2 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
12 namespace "urn:opendaylight:groupbasedpolicy:policy";
15 import gbp-common {prefix gbp-common;}
16 import ietf-inet-types {prefix inet;}
19 "This module defines the group-based policy configuration
22 revision "2014-04-21" {
33 "Labels are used for matching contracts to endpoint groups
34 through selectors and targets, as well as determining how
35 those contracts will be applied. See more detailed
36 documentation for qualities, conditions, requirements,
40 description "A human-readable description for the label";
41 type gbp-common:description;
44 description "Specify how inheritance will work for this label";
50 "This label will be included normally in the
55 "This label will be excluded from the
56 matching. This allows removing labels that
57 would have otherwise been included because of
64 grouping quality-base {
65 description "Base type for qualities and matcher qualities.";
67 description "A user-visible name for the quality";
68 type gbp-common:quality-name;
74 grouping has-qualities {
75 description "An object with a list of qualities";
78 "A quality is a label which selects which selects the
79 contracts that are in scope. Another name for
80 'quality' could be 'attribute' or 'characteristic.'
81 Qualities can be scoped to either a specific contract
82 or to a target within that contract.
84 Contracts are matched to provider and consumer
85 endpoint groups based on the selectors in those
86 endpoint groups that match the quality.
88 Qualities for a contract are inherited from the
91 Qualities for a target with a given name are
92 inherited both from the enclosing parent contract and
93 from any targets with the same name within the
94 enclosing parent contract.";
101 grouping requirement-base {
102 description "Base type for requirements and matcher requirements.";
104 description "A user-visible name for the requirement";
105 type gbp-common:requirement-name;
111 grouping has-requirements {
114 "A requirement is a label that, along with capabilities,
115 selects how contracts are applied by selecting the
116 applicable subjects within that contract.
117 Requirements represent the fact that an endpoint
118 group requires that some specific functionality be
119 provided to it in order to function.
121 Requirements scoped to an endpoint group (as well as
122 any parent endpoint groups) are inherited by all of
123 that group's contract selectors. Contract selectors
124 also inherit requirements from any contract selectors
125 in the parent groups that have with matching names.
127 Note that requirements play no role in choosing which
128 contracts apply; they only affect how the contracts
129 that are chosen will be interpreted.";
132 uses requirement-base;
136 grouping capability-base {
137 description "Base type for capabilities and matcher capabilities.";
139 description "A user-visible name for the capability";
140 type gbp-common:capability-name;
146 grouping has-capabilities {
149 "A capability is a label that, along with requirements,
150 selects how contracts are applied by selecting the
151 applicable subjects within that contract.
152 Capabilities are specific pieces of functionality
153 that can be exposed to other endpoint groups that may
154 meet functional requirements of those endpoint
157 Capabilities scoped to an endpoint group (as well as
158 any parent endpoint groups) are inherited by all of
159 that group's contract selectors. Contract selectors
160 also inherit capabilities from any contract selectors
161 in the parent groups that have matching names.
163 Note that capabilities play no role in choosing which
164 contracts apply; they only affect how the contracts
165 that are chosen will be interpreted.";
168 uses capability-base;
172 grouping has-conditions {
175 "A condition is a state label for endpoints that can
176 change over time. As conditions change for certain
177 endpoints, this can affect which subjects are in
178 scope as determined by how the clauses in the
179 contract match against the requirements and
180 capabilities for the endpoint group, and the
181 conditions for the endpoints.";
185 description "A user-visible name for the condition";
186 type gbp-common:condition-name;
195 "A matcher allows matching against labels. This is used
196 to both to match contracts to endpoint groups by matching
197 on qualities, and then to match against subjects in the
198 contract by matching on requirements, capabilities, and
203 "Specify how many of the labels must match. If not
204 specified, defaults to 'all'.";
208 "All specified labels must match.";
212 "At least one of the specified labels must match.";
216 "None of the specified labels can match.";
222 grouping has-condition-matchers {
223 description "Objects with condition matchers";
224 list condition-matcher {
225 description "Match against conditions on endpoints.";
230 "A name for the condition matcher";
231 type gbp-common:condition-matcher-name;
240 grouping has-endpoint-identification-constraints {
241 container endpoint-identification-constraints {
243 "Identify endpoints via other attributes other than conditions.
