diff options
Diffstat (limited to 'docs/design/InternalPapPdp.rst')
| -rw-r--r-- | docs/design/InternalPapPdp.rst | 428 |
1 files changed, 428 insertions, 0 deletions
diff --git a/docs/design/InternalPapPdp.rst b/docs/design/InternalPapPdp.rst new file mode 100644 index 00000000..998514af --- /dev/null +++ b/docs/design/InternalPapPdp.rst @@ -0,0 +1,428 @@ +.. This work is licensed under a +.. Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 + +.. _pap-pdp-label: + +The Internal Policy Framework PAP-PDP API +######################################### + +.. contents:: + :depth: 3 + +This page describes the API between the PAP and PDPs. The APIs in this section are implemented using `DMaaP +API <https://wiki.onap.org/display/DW/DMaaP+API>`__ messaging. The APIs in this section are used for internal +communication in the Policy Framework. The APIs are NOT supported for use by components outside the Policy Framework and +are subject to revision and change at any time. + +There are four messages on the API: + +1. PDP_STATUS: PDP→PAP, used by PDPs to report to the PAP + +2. PDP_UPDATE: PAP→PDP, used by the PAP to update the policies running on PDPs, triggers a PDP_STATUS message with + the result of the PDP_UPDATE operation + +3. PDP_STATE_CHANGE: PAP→PDP, used by the PAP to change the state of PDPs, triggers a PDP_STATUS message with the result + of the PDP_STATE_CHANGE operation + +4. PDP_HEALTH_CHECK: PAP→PDP, used by the PAP to order a health check on PDPs, triggers a PDP_STATUS message with the + result of the PDP_HEALTH_CHECK operation + +The fields in the table below are valid on API calls: + +=============================== ======== ======== ======== ======= ===================================================== +**Field** **PDP **PDP **PDP **PDP **Comment** + STATUS** UPDATE** STATE HEALTH + CHANGE** CHECK** +=============================== ======== ======== ======== ======= ===================================================== +(message_name) M M M M pdp_status, pdp_update, pdp_state_change, or + pdp_health_check +name M M C C The name of the PDP, for state changes and health + checks, the PDP group and subgroup can be used to + specify the scope of the operation +version M N/A N/A N/A The version of the PDP +pdp_type M M N/A N/A The type of the PDP, currently xacml, drools, or apex +state M N/A M N/A The administrative state of the PDP group: PASSIVE, + SAFE, TEST, ACTIVE, or TERMINATED +healthy M N/A N/A N/A The result of the latest health check on the PDP: + HEALTHY/NOT_HEALTHY/TEST_IN_PROGRESS +description O O N/A N/A The description of the PDP +pdp_group O M C C The PDP group to which the PDP belongs, the PDP group + and subgroup can be used to specify the scope of the + operation +pdp_subgroup O M C C The PDP subgroup to which the PDP belongs, the PDP + group and subgroup can be used to specify the scope + of the operation +supported_policy_types M N/A N/A N/A A list of the policy types supported by the PDP +policies O M N/A N/A The list of policies running on the PDP +->(name) O M N/A N/A The name of a TOSCA policy running on the PDP +->policy_type O M N/A N/A The TOSCA policy type of the policyWhen a PDP starts, + it commences periodic sending of *PDP_STATUS* + messages on DMaaP. The PAP receives these messages + and acts in whatever manner is appropriate. +->policy_type_version O M N/A N/A The version of the TOSCA policy type of the policy +->properties O M N/A N/A The properties of the policy for the XACML, Drools, + or APEX PDP for details +instance M N/A N/A N/A The instance ID of the PDP running in a Kuberenetes + Pod +deployment_instance_info M N/A N/A N/A Information on the node running the PDP +properties O O N/A N/A Other properties specific to the PDP +statistics M N/A N/A N/A Statistics on policy execution in the PDP +->policy_download_count M N/A N/A N/A The number of policies downloaded into the PDP +->policy_download_success_count M N/A N/A N/A The number of policies successfully downloaded into + the PDP +->policy_download_fail_count M N/A N/A N/A The number of policies downloaded into the PDP where + the download failed +->policy_executed_count M N/A N/A N/A The number of policy executions on the PDP +->policy_executed_success_count M N/A N/A N/A The number of policy executions on the PDP that + completed successfully +->policy_executed_fail_count M N/A N/A N/A The number of policy executions on the PDP that + failed +response O N/A N/A N/A The response to the last operation that the PAP + executed on the PDP +->response_to M N/A N/A N/A The PAP to PDP message to which this is a response +->response_status M N/A N/A N/A SUCCESS or FAIL +->response_message O N/A N/A N/A Message giving further information on the successful + or failed operation +=============================== ======== ======== ======== ======= ===================================================== + +YAML is used for illustrative purposes in the examples in this section. JSON (application/json) is used as the content +type in the implementation of this API. + +1 PAP API for PDPs +================== +The purpose of this API is for PDPs to provide heartbeat, status, health, and statistical information to Policy +Administration. There is a single *PDP_STATUS* message