1 Background
2 Scenario and Need(s)
3 PolicyType and Policy Targets in TOSCA
4 Support for targets in the Policy Framework
5 Policy Execution
- 5.1 Execution Sequence
  - 5.1.1 PlantUML source for Sequence Diagram
- 5.2 Components and APIs
  - 5.2.1 TargetHandling API
    - 5.2.1.1 The TargetHandling Interface
  - 5.2.2 Target REST API
6 Specification of targets in TOSCA
- 6.1 TOSCA Example for PolicyType targets
  - 6.1.1 Targets in Policy Types
- 6.2 TOSCA Example for Policy targets
  - 6.2.1 Targets in Policy
7 Deployment
- 7.1 Development Effort

Background

The Policy Framework solution uses the TOSCA policy model as a way to allow users to access common Policy Framework capabilities. The model is extended for specific PDPs. All concepts supported in Policy Framework are extensions of the concepts specified in the standard TOSCA policy definition specification. The concept of Targets in the TOSCA specification is not implemented in common Policy Framework functionality. However, equivalent functionality can be realized using policies in existing PDPs e.g. to return a decision on a 'guard' policy, an XACML policy can be used, or to apply a filter an Apex policy could be used. Therefore to deploy Target like functionality in the Policy Framework, a PDP is deployed.

Scenario and Need(s)

It is proposed that a PoC should be executed to analyze how the Policy Framework could evolve to support the TOSCA specification for Targets while ensuring that the existing Policy Framework functionality and requirements are maintained. The findings of the PoC will inform requirements for the Policy Framework for the Honolulu release.

Describe how the TOSCA Target concept can be introduced into the ONAP Policy Framework in a common way for all PDPs
Show how the TOSCA modelling will look in this common approach for various policy types and PDPs
Describe the implementation of the common functionality
create a set of sample policy definitions using targets, which follow the TOSCA standard and are supported in the Policy Framework
execute a series of sample UCs to verify that the policies created in the previous step can be successfully processed by the PDPs in the Policy Framework

PolicyType and Policy Targets in TOSCA

The TOSCA specification for for targets on policy types and policies is identical in Versions 1.0, 1.1, 1.2, and 1.3 of the TOSCA Simple Profile in YAML. For both PolicyType and Policy, targets are defined as a list of strings. AS there is no difference in the definition of targets in any of the TOSCA versions above, the approach described on this page applies to all those versions.

Definition of targets for PolicyType from Section 3.7.12.1 of Version 1.3 of the TOSCA specification.

Definition of targets for Policies from Section 3.8.6.1 of Version 1.3 of the TOSCA specification.

Support for targets in the Policy Framework

The TOSCA specification is silent on how targets, should be interpreted. Therefore the Policy Framework will allow the user to specify what way the targets should be treated for each PolicyType or Policy on which targets are specified. This will be achieved by asking the user to specify a XACML policy for each PolicyType or Policy on which targets have been specified.

If targets are specified on a PolicyType or Policy, the user specifies the name and version of an XACML policy to execute prior to execution. The list of targets is passed to the XACML target policy, which returns a boolean value of true or false. Execution of the Policy proper only proceeds if the XACML target policy returns true.

The following properties are introduced on PolicyType and Policy specifications to identify the XACML target policy to execute for targets.

Porperty Name	Required	Type	Description

Porperty Name	Required	Type	Description
targetPolicyName	Conditional	String	The name of an XACML policy to execute to check whether execution should continue for a given set of targets. If the targets keyname is specified and the targetPolicyName property is not specified, policy execution is aborted and an error is reported. If the policy specified in the targetPolicyName property does not exist, policy execution is aborted and an error is reported.
targetPolicyVersion	Optional	String	The version the XACML policy specified in the targetPolicyName property. If the targetPolicyVersion property is not specified, the latest version of the policy specified in the targetPolicyName propertyis used. If the version of the policy specified in the targetPolicyVersion property does not exist, policy execution is aborted and an error is reported.

In the Policy Framework, targets are supported only for policies that are actually fired by the Policy Framework.

Type of Policy	Supported	Description

Type of Policy	Supported	Description
Operational	Yes
Native	Yes
Guard	No	Guard policies may already be called by other policies, and a target policy is similar to a guard policy
Monitoring	No	Monitoring policies are parameter policies and are not fired by the Policy Framework
Optimization	No	Optimization policies are parameter policies and are not fired by the Policy Framework
Match	?	?
Naming	?	?