244 These can be things such as ip-prefix, vlan, mpls label etc. These
245 things are intended to be explicity stated, and should not contain
246 references to other objects like endpointsIDs.";
247 container l3-endpoint-identification-constraints {
248 list prefix-constraint {
258 // ************************
259 // Network domains grouping
260 // ************************
262 grouping network-domain {
264 "A base type for network domains. Network domains
265 represent some logical grouping or namespace of
269 "A human-readable name for the network domain.";
270 type gbp-common:name;
274 "A human-readable description for the context.";
275 type gbp-common:description;
279 grouping forwarding-context {
280 description "A base type for forwarding contexts.";
284 grouping l2-context {
286 "A base type for layer 2 contexts. Layer 2 contexts
287 represent a namespace or logical grouping of layer 2
290 uses forwarding-context;
293 // ************************
294 // Endpoint group groupings
295 // ************************
299 "Relators allow contracts and endpoint groups to be related
300 to each other through a matching process. See target,
301 selection-relator, target-selector, and named-selector
302 for more information.";
305 grouping selection-relator {
307 "Selection relators allow endpoint groups to select
308 contracts based on their name or on their qualities.";
312 description "A name for the selector";
313 type gbp-common:selector-name;
318 grouping consumer-selection-relator {
320 "A selection relator for matching contracts to meet
321 endpoint group requirements. See consumer-named-selector
322 and consumer-target-selector for more details.";
323 uses selection-relator;
324 uses has-requirements;
327 grouping provider-selection-relator {
329 "A selection relator for matching contracts to meet
330 endpoint group requirements. See provider-named-selector
331 and provider-named-selector for more details.";
332 uses selection-relator;
333 uses has-capabilities;
336 grouping named-selector {
338 "A named selector selects a contract based on the name of
339 the contract. Once the contract is selected, the
340 requirements and capabilities are used to select specific
341 subjects within that contract. Named selectors are the
342 simplest way to select a contract. If you need a more
343 advanced selector, see the target selector.
345 There are two kinds of named selector: consumer named
346 selectors and provider named selectors. Consumer named
347 selectors select contracts to meet requirements for the
348 endpoint group, and provider named selectors select
349 contracts to provide capabilities for the endpoint group.";
352 description "Specific contracts to select.";
354 path "/tenants/tenant/contract/id";
359 grouping target-selector {
361 "Target selectors select contracts for the endpoint group.
362 First, the quality matchers are used to select the
363 contracts. Then, the requirements and capabilities are
364 used to select specific subjects within that contract.
365 Target selectors are an advanced method for selecting
366 contracts; for a simpler method, see the named selector.
368 There are two kinds of target selectors: consumer target
369 selectors and provider target selectors. Consumer target
370 selectors select contracts to meet requirements for the
371 endpoint group, and provider target selectors select
372 contracts to provide capabilities to other endpoint
375 list quality-matcher {
377 "A quality matcher is used in a target selector to
378 match against the qualities in a contract target.
379 You can specify a list of qualities to match against.
380 You can choose whether all qualities listed must
381 match or if a match can be made with any of the
386 description "A unique name for the quality matcher";
387 type gbp-common:quality-matcher-name;
393 list matcher-quality {
395 "A matcher quality is a quality with a target name
396 field used in quality matchers. The name of the
397 matcher quality matches against qualities in
403 leaf target-namespace {
405 "The name of the target to match. This allows
406 us to specify that we want to match only
407 qualities scoped to a particular target name.
