copper:copper_work_items:policy_architecture
This is an old revision of the document!
Table of Contents
Policy Architecture
This page will capture issues to be addressed in the overall architecture of OPNFV components.
Definitions
| Term | Meaning |
|---|---|
| State | Information that can be used to convey or imply the state of something, e.g. an application, resource, entity, etc. This can include data held inside OPNFV components, "events" that have occurred (e.g. "policy violation"), etc. |
| Event | An item of significance to the policy engine, for which the engine has become aware through some method of discovery e.g. polling or notification. |
Architectural Concept
Architectural Aspects
- Policies are reflected in two high-level goals
- Ensure resource requirements of VNFs are applied per VNF designer intent
- Ensure that generic policies are not violated, e.g. networks connected to VMs must either be public or owned by the VM owner
- Policies are distributed through two main means
- As part of VNF packages, customized if needed by Service Design tools
- As generic policies provisioned through into VIMs or in a closed loop policy management system through distribution mechanisms
- Policies are mostly locally applied at the resource manager
- Components (e.g. VIMs) can execute some policies locally
- VIMs may need assistance of other actors, e.g. for use cases that can’t be locally applied, or where info from multiple VIMs is needed
- Policies are localized as they are distributed/delegated
- High-level policies (e.g. expressing “intent”) can be translated into VNF package elements or generic policies, perhaps using distinct syntaxes
- Delegated policy syntaxes are likely VIM-specific, e.g. Datalog (Congress) or YANG (SDNC)
- Policy may take multiple paths toward the ultimate component handler
- Config intent as expressed in OVSDB/OpenFlow is likely inadequate for all policy purposes
- Policies expressed as security templates and engineering rules may require use of a model-driven or API-driven interface to the SDNC, if the intent can’t be realized through the OVSDB/OpenFlow interface from Neutron
Requirements
General Requirements
General requirements for a policy architecture are below, with an assessment of the current state of support for these across major OPNFV components (1=poor, 5=excellent).
| Requirement | Description | OpenStack | OpenDaylight |
|---|---|---|---|
| Polled monitoring. | Exposure of state via request-response APIs. | TBD | TBD |
| Notifications. | Exposure of state via pub-sub APIs. | TBD | TBD |
| Realtime/near-realtime notifications. | Notifications that occur in actual or near realtime. | TBD | TBD |
| Delegated policy. | CRUD operations on policies that are distributed to specific components for local handling, including one/more of monitoring, violation reporting, and enforcement. | TBD | TBD |
| Violation reporting. | Reporting of conditions that represent a policy violation. | TBD | TBD |
| Reactive enforcement. | Enforcement actions taken in response to policy violation events. | TBD | TBD |
| Proactive enforcement. | Enforcement actions taken in advance of policy violation events, e.g. blocking actions that could result in a policy violation. | TBD | TBD |
| Compliance auditing. | Periodic auditing of state against policies. | TBD | TBD |
Use-Case Derived Requirements
| Requirement | Description | OpenStack | OpenDaylight |
|---|---|---|---|
| Compute Affinity/Anti-affinity | Place VMs based upon compute resources. | TBD | TBD |
| Storage Affinity/Anti-affinity | Place VMs based upon storage resources. | TBD | TBD |
| Network Affinity/Anti-affinity | Place VMs based upon network resources. | TBD | TBD |
| SDN Controller engineering rules | Apply engineering rule based policies via SDNCs. | TBD | TBD |
| SDN Controller security policies | Apply security policies via SDNCs. | TBD | TBD |
| High Availability | Distribute VMs across diverse resources. | TBD | TBD |
| Geo-Diversity | Distribute VMs across geographically diverse resources. | TBD | TBD |
| Group-Based Policy | Constrain configuration actions based upon association of specific state data to groups, e.g. ownership, group membership, etc. | TBD | TBD |
| Role-Based Access Control | Constrain configuration actions based upon role of the configuration change requester, e.g. owner, group membership, etc. | TBD | TBD |
copper/copper_work_items/policy_architecture.1428615186.txt.gz · Last modified: 2015/04/09 21:33 by Bryan Sullivan
Except where otherwise noted, content on this wiki is licensed under the following license: Creative Commons Attribution 4.0 International License