Policy Execution

Execution Sequence

PlantUML source for Sequence Diagram

@startuml

title Policy Framework Target Execution

autonumber

participant PolicyCaller

box "PolicyFramework" #LightBlue
  participant AnyPDP
  participant XACML_PDP
end box

PolicyCaller --> AnyPDP : policy trigger

loop from root to last descendant PolicyType
  alt targets specified on PolicyType
    AnyPDP --> XACML_PDP : Invoke target policy specified on PolicyType
    alt targets policy rejects execution
      AnyPDP --> PolicyCaller : execution rejected
    end
  end
end

loop from root to last descendant Policy
  alt targets specified on Policy
    AnyPDP --> XACML_PDP : Invoke target policy specified on Policy
    alt targets policy rejects execution
      AnyPDP --> PolicyCaller : execution rejected
    end
  end
end

AnyPDP --> AnyPDP : execute policy

activate AnyPDP
deactivate AnyPDP

AnyPDP --> PolicyCaller : policy result

@enduml

The Policy Framework will introduce common support for targets as a library function that all PDPs can use. This support can be used by any of the Policy Framework PDPs, as shown above.

When a trigger event is received by a PDP (Step 1), the PDP invokes the common handling for targets (Steps 2 to 5). If this common handling permits execution to proceed, policy execution proceeds as normal (Step 6).

The common handling works as follows:

The Policy Framework loops over the root PolicyType to the last descendant PolicyType
- A check of the Policy Type specification is made to see if targets have been specified on it, if so, the XACML PDP is invoked with the specified target policy and the specified targets as parameters (Step 2).
- If the target policy for the Policy Type rejects the targets, execution of the policy proper is rejected (Step 3).
- If no targets are specified on the Policy Type or the target policy for the Policy Type accepts the target, execution continues
The Policy Framework loops over the root Policy to the last descendant Policy
- A check of the Policy specification is made to see if targets have been specified on it, if so, the XACML PDP is invoked with the specified target policy and the specified targets as parameters (Step 4).
- If the target policy for the Policy rejects the targets, execution of the policy proper is rejected (Step 5).
- If no targets are specified on the Policy or the target policy for the Policy accepts the target, execution continues (Step 6)

Components and APIs

The targetsCommon component is a common component in the Policy Framework that can be used by any PDP that wishes to support targets in policy types and policies. The targetsCommon component offers a Java API that PDPs can use to do target checking. The targetsCommon component determines which target policies should be executed by recursing through the policy and policy type hierarchies. It then invokes the XACML PDP for each target policy using the Target REST API.

TargetHandling API

This API provides a common mechanism for handling targets for all PDPs that want to use targets. It is provided as a Java interface by the targetsCommon component.

The TargetHandling Interface

import java.util.Set;
import org.onap.policy.models.tosca.authorative.concepts.ToscaEntityKey;
import org.onap.policy.models.tosca.authorative.concepts.ToscaServiceTemplate;

public interface TargetHandling {
    public boolean checkTargets(final ToscaEntityKey toscaPolicy,
                                final ToscaServiceTemplate serviceTemplate,
                                final Object executionContext);
}

When a PDP receives an event, it determines which policy the event has triggered. It then always calls the checkTargets method on the TargetHandling interface. The The toscaPolicy parameter contains the name and version of the policy that has been triggered. The serviceTemplate parameter provides the policy types and policy definitions that are known to the PDP to the targetsCommon component. The executionContext parameter allows the PDP to pass any extra context it wishes the targetsCommon component and the XACML PDP to consider during the target check.

Once the checkTargets method is called, the algorithm described in the Execution Sequence section above is executed by the targetsCommon component.

Target REST API

The Target REST API is a specific REST API for targets, provided the XACML PDP. It executes a single target policy with each invocation, so it may be called multiple times by the targetsCommon component on a single checkTargets call. The Target REST API is similar in structure and design to the Policy Decision API.

Field	Required	XACML equivalent	Description

Field	Required	XACML equivalent	Description
ONAPName	True	subject	The name of the ONAP project making the call
ONAPComponent	True	subject	The name of the ONAP sub component making the call
ONAPInstance	False	subject	An optional instance ID for that sub component
targets	True	resource	The targets to check
policy	True	resource	The policy to use for the target check
context	False	resource	Extra context to be considered in the target check

The XACML PDP executes the logic and rules of requested target policy on the given targets using the given context. and returns a boolean result of true or false.

