Skip to main content

Remote Engine

A policy/metric with remote engine, allows users to contact external services to evaluate resources and produce an evaluation result that is compatible with the Computational Governance Platform.

This greatly extends the options available for the platform team to define custom validations using policies. CUE is a very powerful language, that allows for a huge amount of checks to be performed, but having the possibility to invoke also microservices increases the possibilities exponentially. The "remote" engine represents exactly a policy that instead of using CUE script to be evaluated, sends the descriptor to a microservice, and gets the evaluation result from it. For example, you can implement a microservice that performs syntactic validations using another validation tool ( like a rule engine); or you can invoke a microservice that checks that the descriptor is compliant with some values defined in a third-party service, like your data catalog; or you can even define a microservice that queries your existing infrastructure to check that the requested descriptor does not interfere with it.

For metrics, the "remote" engine is the only allowed value, since CUE cannot be used to generate a numeric value for them. All metrics will be evaluated by sending a request to a metric microservice that will return a value as outcome. Also in this case, when the platform team defines the microservice logic, they can do whatever kind of processing they like, as long as they are compatible with the interface specification.

note

Policies with engine "Remote" are called "remote policies". Metrics and remote policies will always have an "Active" trigger, since for "Passive" trigger the engine is meaningless. Please check the Passive Trigger chapter to get more insight on it.

Remote policies and metrics are triggered in the usual way: if they are defined at "Runtime" timing, they will be scheduled to run automatically, while if they are defined at "Deployment" timing, they will be evaluated every time the related resources are deployed.

Remote Engine API

In order to make the service compatible with the Computational Governance Platform specification, the service should implement a POST v1/evaluate route compliant with the Open API specification: POST Evaluate.

Remote Engine OpenAPI Specification
openapi: 3.0.3
info:
title: Remote governance entity specification
description: 'Service responsible to manage requests from the computational governance platform to validate resources.'
version: '0.1'
tags:
- name: RemotePolicyService
- name: MetricService
paths:
/v1/evaluate:
post:
tags:
- name: RemotePolicyService
- name: MetricService
summary: Return a result based on an input resource
operationId: validate
requestBody:
description: An object containing the resource to evaluate using this executor
content:
application/json:
schema:
$ref: '#/components/schemas/InputResource'
required: true
responses:
200:
description: Return a response containing the evaluation result
content:
application/json:
schema:
anyOf:
- $ref: '#/components/schemas/PolicyResult'
- $ref: '#/components/schemas/MetricResult'
400:
description: Invalid input
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
500:
description: System problem
content:
application/json:
schema:
$ref: '#/components/schemas/Error'
components:
schemas:
InputResource:
required:
- content
- resourceType
- resourceId
type: object
properties:
content:
description: the actual resource to which a policy will be applied
type: string
resourceType:
description: resource type that is being sent in the content
type: string
resourceId:
description: resource identifier
type: string
MetricResult:
type: object
required:
- value
properties:
value:
type: number
description: a metric value
details:
type: object
description: a free field of optional informations returned by the external service
errors:
type: array
description: contains a list of possible error as a result of a policy execution
items:
type: string
PolicyResult:
type: object
required:
- satisfiesPolicy
- errors
properties:
satisfiesPolicy:
type: boolean
description: returns whether or not the input resource is valid or not
details:
type: object
description: a free field of optional informations returned by the external service
errors:
type: array
description: contains a list of possible error as a result of a validation
items:
type: string
Error:
required:
- error
type: object
properties:
error:
type: string

The microservice that exposes this endpoint, will receive as input a resource to evaluate. The resource will contain the YAML descriptor, the resource type and identifier. An example of what the input would look like is:

{
"resourceId": "urn:dmb:dp:marketing:a-deployed-dp:0",
"resourceType": "dataproduct",
"content": "name: marketing.a-deployed-dp.0\ndomain: finance"
}

The external service should act as a validator:

  • for policies, it should return a list of errors if there are any, otherwise the error field should be empty and the * Computational Governance Platform* will interpret the policy response as successful.
  • for metrics, it should return a value that represent the outcome of the metric evaluation.

An example of response sent by the microservice for a failed remote policy could be:

{
"satisfiesPolicy": false,
"errors": [
"found one error at line 67. Field 'my-field' not recognized as a valid name"
],
"details": {}
}

while for a metric could be:

{
"value": 65,
"errors": [],
"details": {}
}

In both cases, the errors and details fields are displayed in the UI:

  • the first represents a list of errors occurred during the evaluation, that the user should fix in order to be compliant with the governance rules.
  • the second represents a JSON object that contains additional details related to the policy/metric outcome. It's a field without fixed schema, where you can put a JSON object representing additional information of the result.
note

Even if the policy/metric evaluation is a failure, the HTTP response should always be successful (2XX code) since it means that the evaluation was performed correctly, but the resource was not compliant with the rules defined by the policy/metric. HTTP failures (4XXX and 5XX codes) should be used instead to mark runtime errors that cannot be recovered: services not responding, broken links, connection errors, etc.