2 * Copyright (c) 2014 Cisco Systems, Inc. and others. All rights reserved.
4 * This program and the accompanying materials are made available under the
5 * terms of the Eclipse Public License v1.0 which accompanies this distribution,
6 * and is available at http://www.eclipse.org/legal/epl-v10.html
12 namespace "urn:opendaylight:groupbasedpolicy:policy";
15 import gbp-common {prefix gbp-common;}
16 import ietf-inet-types {prefix inet;}
19 "This module defines the group-based policy configuration
22 revision "2014-04-21" {
33 "Labels are used for matching contracts to endpoint groups
34 through selectors and targets, as well as determining how
35 those contracts will be applied. See more detailed
36 documentation for qualities, conditions, requirements,
40 description "A human-readable description for the label";
41 type gbp-common:description;
44 description "Specify how inheritance will work for this label";
50 "This label will be included normally in the
55 "This label will be excluded from the
56 matching. This allows removing labels that
57 would have otherwise been included because of
64 grouping quality-base {
65 description "Base type for qualities and matcher qualities.";
67 description "A user-visible name for the quality";
68 type gbp-common:quality-name;
74 grouping has-qualities {
75 description "An object with a list of qualities";
78 "A quality is a label which selects which selects the
79 contracts that are in scope. Another name for
80 'quality' could be 'attribute' or 'characteristic.'
81 Qualities can be scoped to either a specific contract
82 or to a target within that contract.
84 Contracts are matched to provider and consumer
85 endpoint groups based on the selectors in those
86 endpoint groups that match the quality.
88 Qualities for a contract are inherited from the
91 Qualities for a target with a given name are
92 inherited both from the enclosing parent contract and
93 from any targets with the same name within the
94 enclosing parent contract.";
101 grouping requirement-base {
102 description "Base type for requirements and matcher requirements.";
104 description "A user-visible name for the requirement";
105 type gbp-common:requirement-name;
111 grouping has-requirements {
114 "A requirement is a label that, along with capabilities,
115 selects how contracts are applied by selecting the
116 applicable subjects within that contract.
117 Requirements represent the fact that an endpoint
118 group requires that some specific functionality be
119 provided to it in order to function.
121 Requirements scoped to an endpoint group (as well as
122 any parent endpoint groups) are inherited by all of
123 that group's contract selectors. Contract selectors
124 also inherit requirements from any contract selectors
125 in the parent groups that have with matching names.
127 Note that requirements play no role in choosing which
128 contracts apply; they only affect how the contracts
129 that are chosen will be interpreted.";
132 uses requirement-base;
136 grouping capability-base {
137 description "Base type for capabilities and matcher capabilities.";
139 description "A user-visible name for the capability";
140 type gbp-common:capability-name;
146 grouping has-capabilities {
149 "A capability is a label that, along with requirements,
150 selects how contracts are applied by selecting the
151 applicable subjects within that contract.
152 Capabilities are specific pieces of functionality
153 that can be exposed to other endpoint groups that may
154 meet functional requirements of those endpoint
157 Capabilities scoped to an endpoint group (as well as
158 any parent endpoint groups) are inherited by all of
159 that group's contract selectors. Contract selectors
160 also inherit capabilities from any contract selectors
161 in the parent groups that have matching names.
