2 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
12 namespace "urn:opendaylight:groupbasedpolicy:policy";
15 import gbp-common {prefix gbp-common;}
16 import ietf-inet-types {
18 revision-date 2010-09-24;
22 "This module defines the group-based policy configuration
25 revision "2014-04-21" {
36 "Labels are used for matching contracts to endpoint groups
37 through selectors and targets, as well as determining how
38 those contracts will be applied. See more detailed
39 documentation for qualities, conditions, requirements,
43 description "A human-readable description for the label";
44 type gbp-common:description;
47 description "Specify how inheritance will work for this label";
53 "This label will be included normally in the
58 "This label will be excluded from the
59 matching. This allows removing labels that
60 would have otherwise been included because of
67 grouping quality-base {
68 description "Base type for qualities and matcher qualities.";
70 description "A user-visible name for the quality";
71 type gbp-common:quality-name;
77 grouping has-qualities {
78 description "An object with a list of qualities";
81 "A quality is a label which selects which selects the
82 contracts that are in scope. Another name for
83 'quality' could be 'attribute' or 'characteristic.'
84 Qualities can be scoped to either a specific contract
85 or to a target within that contract.
87 Contracts are matched to provider and consumer
88 endpoint groups based on the selectors in those
89 endpoint groups that match the quality.
91 Qualities for a contract are inherited from the
94 Qualities for a target with a given name are
95 inherited both from the enclosing parent contract and
96 from any targets with the same name within the
97 enclosing parent contract.";
104 grouping requirement-base {
105 description "Base type for requirements and matcher requirements.";
107 description "A user-visible name for the requirement";
108 type gbp-common:requirement-name;
114 grouping has-requirements {
117 "A requirement is a label that, along with capabilities,
118 selects how contracts are applied by selecting the
119 applicable subjects within that contract.
120 Requirements represent the fact that an endpoint
121 group requires that some specific functionality be
122 provided to it in order to function.
124 Requirements scoped to an endpoint group (as well as
125 any parent endpoint groups) are inherited by all of
126 that group's contract selectors. Contract selectors
127 also inherit requirements from any contract selectors
128 in the parent groups that have with matching names.
130 Note that requirements play no role in choosing which
131 contracts apply; they only affect how the contracts
132 that are chosen will be interpreted.";
135 uses requirement-base;
139 grouping capability-base {
140 description "Base type for capabilities and matcher capabilities.";
142 description "A user-visible name for the capability";
143 type gbp-common:capability-name;
149 grouping has-capabilities {
152 "A capability is a label that, along with requirements,
153 selects how contracts are applied by selecting the
154 applicable subjects within that contract.
155 Capabilities are specific pieces of functionality
156 that can be exposed to other endpoint groups that may
157 meet functional requirements of those endpoint
160 Capabilities scoped to an endpoint group (as well as
161 any parent endpoint groups) are inherited by all of
162 that group's contract selectors. Contract selectors
163 also inherit capabilities from any contract selectors
164 in the parent groups that have matching names.
166 Note that capabilities play no role in choosing which
167 contracts apply; they only affect how the contracts
168 that are chosen will be interpreted.";
171 uses capability-base;
175 grouping has-conditions {
178 "A condition is a state label for endpoints that can
179 change over time. As conditions change for certain
180 endpoints, this can affect which subjects are in
181 scope as determined by how the clauses in the
182 contract match against the requirements and
183 capabilities for the endpoint group, and the
184 conditions for the endpoints.";
188 description "A user-visible name for the condition";
189 type gbp-common:condition-name;
198 "A matcher allows matching against labels. This is used
199 to both to match contracts to endpoint groups by matching
200 on qualities, and then to match against subjects in the
201 contract by matching on requirements, capabilities, and
206 "Specify how many of the labels must match. If not
207 specified, defaults to 'all'.";
211 "All specified labels must match.";
215 "At least one of the specified labels must match.";
219 "None of the specified labels can match.";
225 grouping has-condition-matchers {
226 description "Objects with condition matchers";
227 list condition-matcher {
228 description "Match against conditions on endpoints.";
233 "A name for the condition matcher";
234 type gbp-common:condition-matcher-name;
243 grouping has-endpoint-identification-constraints {
244 container endpoint-identification-constraints {
246 "Identify endpoints via other attributes other than conditions.