on this API. PDPs send this message to the PAP using the +*POLICY_PDP_PAP* DMaaP topic. The PAP listens on this topic for messages. + +When a PDP starts, it commences periodic sending of *PDP_STATUS* messages on DMaaP. The PAP receives these messages and +acts in whatever manner is appropriate. *PDP_UPDATE*, *PDP_STATE_CHANGE*, and *PDP_HEALTH_CHECK* operations trigger a +*PDP_STATUS* message as a response. + +The *PDP_STATUS* message is used for PDP heartbeat monitoring. A PDP sends a *PDP_STATUS* message with a state of +*TERMINATED* when it terminates normally. If a *PDP_STATUS* message is not received from a PDP periodically or in +response to a pdp_update, pdp-state_change, or pdp_health_check message in a certain configurable time, then the PAP +assumes the PDP has failed. + +A PDP may be preconfigured with its PDP group, PDP subgroup, and policies. If the PDP group, subgroup, or any policy +sent to the PAP in a *PDP_STATUS* message is unknown to the PAP, the PAP locks the PDP in state PASSIVE. + +.. code-block:: yaml + :caption: PDP_STATUS message from an XACML PDP running control loop policies + :linenos: + + pdp_status: + name: xacml_1 + version: 1.2.3 + pdp_type: xacml + state: active + healthy: true + description: XACML PDP running control loop policies + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: xacml + supported_policy_types: + - onap.policies.controlloop.guard.FrequencyLimiter + - onap.policies.controlloop.guard.BlackList + - onap.policies.controlloop.guard.MinMax + policies: + - onap.policies.controlloop.guard.frequencylimiter.EastRegion: + policy_type: onap.policies.controlloop.guard.FrequencyLimiter + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.policies.controlloop.guard.blacklist.eastRegion: + policy_type: onap.policies.controlloop.guard.BlackList + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.policies.controlloop.guard.minmax.eastRegion: + policy_type: onap.policies.controlloop.guard.MinMax + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + instance: xacml_1 + deployment_instance_info: + node_address: xacml_1_pod + # Other deployment instance info + statistics: + policy_download_count: 0 + policy_download_success_count: 0 + policy_download_fail_count: 0 + policy_executed_count: 123 + policy_executed_success_count: 122 + policy_executed_fail_count: 1 + +.. code-block:: yaml + :caption: PDP_STATUS message from a Drools PDP running control loop policies + :linenos: + + pdp_status: + name: drools_2 + version: 2.3.4 + pdp_type: drools + state: safe + healthy: true + description: Drools PDP running control loop policies + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: drools + supported_policy_types: + - onap.controllloop.operational.drools.vCPE + - onap.controllloop.operational.drools.vFW + policies: + - onap.controllloop.operational.drools.vcpe.EastRegion: + policy_type: onap.controllloop.operational.drools.vCPE + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.controllloop.operational.drools.vfw.EastRegion: + policy_type: onap.controllloop.operational.drools.vFW + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + instance: drools_2 + deployment_instance_info: + node_address: drools_2_pod + # Other deployment instance info + statistics: + policy_download_count: 3 + policy_download_success_count: 3 + policy_download_fail_count: 0 + policy_executed_count: 123 + policy_executed_success_count: 122 + policy_executed_fail_count: 1 + response: + response_to: PDP_HEALTH_CHECK + response_status: SUCCESS + +.. code-block:: yaml + :caption: PDP_STATUS message from an APEX PDP running control loop policies + :linenos: + + pdp_status: + name: drools_2 + version: 2.3.4 + pdp_type: drools + state: safe + healthy: true + description: Drools PDP running control loop policies + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: drools + supported_policy_types: + - onap.controllloop.operational.drools.vCPE + - onap.controllloop.operational.drools.vFW + policies: + - onap.controllloop.operational.drools.vcpe.EastRegion: + policy_type: onap.controllloop.operational.drools.vCPE + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.controllloop.operational.drools.vfw.EastRegion: + policy_type: onap.controllloop.operational.drools.vFW + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + instance: drools_2 + deployment_instance_info: + node_address: drools_2_pod + # Other deployment instance info + statistics: + policy_download_count: 3 + policy_download_success_count: 3 + policy_download_fail_count: 0 + policy_executed_count: 123 + policy_executed_success_count: 122 + policy_executed_fail_count: 1 + response: + response_to: PDP_HEALTH_CHECK + response_status: SUCCESS + +.. code-block:: yaml + :caption: PDP_STATUS message from an XACML PDP running monitoring policies + :linenos: + + pdp_status: + name: xacml_1 + version: 1.2.3 + pdp_type: xacml + state: active + healthy: true + description: XACML PDP running monitoring policies + pdp_group: onap.pdpgroup.Monitoring + pdp_subgroup: xacml + supported_policy_types: + - onap.monitoring.cdap.tca.hi.lo.app + policies: + - onap.scaleout.tca:message + policy_type: onap.policies.monitoring.cdap.tca.hi.lo.app + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + instance: xacml_1 + deployment_instance_info: + node_address: xacml_1_pod + # Other deployment instance info + statistics: + policy_download_count: 0 + policy_download_success_count: 0 + policy_download_fail_count: 0 + policy_executed_count: 123 + policy_executed_success_count: 122 + policy_executed_fail_count: 1 + +2 PDP API for PAPs +================== + +The purpose of this API is for the PAP to load and update policies on PDPs and to change the state of PDPs. It also +allows the PAP to order health checks to run on PDPs. The PAP sends *PDP_UPDATE*, *PDP_STATE_CHANGE*, and +*PDP_HEALTH_CHECK* messages to PDPs using the *POLICY_PAP_PDP* DMaaP topic. PDPs listen on this topic for messages. + +The PAP can set the scope of *PDP_STATE_CHANGE* and *PDP_HEALTH_CHECK* messages: + +- PDP Group: If a PDP group is specified in a message, then the PDPs in that PDP group respond to the message and all + other PDPs ignore it. + +- PDP Group and subgroup: If a PDP group and subgroup are specified in a message, then only the PDPs of that subgroup + in the PDP group respond to the message and all other PDPs ignore it. + +- Single PDP: If the name of a PDP is specified in a message, then only that PDP responds to the message and all other + PDPs ignore it. + +Note: *PDP_UPDATE* messages must be issued individually to PDPs because the *PDP_UPDATE* operation can change the PDP +group to which a PDP belongs. + +2.1 PDP Update +-------------- + +The *PDP_UPDATE* operation allows the PAP to modify the PDP group to which a PDP belongs and the policies in a PDP. + +The following examples illustrate how the operation is used. + +.. code-block:: yaml + :caption: PDP_UPDATE message to upgrade XACML PDP control loop policies to version 1.0.1 + :linenos: + + pdp_update: + name: xacml_1 + pdp_type: xacml + description: XACML PDP running control loop policies, Upgraded + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: xacml + policies: + - onap.policies.controlloop.guard.frequencylimiter.EastRegion: + policy_type: onap.policies.controlloop.guard.FrequencyLimiter + policy_type_version: 1.0.1 + properties: + # Omitted for brevity + - onap.policies.controlloop.guard.blackList.EastRegion: + policy_type: onap.policies.controlloop.guard.BlackList + policy_type_version: 1.0.1 + properties: + # Omitted for brevity + - onap.policies.controlloop.guard.minmax.EastRegion: + policy_type: onap.policies.controlloop.guard.MinMax + policy_type_version: 1.0.1 + properties: + # Omitted for brevity + +.. code-block:: yaml + :caption: PDP_UPDATE message to a Drools PDP to add an extra control loop policy + :linenos: + + pdp_update: + name: drools_2 + pdp_type: drools + description: Drools PDP running control loop policies, extra policy added + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: drools + policies: + - onap.controllloop.operational.drools.vcpe.EastRegion: + policy_type: onap.controllloop.operational.drools.vCPE + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.controllloop.operational.drools.vfw.EastRegion: + policy_type: onap.controllloop.operational.drools.vFW + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + - onap.controllloop.operational.drools.vfw.WestRegion: + policy_type: onap.controllloop.operational.drools.vFW + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + +.. code-block:: yaml + :caption: PDP_UPDATE message to an APEX PDP to remove a control loop policy + :linenos: + + pdp_update: + name: apex_3 + pdp_type: apex + description: APEX PDP updated to remove a control loop policy + pdp_group: onap.pdpgroup.controlloop.operational + pdp_subgroup: apex + policies: + - onap.controllloop.operational.apex.bbs.EastRegion: + policy_type: onap.controllloop.operational.apex.BBS + policy_type_version: 1.0.0 + properties: + # Omitted for brevity + +2.2 PDP State Change +-------------------- + +The *PDP_STATE_CHANGE* operation allows the PAP to order state changes on PDPs in PDP groups and subgroups. The +following examples illustrate how the operation is used. + +.. code-block:: yaml + :caption: Change the state of all control loop Drools PDPs to ACTIVE + :linenos: + + pdp_state_change: + state: active + pdp_group: onap.pdpgroup.controlloop.Operational + pdp_subgroup: drools + +.. code-block:: yaml + :caption: Change the state of all monitoring PDPs to SAFE + :linenos: + + pdp_state_change: + state: safe + pdp_group: onap.pdpgroup.Monitoring + +.. code-block:: yaml + :caption: Change the state of a single APEX PDP to TEST + :linenos: + + pdp_state_change: + state: test + name: apex_3 + +2.3 PDP Health Check +-------------------- + +The *PDP_HEALTH_CHECK* operation allows the PAP to order health checks on PDPs in PDP groups and subgroups. The +following examples illustrate how the operation is used. + +.. code-block:: yaml + :caption: Perform a health check on all control loop Drools PDPs + :linenos: + + pdp_health_check: + pdp_group: onap.pdpgroup.controlloop.Operational + pdp_subgroup: drools + +.. code-block:: yaml + :caption: perform a health check on all monitoring PDPs + :linenos: + + pdp_health_check: + pdp_group: onap.pdpgroup.Monitoring + +.. code-block:: yaml + :caption: Perform a health check on a single APEX PDP + :linenos: + + pdp_health_check: + name: apex_3 |