how to code policies in irods
play

How to Code Policies in iRODS Arcot (Raja) Rajasekar Reagan Moore - PowerPoint PPT Presentation

Dec 12, 2022 •366 likes •690 views

How to Code Policies in iRODS Arcot (Raja) Rajasekar Reagan Moore DICE Center/SILS/RENCI University of North Carolina Chapel Hill, NC, USA. Introduction How Policy Is Invoked? Policy Points Where Policy is Invoked in iRODS

  1. How to Code Policies in iRODS Arcot (Raja) Rajasekar Reagan Moore DICE Center/SILS/RENCI University of North Carolina Chapel Hill, NC, USA.

  2. Introduction  How Policy Is Invoked?  Policy Points – Where Policy is Invoked in iRODS  Rules as computed-executable Policies  Semantics of Rule Execution  Data Involved in Policy Execution  Sample Policies through Examples

  3. Using a Policy-EnabledData Grid Seattle San Diego Chapel Hill Meta Data DB Catalog iRODS Server iRODS Server iRODS Server Rule Engine Rule Engine Rule Engine • User asks for data using logical properties • Data request goes to 1 st Server • Server looks up info in Metadata Catalog & Applies policies • Catalog tells 2 nd server has data • 1 st server asks 2 nd server for data • 2 nd server applies policies and serves data

  4. Policy Points in iRODS  Policies are applied at specific points in iRODS  Examples: Just before data creation (useful to find where to put the data,  what access control to apply, what type of streaming to use, versioning of overwritten files,…) Just after data has been transferred into iRODS (useful to perform  metadata extraction and registration into Metadata Catalog, Replicating or Copying Data, Computing Checksums, Giving Other user access permissions, setting flags, launching tasks to create derived products, sending email to subscribed users,…) Just before removing a file/collection (useful to stop this operation,  putting things into trash bin instead of removing it, notifying someone, delaying the operation for a day, removing derived products,…) Just before creating a user (useful to put in groups, creating  system objects such as home collection, trash bin,etc., making more security checks, notifying group managers, creating user profiles, …)

  5. Some Policy Points in iRODS acPostProcForDelete acPreprocForDataObjOpen   acPostProcForCollCreate acPreprocForCollCreate   acPostProcForRmColl acPreprocForRmColl   acPostProcForModifyUser acPreProcForModifyUser   acPostProcForModifyAVUmetadata acPreProcForModifyAVUmetadata   acPostProcForCreateUser acPreProcForCreateUser   acPostProcForDeleteUser acPreProcForDeleteUser   acPostProcForCreateResource acPreProcForCreateResource   acPostProcForCreateToken acPreProcForCreateToken   acPostProcForModifyUserGroup acPreProcForModifyUserGroup   acPostProcForDeleteResource acPreProcForDeleteResource   acPostProcForDeleteToken acPreProcForDeleteToken   acPostProcForModifyResource acPreProcForModifyResource   acPostProcForModifyResourceGroup acPreProcForModifyResourceGroup   acPostProcForModifyCollMeta acPreProcForModifyCollMeta   acPostProcForModifyDataObjMeta acPreProcForModifyDataObjMeta   acPostProcForModifyAccessControl acPreProcForModifyAccessControl   acPostProcForObjRename acPreProcForObjRename   acPostProcForGenQuery acPreProcForGenQuery  

  6. Policy Points in iRODS  Current Policy Points: 64  Strategically placed in the server code  If new ones are needed, we can add them.  Mostly policy points are dual: before and after some data management task.  Each policy point invokes a rule stored in core.irb under a given ruleName  Policies are made of alternative rules but only one policy is executed fully.

  7.  Each rule has several parts:  RuleName – so that one can invoke a Policy  There can be more than one rule for a RuleName  Condition – A ‘guard’ which checks if a rule can be fired or not  If one rule does not fire, the next rule with same RuleName is tried  Action chains - Body of the rule  List of Functions (workflow) performed  Made of micro-services and other rules  Recovery chains – What to do when an action fails  Made of micro-services and other rules

  8. Sample Rule Parameters RuleName OnIngestObject (*D ) { Condition ON ($userDept == sils) { Actions ::: null; msiComputeChkSum(*D) ; acReplicateFile(*D, tapeResource) ::: acTrimFile(*D, tapeResource); Micro-Service Rule Policy: On ingestion of a new file by a ‘sils’ user, immediately } compute its checksum and store it in the iCAT. Also replicate the file Recovery in ‘tapeResource’. If the replication fails remove all evidence of the } replica

