2 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
12 namespace "urn:opendaylight:groupbasedpolicy:policy";
15 import gbp-common {prefix gbp-common;}
16 import ietf-inet-types {prefix inet;}
19 "This module defines the group-based policy configuration
22 revision "2014-04-21" {
33 "Labels are used for matching contracts to endpoint groups
34 through selectors and targets, as well as determining how
35 those contracts will be applied. See more detailed
36 documentation for qualities, conditions, requirements,
40 description "A human-readable description for the label";
41 type gbp-common:description;
44 description "Specify how inheritance will work for this label";
50 "This label will be included normally in the
55 "This label will be excluded from the
56 matching. This allows removing labels that
57 would have otherwise been included because of
64 grouping quality-base {
65 description "Base type for qualities and matcher qualities.";
67 description "A user-visible name for the quality";
68 type gbp-common:quality-name;
74 grouping has-qualities {
75 description "An object with a list of qualities";
78 "A quality is a label which selects which selects the
79 contracts that are in scope. Another name for
80 'quality' could be 'attribute' or 'characteristic.'
81 Qualities can be scoped to either a specific contract
82 or to a target within that contract.
84 Contracts are matched to provider and consumer
85 endpoint groups based on the selectors in those
86 endpoint groups that match the quality.
88 Qualities for a contract are inherited from the
91 Qualities for a target with a given name are
92 inherited both from the enclosing parent contract and
93 from any targets with the same name within the
94 enclosing parent contract.";
101 grouping requirement-base {
102 description "Base type for requirements and matcher requirements.";
104 description "A user-visible name for the requirement";
105 type gbp-common:requirement-name;
111 grouping has-requirements {
114 "A requirement is a label that, along with capabilities,
115 selects how contracts are applied by selecting the
116 applicable subjects within that contract.
117 Requirements represent the fact that an endpoint
118 group requires that some specific functionality be
119 provided to it in order to function.
121 Requirements scoped to an endpoint group (as well as
122 any parent endpoint groups) are inherited by all of
123 that group's contract selectors. Contract selectors
124 also inherit requirements from any contract selectors
125 in the parent groups that have with matching names.
127 Note that requirements play no role in choosing which
128 contracts apply; they only affect how the contracts
129 that are chosen will be interpreted.";
132 uses requirement-base;
136 grouping capability-base {
137 description "Base type for capabilities and matcher capabilities.";
139 description "A user-visible name for the capability";
140 type gbp-common:capability-name;
146 grouping has-capabilities {
149 "A capability is a label that, along with requirements,
150 selects how contracts are applied by selecting the
151 applicable subjects within that contract.
152 Capabilities are specific pieces of functionality
153 that can be exposed to other endpoint groups that may
154 meet functional requirements of those endpoint
157 Capabilities scoped to an endpoint group (as well as
158 any parent endpoint groups) are inherited by all of
159 that group's contract selectors. Contract selectors
160 also inherit capabilities from any contract selectors
161 in the parent groups that have matching names.
163 Note that capabilities play no role in choosing which
164 contracts apply; they only affect how the contracts
165 that are chosen will be interpreted.";
168 uses capability-base;
172 grouping has-conditions {
175 "A condition is a state label for endpoints that can
176 change over time. As conditions change for certain
177 endpoints, this can affect which subjects are in
178 scope as determined by how the clauses in the
179 contract match against the requirements and
180 capabilities for the endpoint group, and the
181 conditions for the endpoints.";
185 description "A user-visible name for the condition";
186 type gbp-common:condition-name;
195 "A matcher allows matching against labels. This is used
196 to both to match contracts to endpoint groups by matching
197 on qualities, and then to match against subjects in the
198 contract by matching on requirements, capabilities, and
203 "Specify how many of the labels must match. If not
204 specified, defaults to 'all'.";
208 "All specified labels must match.";
212 "At least one of the specified labels must match.";
216 "None of the specified labels can match.";
222 grouping has-condition-matchers {
223 description "Objects with condition matchers";
224 list condition-matcher {
225 description "Match against conditions on endpoints.";
230 "A name for the condition matcher";
231 type gbp-common:condition-matcher-name;
240 // ************************
241 // Network domains grouping
242 // ************************
244 grouping network-domain {
246 "A base type for network domains. Network domains
247 represent some logical grouping or namespace of
251 "A human-readable name for the network domain.";
252 type gbp-common:name;
256 "A human-readable description for the context.";
257 type gbp-common:description;
261 grouping forwarding-context {
262 description "A base type for forwarding contexts.";
266 grouping l2-context {
268 "A base type for layer 2 contexts. Layer 2 contexts
269 represent a namespace or logical grouping of layer 2
272 uses forwarding-context;
275 // ************************
276 // Endpoint group groupings
277 // ************************
281 "Relators allow contracts and endpoint groups to be related
282 to each other through a matching process. See target,
283 selection-relator, target-selector, and named-selector
284 for more information.";
287 grouping selection-relator {
289 "Selection relators allow endpoint groups to select
290 contracts based on their name or on their qualities.";
294 description "A name for the selector";
295 type gbp-common:selector-name;
300 grouping consumer-selection-relator {
302 "A selection relator for matching contracts to meet
303 endpoint group requirements. See consumer-named-selector
304 and consumer-target-selector for more details.";
305 uses selection-relator;
306 uses has-requirements;
309 grouping provider-selection-relator {
311 "A selection relator for matching contracts to meet
312 endpoint group requirements. See provider-named-selector
313 and provider-named-selector for more details.";
314 uses selection-relator;
315 uses has-capabilities;
318 grouping named-selector {
320 "A named selector selects a contract based on the name of
321 the contract. Once the contract is selected, the
322 requirements and capabilities are used to select specific
323 subjects within that contract. Named selectors are the
324 simplest way to select a contract. If you need a more
325 advanced selector, see the target selector.
