Configure Computational Policies Validators
This document explains how to set up and manage validators for computational policies within ODM.
What is a Policy Validator?
A Validator is a service that evaluates policy requests received from the Policy Service. Think of it as a decision-making engine that determines whether a request complies with defined policies.
- Policy Engine: The core component that directly executes policies or interacts with dedicated policy services (e.g., Open Policy Agent - OPA).
- Validator Adapter API: An interface that allows the Policy Service to communicate with the Policy Engine.
In essence, the Policy Service sends a policy evaluation request to the Validator, which uses its configured Policy Engine to assess the request and return a result.
Registering and Configuring a Policy Validator
When registering your validator, you have two options:
- Use an existing validator: The Open Data Mesh initiative provides a collection of pre-built validators in its GitHub repository. These validators cover common use cases and can be readily integrated into your Policy Service.
- Create a custom validator: If your requirements are more specific or you need a tailored solution, you can develop your own validator by following the steps outlined in the “Implementing a Custom Policy Validator” section. This allows for greater flexibility and control over the evaluation process.
The Policy Service provides APIs to manage validators. You can register multiple validators with the Policy Service to handle different policy types: for example, common and simple policies can be handled by a default policy engine, while more complex ones can be implemented with custom logic. The Policy Service routes each request to the appropriate validator based on the policy engine specified in the policy.
To register a new validator:
- Define the Policy Engine: Provide a unique name, display name, and the URL of its Validator Adapter API.
- Use the Policy Service API: Make a POST request to {blindata-agent-context-path}/api/v1/pp/policy/policy-engines with the Policy Engine details. DATAOPS_ADMIN permissions are required. See DataOps Agent Configuration for how to access the ODM API programmatically.
Example (OPA Engine):
POST {blindata-agent-context-path}/api/v1/pp/policy/policy-engines

{
  "name": "opa-engine",
  "displayName": "OPA Policy Engine",
  "adapterUrl": "https://{validator-hostname}:{port}"
}
Implementing a Custom Policy Validator
To create a custom validator, you need to implement the Validator API interface. This involves handling requests according to the following API:
POST /api/v1/up/validator/evaluate-policy

Request Body:

{
  "policyEvaluationId": 1,
  "policy": {
    "name": "PolicyName",
    "displayName": "Policy Display Name",
    "description": "Policy description",
    "blockingFlag": true,
    "rawContent": "Policy implementation code or configuration"
  },
  "objectToEvaluate": {
    // Data relevant to the policy evaluation
    // Depends on the event on which the policy is registered
  }
}

Response Body:

{
  "policyEvaluationId": 1,
  // Synthetic result stating whether the document is valid against the provided policy
  "evaluationResult": true,
  "outputObject": {
    // Object containing errors and details about the evaluation
  }
}
Steps to Implement a Custom Validator:
- Create a service: Develop a service that exposes the /api/v1/up/validator/evaluate-policy endpoint.
- Handle requests: Receive requests, extract the policy and data, and perform the evaluation using your chosen method (custom logic, external engine, etc.).
- Return response: Send a response indicating the result of the policy evaluation (e.g., allowed, denied).
- Register the validator: Once your custom validator is running, register it with the Policy Service using the API mentioned earlier.
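A minimal custom validator in Python, added here as an illustration and not code from the Open Data Mesh project: it exposes the evaluate-policy endpoint and implements the request and response bodies documented above, covering the "create a service", "handle requests" and "return response" steps. The rule format carried inside rawContent (a JSON object listing required fields and forbidden values), the helper names parse_rules, evaluate and evaluate_policy, the port, and the sample request are all assumptions of this example; the page leaves the policy representation to the implementer.

```python
"""Minimal ODM custom Policy Validator (added example, not project code).

Assumes the documented request/response shapes for
POST /api/v1/up/validator/evaluate-policy and, as an example-only choice,
treats policy.rawContent as a JSON rule object such as
{"required": ["owner"], "forbidden_values": {"visibility": ["public"]}}.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

EVALUATE_PATH = "/api/v1/up/validator/evaluate-policy"
MAX_BODY_BYTES = 1 << 20  # refuse oversized bodies before parsing them


def parse_rules(raw_content: str) -> dict:
    """Parse rawContent as JSON data. It is never executed, so a buggy or
    hostile policy body cannot run code inside the validator."""
    rules = json.loads(raw_content)
    if not isinstance(rules, dict):
        raise ValueError("policy rawContent must be a JSON object")
    return rules


def evaluate(rules: dict, obj: dict) -> list:
    """Return the list of violations; an empty list means the object complies."""
    errors = []
    for field in rules.get("required", []):
        if field not in obj or obj[field] in (None, ""):
            errors.append(f"missing required field '{field}'")
    for field, banned in rules.get("forbidden_values", {}).items():
        if field in obj and obj[field] in banned:
            errors.append(f"field '{field}' has forbidden value {obj[field]!r}")
    return errors


def evaluate_policy(request: dict) -> dict:
    """Handle one evaluate-policy request body and build the response body."""
    evaluation_id = request.get("policyEvaluationId")
    policy = request.get("policy") or {}
    obj = request.get("objectToEvaluate")

    def failed(reason):  # malformed input is a failed evaluation, not a crash
        return {"policyEvaluationId": evaluation_id, "evaluationResult": False,
                "outputObject": {"errors": [reason]}}

    if not isinstance(policy.get("rawContent"), str) or not isinstance(obj, dict):
        return failed("malformed request: policy.rawContent or objectToEvaluate missing")
    try:
        rules = parse_rules(policy["rawContent"])
    except ValueError as exc:  # json.JSONDecodeError is a ValueError
        return failed(f"invalid policy: {exc}")
    errors = evaluate(rules, obj)
    return {
        "policyEvaluationId": evaluation_id,
        "evaluationResult": not errors,
        "outputObject": {"policyName": policy.get("name"),
                         "blockingFlag": bool(policy.get("blockingFlag", False)),
                         "errors": errors},
    }


class ValidatorHandler(BaseHTTPRequestHandler):
    """HTTP adapter: only the documented path is served, only JSON is accepted."""

    def do_POST(self):
        if self.path != EVALUATE_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0") or 0)
        if length <= 0 or length > MAX_BODY_BYTES:
            self.send_error(413 if length > MAX_BODY_BYTES else 400)
            return
        try:
            body = json.loads(self.rfile.read(length))
        except ValueError:
            self.send_error(400, "body is not valid JSON")
            return
        payload = json.dumps(evaluate_policy(body)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


# Constructed sample request in the documented shape (example data, not from the page).
SAMPLE_REQUEST = {
    "policyEvaluationId": 1,
    "policy": {
        "name": "data-product-ownership",
        "displayName": "Data product must declare an owner",
        "description": "Constructed example policy",
        "blockingFlag": True,
        "rawContent": json.dumps({"required": ["owner", "domain"],
                                  "forbidden_values": {"visibility": ["public"]}}),
    },
    "objectToEvaluate": {"name": "orders", "domain": "sales", "visibility": "public"},
}

if __name__ == "__main__":
    print(json.dumps(evaluate_policy(SAMPLE_REQUEST), indent=2))
    # Demo only: bind to localhost; in a deployment put TLS and authentication in
    # front, since the registered adapterUrl is what the Policy Service calls.
    HTTPServer(("127.0.0.1", 8080), ValidatorHandler).serve_forever()
```

Run the file to see the sample evaluation (it fails with two errors: the missing owner and the forbidden public visibility) and then serve the adapter API on localhost. The design points worth keeping in any real validator are that rawContent arrives from the Policy Service as data and is parsed, never executed; that request bodies are bounded and schema-checked before evaluation; and that an unparsable or malformed input is returned as evaluationResult false with the reason in outputObject, so a bad policy cannot be silently reported as compliant.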
Key Considerations:
- Technology: You can implement the validator using any suitable technology (e.g., Java, Python, Node.js).
- Policy Representation: Define how your policies will be represented (e.g., code, rules, configuration files).
- Evaluation Logic: Implement the logic to evaluate the objectToEvaluate against the provided policy.