POWER Prototype : Towards Integrated Policy-based Management

Transcript of POWER Prototype : Towards Integrated Policy-based Management

Page 1: POWER Prototype : Towards Integrated Policy-based Management

POSTECH DP & NM Lab.
1999. 9. 7

POWER Prototype : Towards Integrated Policy-based Management

Mi-Joung Choi [email protected]
DP&NM

Page 2: POWER Prototype : Towards Integrated Policy-based Management

Contents
• Introduction
• Issues and Design objectives
• Prerequisite concepts
• Architecture
  – PTL, ISM, PWE, GUI, Deployable policies database, Device mapper, Expert policy writer, Policy deployer
• Implementation
• Summary & Future work
• References

Page 3: POWER Prototype : Towards Integrated Policy-based Management

Introduction
• A policy-based management system is useful
• Only discussed in the literature, but not realized
• POWER : POlicy Wizard Engine for Refinement
  – an integrated policy authoring environment developed as a realization of the policy concepts
  – POWER prototype : demonstrates a way towards making policy-based management systems a reality in practice
  – Finds a solution for the problem of transforming an abstract policy into an implementable configuration

Page 4: POWER Prototype : Towards Integrated Policy-based Management

Issues and Design objectives
• Issues
  – Have deep understanding of both the business-level policy and domain-specific knowledge such as security or network QoS
  – Construct a policy by using accurate syntax in addition to having precise semantics
• Design objectives
  – The business-driven policy maker should be shielded from the need to have deep domain-specific technical knowledge
  – Using the same system, a business-level (abstract) policy can be expressed as easily as the device-level (configuration) policy

Page 5: POWER Prototype : Towards Integrated Policy-based Management

Prerequisite Concepts
• Policy : the constraints and preferences on the state of a system
• Refinement consists of two aspects
  – refinement of policy context by making constraints more specific
  – refinement of objects used in the policy
• Identifying the user category : Expert & Consultant
  – Expert : the person with deep domain-specific knowledge
  – Consultant : the person with deep knowledge of business
• ISM (Information and System Model)
  – All policy-related information is modeled and stored
  – Models objects and their relationships : hierarchical inheritance or associations

Page 6: POWER Prototype : Towards Integrated Policy-based Management

Architecture

[Figure: architecture diagram. Component labels: Policy Wizard Engine, Policy Deployer, Device Mapper, Graphical User Interface, Expert Policy Writer, Deployable Policy, Information & System Model, Policy Template Library, Managed System]

Page 7: POWER Prototype : Towards Integrated Policy-based Management

Policy Template Library (PTL)
• Stores generic policy descriptions that provide information about their refinement to the Policy Wizard Engine
• A collection of policy templates created by the expert
• Components
  – Policy Statement : the description of the policy
  – Policy Context : the description of contextual constraints within which the policy will operate
  – Informational components : provide extra information to the policy user
  – Procedural components : embedded process instructions used to drive the “refinement flow”

(Ex) People can carry out some operation on specific information.
Engineers can add an entry in a database that belongs to the department.

Page 8: POWER Prototype : Towards Integrated Policy-based Management

Information and System Model
• Implemented using Common Information Model (CIM)
• Implemented as a set of Prolog statements

[Figure: example of object hierarchy and object associations. Node labels: Object, User, Organization, Information, retiree, employee, file, department, Web-page, project. Association shown: “user belongs to department”]

Page 9: POWER Prototype : Towards Integrated Policy-based Management

Policy Wizard Engine (PWE)
• The heart of the Policy Authoring Environment
• Combination of :
  – A Prolog inference engine
  – An interpreter that manipulates a policy template according to the embedded information and provides support to the GUI
  – A module that interacts with the ISM using a defined API
  – A module that deals with “deployable policies”

Page 10: POWER Prototype : Towards Integrated Policy-based Management

PWE - cont’d
• Refinement process of PWE
  – Load policy templates from the library
  – Select a relevant template through the use of a GUI
  – Interpret the embedded information in the template
  – Guide the consultant through the refinement process
    • In an abstract policy, objects can be made more specific through the selection of their subclasses
    • Legitimate additional constraints can be included as contextual information
  – Save the policy either for further refinement or for use in deployment

Page 11: POWER Prototype : Towards Integrated Policy-based Management

Deployable Policies Database
• A policy is deployable only when, through the use of the ISM, a set of real-world system objects can be found for which configuration is specified
• The system stores those policies in order to perform two activities:
  – to be uploaded by the “Policy Deployer” and be deployed
  – to be available to the consultant or other system modules for further manipulation
• Deployable policies have hooks to the real world by referring to entities described in the “Information System Model”

Page 12: POWER Prototype : Towards Integrated Policy-based Management

Device Mapper
• Transforms the information stored in the refined policy into configuration details
• Uses the information contained in the ISM to convert a policy description, in the form of a policy statement and context containing variables, into a series of system-specific function calls

(Ex) Access control configuration : represents the relationships between users, operations and resource objects that are to be secured
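
The refinement steps from the PWE slides and the mapping step from the Device Mapper slide, as an added Python example that is not code from the POWER prototype (which the slides say was built on Prolog). The class hierarchy, instance names, the `same_department` context and the tuple format of the access-control entries are assumptions constructed for illustration.

```python
# Constructed ISM sample data (hypothetical names): class hierarchy as
# child -> parent, real-world instances per class, and "belongs to" links.
PARENT = {"user": "object", "information": "object", "employee": "user",
          "retiree": "user", "engineer": "employee",
          "database": "information", "file": "information"}
INSTANCES = {"engineer": ["alice", "bob"], "retiree": ["carol"],
             "database": ["eng_db", "hr_db"], "file": ["notes.txt"]}
BELONGS_TO = {"alice": "eng", "bob": "ops", "eng_db": "eng", "hr_db": "hr"}

def is_a(cls, ancestor):
    """True if cls is ancestor or inherits from it in the hierarchy."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = PARENT.get(cls)
    return False

def refine(policy, slot, new_cls):
    """Narrow one object slot; anything that is not a subclass is rejected."""
    if not is_a(new_cls, policy[slot]):
        raise ValueError(f"{new_cls} does not refine {policy[slot]}")
    return {**policy, slot: new_cls}

def members(cls):
    """Real-world objects whose class is cls or one of its subclasses."""
    return sorted(o for c, objs in INSTANCES.items() if is_a(c, cls) for o in objs)

def device_map(policy):
    """Expand a policy into (user, operation, resource) access-control entries.
    With context 'same_department', a pair is kept only if both objects
    belong to the same known department (unknown membership fails closed)."""
    entries = []
    for user in members(policy["subject"]):
        for res in members(policy["resource"]):
            dept = BELONGS_TO.get(user)
            if policy.get("context") == "same_department" and (
                    dept is None or dept != BELONGS_TO.get(res)):
                continue
            entries.append((user, policy["operation"], res))
    return entries

# Template from the PTL slide: "People can carry out some operation on
# specific information."
TEMPLATE = {"subject": "user", "operation": "some_operation", "resource": "information"}

def refined_policy():
    """'Engineers can add an entry in a database that belongs to the department.'"""
    p = refine(refine(TEMPLATE, "subject", "engineer"), "resource", "database")
    return {**p, "operation": "add_entry", "context": "same_department"}
```

Mapping the unrefined template grants every user every information object, while the refined policy yields a single entry; `refine` refuses any step that would widen a slot back to a superclass.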

Page 13: POWER Prototype : Towards Integrated Policy-based Management

Other Components
• GUI : Hides the low-level policy details and presents an easy, simplified way for a consultant to access system functionality
• Expert Policy Writer : Experts need a good authoring environment in order to create policy templates
• Policy deployer : Policy Distributor

Page 14: POWER Prototype : Towards Integrated Policy-based Management

Implementation : Prototype
• Created by hand
  – a set of policy templates which are accessible by the PWE
  – an information base to represent the data in the ISM, containing hierarchies of classes of objects and associations of objects
• Provides the following functions to the consultant via the GUI :
  – Select policy template set using either keyword combinations or policy categories
  – Refine through object subclass selection suggested by the PWE
  – Refine the context suggested by the PWE
  – Construct another policy from a template or ask the system to “deploy”
  – Output in the form of a configuration file (Deployable Policies)

Page 15: POWER Prototype : Towards Integrated Policy-based Management

Summary & future work
• Integrate policy refinement with policy-based configuration generation
• Objectives
  – “multi-use view” using the separation of responsibility for “expert” and “consultant” and enabling easy policy authoring
  – the exploitation of prevailing modeling paradigm to enable policy refinement
• Implement the missing components in the architecture
• Additional functionality in the PTL & PWE
• Additional modules to the architecture
  – consistency and conflict analysis
  – meta-policies management

Page 16: POWER Prototype : Towards Integrated Policy-based Management

Current PBMS

[Figure: current PBMS diagram. Labels: Policy (four boxes), Policies, Policy Server (two boxes), LDAP Policy Directory, Policy Management Tools, Graphical User Interface]

Page 17: POWER Prototype : Towards Integrated Policy-based Management

References
• M. Casassa Mont, A. Baldwin, G. Goh, “POWER Prototype : Towards Integrated Policy-Based Management,” NOMS 2000 Review, 1999.
• M. Sloman, “Policy Driven Management for Distributed Systems,” Journal of Network and Systems Management, Plenum Press, Vol. 2, No. 4, 1994, pp. 333-60.