© 2007 IBM Corporation DMTF Policy: CIM-SPL Policy Language Tutorial July 2007 Portland OR Neeraj R. Joshi [email protected] Autonomic Computing, Tivoli, IBM
Jan 21, 2016
© 2007 IBM Corporation
DMTF Policy: CIM-SPL Policy Language Tutorial
July 2007 Portland OR
Neeraj R. Joshi [email protected] Computing, Tivoli, IBM
2 © 2007 IBM Corporation
Agenda Policy Basics CIM-SPL Overview CIM Policy Model The CIM-SPL Language
Example
Syntax
Language Design Principles
Types and Operators
Association Traversals
Policy Groups
Policy Decisions CIM-SPL Policy Provider in OpenPegasus Use-case 1 – IT Compliance Use-case 2 – Virtualization Demo Conclusion and Future direction References Questions
3 © 2007 IBM Corporation
Policy Basics
Definition “A set of guidelines or considerations designed to guide decisions when a course of action
needs to be selected.”
Automation is key to the reduction of IT budgets
Using a Policy engine, policies can be setup to perform IT management automatically based on events or requests
Examples :“All Systems must have a minimum 8 char password length”
“Firewall must be enabled”
Enabling Features for Policy Success– Leveraging existing data models is key to success of policy based management.
– Allows a more structured approach to policy-based management.
– Have a simple yet powerful method to declare policies
4 © 2007 IBM Corporation
CIM-SPL Overview
CIM-SPL is a Policy Language specification for the CIM environment
Inspired by existing policy languages and models including policy definition language (PDL) from Bell Laboratories, the Ponder policy language from Imperial College, and autonomic computing policy language (ACPL) from IBM Research
Based on the DMTF CIM Policy Model
Approved by the DMTF as a preliminary standard (Jan 2007)
C++ reference implementation by IBM to be shipped with OpenPegasus 2.7.0 (Sept 07 release)
We also intend to provide a Java reference implementation.
5 © 2007 IBM Corporation
CIM Policy Model
The CIM Policy Model is extended by adding a CIM_SPLPolicyRule class which derives from the PolicyRule class of the existing CIM Model
CIM_SPLPolicyRule
String PolicyString
Uint32 evaluatePolicy([in] CIMObjectPath ref arrayOfInstances[]);
6 © 2007 IBM Corporation
CIM-SPL Policy Language - Example
Import SAMPLE CIM_V_2_8_CIM_Core28-Final::PhysicalElement;Strategy Execute_All_Applicable;Declaration{
maxAge = 4;Macro { Name = Age;
Type = Uint64; Arguments Born:CIM_DateTime; Procedure = getYear(getCurrentDateTime()) –
getYear(Born)}
}Policy {
Condition
{
maxAge < Age(installDate) && VendorEquipmentType == "switch“
}
Decision
{
Upgrade (NewSKU = SKU)
}}:1
“For every physical element of type ‘switch’ Check the number of days since installation and upgrade as necessary”
7 © 2007 IBM Corporation
CIM-SPL Policy Language : Rule Syntax
Import <policy Name> <CIM MOF file specification>:<namespase> <Class Name> <filter
expression>; Policy { Declaration {
<List of constant definition> (Optional)<List of macro definitions> (Optional)
} Condition { (Optional) <If Condition> /* java-like boolean expression */ } Decision { (Required) <Then Decision> /* “small” workflow of action */ /* invocations */ }} <priority>;
8 © 2007 IBM Corporation
Language design principles and constraints
Compliance to CIM and CIM Policy Model– Import statement, traversal of associations
– Rules, rule selection, groups
Declarative– loops restricted to collection operations
Evaluation triggering– No commitment, left out of the rule specification
Action specification– Simple workflow, cascade evaluation of policies
Anchor object– CIM-SPL Policies are written under the scope of a single object
9 © 2007 IBM Corporation
CIM-SPL Types and Operators
CIM-SPL defines fourteen basic types: – Uint8, Uint16, Uint32, Uint64, Sint8, Sint16, Sint32, Sint64, Real32, Real64,
Boolean, String, Char16, DateTime and Reference
– Correspond one to one to the CIM Data types
– Arrays of all basic types are also supported 100+ Built in Operators
– Type cast functions (e.g., ToInt, ToFloat, ToBoolean),
– Standard arithmetic functions (e.g., Plus, Max, Log),
– Boolean functions (e.g., And, Not, Equal),
– String manipulation (e.g., ToUpper, LeftSubString),
– Calendar operations (e.g., GetDayOfWeek), and
– Collection operations (e.g., MaxInCollection).
