Dynamic Middleware for Complex Organizational Systems (Dymacos) - PowerPoint PPT Presentation

About This Presentation
Title:

Dynamic Middleware for Complex Organizational Systems (Dymacos)

Description:

Dynamic Middleware for Complex ... Policies are specified as objects which define a relationship ... Unlike previous work on distributed rule ... – PowerPoint PPT presentation

Number of Views:181
Avg rating:3.0/5.0
Slides: 28
Provided by: Samue123
Category:

less

Transcript and Presenter's Notes

Title: Dynamic Middleware for Complex Organizational Systems (Dymacos)


1
Dynamic Middleware for Complex Organizational
Systems(Dymacos)
  • George Dimitoglou
  • Shmuel Rotenstreich

2
Main Contributions
  • New organizational object
  • Context aware policies
  • Policy driven middleware
  • Generalization of
  • Dynamic policies
  • Policy measurements

3
(No Transcript)
4
Policy
  • A lot of work was done on policy
  • Sloman distributed systems/networks management
  • Sloman authorization policy
  • Lymberopoulos adaptive policy
  • Minsky Enforcement Mechanism
  • Hull Federated Policy Management

5
Distributed systems/networks management
  • Separate management policy from the automated
    managers facilitates the dynamic change of
    behavior of a distributed management system.
  • This permits it to adapt to evolutionary changes
    in the system being managed and to new
    application requirements.
  • Two classes of policy are elaborated
  • authorization policies define what a manager is
    permitted to do and
  • obligation policy define what a manager must do.
  • Policies are specified as objects which define a
    relationship between subjects
  • (managers) and targets (managed objects).
  • Domains are used to group the objects to which a
    policy applies.
  • Policy objects have attributes specifying the
    action to be performed and constraints limiting
    the applicability of the policy.

6
Authorization Policy
  • Authorization policy defines what activities are
    permitted to perform on a target object.
  • An authorization policy may be positive
    (permitting) or negative (prohibiting)
  • Authorization policies are target based
  • i.e. there is a reference monitor associated with
    the target which enforces the policy and decides
    whether an activity is permitted or prohibited.

7
Adaptive policy
  • Proposed solutions are often restricted to
    condition-action rules where conditions are
    matched against incoming traffic flows.
  • Result static policy configurations manual
    intervention is required for configuration
    changes
  • Support
  • automated policy deployment
  • flexible event triggers to permit dynamic policy
    configuration.
  • Current focus rules for low-level device
  • Challenges remain
  • provide policy specification and adaptation
    across different abstraction layers
  • provide tools and services for the engineering of
    policy-driven systems. Policy adaptation includes
    both dynamically changing
  • policy parameters and reconfiguring the policy
    objects.

8
Enforcement Mechanism
  • The only reliable way for ensuring that a
    heterogeneous distributed community of software
    modules and people conforms to a given policy is
    for this policy to be enforced.
  • A mechanism called law-governed interaction.
  • can be used to specify a wide range of policies
    to govern the interactions and to enforce such
    policies in a decentralized manner.
  • A hierarchical inter-policy relation called
    superior/subordinate.
  • This relation is intended to serve two distinct,
    if related, purposes.
  • First, it is to help organize and classify a set
    of enterprise policies.
  • Second, this relation is to help regulate the
    long term evolution of the various policies that
    govern an enterprise.
  • If a policy P is defined as subordinate to
    policy P, P then should conform to all the
    provisions of P.

9
Towards Federated Policy Management
  • We are seeing a substantial growth in the number
    of policy engines and policy-enabled services and
    applications.
  • End-users and network operators need to have a
    unified, view of the policies that they have
    specified and a unified understanding
  • of how the policies will play out.
  • This paper addresses federated policy
    management, which allows users to specify
    preferences and policies at a high level
  • It uses automated tools to map preferences and
    policies into appropriate rule sets running on
    appropriate policy engines.

10
Federated (continued)
  • Unlike previous work on distributed rule
    processing, the focus here is in the context of
    multiple policy decisions within a single process
    flow.
  • Specifically, (in the terminology of IETF and
    Parlay/OSA) we study the case of a service or
    application that has multiple policy enforcement
    points (PEPs).
  • We present a algorithm whereby users can specify
    a single coherent rule-set expressing their
    preferences,
  • This rule-set is mapped to multiple rule-sets,
    one for each PEP in the application.

11
Monitoring Policy Management
  • Bettini Obligation Monitoring in Policy
    Management
  • Pearlman A Community Authorization Service for
    Group Collaboration
  • Jean Bacon Policies in Accountable Contracts

12
Obligation Monitoring Policy Management
  • Many policies require actions to be performed
    after a decision is made in accordance with the
    policy.
  • This paper formalizes the obligations and
    investigates mechanisms for monitoring
    obligations.
  • Especially, the paper discusses various aspects
    of how the system may compensate unfulfilled
    obligations.

13
Community Authorization Group Collaboration
  • In Grids and collaboratories, we find
    distributed communities of resource providers and
    resource consumers, within which often complex
    and dynamic policies.
  • A new approach to the representation,
    maintenance, and enforcement of such policies
    that provides a scalable mechanism for specifying
    and enforcing these policies.
  • allows resource providers to delegate authority
    for maintaining fine-grained access control
    policies to communities,
  • while still maintaining ultimate control over
    their resources.

