© 2007 IBM Corporation DMTF Policy: CIM-SPL Policy Language Tutorial July 2007 Portland OR Neeraj R. Joshi [email protected]@us.ibm.com Autonomic

© 2007 IBM Corporation

DMTF Policy: CIM-SPL Policy Language Tutorial

July 2007 Portland OR

Neeraj R. Joshi [email protected] Computing, Tivoli, IBM

2 © 2007 IBM Corporation

Agenda Policy Basics CIM-SPL Overview CIM Policy Model The CIM-SPL Language

Example

Syntax

Language Design Principles

Types and Operators

Association Traversals

Policy Groups

Policy Decisions CIM-SPL Policy Provider in OpenPegasus Use-case 1 – IT Compliance Use-case 2 – Virtualization Demo Conclusion and Future direction References Questions


Policy Basics

Definition “A set of guidelines or considerations designed to guide decisions when a course of action

needs to be selected.”

Automation is key to the reduction of IT budgets

Using a Policy engine, policies can be setup to perform IT management automatically based on events or requests

Examples :“All Systems must have a minimum 8 char password length”

“Firewall must be enabled”

Enabling Features for Policy Success– Leveraging existing data models is key to success of policy based management.

– Allows a more structured approach to policy-based management.

– Have a simple yet powerful method to declare policies


CIM-SPL Overview

CIM-SPL is a Policy Language specification for the CIM environment

Inspired by existing policy languages and models including policy definition language (PDL) from Bell Laboratories, the Ponder policy language from Imperial College, and autonomic computing policy language (ACPL) from IBM Research

Based on the DMTF CIM Policy Model

Approved by the DMTF as a preliminary standard (Jan 2007)

C++ reference implementation by IBM to be shipped with OpenPegasus 2.7.0 (Sept 07 release)

We also intend to provide a Java reference implementation.


CIM Policy Model

The CIM Policy Model is extended by adding a CIM_SPLPolicyRule class which derives from the PolicyRule class of the existing CIM Model

CIM_SPLPolicyRule

String PolicyString

Uint32 evaluatePolicy([in] CIMObjectPath ref arrayOfInstances[]);


CIM-SPL Policy Language - Example

Import SAMPLE CIM_V_2_8_CIM_Core28-Final::PhysicalElement;Strategy Execute_All_Applicable;Declaration{

maxAge = 4;Macro { Name = Age;

Type = Uint64; Arguments Born:CIM_DateTime; Procedure = getYear(getCurrentDateTime()) –

getYear(Born)}

}Policy {

Condition

{

maxAge < Age(installDate) && VendorEquipmentType == "switch“

}

Decision

{

Upgrade (NewSKU = SKU)

}}:1

“For every physical element of type ‘switch’ Check the number of days since installation and upgrade as necessary”


CIM-SPL Policy Language : Rule Syntax

Import <policy Name> <CIM MOF file specification>:<namespase> <Class Name> <filter

expression>; Policy { Declaration {

<List of constant definition> (Optional)<List of macro definitions> (Optional)

} Condition { (Optional) <If Condition> /* java-like boolean expression */ } Decision { (Required) <Then Decision> /* “small” workflow of action */ /* invocations */ }} <priority>;


Language design principles and constraints

Compliance to CIM and CIM Policy Model– Import statement, traversal of associations

– Rules, rule selection, groups

Declarative– loops restricted to collection operations

Evaluation triggering– No commitment, left out of the rule specification

Action specification– Simple workflow, cascade evaluation of policies

Anchor object– CIM-SPL Policies are written under the scope of a single object


CIM-SPL Types and Operators

CIM-SPL defines fourteen basic types: – Uint8, Uint16, Uint32, Uint64, Sint8, Sint16, Sint32, Sint64, Real32, Real64,

Boolean, String, Char16, DateTime and Reference

– Correspond one to one to the CIM Data types

– Arrays of all basic types are also supported 100+ Built in Operators

– Type cast functions (e.g., ToInt, ToFloat, ToBoolean),

– Standard arithmetic functions (e.g., Plus, Max, Log),

– Boolean functions (e.g., And, Not, Equal),

– String manipulation (e.g., ToUpper, LeftSubString),

– Calendar operations (e.g., GetDayOfWeek), and

– Collection operations (e.g., MaxInCollection).