10 © 2007 IBM Corporation
Traversing Associations
The CIM Model is inherently hierarchical
Policy Conditions often need to traverse multiple associations
E.g. Retrieve all instances of Memory associated with a given Computer System or retrieve all firewall instances associated with a Computer System via an Operating System instance
collect operators allow a user to traverse multiple associations and filter instances in a single statementUse the associatorNames CIM-Operating under the covers
11 © 2007 IBM Corporation
Traversing Associations (continued): collect operators
collect(<RefExpresion>,<association>, <role>, <resultRole>,<CIM Class Name>, <filter expression>)
collect(<RefExpresion>,<association>, <role>, <resultRole>, <CIM Class Name>, <CIM class property name>, <filter expression>)
Where
<RefExpression> MUST be an expression that evaluates to an object reference,
<association> MUST be the name of a CIM association,
<role> and <resultRole> MUST be reference names in the <association>,
<CIM class Name> MUST be the class of the <resultRole> (this argument can be null if there is no ambiguity on the possible classes of the <resultRole>),
<CIM class property name> MUST be the name of a property of objects that might be referenced by the <resultRole> reference in instances of the <association>,
<expression> is a Boolean expression, and the <identifiers> appearing in the <expression> are evaluated under the scope of the objects referenced by the <resultRole> reference in instances of the <association>.
12 © 2007 IBM Corporation
Traversing Associations (continued)
Example1. collect (Self, "CIM_SystemDevice", "GroupComponent", "PartComponent",
"CIM_Memory", true);
Returns an array of CIM_Memory object referenced by traversing the CIM_SystemDevice association from the current object (ComputerSystem) using the given roles
2. collect (Self, “CIM_SystemDevice”, ”GroupComponent”, ”PartComponent”, ”CIM_Memory”,BlockSize,true);
Returns an array of properties of type BlockSize corresponding to each CIM_Memory instance associated with the computer system.
3. collect (Self, "CIM_SystemDevice", "GroupComponent", "PartComponent", "CIM_Memory", true)[0].BlockSize;
Returns the BlockSize property of the first CIM_Memory instance associated with the ComputerSystem
13 © 2007 IBM Corporation
Traversing Multiple AssociationsPhysicalElement ->
(realizes)
LogicalDevice ->
(deviceServiceImplementation)
Service
14 © 2007 IBM Corporation
Traversing Multiple Associations (continued)
collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, LogicalDevice, true)[1].deviceID
collect( collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, true)[1], DeviceServiceImplementation, LogicalDevice, Service, Service, True)[1].Started
15 © 2007 IBM Corporation
Policy Groups
Aggregate Policies and other Policy Groups
Provides a hierarchical structure to CIM-SPL policies to help model hierarchies in the CIM Model
Simplifies designing of policies for complex CIM systems comprising of several sub-systems.
E.g. A SAN Fabric has a host, switch and array instances (distinguished by the dedicated property). Individual policies can be defined for each of the sub components along with a aggregating Policy group for the entire fabric.
