The Policy subsystem of OpenECOMP maintains, distributes, and operates on the set of rules that underlie OpenECOMP’s control, orchestration, and management functions. Policy provides a centralized environment for the creation and management of easily-updatable conditional rules. It enables users to validate policies and rules, identify and resolve overlaps and conflicts, and derive additional policies where needed. Policies can support infrastructure, products and services, operation automation, and security. Users, who can be a variety of stakeholders such as network and service designers, operations engineers, and security experts, can easily create, change, and manage policy rules from the  Policy Manager in the OpenECOMP Portal.

Policies are used to control, to influence, and to help ensure compliance with goals. A policy can be defined at a high level to create a condition, requirement, constraint, or need that must be provided, maintained, and enforced. A policy can also be defined at a lower or functional level, such as a machine-readable rule or software condition/assertion which enables actions to be taken based on a trigger or request, specific to particular selected conditions in effect at that time.  Some examples of types of policies are

• VM placement — rules governing where VNFs should be placed, including affinity rules
• Data and feed management — what data to collect and when, retention periods, and when to send alarms about issues
• Access control — who (or what) can have access to which data
• Trigger conditions and actions — what conditions are actionable, and what to do under those conditions
• Interactions — how interactions between change management and fault/performance management are handled (for example, should closed loops be disabled during maintenance?)

OpenECOMP supports XACML policies and Drools rules.  Several configuration and operational policies are pre-loaded.

Once validated and corrected for any conflicts, the policies are placed in an appropriate repository, and are made available to the other subsystems and components that might make use of them. In addition, the decisions and actions taken by the policy are distributed. Policies are distributed either in conjunction with installation packages (if for example, the policy is related to service instantiation) or independently, if the policy is unrelated to a particular service.  With this methodology, policies will already be available when needed by a component, minimizing real-time requests to a central policy engine or PDP (Policy Decision Point). This improves scalability and reduces latency.

Figure 1 depicts the Policy architecture.

Figure 1. Policy high-level architecture

System Architecture

OpenECOMP Policy is composed of several subcomponents: the Policy Administration Point (PAP), which offers interfaces for policy creation, and two types of Policy Decision Point (PDP), each based on a specific rules technology.  PDP-X is based on XACML technology  and PDP-D is based on Drools technology.  PDP-X is stateless and can be implemented using a resource pool of PDP-X servers.  The number of servers can be grown to increase both capacity (horizontal scalability) and to increase availability.  The PDP-D is stateful, as it utilizes Drools in its native, stateful way and transactions persist so long as the PDP-D is active.  Persistent Drools sessions, state management, local and geo-redundancy have been deactivated for the initial release of OpenECOMP Policy and will be turned on in a future release.

As illustrated in Figure 2, the Policy components are supported by a number of interfaces and subsystems.  The OpenECOMP Portal provides a human interface for the creation, management and deployment of policies.  It is a web-based system that utilizes internal APIs in the PAP.

Figure 2. Policy subsystem system architecture 

The PAP provides interfaces and management of policy definitions.  It utilizes the XACML database to store policy definitions, which are then distributed to the PDPs.

The XACML and Drools databases are hosted in a MariaDB cluster.  The XACML database is used to persist policy definitions and provide a point for PDPs to retrieve policy definitions.  The XACML database also has tables used for node state management, detection of node failure and failover. As indicated above, the state management tables will only include entries for the PAP and PDP-X as the testing is not yet complete for the PDP-D.

The PDP-X receives deployed policies and has interfaces to handle XACML policy transactions.  These transactions are stateless and once complete, they are removed from memory.  If a policy that is deployed to the PDP-X is of an operational nature it will contain Drools rules and Java executables.  These artifacts are processed into Maven artifacts and pushed to the Maven repository.  The PDP-D is then notified a new policy has been deployed.

When the PDP-D is notified a new policy has been deployed, it downloads it from the Maven repository and assigns it to an internal controller.  This controller provides the external Closed Loop interfaces to the DMaaP message bus over which events and messages are exchanged with external systems.  As events or messages arrive at the PDP-D, they are assigned to the appropriate controller and a Drools session is either created or retrieved from memory.  The events, messages or facts are passed to the Drools session and the rule engine is fired,  resulting in a change of internal session state and possibly actions taken in response to the rule processing. Response messages and requests are passed by the controller back over the DMaaP message bus to the appropriate system.  The Drools session can also have timers and autonomous events. In a future release the PDP-D will enable the node state management and session persistence in the Drools DB. 

Policy Creation

The Policy Creation component of the Policy subsystem enables creation of new policies and modification of existing polices, both online and offline.

Separate notifications or events communicate the link or URL for a policy to the components that need it.  Then, when a component needs the policy, it uses the link to fetch it. Components in some cases might also publish events indicating that they need new policies, eliciting a response with updated links or URLs. Also, in some cases, policies can indicate to components that they should subscribe to one or more policies, so that they receive automatic updates to those policies as they become available.

Policy Decision and Enforcement

Run-time policy enforcement is performed by OpenECOMP subsystems that are called from the policy. For example, policy rules for data collection are enforced by the data collection functionality of DCAE. Analytic policy rules, identification of anomalous or abnormal conditions, and publication of events signaling detection of such conditions are enforced by DCAE analytic applications. Policy rules for associated remedial actions, or for further diagnostics, are enforced by the correct component in a control loop such as the MSO, a Controller, or DCAE.