POWER Prototype : Towards Integrated Policy-based Management
POSTECH DP & NM Lab.
1999. 9. 7
Mi-Joung Choi

Contents
• Introduction
• Issues and Design objectives
• Prerequisite concepts
• Architecture
  – PTL, ISM, PWE, GUI, Deployable policies database, Device mapper, Expert policy writer, Policy deployer
• Implementation
• Summary & Future work
• References

Introduction
• A policy-based management system is useful
• Only discussed in the literature, but not realized
• POlicy Wizard Engine for Refinement
  – an integrated policy authoring environment developed as a realization of the policy concepts
  – POWER prototype: demonstrates a way towards making policy-based management systems a reality in practice
  – Finds a solution for the problem of transforming an abstract policy into an implementable configuration

Issues and Design objectives
• Issues
  – Have deep understanding of both the business level policy and domain specific knowledge such as security or network QoS
  – Construct a policy by using accurate syntax in addition to having precise semantics
• Design objectives
  – The business-driven policy maker should be shielded from the need to have deep domain-specific technical knowledge
  – Using the same system, a business level (abstract) policy can be expressed as easily as the device level (configuration) policy

Prerequisite Concepts
• Policy: the constraints and preferences on the state of a system
• Refinement consists of two aspects
  – refinement of policy context by making constraints more specific
  – refinement of objects used in the policy
• Identifying the user category: Expert & Consultant
  – Expert: the person with deep domain specific knowledge
  – Consultant: the person with deep knowledge of business
• ISM (Information and System Model)
  – All policy related information is modeled and stored
  – Models objects and their relationships: hierarchical inheritance or associations

Architecture
[Figure: architecture diagram. Components: Policy Wizard Engine, Policy Deployer, Device Mapper, Graphical User Interface, Expert Policy Writer, Deployable Policy, Information & System Model, Policy Template Library, Managed System]

Policy Template Library (PTL)
• Stores a generic policy description that provides information about its refinement to the Policy Wizard Engine
• A collection of policy templates created by the expert
• Components
  – Policy Statement: the description of the policy
  – Policy Context: the description of contextual constraints within which the policy will operate
  – Informational components: provide extra information to the policy user
  – Procedural components: embedded process instructions used to drive the “refinement flow”
(Ex) People can carry out some operation on specific information.
     Engineers can add an entry in a database that belongs to the department.

Information and System Model
• Implemented using Common Information Model (CIM)
• Implemented as a set of Prolog statements
[Figure: example of object hierarchy and object associations. Node labels: Object, User, retiree, employee, Organization, department, project, Information, file, Web-page. Association: “user belongs to department”]

Policy Wizard Engine (PWE)
• The heart of the Policy Authoring Environment
• Combination of:
  – A Prolog inference engine
  – An interpreter that manipulates a policy template according to the embedded information and provides support to the GUI
  – A module that interacts with the ISM using a defined API
  – A module that deals with “deployable policies”

PWE - cont’d
• Refinement process of PWE
  – Load policy template from the library
  – Select a relevant template through the use of a GUI
  – Interpret the embedded information in the template
  – Guide the consultant through the refinement process
    – In an abstract policy, objects can be made more specific through the selection of a subclass
    – Legitimate additional constraints can be included as contextual information
  – Save the policy either for further refinement or for it to be used in deployment

Deployable Policies Database
• A policy is deployable only when, through the use of the ISM, a set of real world system objects can be found and for which configuration is specified
• The system stores those policies in order to perform two activities:
  – to be uploaded by the “Policy Deployer” and be deployed
  – to be available to the consultant or other system modules for further manipulations
• Have hooks to the real world by referring to entities described in the “Information System Model”

Device Mapper
• Transforms the information stored in the refined policy into configuration details
• Uses the information contained in the ISM to convert a policy description, in the form of a policy statement and context containing variables, into a series of system specific function calls
(Ex) Access control configuration: represents the relationships between users, operations and resource objects that are to be secured
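
The refinement, deployability check and device mapping described on the slides above, as an added example that is not part of the original presentation or the POWER prototype. It is a Python model rather than the prototype's Prolog; the class hierarchy, instance names, policy dictionary layout and ACL tuple format are all constructed assumptions.

```python
# Added illustration; every class, instance and the ACL tuple format is constructed.

# Toy ISM: class hierarchy (child -> parent), instances, "belongs to" associations.
PARENT = {"user": "object", "employee": "user", "retiree": "user",
          "engineer": "employee", "information": "object",
          "file": "information", "database": "information",
          "department": "object"}
INSTANCE_OF = {"alice": "engineer", "bob": "retiree", "carol": "employee",
               "hr_db": "database", "rd_db": "database", "rd": "department"}
BELONGS_TO = {("alice", "rd"), ("carol", "rd"), ("rd_db", "rd")}

def is_a(cls, ancestor):
    """True if cls equals ancestor or inherits from it in the ISM hierarchy."""
    while cls is not None:
        if cls == ancestor:
            return True
        cls = PARENT.get(cls)
    return False

def refine(policy, slot, subclass):
    """Refine one object slot; only a strict subclass of the current class is accepted."""
    if subclass == policy[slot] or not is_a(subclass, policy[slot]):
        raise ValueError(f"{subclass!r} does not refine {policy[slot]!r}")
    return {**policy, slot: subclass}

def members(cls, context):
    """Real-world ISM objects of a class that belong to every department in context."""
    return sorted(o for o, c in INSTANCE_OF.items() if is_a(c, cls)
                  and all((o, d) in BELONGS_TO for d in context))

def device_map(policy):
    """Expand a policy into (user, operation, resource) entries; empty = not deployable."""
    return [(u, policy["operation"], r)
            for u in members(policy["subject"], policy["context"])
            for r in members(policy["resource"], policy["context"])]

# Template: "People can carry out some operation on specific information."
TEMPLATE = {"subject": "user", "operation": "access",
            "resource": "information", "context": ()}

def engineers_policy():
    """Refined: engineers can add an entry in a database that belongs to the department."""
    p = refine(TEMPLATE, "subject", "engineer")
    p = refine(p, "resource", "database")
    return {**p, "operation": "add_entry", "context": ("rd",)}

if __name__ == "__main__":
    print(device_map(engineers_policy()))
```

Mapping the unrefined template expands to every user paired with every information object, while the refined policy yields a single entry; a policy whose objects cannot be found in the ISM maps to an empty list and is treated as not deployable.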

Other Components
• GUI: hides the low-level policy details and presents an easy and simplified way for a consultant to access system functionality
• Expert Policy Writer: the experts need a good authoring environment in order to create policy templates
• Policy Deployer: policy distributor

Implementation: Prototype
• Created by hand
  – a set of policy templates which are accessible by the PWE
  – an information base to represent the data in the ISM, containing hierarchies of classes of objects and associations of objects
• Provides the following functions to the consultant via the GUI:
  – Select policy template set using either keyword combinations or policy categories
  – Refine through object subclass selection suggested by the PWE
  – Refine the context suggested by the PWE
  – Construct another policy from template or ask the system to “deploy”
  – Output in the form of a configuration file (Deployable Policies)

Summary & future work
• Integrate policy refinement with policy-based configuration generation
• Objectives
  – “multi-use view” using the separation of responsibility for “expert” and “consultant” and enabling easy policy authoring
  – the exploitation of prevailing modeling paradigm to enable policy refinement
• Implement the missing components in the architecture
• Additional functionality in the PTL & PWE
• Additional modules to the architecture
  – consistency and conflict analysis
  – meta-policies management

Current PBMS
[Figure: current PBMS diagram. Labels: Policies, Policy Server, LDAP Policy Directory, Policy Management Tools, Graphical User Interface]

References
• M. Casassa Mont, A. Baldwin, G. Goh, “POWER Prototype: Towards Integrated Policy-Based Management,” NOMS 2000 Review, 1999.
• M. Sloman, “Policy Driven Management for Distributed Systems,” Journal of Network and Systems Management, Plenum Press, Vol. 2, No. 4, 1994, pp. 333-60.