Policy Training

Supported Policy Implementations

Jason Coposky

@jason_coposky

Executive Director, iRODS Consortium

August 3-6, 2020

KU Leuven Training

Webinar Presentation

Consortium Supported Policy

The consortium gathers requirements from the community and reflects them back as supported policy implementations.

Current Policy Implementations (referred to as Capabilities):

  • AMQP Audit Trail
  • Logical Quotas
  • Hard Links
  • Metadata Guard
  • Storage Tiering
  • Indexing
  • Publishing

AMQP Audit Plugin

A packaged plugin that emits an AMQP message with a JSON payload for every event within the system

Example Configuration:

{
  "instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
  "plugin_name": "irods_rule_engine_plugin-audit_amqp",
  "plugin_specific_configuration" : {
    "amqp_location" : "ANONYMOUS@localhost:5672",
    "amqp_options" : "",
    "amqp_topic" : "audit_messages",
    "pep_regex_to_match" : "audit_.*"
  }
},

...

"rule_engine_namespaces": [
  "",
  "audit_"
],

The event stream can be ingested by infrastructure like the Elastic Stack for dashboards as well as provenance tracking
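An added lint for this fragment (example code, not the plugin's or the consortium's own): it loads a constructed copy of the configuration above, checks that pep_regex_to_match compiles and that some entry in rule_engine_namespaces yields PEP names the regex actually matches (otherwise the plugin never fires), and flags the ANONYMOUS@ broker login so a reviewer confirms the AMQP endpoint is not left unauthenticated outside a lab. The sample PEP name and the reading of ANONYMOUS@ as anonymous broker authentication are assumptions.

```python
"""Lint the AMQP audit plugin entry of an iRODS server_config.json fragment.
Added example, not the plugin's own code; the keys are the ones on the slide,
the PEP name used for the namespace check is a constructed sample."""
import json
import re

# Constructed fragment mirroring the slide's example configuration.
SERVER_CONFIG_FRAGMENT = json.loads("""
{
  "rule_engines": [
    {
      "instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
      "plugin_name": "irods_rule_engine_plugin-audit_amqp",
      "plugin_specific_configuration": {
        "amqp_location": "ANONYMOUS@localhost:5672",
        "amqp_options": "",
        "amqp_topic": "audit_messages",
        "pep_regex_to_match": "audit_.*"
      }
    }
  ],
  "rule_engine_namespaces": ["", "audit_"]
}
""")

AUDIT_PLUGIN = "irods_rule_engine_plugin-audit_amqp"
SAMPLE_PEP = "pep_api_data_obj_put_post"   # assumption: a representative PEP name


def lint_audit_config(config):
    """Return a list of findings; an empty list means the fragment looks consistent."""
    findings = []
    entries = [e for e in config.get("rule_engines", [])
               if e.get("plugin_name") == AUDIT_PLUGIN]
    if not entries:
        return ["audit plugin is not configured"]
    psc = entries[0].get("plugin_specific_configuration", {})
    try:
        pattern = re.compile(psc.get("pep_regex_to_match", ""))
    except re.error as exc:
        return [f"pep_regex_to_match does not compile: {exc}"]
    # The framework prefixes each PEP name with every configured namespace and the
    # plugin only handles names matching its regex, so one namespace must line up.
    namespaces = config.get("rule_engine_namespaces", [])
    if not any(ns and pattern.match(ns + SAMPLE_PEP) for ns in namespaces):
        findings.append("no rule_engine_namespace produces PEP names matching pep_regex_to_match")
    # Assumption: 'ANONYMOUS@' selects anonymous broker authentication; surface it
    # so the reviewer confirms the broker is not reachable without credentials.
    if psc.get("amqp_location", "").upper().startswith("ANONYMOUS@"):
        findings.append("amqp_location uses anonymous broker authentication")
    return findings


if __name__ == "__main__":
    for finding in lint_audit_config(SERVER_CONFIG_FRAGMENT) or ["ok"]:
        print(finding)
```

The namespace check is the one that bites in practice: dropping "audit_" from rule_engine_namespaces leaves the plugin installed but silent, with no error in the logs to point at it.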

Logical Quotas

Allows administrators to track and enforce limits on the number of bytes and data objects in a collection using metadata

Example Configuration:

"rule_engines": [
    {
        "instance_name": "irods_rule_engine_plugin-logical_quotas-instance",
        "plugin_name": "irods_rule_engine_plugin-logical_quotas",
        "plugin_specific_configuration": {
            "namespace": "irods::logical_quotas",
            "metadata_attribute_names": {
                "maximum_number_of_data_objects": "maximum_number_of_data_objects",
                "maximum_size_in_bytes": "maximum_size_in_bytes",
                "total_number_of_data_objects": "total_number_of_data_objects",
                "total_size_in_bytes": "total_size_in_bytes"
            }
        }
    },

    // ... Previously installed rule engine plugin configs ...
]

Logical Quotas

The following operations are supported:

  • logical_quotas_count_total_number_of_data_objects
  • logical_quotas_count_total_size_in_bytes
  • logical_quotas_recalculate_totals
  • logical_quotas_set_maximum_number_of_data_objects
  • logical_quotas_set_maximum_size_in_bytes
  • logical_quotas_start_monitoring_collection
  • logical_quotas_stop_monitoring_collection
  • logical_quotas_unset_maximum_number_of_data_objects
  • logical_quotas_unset_maximum_size_in_bytes
  • logical_quotas_unset_total_number_of_data_objects
  • logical_quotas_unset_total_size_in_bytes

These operations can be invoked with irule to apply policy controls to collections

Logical Quotas

Set a maximum limit on the number of data objects:

irule -r irods_rule_engine_plugin-logical_quotas-instance '{"operation": "logical_quotas_set_maximum_number_of_data_objects", "collection": "/tempZone/home/rods", "value": "100"}' null ruleExecOut

Start monitoring a collection:

irule -r irods_rule_engine_plugin-logical_quotas-instance '{"operation": "logical_quotas_start_monitoring_collection", "collection": "/tempZone/home/rods"}' null ruleExecOut
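To make concrete how "track and enforce limits using metadata" works, here is an added model of the policy (example code, not the plugin's own): the four attribute names come from the configuration slide, the limits and running totals live as AVUs on the collection, and a put is admitted only if both limits still hold afterwards. The in-memory collection, the operation functions and the object sizes are constructed; the last function builds the irule invocation from the slides as an argv list so a collection path is never spliced into a shell string.

```python
"""Model of how Logical Quotas tracks and enforces limits through collection
metadata. Added example, not the plugin's code: the attribute names come from
the slide's configuration; the in-memory collection, the operation functions
and the sample objects are constructed for illustration."""
import json

ATTRS = {
    "maximum_number_of_data_objects": "maximum_number_of_data_objects",
    "maximum_size_in_bytes": "maximum_size_in_bytes",
    "total_number_of_data_objects": "total_number_of_data_objects",
    "total_size_in_bytes": "total_size_in_bytes",
}
COUNT, SIZE = ATTRS["total_number_of_data_objects"], ATTRS["total_size_in_bytes"]
MAX_COUNT, MAX_SIZE = ATTRS["maximum_number_of_data_objects"], ATTRS["maximum_size_in_bytes"]


class Collection:
    """A collection as the policy sees it: its AVUs plus the objects it holds (constructed)."""

    def __init__(self, path):
        self.path = path
        self.avus = {}      # attribute -> value, what `imeta ls -C <path>` would show
        self.objects = {}   # data object name -> size in bytes


def recalculate_totals(coll):
    """logical_quotas_recalculate_totals: rebuild the running totals from what is present."""
    coll.avus[COUNT] = len(coll.objects)
    coll.avus[SIZE] = sum(coll.objects.values())
    return coll.avus[COUNT], coll.avus[SIZE]


def start_monitoring(coll):
    """logical_quotas_start_monitoring_collection: seed the totals so writes can be checked."""
    return recalculate_totals(coll)


def set_maximum(coll, which, value):
    """logical_quotas_set_maximum_*: the limit is simply metadata on the collection."""
    coll.avus[ATTRS[which]] = int(value)


def put_object(coll, name, size):
    """The check a data object write triggers under the policy: compute the totals after
    the write, admit it only if neither limit is exceeded, then update the AVUs.
    Returns (allowed, count, size) with the totals in effect after the call."""
    if COUNT not in coll.avus:
        raise RuntimeError(f"{coll.path} is not monitored")
    new_count = coll.avus[COUNT] + (0 if name in coll.objects else 1)
    new_size = coll.avus[SIZE] + size - coll.objects.get(name, 0)   # overwrite replaces
    max_count = coll.avus.get(MAX_COUNT)
    max_size = coll.avus.get(MAX_SIZE)
    if (max_count is not None and new_count > max_count) or \
       (max_size is not None and new_size > max_size):
        return False, coll.avus[COUNT], coll.avus[SIZE]
    coll.objects[name] = size
    coll.avus[COUNT], coll.avus[SIZE] = new_count, new_size
    return True, new_count, new_size


def irule_command(instance, operation, collection, value=None):
    """Build the irule invocation from the slides as an argv list, so the collection
    path is passed as a single argument rather than interpolated into a shell string."""
    payload = {"operation": operation, "collection": collection}
    if value is not None:
        payload["value"] = str(value)
    return ["irule", "-r", instance, json.dumps(payload), "null", "ruleExecOut"]


if __name__ == "__main__":
    home = Collection("/tempZone/home/rods")
    start_monitoring(home)
    set_maximum(home, "maximum_size_in_bytes", 1000)
    print(put_object(home, "a.dat", 400), put_object(home, "b.dat", 700))
```

Because the totals are ordinary AVUs, anyone who can edit metadata on the collection can alter the enforced numbers; that is the gap Metadata Guard, later in this deck, is designed to close.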

Hard Links

Provides hard link support within iRODS

Configuration:

"rule_engines": [
    {
        "instance_name": "irods_rule_engine_plugin-hard_links-instance",
        "plugin_name": "irods_rule_engine_plugin-hard_links",
        "plugin_specific_configuration": {}
    },

    // ... Previously installed rule engine plugin configs ...
]

Hard Links

Creating a hard link:

irule -r irods_rule_engine_plugin-hard_links-instance '{"operation": "hard_link_create", "logical_path": "/tempZone/home/rods/foo", "replica_number": "0", "link_name": "/tempZone/home/rods/bar.hl"}' null ruleExecOut

Parameters of the JSON passed to the plugin:

{
    // One of the operations listed above.
    // Because there is only one operation at this time, this should
    // be set to "hard_link_create".
    "operation": "<value>",

    // The absolute path of the source data object.
    "logical_path": "<value>",

    // The replica number identifying a specific replica under the
    // source data object.
    "replica_number": "<value>",

    // The absolute logical path to use for the new hard linked data object.
    // This path will point to the physical path identified by
    // tuple (logical_path, replica_number).
    "link_name": "<value>"
}

Metadata Guard

Provides access control around metadata

Configuration:

"rule_engines": [
    {
        "instance_name": "irods_rule_engine_plugin-metadata_guard-instance",
        "plugin_name": "irods_rule_engine_plugin-metadata_guard",
        "plugin_specific_configuration": {}
    },

    // ... Previously installed Rule Engine Plugin configs ...
]

Metadata Guard

JSON schema for collection metadata:

{
    // The list of strings that represent metadata that should be guarded.
    // In this example, any metadata beginning with "irods::" will be treated specially
    // and require that the user be an administrator or classified as an editor, depending
    // on the configuration.
    "prefixes": ["irods::"],

    // Only administrators are allowed to modify metadata.
    // This option supersedes the "editors" option.
    "admin_only": true,

    // The list of editors that can modify guarded metadata.
    "editors": [
        {
            // The type of entity that is allowed to modify metadata.
            // The following options are available:
            // - "user"
            // - "group"
            "type": "group",

            // The name of the iRODS entity.
            // For remote users, you must include the zone (e.g. "rods#tempZone").
            "name": "rodsadmin"
        }
    ]
}

Metadata Guard

Usage

imeta set -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "admin_only": true}'

Any time a request to modify metadata is detected by the server, the Rule Engine Plugin will read the JSON config and determine whether the user should be allowed to continue.
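The decision the plugin makes on each metadata request, as an added model (example code, not the plugin's own): it parses the JSON stored under irods::metadata_guard by the imeta command above, treats only attributes under a configured prefix as guarded, lets administrators through unconditionally, applies admin_only ahead of the editors list, and matches user editors against either the bare name (local users) or name#zone (required for remote users, as the schema notes). The local zone name, the user directory and the exact matching rules are constructed assumptions.

```python
"""Model of the Metadata Guard decision. Added example, not the plugin's code: the
configuration keys (prefixes, admin_only, editors) and the AVU name are those on
the slides; the local zone, the user directory and the bare-versus-qualified
editor name matching are constructed assumptions."""
import json

LOCAL_ZONE = "tempZone"   # assumption: the zone whose root collection carries the AVU

# Constructed directory: "name#zone" -> (is rodsadmin, groups the user belongs to)
USERS = {
    "rods#tempZone": (True, {"rodsadmin", "public"}),
    "curator#tempZone": (False, {"curators", "public"}),
    "alice#tempZone": (False, {"public"}),
    "bob#otherZone": (False, {"public"}),
}


def load_guard_config(avu_value):
    """Parse and sanity-check the value stored under irods::metadata_guard."""
    config = json.loads(avu_value)
    if not isinstance(config.get("prefixes"), list):
        raise ValueError("prefixes must be a list of strings")
    for editor in config.get("editors", []):
        if editor.get("type") not in ("user", "group") or "name" not in editor:
            raise ValueError(f"malformed editor entry: {editor!r}")
    return config


def is_guarded(attribute, config):
    """Only attributes that start with a configured prefix are subject to the guard."""
    return any(attribute.startswith(p) for p in config["prefixes"])


def _editor_matches_user(editor_name, user):
    # Editors may be written as "name" (local users) or "name#zone"; remote users
    # must carry the zone, so a bare name never matches a user from another zone.
    name, zone = user.split("#", 1)
    return editor_name == user or (zone == LOCAL_ZONE and editor_name == name)


def may_modify(user, attribute, config):
    """Decide whether `user` ("name#zone") may add, set or remove `attribute`."""
    if not is_guarded(attribute, config):
        return True          # not guarded: ordinary iRODS permissions decide
    is_admin, groups = USERS.get(user, (False, set()))
    if is_admin:
        return True          # administrators always pass
    if config.get("admin_only", False):
        return False         # admin_only supersedes the editors list
    for editor in config.get("editors", []):
        if editor["type"] == "user" and _editor_matches_user(editor["name"], user):
            return True
        if editor["type"] == "group" and editor["name"] in groups:
            return True
    return False


if __name__ == "__main__":
    cfg = load_guard_config('{"prefixes": ["irods::"], "admin_only": true}')
    for who in USERS:
        print(who, may_modify(who, "irods::example", cfg))
```

Note that an unknown user falls through to "no groups, not an administrator", so the model fails closed for guarded attributes; that is the behaviour to preserve in any real policy of this kind.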

Capabilities

Packaged collections of policy which meet specific outcomes

  • Storage Tiering
  • Indexing
  • Publishing

Integrity will be the final packaged capability

Questions?

KU Leuven Policy Training - Supported Policy Implementations