327 There are two kinds of named selector: consumer named
328 selectors and provider named selectors. Consumer named
329 selectors select contracts to meet requirements for the
330 endpoint group, and provider named selectors select
331 contracts to provide capabilities for the endpoint group.";
334 description "Specific contracts to select.";
336 path "/tenants/tenant/contract/id";
341 grouping target-selector {
343 "Target selectors select contracts for the endpoint group.
344 First, the quality matchers are used to select the
345 contracts. Then, the requirements and capabilities are
346 used to select specific subjects within that contract.
347 Target selectors are an advanced method for selecting
348 contracts; for a simpler method, see the named selector.
350 There are two kinds of target selectors: consumer target
351 selectors and provider target selectors. Consumer target
352 selectors select contracts to meet requirements for the
353 endpoint group, and provider target selectors select
354 contracts to provide capabilities to other endpoint
357 list quality-matcher {
359 "A quality matcher is used in a target selector to
360 match against the qualities in a contract target.
361 You can specify a list of qualities to match against.
362 You can choose whether all qualities listed must
363 match or if a match can be made with any of the
368 description "A unique name for the quality matcher";
369 type gbp-common:quality-matcher-name;
375 list matcher-quality {
377 "A matcher quality is a quality with a target name
378 field used in quality matchers. The name of the
379 matcher quality matches against qualities in
385 leaf target-namespace {
387 "The name of the target to match. This allows
388 us to specify that we want to match only
389 qualities scoped to a particular target name.
391 This parameter is optional; if not specified,
392 use an inherited target name if it exists, or
393 match against any target name.";
395 type gbp-common:target-name;
401 // ******************
402 // Contract groupings
403 // ******************
405 grouping has-direction {
406 description "Object that have a directionality.";
408 default bidirectional;
412 "Applies to traffic into provider endpoint group";
416 "Applies to traffic out of provider endpoint group";
420 "Applies to traffic in both directions";
426 grouping subject-feature-instance {
428 "Specific instances of subject features with
429 parameters filled in.";
430 list parameter-value {
433 type gbp-common:parameter-name;
442 container range-value {
456 description "Objects containing an order parameter";
459 "Specify the ordering of an ordered list
467 grouping has-classifier-refs {
468 description "Objects containing lists of classifier references";
470 list classifier-ref {
473 "A reference to classifier instance that is used to match
474 traffic traveling between the endpoint groups that
478 description "A unique name for this classifier reference";
479 type gbp-common:classifier-name;
484 description "The name of the classifier instance";
486 path "/tenants/tenant/subject-feature-instances/classifier-instance/name";
491 leaf connection-tracking {
493 "Set up connection tracking for this classifier,
494 which allows the traffic in the reverse direction
495 as connections are established. This enables
496 rules that allow connections to be initiated only
497 from one side, but once initiated the two sides
498 can communicate for that connection.";
504 "Match only traffic matching the classifier
509 "Additionally match reverse traffic for
519 grouping has-action-refs {
520 description "Objects containing lists of action references";
524 "A reference to an action defined in the subject
525 feature instances for the tenant.";
529 description "The name of the action instance";
531 path "/tenants/tenant/subject-feature-instances/action-instance/name";
539 grouping subject-feature-definition {
541 "Base type for subject feature definitions.";
544 description "A user-readable description";
545 type gbp-common:description;
550 "A parameter for the feature that can be
554 description "A user-visible name for the parameter";
555 type gbp-common:parameter-name;
560 "A user-visible description of the meaning of
562 type gbp-common:description;
565 description "The type of the parameter";
569 description "A string-valued parameter";
572 description "An integer-valued parameter";
575 description "An integer-range parameter";
580 description "Specify whether the parameter is
581 required for correct operation.";
585 description "The parameter is required";
588 description "The parameter is optional";
594 leaf fallback-behavior {
596 "Set the behavior when the underlying infrastructure
597 is unable to support a particular feature.";
601 "A fatal exception MUST be raised which will
602 render the enclosing subject inactive.";
604 enum allow-fallback {
606 "The infrastructure MAY fall back to using
607 a parent definition of this feature, and
608 instread raise a nonfatal exception.";
614 // ********************
615 // Global Configuration
616 // ********************
618 container subject-feature-definitions {
620 "Contains configuration for the set of actions and
621 classifiers that can be defined for a subject. This is
622 be specific to the capabilities of the underlying
623 infrastructure, so the policy model does not define the
626 The definitions here provide a generic parameterized base
627 that can be extended by more specific definitions.
