Policy Training
Supported Policy Implementations
Policy Training
Supported Policy Implementations
Jason Coposky
@jason_coposky
Executive Director, iRODS Consortium
August 3-6, 2020
KU Leuven Training
Webinar Presentation
Consortium Supported Policy
The consortium gathers requirements from the community and reflects them back a supported policy implementations
- AMQP Audit Trail
- Logical Quotas
- Hard Links
- Metadata Guard
- Storage Tiering
- Indexing
- Publishing
Current Policy Implementations:
(referred to as Capabilities)
AMQP Audit Plugin
A packaged plugin that emits an AMQP message with a JSON payload for every event within the system
{
"instance_name": "irods_rule_engine_plugin-audit_amqp-instance",
"plugin_name": "irods_rule_engine_plugin-audit_amqp",
"plugin_specific_configuration" : {
"amqp_location" : "ANONYMOUS@localhost:5672",
"amqp_options" : "",
"amqp_topic" : "audit_messages",
"pep_regex_to_match" : "audit_.*"
}
},
...
"rule_engine_namespaces": [
"",
"audit_"
], The event stream can be ingested by infrastructure like the Elastic Stack for dashboards as well as provenance
Example Configuration:
Logical Quotas
Allows administrators to track and enforce limits on the number of bytes and data objects in a collection using metadata
"rule_engines": [
{
"instance_name": "irods_rule_engine_plugin-logical_quotas-instance",
"plugin_name": "irods_rule_engine_plugin-logical_quotas",
"plugin_specific_configuration": {
"namespace": "irods::logical_quotas",
"metadata_attribute_names": {
"maximum_number_of_data_objects": "maximum_number_of_data_objects",
"maximum_size_in_bytes": "maximum_size_in_bytes",
"total_number_of_data_objects": "total_number_of_data_objects",
"total_size_in_bytes": "total_size_in_bytes"
}
}
},
// ... Previously installed rule engine plugin configs ...
]Example Configuration:
Logical Quotas
The following operations are supported:
- logical_quotas_count_total_number_of_data_objects
- logical_quotas_count_total_size_in_bytes
- logical_quotas_recalculate_totals
- logical_quotas_set_maximum_number_of_data_objects
- logical_quotas_set_maximum_size_in_bytes
- logical_quotas_start_monitoring_collection
- logical_quotas_stop_monitoring_collection
- logical_quotas_unset_maximum_number_of_data_objects
- logical_quotas_unset_maximum_size_in_bytes
- logical_quotas_unset_total_number_of_data_objects
- logical_quotas_unset_total_size_in_bytes
Which can be used with irule to invoke policy controls for collections
Logical Quotas
irule -r irods_rule_engine_plugin-logical_quotas-instance '{"operation": "logical_quotas_set_maximum_number_of_data_objects", "collection": "/tempZone/home/rods", "value": "100"}' null ruleExecOutSet a maximum limit on the number of data objects:
irule -r irods_rule_engine_plugin-logical_quotas-instance '{"operation": "logical_quotas_start_monitoring_collection", "collection": "/tempZone/home/rods"}' null ruleExecOutStart monitoring a collection:
Hard Links
Provides hard link support within iRODS
"rule_engines": [
{
"instance_name": "irods_rule_engine_plugin-hard_links-instance",
"plugin_name": "irods_rule_engine_plugin-hard_links",
"plugin_specific_configuration": {}
},
// ... Previously installed rule engine plugin configs ...
]Configuration
Hard Links
irule -r irods_rule_engine_plugin-hard_links-instance '{"operation": "hard_link_create", "logical_path": "/tempZone/home/rods/foo", "replica_number": "0", "link_name": "/tempZone/home/rods/bar.hl"}' null ruleExecOutCreating a hard link:
Provides hard link support within iRODS
{
// One of the operations listed above.
// Because there is only one operation at this time, this should
// be set to "hard_link_create".
"operation": "<value>",
// The absolute path of the source data object.
"logical_path": "<value>",
// The replica number identifying a specific replica under the
// source data object.
"replica_number": "<value>",
// The absolute logical path to use for the new hard linked data object.
// This path will point to the physical path identified by
// tuple (logical_path, replica_number).
"link_name": "<value>"
}Metadata Guard
Provides access control around metadata
"rule_engines": [
{
"instance_name": "irods_rule_engine_plugin-metadata_guard-instance",
"plugin_name": "irods_rule_engine_plugin-metadata_guard",
"plugin_specific_configuration": {}
},
// ... Previously installed Rule Engine Plugin configs ...
]Configuration:
Metadata Guard
{
// The list of strings that represent metadata that should be guarded.
// In this example, any metadata beginning with "irods::" will be treated special
// and require that the user be an administrator or classified as an editor depending
// on the configuration.
"prefixes": ["irods::"],
// Only administrators are allowed to modify metadata.
// This option supersedes the "editors" option.
"admin_only": true,
// The list of editors that can modify guarded metadata.
"editors": [
{
// The type of entity that is allowed to modify metadata.
// The following options are available:
// - "user"
// - "group"
"type": "group",
// The name of the iRODS entity.
// For remote users, you must include the zone (e.g. "rods#tempZone").
"name": "rodsadmin"
}
]
}JSON schema for collection metadata
Metadata Guard
imeta set -C /tempZone irods::metadata_guard '{"prefixes": ["irods::"], "admin_only": true}'Usage
Anytime a request to modify metadata is detected by the server, the Rule Engine Plugin will read the JSON config and determine whether the user should be allowed to continue
Capabilities
Storage Tiering
Indexing
Publishing
Packaged collections of policy which meet specific outcomes
Integrity will be the final packaged capability
Questions?
KU Leuven Policy Training - Supported Policy Implementations
By jason coposky