14
Policies in Accountable Contracts
  • Accounting policies explicitly control resource
    usage within a contract architecture.
  • This allows exchange of high-level computer
    services
  • These services are specified as contracts.
  • Each contract expresses its accounting policy.
  • This is evaluated within a novel resource
    economy, in which physical resources, trust and
    money are treated homogeneously.
  • A second-order trust model continually updates
    trustworthiness opinions, based on contract
    performance.
  • Thus participants can take calculated risks,
    based on expressed policies and trust, and
    rationally choose which contracts to perform.

15
Policy Replacement
  • Granville Automated Replacement of QoS Policies

16
  • This paper introduces the notion of PoP (Policy
    of Policies) to define standard policy
    replacement strategies
  • Also proposes an architecture to support PoP
    within PDPs (Policy Decision Points originally
    defined by the IETF).
  • The notion of PoP, and the proposed architecture
    allow the automation of the policy replacement
    task.

17
Misc
  • Automated Negotiation of Access Control Policies
  • Inter-Domains policy negotiation
  • Explicit Policy Management for Virtual
    Organizations
  • XML-based Policy Engine Framework

18
Meta-Policies
  • Belokosztolszki Meta-Policies for Distributed
    Role-Based Access Control Systems
  • Soriano Policy Infrastructure as an Extension to
    the FIPA Abstract Architecture for Open Agent
    Platform Design
  • Moody OASIS Architecture, Model and Management
    of Policy
  • Chudnow New remedy for storage headaches
    meta-policies ease the pain

19
Meta-Policies for Distributed Role-Based Access
Control Systems
  • It is helpful to have a general policy
    description in order to restrict the ways in
    which policy can be modified.
  • Meta-policies fill this particular role.
  • Thus, changes to policy are subject to predefined
    constraints.
  • Meta-policies are long lived and provide users
    with stable information about the policy of the
    system.
  • They provide external bodies with relevant but
    restricted information about policies, forming a
    basis for co-operation between domains.
  • For example, a domains meta-policy can function
    as a policy interface, establishing a basis for
    agreement on the structure of the objects.
  • This way it is possible to build service level
    agreements between domains automatically.

20
Policy Infrastructure
  • Basic Policies
  • Authorization policies
  • Delegation policies used for the temporary
    transfer of rights between objects.
  • Composite Policies
  • Policy groups are a packaging construct for
    grouping related policies together for the
    purposes of policy organization and reusability.
    A meta-policy specifies constraints on the
    policies within the scope of the group.
  • Subject groups provide a semantic grouping of
    policies with a common role as the subject,
    generally pertaining to a position within an
    object society. So a subject group is a special
    case of a group, in which all the policies have
    the same subject (i.e. object role).
  • Relationships Objects acting in organizational
    positions (roles) interact with each other. A
    relationship groups the policies defining the
    rights and duties of one participating object as
    regards another. It can also include policies
    related to resources that are shared by the roles
    within the relationship. Relationships can have
    nested role definitions.

21
Architecture, Model and Management of Policy
  • Meta-policies as a means of coordinating a policy
    federation
  • Intuition behind our approach to meta-policies
    (decidable and compositional)
  • Formalization of an interface specification at
    policy level
  • specify invariance properties to which local
    managers must comply
  • allow certification of participants in a
    federated application
  • provide a stable framework to support
    interoperation of domains

22
Continued
  • components comprising the formal specification of
    a meta-policy
  • type system information - data types, objects,
    functions
  • access control system signatures - roles,
    appointments

23
Remedy for storage headaches meta-policies ease
the pain
  • Network policies are rule-based scripts that
    identify computer conditions, states, and events,
    and generate appropriate actions.
  • Huge number of proprietary storage assets,
    storage policies are hard-pressed to code
    policies that can run in heterogeneous storage
    environments.
  • Network administrators use policies to help them
    meet service-level agreements (SLAs), keeping
    storage assets provisioned and configured to meet
    space, performance, and availability metrics.
  • Storage-related policies "the measurable,
    enforceable, and realizable specification of
    methods, action and/or desired states that meet
    service requirements in a storage-based
    information infrastructure."
  • Policies can manage storage assets to improve and
    automate backup-and-restore and archiving
    procedures, supply bandwidth to demanding
    applications, and assure that a critical backup
    has the resources it needs.

24
Remedy (continued)
  • Meta-Policies
  • Storage management developers are concentrating
    on developing policies to manage policies
  • Policy engines that can manage, maintain, and
    integrate dozens or hundreds of policies across a
    storage spectrum.
  • Meta-policies are object-based, which allows
    storage administrators to re-use policy objects
    among subordinate policies.
  • A single meta-policy interface allows a storage
    administrator to create and automate sub-policies
    running across different storage devices and
    domains.

25
Remedy (continued)
  • A three-tier policy approach
  • Explicit policies These are user-defined needs,
    goals, and strategies.
  • Rule-based policies if/then events where a cause
    provokes an action.
  • Constraint policies Observe the inherent
    limitations of storage components.

26
Policy goals
  • The Policy Goals may be
  • high-level goals or
  • actions.
  • A high-level goal recover from media failure
  • An action is run the Back Up job on department
    Ds disk files.
  • The distinction between high-level goals and
    actions may depend upon the context.
  • Policy goals are specified by the meta-policy

27
Policy driven middleware
Write a Comment
User Comments (0)
About PowerShow.com