update policy for P4 switches

fabric-testbed · Jul 16, 2024 · 335fb33 · 335fb33
1 parent 458f98e
commit 335fb33
Showing 1 changed file with 21 additions and 0 deletions.
diff --git a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa
@@ -18,6 +18,27 @@ namespace fabricTags {
                 clause Attributes.actionId == "create"
             apply permitUnlessDeny
 
+            // Each of the following policies must explicitly say 'permit' or else the policy fails
+            policyset createSwitch = "urn:fabric:authz:xacml:orchestrator:tags:create:switch" {
+                target clause Attributes.resourceType == "sliver"
+                apply denyUnlessPermit
+
+                policy createSwitchPolicy = "urn:fabric:authz:xacml:orchestrator:tags:create:switch:requireP4" {
+                    target clause Attributes.resourceType == "sliver"
+                    apply permitUnlessDeny
+
+                    rule requireSwitchP4Tag {
+                        deny
+                        condition not(Attributes.projectTag == "Switch.P4")
+                        on deny {
+                            advice reasonToDeny {
+                                Attributes.message = "Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch."
+                            }
+                        }
+                    }
+                }
+            }            
+
             // Each of the following policies must explicitly say 'permit' or else the policy fails
             policyset createVM = "urn:fabric:authz:xacml:orchestrator:tags:create:vm" {
                 target clause Attributes.resourceType == "sliver"