16 © 2007 IBM Corporation
Policy GroupExample
17 © 2007 IBM Corporation
Group Scope Specification
<Name=“System1”> Object associated with the initial call
Import xxx::CIM_AdminDomain
Import yyy::CIM_ComputerSystem: Dedicated ==“switch”
PolicyGroup:CIM_SystemDevice(GroupComponent,PartComponent)
Import yyy::CIM_LogicalPortGroup
Import yyy::CIM_ComputerSystem: Dedicated == “storage”
PolicyGroup:
PolicyGroup:
18 © 2007 IBM Corporation
Decisions in CIM-SPL
Types of Actions a. Invoke a method on the anchor object instance
<method name>(<argument name>=<expression>[,<argument name> = <expression>]*)
b. Modify properties of the anchor object instanceSet(<argument name>=<expression>[,<argument name> = <expression>]*)
c. Invoke a policy (cascaded policy evaluation)InvokePolicy(<policy name>,<expression>)
Action Workflowa. <action block> <action block>
a sequence of Policy Action evaluationsb. <action block> | | <action block>
concurrency "some" semantics c. <action block> && <action block>
concurrency "all" semantics d. <action block> | <action block>
conditional
19 © 2007 IBM Corporation
CIM-SPL Policy Provider in Open Pegasus
CIM-SPL Policy Processor is implemented as an Instance and Method CIM Provider
Pre-Requisites:– Runs on Pegasus 2.7.0
– Requires ANTLR v2.7.7
– ICUv3.2 libraries are optional
Configuration:– Optional compiled in Open Pegasus
– Configured to “run as requestor”
– Logging can be enabled/disabled at runtime
20 © 2007 IBM Corporation
CIM-SPL Provider in Open Pegasus (continued)
Features:– Supports 100+ built-in operators
– Policy executed with requesting user’s privileges
– On demand loading of policies for performance
– Easy to use CLI utility provided
– Audit log generated for all major operation
Limitations:– Policies currently stored as plain text
– Relies on underlying CIM-Server for security
– Only request based evaluation of policies supported (no automatic triggering of evaluations support yet)
21 © 2007 IBM Corporation
CIM-SPL Policy Provider Architecture
CIMOM
Policy Provider
(Method & Instance)
Policy Manager
Policy Data Store
Policy
Repository
Policy Cache
Policy Parser
Actuator
Data Collector
22 © 2007 IBM Corporation
Policy CLI Utility
Sample CLI to be shipped with OpenPegasus
Example Usage:– Create policy : policyprovidertestclient –c <directory where policy is located> <policy
name>
– Modify policy : policyprovidertestclient –m <directory where policy is located> <policy name>
– Delete policy : policyprovidertestclient –d <policy name>
– List policy : policyprovidertestclient –l <policy name>
– Execute policy: policyprovidertestclient –x <policy name>
23 © 2007 IBM Corporation
Use-case 1 : IT Compliance
Goal: As the number of IT resources in an organization grows the task of ensuring compliance to corporate policies continues to get harder. Automate compliance enforcement.
Solution: Convert the IT compliance policy rules to a CIM-SPL policy. Run the policy periodically to automatically reconfigure the resources to make them compliant.
24 © 2007 IBM Corporation
IT Compliance (continued)
Sample Corporate IT policy–Must have business owner
–Firewall must installed and enabled
–Password length > 8 chars
–Password Expiration < 90
Computer System
GUID
Host Name
IP Address
Location
Business Owner
Firewall
GUID
vendor
status
version
Operating System
GUID
Name
Version
MinPasswordLength
PasswordExpirationDays
installedOn
hasA
CIM Classes
25 © 2007 IBM Corporation
Computer System
GUID = 1111111111
Host Name = “acdemox1”
IP Address = “9.42.117.20”
Location = “RTP”
Business Owner = “”
Firewall
GUID = 211111115
Vendor = “Symantec”
Status = true
Version = “1.0”
Operating System
GUID = 1111111115
Name = “winxp”
Version = “sp2”
MinPasswordLength = 0
PasswordExpiration = 240
Computer System
GUID = 1111111112
Host Name = “acdemox2”
IP Address = “9.42.117.21”
Location = “RTP”
Business Owner = “Prashant”
Firewall
GUID = 211111116
Vendor = “red hat”
Status = false
Version = “1.0”
Operating System
GUID = 1111111116
Name = “rhel4”
Version = “2.6.9”
MinPasswordLength = 8
PasswordExpiration = 240
Computer System
GUID = 1111111113
Host Name = “acdemox3”
IP Address = “9.42.117.22”
Location = “RTP”
Business Owner = “Neeraj”
Firewall
GUID = 211111117
Vendor = “IBM”
Status = true Version = “1.0”
Operating System
GUID = 1111111117
Name = “aix”
Version = “5.3”
MinPasswordLength = 8
PasswordExpiration = 90
Sample CIM Instances
26 © 2007 IBM Corporation
IT Compliance (continued) : Algorithm
For each Computer System instance check the business owner field and correct if necessary
For each Operating System instance related to the current Computer System check its minimum password length and maximum password expiry period
For each Firewall associated with the current Operating System check whether it is enabled and if not enable it.
