a policy named onap.org.cell is deployed, then deploying a policy named onap.org.cell.consistency is disallowed because this name sits directly below it in the hierarchy.
Not Allowed: If a policy named onap.org.cell is deployed, then deploying a policy named onap.org is disallowed because it is the parent directory.
Allowed: If a policy named onap.org.cell is deployed, then deploying a policy named onap.org.consistency, onap.org1.cell or onap1.org.cell is permitted, as none of them shares the same hierarchy.
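The hierarchy constraint above, as an added example that is not OPA PDP code: it splits names on the dot delimiter and rejects a candidate that is an ancestor or descendant of a deployed policy, and also shows which deployed policies would be wiped out by an undeploy if the rule were not enforced. The deployed set and the function names (check_deploy, affected_by_delete) are this example's own.

```python
"""Hierarchy check for OPA PDP policy names (added example, not OPA PDP code).

Models the constraint described in the guide: policy names map to nested
directories with '.' as the delimiter, so a candidate name may not be a
parent or a child of an already deployed policy. The deployed set used in
__main__ is constructed for the example.
"""


def parts(name):
    """Split a policy name into its directory hierarchy."""
    return name.split(".")


def is_ancestor(parent, child):
    """True if parent's directory path is a proper prefix of child's path.

    Comparing path components rather than raw strings is what keeps
    onap.org1.cell from being mistaken for a child of onap.org.
    """
    p, c = parts(parent), parts(child)
    return len(p) < len(c) and c[:len(p)] == p


def check_deploy(deployed, candidate):
    """Return (allowed, reason) for deploying candidate next to the deployed names."""
    for name in sorted(deployed):
        if candidate == name:
            return False, f"{candidate} is already deployed"
        if is_ancestor(name, candidate):
            return False, f"{candidate} lies inside the directory of deployed policy {name}"
        if is_ancestor(candidate, name):
            return False, f"{candidate} is the parent directory of deployed policy {name}"
    return True, "no hierarchy conflict"


def affected_by_delete(deployed, name):
    """Deployed names whose directories would vanish if 'name' were deleted.

    This is the failure mode the constraint prevents: without it, removing a
    parent policy silently removes every child policy beneath it.
    """
    return {n for n in deployed if n == name or is_ancestor(name, n)}


if __name__ == "__main__":
    deployed = {"onap.org.cell"}
    for cand in ["onap.org.cell.consistency", "onap.org", "onap.org.consistency",
                 "onap.org1.cell", "onap1.org.cell"]:
        print(cand, check_deploy(deployed, cand))
```

The same check is worth running on the client side before sending a deploy request, so a naming collision is caught in review rather than discovered when a later undeploy takes an unrelated policy with it.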