  9. Sample Rule – Internal Form OnIngestObject (*D ) { ON ($userDept == sils) { msiComputeChkSum(*D) ; acReplicateFile(*D, tapeResource) ::: acTrimFile(*D, tapeResource); } } OnIngestObject(*D) | $userDept == sils | msiComputeChkSum(*D)##acReplicateFile(*D,tapeResource) | null##acTrimFile(*D,tapeResource) Conversion done by “rulegen” utility found in icommands/rulegen See also the “Rules” page in iRODS Wiki

  10. Policy Invocation Find Appropriate Invoke a Policy Rules Select First/Next Rule Failure: No More Rules False Condition Execute Recovery Check MicroService/SubAction True Execute Next MicroService/SubRule Yes No Success Success: No More MS/A

  11. How the Rule Engine Works: A: C1 | M1 M2 | R1 R2 A: C2 | M3 M4 | R3 R4 A: C3 | M5 M6 M7 | R5 R6 R7 A: C4 | M8 M9 | R8 R9 Execute A (Policy Invokes ruleName A) Check C1 (success) Execute M1 (success) Execute M2 (fail) Execute R2 Execute R1 /*R1 is also executed!*/ Check C2 (fail) Check C3 (success) Execute M5 (success) Execute M6 (success) Execute M7 (succes) A succeeds (Policy Succeeds) /* C4 is not even checked */

  12. Data Flow between Micro-services Whiteboard ($) Parameters MS MS MS Side Effects Persistent iCAT (%)

  13. Parameter Passing  Part of the MicroService Signature int findObjType ( msiParam_t *objInParam , msiParam_t *typeOutParam , ruleExecInfo_t *rei ); int ingestBulkMD ( msiParam_t *objInParam, msiParam_t *typInParam, msiParam_t *keyValuePairsInParam, ruleExecInfo *rei);  When used in a rule the “rei” parameter is implicit.

  14. WhiteBoard ($) Variables  They are stored in a structure: rei  Some common ones that are of interest  $objPath collection-path name of data object  $rescName name of resource  $userNameClient name of client-user  How to Use them:  Condition checking: $objPath like /zone/home/sekar/nvo/*  Parameter passing: findObjType($objPath,*Type)  assign($rescName, duke-samqfs )  You can find the $-variable names in:  server/config/reConfigs/core.dvm

  15. Policies And $-variables  Not all $-variables needed for every policy (ruleName).  We can find what $-variable is available at each policy-point from Table 5.2 and 5.3 in iRODS Primer .  Example: acCreateUser : $otherUserName, $otherUserZone, all  connection-level $-variables (called S1). acPreProcForObjRename: $objPath (old path) + S1  acPreProcForCollCreate: $collName, $collParentName  + S1 acPreProcForDataObjOpen: S3 (data object)+ S4  (resources) + S1 (connection) = 50 variable information…..

  16. WhiteBoard: ruleExecInfo (*rei)  A large data structure shared when invoking a rule  Implicitly used throughout the rule processing  MicroServices can access values/structs in the *rei and also set values in the *rei structure  The structure is defined in reGlobalsExtern.h and it can be extended if necessary  Contains various important structures used in the iRODS data management:  *rsComm - client-server communication structure  *doi - dataObject information  *rescGrp - resource (group) informations  *uoic - client user information  and others ….  The rule invoking function should set the proper values…

  17. Example: ATM (1)  Let us try to code the policy for an ATM to disburse money.  Assume that authentication has already been done.  Policy : payMoney If a user asks for money below a ‘ceiling value’ and has a balance above the asking value, disburse the money and debit the user account. Recover from disbursement failure.

  18. Example: ATM (2) What are the key Policy-Points:  Get User Information  Get Amount & Account Information  Check Balance and Ceiling (CheckMoney)  Subtract from the User Account Value  Count Money into the PayBin  Open the PayBin to Pay the User  Give Receipt  Commit/Rollback Changes  Write Paper Records  Shutdown  Notify User

  19. Example: ATM (3) acCheckMoney (*U, *A) { ON (*A < 300) { display(“You cannot withdraw more than $300”); displayExitMessage; } OR ON (*A < balance(*U) ) { display(“You have insufficient balance”); displayExitMessage; } } *U = user *A = Amount to pay