163 Note that capabilities play no role in choosing which
164 contracts apply; they only affect how the contracts
165 that are chosen will be interpreted.";
168 uses capability-base;
172 grouping has-conditions {
175 "A condition is a state label for endpoints that can
176 change over time. As conditions change for certain
177 endpoints, this can affect which subjects are in
178 scope as determined by how the clauses in the
179 contract match against the requirements and
180 capabilities for the endpoint group, and the
181 conditions for the endpoints.";
185 description "A user-visible name for the condition";
186 type gbp-common:condition-name;
195 "A matcher allows matching against labels. This is used
196 to both to match contracts to endpoint groups by matching
197 on qualities, and then to match against subjects in the
198 contract by matching on requirements, capabilities, and
203 "Specify how many of the labels must match. If not
204 specified, defaults to 'all'.";
208 "All specified labels must match.";
212 "At least one of the specified labels must match.";
216 "None of the specified labels can match.";
222 grouping has-condition-matchers {
223 description "Objects with condition matchers";
224 list condition-matcher {
225 description "Match against conditions on endpoints.";
230 "A name for the condition matcher";
231 type gbp-common:condition-matcher-name;
240 // ************************
241 // Network domains grouping
242 // ************************
244 grouping network-domain {
246 "A base type for network domains. Network domains
247 represent some logical grouping or namespace of
251 "A human-readable name for the network domain.";
252 type gbp-common:name;
256 "A human-readable description for the context.";
257 type gbp-common:description;
261 grouping forwarding-context {
262 description "A base type for forwarding contexts.";
266 grouping l2-context {
268 "A base type for layer 2 contexts. Layer 2 contexts
269 represent a namespace or logical grouping of layer 2
272 uses forwarding-context;
275 // ************************
276 // Endpoint group groupings
277 // ************************
281 "Relators allow contracts and endpoint groups to be related
282 to each other through a matching process. See target,
283 selection-relator, target-selector, and named-selector
284 for more information.";
287 grouping selection-relator {
289 "Selection relators allow endpoint groups to select
290 contracts based on their name or on their qualities.";
294 description "A name for the selector";
295 type gbp-common:selector-name;
300 grouping consumer-selection-relator {
302 "A selection relator for matching contracts to meet
303 endpoint group requirements. See consumer-named-selector
304 and consumer-target-selector for more details.";
305 uses selection-relator;
306 uses has-requirements;
309 grouping provider-selection-relator {
311 "A selection relator for matching contracts to meet
312 endpoint group requirements. See provider-named-selector
313 and provider-named-selector for more details.";
314 uses selection-relator;
315 uses has-capabilities;
318 grouping named-selector {
320 "A named selector selects a contract based on the name of
321 the contract. Once the contract is selected, the
322 requirements and capabilities are used to select specific
323 subjects within that contract. Named selectors are the
324 simplest way to select a contract. If you need a more
325 advanced selector, see the target selector.
327 There are two kinds of named selector: consumer named
328 selectors and provider named selectors. Consumer named
329 selectors select contracts to meet requirements for the
330 endpoint group, and provider named selectors select
331 contracts to provide capabilities for the endpoint group.";
334 description "Specific contracts to select.";
336 path "/tenants/tenant/contract/id";
341 grouping target-selector {
343 "Target selectors select contracts for the endpoint group.
344 First, the quality matchers are used to select the
345 contracts. Then, the requirements and capabilities are
346 used to select specific subjects within that contract.
347 Target selectors are an advanced method for selecting
348 contracts; for a simpler method, see the named selector.
350 There are two kinds of target selectors: consumer target
351 selectors and provider target selectors. Consumer target
352 selectors select contracts to meet requirements for the
353 endpoint group, and provider target selectors select
354 contracts to provide capabilities to other endpoint
357 list quality-matcher {
359 "A quality matcher is used in a target selector to
360 match against the qualities in a contract target.
361 You can specify a list of qualities to match against.
362 You can choose whether all qualities listed must
363 match or if a match can be made with any of the
368 description "A unique name for the quality matcher";
369 type gbp-common:quality-matcher-name;
375 list matcher-quality {
377 "A matcher quality is a quality with a target name
378 field used in quality matchers. The name of the
379 matcher quality matches against qualities in
385 leaf target-namespace {
387 "The name of the target to match. This allows
388 us to specify that we want to match only
389 qualities scoped to a particular target name.
