Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

Background

The Policy Framework solution uses the TOSCA policy model as a way to allow users to access common Policy Framework capabilities. The model is extended for specific PDPs. All concepts supported in Policy Framework are extensions of the concepts specified in the standard TOSCA policy definition specification. The concept of Targets in the TOSCA specification is not implemented in common Policy Framework functionality. However, equivalent functionality can be realized using policies in existing PDPs e.g. to return a decision on a 'guard' policy, an XACML policy can be used, or to apply a filter an Apex policy could be used. Therefore to deploy Target like functionality in the Policy Framework, a PDP is deployed.

...

Type of PolicySupportedDescription
OperationalYes
NativeYes
GuardNoGuard policies may already be called by other policies, and a target policy is similar to a guard policy
MonitoringNoMonitoring policies are parameter policies and are not fired by the Policy Framework
OptimizationNoOptimization policies are parameter policies and are not fired by the Policy Framework
Match??
Naming??

Policy Execution

Execution Sequence

...



Code Block
titlePlantUML source for Sequence Diagram
collapsetrue
@startuml

title Policy Framework Target Execution

autonumber

participant PolicyCaller

box "PolicyFramework" #LightBlue
  participant AnyPDP
  participant XACML_PDP
end box

PolicyCaller --> AnyPDP : policy trigger

loop from root to last descendant PolicyType
  alt targets specified on PolicyType
    AnyPDP --> XACML_PDP : Invoke target policy specified on PolicyType
    alt targets policy rejects execution
      AnyPDP --> PolicyCaller : execution rejected
    end
  end
end

loop from root to last descendant Policy
  alt targets specified on Policy
    AnyPDP --> XACML_PDP : Invoke target policy specified on Policy
    alt targets policy rejects execution
      AnyPDP --> PolicyCaller : execution rejected
    end
  end
end

AnyPDP --> AnyPDP : execute policy

activate AnyPDP
deactivate AnyPDP

AnyPDP --> PolicyCaller : policy result

@enduml

...

  • The Policy Framework loops over the root PolicyType to the last descendant PolicyType
    • A check of the Policy Type specification is made to see if targets have been specified on it, if so, the XACML PDP is invoked with the specified target policy and the specified targets as parameters (Step 2).
    • If the target policy for the Policy Type rejects the targets, execution of the policy proper is rejected (Step 3).
    • If no targets are specified on the Policy Type or the target policy for the Policy Type accepts the target, execution continues
  • The Policy Framework loops over the root Policy to the last descendant Policy
    • A check of the Policy specification is made to see if targets have been specified on it, if so, the XACML PDP is invoked with the specified target policy and the specified targets as parameters (Step 4).
    • If the target policy for the Policy rejects the targets, execution of the policy proper is rejected (Step 5).
    • If no targets are specified on the Policy or the target policy for the Policy accepts the target, execution continues (Step 6)

TOSCA Example for PolicyType targets

...

languageyml
titleTargets in Policy Types
linenumberstrue
collapsetrue

...

Components and APIs

Drawio
bordertrue
diagramNameComponent Diagram
simpleViewerfalse
width
linksauto
tbstyletop
lboxtrue
diagramWidth581
revision4

The targetsCommon component is a common component in the Policy Framework that can be used by any PDP that wishes to support targets in policy types and policies. The targetsCommon component offers a Java API that PDPs can use to do target checking. The targetsCommon component determines which target policies should be executed by recursing through the policy and policy type hierarchies. It then invokes the XACML PDP for each target policy using the Target REST API.

TargetHandling API

This API provides a common mechanism for handling targets for all PDPs that want to use targets. It is provided as a Java interface by the targetsCommon component.