<@Pamela Dragosh please comment here>

Specification of targets in TOSCA

TOSCA Example for PolicyType targets

Targets in Policy Types

tosca_definitions_version: tosca_simple_yaml_1_1_0
policy_types:
    onap.policies.controlloop.Operational:
        derived_from: tosca.policies.Root
        version: 1.0.0
        name: onap.policies.controlloop.Operational
        description: Operational Policy Root Type.
        targets: [ActiveZones, TestZones]
        properties:
            targetPolicyName: onap.policies.targets.Zones
            targetPolicyVersion: 1.6.2
    onap.policies.controlloop.operational.Common:
        derived_from: tosca.policies.Root
        version: 1.0.0
        name: onap.policies.controlloop.operational.Common
        description: |
            Operational Policy for Control Loop execution. Originated in Frankfurt to support TOSCA Compliant
            Policy Types. This does NOT support the legacy Policy YAML policy type.
    onap.policies.controlloop.operational.common.Acme:
        derived_from: onap.policies.controlloop.operational.Common
        type_version: 1.0.0
        version: 1.0.0
        name: onap.policies.controlloop.operational.common.Acme
        description: Operational policies for Acme PDP
        targets: [AcmeManagedControlLoops]
        properties:
            targetPolicyName: onap.policies.targets.AcmeControlLoops
    onap.policies.controlloop.operational.common.acme.VehicleManufacturing:
        derived_from: onap.policies.controlloop.operational.Common
        type_version: 1.0.0
        version: 1.0.0
        name: onap.policies.controlloop.operational.common.Acme
        description: Operational policies for Acme PDP
        targets: [CarManufacturing, TruckManufacturing]
        properties:
            targetPolicyName: onap.policies.targets.controlloop.common.acme.VehicleManufacturingPlants
            targetPolicyVersion: 2.4.1

In the example above, there are four hierarchical levels in the PolicyType definition.

onap.policies.controlloop.Operational: This policy type has targets of ActiveZones and TestZones, and those targets are governed by the target policy onap.policies.targets.Zones version 1.6.2
onap.policies.controlloop.operational.Common: No targets are specified on this policy type so this specific policy type will apply to all targets that have passed the target governance of its parent policy type.
onap.policies.controlloop.operational.common.Acme: This policy type has a target of AcmeManagedControlLoops and that target is governed by the latest version of the target policy onap.policies.targets.AcmeControlLoops
onap.policies.controlloop.operational.common.acme.VehicleManufacturing: This policy type has targets of CarManufacturing and TruckManufacturing, and those targets are governed by the target policy onap.policies.targets.controlloop.common.acme.VehicleManufacturingPlants version 2.4.1

TOSCA Example for Policy targets

Targets in Policy

The example above, the policy operational.vehiclemanufacturing.electric-vehicle has targets Wayne_Line4, Wayne_Line5, Dagenham_Line2 and Koln_line5, and those targets are governed by the target policy onap.policies.targets.enableEVBatteryTesting version 2.1.2.

Deployment

The diagram above shows how policies that use targets are deployed. When targets are specified, an XACML PDP is deployed with the PDP that is executing the policy that uses targets. At least one XACML PDP with a well known REST endpoint must be running in each PDP group that uses targets. For example, in an Kubernetes deployment, an XACML PDP may be instantiated in each POD together with a PDP that will execute policies that use targets.

At deployment, PolicyAdministration (the PAP) checks the policy being deployed to see if it uses targets. if so, the PAP reads the target policies from the policy database and deploys them to the XACML PDPs in the PDP group. It then deploys the policy that uses targets to the PDPs in the PDP group.

Development Effort

The table below gives a rough preliminary calculation of the effort required to develop this feature.

Activity	Component	Module	Effort	Description of Work

Activity	Component	Module	Effort	Description of Work
Design/Coding/Unit Test	policy-models	models-tosca	S	Add parsing and Database persistence for targets
Design/Coding/Unit Test	policy-models	models-pap	XS	Add modelling for targets
Design/Coding/Unit Test	policy-pap	pap-main	L	Add support for deployment of target policies
Design/Coding/Unit Test	policy-models?	targets-common	XL	Implementation of common target handling on event reception
Design/Coding/Unit Test	policy-xacml-pdp	applications.targets	L	Add support for target policies
Design/Coding/Unit Test	policy-xacml-pdp	xacml-main	M	Add Target REST API
Design/Coding/Unit Test	policy-apex-pdp	services-onappf	S	Add check for targets on event reception
Design/Coding/Unit Test	policy-drools		S	Add check for targets on event reception
CSIT			L
Documentation			M

ONAP Wiki

PoC Proposal: Support of TOSCA Targets in the Policy Framework