Currently, when policies are updated via one of the PAP APIs, the entire list of policies is transmitted to the PDPs. The communication between PAP and the PDPs should be enhanced so that only the changes need be transmitted.
After receiving the request from the REST layer, PAP performs the basic validation checks, generates a PDP_UPDATE message with the full list of policies for that particular PdpSubGroup, and sends it to the PDPs through DMaaP. The PDPs, on the other side, scan through the list and identify the policies that need to be deployed or undeployed. The PDPs thereby share work that PAP, as the administrator component, should ideally be doing.
The aim is to send only the requested and validated policies that need to be deployed or undeployed in the PDPs, so that the PDPs can remove the scanning logic and focus more on "execution" than "administration". It also reduces the data transmitted over DMaaP (the network), making the layer more robust and resilient.
Important Note:
- The change needs to be designed so that it doesn't break the currently working contract between PAP and the PDPs, and allows some time for the PDPs to adapt and move to the newer (simpler) way of managing policies.
- The change shouldn't affect the PDP registration flow, because there we would like to continue sending the FULL list of policies currently supported in the PdpSubGroup in which the PDP is being registered.
Current thoughts/suggestions:
- Enhance the PDP_UPDATE message to contain two new lists (deploy and undeploy), while maintaining its current full list of policies. When the PDPs support delta policies, we can then remove the original full list.
- Enhance the PDP_UPDATE message to contain one new list of policies to be updated and a boolean value to determine whether to deploy or undeploy the policies, while maintaining the full list of policies. When the PDPs support delta policies, we can remove the original list.
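The first suggestion, sketched as an added example (not PAP or PDP project code): PAP sends the full list plus deploy/undeploy deltas, a delta-aware PDP applies only the deltas, and a legacy PDP or a registration message falls back to scanning the full list. All field names (`messageName`, `policies`, `deploy`, `undeploy`) and both function names are assumptions made for illustration.

```python
"""Backward-compatible PDP_UPDATE: full policy list plus deploy/undeploy deltas.

Field and function names are hypothetical, not the actual PAP message schema.
"""


def build_pdp_update(subgroup_policies, deploy=(), undeploy=(), registration=False):
    """PAP side: apply the validated request and build the message.

    subgroup_policies: dict of policy id -> policy body currently in the PdpSubGroup.
    deploy: iterable of (policy_id, body) pairs; undeploy: iterable of policy ids.
    """
    deploy, undeploy = dict(deploy), list(undeploy)
    updated = dict(subgroup_policies)
    updated.update(deploy)
    for pid in undeploy:
        updated.pop(pid, None)
    msg = {"messageName": "PDP_UPDATE", "policies": updated}
    if not registration:
        # Deltas are additive fields: a legacy PDP ignores them and reads "policies".
        msg["deploy"] = deploy
        msg["undeploy"] = undeploy
    return msg


def apply_pdp_update(deployed, msg, supports_delta):
    """PDP side: return the new deployed set (policy id -> body)."""
    result = dict(deployed)
    if supports_delta and "deploy" in msg and "undeploy" in msg:
        # Delta path: no scanning, just execute what PAP already decided.
        result.update(msg["deploy"])
        for pid in msg["undeploy"]:
            result.pop(pid, None)
        return result
    # Legacy path (also used at registration): scan the full list.
    full = msg["policies"]
    for pid in list(result):
        if pid not in full:
            del result[pid]
    result.update(full)
    return result


if __name__ == "__main__":
    current = {"p1": "v1", "p2": "v1"}  # constructed sample state
    update = build_pdp_update(current, deploy=[("p3", "v1")], undeploy=["p1"])
    print(apply_pdp_update(current, update, supports_delta=True))
    print(apply_pdp_update(current, update, supports_delta=False))
```

Both PDP paths must converge on the same deployed set; that equality is the compatibility property to check before the full list is removed from the message.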