Traversing Associations

The CIM Model is inherently hierarchical

Policy Conditions often need to traverse multiple associations

E.g. Retrieve all instances of Memory associated with a given Computer System or retrieve all firewall instances associated with a Computer System via an Operating System instance

collect operators allow a user to traverse multiple associations and filter instances in a single statementUse the associatorNames CIM-Operating under the covers


Traversing Associations (continued): collect operators

collect(<RefExpresion>,<association>, <role>, <resultRole>,<CIM Class Name>, <filter expression>)

collect(<RefExpresion>,<association>, <role>, <resultRole>, <CIM Class Name>, <CIM class property name>, <filter expression>)

Where

<RefExpression> MUST be an expression that evaluates to an object reference,

<association> MUST be the name of a CIM association,

<role> and <resultRole> MUST be reference names in the <association>,

<CIM class Name> MUST be the class of the <resultRole> (this argument can be null if there is no ambiguity on the possible classes of the <resultRole>),

<CIM class property name> MUST be the name of a property of objects that might be referenced by the <resultRole> reference in instances of the <association>,

<expression> is a Boolean expression, and the <identifiers> appearing in the <expression> are evaluated under the scope of the objects referenced by the <resultRole> reference in instances of the <association>.


Traversing Associations (continued)

Example1. collect (Self, "CIM_SystemDevice", "GroupComponent", "PartComponent",

"CIM_Memory", true);

Returns an array of CIM_Memory object referenced by traversing the CIM_SystemDevice association from the current object (ComputerSystem) using the given roles

2. collect (Self, “CIM_SystemDevice”, ”GroupComponent”, ”PartComponent”, ”CIM_Memory”,BlockSize,true);

Returns an array of properties of type BlockSize corresponding to each CIM_Memory instance associated with the computer system.

3. collect (Self, "CIM_SystemDevice", "GroupComponent", "PartComponent", "CIM_Memory", true)[0].BlockSize;

Returns the BlockSize property of the first CIM_Memory instance associated with the ComputerSystem


Traversing Multiple AssociationsPhysicalElement ->

(realizes)

LogicalDevice ->

(deviceServiceImplementation)

Service


Traversing Multiple Associations (continued)

collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, LogicalDevice, true)[1].deviceID

collect( collect(PhysicalElement.Self , Realizes, PhysicalElement, LogicalDevice, true)[1], DeviceServiceImplementation, LogicalDevice, Service, Service, True)[1].Started


Policy Groups

Aggregate Policies and other Policy Groups

Provides a hierarchical structure to CIM-SPL policies to help model hierarchies in the CIM Model

Simplifies designing of policies for complex CIM systems comprising of several sub-systems.

E.g. A SAN Fabric has a host, switch and array instances (distinguished by the dedicated property). Individual policies can be defined for each of the sub components along with a aggregating Policy group for the entire fabric.


Policy GroupExample


Group Scope Specification

<Name=“System1”> Object associated with the initial call

Import xxx::CIM_AdminDomain

Import yyy::CIM_ComputerSystem: Dedicated ==“switch”

PolicyGroup:CIM_SystemDevice(GroupComponent,PartComponent)

Import yyy::CIM_LogicalPortGroup

Import yyy::CIM_ComputerSystem: Dedicated == “storage”

PolicyGroup:

PolicyGroup:


Decisions in CIM-SPL

Types of Actions a. Invoke a method on the anchor object instance

<method name>(<argument name>=<expression>[,<argument name> = <expression>]*)

b. Modify properties of the anchor object instanceSet(<argument name>=<expression>[,<argument name> = <expression>]*)

c. Invoke a policy (cascaded policy evaluation)InvokePolicy(<policy name>,<expression>)

Action Workflowa. <action block> <action block>

a sequence of Policy Action evaluationsb. <action block> | | <action block>

concurrency "some" semantics c. <action block> && <action block>

concurrency "all" semantics d. <action block> | <action block>

conditional


CIM-SPL Policy Provider in Open Pegasus

CIM-SPL Policy Processor is implemented as an Instance and Method CIM Provider

Pre-Requisites:– Runs on Pegasus 2.7.0

– Requires ANTLR v2.7.7

– ICUv3.2 libraries are optional

Configuration:– Optional compiled in Open Pegasus

– Configured to “run as requestor”

– Logging can be enabled/disabled at runtime


CIM-SPL Provider in Open Pegasus (continued)

Features:– Supports 100+ built-in operators

– Policy executed with requesting user’s privileges

– On demand loading of policies for performance

– Easy to use CLI utility provided

– Audit log generated for all major operation

Limitations:– Policies currently stored as plain text

– Relies on underlying CIM-Server for security

– Only request based evaluation of policies supported (no automatic triggering of evaluations support yet)


CIM-SPL Policy Provider Architecture

CIMOM

Policy Provider

(Method & Instance)

Policy Manager

Policy Data Store

Policy

Repository

Policy Cache

Policy Parser

Actuator

Data Collector


Policy CLI Utility

Sample CLI to be shipped with OpenPegasus

Example Usage:– Create policy : policyprovidertestclient –c <directory where policy is located> <policy

name>

– Modify policy : policyprovidertestclient –m <directory where policy is located> <policy name>

– Delete policy : policyprovidertestclient –d <policy name>

– List policy : policyprovidertestclient –l <policy name>

– Execute policy: policyprovidertestclient –x <policy name>


Use-case 1 : IT Compliance

Goal: As the number of IT resources in an organization grows the task of ensuring compliance to corporate policies continues to get harder. Automate compliance enforcement.