391 This parameter is optional; if not specified,
392 use an inherited target name if it exists, or
393 match against any target name.";
395 type gbp-common:target-name;
401 // ******************
402 // Contract groupings
403 // ******************
405 grouping has-direction {
406 description "Object that have a directionality.";
408 default bidirectional;
412 "Applies to traffic into provider endpoint group";
416 "Applies to traffic out of provider endpoint group";
420 "Applies to traffic in both directions";
426 grouping subject-feature-instance {
428 "Specific instances of subject features with
429 parameters filled in.";
430 list parameter-value {
433 type gbp-common:parameter-name;
442 container range-value {
456 description "Objects containing an order parameter";
459 "Specify the ordering of an ordered list
467 grouping has-classifier-refs {
468 description "Objects containing lists of classifier references";
470 list classifier-ref {
473 "A reference to classifier instance that is used to match
474 traffic traveling between the endpoint groups that
478 description "A unique name for this classifier reference";
479 type gbp-common:classifier-name;
484 description "The name of the classifier instance";
486 path "/tenants/tenant/subject-feature-instances/classifier-instance/name";
491 leaf connection-tracking {
493 "Set up connection tracking for this classifier,
494 which allows the traffic in the reverse direction
495 as connections are established. This enables
496 rules that allow connections to be initiated only
497 from one side, but once initiated the two sides
498 can communicate for that connection.";
504 "Match only traffic matching the classifier
509 "Additionally match reverse traffic for
519 grouping has-action-refs {
520 description "Objects containing lists of action references";
524 "A reference to an action defined in the subject
525 feature instances for the tenant.";
529 description "The name of the action instance";
531 path "/tenants/tenant/subject-feature-instances/action-instance/name";
539 grouping subject-feature-definition {
541 "Base type for subject feature definitions.";
544 description "A user-readable description";
545 type gbp-common:description;
550 "A parameter for the feature that can be
554 description "A user-visible name for the parameter";
555 type gbp-common:parameter-name;
560 "A user-visible description of the meaning of
562 type gbp-common:description;
565 description "The type of the parameter";
569 description "A string-valued parameter";
572 description "An integer-valued parameter";
575 description "An integer-range parameter";
580 description "Specify whether the parameter is
581 required for correct operation.";
585 description "The parameter is required";
588 description "The parameter is optional";
594 leaf fallback-behavior {
596 "Set the behavior when the underlying infrastructure
597 is unable to support a particular feature.";
601 "A fatal exception MUST be raised which will
602 render the enclosing subject inactive.";
604 enum allow-fallback {
606 "The infrastructure MAY fall back to using
607 a parent definition of this feature, and
608 instread raise a nonfatal exception.";
614 // ********************
615 // Global Configuration
616 // ********************
618 container subject-feature-definitions {
620 "Contains configuration for the set of actions and
621 classifiers that can be defined for a subject. This is
622 be specific to the capabilities of the underlying
623 infrastructure, so the policy model does not define the
626 The definitions here provide a generic parameterized base
627 that can be extended by more specific definitions.
628 Extensions must apply all the semantics from their parent
629 object as well as any additional semantics. If the
630 underlying infrastructure is unable to support a
631 particular feature, it MUST trigger an exception that
632 will render the enclosing subject inactive until the
633 exception is resolved. If the fallback-behavior
634 parameter is set to 'allow-fallback', the infrastructure
635 MAY instead apply the parent subject feature and instead
636 raise a nonfatal exception.";
640 list classifier-definition {
642 "A classifier is used to match traffic traveling between
643 the endpoint groups that form the contract.
644 Classifier definitions can define parameters that
645 will need to be filled in when a particular rule
649 uses subject-feature-definition;
652 description "A unique ID for the classifier definition";
653 type gbp-common:classifier-definition-id;
659 "A user-visible name for the classifier definition";
660 type gbp-common:classifier-name;
665 "Parent classifier definition from which we inherit";
667 path "/subject-feature-definitions/classifier-definition/id";
672 list action-definition {
674 "A action to be applied to traffic across endpoint
675 groups. Action definitions can define parameters
676 that will need to be filled in when a particular rule
680 uses subject-feature-definition;
683 description "A unique ID for the action";
684 type gbp-common:action-definition-id;
689 description "A user-visible name for the action";
690 type gbp-common:action-name;
695 "Parent action definition from which we inherit";
697 path "/subject-feature-definitions/action-definition/id";
708 description "The list of all known tenants";
