420 likes | 615 Views
Neeraj R. Joshi jneeraj@us.ibm.com Autonomic Computing, Tivoli, IBM. DMTF Policy: CIM-SPL Policy Language Tutorial July 2007 Portland OR. Agenda. Policy Basics CIM-SPL Overview CIM Policy Model The CIM-SPL Language Example Syntax Language Design Principles Types and Operators
E N D
Neeraj R. Joshi jneeraj@us.ibm.com Autonomic Computing, Tivoli, IBM DMTF Policy: CIM-SPL Policy Language TutorialJuly 2007 Portland OR
Agenda • Policy Basics • CIM-SPL Overview • CIM Policy Model • The CIM-SPL Language • Example • Syntax • Language Design Principles • Types and Operators • Association Traversals • Policy Groups • Policy Decisions • CIM-SPL Policy Provider in OpenPegasus • Use-case 1 – IT Compliance • Use-case 2 – Virtualization • Demo • Conclusion and Future direction • References • Questions
Policy Basics • Definition • “A set of guidelines or considerations designed to guide decisions when a course of action needs to be selected.” • Automation is key to the reduction of IT budgets • Using a Policy engine, policies can be setup to perform IT management automatically based on events or requests • Examples : • “All Systems must have a minimum 8 char password length” • “Firewall must be enabled” • Enabling Features for Policy Success • Leveraging existing data models is key to success of policy based management. • Allows a more structured approach to policy-based management. • Have a simple yet powerful method to declare policies
CIM-SPL Overview • CIM-SPL is a Policy Language specification for the CIM environment • Inspired by existing policy languages and models including policy definition language (PDL) from Bell Laboratories, the Ponder policy language from Imperial College, and autonomic computing policy language (ACPL) from IBM Research • Based on the DMTF CIM Policy Model • Approved by the DMTF as a preliminary standard (Jan 2007) • C++ reference implementation by IBM to be shipped with OpenPegasus 2.7.0 (Sept 07 release) • We also intend to provide a Java reference implementation.
CIM Policy Model The CIM Policy Model is extended by adding a CIM_SPLPolicyRule class which derives from the PolicyRule class of the existing CIM Model CIM_SPLPolicyRule String PolicyString Uint32 evaluatePolicy([in] CIMObjectPath ref arrayOfInstances[]);
CIM-SPL Policy Language - Example “For every physical element of type ‘switch’ Check the number of days since installation and upgrade as necessary” Import SAMPLE CIM_V_2_8_CIM_Core28-Final::PhysicalElement; Strategy Execute_All_Applicable; Declaration { maxAge = 4; Macro { Name = Age; Type = Uint64; Arguments Born:CIM_DateTime; Procedure = getYear(getCurrentDateTime()) – getYear(Born) } } Policy { • Condition • { • maxAge < Age(installDate) && VendorEquipmentType == "switch“ • } • Decision • { • Upgrade (NewSKU = SKU) • } }:1
CIM-SPL Policy Language : Rule Syntax Import <policy Name><CIM MOF file specification>:<namespase> <Class Name> <filter expression>; Policy{ Declaration { <List of constant definition> (Optional) <List of macro definitions> (Optional) } Condition{ (Optional) <If Condition> /* java-like boolean expression */ } Decision{ (Required) <Then Decision> /* “small” workflow of action */ /* invocations */ } } <priority>;
Language design principles and constraints • Compliance to CIM and CIM Policy Model • Import statement, traversal of associations • Rules, rule selection, groups • Declarative • loops restricted to collection operations • Evaluation triggering • No commitment, left out of the rule specification • Action specification • Simple workflow, cascade evaluation of policies • Anchor object • CIM-SPL Policies are written under the scope of a single object
CIM-SPL Types and Operators • CIM-SPL defines fourteen basic types: • Uint8, Uint16, Uint32, Uint64, Sint8, Sint16, Sint32, Sint64, Real32, Real64, Boolean, String, Char16, DateTime and Reference • Correspond one to one to the CIM Data types • Arrays of all basic types are also supported • 100+ Built in Operators • Type cast functions (e.g., ToInt, ToFloat, ToBoolean), • Standard arithmetic functions (e.g., Plus, Max, Log), • Boolean functions (e.g., And, Not, Equal), • String manipulation (e.g., ToUpper, LeftSubString), • Calendar operations (e.g., GetDayOfWeek), and • Collection operations (e.g., MaxInCollection).