247 These can be things such as ip-prefix, vlan, mpls label etc. These
248 things are intended to be explicity stated, and should not contain
249 references to other objects like endpointsIDs.";
250 container l3-endpoint-identification-constraints {
251 list prefix-constraint {
261 // ************************
262 // Network domains grouping
263 // ************************
265 grouping network-domain {
267 "A base type for network domains. Network domains
268 represent some logical grouping or namespace of
272 "A human-readable name for the network domain.";
273 type gbp-common:name;
277 "A human-readable description for the context.";
278 type gbp-common:description;
282 grouping forwarding-context {
283 description "A base type for forwarding contexts.";
287 grouping l2-context {
289 "A base type for layer 2 contexts. Layer 2 contexts
290 represent a namespace or logical grouping of layer 2
293 uses forwarding-context;
296 // ************************
297 // Endpoint group groupings
298 // ************************
302 "Relators allow contracts and endpoint groups to be related
303 to each other through a matching process. See target,
304 selection-relator, target-selector, and named-selector
305 for more information.";
308 grouping selection-relator {
310 "Selection relators allow endpoint groups to select
311 contracts based on their name or on their qualities.";
315 description "A name for the selector";
316 type gbp-common:selector-name;
321 grouping consumer-selection-relator {
323 "A selection relator for matching contracts to meet
324 endpoint group requirements. See consumer-named-selector
325 and consumer-target-selector for more details.";
326 uses selection-relator;
327 uses has-requirements;
330 grouping provider-selection-relator {
332 "A selection relator for matching contracts to meet
333 endpoint group requirements. See provider-named-selector
334 and provider-named-selector for more details.";
335 uses selection-relator;
336 uses has-capabilities;
339 grouping named-selector {
341 "A named selector selects a contract based on the name of
342 the contract. Once the contract is selected, the
343 requirements and capabilities are used to select specific
344 subjects within that contract. Named selectors are the
345 simplest way to select a contract. If you need a more
346 advanced selector, see the target selector.
348 There are two kinds of named selector: consumer named
349 selectors and provider named selectors. Consumer named
350 selectors select contracts to meet requirements for the
351 endpoint group, and provider named selectors select
352 contracts to provide capabilities for the endpoint group.";
355 description "Specific contracts to select.";
357 path "/tenants/tenant/contract/id";
362 grouping target-selector {
364 "Target selectors select contracts for the endpoint group.
365 First, the quality matchers are used to select the
366 contracts. Then, the requirements and capabilities are
367 used to select specific subjects within that contract.
368 Target selectors are an advanced method for selecting
369 contracts; for a simpler method, see the named selector.
371 There are two kinds of target selectors: consumer target
372 selectors and provider target selectors. Consumer target
373 selectors select contracts to meet requirements for the
374 endpoint group, and provider target selectors select
375 contracts to provide capabilities to other endpoint
378 list quality-matcher {
380 "A quality matcher is used in a target selector to
381 match against the qualities in a contract target.
382 You can specify a list of qualities to match against.
383 You can choose whether all qualities listed must
384 match or if a match can be made with any of the
389 description "A unique name for the quality matcher";
390 type gbp-common:quality-matcher-name;
396 list matcher-quality {
398 "A matcher quality is a quality with a target name
399 field used in quality matchers. The name of the
400 matcher quality matches against qualities in
406 leaf target-namespace {
408 "The name of the target to match. This allows
409 us to specify that we want to match only
410 qualities scoped to a particular target name.