Code Block
languagejava
titleThe TargetHandling Interface
linenumberstrue
import java.util.Set;
import org.onap.policy.models.tosca.authorative.concepts.ToscaEntityKey;
import org.onap.policy.models.tosca.authorative.concepts.ToscaServiceTemplate;

public interface TargetHandling {
    public boolean checkTargets(final ToscaEntityKey toscaPolicy,
             properties:             targetPolicyName: onap.policies.targets.Zones     final ToscaServiceTemplate serviceTemplate,
     targetPolicyVersion: 1.6.2     onap.policies.controlloop.operational.Common:         derived_from: tosca.policies.Root         version: 1.0.0 final Object       name: onap.policies.controlloop.operational.Common
        description: |
            Operational Policy for Control Loop execution. Originated in Frankfurt to support TOSCA Compliant
            Policy Types. This does NOT support the legacy Policy YAML policy type.
    onap.policies.controlloop.operational.common.Acme:
        derived_from: onap.policies.controlloop.operational.Common
        type_version: 1.0.0
        version: 1.0.0
        name: onap.policies.controlloop.operational.common.Acme
        description: Operational policies for Acme PDP
        targets: [AcmeManagedControlLoops]
        properties:
            targetPolicyName: onap.policies.targets.AcmeControlLoops
    onap.policies.controlloop.operational.common.acme.VehicleManufacturing:
        derived_from: onap.policies.controlloop.operational.CommonexecutionContext);
}

When a PDP receives an event, it determines which policy the event has triggered. It then always calls the checkTargets method on the TargetHandling interface. The The toscaPolicy parameter contains the name and version of the policy that has been triggered. The serviceTemplate parameter provides the policy types and policy definitions that are known to the PDP to the targetsCommon component. The executionContext parameter allows the PDP to pass any extra context it wishes the targetsCommon component and the XACML PDP to consider during the target check.

Once the checkTargets method is called, the algorithm described in the Execution Sequence section above is executed by the targetsCommon component.

Target REST API

The Target REST API is a specific REST API for targets, provided the XACML PDP. It executes a single target policy with each invocation, so it may be called multiple times by the targetsCommon component on a single checkTargets call. The Target REST API is similar in structure and design to the Policy Decision API.

FieldRequiredXACML equivalentDescription
ONAPNameTruesubjectThe name of the ONAP project making the call
ONAPComponentTruesubjectThe name of the ONAP sub component making the call
ONAPInstanceFalsesubjectAn optional instance ID for that sub component
targetsTrueresourceThe targets to check
policyTrueresourceThe policy to use for the target check
contextFalseresourceExtra context to be considered in the target check

The XACML PDP executes the logic and rules of requested target policy on the given targets using the given context. and returns a boolean result of true or false.

<Pamela Dragosh please comment here>

Specification of targets in TOSCA

TOSCA Example for PolicyType targets

Code Block
languageyml
titleTargets in Policy Types
linenumberstrue
collapsetrue
tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
    onap.policies.controlloop.Operational:
        typederived_versionfrom: 1tosca.0policies.0Root
        version: 1.0.0
        name: onap.policies.controlloop.operational.common.AcmeOperational
        description: Operational policiesPolicy forRoot AcmeType.
PDP         targets: [CarManufacturingActiveZones, TruckManufacturingTestZones]
        properties:
            targetPolicyName: onap.policies.targets.controlloop.common.acme.VehicleManufacturingPlantsZones
            targetPolicyVersion: 21.4.1

In the example above, there are four hierarchical levels in the PolicyType definition.

...

6.2
    onap.policies.controlloop.operational.Common:
        derived_from: tosca.policies.Root
        version: 1.0.0
        name: onap.policies.controlloop.operational.Common

...


        description: |
            Operational Policy for Control Loop execution. Originated in Frankfurt to support TOSCA Compliant
            Policy Types. This does NOT support the legacy Policy YAML policy type.
    onap.policies.controlloop.operational.common.Acme:

...


        derived_from: onap.policies.controlloop.operational.

...

Common
        type_version: 1.0.0
        version: 1.0.0
        name: onap.policies.

...

controlloop.

...

TOSCA Example for Policy targets

Code Block
languageyml
titleTargets in Policy
linenumberstrue
collapsetrue
tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
    -   operational.vehiclemanufacturing.electric-vehicleoperational.common.Acme
        description: Operational policies for Acme PDP
        targets: [AcmeManagedControlLoops]
        properties:
            typetargetPolicyName: onap.policies.targets.AcmeControlLoops
    onap.policies.controlloop.operational.common.acme.VehicleManufacturing:
            type_versionderived_from: 1onap.policies.0.0
controlloop.operational.Common
           type_version: 1.0.0
        version: 1.0.0
        name: onap.policies.controlloop.operational.vehiclemanufacturing.electric-vehicle
   common.Acme
        description: Operational policies for Acme PDP
        targets: [Wayne_Line4, Wayne_Line5, Dagenham_Line2, Koln_line5]CarManufacturing, TruckManufacturing]
        properties:
            propertiestargetPolicyName: onap.policies.targets.controlloop.common.acme.VehicleManufacturingPlants
            targetPolicyVersion:    targetPolicyName: onap.policies.targets.enableEVBatteryTesting
                targetPolicyVersion: 2.1.2

...