714 "A tenant is a domain of administration which is
715 logically separate from other tenants. Most policy
716 is defined in the context of a particular tenant";
720 description "A unique ID for the tenant";
722 type gbp-common:tenant-id;
725 description "A user-visible name for the tenant";
726 type gbp-common:name;
729 description "A user-readable description for the tenant";
730 type gbp-common:description;
739 "A layer 3 context represents a namespace for layer 3
740 addresses. It represents a domain inside which endpoints
741 can communicate with requiring any address translation.";
744 uses forwarding-context;
748 "A unique ID for the layer 3 context";
749 type gbp-common:l3-context-id;
753 list l2-bridge-domain {
755 "A layer 2 bridge domain represents a domain in which
756 layer 2 communication is possible when allowed by policy.";
761 description "A unique ID for the bridge domain";
762 type gbp-common:l2-bridge-domain-id;
767 "The layer 3 context that contains this bridge domain";
769 path "/tenants/tenant/l3-context/id";
774 list l2-flood-domain {
776 "A layer 2 flood domain represents a domain in which
777 layer 2 broadcast and multicast is allowed.";
782 description "A unique ID for the flood domain";
783 type gbp-common:l2-flood-domain-id;
788 "The bridge domain that contains this flood domain";
790 path "/tenants/tenant/l2-bridge-domain/id";
797 "An IP subnet associated with a layer 2 or layer 3
803 description "A unique ID for the subnet";
804 type gbp-common:subnet-id;
809 "The forwarding context that contains this subnet";
810 type gbp-common:context-id;
814 description "The IP prefix that defines the subnet";
817 leaf virtual-router-ip {
819 "IP address to use for a virtual gateway router
820 for the subnet, if desired.";
821 type inet:ip-address;
829 list endpoint-group {
831 "Endpoint groups are sets of endpoints that share a
832 common set of policies. Endpoint groups are
833 matched to contracts using selectors, contracts
834 determine which endpoints can communicate and in
837 Endpoint groups have both requirements and
838 capabilities, which represent specific pieces of
839 functionality that are exposed at the boundary of
840 those groups. Requirements represent some
841 specific functionality that is needed for the
842 endpoints in the endpoint group to function.
843 Correspondingly, capabilities are pieces of
844 functionality that the endpoints in the endpoint
845 group can provide to other endpoints.
847 Contracts can be selected through either a named
848 selector, which matches specific contracts by
849 name, or by a target selector which will match
850 contracts by matching its list of qualities to
851 the list of qualities for a target on the
852 contract. The contract selectors choose which
853 contracts are in scope. Note that requirements
854 and capabilities are not used when choosing which
855 contracts are in scope; these are used to
856 determine how a contract will be interpreted.
858 There are two broad category of selectors:
859 provider selectors and consumer selectors. The
860 provider selectors allow selecting contracts that
861 allow the endpoint group to expose its
862 capabilities. The consumer selectors allow
863 selecting contracts which allow the endpoint
864 group to meet its requirements.";
870 type gbp-common:endpoint-group-id;
875 "A user-visible name for the endpoint group";
876 type gbp-common:name;
880 "A human-readable description for the endpoint
882 type gbp-common:description;
884 uses has-requirements;
885 uses has-capabilities;
887 leaf intra-group-policy {
889 "Governs how traffic within the endpoint group
895 "Traffic between two endpoints in the group
898 enum require-contract {
900 "Traffic between two endpoints in the group
901 is allowed only when a contract exists to
902 allow it explicitly";
907 list consumer-named-selector {
909 "Consumer named selectors are named selectors
910 that select contracts to meet the
911 requirements of the endpoint group.
913 The consumer named selector selects a
914 contract based on the name of the contract.
915 Once the contract is selected, the
916 requirements are used to select specific
917 subjects within that contract.";
921 uses consumer-selection-relator;
924 list provider-named-selector {
926 "Provider named selectors are named selectors
927 that select contracts to provide capabilties
928 to other endpoint group.
930 The provider named selector selects a
931 contract based on the name of the contract.
932 Once the contract is selected, the capabilies
933 are used to select specific subjects within
938 uses provider-selection-relator;
941 list consumer-target-selector {
943 "Consumer target selectors are target selectors
944 that select contracts to meet the requirements
945 of the endpoint group.
947 The consumer target selector selects a
948 contract using the quality matchers to match
949 against the qualities specified on the
950 contract targets. Once the contract is
951 selected, the requirements are used to select
952 specific subjects within that contract.";
955 uses target-selector;
956 uses consumer-selection-relator;
959 list provider-target-selector {
961 "Provider target selectors are target selectors
962 that select contracts to provide capabilties
963 to other endpoint group.
