Ability to Enable/Disable Policy in PDP Engine

Summary

This operation will allow enabling/disabling individual policies running in the PDP engine.

The policy still remains in the PDP engine; only the execution of ONSET events/decision calls is stopped temporarily.

It is mainly beneficial in scenarios where network operators/administrators want to disable a particular policy in the PDP engine for a period of time due to a failure in the system or for scheduled maintenance.

Impacted Policy components

| Component Name | Feasibility Analysis | Comments | Owner |
|---|---|---|---|
| PAP | | | @Ram Krishna Verma |
| Drools-PDP | | | @Jorge Hernandez |
| Apex-PDP | | | @Ajith Sreekumar |
| Xacml-PDP | | | @Pamela Dragosh |



Currently available alternative solutions

| Solution | Rank | Comments |
|---|---|---|
| ACTIVE/PASSIVE state change at PdpGroup Level | LOW | This solution stops/starts execution of all the policies running in the PDP engine, but the intent is to stop/start individual policies. |
| Deploy/Undeploy policy in PDP Engine | MEDIUM | This solution might work, but it includes the overhead of deploying/undeploying policies from PAP to the PDP engine. A delta update might help improve the list sent by PAP. It also needs to be known what happens if an event is being processed when the PDP receives a message to undeploy the policy. |

Proposed plan/changes

Use the deploy/undeploy API to provide the ability to enable/disable a policy in the PDP engine, and make the following changes:

  • Delta policy update between PAP & PDP

Currently, the whole list of policies is always transferred between PAP & PDP for any deploy/undeploy operation. This should be changed to send only the policy for which the deploy/undeploy operation has to be performed by the PDP.

This avoids affecting other policies while enabling/disabling a policy in the PDP. It also reduces the overhead of sending the whole list again and again and PDP scanning through the li

As discussed on the Policy weekly call (15th July):

  1. Drools PDP: Already supports scanning the policy list coming from PAP and deploying/undeploying only the policies that are either new in the list or missing from the list. Hence, there is no impact on other running policies.

  2. Xacml PDP: Has the same support as drools-pdp.

  3. Apex PDP: Currently, when it receives the list of policies, the current engine instance is brought down and started again with the new set of policies, which impacts the other running policies. NEEDS TO BE FIXED

  • Graceful undeploy of policy in PDP

When a PDP engine receives an undeploy request from PAP, it should ideally finish processing any ongoing event and then gracefully undeploy the policy.

As discussed on the Policy weekly call (15th July):

  1. Drools PDP: Already has the support.

  2. Xacml PDP: Has the same support as drools-pdp.

  3. Apex PDP: Currently, when it receives the list of policies, the current engine instance is brought down immediately, which impacts the ongoing event processing. NEEDS TO BE FIXED
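
The two changes above (delta policy update and graceful undeploy), sketched as an added example that is not ONAP code or part of the original page. `ToyPdp` and all of its method names are hypothetical; it assumes a policy is identified by a string id and that every accepted event ends with a call to `end_event`.

```python
import threading

class ToyPdp:
    """Hypothetical stand-in for a PDP engine (assumption, not ONAP code)."""

    def __init__(self):
        self._cv = threading.Condition()
        self._busy = {}         # policy id -> events still being processed
        self._draining = set()  # policies that accept no new events

    def deployed(self):
        with self._cv:
            return set(self._busy)

    def delta(self, full_list):
        """Reduce a full policy list from the PAP to (to_deploy, to_undeploy)."""
        current, wanted = self.deployed(), set(full_list)
        return wanted - current, current - wanted

    def apply(self, to_deploy=(), to_undeploy=(), timeout=5.0):
        """Apply a delta; policies not named in it are never touched."""
        with self._cv:
            for pid in to_deploy:
                self._busy.setdefault(pid, 0)
        return {pid: self._undeploy(pid, timeout) for pid in to_undeploy}

    def _undeploy(self, pid, timeout):
        """Refuse new events, wait for ongoing ones, then remove the policy."""
        with self._cv:
            if pid not in self._busy:
                return False
            self._draining.add(pid)
            idle = self._cv.wait_for(lambda: not self._busy.get(pid), timeout)
            if idle:  # on timeout the policy stays draining so a retry can finish
                self._busy.pop(pid, None)
                self._draining.discard(pid)
            return idle

    def begin_event(self, pid):
        """Return True if the event was accepted for processing."""
        with self._cv:
            if pid not in self._busy or pid in self._draining:
                return False
            self._busy[pid] += 1
            return True

    def end_event(self, pid):
        with self._cv:
            self._busy[pid] -= 1
            self._cv.notify_all()
```

An undeploy that times out returns `False` and leaves the policy closed to new events, so the caller can tell a policy that is still finishing work from one that has been removed.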