412 This parameter is optional; if not specified,
413 use an inherited target name if it exists, or
414 match against any target name.";
416 type gbp-common:target-name;
422 // ******************
423 // Contract groupings
424 // ******************
426 grouping has-direction {
427 description "Object that have a directionality.";
429 default bidirectional;
433 "Applies to traffic into provider endpoint group";
437 "Applies to traffic out of provider endpoint group";
441 "Applies to traffic in both directions";
447 grouping subject-feature-instance {
449 "Specific instances of subject features with
450 parameters filled in.";
451 list parameter-value {
454 type gbp-common:parameter-name;
463 container range-value {
477 description "Objects containing an order parameter";
480 "Specify the ordering of an ordered list
488 grouping has-classifier-refs {
489 description "Objects containing lists of classifier references";
491 list classifier-ref {
494 "A reference to classifier instance that is used to match
495 traffic traveling between the endpoint groups that
499 description "A unique name for this classifier reference";
500 type gbp-common:classifier-name;
505 description "The name of the classifier instance";
507 path "/tenants/tenant/subject-feature-instances/classifier-instance/name";
512 leaf connection-tracking {
514 "Set up connection tracking for this classifier,
515 which allows the traffic in the reverse direction
516 as connections are established. This enables
517 rules that allow connections to be initiated only
518 from one side, but once initiated the two sides
519 can communicate for that connection.";
525 "Match only traffic matching the classifier
530 "Additionally match reverse traffic for
540 grouping has-action-refs {
541 description "Objects containing lists of action references";
545 "A reference to an action defined in the subject
546 feature instances for the tenant.";
550 description "The name of the action instance";
552 path "/tenants/tenant/subject-feature-instances/action-instance/name";
560 grouping subject-feature-definition {
562 "Base type for subject feature definitions.";
565 description "A user-readable description";
566 type gbp-common:description;
571 "A parameter for the feature that can be
575 description "A user-visible name for the parameter";
576 type gbp-common:parameter-name;
581 "A user-visible description of the meaning of
583 type gbp-common:description;
586 description "The type of the parameter";
590 description "A string-valued parameter";
593 description "An integer-valued parameter";
596 description "An integer-range parameter";
601 description "Specify whether the parameter is
602 required for correct operation.";
606 description "The parameter is required";
609 description "The parameter is optional";
615 leaf fallback-behavior {
617 "Set the behavior when the underlying infrastructure
618 is unable to support a particular feature.";
622 "A fatal exception MUST be raised which will
623 render the enclosing subject inactive.";
625 enum allow-fallback {
627 "The infrastructure MAY fall back to using
628 a parent definition of this feature, and
629 instread raise a nonfatal exception.";
635 // ********************
636 // Global Configuration
637 // ********************
639 container subject-feature-definitions {
641 "Contains configuration for the set of actions and
642 classifiers that can be defined for a subject. This is
643 be specific to the capabilities of the underlying
644 infrastructure, so the policy model does not define the
647 The definitions here provide a generic parameterized base
648 that can be extended by more specific definitions.
649 Extensions must apply all the semantics from their parent
650 object as well as any additional semantics. If the
651 underlying infrastructure is unable to support a
652 particular feature, it MUST trigger an exception that
653 will render the enclosing subject inactive until the
654 exception is resolved. If the fallback-behavior
655 parameter is set to 'allow-fallback', the infrastructure
656 MAY instead apply the parent subject feature and instead
657 raise a nonfatal exception.";
661 list classifier-definition {
663 "A classifier is used to match traffic traveling between
664 the endpoint groups that form the contract.