27 © 2007 IBM Corporation
Policy For Computer System
Policy To check business owner exists
Policy Group for Operating System
Policy Group for Firewall
Check if Firewall is enabled
IT Compliance (continued) : Policy Structure
Policy to check Password length
Policy to check Password Expiration Days
28 © 2007 IBM Corporation
IT Compliance (continued) : CIM-SPL Policy (1 of 4)
Import ITCompliance CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_ComputerSystem;
Strategy Execute_All_Applicable;
Policy
{
Condition
{
StringLength(businessowner) == 0
}
Decision
{
Set(businessowner="Default") == 0
}
}:1;
“Ensure business user is set for every CS in the system, if not set it to default”
29 © 2007 IBM Corporation
IT Compliance (continued) : CIM-SPL Policy (2 of 4)
PolicyGroup : installedOn (system, software){ Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_OperatingSystem; Strategy Execute_All_Applicable; Policy { Declaration { requiredPasswordLength = 8; } Condition { requiredPasswordLength > minpasswordlength } Decision { Set(minpasswordlength = requiredPasswordLength) == 0 } }:3;
“For the OS instance associated with current CS ensure minimum password length is 8”
30 © 2007 IBM Corporation
IT Compliance (continued) : CIM-SPL Policy (3 of 4)
Policy { Declaration { requiredMaxExpirationDays = 90; } Condition { requiredMaxExpirationDays < maxpasswordexpirationdays } Decision { Set(maxpasswordexpirationdays = requiredMaxExpirationDays) == 0 } }:4;
“Ensure maximum number of days for password expiration is set to 90”
31 © 2007 IBM Corporation
IT Compliance (continued) : CIM-SPL Policy (4 of 4)
PolicyGroup : hasA (system, software)
{ Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_Firewall; Strategy Execute_All_Applicable; Policy { Declaration { desiredStatus = true; } Condition { status != desiredStatus } Decision { Set(status = desiredStatus) == 0 } }:6; }:5; }:2;
“Ensure the Firewall instance associated to the current OS is active”
32 © 2007 IBM Corporation
Use Case 2 : Virtualization
Goal: Dynamically resize the memory of a collection of virtual computer systems based on memory usage.
Solution: A CIM-SPL policy that gathers virtual memories attached to a virtual computer system, check its usage and resize based on set policies
33 © 2007 IBM Corporation
Virtualization (continued) : Virtual resources in the system
34 © 2007 IBM Corporation
Virtualization (continued) : Algorithm
Starting from a virtual CIM_ComputerSystem retrieve the CIM_RegisteredProfile instance associated with it using the elementConformsToProfile association
From this CIM_RegisteredProfile instance retrieve instances of virtual memory registered profile associated with it using the ReferencedProfile association
For the virtual memory registered profile retrieve the CIM_Memory instances associated with it using the elementConformsToProfile association
Check the memory usage of each instance and resize the memory accordingly
35 © 2007 IBM Corporation
Virtualization (continued) : Policy 1 (1 of 2)
Import VirtualizationExample CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_ComputerSystem;
Strategy Execute_All_Applicable;
Policy { Declaration { instanceOfRegisteredProfileForComputerSystem = collect(Self, "CIM_ElementConformsToProfile",
"ManagedElement", "ConformantStandard", “CIM_RegisteredProfile",true)[0];
Macro { Name = GetInstanceOfRegisteredProfileForMemoryProfile;
type = CIMReference; argument = instanceOfRegisteredProfileForCS:CIMReference;