Solution: Convert the IT compliance policy rules to a CIM-SPL policy. Run the policy periodically to automatically reconfigure the resources to make them compliant.


IT Compliance (continued)

Sample Corporate IT policy–Must have business owner

–Firewall must installed and enabled

–Password length > 8 chars

–Password Expiration < 90

Computer System

GUID

Host Name

IP Address

Location

Business Owner

Firewall

GUID

vendor

status

version

Operating System

GUID

Name

Version

MinPasswordLength

PasswordExpirationDays

installedOn

hasA

CIM Classes


Computer System

GUID = 1111111111

Host Name = “acdemox1”

IP Address = “9.42.117.20”

Location = “RTP”

Business Owner = “”

Firewall

GUID = 211111115

Vendor = “Symantec”

Status = true

Version = “1.0”

Operating System

GUID = 1111111115

Name = “winxp”

Version = “sp2”

MinPasswordLength = 0

PasswordExpiration = 240

Computer System

GUID = 1111111112


IP Address = “9.42.117.21”


Business Owner = “Prashant”

Firewall

GUID = 211111116

Vendor = “red hat”

Status = false

Version = “1.0”

Operating System

GUID = 1111111116

Name = “rhel4”

Version = “2.6.9”



Computer System

GUID = 1111111113


IP Address = “9.42.117.22”


Business Owner = “Neeraj”

Firewall

GUID = 211111117

Vendor = “IBM”

Status = true Version = “1.0”

Operating System

GUID = 1111111117

Name = “aix”

Version = “5.3”



Sample CIM Instances


IT Compliance (continued) : Algorithm

For each Computer System instance check the business owner field and correct if necessary

For each Operating System instance related to the current Computer System check its minimum password length and maximum password expiry period

For each Firewall associated with the current Operating System check whether it is enabled and if not enable it.


Policy For Computer System

Policy To check business owner exists

Policy Group for Operating System

Policy Group for Firewall

Check if Firewall is enabled

IT Compliance (continued) : Policy Structure

Policy to check Password length

Policy to check Password Expiration Days


IT Compliance (continued) : CIM-SPL Policy (1 of 4)

Import ITCompliance CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_ComputerSystem;

Strategy Execute_All_Applicable;

Policy

{

Condition

{

StringLength(businessowner) == 0

}

Decision

{

Set(businessowner="Default") == 0

}

}:1;

“Ensure business user is set for every CS in the system, if not set it to default”



PolicyGroup : installedOn (system, software){ Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_OperatingSystem; Strategy Execute_All_Applicable; Policy { Declaration { requiredPasswordLength = 8; } Condition { requiredPasswordLength > minpasswordlength } Decision { Set(minpasswordlength = requiredPasswordLength) == 0 } }:3;

“For the OS instance associated with current CS ensure minimum password length is 8”



Policy { Declaration { requiredMaxExpirationDays = 90; } Condition { requiredMaxExpirationDays < maxpasswordexpirationdays } Decision { Set(maxpasswordexpirationdays = requiredMaxExpirationDays) == 0 } }:4;

“Ensure maximum number of days for password expiration is set to 90”



PolicyGroup : hasA (system, software)

{ Import SAMPLE CIM_V_2_8_CIM_Core28Final::root/cimv2 AC_Firewall; Strategy Execute_All_Applicable; Policy { Declaration { desiredStatus = true; } Condition { status != desiredStatus } Decision { Set(status = desiredStatus) == 0 } }:6; }:5; }:2;

“Ensure the Firewall instance associated to the current OS is active”


Use Case 2 : Virtualization

Goal: Dynamically resize the memory of a collection of virtual computer systems based on memory usage.