665 Classifier definitions can define parameters that
666 will need to be filled in when a particular rule
670 uses subject-feature-definition;
673 description "A unique ID for the classifier definition";
674 type gbp-common:classifier-definition-id;
680 "A user-visible name for the classifier definition";
681 type gbp-common:classifier-name;
685 list action-definition {
687 "A action to be applied to traffic across endpoint
688 groups. Action definitions can define parameters
689 that will need to be filled in when a particular rule
693 uses subject-feature-definition;
696 description "A unique ID for the action";
697 type gbp-common:action-definition-id;
702 description "A user-visible name for the action";
703 type gbp-common:action-name;
713 description "The list of all known tenants";
719 "A tenant is a domain of administration which is
720 logically separate from other tenants. Most policy
721 is defined in the context of a particular tenant";
725 description "A unique ID for the tenant";
727 type gbp-common:tenant-id;
730 description "A user-visible name for the tenant";
731 type gbp-common:name;
734 description "A user-readable description for the tenant";
735 type gbp-common:description;
744 "A layer 3 context represents a namespace for layer 3
745 addresses. It represents a domain inside which endpoints
746 can communicate with requiring any address translation.";
749 uses forwarding-context;
753 "A unique ID for the layer 3 context";
754 type gbp-common:l3-context-id;
758 list l2-bridge-domain {
760 "A layer 2 bridge domain represents a domain in which
761 layer 2 communication is possible when allowed by policy.";
766 description "A unique ID for the bridge domain";
767 type gbp-common:l2-bridge-domain-id;
772 "The layer 3 context that contains this bridge domain";
774 path "/tenants/tenant/l3-context/id";
779 list l2-flood-domain {
781 "A layer 2 flood domain represents a domain in which
782 layer 2 broadcast and multicast is allowed.";
787 description "A unique ID for the flood domain";
788 type gbp-common:l2-flood-domain-id;
793 "The bridge domain that contains this flood domain";
795 path "/tenants/tenant/l2-bridge-domain/id";
802 "An IP subnet associated with a layer 2 or layer 3
808 description "A unique ID for the subnet";
809 type gbp-common:subnet-id;
814 "The forwarding context that contains this subnet";
815 type gbp-common:context-id;
819 description "The IP prefix that defines the subnet";
822 leaf virtual-router-ip {
824 "IP address to use for a virtual gateway router
825 for the subnet, if desired.";
826 type inet:ip-address;
830 "External gateways for subnets we serve,
831 includes prefixes for static routing";
834 type inet:ip-address;
850 list endpoint-group {
852 "Endpoint groups are sets of endpoints that share a
853 common set of policies. Endpoint groups are
854 matched to contracts using selectors, contracts
855 determine which endpoints can communicate and in
858 Endpoint groups have both requirements and
859 capabilities, which represent specific pieces of
860 functionality that are exposed at the boundary of
861 those groups. Requirements represent some
862 specific functionality that is needed for the
863 endpoints in the endpoint group to function.
864 Correspondingly, capabilities are pieces of
865 functionality that the endpoints in the endpoint
866 group can provide to other endpoints.
868 Contracts can be selected through either a named
869 selector, which matches specific contracts by
870 name, or by a target selector which will match
871 contracts by matching its list of qualities to
872 the list of qualities for a target on the
873 contract. The contract selectors choose which
874 contracts are in scope. Note that requirements
875 and capabilities are not used when choosing which
876 contracts are in scope; these are used to
877 determine how a contract will be interpreted.
879 There are two broad category of selectors:
880 provider selectors and consumer selectors. The
881 provider selectors allow selecting contracts that
882 allow the endpoint group to expose its
883 capabilities. The consumer selectors allow
884 selecting contracts which allow the endpoint
885 group to meet its requirements.";
891 type gbp-common:endpoint-group-id;
896 "A user-visible name for the endpoint group";
897 type gbp-common:name;
901 "A human-readable description for the endpoint
903 type gbp-common:description;
905 uses has-requirements;
906 uses has-capabilities;
908 leaf intra-group-policy {
910 "Governs how traffic within the endpoint group
916 "Traffic between two endpoints in the group
919 enum require-contract {
921 "Traffic between two endpoints in the group
922 is allowed only when a contract exists to
923 allow it explicitly";
928 list consumer-named-selector {
930 "Consumer named selectors are named selectors
931 that select contracts to meet the
932 requirements of the endpoint group.
934 The consumer named selector selects a
935 contract based on the name of the contract.
936 Once the contract is selected, the
937 requirements are used to select specific
938 subjects within that contract.";
942 uses consumer-selection-relator;
945 list provider-named-selector {
947 "Provider named selectors are named selectors
948 that select contracts to provide capabilties
949 to other endpoint group.
951 The provider named selector selects a
952 contract based on the name of the contract.