409 This parameter is optional; if not specified,
410 use an inherited target name if it exists, or
411 match against any target name.";
413 type gbp-common:target-name;
419 // ******************
420 // Contract groupings
421 // ******************
423 grouping has-direction {
424 description "Object that have a directionality.";
426 default bidirectional;
430 "Applies to traffic into provider endpoint group";
434 "Applies to traffic out of provider endpoint group";
438 "Applies to traffic in both directions";
444 grouping subject-feature-instance {
446 "Specific instances of subject features with
447 parameters filled in.";
448 list parameter-value {
451 type gbp-common:parameter-name;
460 container range-value {
474 description "Objects containing an order parameter";
477 "Specify the ordering of an ordered list
485 grouping has-classifier-refs {
486 description "Objects containing lists of classifier references";
488 list classifier-ref {
491 "A reference to classifier instance that is used to match
492 traffic traveling between the endpoint groups that
496 description "A unique name for this classifier reference";
497 type gbp-common:classifier-name;
502 description "The name of the classifier instance";
504 path "/tenants/tenant/subject-feature-instances/classifier-instance/name";
509 leaf connection-tracking {
511 "Set up connection tracking for this classifier,
512 which allows the traffic in the reverse direction
513 as connections are established. This enables
514 rules that allow connections to be initiated only
515 from one side, but once initiated the two sides
516 can communicate for that connection.";
522 "Match only traffic matching the classifier
527 "Additionally match reverse traffic for
537 grouping has-action-refs {
538 description "Objects containing lists of action references";
542 "A reference to an action defined in the subject
543 feature instances for the tenant.";
547 description "The name of the action instance";
549 path "/tenants/tenant/subject-feature-instances/action-instance/name";
557 grouping subject-feature-definition {
559 "Base type for subject feature definitions.";
562 description "A user-readable description";
563 type gbp-common:description;
568 "A parameter for the feature that can be
572 description "A user-visible name for the parameter";
573 type gbp-common:parameter-name;
578 "A user-visible description of the meaning of
580 type gbp-common:description;
583 description "The type of the parameter";
587 description "A string-valued parameter";
590 description "An integer-valued parameter";
593 description "An integer-range parameter";
598 description "Specify whether the parameter is
599 required for correct operation.";
603 description "The parameter is required";
606 description "The parameter is optional";
612 leaf fallback-behavior {
614 "Set the behavior when the underlying infrastructure
615 is unable to support a particular feature.";
619 "A fatal exception MUST be raised which will
620 render the enclosing subject inactive.";
622 enum allow-fallback {
624 "The infrastructure MAY fall back to using
625 a parent definition of this feature, and
626 instread raise a nonfatal exception.";
632 // ********************
633 // Global Configuration
634 // ********************
636 container subject-feature-definitions {
638 "Contains configuration for the set of actions and
639 classifiers that can be defined for a subject. This is
640 be specific to the capabilities of the underlying
641 infrastructure, so the policy model does not define the
644 The definitions here provide a generic parameterized base
645 that can be extended by more specific definitions.
646 Extensions must apply all the semantics from their parent
647 object as well as any additional semantics. If the
648 underlying infrastructure is unable to support a
649 particular feature, it MUST trigger an exception that
650 will render the enclosing subject inactive until the
651 exception is resolved. If the fallback-behavior
652 parameter is set to 'allow-fallback', the infrastructure
653 MAY instead apply the parent subject feature and instead
654 raise a nonfatal exception.";
658 list classifier-definition {
660 "A classifier is used to match traffic traveling between
661 the endpoint groups that form the contract.
