5.5 Cloud Audit Policy Language (CAPL)
From the evaluation of the existing security policy languages, CIMI seems very suitable for supporting the SAaaS scenario requirements. However, it lacks a policy module. Thus, instead of developing a completely new language, the Cloud Audit Policy Language (CAPL) was developed as an extension of CIMI. CIMI already delivers a detailed object description of IaaS cloud components and a standardised protocol. Core features like the object model, the protocol and a simplified variant of CIMI classes (e.g., Machine, MachineConfiguration, MachineImage) are inherited by CAPL. However, due to the different focus of CIMI on managing cloud infrastructures, some CIMI classes have not been adopted in CAPL, because they are not required for the SAaaS scenario. Others were modified or extended, and new classes for the support of policies were added. By staying close to the CIMI standard, it will be possible to define security policies for any CIMI-compatible cloud infrastructure. Thus, the compatibility of the presented SAaaS system is increased.
CAPL User Roles
CAPL uses slightly simplified definitions of the CIMI roles Cloud Provider and Cloud Consumer. The cloud provider manages and provisions cloud services and possesses full access rights. The cloud consumer uses cloud services as well as the service for auditing his virtual machines. The cloud consumer has a limited set of access rights, which are required to define policies and trigger audits.
CAPL Service Interface
CIMI uses a REST based protocol for communication. CAPL adopts the CIMI service interface.
CAPL Language Base
The CAPL language format is technically oriented on CIMI, which offers XML or JSON as a language format. An advantage of using an XML language is the availability of XML Schema, which can be used for data validation. Thus, an incoming policy can easily be checked for whether all required arguments are provided. To be interoperable with other services, and due to the wide distribution of XML in large distributed architectures, XML was preferred over JSON.
CAPL Definition
CAPL is based on an object/class model. Figure 5.3 shows the class diagram. As introduced, CAPL is designed to be oriented closely to the CIMI standard, but missing classes were added. CAPL enhances CIMI by adding several new classes:
• Machine
The Machine class represents a machine which shall be audited. CIMI uses Machines only for virtual machines. However, CAPL enhances the scope of Machines and includes host machines running virtual machines, because those might be targets for audits as well.
• MachineTemplate
The MachineTemplate defines the initial configuration of a VM.
• Policy
Defines a policy rule (e.g., “a virtual machine must not contain malware”), which can be assigned to a machine or a group.
• PolicySet
A PolicySet contains multiple Policies. Only if all contained conditions of the rules are fulfilled, the PolicySet evaluates to success. A PolicySet may be used like a policy and attached to machines or groups. Rules contained in a PolicySet may be linked disjunctively or conjunctively (using AND/OR). This behaviour originates from the CIM policy model [191].
• Group
Groups are used to manage related objects like multiple rules and machines. In such a case all rules of the group apply to all machines.
• RuleType
RuleType describes what a policy is supposed to check and defines attributes and configurations which the policy has to set.
Figure 5.3: CAPL class diagram
In the following, the term “Policies” is used interchangeably for the classes PolicyRule, PolicySet and MetricRule.
CAPL Namespace
For CAPL, its own namespace has been assigned at http://research.cloud.hs-furtwangen.de/capl/. Thus, a distinct class identification is achieved and conflicts when using different schemes are avoided. Each CAPL class is assigned under the attribute resourceURI within the namespace.
CAPL Data Types
CAPL uses different data types. If possible, common data types known from other programming languages were used. Table 5.8 lists the available CAPL data types.

| Data Type | Name | Description |
|---|---|---|
| Integer | Integer | A whole number |
| String | Text | A sequence of characters including text, numbers and special characters. |
| Date | Date | Timestamp |
| URI | URI | Contains a uniform resource identifier |
| EntityReference | Reference | A reference to another object identified by a URI. Used within objects as href="uri" and represented in the XML schema as EntityReference |
| EntityReferenceCollection | List of references | Gives back a list of references to class instances. Inherits from AbstractCollection. |
| Attributes | Key/Value pairs | A list of self-defined attributes with a unique name and a corresponding value. Each key should be unique within a list. Represented as `<tagname key=keyname>value</tagname>` |
| Collection | List | A list of multiple data of one data type. Example: EntityReferenceCollection is a list of references. Each single data type also has a corresponding collection for creating an extensive list of this specific data type, such as MachineCollection or GroupCollection |
| IntervalType | Unit of interval | Describes the unit of an interval. Possible values are: no (no interval, one-time execution), minutes (value in minutes), hours (value in hours), days (value in days), weeks (value in weeks) |
| ConditionType | Composition | Defines a composition of multiple rules. Possible values are either D (Disjunction) or C (Conjunction) |