953 Once the contract is selected, the capabilies
954 are used to select specific subjects within
959 uses provider-selection-relator;
962 list consumer-target-selector {
964 "Consumer target selectors are target selectors
965 that select contracts to meet the requirements
966 of the endpoint group.
968 The consumer target selector selects a
969 contract using the quality matchers to match
970 against the qualities specified on the
971 contract targets. Once the contract is
972 selected, the requirements are used to select
973 specific subjects within that contract.";
976 uses target-selector;
977 uses consumer-selection-relator;
980 list provider-target-selector {
982 "Provider target selectors are target selectors
983 that select contracts to provide capabilties
984 to other endpoint group.
986 The provider target selector selects a
987 contract using the quality matchers to match
988 against the qualities specified on the
989 contract targets. Once the contract is
990 selected, the capabilities are used to select
991 specific subjects within that contract.";
994 uses target-selector;
995 uses provider-selection-relator;
998 leaf network-domain {
1000 "The network domain associated with this endpoint
1001 group. The network domain controls which endpoints
1002 are addressible by the endpoints in the group.";
1003 type gbp-common:network-domain-id;
1008 "Parent endpoint group from which we inherit";
1011 path "/tenants/tenant/endpoint-group/id";
1016 list external-implicit-group {
1024 type gbp-common:endpoint-group-id;
1026 // Fields to be determined and completed before Code Freeze
1029 // *************************
1030 // Subject feature instances
1031 // *************************
1033 container subject-feature-instances {
1035 "Contains instances of subject features. Subject
1036 feature instances reference a subject feature
1037 definition but fill in the required parameters so
1038 that they can be easily references elsewhere.";
1040 list classifier-instance {
1045 description "A name for the classifier instance";
1046 type gbp-common:classifier-name;
1049 leaf classifier-definition-id {
1051 path "/subject-feature-definitions/classifier-definition/id";
1054 uses subject-feature-instance;
1057 list action-instance {
1062 description "A name for the action instance";
1063 type gbp-common:action-name;
1066 leaf action-definition-id {
1068 path "/subject-feature-definitions/action-definition/id";
1071 uses subject-feature-instance;
1081 "Contracts contain a set of subjects that describe
1082 the communication allowed between endpoints in
1083 endpoint groups. Contracts are matched to endpoint
1084 groups by selectors.";
1088 description "A unique ID for the contract";
1089 type gbp-common:contract-id;
1095 "A human-readable description for the contract.";
1096 type gbp-common:description;
1107 "Targets on a contract allow grouping sets of qualities
1108 together, as well as providing a namespace for
1109 the qualities that are matched.";
1114 "The name for this target. This can also be used
1115 by quality matchers as a namespace for qualities.";
1116 type gbp-common:target-name;
1124 // ********************
1125 // Clauses and subjects
1126 // ********************
1130 "Subjects define rules to allow traffic to flow
1131 between endpoints in different endpoint
1132 groups. No communication is allowed unless a
1133 subject allows that communication.
1135 After a contract has been selected, clauses
1136 in that contract match against the
1137 requirements, capabilities, and conditions
1138 that apply to the endpoints or endpoint
1139 groups that are participating in the
1140 contract. Clauses that match each point to a
1141 subject which then becomes active.
1143 An active subject can then apply its rules to
1144 the traffic between the endpoints.";
1148 description "A name for the subject";
1149 type gbp-common:subject-name;
1155 "A rule is applied to traffic between
1156 endpoints in different endpoint groups.
1157 Rules match against the traffic using
1158 classifiers, and then apply actions to
1159 the traffic for matching rules.