628 Extensions must apply all the semantics from their parent
629 object as well as any additional semantics. If the
630 underlying infrastructure is unable to support a
631 particular feature, it MUST trigger an exception that
632 will render the enclosing subject inactive until the
633 exception is resolved. If the fallback-behavior
634 parameter is set to 'allow-fallback', the infrastructure
635 MAY instead apply the parent subject feature and instead
636 raise a nonfatal exception.";
640 list classifier-definition {
642 "A classifier is used to match traffic traveling between
643 the endpoint groups that form the contract.
644 Classifier definitions can define parameters that
645 will need to be filled in when a particular rule
649 uses subject-feature-definition;
652 description "A unique ID for the classifier definition";
653 type gbp-common:classifier-definition-id;
659 "A user-visible name for the classifier definition";
660 type gbp-common:classifier-name;
665 "Parent classifier definition from which we inherit";
667 path "/subject-feature-definitions/classifier-definition/id";
672 list action-definition {
674 "A action to be applied to traffic across endpoint
675 groups. Action definitions can define parameters
676 that will need to be filled in when a particular rule
680 uses subject-feature-definition;
683 description "A unique ID for the action";
684 type gbp-common:action-definition-id;
689 description "A user-visible name for the action";
690 type gbp-common:action-name;
695 "Parent action definition from which we inherit";
697 path "/subject-feature-definitions/action-definition/id";
708 description "The list of all known tenants";
714 "A tenant is a domain of administration which is
715 logically separate from other tenants. Most policy
716 is defined in the context of a particular tenant";
720 description "A unique ID for the tenant";
722 type gbp-common:tenant-id;
725 description "A user-visible name for the tenant";
726 type gbp-common:name;
729 description "A user-readable description for the tenant";
730 type gbp-common:description;
739 "A layer 3 context represents a namespace for layer 3
740 addresses. It represents a domain inside which endpoints
741 can communicate with requiring any address translation.";
744 uses forwarding-context;
748 "A unique ID for the layer 3 context";
749 type gbp-common:l3-context-id;
753 list l2-bridge-domain {
755 "A layer 2 bridge domain represents a domain in which
756 layer 2 communication is possible when allowed by policy.";
761 description "A unique ID for the bridge domain";
762 type gbp-common:l2-bridge-domain-id;
767 "The layer 3 context that contains this bridge domain";
769 path "/tenants/tenant/l3-context/id";
774 list l2-flood-domain {
776 "A layer 2 flood domain represents a domain in which
777 layer 2 broadcast and multicast is allowed.";
782 description "A unique ID for the flood domain";
783 type gbp-common:l2-flood-domain-id;
788 "The bridge domain that contains this flood domain";
790 path "/tenants/tenant/l2-bridge-domain/id";
797 "An IP subnet associated with a layer 2 or layer 3
803 description "A unique ID for the subnet";
804 type gbp-common:subnet-id;
809 "The forwarding context that contains this subnet";
810 type gbp-common:context-id;
814 description "The IP prefix that defines the subnet";
817 leaf virtual-router-ip {
819 "IP address to use for a virtual gateway router
820 for the subnet, if desired.";
821 type inet:ip-address;
829 list endpoint-group {
831 "Endpoint groups are sets of endpoints that share a
832 common set of policies. Endpoint groups are
833 matched to contracts using selectors, contracts
834 determine which endpoints can communicate and in
837 Endpoint groups have both requirements and
838 capabilities, which represent specific pieces of
839 functionality that are exposed at the boundary of
840 those groups. Requirements represent some
841 specific functionality that is needed for the
842 endpoints in the endpoint group to function.