2.4.1

In the example above, there are four hierarchical levels in the PolicyType definition.

  • onap.policies.controlloop.Operational: This policy type has targets of ActiveZones and TestZones, and those targets are governed by the target policy onap.policies.targets.Zones version 1.6.2
  • onap.policies.controlloop.operational.Common: No targets are specified on this policy type so this specific policy type will apply to all targets that have passed the target governance of its parent policy type.

  • onap.policies.controlloop.operational.common.Acme: This policy type has a target of AcmeManagedControlLoops and that target is governed by the latest version of the target policy onap.policies.targets.AcmeControlLoops

  • onap.policies.controlloop.operational.common.acme.VehicleManufacturing: This policy type has targets of CarManufacturing and TruckManufacturing, and those targets are governed by the target policy onap.policies.targets.controlloop.common.acme.VehicleManufacturingPlants version 2.4.1

TOSCA Example for Policy targets

Code Block
languageyml
titleTargets in Policy
linenumberstrue
collapsetrue
tosca_definitions_version: tosca_simple_yaml_1_1_0
topology_template:
    policies:
    -   operational.vehiclemanufacturing.electric-vehicle:
            type: onap.policies.controlloop.operational.common.acme.VehicleManufacturing
            type_version: 1.0.0
            version: 1.0.0
            name: operational.vehiclemanufacturing.electric-vehicle
            targets: [Wayne_Line4, Wayne_Line5, Dagenham_Line2, Koln_line5]
            properties:
                targetPolicyName: onap.policies.targets.enableEVBatteryTesting
                targetPolicyVersion: 2.1.2

The example above, the policy operational.vehiclemanufacturing.electric-vehicle has targets Wayne_Line4, Wayne_Line5, Dagenham_Line2 and Koln_line5, and those targets are governed by the target policy onap.policies.targets.enableEVBatteryTesting version 2.1.2.

Deployment

Drawio
bordertrue
diagramNameTarget Policy Deployment
simpleViewerfalse
width
linksauto
tbstyletop
lboxtrue
diagramWidth641
revision1

The diagram above shows how policies that use targets are deployed. When targets are specified, an XACML PDP is deployed with the PDP that is executing the policy that uses targets. At least one XACML PDP with a well known REST endpoint must be running in each PDP group that uses targets. For example, in an Kubernetes deployment, an XACML PDP may be instantiated in each POD together with a PDP that will execute policies that use targets.

At deployment, PolicyAdministration (the PAP) checks the policy being deployed to see if it uses targets. if so, the PAP reads the target policies from the policy database and deploys them to the XACML PDPs in the PDP group. It then deploys the policy that uses targets to the PDPs in the PDP group.

Development Effort

The table below gives a rough preliminary calculation of the effort required to develop this feature.

ActivityComponentModuleEffortDescription of Work
Design/Coding/Unit Testpolicy-modelsmodels-toscaSAdd parsing and Database persistence for targets
Design/Coding/Unit Testpolicy-modelsmodels-papXSAdd modelling for targets
Design/Coding/Unit Testpolicy-pappap-mainLAdd support for deployment of target policies
Design/Coding/Unit Testpolicy-models?targets-commonXLImplementation of common target handling on event reception
Design/Coding/Unit Testpolicy-xacml-pdpapplications.targetsLAdd support for target policies
Design/Coding/Unit Testpolicy-xacml-pdpxacml-mainMAdd Target REST API
Design/Coding/Unit Testpolicy-apex-pdpservices-onappfSAdd check for targets on event reception
Design/Coding/Unit Testpolicy-drools
SAdd check for targets on event reception
CSIT

L
Documentation

M