965 The provider target selector selects a
966 contract using the quality matchers to match
967 against the qualities specified on the
968 contract targets. Once the contract is
969 selected, the capabilities are used to select
970 specific subjects within that contract.";
973 uses target-selector;
974 uses provider-selection-relator;
977 leaf network-domain {
979 "The network domain associated with this endpoint
980 group. The network domain controls which endpoints
981 are addressible by the endpoints in the group.";
982 type gbp-common:network-domain-id;
987 "Parent endpoint group from which we inherit";
990 path "/tenants/tenant/endpoint-group/id";
995 list external-implicit-group {
1003 type gbp-common:endpoint-group-id;
1005 // Fields to be determined and completed before Code Freeze
1008 // *************************
1009 // Subject feature instances
1010 // *************************
1012 container subject-feature-instances {
1014 "Contains instances of subject features. Subject
1015 feature instances reference a subject feature
1016 definition but fill in the required parameters so
1017 that they can be easily references elsewhere.";
1019 list classifier-instance {
1024 description "A name for the classifier instance";
1025 type gbp-common:classifier-name;
1028 leaf classifier-definition-id {
1030 path "/subject-feature-definitions/classifier-definition/id";
1033 uses subject-feature-instance;
1036 list action-instance {
1041 description "A name for the action instance";
1042 type gbp-common:action-name;
1045 leaf action-definition-id {
1047 path "/subject-feature-definitions/action-definition/id";
1050 uses subject-feature-instance;
1060 "Contracts contain a set of subjects that describe
1061 the communication allowed between endpoints in
1062 endpoint groups. Contracts are matched to endpoint
1063 groups by selectors.";
1067 description "A unique ID for the contract";
1068 type gbp-common:contract-id;
1074 "A human-readable description for the contract.";
1075 type gbp-common:description;
1086 "Targets on a contract allow grouping sets of qualities
1087 together, as well as providing a namespace for
1088 the qualities that are matched.";
1093 "The name for this target. This can also be used
1094 by quality matchers as a namespace for qualities.";
1095 type gbp-common:target-name;
1103 // ********************
1104 // Clauses and subjects
1105 // ********************
1109 "Subjects define rules to allow traffic to flow
1110 between endpoints in different endpoint
1111 groups. No communication is allowed unless a
1112 subject allows that communication.
1114 After a contract has been selected, clauses
1115 in that contract match against the
1116 requirements, capabilities, and conditions
1117 that apply to the endpoints or endpoint
1118 groups that are participating in the
1119 contract. Clauses that match each point to a
1120 subject which then becomes active.
1122 An active subject can then apply its rules to
1123 the traffic between the endpoints.";
1127 description "A name for the subject";
1128 type gbp-common:subject-name;
1134 "A rule is applied to traffic between
1135 endpoints in different endpoint groups.
1136 Rules match against the traffic using
1137 classifiers, and then apply actions to
1138 the traffic for matching rules.
1140 Rules are applied in order according to
1141 their order parameter. Only the first
1142 matching rule will apply. When multiple
1143 subjects are active, the order on each
1144 subject will determine which subjects are
1145 applied first, and all their rules will
1146 take effect before the rules of any
1147 subjects with a higher order value. When
1148 subjects have the same order value, then
1149 they will apply in lexicographic order by
1154 description "A name for the rule";
1155 type gbp-common:rule-name;
1159 uses has-classifier-refs;
1160 uses has-action-refs;
1169 "Clauses are used to determine which subjects are
1170 active once a contract is selected using the
1173 Clauses are activated by matching against
1174 requirements on the consumer endpoint group,
1175 capabilities on the provider endpoint group, and
1176 conditions on the individual endpoints in the
1180 type gbp-common:clause-name;
1187 container consumer-matchers {
1189 "Matchers that apply to the consumer endpoint
1192 // GIC mutually OR'd within role
1193 choice group-identification-constraints {
1194 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1196 case group-name-constraint-case {
1197 list group-name-constraint {
1198 key endpoint-group-name;
1199 leaf endpoint-group-name {
1200 type gbp-common:name;
1204 case group-requirement-constraint-case {
1205 list requirement-matcher {
1207 "Match against requirements in the consumer
1213 "A name for the requirement matcher";
1214 type gbp-common:requirement-matcher-name;
1219 list matcher-requirement {
1221 "A matcher requirement is a
1222 requirement with a selector name
1223 field used in requirement
1224 matchers. The name of the
1225 matcher requirement matches
1226 against requirements in endpoint
1230 uses requirement-base;
1232 leaf selector-namespace {
1234 "The name of the selector to
1235 match. This allows us to
1236 specify that we want to match
1237 only requirements scoped to a
1238 particular selector name.