  20. From Policies to Rules  Write the policy with clear “keywords” that define side-effects that can be performed by micro-services.  Identify recovery mechanisms for failure  Create high-level signatures for the micro- services – split complicated micro-services  Form a workflow based on the micro-services and test various paths  Search existing rules/micro-services which can be used.  Code micro-services, if needed, and unit test  Write and test the rules

  21. Some Sample Policies  acCreateUser (default policy in core.irb)  acDataDeletePolicy (not a default – can be turned on at admin’s discretion)  Policies generated in DCAPE Project

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix

iRODS Tutorial I. Getting Started iRODS Tutorial Preview I. iRODS Getting Started unix client usage II. iRODS Data (Grid) Administration installing server and iCAT setting up users adding new resources to a data grid/zone

718 views • 42 slides
iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS

iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS

iRODS Tutorial II. Data Grid Administration iRODS Tutorial Preview I. iRODS Getting Started unix client usage II. iRODS Data Grid Administration installing server and iCAT setting up users adding new resources

1.05k views • 71 slides
iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell

iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell

iRODS Client: iRODS Client: AWS Lambda Function for S3 1.0 AWS Lambda Function for S3 1.0 Terrell Russell, Ph.D. June 9-12, 2020 @terrellrussell iRODS User Group Meeting 2020 Chief Technologist, iRODS Consortium Virtual Event 1 iRODS

276 views • 8 slides
iRODS Policies integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan, schroeder,

iRODS Policies integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan, schroeder,

iRODS Policies integrated Rule Oriented Data System Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine, sheauc}@diceresearch.org {chienyi, marciano, michael_conway}@email.unc.edu 1 Computer Actionable Rules A policy

488 views • 9 slides
More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous

More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous

Transforming Science Through Data-driven Discovery More than just Load Balancing iRODS Using HAProxy Tony Edgin iRODS UGM 2019 Purpose Previous work shows how to proxy iRODS for high availability. High Availability iRODS System (HAIRS)

424 views • 19 slides
iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine,

iRODS Micro-Services Reagan Moore {moore, sekar, mwan, schroeder, bzhu, ptooby, antoine, sheauc}@diceresearch.org {chienyi, marciano, michael_conway}@email.unc.edu 1 Implications iRODS policies are enforced at the remote storage location

151 views • 14 slides
iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June

iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June

iRODS S3 Plugin iRODS S3 Plugin with Direct Streaming with Direct Streaming Justin James June 9-12, 2020 Applications Engineer iRODS User Group Meeting 2020 iRODS Consortium Virtual Event 1 Existing Cacheless Limitations While the

677 views • 18 slides
iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications

iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications

iRODS at Bristol Myers Squibb Status and Prospects. Leveraging iRODS for scientific applications in Amazon AWS Cloud Mohammad Shaikh | Oleg Moiseyenko Scientific Cloud Computing iRODS UGM, Jun 9-11, 2020 R&amp;D, Informatics &amp; Predictive

361 views • 21 slides
iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht,

An authentication solution for iRODS based on the OpenID Connect protocol iRODS UGM 2019 Michele Carpen - m.carpen@cineca.it iRODS UGM 2019 26-27 June 2019, Utrecht, The Netherlands Acronyms PAM Pluggable Authentication Module . Provides

486 views • 13 slides
iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced

iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced

iRODS Advanced Features Michael Wan mwan@diceresarch.org http://irods.org/ iRods advanced features Data Transfer modes Structured file implementation iRods FUSE implementation Data Transfer Three modes Sequential file

418 views • 15 slides
The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS

The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS

The SRB service at STFC and the road to iRODS(?) Roger Downing Kevin ONeill iRODS Workshop, Lyon 1 Feb, 2009 Science and Technology Facilities Council STFC Formed by combining CCLRC (labs) &amp; PPARC (PP + astronomy funding)

681 views • 32 slides
iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira

iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira

iRODS Im Impact on Science and Data Management iRODS UGM 2017 Ashok Krishnamurthy ,Kira Bradford, Michael Conway, Michael Shoffner, Justin James iRODS impact on data management for Scienctific domains: 2 Use Cases BRAIN-I A unified

478 views • 23 slides
Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020

Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020

Using iRODS as an entry point to VITAM for long-term data preservation IRODS UGM 2020 06/11/20 - Matthieu Caux &amp; Samuel VISCAPI Irods metadata : Archived : False Archived : True Sent : True Sent : False X-Request-Id : Null