Traversing Associations • The CIM Model is inherently hierarchical • Policy Conditions often need to traverse multiple associations • E.g. Retrieve all instances of Memory associated with a given Computer System or retrieve all firewall instances associated with a Computer System via an Operating System instance • collect operators allow a user to traverse multiple associations and filter instances in a single statement • Use the associatorNames CIM-Operating under the covers
Traversing Associations (continued): collect operators • collect(<RefExpresion>,<association>, <role>, <resultRole>,<CIM Class Name>, <filter expression>) • collect(<RefExpresion>,<association>, <role>, <resultRole>, <CIM Class Name>, <CIM class property name>, <filter expression>) • Where • <RefExpression> MUST be an expression that evaluates to an object reference, • <association> MUST be the name of a CIM association, • <role> and <resultRole> MUST be reference names in the <association>, • <CIM class Name> MUST be the class of the <resultRole> (this argument can be null if there is no ambiguity on the possible classes of the <resultRole>), • <CIM class property name> MUST be the name of a property of objects that might be referenced by the <resultRole> reference in instances of the <association>, • <expression> is a Boolean expression, and the <identifiers> appearing in the <expression> are evaluated under the scope of the objects referenced by the <resultRole> reference in instances of the <association>.
Traversing Associations (continued) Example 1. collect (Self, "CIM_SystemDevice", "GroupComponent", "PartComponent", "CIM_Memory", true); Returns an array of CIM_Memory object referenced by traversing the CIM_SystemDevice association from the current object (ComputerSystem) using the given roles 2. collect(Self, “CIM_SystemDevice”, ”GroupComponent”, ”PartComponent”, ”CIM_Memory”,BlockSize,true); Returns an array of properties of type BlockSize corresponding to each CIM_Memory instance associated with the computer system. 3. collect(Self, "CIM_SystemDevice", "GroupComponent", "PartComponent", "CIM_Memory", true)[0].BlockSize; Returns the BlockSize property of the first CIM_Memory instance associated with the ComputerSystem
Traversing Multiple Associations PhysicalElement -> (realizes) LogicalDevice -> (deviceServiceImplementation) Service
Traversing Multiple Associations (continued) collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, LogicalDevice, true)[1].deviceID collect( collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, true)[1], DeviceServiceImplementation, LogicalDevice, Service, Service, True)[1].Started
PolicyGroups • Aggregate Policies and other Policy Groups • Provides a hierarchical structure to CIM-SPL policies to help model hierarchies in the CIM Model • Simplifies designing of policies for complex CIM systems comprising of several sub-systems. • E.g. A SAN Fabric has a host, switch and array instances (distinguished by the dedicated property). Individual policies can be defined for each of the sub components along with a aggregating Policy group for the entire fabric.
Group Scope Specification <Name=“System1”> Object associated with the initial call Import xxx::CIM_AdminDomain PolicyGroup: Import yyy::CIM_ComputerSystem: Dedicated ==“switch” PolicyGroup:CIM_SystemDevice(GroupComponent,PartComponent) Import yyy::CIM_LogicalPortGroup PolicyGroup: Import yyy::CIM_ComputerSystem: Dedicated == “storage”
Decisions in CIM-SPL Types of Actions a. Invoke a method on the anchor object instance <method name>(<argument name>=<expression>[,<argument name> = <expression>]*) b. Modify properties of the anchor object instance Set(<argument name>=<expression>[,<argument name> = <expression>]*) c. Invoke a policy (cascaded policy evaluation) InvokePolicy(<policy name>,<expression>) Action Workflow a. <action block> <action block> a sequence of Policy Action evaluations b.<action block> | | <action block> concurrency "some" semantics c. <action block> && <action block> concurrency "all" semantics d. <action block> | <action block> conditional
CIM-SPL Policy Provider in Open Pegasus • CIM-SPL Policy Processor is implemented as an Instance and Method CIM Provider • Pre-Requisites: • Runs on Pegasus 2.7.0 • Requires ANTLR v2.7.7 • ICUv3.2 libraries are optional • Configuration: • Optional compiled in Open Pegasus • Configured to “run as requestor” • Logging can be enabled/disabled at runtime
CIM-SPL Provider in Open Pegasus (continued) • Features: • Supports 100+ built-in operators • Policy executed with requesting user’s privileges • On demand loading of policies for performance • Easy to use CLI utility provided • Audit log generated for all major operation • Limitations: • Policies currently stored as plain text • Relies on underlying CIM-Server for security • Only request based evaluation of policies supported (no automatic triggering of evaluations support yet)
Policy Provider (Method & Instance) Policy Manager CIMOM Policy Data Store Actuator Policy Parser Data Collector Policy Cache Policy Repository CIM-SPL Policy Provider Architecture
Policy CLI Utility • Sample CLI to be shipped with OpenPegasus • Example Usage: • Create policy : policyprovidertestclient –c <directory where policy is located> <policy name> • Modify policy : policyprovidertestclient –m <directory where policy is located> <policy name> • Delete policy : policyprovidertestclient –d <policy name> • List policy : policyprovidertestclient –l <policy name> • Execute policy: policyprovidertestclient –x <policy name>
Use-case 1 : IT Compliance • Goal: As the number of IT resources in an organization grows the task of ensuring compliance to corporate policies continues to get harder. Automate compliance enforcement. • Solution: Convert the IT compliance policy rules to a CIM-SPL policy. Run the policy periodically to automatically reconfigure the resources to make them compliant.
