1 Strassner-Policy Theory and Practice – IM2001 Purpose of the PCIM Provide a set of classes and...
Strassner-Policy Theory and Practice – IM2001
Slide 1: Purpose of the PCIM
• Provide a set of classes and relationships that provide an extensible means for defining policy control of managed objects
» Represents the structure, not the contents, of a policy
» Content provided by subclassing classes to derive technology- and vendor-specific conditions, actions, and other elements
Slide 2: PCIM Overview (1)
• Policy-based management assumes that the network is modeled as a state machine
• Classes and relationships are used to model:
» the state of an entity
» settings to be applied to an entity that either maintain an entity’s state or move the entity to a new state
» policies that control the application of settings
Slide 3: PCIM Overview (2)
• Thus, policy is applied using a set of rules
» Each rule has a set of conditions that specify when the policy should be applied
– Conditions can be specified in CNF or DNF
» Each rule has a set of actions that are executed if the conditions are TRUE
– Execution order can be specified
» Rules may be prioritized and grouped together to model an administrative hierarchy
Slide 4: Policy Core Model: Groups & Rules
[Class diagram; the recoverable content is listed below]
Classes and properties shown:
» Policy (ABSTRACT): CommonName: string; PolicyKeywords: string[]
» PolicyRule: CreationClassName: string [key]; PolicyRuleName: string [key]; Enabled: uint16; ConditionListType: uint16; RuleUsage: string; Priority: uint16; Mandatory: boolean; SequencedActions: uint16; PolicyRoles: string[]
» PolicyGroup: CreationClassName: string [key]; PolicyGroupName: string [key]
» Also shown: ManagedElement, System, AdminDomain, PolicyRepository
Associations and aggregations shown: PolicyConditionInPolicyRule, PolicyRuleInPolicyGroup, PolicyGroupInPolicyGroup, PolicyRuleInSystem, PolicyGroupInSystem, PolicyInSystem, PolicyConditionInPolicyRepository, PolicyActionInPolicyRepository, PolicyRepositoryInPolicyRepository, PolicyComponent, SystemComponent, Dependency
Slide 5: Policy Class
• Policy Class (Abstract)
» Root of the policy tree
» Carries common attributes to all policy classes
– Caption, Description from CIM ME
– OrderedCIMKeys to represent CIM hierarchy
– cn from X.520
– PolicyKeywords
» PolicyElementAuxClass is an aux class to represent this class and enables any object in the DIT to be identified as a policy class
Slide 6: PolicyRule
• A PolicyRule consists of a set of conditions and a set of actions
» Boolean logic assumed
» If condition clause is TRUE, then action clause may execute
» Rule-specific and reusable policy rules are supported by using the PolicyConditionInPolicyRule and PolicyActionInPolicyRule aggregations
» Multiple time periods may be used to define a schedule for which this PolicyRule is active by using the PolicyRuleValidityPeriod aggregation
» Rules may be prioritized
Slide 7: Types of PolicyRules
• Rule-specific PolicyRules are those whose components are embedded in the PolicyRule itself.
» The terms making up the PolicyRule can NOT be reused by other PolicyRules
• Reusable PolicyRules share one or more components with other PolicyRules
» PolicyRule components are stored in a common Policy Repository and referenced by the PolicyRules using them
• Each has implementation implications
Slide 8: PolicyGroup
• PolicyRules may be aggregated into PolicyGroups, which may be nested
» Enables hierarchical representation of policy (per-user, per-domain, etc.)
• Special semantics defined in QoS information model to represent different administrative scopes and groupings of rules
Slide 9: PolicyRepository
• Represents an administratively-defined container for holding REUSABLE policy conditions and actions
» May be extended to hold other types of reusable policy “building blocks”
» May be nested to provide more granular domain control
Slide 10: PCIM: Conditions & Actions
[Class diagram; the recoverable content is listed below]
Classes and properties shown:
» Policy (ABSTRACT): CommonName: string; PolicyKeywords: string[]
» PolicyRule: CreationClassName: string [key]; PolicyRuleName: string [key]; Enabled: uint16; ConditionListType: uint16; RuleUsage: string; Priority: uint16; Mandatory: boolean; SequencedActions: uint16; PolicyRoles: string[]
» PolicyGroup: CreationClassName: string [key]; PolicyGroupName: string [key]
» PolicyCondition (ABSTRACT): SystemCreationClassName: string [key]; SystemName: string [key]; PolicyRuleCreationClassName: string [key]; PolicyRuleName: string [key]; CreationClassName: string [key]; PolicyConditionName: string [key]
» PolicyTimePeriodCondition (subclass of PolicyCondition): TimePeriod: string; MonthOfYearMask: uint8[] [Octetstring]; DayOfMonthMask: uint8[] [Octetstring]; DayOfWeekMask: uint8[] [Octetstring]; TimeOfDayMask: string; LocalOrUtcTime: uint16
» VendorPolicyCondition (subclass of PolicyCondition): Constraint: Octetstring[]; ConstraintEncoding: string [OID]
» PolicyAction (ABSTRACT): SystemCreationClassName: string [key]; SystemName: string [key]; PolicyRuleCreationClassName: string [key]; PolicyRuleName: string [key]; CreationClassName: string [key]; PolicyActionName: string [key]
» VendorPolicyAction (subclass of PolicyAction): ActionData: Octetstring[]; ActionEncoding: string [OID]
» Also shown: AdminDomain, PolicyRepository
Associations and aggregations shown: PolicyConditionInPolicyRule, PolicyActionInPolicyRule, PolicyRuleValidityPeriod, PolicyRuleInPolicyGroup, PolicyConditionInPolicyRepository, PolicyActionInPolicyRepository, PolicyComponent
Slide 11: Policy Conditions
• Abstract base class for domain-specific conditions that will be defined by domain-specific models (e.g., QoS model, IPSec model)
• Boolean condition expressed in CNF or DNF
» Individual condition terms can be negated
• Only defines keys (7 - System, PolicyRule, and its own CCN, Name, and a user-friendly name)
Slide 12: Expressing Policy Conditions
• PolicyRule.ConditionListType defines how to interpret the condition (e.g., CNF or DNF)
• PolicyConditionInPolicyRule contains two additional properties:
» GroupNumber indicates the group to which the PolicyCondition belongs
» ConditionNegated is a boolean that, if TRUE, indicates that this condition is negated
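As an added illustration (not from the slides), the following Python evaluates a PolicyRule's condition list using the three properties just described: ConditionListType, GroupNumber and ConditionNegated. The symbolic DNF/CNF names, the ConditionInRule type, the treatment of an empty condition list and the sample terms are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List

# ConditionListType of the PolicyRule: DNF = OR of ANDed groups, CNF = AND of ORed groups.
# PCIM encodes the type as a uint16; the symbolic names are this example's own.
DNF = "DNF"
CNF = "CNF"


@dataclass(frozen=True)
class ConditionInRule:
    """One PolicyConditionInPolicyRule link: the evaluated PolicyCondition plus the
    two association properties from the slide, GroupNumber and ConditionNegated."""
    name: str
    value: bool            # truth value of the PolicyCondition itself
    group_number: int      # GroupNumber: which clause this term belongs to
    negated: bool = False  # ConditionNegated: TRUE inverts the individual term

    def term(self) -> bool:
        return (not self.value) if self.negated else self.value


def evaluate_condition_list(list_type: str, conds: List[ConditionInRule]) -> bool:
    """Combine the condition terms of one PolicyRule according to ConditionListType.

    DNF: terms sharing a GroupNumber are ANDed, the groups are ORed.
    CNF: terms sharing a GroupNumber are ORed, the groups are ANDed.
    A rule with no conditions is treated as unconditionally TRUE here; that is an
    assumption of this example, not something the slides state."""
    if not conds:
        return True
    groups: Dict[int, List[bool]] = {}
    for c in conds:
        groups.setdefault(c.group_number, []).append(c.term())
    if list_type == DNF:
        return any(all(terms) for terms in groups.values())
    if list_type == CNF:
        return all(any(terms) for terms in groups.values())
    raise ValueError(f"unknown ConditionListType: {list_type!r}")


# Constructed sample: already-evaluated terms of one rule
#   DNF reading: (srcInFinance AND NOT afterHours) OR isAdmin
#   CNF reading: (srcInFinance OR NOT afterHours) AND isAdmin
SAMPLE_TERMS = [
    ConditionInRule("srcInFinance", True, group_number=1),
    ConditionInRule("afterHours", False, group_number=1, negated=True),
    ConditionInRule("isAdmin", False, group_number=2),
]

if __name__ == "__main__":
    for lt in (DNF, CNF):
        print(lt, evaluate_condition_list(lt, SAMPLE_TERMS))
```

The same three terms fire the rule under DNF but not under CNF, which is why ConditionListType must be read before the GroupNumber values mean anything.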
Slide 13: Reusable PolicyConditions
• Stored in a PolicyRepository and referenced using the association PolicyConditionInPolicyRepository
» Rule-specific PolicyConditions do NOT use this association; thus:
– Cardinality is 0 for rule-specific, 1 for reusable
» QPIM extends this so that different conditions can be stored in different portions of the repository
– Different portions implies different scopes and application
Slide 14: PolicyTimePeriodCondition
• Subclass of PolicyCondition to represent time when PolicyRule is active
» If not specified, then rule is always active
» PolicyRuleValidityPeriod is an aggregation that defines the set of time periods for a given PolicyRule
• Instances may have up to 5 properties that together specify the time period
» Property values are ANDed to determine the validity period; properties not present are treated as having their value always enabled
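Added example, not part of the deck: a simplified PolicyTimePeriodCondition whose absent properties are always enabled and whose present ones are ANDed, including a time-of-day window that crosses midnight. The set-based masks, the (start, end) form of TimeOfDayMask, the OR across several validity periods and the MAINTENANCE sample are assumptions of this example.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class TimePeriodCondition:
    """Simplified PolicyTimePeriodCondition. Every property is optional; an absent
    one (None) is always enabled, as the slide says. Masks are modelled as sets of
    integers and TimeOfDayMask as a (start, end) pair: an assumption of this
    example, since PCIM encodes the masks as octet strings."""
    time_period: Optional[Tuple[datetime, datetime]] = None  # inclusive start, end
    month_of_year_mask: Optional[Set[int]] = None            # 1..12
    day_of_month_mask: Optional[Set[int]] = None             # 1..31
    day_of_week_mask: Optional[Set[int]] = None              # 0 = Monday .. 6 = Sunday
    time_of_day_mask: Optional[Tuple[time, time]] = None     # [start, end), may wrap midnight

    def is_active(self, now: datetime) -> bool:
        """AND of all present properties; with no properties at all, always active."""
        checks = []
        if self.time_period is not None:
            start, end = self.time_period
            checks.append(start <= now <= end)
        if self.month_of_year_mask is not None:
            checks.append(now.month in self.month_of_year_mask)
        if self.day_of_month_mask is not None:
            checks.append(now.day in self.day_of_month_mask)
        if self.day_of_week_mask is not None:
            checks.append(now.weekday() in self.day_of_week_mask)
        if self.time_of_day_mask is not None:
            start, end = self.time_of_day_mask
            t = now.time()
            # A window such as 22:00-06:00 crosses midnight: test the two halves.
            checks.append(start <= t < end if start < end else (t >= start or t < end))
        return all(checks)


def rule_is_active(periods: Sequence[TimePeriodCondition], now: datetime) -> bool:
    """A PolicyRule with no PolicyRuleValidityPeriod is always active (slide).
    With several periods it is taken to be active when any one of them is; that
    OR reading is an assumption of this example."""
    return True if not periods else any(p.is_active(now) for p in periods)


def active_at(period: TimePeriodCondition, *ymd_hm: int) -> bool:
    """Convenience wrapper: active_at(p, 2001, 12, 8, 23, 30)."""
    return period.is_active(datetime(*ymd_hm))


# Constructed sample: a maintenance window on December weekends, 22:00 to 06:00.
# Because the properties are ANDed independently, Monday 01:00 is outside the
# window even though it is still "Sunday night": the weekday mask says Monday.
MAINTENANCE = TimePeriodCondition(
    month_of_year_mask={12},
    day_of_week_mask={5, 6},
    time_of_day_mask=(time(22, 0), time(6, 0)),
)
```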
Slide 15: Policy Actions
• Abstract base class for domain-specific actions that will be defined by domain-specific models
» Deployed actions are bound to a System; reusable actions exist in a PolicyRepository
» Only defines keys (7 - System, PolicyRule, and its own CCN and Name, and a user-friendly name)
• Stored in a PolicyRepository and referenced using PolicyActionInPolicyRepository association
» Rule-specific PolicyActions do NOT use this association; thus, cardinality is 0 for rule-specific, 1 for reusable
Slide 16: Policy Actions (2)
• PolicyActionInPolicyRule aggregation contains the set of action clauses for a given PolicyRule
» ActionOrder property indicates relative position of an action in the sequence of actions associated with a PolicyRule
– If n is a positive integer, it defines the order, with smaller integers being ordered first
– 0 is a special value that indicates “don’t care”
– Two or more properties with the same value can be executed in any order, as long as they are executed in the correct overall order in the sequence
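Added example (not from the slides) of the ActionOrder semantics above: grouping a rule's actions into execution phases and checking an observed execution sequence against them. Placing ActionOrder 0 actions in a final phase and the sample action names are this example's own choices.

```python
from typing import Dict, List, Sequence

# Constructed sample: ActionOrder values from the PolicyActionInPolicyRule aggregation
# of one rule. Two actions share order 1, one is "don't care" (0), one must run last.
SAMPLE_ORDERS: Dict[str, int] = {"markDSCP": 1, "police": 1, "log": 0, "forward": 2}


def execution_phases(action_orders: Dict[str, int]) -> List[List[str]]:
    """Turn ActionOrder values into phases: actions in one phase may run in any
    order, phases run in ascending ActionOrder. Actions with ActionOrder 0 are
    unconstrained; this example places them in a final phase (its own choice)."""
    phases: Dict[int, List[str]] = {}
    dont_care: List[str] = []
    for name, order in action_orders.items():
        if not isinstance(order, int) or order < 0:
            raise ValueError(f"ActionOrder of {name!r} must be a non-negative integer")
        (dont_care if order == 0 else phases.setdefault(order, [])).append(name)
    result = [sorted(names) for _, names in sorted(phases.items())]
    if dont_care:
        result.append(sorted(dont_care))
    return result


def respects_action_order(action_orders: Dict[str, int], sequence: Sequence[str]) -> bool:
    """Check a concrete execution sequence (e.g. reconstructed from an enforcement
    point's audit trail) against the rule's ActionOrder values: every action exactly
    once, ordered actions never run after one with a larger ActionOrder, and
    ActionOrder 0 may appear anywhere."""
    if sorted(sequence) != sorted(action_orders):
        return False
    highest_so_far = 0
    for name in sequence:
        order = action_orders[name]
        if order == 0:
            continue
        if order < highest_so_far:
            return False
        highest_so_far = order
    return True
```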
Slide 17: Rule-Specific Policy Structure
• PolicyRule is a container that holds PolicyConditions and PolicyActions
» QPIM extends this so that a condition is treated as a container
• To do this attachment
» PolicyRule is a structural class
» PolicyCondition and PolicyAction are both auxiliary classes
Slide 18: Rule-Specific Example
[Figure: Rule 1 (structural) holds, by DIT containment, Condition 1 (structural) and Action 1 (structural). Each of these structural entries represents the association between Rule 1 and the condition or action; Condition 1 and Action 1 are attached to them as aux classes and represent the condition and the action themselves. DN pointers are also shown.]
Slide 19: Reusable Components
• Policy components can be specific to a rule or reusable among many rules
» Rule-specific information is attached to the rule itself
» Reusable information is stored in a container that is referenced by the rule
• The only difference between a reusable and a rule-specific component is in the intent of the administrator
» No difference in functionality
Slide 20: Reusable Components (2)
• PCIM defines a policy repository to store reusable information. This causes some subtle differences, including:
» access control can be specified for rule-specific conditions and actions, but not for reusable ones
» referential integrity should be enforced for rule-specific elements; harder to do in the reusable case
» mapping to a data model is more difficult
Slide 21: Reusable Rule Example
[Figure: Rule 1 (structural) holds, by DIT containment, Condition 1 (structural) and Action 1 (structural), which represent the associations between Rule 1 and the condition and the action. Each carries a DN pointer to a ConditionInstance (structural) or ActionInstance (structural) held, by DIT containment, in the PolicyRepository (structural). Condition 1 Aux and Action 1 Aux are attached to those instances and represent the condition and the action themselves.]
Slide 22: PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys
Slide 23: PolicySubtreesPtrAuxClass
• This aux class provides a single multi-valued attribute to point to the root of a set of subtrees that contain policy information
» Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
– Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
– Can be used to tie different subtrees together
Slide 24: PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
» Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
» This works through searching on oc=policy
» Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search
Slide 25: Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
» Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
» Enables the administrator to bind PolicyGroups/PolicyRules to a container
Slide 26: PCIM Extensions
• New draft to simplify and encourage use of PCIM
» PolicyRepository broadened & renamed
» Rules may contain groups & other rules (context)
» Priorities & decision strategies clarified
» Refinements in the use of PolicyRoles
» Compound conditions & actions (reusable)
» Transactional semantics for action execution
» Variables & values, for conditions & actions
» Packet filtering in policy conditions based on variables/values
Slide 27: Building PolicyConditions
• The PolicyConditionInPolicyRule association has properties that require special mapping
» PolicyRuleConditionAssociation represents the properties and is attached via DIT containment
» The conditions themselves are represented by the PolicyConditionAuxClass (and its subclasses) which are either
– attached directly to instances of the PolicyRuleConditionAssociation for rule-specific classes, or
– indirectly, using a DN pointer to refer to an instance of a PolicyConditionInstance class
Slide 28: PolicyRuleConditionAssociation (1)
• Contains properties characterizing the relationship between a rule and a condition
» PolicyConditionGroupNumber - used to group conditions according to CNF or DNF
» PolicyConditionNegated - flag defining if a condition is negated or not
» PolicyConditionDN - pointer to a reusable PolicyCondition (should be NULL if rule-specific)
Slide 29: PolicyRuleConditionAssociation (2)
• Semantics defined using DIT structure and content rules
» PolicyConditionAuxClass subclasses are attached using DIT content rules
» Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyConditionName
Slide 30: PolicyConditionAuxClass
• Used to bind conditions to rules
» Rule-specific conditions defined by attaching this aux class to either an instance of the PolicyRuleConditionAssociation or the PolicyRule classes
» Reusable conditions defined by attaching this aux class to an instance of the PolicyConditionInstance class
» Note: this class is derived from Top because it attaches to classes already derived from Policy
– otherwise we have property conflict!
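Added example, not from the deck, covering slides 27 to 30 and the referential-integrity caveat of slide 20: an in-memory stand-in for the DIT in which a PolicyRule's PolicyRuleConditionAssociation children are resolved either in place (rule-specific, aux class attached to the association) or by following PolicyConditionDN to a PolicyConditionInstance in the PolicyRepository, plus a sweep for dangling pointers. The entry layout, the DNs and the use of the slides' class names as objectClass values are assumptions of this example.

```python
from typing import Dict, List, Optional

# Constructed in-memory stand-in for a directory: DN -> entry (attribute -> values).
# Class and attribute names are the ones the slides use, not a final LDAP schema.
Entry = Dict[str, List[str]]
BASE = "ou=policy,o=example"
REPO = f"cn=repo,{BASE}"

SAMPLE_DIT: Dict[str, Entry] = {
    REPO: {"objectClass": ["PolicyRepository"]},
    # reusable condition kept in the repository, aux class attached to the instance
    f"cn=offHours,{REPO}": {"objectClass": ["PolicyConditionInstance", "PolicyConditionAuxClass"],
                            "cn": ["offHours"]},
    f"cn=rule1,{BASE}": {"objectClass": ["PolicyRule"], "cn": ["rule1"]},
    # rule-specific: aux class attached directly to the association entry
    f"cn=c1,cn=rule1,{BASE}": {"objectClass": ["PolicyRuleConditionAssociation", "PolicyConditionAuxClass"],
                               "PolicyConditionGroupNumber": ["1"], "cn": ["srcIsGuestVlan"]},
    # reusable: the association carries only a DN pointer into the repository
    f"cn=c2,cn=rule1,{BASE}": {"objectClass": ["PolicyRuleConditionAssociation"],
                               "PolicyConditionGroupNumber": ["1"], "PolicyConditionNegated": ["TRUE"],
                               "PolicyConditionDN": [f"cn=offHours,{REPO}"]},
    f"cn=rule2,{BASE}": {"objectClass": ["PolicyRule"], "cn": ["rule2"]},
    # dangling pointer: the repository entry it names has been deleted
    f"cn=c1,cn=rule2,{BASE}": {"objectClass": ["PolicyRuleConditionAssociation"],
                               "PolicyConditionGroupNumber": ["1"],
                               "PolicyConditionDN": [f"cn=deleted,{REPO}"]},
}

def children_of(dit: Dict[str, Entry], parent_dn: str) -> List[str]:
    """Immediate subordinates of parent_dn (one level of DIT containment)."""
    return [dn for dn in dit if dn.partition(",")[2] == parent_dn]

def condition_instance(dit: Dict[str, Entry], dn: str) -> Optional[Entry]:
    """The PolicyConditionInstance entry at dn, or None when the DN pointer dangles."""
    target = dit.get(dn)
    return target if target and "PolicyConditionInstance" in target["objectClass"] else None

def resolve_rule_conditions(dit: Dict[str, Entry], rule_dn: str) -> List[dict]:
    """Walk a PolicyRule's PolicyRuleConditionAssociation entries and locate the entry
    carrying each condition: the association itself (rule-specific) or the repository
    instance named by PolicyConditionDN (reusable)."""
    resolved = []
    for assoc_dn in children_of(dit, rule_dn):
        assoc = dit[assoc_dn]
        if "PolicyRuleConditionAssociation" not in assoc["objectClass"]:
            continue
        ptr = assoc.get("PolicyConditionDN")
        holder = condition_instance(dit, ptr[0]) if ptr else assoc
        if holder is None:
            raise LookupError(f"{assoc_dn}: PolicyConditionDN -> {ptr[0]} dangles")
        if "PolicyConditionAuxClass" not in holder["objectClass"]:
            raise LookupError(f"{assoc_dn}: no PolicyConditionAuxClass attached")
        resolved.append({"association": assoc_dn, "condition": holder,
                         "source": "reusable" if ptr else "rule-specific",
                         "group": int(assoc["PolicyConditionGroupNumber"][0]),
                         "negated": assoc.get("PolicyConditionNegated", ["FALSE"])[0] == "TRUE"})
    return resolved

def dangling_condition_pointers(dit: Dict[str, Entry]) -> List[str]:
    """Associations whose PolicyConditionDN no longer resolves: the referential-integrity
    gap that reusable components open and rule-specific ones avoid."""
    return [dn for dn, e in dit.items() if "PolicyRuleConditionAssociation" in e["objectClass"]
            and any(condition_instance(dit, p) is None for p in e.get("PolicyConditionDN", []))]
```

Running the dangling-pointer sweep periodically, or before a PDP loads a rule, is the practical way to close the integrity gap the slide describes.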
Slide 31: Building PolicyActions
• The PolicyActionInPolicyRule association has properties that require special mapping
» PolicyRuleActionAssociation represents the properties and is attached via DIT containment
» The actions themselves are represented by the PolicyActionAuxClass (and its subclasses) which are either
– attached directly to instances of the PolicyRuleActionAssociation for rule-specific classes, or
– indirectly, using a DN pointer to refer to an instance of a PolicyActionInstance class
Slide 32: PolicyRuleActionAssociation
• Two properties
» PolicyActionOrder determines the order of executing actions associated with a policy rule
» PolicyActionDN - pointer to a reusable PolicyAction (should be NULL if rule-specific)
• Semantics
» PolicyActionAuxClass subclasses are attached using DIT content rules
» Structure rules define naming, scoped by a PolicyRule, using either the OrderedCIMKeys, cn, or PolicyActionName
Slide 33: PolicyActionAuxClass
• Used to bind actions to rules
» Rule-specific actions defined by attaching this aux class to either an instance of the PolicyRuleActionAssociation or the PolicyRule classes
» Reusable actions defined by attaching this aux class to an instance of the PolicyActionInstance class
» Note: this class is derived from Top because it attaches to classes already derived from Policy
– otherwise we have property conflict!
Slide 34: PolicyTimePeriodConditionAuxClass
• Built as an aux class so it can be attached directly to a policy rule
» Represents periods of time that define when a condition is valid
– time period, plus month, day of month and week, and time of day masks
Slide 35: Structure of a Rule-Specific Policy
• PolicyRule is a container that holds PolicyConditions and PolicyActions
» QPIM extends this so that a condition is treated as a container
• To do this attachment
» PolicyRule is a structural class
» PolicyCondition and PolicyAction are both auxiliary classes
Slide 36: Attachment
• Info model defines PolicyRule relationships
» PolicyConditionInPolicyRule attaches conditions to a PolicyRule
» PolicyActionInPolicyRule attaches actions to a PolicyRule
» PolicyRuleInPolicyGroup groups PolicyRules
» PolicyRuleInSystem associates a PolicyRule with a System (e.g., a router or server)
• There can be as many attached conditions and actions as required
Slide 37: Example
[Figure: Rule 1 (structural) holds, by DIT containment, Condition 1 (structural) and Action 1 (structural). Each of these structural entries represents the association between Rule 1 and the condition or action; Condition 1 and Action 1 are attached to them as aux classes and represent the condition and the action themselves. DN pointers are also shown.]
Slide 38: Defining Reusable Elements
• Reusable elements are always stored in a special part of the DIT
» Modeled using the PolicyRepository class
» Attached (indirectly) using DN pointers to a rule
• Since conditions and actions are aux classes, they need something to attach to
» Rule-specific uses the PolicyRule itself
» Reusable uses this class, which is stored in the PolicyRepository
Slide 39: PolicyInstance
• Uses DIT content rules to allow a PolicyConditionAuxClass or a PolicyActionAuxClass to be attached to it
• Uses DIT structure rules to enable it to be named using either PolicyInstanceName, cn, or OrderedCIMKeys
Slide 40: PolicyInstance Subclasses
• Two subclasses, PolicyConditionInstance and PolicyActionInstance, are defined
» Defines additional naming attributes (PolicyConditionName and PolicyActionName)
» DIT content rules enable condition and action aux classes to be attached to it
» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes
Slide 41: PolicyRepository
• This is a container for holding reusable policy elements
» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its four attributes
Slide 42: PolicySubtreesPtrAuxClass
• This aux class provides a single multi-valued attribute to point to the root of a set of subtrees that contain policy information
» Attaching this attribute to other class instances enables the administrator to define entry points to related policy information
– Can be used to define the order of visiting information in the policy tree (e.g., for a PDP)
– Can be used to tie different subtrees together
Slide 43: Aux Containment Classes
• PolicyGroupContainmentAuxClass and PolicyRuleContainmentAuxClass
» Each contains a single multi-valued attribute that points to a set of PolicyGroups and PolicyRules, respectively
» Enables the administrator to bind PolicyGroups/PolicyRules to a container
Slide 44: PolicyElementAuxClass
• This class is the aux equivalent of the Policy class
» Enables tagging of selected instances that are outside of the policy class hierarchy, but are nevertheless policy-related
» This works through searching on oc=policy
» Note that some directories don’t support this, so in these cases, policy-related entries must be tagged with the keyword Policy and searched on using an attribute search
Slide 45: Example
[Figure: Rule 1 (structural) holds, by DIT containment, Condition 1 (structural) and Action 1 (structural), which represent the associations between Rule 1 and the condition and the action. Each carries a DN pointer to a ConditionInstance (structural) or ActionInstance (structural) held, by DIT containment, in the PolicyRepository (structural). Condition 1 Aux and Action 1 Aux are attached to those instances and represent the condition and the action themselves.]
Slide 46: PolicyRepository
• Used to define a “repository within a repository” for storing reusable data
» DIT structure rules enable it to be named under an instance of PolicyRepository using any of its three attributes