146 views • 13 slides
Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting

Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting

Using iRODS as a presentation layer for Research Data Storage at UCL iRODS User Group meeting 2017, Utrecht. 2017-06-14 Daniel Hanlon (d.hanlon@ucl.ac.uk) - University College London Contents Research Data Services @ UCL iRODS infrastructure

135 views • 9 slides
IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS,

IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS,

IRODS IN CONTEXT EXPLORING INTEGRATIONS BETWEEN IRODS AND RESEARCHDRIVE / OWNCLOUD HYLKE KOERS, GROUP LEADER DATA MANAGEMENT SERVICES Introducing SURF SURF is the collaborative ICT organisation for Dutch education and research SURF offers

534 views • 35 slides
NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting

NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting

NFSRODS NFSRODS Kory Draughn June 25-28, 2019 korydraughn@renci.org iRODS User Group Meeting 2019 Software Developer, iRODS Consortium Utrecht, Netherlands NFSRODS - Overview What A new iRODS client Presents iRODS as NFSv4.1 Allows an

541 views • 16 slides
A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research International Symposium on Grids &amp; Clouds 2016 15 March 2016 Academia Sinica, Taipei, Taiwan Eisaku

503 views • 17 slides
GANT eduPKI in 3 Slides Servicing GANT Services Reimer Karlsen-Masur, DFN-CERT Services GmbH

GANT eduPKI in 3 Slides Servicing GANT Services Reimer Karlsen-Masur, DFN-CERT Services GmbH

GANT eduPKI in 3 Slides Servicing GANT Services Reimer Karlsen-Masur, DFN-CERT Services GmbH GN3+ TLs meet the PMO Meeting DANTE, Cambridge / UK, 26.03.2013 Slides &amp; Related Materials @ https://www.edupki.org connect

449 views • 6 slides
Quadrature Domains and Equilibrium on the Sphere Alan Legg Department of Mathematical Sciences,

Quadrature Domains and Equilibrium on the Sphere Alan Legg Department of Mathematical Sciences,

Quadrature Domains and Equilibrium on the Sphere Alan Legg Department of Mathematical Sciences, Purdue Fort Wayne MWAA October 7, 2018 Alan Legg Quadrature Domains and Equilibrium on the Sphere This talk will represent work with P. Dragnev,

840 views • 81 slides
On the (In)security of SNARK s in the Presence of Oracles Anca Nitulescu, Dario Fiore cole

On the (In)security of SNARK s in the Presence of Oracles Anca Nitulescu, Dario Fiore cole

On the (In)security of SNARK s in the Presence of Oracles Anca Nitulescu, Dario Fiore cole Normale Suprieure, CNRS and INRIA, Paris, France Delegate NP computation m Delegate NP computation m Proof ? Arguments of knowledge Succinct

686 views • 58 slides
Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of

Outline Access control: mechanism and policy Unix filesystem concepts CSci 4271W Development of Secure Software Systems Project 1 expectations Day 8: Unix Access Control Unix permissions basics Stephen McCamant Exercise: using Unix

874 views • 6 slides
After Arbitration: Filing Exceptions with the Authority July 18, 2017 Filing Exceptions with the

After Arbitration: Filing Exceptions with the Authority July 18, 2017 Filing Exceptions with the

After Arbitration: Filing Exceptions with the Authority July 18, 2017 Filing Exceptions with the Authority 7/18/2017 2 ? Whats the difference? Filing Exceptions with the Authority 7/18/2017 3 Normally confined to the

1.53k views • 125 slides
Un-scratching Lustre MSST 2019 Cameron Harr (Lustre Ops &amp; Stuff, LLNL) May 21, 2019

Un-scratching Lustre MSST 2019 Cameron Harr (Lustre Ops &amp; Stuff, LLNL) May 21, 2019

Un-scratching Lustre MSST 2019 Cameron Harr (Lustre Ops &amp; Stuff, LLNL) May 21, 2019 LLNL-PRES-773414 This work was performed under the auspices of the U.S. Department of Energy by Lawrence Livermore National Laboratory under Contract

322 views • 14 slides
Nevada Transition to Policy-Based Payments April 9 th 2019 INFORMATION NOT RELEASABLE TO THE

Nevada Transition to Policy-Based Payments April 9 th 2019 INFORMATION NOT RELEASABLE TO THE

Nevada Transition to Policy-Based Payments April 9 th 2019 INFORMATION NOT RELEASABLE TO THE PUBLIC UNLESS AUTHORIZED BY LAW: This information has not been publicly disclosed and may be privileged and confidential. It is for internal government

613 views • 24 slides

More recommend