662 Classifier definitions can define parameters that
663 will need to be filled in when a particular rule
667 uses subject-feature-definition;
670 description "A unique ID for the classifier definition";
671 type gbp-common:classifier-definition-id;
677 "A user-visible name for the classifier definition";
678 type gbp-common:classifier-name;
683 "Parent classifier definition from which we inherit";
685 path "/subject-feature-definitions/classifier-definition/id";
690 list action-definition {
692 "A action to be applied to traffic across endpoint
693 groups. Action definitions can define parameters
694 that will need to be filled in when a particular rule
698 uses subject-feature-definition;
701 description "A unique ID for the action";
702 type gbp-common:action-definition-id;
707 description "A user-visible name for the action";
708 type gbp-common:action-name;
713 "Parent action definition from which we inherit";
715 path "/subject-feature-definitions/action-definition/id";
726 description "The list of all known tenants";
732 "A tenant is a domain of administration which is
733 logically separate from other tenants. Most policy
734 is defined in the context of a particular tenant";
738 description "A unique ID for the tenant";
740 type gbp-common:tenant-id;
743 description "A user-visible name for the tenant";
744 type gbp-common:name;
747 description "A user-readable description for the tenant";
748 type gbp-common:description;
757 "A layer 3 context represents a namespace for layer 3
758 addresses. It represents a domain inside which endpoints
759 can communicate with requiring any address translation.";
762 uses forwarding-context;
766 "A unique ID for the layer 3 context";
767 type gbp-common:l3-context-id;
771 list l2-bridge-domain {
773 "A layer 2 bridge domain represents a domain in which
774 layer 2 communication is possible when allowed by policy.";
779 description "A unique ID for the bridge domain";
780 type gbp-common:l2-bridge-domain-id;
785 "The layer 3 context that contains this bridge domain";
787 path "/tenants/tenant/l3-context/id";
792 list l2-flood-domain {
794 "A layer 2 flood domain represents a domain in which
795 layer 2 broadcast and multicast is allowed.";
800 description "A unique ID for the flood domain";
801 type gbp-common:l2-flood-domain-id;
806 "The bridge domain that contains this flood domain";
808 path "/tenants/tenant/l2-bridge-domain/id";
815 "An IP subnet associated with a layer 2 or layer 3
821 description "A unique ID for the subnet";
822 type gbp-common:subnet-id;
827 "The forwarding context that contains this subnet";
828 type gbp-common:context-id;
832 description "The IP prefix that defines the subnet";
835 leaf virtual-router-ip {
837 "IP address to use for a virtual gateway router
838 for the subnet, if desired.";
839 type inet:ip-address;
843 "External gateways for subnets we serve,
844 includes prefixes for static routing";
847 type inet:ip-address;
863 list endpoint-group {
865 "Endpoint groups are sets of endpoints that share a
866 common set of policies. Endpoint groups are
867 matched to contracts using selectors, contracts
868 determine which endpoints can communicate and in
871 Endpoint groups have both requirements and
872 capabilities, which represent specific pieces of
873 functionality that are exposed at the boundary of
874 those groups. Requirements represent some
875 specific functionality that is needed for the
876 endpoints in the endpoint group to function.
877 Correspondingly, capabilities are pieces of
878 functionality that the endpoints in the endpoint
879 group can provide to other endpoints.
881 Contracts can be selected through either a named
882 selector, which matches specific contracts by
883 name, or by a target selector which will match
884 contracts by matching its list of qualities to
885 the list of qualities for a target on the
886 contract. The contract selectors choose which
887 contracts are in scope. Note that requirements
888 and capabilities are not used when choosing which
889 contracts are in scope; these are used to
890 determine how a contract will be interpreted.
892 There are two broad category of selectors:
893 provider selectors and consumer selectors. The
894 provider selectors allow selecting contracts that
895 allow the endpoint group to expose its
896 capabilities. The consumer selectors allow
897 selecting contracts which allow the endpoint
898 group to meet its requirements.";
904 type gbp-common:endpoint-group-id;
909 "A user-visible name for the endpoint group";
910 type gbp-common:name;
914 "A human-readable description for the endpoint
916 type gbp-common:description;
918 uses has-requirements;
919 uses has-capabilities;
921 leaf intra-group-policy {
923 "Governs how traffic within the endpoint group
929 "Traffic between two endpoints in the group
932 enum require-contract {
934 "Traffic between two endpoints in the group
935 is allowed only when a contract exists to
936 allow it explicitly";
941 list consumer-named-selector {
943 "Consumer named selectors are named selectors
944 that select contracts to meet the
945 requirements of the endpoint group.
947 The consumer named selector selects a
948 contract based on the name of the contract.
949 Once the contract is selected, the
950 requirements are used to select specific
951 subjects within that contract.";
955 uses consumer-selection-relator;
958 list provider-named-selector {
960 "Provider named selectors are named selectors
961 that select contracts to provide capabilties
962 to other endpoint group.
964 The provider named selector selects a
965 contract based on the name of the contract.