Computer System GUID Host Name IP Address Location Business Owner Operating System GUID Name Version MinPasswordLength PasswordExpirationDays Firewall GUID vendor status version IT Compliance (continued) CIM Classes • Sample Corporate IT policy • Must have business owner • Firewall must installed and enabled • Password length > 8 chars • Password Expiration < 90 installedOn hasA
Computer System GUID = 1111111111 Host Name = “acdemox1” IP Address = “9.42.117.20” Location = “RTP” Business Owner = “” Computer System GUID = 1111111112 Host Name = “acdemox2” IP Address = “9.42.117.21” Location = “RTP” Business Owner = “Prashant” Computer System GUID = 1111111113 Host Name = “acdemox3” IP Address = “9.42.117.22” Location = “RTP” Business Owner = “Neeraj” Operating System GUID = 1111111115 Name = “winxp” Version = “sp2” MinPasswordLength = 0 PasswordExpiration = 240 Operating System GUID = 1111111116 Name = “rhel4” Version = “2.6.9” MinPasswordLength = 8 PasswordExpiration = 240 Operating System GUID = 1111111117 Name = “aix” Version = “5.3” MinPasswordLength = 8 PasswordExpiration = 90 Firewall GUID = 211111115 Vendor = “Symantec” Status = true Version = “1.0” Firewall GUID = 211111116 Vendor = “red hat” Status = false Version = “1.0” Firewall GUID = 211111117 Vendor = “IBM” Status = true Version = “1.0” Sample CIM Instances
IT Compliance (continued) : Algorithm • For each Computer System instance check the business owner field and correct if necessary • For each Operating System instance related to the current Computer System check its minimum password length and maximum password expiry period • For each Firewall associated with the current Operating System check whether it is enabled and if not enable it.
IT Compliance (continued) : Policy Structure Policy For Computer System Policy To check business owner exists Policy Group for Operating System Policy Group for Firewall Check if Firewall is enabled Policy to check Password length Policy to check Password Expiration Days
IT Compliance (continued) : CIM-SPL Policy (1 of 4) “Ensure business user is set for every CS in the system, if not set it to default” Import ITCompliance CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_ComputerSystem; StrategyExecute_All_Applicable; Policy { Condition { StringLength(businessowner) == 0 } Decision { Set(businessowner="Default") == 0 } }:1;
IT Compliance (continued) : CIM-SPL Policy (2 of 4) “For the OS instance associated with current CS ensure minimum password length is 8” PolicyGroup : installedOn (system, software) { Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_OperatingSystem; Strategy Execute_All_Applicable; Policy { Declaration { requiredPasswordLength = 8; } Condition { requiredPasswordLength > minpasswordlength } Decision { Set(minpasswordlength = requiredPasswordLength) == 0 } }:3;
IT Compliance (continued) : CIM-SPL Policy (3 of 4) “Ensure maximum number of days for password expiration is set to 90” Policy { Declaration { requiredMaxExpirationDays = 90; } Condition { requiredMaxExpirationDays < maxpasswordexpirationdays } Decision { Set(maxpasswordexpirationdays = requiredMaxExpirationDays) == 0 } }:4;
IT Compliance (continued) : CIM-SPL Policy (4 of 4) “Ensure the Firewall instance associated to the current OS is active” PolicyGroup : hasA (system, software) { Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_Firewall; Strategy Execute_All_Applicable; Policy { Declaration { desiredStatus = true; } Condition { status != desiredStatus } Decision { Set(status = desiredStatus) == 0 } }:6; }:5; }:2;
Use Case 2 : Virtualization • Goal: Dynamically resize the memory of a collection of virtual computer systems based on memory usage. • Solution: A CIM-SPL policy that gathers virtual memories attached to a virtual computer system, check its usage and resize based on set policies
Virtualization (continued) : Virtual resources in the system