procedure = collect(instanceOfRegisteredProfileForCS, "CIM_ReferencedProfile", "Antecedent", "Dependant", "CIM_RegisteredProfile", contains(RegisteredName,"Memory")[0]);
} /* End Macro */
“Collect instances of virtual memory associated with the virtual CS that conform to the memory profile”
Retrieve instance of Registered Profile associated with the current
CS
Retrieve instance of Registered Profile for Memory associated with
the Registered Profile obtained earlier
36 © 2007 IBM Corporation
Virtualization (continued) : Policy 1 (2 of 2)
Macro { Name = GetInstancesOfMemoryThatConformToMemoryProfile;
type = CIMReference[];
argument = CIMObjectPath:instanceOfRegisteredMemoryProfile;
procedure = collect(instanceOfRegisteredMemoryProfile, "CIM_ElementConformsToProfile", "ConformantStandard", "ManagedElement", "CIM_Memory", true); } /* End Macro */
memoryOfVirtualSystems = GetInstancesOfMemoryThatConformToMemoryProfile(GetInstanceOfRegisteredProfileForMemoryProfile
(instanceOfRegisteredProfileForComputerSystem) ) } /* End Declaration */
Condition { CollectionSize(memoryOfVirtualSystems) > 0
} Decision {
InvokePolicy("IncreaseMemoryIfRequired",memoryOfVirtualSystems) == 0 }}:1;
Find instances of Memory associated
with Memory Registered Profile obtained earlier
Invoke the IncreaseMemoryIfRequired policy by Passing the obtained memory instances
37 © 2007 IBM Corporation
Virtualization (continued) : Policy2
Import IncreaseMemoryIfRequired CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_Memory;Strategy Execute_All_Applicable;
Declaration { totalMemory = BlockSize * NumberOfBlocks;
availableMemory = BlockSize * ConsumableBlocks;
memoryIncrementFactor = (5 / 100)* NumberOfBlocks;
memoryDecrementFactor = (5 / 100)* NumberOfBlocks;
Macro { Name = GetPercentageOfFreeMemory; type = Real64; argument = freeMemory:uint64,totMemory:uint64; procedure = (freeMemory / totMemory)*100;
} }Policy {
Condition { GetPercentageOfFreeMemory(availableMemory,totalMemory) < 5
} Decision {
Set(NumberOfBlocks = memoryIncrementFactor + NumberOfBlocks) == 0 }
}:1;Policy {
Condition { totalMemory > 1024 && GetPercentageOfFreeMemory(availableMemory,totalMemory) > 90
} Decision {
Set(NumberOfBlocks = memoryDecrementFactor + NumberOfBlocks) == 0 }
}:2;
“check memory usage, increase or decrease the total size as required”
•Calculate total, available memory
•Calculate the memory increment & decrement factors
calculate the percentage of free memory
If percentage of free memory < 5 increase total memory
If percentage of free memory > 90 decrease total memory
38 © 2007 IBM Corporation
DEMO
39 © 2007 IBM Corporation
Wrap Up and Future direction
In summary the CIM-SPL provides a simple yet powerful mechanism for defining and executing policies in the CIM space.
Future Work– Support for automatic evaluation based on Indications
– Eclipse based policy editor
40 © 2007 IBM Corporation
References
DMTF CIM-SPL Specification http://www.dmtf.org/standards/published_documents/DSP0231.pdf
CIM-SPL OpenPegasus PEP 297 http://www.openpegasus.org/pp/protected/upreviews/20/2343/PEP297_CIMSPL_Support.htm
DMTF CIM Policy Model www.dmtf.org/standards/documents/CIM/DSP0108.pdf
41 © 2007 IBM Corporation
Acknowledgments
Jorge Lobo, David Kaminsky, Dave Sudlik, Prashant Baliga, Xiping Wang, Dakshi Agrawal, Kang-Won Lee, Seraphin Calo
The OpenPegasus Architecture Team and the DMTF Policy WG
42 © 2007 IBM Corporation
Questions?