843 Correspondingly, capabilities are pieces of
844 functionality that the endpoints in the endpoint
845 group can provide to other endpoints.
847 Contracts can be selected through either a named
848 selector, which matches specific contracts by
849 name, or by a target selector which will match
850 contracts by matching its list of qualities to
851 the list of qualities for a target on the
852 contract. The contract selectors choose which
853 contracts are in scope. Note that requirements
854 and capabilities are not used when choosing which
855 contracts are in scope; these are used to
856 determine how a contract will be interpreted.
858 There are two broad category of selectors:
859 provider selectors and consumer selectors. The
860 provider selectors allow selecting contracts that
861 allow the endpoint group to expose its
862 capabilities. The consumer selectors allow
863 selecting contracts which allow the endpoint
864 group to meet its requirements.";
870 type gbp-common:endpoint-group-id;
875 "A user-visible name for the endpoint group";
876 type gbp-common:name;
880 "A human-readable description for the endpoint
882 type gbp-common:description;
884 uses has-requirements;
885 uses has-capabilities;
887 leaf intra-group-policy {
889 "Governs how traffic within the endpoint group
895 "Traffic between two endpoints in the group
898 enum require-contract {
900 "Traffic between two endpoints in the group
901 is allowed only when a contract exists to
902 allow it explicitly";
907 list consumer-named-selector {
909 "Consumer named selectors are named selectors
910 that select contracts to meet the
911 requirements of the endpoint group.
913 The consumer named selector selects a
914 contract based on the name of the contract.
915 Once the contract is selected, the
916 requirements are used to select specific
917 subjects within that contract.";
921 uses consumer-selection-relator;
924 list provider-named-selector {
926 "Provider named selectors are named selectors
927 that select contracts to provide capabilties
928 to other endpoint group.
930 The provider named selector selects a
931 contract based on the name of the contract.
932 Once the contract is selected, the capabilies
933 are used to select specific subjects within
938 uses provider-selection-relator;
941 list consumer-target-selector {
943 "Consumer target selectors are target selectors
944 that select contracts to meet the requirements
945 of the endpoint group.
947 The consumer target selector selects a
948 contract using the quality matchers to match
949 against the qualities specified on the
950 contract targets. Once the contract is
951 selected, the requirements are used to select
952 specific subjects within that contract.";
955 uses target-selector;
956 uses consumer-selection-relator;
959 list provider-target-selector {
961 "Provider target selectors are target selectors
962 that select contracts to provide capabilties
963 to other endpoint group.
965 The provider target selector selects a
966 contract using the quality matchers to match
967 against the qualities specified on the
968 contract targets. Once the contract is
969 selected, the capabilities are used to select
970 specific subjects within that contract.";
973 uses target-selector;
974 uses provider-selection-relator;
977 leaf network-domain {
979 "The network domain associated with this endpoint
980 group. The network domain controls which endpoints
981 are addressible by the endpoints in the group.";
982 type gbp-common:network-domain-id;
987 "Parent endpoint group from which we inherit";
990 path "/tenants/tenant/endpoint-group/id";
995 // *************************
996 // Subject feature instances
997 // *************************
999 container subject-feature-instances {
1001 "Contains instances of subject features. Subject
1002 feature instances reference a subject feature
1003 definition but fill in the required parameters so
1004 that they can be easily references elsewhere.";
1006 list classifier-instance {
1011 description "A name for the classifier instance";
1012 type gbp-common:classifier-name;
1015 leaf classifier-definition-id {
1017 path "/subject-feature-definitions/classifier-definition/id";
1020 uses subject-feature-instance;
1023 list action-instance {
1028 description "A name for the action instance";
1029 type gbp-common:action-name;
1032 leaf action-definition-id {
1034 path "/subject-feature-definitions/action-definition/id";
1037 uses subject-feature-instance;
1047 "Contracts contain a set of subjects that describe
1048 the communication allowed between endpoints in
1049 endpoint groups. Contracts are matched to endpoint
1050 groups by selectors.";
1054 description "A unique ID for the contract";
1055 type gbp-common:contract-id;
1061 "A human-readable description for the contract.";
1062 type gbp-common:description;
1073 "Targets on a contract allow grouping sets of qualities
1074 together, as well as providing a namespace for
1075 the qualities that are matched.";
1080 "The name for this target. This can also be used
1081 by quality matchers as a namespace for qualities.";
1082 type gbp-common:target-name;
1090 // ********************
1091 // Clauses and subjects
1092 // ********************
1096 "Subjects define rules to allow traffic to flow
1097 between endpoints in different endpoint
1098 groups. No communication is allowed unless a
1099 subject allows that communication.