Solution: A CIM-SPL policy that gathers virtual memories attached to a virtual computer system, check its usage and resize based on set policies


Virtualization (continued) : Virtual resources in the system


Virtualization (continued) : Algorithm

Starting from a virtual CIM_ComputerSystem retrieve the CIM_RegisteredProfile instance associated with it using the elementConformsToProfile association

From this CIM_RegisteredProfile instance retrieve instances of virtual memory registered profile associated with it using the ReferencedProfile association

For the virtual memory registered profile retrieve the CIM_Memory instances associated with it using the elementConformsToProfile association

Check the memory usage of each instance and resize the memory accordingly


Virtualization (continued) : Policy 1 (1 of 2)

Import VirtualizationExample CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_ComputerSystem;

Strategy Execute_All_Applicable;

Policy { Declaration { instanceOfRegisteredProfileForComputerSystem = collect(Self, "CIM_ElementConformsToProfile",

"ManagedElement", "ConformantStandard", “CIM_RegisteredProfile",true)[0];

Macro { Name = GetInstanceOfRegisteredProfileForMemoryProfile;

type = CIMReference; argument = instanceOfRegisteredProfileForCS:CIMReference;

procedure = collect(instanceOfRegisteredProfileForCS, "CIM_ReferencedProfile", "Antecedent", "Dependant", "CIM_RegisteredProfile", contains(RegisteredName,"Memory")[0]);

} /* End Macro */

“Collect instances of virtual memory associated with the virtual CS that conform to the memory profile”

Retrieve instance of Registered Profile associated with the current

CS

Retrieve instance of Registered Profile for Memory associated with

the Registered Profile obtained earlier


Virtualization (continued) : Policy 1 (2 of 2)

Macro { Name = GetInstancesOfMemoryThatConformToMemoryProfile;

type = CIMReference[];

argument = CIMObjectPath:instanceOfRegisteredMemoryProfile;

procedure = collect(instanceOfRegisteredMemoryProfile, "CIM_ElementConformsToProfile", "ConformantStandard", "ManagedElement", "CIM_Memory", true); } /* End Macro */

memoryOfVirtualSystems = GetInstancesOfMemoryThatConformToMemoryProfile(GetInstanceOfRegisteredProfileForMemoryProfile

(instanceOfRegisteredProfileForComputerSystem) ) } /* End Declaration */

Condition { CollectionSize(memoryOfVirtualSystems) > 0

} Decision {

InvokePolicy("IncreaseMemoryIfRequired",memoryOfVirtualSystems) == 0 }}:1;

Find instances of Memory associated

with Memory Registered Profile obtained earlier

Invoke the IncreaseMemoryIfRequired policy by Passing the obtained memory instances


Virtualization (continued) : Policy2

Import IncreaseMemoryIfRequired CIM_V_2_8_CIM_Core28Final::root/cimv2 CIM_Memory;Strategy Execute_All_Applicable;

Declaration { totalMemory = BlockSize * NumberOfBlocks;

availableMemory = BlockSize * ConsumableBlocks;

memoryIncrementFactor = (5 / 100)* NumberOfBlocks;

memoryDecrementFactor = (5 / 100)* NumberOfBlocks;

Macro { Name = GetPercentageOfFreeMemory; type = Real64; argument = freeMemory:uint64,totMemory:uint64; procedure = (freeMemory / totMemory)*100;

} }Policy {

Condition { GetPercentageOfFreeMemory(availableMemory,totalMemory) < 5

} Decision {

Set(NumberOfBlocks = memoryIncrementFactor + NumberOfBlocks) == 0 }

}:1;Policy {

Condition { totalMemory > 1024 && GetPercentageOfFreeMemory(availableMemory,totalMemory) > 90

} Decision {

Set(NumberOfBlocks = memoryDecrementFactor + NumberOfBlocks) == 0 }

}:2;

“check memory usage, increase or decrease the total size as required”

•Calculate total, available memory

•Calculate the memory increment & decrement factors

calculate the percentage of free memory

If percentage of free memory < 5 increase total memory

If percentage of free memory > 90 decrease total memory


DEMO


Wrap Up and Future direction

In summary the CIM-SPL provides a simple yet powerful mechanism for defining and executing policies in the CIM space.

Future Work– Support for automatic evaluation based on Indications

– Eclipse based policy editor


References

DMTF CIM-SPL Specification http://www.dmtf.org/standards/published_documents/DSP0231.pdf

CIM-SPL OpenPegasus PEP 297 http://www.openpegasus.org/pp/protected/upreviews/20/2343/PEP297_CIMSPL_Support.htm

DMTF CIM Policy Model www.dmtf.org/standards/documents/CIM/DSP0108.pdf


Acknowledgments

Jorge Lobo, David Kaminsky, Dave Sudlik, Prashant Baliga, Xiping Wang, Dakshi Agrawal, Kang-Won Lee, Seraphin Calo

The OpenPegasus Architecture Team and the DMTF Policy WG


Questions?

Documents

© 2007 IBM Corporation DMTF Policy: CIM-SPL Policy Language Tutorial July 2007 Portland OR Neeraj R. Joshi [email protected]@us.ibm.com Autonomic