ONAP Policy Framework
- Saul Gill
The ONAP (Open Network Automation Platform) Policy Framework is responsible for creating, managing, and enforcing policies across the ONAP ecosystem. This framework provides decision-making capabilities based on policies that govern the behavior of ONAP components, services, and infrastructure. The main components of the ONAP Policy Framework include several policy types and decision-making engines. Here's an overview of the key projects:
1. Policy API (policy-api)
Purpose: Provides a RESTful API interface to manage policies in ONAP. It handles the lifecycle of policies, including creation, modification, deletion, and retrieval. It acts as the gateway for clients (such as the Policy Administration Point or PAP) to interact with the ONAP policy system.
Key Features:
Exposes REST endpoints to interact with policies.
Supports creating different policy types (e.g., operational, guard, decision policies).
Interacts with the Policy Database to store and retrieve policy artifacts.
Provides endpoints for policy enforcement data and telemetry.
Role in the Framework: The Policy API serves as the primary entry point for policy management, providing a user-friendly interface for clients to submit and manage policies.
2. Policy PAP (Policy Administration Point - policy-pap)
Purpose: Responsible for managing the policy lifecycle within ONAP, including storing policies, distributing them to the relevant Policy Decision Points (PDPs), and ensuring policies are synchronized and updated across the system.
Key Features:
Manages the registration of PDPs (Apex, Drools, XACML).
Distributes policies to the appropriate PDP based on policy type and target.
Ensures versioning and distribution consistency of policies across the ONAP ecosystem.
Provides APIs for creating, updating, activating, and deleting policies.
Role in the Framework: PAP acts as the policy management controller, overseeing the policy distribution and management across different PDPs.
3. Apex PDP (Apex Policy Decision Point - apex-pdp)
Purpose: A PDP that supports model-driven policies, which are typically more flexible and suitable for managing complex decisions. It allows users to define policies without requiring extensive coding by using higher-level policy models.
Key Features:
Executes decision policies written in a model-driven approach.
Uses event-driven architecture and supports policy decisions based on incoming events.
Supports dynamic policy execution with configurable rules.
Integrates well for real-time decisions based on operational events and conditions.
Role in the Framework: Apex PDP is used for complex, customizable, and model-driven policy decisions, enabling the ONAP system to handle more advanced scenarios, such as service orchestration, resource allocation, and fault recovery.
4. Drools PDP (Drools Policy Decision Point - drools-pdp)
Purpose: A PDP that utilizes the Drools rules engine for rule-based decision-making. It enforces rules defined in the Drools Rule Language (DRL), which is more procedural and suitable for straightforward decision logic based on pre-defined rules.
Key Features:
Executes rules written in the Drools Rule Language.
Integrates with real-time events and facts for decision-making.
Supports stateful and stateless session management in decision processes.
Efficient for operational policies that involve if-then logic for policy enforcement.
Role in the Framework: Drools PDP is primarily used for rule-based decision-making, often for operational policies that involve clear conditions and actions, such as scaling resources or managing traffic routing.
5. XACML PDP (eXtensible Access Control Markup Language Policy Decision Point - xacml-pdp)
Purpose: A PDP that enforces access control policies based on the XACML standard. XACML is widely used in systems requiring fine-grained access control and authorization decisions.
Key Features:
Enforces policies defined using the XACML language.
Specializes in authorization and access control decisions.
Determines whether a subject (e.g., user, service) is allowed to perform a specific action on a resource based on the policies.
Well-suited for role-based access control (RBAC) and attribute-based access control (ABAC).
Role in the Framework: XACML PDP provides fine-grained access control policies and is responsible for making authorization decisions in scenarios where access control is critical, such as API calls or resource access.
How These Components Work Together
Policy Management:
Policies are created and managed via the Policy API.
Once created, the Policy PAP is responsible for distributing these policies to the appropriate PDPs.
Policy Decision and Enforcement:
Policies are enforced by different PDPs:
Apex PDP handles model-driven, complex decision policies.
Drools PDP handles simple, rule-based policies.
XACML PDP handles access control policies.
The PDPs are registered with the PAP, which ensures policies are sent to the correct PDP for execution based on policy type.
Real-Time Policy Execution:
Each PDP listens to events or conditions in the system and makes decisions based on the policies loaded by the PAP.
The PDPs enforce operational decisions, control access, or determine actions based on their specific capabilities.
Typical Use Cases:
Apex PDP: Used for dynamic policy decisions like service orchestration, handling fault recovery, and complex event-driven operations.
Drools PDP: Ideal for operational control policies such as scaling resources, adjusting traffic routing, or managing SLAs.
XACML PDP: Employed for access control decisions, where specific resources need to be protected based on user roles, actions, and permissions.
Each PDP has its strengths and is suited to different policy types, allowing the ONAP Policy Framework to support a wide variety of use cases, from network orchestration and resource management to access control and policy-driven automation.