1101 After a contract has been selected, clauses
1102 in that contract match against the
1103 requirements, capabilities, and conditions
1104 that apply to the endpoints or endpoint
1105 groups that are participating in the
1106 contract. Clauses that match each point to a
1107 subject which then becomes active.
1109 An active subject can then apply its rules to
1110 the traffic between the endpoints.";
1114 description "A name for the subject";
1115 type gbp-common:subject-name;
1121 "A rule is applied to traffic between
1122 endpoints in different endpoint groups.
1123 Rules match against the traffic using
1124 classifiers, and then apply actions to
1125 the traffic for matching rules.
1127 Rules are applied in order according to
1128 their order parameter. Only the first
1129 matching rule will apply. When multiple
1130 subjects are active, the order on each
1131 subject will determine which subjects are
1132 applied first, and all their rules will
1133 take effect before the rules of any
1134 subjects with a higher order value. When
1135 subjects have the same order value, then
1136 they will apply in lexicographic order by
1141 description "A name for the rule";
1142 type gbp-common:rule-name;
1146 uses has-classifier-refs;
1147 uses has-action-refs;
1156 "Clauses are used to determine which subjects are
1157 active once a contract is selected using the
1160 Clauses are activated by matching against
1161 requirements on the consumer endpoint group,
1162 capabilities on the provider endpoint group, and
1163 conditions on the individual endpoints in the
1168 type gbp-common:clause-name;
1176 container consumer-matchers {
1178 "Matchers that apply to the consumer endpoint
1180 list requirement-matcher {
1182 "Match against requirements in the consumer
1188 "A name for the requirement matcher";
1189 type gbp-common:requirement-matcher-name;
1194 list matcher-requirement {
1196 "A matcher requirement is a
1197 requirement with a selector name
1198 field used in requirement
1199 matchers. The name of the
1200 matcher requirement matches
1201 against requirements in endpoint
1205 uses requirement-base;
1207 leaf selector-namespace {
1209 "The name of the selector to
1210 match. This allows us to
1211 specify that we want to match
1212 only requirements scoped to a
1213 particular selector name.
1215 This parameter is optional;
1216 if not specified, use an
1217 inherited selector namespace
1218 if it exists, or match
1219 against any selector name.";
1221 type gbp-common:selector-name;
1225 uses has-condition-matchers;
1228 container provider-matchers {
1230 "Matchers that apply to the provider endpoint
1233 list capability-matcher {
1235 "Match against capabilities in the provider
1241 "A name for the capability matcher";
1242 type gbp-common:capability-matcher-name;
1248 list matcher-capability {
1250 "A matcher capability is a
1251 capability with a selector
1252 name field used in capability
1253 mat chers. The name of the
1254 matcher capability matches
1255 against capabilities in
1259 uses capability-base;
1261 leaf selector-namespace {
1263 "The name of the selector to
1264 match. This allows us to
1265 specify that we want to match
1266 only capabilities scoped to a
1267 particular selector name.
1269 This parameter is optional;
1270 if not specified, use an
1271 inherited selector namespace
1272 if it exists, or match
1273 against any selector name.";
1275 type gbp-common:selector-name;
1279 uses has-condition-matchers;
1282 // ******************
1283 // Subject References
1284 // ******************
1286 leaf-list subject-refs {
1288 "The subjects that will be activated if this
1292 path "/tenants/tenant/contract/subject/name";
1302 description "Parent contract from which we inherit";
1305 path "/tenants/tenant/contract/id";
1312 "Contract references allow forming contracts
1313 between endpoint groups in different tenants.
1314 Once the contract reference is created, it is
1315 then possible to match against the contract using
1316 selectors as though it were a local tenant.
1318 Endpoint groups in the local tenant can serve
1319 only as consumers of the contract. Once the
1320 contract is matched, consumer matchers will apply
1321 to requirements and conditions in the local
1322 tenant, and provider matchers will apply against
1323 capabilities and conditions in the referenced
1330 "The tenant ID of the tenant containing the
1333 path "/tenants/tenant/id";
1337 description "The contract ID of the contract.";
1340 path "/tenants/tenant/contract/id";