966 Once the contract is selected, the capabilies
967 are used to select specific subjects within
972 uses provider-selection-relator;
975 list consumer-target-selector {
977 "Consumer target selectors are target selectors
978 that select contracts to meet the requirements
979 of the endpoint group.
981 The consumer target selector selects a
982 contract using the quality matchers to match
983 against the qualities specified on the
984 contract targets. Once the contract is
985 selected, the requirements are used to select
986 specific subjects within that contract.";
989 uses target-selector;
990 uses consumer-selection-relator;
993 list provider-target-selector {
995 "Provider target selectors are target selectors
996 that select contracts to provide capabilties
997 to other endpoint group.
999 The provider target selector selects a
1000 contract using the quality matchers to match
1001 against the qualities specified on the
1002 contract targets. Once the contract is
1003 selected, the capabilities are used to select
1004 specific subjects within that contract.";
1007 uses target-selector;
1008 uses provider-selection-relator;
1011 leaf network-domain {
1013 "The network domain associated with this endpoint
1014 group. The network domain controls which endpoints
1015 are addressible by the endpoints in the group.";
1016 type gbp-common:network-domain-id;
1021 "Parent endpoint group from which we inherit";
1024 path "/tenants/tenant/endpoint-group/id";
1029 list external-implicit-group {
1037 type gbp-common:endpoint-group-id;
1039 // Fields to be determined and completed before Code Freeze
1042 // *************************
1043 // Subject feature instances
1044 // *************************
1046 container subject-feature-instances {
1048 "Contains instances of subject features. Subject
1049 feature instances reference a subject feature
1050 definition but fill in the required parameters so
1051 that they can be easily references elsewhere.";
1053 list classifier-instance {
1058 description "A name for the classifier instance";
1059 type gbp-common:classifier-name;
1062 leaf classifier-definition-id {
1064 path "/subject-feature-definitions/classifier-definition/id";
1067 uses subject-feature-instance;
1070 list action-instance {
1075 description "A name for the action instance";
1076 type gbp-common:action-name;
1079 leaf action-definition-id {
1081 path "/subject-feature-definitions/action-definition/id";
1084 uses subject-feature-instance;
1094 "Contracts contain a set of subjects that describe
1095 the communication allowed between endpoints in
1096 endpoint groups. Contracts are matched to endpoint
1097 groups by selectors.";
1101 description "A unique ID for the contract";
1102 type gbp-common:contract-id;
1108 "A human-readable description for the contract.";
1109 type gbp-common:description;
1120 "Targets on a contract allow grouping sets of qualities
1121 together, as well as providing a namespace for
1122 the qualities that are matched.";
1127 "The name for this target. This can also be used
1128 by quality matchers as a namespace for qualities.";
1129 type gbp-common:target-name;
1137 // ********************
1138 // Clauses and subjects
1139 // ********************
1143 "Subjects define rules to allow traffic to flow
1144 between endpoints in different endpoint
1145 groups. No communication is allowed unless a
1146 subject allows that communication.
1148 After a contract has been selected, clauses
1149 in that contract match against the
1150 requirements, capabilities, and conditions
1151 that apply to the endpoints or endpoint
1152 groups that are participating in the
1153 contract. Clauses that match each point to a
1154 subject which then becomes active.
1156 An active subject can then apply its rules to
1157 the traffic between the endpoints.";
1161 description "A name for the subject";
1162 type gbp-common:subject-name;
1168 "A rule is applied to traffic between
1169 endpoints in different endpoint groups.
1170 Rules match against the traffic using
1171 classifiers, and then apply actions to
1172 the traffic for matching rules.
