
© 2003, Cisco Systems, Inc. All rights reserved.

IEEE Policy Conference 2004

CIM and Ponder

Andrea Westerinen, Cisco

[email protected]

June, 2004


Purpose

• Determine if the DMTF approach for writing policy rules is workable

• Compare the CIM representation with a “known” language


DMTF’s Policy Model in CIM

• Instances and groups of PolicyRules

• Rules aggregate PolicyConditions and PolicyActions

• Conditions can be combined in conjunctive or disjunctive sets

• Actions can be sequenced

• Domain-specific subclassing

  For example, IPsec or Authentication/Authorization rules

• New work in support of generic Event-Condition-Action policy rules


CIM Policy Classes

[UML class diagram; recoverable content:]

Class hierarchy

  ManagedElement (Abstract)
    Policy (Abstract)
      CommonName: string
      PolicyKeywords: string[]
      PolicySet (Abstract)
        PolicyDecisionStrategy: uint16 {Enum}
        Enabled: uint16 {Enum} = 1
        PolicyRule
          <naming properties>
          ConditionListType: uint16 {Enum}
          RuleUsage: string
          SequencedActions: uint16 {Enum}
          ExecutionStrategy: uint16 {Enum}
        PolicyGroup
          <naming properties>
      PolicyCondition (Abstract)
        <naming properties>
      PolicyAction (Abstract)
        <naming properties>
        DoActionLogging: boolean

Associations (all ends have multiplicity *)

  PolicyComponent (abstract aggregation)
    PolicySetComponent (PolicySet contains PolicySet): Priority: uint16
    PolicyConditionInPolicyRule (PolicyRule contains PolicyCondition): GroupNumber: uint16, ConditionNegated: boolean
    PolicyActionInPolicyRule (PolicyRule contains PolicyAction): ActionOrder: uint16
  PolicySetAppliesToElement (PolicySet to ManagedElement)


Authentication/Authorization Rules in CIM

[UML fragment; recoverable content:]

PolicySet (CIM_)
  PolicyDecisionStrategy: uint16 {enum: “First Match”, “Match All”}
  SetEnabled: boolean

PolicySetComponent (CIM_), subclass of PolicyComponent
  Priority: uint16
  (PolicyGroups and Rules can be constructed from other Groups and Rules; both association ends are *)

PolicyRule (CIM_)
  ConditionListType: uint16 {enum: “DNF - Groups ORed and Conditions within Groups ANDed”, “CNF - Groups ANDed and Conditions within Groups ORed”}
  SequencedActions: uint16 {enum: “Mandatory”, “Recommended”, “Don’t Care”}
  ExecutionStrategy: uint16 {enum: “Do Until Successful”, “Do All”, “Do Until Failure”}

AuthenticationRule (CIM_), subclass of PolicyRule
  (Implicit action: set the CurrentlyAuthenticated boolean of an Identity associated by PolicySetAppliesToElement)

AuthorizationRule (CIM_) {Experimental}, subclass of PolicyRule
  (Implicit action: permit/deny the Privilege(s) for any Identities associated by AuthorizationRuleAppliesToIdentity. Identities must be distinguished separately since they may also be Targets)
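The enumerations on the last two slides define how a rule decides and how it acts, but the slides do not show them operating together. The following is an added example, not DMTF code and not part of the original deck: a small Python evaluator for exactly those semantics (ConditionListType DNF/CNF over GroupNumber with ConditionNegated, ActionOrder under ExecutionStrategy, and PolicySetComponent.Priority under PolicyDecisionStrategy), driven by two constructed access-control rules. Conditions and actions are plain callables standing in for QueryCondition/MethodAction instances; the integer encodings, the rule names and the sample requests are this example's own, and the assumption that a rule with no conditions applies unconditionally is marked in the code.

```python
"""Added example (not DMTF code): CIM policy-rule semantics as an evaluator.
Conditions/actions are callables standing in for QueryCondition/MethodAction.
The enum encodings below are this example's own, not the CIM ValueMaps."""
from dataclasses import dataclass
from typing import Any, Callable

DNF, CNF = 1, 2                                        # ConditionListType
DO_UNTIL_SUCCESS, DO_ALL, DO_UNTIL_FAILURE = 1, 2, 3   # ExecutionStrategy
FIRST_MATCH, MATCH_ALL = 1, 2                          # PolicyDecisionStrategy


@dataclass
class ConditionInRule:                 # PolicyConditionInPolicyRule
    condition: Callable[[Any], bool]
    group_number: int
    negated: bool = False              # ConditionNegated


@dataclass
class ActionInRule:                    # PolicyActionInPolicyRule
    action: Callable[[Any], bool]      # returns True when the action succeeded
    action_order: int


@dataclass
class PolicyRule:
    name: str
    conditions: list
    actions: list
    condition_list_type: int = DNF
    execution_strategy: int = DO_ALL
    enabled: bool = True

    def matches(self, target) -> bool:
        groups: dict = {}
        for c in self.conditions:
            # ConditionNegated applies to the single condition, not to its group
            groups.setdefault(c.group_number, []).append(c.condition(target) != c.negated)
        if not groups:
            return True   # assumption of this example: no conditions means "always applies"
        if self.condition_list_type == DNF:
            return any(all(g) for g in groups.values())   # groups ORed, members ANDed
        return all(any(g) for g in groups.values())       # CNF: groups ANDed, members ORed

    def execute(self, target) -> list:
        """Run actions in ActionOrder; returns [(order, succeeded), ...] for those run."""
        ran = []
        for a in sorted(self.actions, key=lambda a: a.action_order):
            ok = bool(a.action(target))
            ran.append((a.action_order, ok))
            if (self.execution_strategy == DO_UNTIL_SUCCESS and ok) or \
               (self.execution_strategy == DO_UNTIL_FAILURE and not ok):
                break
        return ran


@dataclass
class PolicyGroup:
    """PolicySet of (Priority, rule) pairs; a larger Priority is tried first."""
    members: list
    decision_strategy: int = FIRST_MATCH

    def evaluate(self, target) -> list:
        fired = []
        for _, rule in sorted(self.members, key=lambda m: m[0], reverse=True):
            if rule.enabled and rule.matches(target):
                fired.append((rule.name, rule.execute(target)))
                if self.decision_strategy == FIRST_MATCH:
                    break
        return fired


def demo() -> dict:
    """Two constructed access rules over constructed requests (sample data only)."""
    log = []
    permit = lambda r: log.append(("permit", r["user"])) or True
    audit = lambda r: log.append(("audit", r["user"])) or True
    alert = lambda r: log.append(("alert", r["user"])) or False   # alert channel is down
    is_admin = lambda r: r["role"] == "admin"
    in_hours = lambda r: 8 <= r["hour"] < 18
    trusted_src = lambda r: r["src"].startswith("10.")
    authenticated = lambda r: r["authenticated"]

    # DNF: (admin AND business hours) OR trusted source; run every action
    admin_rule = PolicyRule("AdminAccess",
                            [ConditionInRule(is_admin, 1), ConditionInRule(in_hours, 1),
                             ConditionInRule(trusted_src, 2)],
                            [ActionInRule(permit, 1), ActionInRule(audit, 2)], DNF, DO_ALL)
    # CNF: authenticated AND NOT admin; stop at the first failing action
    user_rule = PolicyRule("UserAccess",
                           [ConditionInRule(authenticated, 1),
                            ConditionInRule(is_admin, 2, negated=True)],
                           [ActionInRule(alert, 1), ActionInRule(audit, 2)], CNF, DO_UNTIL_FAILURE)
    group = PolicyGroup([(10, admin_rule), (5, user_rule)], FIRST_MATCH)

    requests = {
        "alice": {"user": "alice", "role": "admin", "hour": 3, "src": "10.0.0.5", "authenticated": True},
        "bob":   {"user": "bob", "role": "user", "hour": 12, "src": "203.0.113.7", "authenticated": True},
        "carol": {"user": "carol", "role": "admin", "hour": 3, "src": "203.0.113.9", "authenticated": True},
    }
    return {**{name: group.evaluate(req) for name, req in requests.items()}, "log": log}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Points worth noticing when running it: alice matches AdminAccess through the second DNF group alone (trusted source) even though the first group fails on hours; bob reaches UserAccess only because FIRST_MATCH lets evaluation fall through after the higher-priority rule misses, and DO_UNTIL_FAILURE stops his audit once the alert action reports failure; carol (an admin, off hours, from an untrusted source) matches nothing, and the negated condition is what keeps UserAccess from covering her.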


CIM Event-Condition-Action Classes

Can identify “rule triggering” conditions/events

[UML fragment; recoverable content:]

PolicyCondition (Abstract)
  <naming properties>
  QueryCondition (subclass)
    Query: string
    QueryLanguage: uint16 {enum}
    Trigger: boolean

PolicyAction (Abstract)
  <naming properties>
  DoActionLogging: boolean
  MethodAction (subclass)
    Query: string
    QueryLanguage: uint16 {enum}


PONDER Policies

• Declarative

• Three categories of policy rules

  Authorization, Obligation, Delegation

• Both positive and negative

  Negative obligation rules are coded as “refrain”

• Obligation rule template

    inst oblig <rule name> {
        on      <event identifier> ;
        subject <subject name> = <domain name or expression> ;
        target  <target name> = <domain name or expression> ;
        do      <one or more actions> ;
    }


Policy, Pigs and PONDER Discussion in DMTF Policy WG

If at least two of a farmer’s pigs are squealing, then he/she must feed one of the pigs that is not squealing.

[UML class diagram; recoverable content:]

Farmer
  <some properties>
  HandleAnimal([IN] Animal: ref Animal, [IN] HandleAction: uint16 {enum}): uint32
  WorkCrop([IN] Field: ref Crop, [IN] WorkAction: uint16 {enum}): uint32

Animal
  <some properties>
  Pig: IsSquealing: boolean
  Cow: NeedsMilking: boolean
  Horse: <some properties>

Crop
  <some properties>

Associations: Raises (Farmer * to * Animal), Cultivates (Farmer * to * Crop)


Policy and Pigs – CIM Representation

MethodAction’s Query clause MUST specify the method to be called and its parameters.

QueryConditionInstanceForFarmer-Pig
  <naming properties>
  Query =
    “SELECT OBJECTPATH(F1)                                    // Farmer’s identity
     FROM Farmer F1, Farmer F2, Pig P1, Pig P2, Raises R1, Raises R2
     WHERE P1.IsSquealing = TRUE AND P2.IsSquealing = TRUE    // 2 pigs are squealing
       AND OBJECTPATH(P1) <> OBJECTPATH(P2)                   // Different pigs
       AND R1.Animal = OBJECTPATH(P1)                         // Assoc refs pigs P1 & P2
       AND R2.Animal = OBJECTPATH(P2)
       AND R1.Farmer = OBJECTPATH(F1)                         // Assoc refs a farmer
       AND R2.Farmer = OBJECTPATH(F2)
       AND OBJECTPATH(F1) = OBJECTPATH(F2)”                   // The same farmer
  QueryLanguage = 2 (“CIM Query”)
  Trigger = TRUE

MethodActionInstanceForFarmer-Pig
  <naming properties>
  Query =
    “SELECT OBJECTPATH(F1), ‘HandleAnimal’ AS InvokedMethod,
            OBJECTPATH(P1) AS Animal, ‘2’ AS HandleAction     // HandleAction 2 is Feed
     FROM QueryConditionResult QCR, Farmer F1, Pig P1, Raises R1
     WHERE QCR.QueryConditionPath = <Ref to QueryConditionInstanceForFarmer-Pig>
       AND OBJECTPATH(F1) = OBJECTPATH(QCR)                   // The QueryResult attribute is named as in the SELECT clause; finds the referenced farmer
       AND R1.Farmer = OBJECTPATH(F1)                         // Follow Raises assoc for the farmer
       AND R1.Animal = OBJECTPATH(P1)                         // Assoc leads to an animal
       AND CLASS(P1) ISA “Pig”                                // Animal ISA Pig
       AND P1.IsSquealing = FALSE”                            // Pig is not squealing
  QueryLanguage = 2 (“CIM Query”)

Farmer-PigPolicyRuleInstance
  <rule properties>
  PolicyConditionInPolicyRuleForFarmer-Pig: GroupNumber = 1, ConditionNegated = FALSE
  PolicyActionInPolicyRuleForFarmer-Pig: ActionOrder = 0


Policy and Pigs – PONDER Representation

oblig feedNotSquealingPig {
    on      CIM_AtLeastTwoSquealingPigs ;                                  // 2 or more squealing pigs
    subject /farmers ;                                                     // i.e., all farmers
    do      (t = self.Raises->reject(isSquealing)) -> self.HandleAnimal(t, 2) ;   // where 2 = ‘feed’
}
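The CIM and Ponder renderings above express the same rule, but neither slide shows it running. The following is an added example, not part of the deck and not CIM or Ponder tooling: the two CIM Query strings are rendered as SQL over a small relational mapping of the Farmer/Pig/Raises model (OBJECTPATH(x) becomes an x.path column, and the QueryConditionResult join is replaced by binding the condition's result row as a parameter), and the Ponder action expression `self.Raises->reject(isSquealing)` is rendered as a plain filter, so the two can be compared on one constructed farm. The farmer names, pig identifiers and the Raises rows are constructed sample data.

```python
"""Added example (not from the slides, DMTF or Ponder): the Policy-and-Pigs
rule run end to end over a constructed farm in SQLite.  OBJECTPATH(x) is
mapped to a text `path` column; everything else follows the slide's queries."""
import sqlite3

SCHEMA = """
CREATE TABLE Farmer (path TEXT PRIMARY KEY);
CREATE TABLE Pig    (path TEXT PRIMARY KEY, IsSquealing INTEGER NOT NULL);
CREATE TABLE Raises (Farmer TEXT NOT NULL REFERENCES Farmer(path),
                     Animal TEXT NOT NULL REFERENCES Pig(path));
"""

# QueryCondition (Trigger = TRUE): a farmer with two distinct squealing pigs.
# DISTINCT is added because the slide's join yields one row per (P1, P2) ordering.
CONDITION_QUERY = """
SELECT DISTINCT F1.path
FROM Farmer F1, Farmer F2, Pig P1, Pig P2, Raises R1, Raises R2
WHERE P1.IsSquealing = 1 AND P2.IsSquealing = 1
  AND P1.path <> P2.path
  AND R1.Animal = P1.path AND R2.Animal = P2.path
  AND R1.Farmer = F1.path AND R2.Farmer = F2.path
  AND F1.path = F2.path
ORDER BY F1.path
"""

# MethodAction: the slide joins QueryConditionResult to recover the matched
# farmer; here that row arrives as the bound parameter.  "CLASS(P1) ISA Pig"
# is implied by selecting from the Pig table.
ACTION_QUERY = """
SELECT F1.path, 'HandleAnimal' AS InvokedMethod, P1.path AS Animal, 2 AS HandleAction
FROM Farmer F1, Pig P1, Raises R1
WHERE F1.path = ?
  AND R1.Farmer = F1.path AND R1.Animal = P1.path
  AND P1.IsSquealing = 0
ORDER BY P1.path
"""

# Constructed farm.  cyd has two squealing pigs and nothing quiet to feed: the
# condition fires but the action finds no target, a case the rule text
# ("must feed one of the pigs that is not squealing") leaves undefined.
FARMERS = ["Farmer.Name=ann", "Farmer.Name=bob", "Farmer.Name=cyd"]
PIGS = [("Pig.Id=p1", 1), ("Pig.Id=p2", 1), ("Pig.Id=p3", 0), ("Pig.Id=p4", 0),
        ("Pig.Id=p5", 1), ("Pig.Id=p6", 0),
        ("Pig.Id=p7", 1), ("Pig.Id=p8", 1)]
RAISES = ([("Farmer.Name=ann", f"Pig.Id=p{i}") for i in (1, 2, 3, 4)]
          + [("Farmer.Name=bob", f"Pig.Id=p{i}") for i in (5, 6)]
          + [("Farmer.Name=cyd", f"Pig.Id=p{i}") for i in (7, 8)])


def build_farm(farmers=FARMERS, pigs=PIGS, raises=RAISES):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Farmer VALUES (?)", [(f,) for f in farmers])
    conn.executemany("INSERT INTO Pig VALUES (?, ?)", pigs)
    conn.executemany("INSERT INTO Raises VALUES (?, ?)", raises)
    return conn


def evaluate_cim_rule(conn):
    """Farmer-PigPolicyRule: {farmer path: [HandleAnimal(Animal, 2=Feed) invocations]}.
    A farmer appears as a key whenever the condition fires, even with no target."""
    result = {}
    for (farmer,) in conn.execute(CONDITION_QUERY):
        rows = conn.execute(ACTION_QUERY, (farmer,)).fetchall()
        result[farmer] = [{"InvokedMethod": m, "Animal": a, "HandleAction": h}
                          for _, m, a, h in rows]
    return result


def ponder_targets(farmer, pigs=PIGS, raises=RAISES):
    """`self.Raises->reject(isSquealing)` for subject `farmer`, as a plain filter."""
    squealing = dict(pigs)
    return sorted(animal for f, animal in raises if f == farmer and not squealing[animal])


if __name__ == "__main__":
    for farmer, calls in evaluate_cim_rule(build_farm()).items():
        targets = [c["Animal"] for c in calls] or "condition fired, no pig to feed"
        print(farmer, "->", targets, "| Ponder reject():", ponder_targets(farmer))
```

Two caveats surface when this runs. The slide's action query returns every non-squealing pig for the farmer, while the rule text says "one of the pigs", so the rule engine, not the query, has to choose (the example leaves all candidates in the result). And for cyd the condition holds but the action set is empty; a real deployment needs DoActionLogging or an ExecutionStrategy decision for the "obligation cannot be discharged" case, which neither representation on the slides spells out.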


Conclusions

• Both Ponder and CIM - Declarative rules with backing semantics

• Ponder – Concise and explicit

• CIM – Language neutral and reusing infrastructure

• Query expression is “not natural”

• Initial rendering/testing successful (SNIA SMI-S)


Questions?