1240 This parameter is optional;
1241 if not specified, use an
1242 inherited selector namespace
1243 if it exists, or match
1244 against any selector name.";
1246 type gbp-common:selector-name;
1252 case group-any-case {
1253 container group-any {
1256 "A presence container stating that, if this exists,
1257 the role matcher will match on any group.";
1258 presence "This matches any group";
1265 uses has-condition-matchers;
1267 container endpoint-identification-constraints {
1269 "Identify endpoints via other attributes other than conditions.
1270 These can be things such as ip-prefix, vlan, mpls label etc. These
1271 things are intended to be explicity stated, and should not contain
1272 references to other objects like endpointsIDs.";
1273 container l3-endpoint-identification-constraints {
1274 list prefix-constraint {
1277 type inet:ip-prefix;
1284 container provider-matchers {
1286 "Matchers that apply to the provider endpoint
1289 // GIC mutually OR'd within role
1290 choice group-identification-constraints {
1291 description "Returns Groups which match, MUTALLY OR within role. Must be Either/Or";
1293 case group-name-constraint-case {
1294 list group-name-constraint {
1295 key endpoint-group-name;
1296 leaf endpoint-group-name {
1297 type gbp-common:name;
1301 case group-capability-constraint-case {
1302 list capability-matcher {
1304 "Match against capabilities in the provider
1310 "A name for the capability matcher";
1311 type gbp-common:capability-matcher-name;
1317 list matcher-capability {
1319 "A matcher capability is a
1320 capability with a selector
1321 name field used in capability
1322 mat chers. The name of the
1323 matcher capability matches
1324 against capabilities in
1328 uses capability-base;
1330 leaf selector-namespace {
1332 "The name of the selector to
1333 match. This allows us to
1334 specify that we want to match
1335 only capabilities scoped to a
1336 particular selector name.
1338 This parameter is optional;
1339 if not specified, use an
1340 inherited selector namespace
1341 if it exists, or match
1342 against any selector name.";
1344 type gbp-common:selector-name;
1349 case group-any-case {
1350 container group-any {
1356 uses has-condition-matchers;
1358 container endpoint-identification-constraints {
1360 "Identify endpoints via other attributes other than conditions.
1361 These can be things such as ip-prefix, vlan, mpls label etc. These
1362 things are intended to be explicity stated, and should not contain
1363 references to other objects like endpointsIDs.";
1364 container l3-endpoint-identification-constraints {
1365 list prefix-constraint {
1368 type inet:ip-prefix;
1375 container any-matchers {
1377 "Matchers that apply to either provider endpoint group or consumer endpoint group.";
1378 // TODO fill this out, may need additional groupings so as to not confuse capability or requirement.
1381 // ******************
1382 // Subject References
1383 // ******************
1385 leaf-list subject-refs {
1387 "The subjects that will be activated if this
1391 path "/tenants/tenant/contract/subject/name";
1401 description "Parent contract from which we inherit";
1404 path "/tenants/tenant/contract/id";
1411 "Contract references allow forming contracts
1412 between endpoint groups in different tenants.
1413 Once the contract reference is created, it is
1414 then possible to match against the contract using
1415 selectors as though it were a local tenant.
1417 Endpoint groups in the local tenant can serve
1418 only as consumers of the contract. Once the
1419 contract is matched, consumer matchers will apply
1420 to requirements and conditions in the local
1421 tenant, and provider matchers will apply against
1422 capabilities and conditions in the referenced
1429 "The tenant ID of the tenant containing the
1432 path "/tenants/tenant/id";
1436 description "The contract ID of the contract.";
1439 path "/tenants/tenant/contract/id";
Code Review / groupbasedpolicy.git / blob