1174 Rules are applied in order according to
1175 their order parameter. Only the first
1176 matching rule will apply. When multiple
1177 subjects are active, the order on each
1178 subject will determine which subjects are
1179 applied first, and all their rules will
1180 take effect before the rules of any
1181 subjects with a higher order value. When
1182 subjects have the same order value, then
1183 they will apply in lexicographic order by
1188 description "A name for the rule";
1189 type gbp-common:rule-name;
1193 uses has-classifier-refs;
1194 uses has-action-refs;
1203 "Clauses are used to determine which subjects are
1204 active once a contract is selected using the
1207 Clauses are activated by matching against
1208 requirements on the consumer endpoint group,
1209 capabilities on the provider endpoint group, and
1210 conditions on the individual endpoints in the
1214 type gbp-common:clause-name;
1221 container consumer-matchers {
1223 "Matchers that apply to the consumer endpoint
1226 // GIC mutually OR'd within role
1227 choice group-identification-constraints {
1228 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1230 case group-name-constraint-case {
1231 list group-name-constraint {
1232 key endpoint-group-name;
1233 leaf endpoint-group-name {
1234 type gbp-common:name;
1238 case group-requirement-constraint-case {
1239 list requirement-matcher {
1241 "Match against requirements in the consumer
1247 "A name for the requirement matcher";
1248 type gbp-common:requirement-matcher-name;
1253 list matcher-requirement {
1255 "A matcher requirement is a
1256 requirement with a selector name
1257 field used in requirement
1258 matchers. The name of the
1259 matcher requirement matches
1260 against requirements in endpoint
1264 uses requirement-base;
1266 leaf selector-namespace {
1268 "The name of the selector to
1269 match. This allows us to
1270 specify that we want to match
1271 only requirements scoped to a
1272 particular selector name.
1274 This parameter is optional;
1275 if not specified, use an
1276 inherited selector namespace
1277 if it exists, or match
1278 against any selector name.";
1280 type gbp-common:selector-name;
1286 case group-any-case {
1287 container group-any {
1290 "A presence container stating that, if this exists,
1291 the role matcher will match on any group.";
1292 presence "This matches any group";
1299 uses has-condition-matchers;
1301 uses has-endpoint-identification-constraints;
1304 container provider-matchers {
1306 "Matchers that apply to the provider endpoint
1309 // GIC mutually OR'd within role
1310 choice group-identification-constraints {
1311 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1313 case group-name-constraint-case {
1314 list group-name-constraint {
1315 key endpoint-group-name;
1316 leaf endpoint-group-name {
1317 type gbp-common:name;
1321 case group-capability-constraint-case {
1322 list capability-matcher {
1324 "Match against capabilities in the provider
1330 "A name for the capability matcher";
1331 type gbp-common:capability-matcher-name;
1337 list matcher-capability {
1339 "A matcher capability is a
1340 capability with a selector
1341 name field used in capability
1342 mat chers. The name of the
1343 matcher capability matches
1344 against capabilities in
1348 uses capability-base;
1350 leaf selector-namespace {
1352 "The name of the selector to
1353 match. This allows us to
1354 specify that we want to match
1355 only capabilities scoped to a
1356 particular selector name.
1358 This parameter is optional;
1359 if not specified, use an
1360 inherited selector namespace
1361 if it exists, or match
1362 against any selector name.";
1364 type gbp-common:selector-name;
1369 case group-any-case {
1370 container group-any {
1376 uses has-condition-matchers;
1378 uses has-endpoint-identification-constraints;
1381 container any-matchers {
1383 "Matchers that apply to either provider endpoint group or consumer endpoint group.";
1384 // TODO fill this out, may need additional groupings so as to not confuse capability or requirement.
1387 // ******************
1388 // Subject References
1389 // ******************
1391 leaf-list subject-refs {
1393 "The subjects that will be activated if this
1397 path "/tenants/tenant/contract/subject/name";
1407 description "Parent contract from which we inherit";
1410 path "/tenants/tenant/contract/id";
1417 "Contract references allow forming contracts
1418 between endpoint groups in different tenants.
1419 Once the contract reference is created, it is
1420 then possible to match against the contract using
1421 selectors as though it were a local tenant.
1423 Endpoint groups in the local tenant can serve
1424 only as consumers of the contract. Once the
1425 contract is matched, consumer matchers will apply
1426 to requirements and conditions in the local
1427 tenant, and provider matchers will apply against
1428 capabilities and conditions in the referenced
1435 "The tenant ID of the tenant containing the
1438 path "/tenants/tenant/id";
1442 description "The contract ID of the contract.";
1445 path "/tenants/tenant/contract/id";