Ability to Enable/Disable Policy in PDP Engine
Summary
This operation will allow enabling/disabling individual policies running in PDP engine.
The policy still remains in PDP engine, only the execution of ONSET events/decision calls are stopped temporarily.
It is mainly beneficial in scenarios where network operators/administrators want to disable a particular policy in PDP engine for a period of time due to a failure in the system or for scheduled maintenance.
Impacted Policy components
Component Name | Feasibility Analysis | Comments | Owner |
---|---|---|---|
PAP |
| @Ram Krishna Verma | |
Drools-PDP | @Jorge Hernandez | ||
Apex-PDP | @Ajith Sreekumar | ||
Xacml-PDP | @Pamela Dragosh |
Currently available alternative solutions
Solution | Rank | Comments |
---|---|---|
ACTIVE/PASSIVE state change at PdpGroup Level | LOW | This solution makes all the policies running in PDP engine to stop/start execution. |
Deploy/Undeploy policy in PDP Engine | MEDIUM | This solution might work but includes overhead of deploying/undeploying policies from PAP to PDP engine. Delta update might help improve the list sent by PAP. Also, needs to know what happens if an event is under process and PDP receives message to undeploy policy. |
Proposed plan/changes
Utilize the deploy/undeploy API to achieve the ability for enabling/disabling policy in PDP engine. And make the following changes:
Delta policy update between PAP & PDP
Currently the whole list of policies are transferred always between PAP & PDP for any deploy/undeploy operation. This should be changed to only send the policy for which deploy/undeploy operation has to be performed by the PDP.
This will help in not affecting other policies while trying to enable/disable a policy in PDP. Also, improves the overhead of sending the whole list again and again and PDP scanning through the li
As discussed on Policy weekly call (15th July):
Drools PDP : Already has support of scanning the policy list coming from PAP and only deploy/undeploy the policy which is either new in the list or missing in the list. Hence, no impact to other running policies.
Xacml PDP : Also has the same support like drools-pdp.
Apex PDP : Currently when it receives the list of policy, the current instance of engine is brought down and started again with new set of policies. Hence, impacting the other running policies. NEED TO BE FIXED
Graceful undeploy of policy in PDP
When a PDP engine receives undeploy request from PAP, it should ideally try to finish the processing of any ongoing event and then gracefully undeploy the policy.
As discussed on Policy weekly call (15th July):
Drools PDP : Already has the support.
Xacml PDP : Also has the same support like drools-pdp.
Apex PDP : Currently when it receives the list of policy, the current instance of engine is brought down immediately. Hence, impacting the ongoing event processing. NEED TO BE FIXED