Saturday Dec 22, 2007

A stand alone policy rule engine rule verifier

We want admins to be able to debug policy engine rulesets - they need to be able to determine beforehand which rule will apply and they need to be able to see afterwards which rule applied.

Some background, a policy rule states that if an expression of attributes evaluates to true, then a file create under pNFS will be given a certain layout. And a layout is basically a stripe count and width. The count is the number of DS to stripe the file across and the width is how large of a chunk of data to send to each DS.

A client can generate a layout hint that it can send to the server. And the server is free to reject it, especially if the server already has a rule. The way to think of this is that it allows an admin on the client, who does not have administration rights on the server, to define new policies in the middle of the night. I.e., no need to wake the server admin up.

The client's hint lacks the final necessary information, the set of DS to be used. So even if the server accepts the hint, it needs to be instantiated with the actual DS hosts. The server policy engine will determine that set by looking at usage information for the DS - or it might just pick them in some round-robin fashion. This is a classic scheduling problem from AI.

To enable the admin to debug, we need to allow access to both the client and server policy rulesets. But we should start simple and get some code which works on a ruleset.

I'm going to skip how rules are loaded to the sped (Simple Policy Engine Daemon) and how we get our hands on them from it. Instead, I'm going to create a tool which handles a flat file. Furthermore, that format may not be what I end up using - right now this debug tool is also a design tool.

I could write it in Perl, which is perfect for basically string processing, but I think I will be stealing major chunks of the code for sped. So, I'll write it in C.

The very first thing I want to look at is the parameters to the program. I need to get at attributes such as the path, the extension, the UID, the GID, and the IP. I was going to grab the time and day from the system, but I just realized I may be doing postmortem debugging, so I need to take these as parameters too. Okay, I also need to be able to read the policy rulesets in from a file.

I'm going to present a chunk of code, of which I'll end up throwing some away. I want to look at option handling and make sure it works before I do anything else:

#include <stdio.h>
#include <stdarg.h>
#include <unistd.h>

int
main(int argc, char *argv[])
{
        int     i;
        int     iFlags = 0;
        int     ch;

        int     iFoundSome = 0;

        /* A ':' after a letter means that option takes an argument. */
        while ((ch = getopt(argc, argv, "?vr:p:u:g:i:h:d:")) != -1) {
                iFoundSome = 1;

                switch (ch) {
                case 'v' :
                        fprintf(stdout, "Oh, be chatty!\n");
                        break;
                case 'r' :
                        fprintf(stdout, "The rules are in %s!\n", optarg);
                        break;
                case 'h' :
                        fprintf(stdout, "The hour is %s!\n", optarg);
                        break;
                case 'd' :
                        fprintf(stdout, "The day is %s!\n", optarg);
                        break;
                case 'p' :
                        fprintf(stdout, "with the %s!\n", optarg);
                        break;
                case 'u' :
                        fprintf(stdout, "It was %s,\n", optarg);
                        break;
                case 'g' :
                        fprintf(stdout, "The group is %s!\n", optarg);
                        break;
                case 'i' :
                        fprintf(stdout, "in the %s,\n", optarg);
                        break;
                case '?' :
                default :
                        goto usage;
                }
        }

        /* No options at all: show the usage message. */
        if (!iFoundSome)
                goto usage;

        /* Skip past the options that getopt() consumed. */
        argc -= optind;
        argv += optind;

        return (0);

usage:

        fprintf(stderr,
                "speadm explain -r rules-file [-v]"
                " [-p proposed-filename] [-u uid] [-g gid] [-i ip]"
                " [-h hour] [-d day]\n");
        return (1);
}

Okay, as an aside, OSX Leopard cut and paste can rock! Seeing the text being dragged from the Terminal to Firefox was amazing.

The first thing to notice is that I've used -h for hour and not help. Next notice that the rule file is not optional. But I've used a flag for it. I did this to allow it to appear anywhere in the argument list. I will have to eventually add some code to make sure it is present.

A short test run shows us some neat things that getopt() does for us:

stealth:spe tdh$ gcc main.c 
stealth:spe tdh$ ./a.out 
speadm explain -r rules-file [-v] [-p proposed-filename] [-u uid] [-g gid] [-i ip] [-h hour] [-d day]
stealth:spe tdh$ ./a.out -r tests/simple.txt 
The rules are in tests/simple.txt!
stealth:spe tdh$ ./a.out -r 
./a.out: option requires an argument -- r
speadm explain -r rules-file [-v] [-p proposed-filename] [-u uid] [-g gid] [-i ip] [-h hour] [-d day]
stealth:spe tdh$

I didn't have to write any explicit error handling to detect when an option's argument was missing. But wait, does it work the way I want?

stealth:spe tdh$ ./a.out -r -v
The rules are in -v!

In the next entry, I'll do the sanity checking for the arguments. This will include setting the default values. And it will also have to consider if an argument is allowed to begin with a '-'...


Originally posted on Kool Aid Served Daily
Copyright (C) 2007, Kool Aid Served Daily
About

tdh
