© 2003, Cisco Systems, Inc. All rights reserved.
IEEE Policy Conference 2004
CIM and Ponder
Andrea Westerinen, Cisco
June, 2004
Purpose
• Determine if the DMTF approach for writing policy rules is workable
• Compare the CIM representation with a “known” language
DMTF’s Policy Model in CIM
• Instances and groups of PolicyRules
• Rules aggregate PolicyConditions and PolicyActions
• Conditions can be combined in conjunctive or disjunctive sets
• Actions can be sequenced
• Domain-specific subclassing, for example IPsec or Authentication/Authorization rules
• New work in support of generic Event-Condition-Action policy rules
CIM Policy Classes
Classes (properties listed after each):
• ManagedElement (Abstract)
• Policy (Abstract), subclass of ManagedElement: CommonName: string; PolicyKeywords: string[ ]
• PolicySet (Abstract), subclass of Policy: PolicyDecisionStrategy: uint16 {Enum}; Enabled: uint16 {Enum} = 1
• PolicyRule, subclass of PolicySet: <naming properties>; ConditionListType: uint16 {Enum}; RuleUsage: string; SequencedActions: uint16 {Enum}; ExecutionStrategy: uint16 {Enum}
• PolicyGroup, subclass of PolicySet: <naming properties>
• PolicyCondition (Abstract), subclass of Policy: <naming properties>
• PolicyAction (Abstract), subclass of Policy: <naming properties>; DoActionLogging: boolean
Associations (all drawn with * multiplicities on the diagram):
• PolicyComponent
• PolicySetComponent: Priority: uint16
• PolicyConditionInPolicyRule: GroupNumber: uint16; ConditionNegated: boolean
• PolicyActionInPolicyRule: ActionOrder: uint16
• PolicySetAppliesToElement
Authentication/Authorization Rules in CIM
• PolicySet (CIM_): PolicyDecisionStrategy: uint8 {enum= 2=“First Match”, “Match All”}; SetEnabled: boolean
• PolicyRule (CIM_): ConditionListType: uint8 {enum= 2=“DNF - Groups ORed and Conditions within Groups ANDed”, “CNF - Groups ANDed and Conditions within Groups ORed”}; SequencedActions: uint8 {enum= 2=“Mandatory”, “Recommended”, “Don’t Care”}; ExecutionStrategy: uint8 {enum= 2=“Do Until Successful”, “Do All”, “Do Until Failure”}
• PolicySetComponent (CIM_), subclass of Component: Priority: uint16 (PolicyGroups and Rules can be constructed from other Groups and Rules)
• AuthenticationRule (CIM_): implicit action to set the CurrentlyAuthenticated boolean of an Identity associated by PolicySetAppliesToElement
• AuthorizationRule (CIM_) {Exp}: implicit action to permit/deny the Privilege(s) for any Identities associated by AuthorizationRuleAppliesToIdentity (necessary to distinguish Identities separately since they also may be Targets)
CIM Event-Condition-Action Classes
Can identify “rule triggering” conditions/events
• PolicyCondition (Abstract): <naming properties>
• PolicyAction (Abstract): <naming properties>; DoActionLogging: boolean
• QueryCondition, subclass of PolicyCondition: Query: string; QueryLanguage: uint16 {enum}; Trigger: boolean
• MethodAction, subclass of PolicyAction: Query: string; QueryLanguage: uint16 {enum}
PONDER Policies
• Declarative
• Three categories of policy rules
Authorization, Obligation, Delegation
• Both positive and negative
Negative obligation rules are coded as “refrain”
inst oblig <rule name> {
on <event identifier> ;
subject <subject name> = <domain name or expression> ;
target <target name> = <domain name or expression> ;
do <one or more actions> ; }
Policy, Pigs and PONDER Discussion in DMTF Policy WG
If at least two of a farmer’s pigs are squealing, then he/she must feed one of the pigs that is not squealing.
Classes in the example:
• Farmer: <some properties>; methods HandleAnimal ( [IN] Animal: ref Animal, [IN] HandleAction: uint16 {enum}): uint32 and WorkCrop ( [IN] Field: ref Crop, [IN] WorkAction: uint16 {enum}): uint32
• Animal: <some properties>, with subclasses Pig (isSquealing: boolean), Cow (NeedsMilking: boolean) and Horse (<some properties>)
• Crop: <some properties>
Associations (drawn with * multiplicities): Raises (Farmer to Animal) and Cultivates (Farmer to Crop)
Policy and Pigs – CIM Representation
MethodAction’s Query clause MUST specify the method to be called and its parameters
QueryConditionInstanceForFarmer-Pig
<naming properties>
Query = "SELECT OBJECTPATH (F1)                       // Farmer's identity
         FROM Farmer F1, Farmer F2, Pig P1, Pig P2, Raises R1, Raises R2
         WHERE P1.IsSquealing = TRUE And P2.IsSquealing = TRUE   // 2 pigs are squealing
           And OBJECTPATH (P1) <> OBJECTPATH (P2)     // Different pigs
           And R1.Animal = OBJECTPATH (P1)            // Assoc refs pigs P1 & P2
           And R2.Animal = OBJECTPATH (P2)
           And R1.Farmer = OBJECTPATH (F1)            // Assoc refs a farmer
           And R2.Farmer = OBJECTPATH (F2)
           And OBJECTPATH (F1) = OBJECTPATH (F2)      // The same farmer"
QueryLanguage = 2 ("CIM Query")
Trigger = TRUE
MethodActionInstanceForFarmer-Pig
<naming properties>
Query = "SELECT OBJECTPATH (F1), 'HandleAnimal' AS InvokedMethod, OBJECTPATH (P1) AS Animal, '2' AS HandleAction   // HandleAction, 2, is Feed
         FROM QueryConditionResult QCR, Farmer F1, Pig P1, Raises R1
         WHERE QCR.QueryConditionPath = <Ref to QueryConditionInstanceForFarmer-Pig>
           And OBJECTPATH (F1) = OBJECTPATH (QCR)     // The QueryResult attribute is named as in the SELECT clause; finds the referenced farmer
           And R1.Farmer = OBJECTPATH (F1)            // Follow Raises assoc for the farmer
           And R1.Animal = OBJECTPATH (P1)            // Assoc leads to an animal
           And CLASS (P1) ISA \"Pig\"                 // Animal ISA Pig
           And P1.IsSquealing = FALSE                 // Pig is not squealing"
QueryLanguage = 2 ("CIM Query")
Farmer-PigPolicyRuleInstance
<rule properties>
PolicyConditionInPolicyRuleForFarmer-Pig: GroupNumber = 1; ConditionNegated = FALSE
PolicyActionInPolicyRuleForFarmer-Pig: ActionOrder = 0
Policy and Pigs – PONDER Representation
oblig feedNotSquealingPig {
  on CIM_AtLeastTwoSquealingPigs ;                                       // 2 or more squealing pigs
  subject /farmers ;                                                     // i.e., all farmers
  do (t = self.Raises->reject(isSquealing)) -> self.HandleAnimal(t, 2) ; // where 2 = 'feed'
}
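The Farmer-Pig rule from the two preceding slides, as an added example that is not from the presentation: Python with SQLite standing in for a CIM Query engine, so the QueryCondition and MethodAction queries can actually be run. Farmer, Pig and Raises become tables, the two farmer aliases of the slide's condition query collapse to one, and the MethodAction query is parameterised by the condition result (the Ponder `self.Raises->reject(isSquealing)` clause corresponds to the action query's `IsSquealing = 0` filter). The sample instances and the Feed = 2 value are constructed for the example.

```python
import sqlite3

# Constructed sample instances: F1 has two squealing pigs and a quiet one,
# F2 has one squealing pig, F3 has two squealing pigs and no quiet one.
FARMERS = ["F1", "F2", "F3"]
PIGS = [("P1", 1), ("P2", 1), ("P3", 0), ("P4", 1), ("P5", 0), ("P6", 1), ("P7", 1)]
RAISES = [("F1", "P1"), ("F1", "P2"), ("F1", "P3"), ("F2", "P4"), ("F2", "P5"),
          ("F3", "P6"), ("F3", "P7")]
FEED = 2  # HandleAction enum value the slides use for "Feed" (assumed)


def build_store():
    """SQLite tables standing in for CIM Farmer, Pig and Raises instances."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Farmer (ObjectPath TEXT PRIMARY KEY);
        CREATE TABLE Pig (ObjectPath TEXT PRIMARY KEY, IsSquealing INTEGER);
        CREATE TABLE Raises (Farmer TEXT, Animal TEXT);""")
    db.executemany("INSERT INTO Farmer VALUES (?)", [(f,) for f in FARMERS])
    db.executemany("INSERT INTO Pig VALUES (?, ?)", PIGS)
    db.executemany("INSERT INTO Raises VALUES (?, ?)", RAISES)
    return db


# QueryCondition (Trigger = TRUE): farmers raising two distinct squealing pigs.
CONDITION_QUERY = """
SELECT DISTINCT F1.ObjectPath
FROM Farmer F1, Pig P1, Pig P2, Raises R1, Raises R2
WHERE P1.IsSquealing = 1 AND P2.IsSquealing = 1
  AND P1.ObjectPath <> P2.ObjectPath
  AND R1.Animal = P1.ObjectPath AND R2.Animal = P2.ObjectPath
  AND R1.Farmer = F1.ObjectPath AND R2.Farmer = F1.ObjectPath"""

# MethodAction: method, target and parameters, driven by the condition result.
ACTION_QUERY = """
SELECT R1.Farmer, 'HandleAnimal', P1.ObjectPath, ?
FROM Pig P1, Raises R1
WHERE R1.Farmer = ? AND R1.Animal = P1.ObjectPath AND P1.IsSquealing = 0"""


def triggered_farmers(db):
    return sorted(row[0] for row in db.execute(CONDITION_QUERY))


def evaluate_rule(db):
    """Returns the (farmer, method, animal, HandleAction) invocations to make."""
    invocations = []
    for farmer in triggered_farmers(db):
        # The rule says to feed one pig, so one row suffices; a triggered
        # farmer with no quiet pig gets no invocation.
        row = db.execute(ACTION_QUERY, (FEED, farmer)).fetchone()
        if row is not None:
            invocations.append(tuple(row))
    return invocations
```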
Conclusions
• Both Ponder and CIM - Declarative rules with backing semantics
• Ponder – Concise and explicit
• CIM – Language neutral and reusing infrastructure
• Query expression is “not natural”
• Initial rendering/testing successful (SNIA SMI-S)