1161 Rules are applied in order according to
1162 their order parameter. Only the first
1163 matching rule will apply. When multiple
1164 subjects are active, the order on each
1165 subject will determine which subjects are
1166 applied first, and all their rules will
1167 take effect before the rules of any
1168 subjects with a higher order value. When
1169 subjects have the same order value, then
1170 they will apply in lexicographic order by
1175 description "A name for the rule";
1176 type gbp-common:rule-name;
1180 uses has-classifier-refs;
1181 uses has-action-refs;
1190 "Clauses are used to determine which subjects are
1191 active once a contract is selected using the
1194 Clauses are activated by matching against
1195 requirements on the consumer endpoint group,
1196 capabilities on the provider endpoint group, and
1197 conditions on the individual endpoints in the
1201 type gbp-common:clause-name;
1208 container consumer-matchers {
1210 "Matchers that apply to the consumer endpoint
1213 // GIC mutually OR'd within role
1214 choice group-identification-constraints {
1215 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1217 case group-name-constraint-case {
1218 list group-name-constraint {
1219 key endpoint-group-name;
1220 leaf endpoint-group-name {
1221 type gbp-common:name;
1225 case group-requirement-constraint-case {
1226 list requirement-matcher {
1228 "Match against requirements in the consumer
1234 "A name for the requirement matcher";
1235 type gbp-common:requirement-matcher-name;
1240 list matcher-requirement {
1242 "A matcher requirement is a
1243 requirement with a selector name
1244 field used in requirement
1245 matchers. The name of the
1246 matcher requirement matches
1247 against requirements in endpoint
1251 uses requirement-base;
1253 leaf selector-namespace {
1255 "The name of the selector to
1256 match. This allows us to
1257 specify that we want to match
1258 only requirements scoped to a
1259 particular selector name.
1261 This parameter is optional;
1262 if not specified, use an
1263 inherited selector namespace
1264 if it exists, or match
1265 against any selector name.";
1267 type gbp-common:selector-name;
1273 case group-any-case {
1274 container group-any {
1277 "A presence container stating that, if this exists,
1278 the role matcher will match on any group.";
1279 presence "This matches any group";
1286 uses has-condition-matchers;
1288 uses has-endpoint-identification-constraints;
1291 container provider-matchers {
1293 "Matchers that apply to the provider endpoint
1296 // GIC mutually OR'd within role
1297 choice group-identification-constraints {
1298 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1300 case group-name-constraint-case {
1301 list group-name-constraint {
1302 key endpoint-group-name;
1303 leaf endpoint-group-name {
1304 type gbp-common:name;
1308 case group-capability-constraint-case {
1309 list capability-matcher {
1311 "Match against capabilities in the provider
1317 "A name for the capability matcher";
1318 type gbp-common:capability-matcher-name;
1324 list matcher-capability {
1326 "A matcher capability is a
1327 capability with a selector
1328 name field used in capability
1329 mat chers. The name of the
1330 matcher capability matches
1331 against capabilities in
1335 uses capability-base;
1337 leaf selector-namespace {
1339 "The name of the selector to
1340 match. This allows us to
1341 specify that we want to match
1342 only capabilities scoped to a
1343 particular selector name.
1345 This parameter is optional;
1346 if not specified, use an
1347 inherited selector namespace
1348 if it exists, or match
1349 against any selector name.";
1351 type gbp-common:selector-name;
1356 case group-any-case {
1357 container group-any {
1363 uses has-condition-matchers;
1365 uses has-endpoint-identification-constraints;
1368 container any-matchers {
1370 "Matchers that apply to either provider endpoint group or consumer endpoint group.";
1371 // TODO fill this out, may need additional groupings so as to not confuse capability or requirement.
1374 // ******************
1375 // Subject References
1376 // ******************
1378 leaf-list subject-refs {
1380 "The subjects that will be activated if this
1384 path "/tenants/tenant/contract/subject/name";
1394 description "Parent contract from which we inherit";
1397 path "/tenants/tenant/contract/id";
1404 "Contract references allow forming contracts
1405 between endpoint groups in different tenants.
1406 Once the contract reference is created, it is
1407 then possible to match against the contract using
1408 selectors as though it were a local tenant.
1410 Endpoint groups in the local tenant can serve
1411 only as consumers of the contract. Once the
1412 contract is matched, consumer matchers will apply
1413 to requirements and conditions in the local
1414 tenant, and provider matchers will apply against
1415 capabilities and conditions in the referenced
1422 "The tenant ID of the tenant containing the
1425 path "/tenants/tenant/id";
1429 description "The contract ID of the contract.";
1432 path "/tenants/tenant/contract/id";