Virtualization (continued) : Algorithm • Starting from a virtual CIM_ComputerSystem retrieve the CIM_RegisteredProfile instance associated with it using the elementConformsToProfile association • From this CIM_RegisteredProfile instance retrieve instances of virtual memory registered profile associated with it using the ReferencedProfile association • For the virtual memory registered profile retrieve the CIM_Memory instances associated with it using the elementConformsToProfile association • Check the memory usage of each instance and resize the memory accordingly
Virtualization (continued) : Policy 1 (1 of 2) “Collect instances of virtual memory associated with the virtual CS that conform to the memory profile” Import VirtualizationExample CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_ComputerSystem; StrategyExecute_All_Applicable; Policy { Declaration { instanceOfRegisteredProfileForComputerSystem = collect(Self, "CIM_ElementConformsToProfile", "ManagedElement", "ConformantStandard", “CIM_RegisteredProfile",true)[0]; Macro { Name = GetInstanceOfRegisteredProfileForMemoryProfile; type = CIMReference; argument = instanceOfRegisteredProfileForCS:CIMReference; procedure = collect(instanceOfRegisteredProfileForCS, "CIM_ReferencedProfile", "Antecedent", "Dependant", "CIM_RegisteredProfile", contains(RegisteredName,"Memory")[0]); } /* End Macro */ Retrieve instance of Registered Profile associated with the current CS Retrieve instance of Registered Profile for Memory associated with the Registered Profile obtained earlier
Virtualization (continued) : Policy 1 (2 of 2) Find instances of Memory associated with Memory Registered Profile obtained earlier Macro { Name = GetInstancesOfMemoryThatConformToMemoryProfile; type = CIMReference[]; argument = CIMObjectPath:instanceOfRegisteredMemoryProfile; procedure = collect(instanceOfRegisteredMemoryProfile, "CIM_ElementConformsToProfile", "ConformantStandard", "ManagedElement", "CIM_Memory", true); } /* End Macro */ memoryOfVirtualSystems = GetInstancesOfMemoryThatConformToMemoryProfile(GetInstanceOfRegisteredProfileForMemoryProfile (instanceOfRegisteredProfileForComputerSystem) ) } /* End Declaration */ Condition { CollectionSize(memoryOfVirtualSystems) > 0 } Decision { InvokePolicy("IncreaseMemoryIfRequired",memoryOfVirtualSystems) == 0 } }:1; Invoke the IncreaseMemoryIfRequired policy by Passing the obtained memory instances
Virtualization (continued) : Policy2 “check memory usage, increase or decrease the total size as required” Import IncreaseMemoryIfRequired CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_Memory;Strategy Execute_All_Applicable; Declaration { totalMemory = BlockSize * NumberOfBlocks; availableMemory = BlockSize * ConsumableBlocks; memoryIncrementFactor = (5 / 100)* NumberOfBlocks; memoryDecrementFactor = (5 / 100)* NumberOfBlocks; Macro { Name = GetPercentageOfFreeMemory; type = Real64; argument = freeMemory:uint64,totMemory:uint64; procedure = (freeMemory / totMemory)*100; } } Policy { Condition { GetPercentageOfFreeMemory(availableMemory,totalMemory) < 5 } Decision { Set(NumberOfBlocks = memoryIncrementFactor + NumberOfBlocks) == 0 } }:1; Policy { Condition { totalMemory > 1024 && GetPercentageOfFreeMemory(availableMemory,totalMemory) > 90 } Decision { Set(NumberOfBlocks = memoryDecrementFactor + NumberOfBlocks) == 0 } }:2; Calculate total, available memory Calculate the memory increment & decrement factors calculate the percentage of free memory If percentage of free memory < 5 increase total memory If percentage of free memory > 90 decrease total memory
Wrap Up and Future direction • In summary the CIM-SPL provides a simple yet powerful mechanism for defining and executing policies in the CIM space. • Future Work • Support for automatic evaluation based on Indications • Eclipse based policy editor
References • DMTF CIM-SPL Specification http://www.dmtf.org/standards/published_documents/DSP0231.pdf • CIM-SPL OpenPegasus PEP 297 http://www.openpegasus.org/pp/protected/upreviews/20/2343/PEP297_CIMSPL_Support.htm • DMTF CIM Policy Model www.dmtf.org/standards/documents/CIM/DSP0108.pdf
Acknowledgments • Jorge Lobo, David Kaminsky, Dave Sudlik, Prashant Baliga, Xiping Wang, Dakshi Agrawal, Kang-Won Lee, Seraphin Calo • The OpenPegasus Architecture Team and the DMTF Policy WG