Table 5.8: CAPL data types
CAPL Classes
For CAPL, the following classes are developed, also depicted in the class diagram shown in Figure 5.3:
• CloudEntryPoint
• AbstractCollection
• Machine
• MachineCollection
• MachineTemplate
• Group
• GroupCollection
• RuleType
• RuleTypeCollection
• Policies
• PolicySet
• PolicyCollection
• Action
• ActionCollection
To support readability, only the most important classes for understanding the CAPL language specification are described in the following. A complete class description of all developed classes is provided in Appendix A.3.
Basic Class Structure
Each CAPL class consists of the following basic structure of attributes. They have the same meaning in every class, thus they are going to be presented here once and not included every time in the description of the corresponding classes. Table 5.9 provides a definition of the basic class attributes.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the URI for identification of the type within the XML schema |
| id | URI | Object ID under which it can be referenced |
| name | String | Name of the instance |
| description | String | Description of the corresponding instance |
| created | Date | Gets automatically set at object creation time |
| updated | Date | Gets automatically updated at object modification time |

Table 5.9: CAPL basic class attributes
Cloud Entry Point
The Cloud Entry Point provides an interface for accessing the CAPL server. It provides an overview of all available resources and their corresponding URIs for a CAPL client (SAaaS Policy Modeller). It does not use the basic structure described in Table 5.9. For the SAaaS prototype (see Chapter 7) it is accessible at https://cloud.hs-furtwangen.de/CAPLPrototyp/rest/. Table 5.10 describes the attributes of the Cloud Entry Point.
| Name | Data Type | Description |
|---|---|---|
| id | String | ID of the Cloud Entry Point, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/CEP |
| baseURI | URI | Contains the base URI, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/ |
| machines | EntityReference | A reference for MachineCollection, which delivers all MachineTemplate instances, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/MachineTemplates |
| groups | EntityReference | A reference for GroupCollection, which delivers all group instances, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/groups |
| policies | EntityReference | A reference for PolicyCollection, which delivers all policy instances, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/policies |
| ruleTypes | EntityReference | A reference to the list of all available RuleTypes, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/ruleTypes |

Table 5.10: CAPL class: Cloud Entry Point
AbstractCollection
For every class, an additional class with the name schema [Class-Name]Collection is implemented for providing lists of instances of this class. These “collection classes” inherit from the abstract class AbstractCollection. Thus, each collection class has the same structure as the class AbstractCollection; no additional attributes exist. In case a class contains a collection as an attribute, it is possible to get a list of instances or a list of references (EntityReferenceCollection) for this specific class. Thus, only data which is necessary gets queried and submitted, saving unnecessary data overhead.
This design is inherited from the CIMI specification and applied to CAPL as well. Table 5.11 provides a definition of AbstractCollection.
| Name | Data Type | Description |
|---|---|---|
| id | URI | ID of the Collection under which it can be referenced |
| count | Integer | Number of objects in this list |
| collection | Collection-specific data type | A list of instances of this data type. Example: in case of MachineCollection it includes multiple instances of type Machine |

Table 5.11: CAPL class: AbstractCollection
Machine
A Machine is an instance which needs to be audited. This can be a physical cloud host or a virtual machine. Audit Policies can be assigned to a Machine. Machines can be logically grouped together via the class Group. Machines are created by reading information from the cloud management system about which hosts and VMs exist. A definition of Machine is provided in Table 5.12.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/machines |
| cpu | Integer | Number of CPUs |
| memory | Integer | Size of RAM |
| machineTemplate | EntityReference | A reference to the MachineTemplate which this instance is based on |
| ip | String | IP of the instance |
| domain | String | Domain of the instance |
| policies | EntityReferenceCollection | A list of references to policies which apply to this instance |
| groups | EntityReferenceCollection | A list of references to groups this instance is a member of |

Table 5.12: CAPL class: Machine
MachineCollection
Delivers a list of instances of type Machine. Table 5.13 provides a definition of all attributes.
| Name | Data Type | Description |
|---|---|---|
| id | URI | ID of the Collection under which it can be referenced |
| count | Integer | Number of objects in this list |
| collection | Machine | A list of Machine instances |

Table 5.13: CAPL class: MachineCollection
Group
The class Group provides the possibility to group Policies or Machines. All assigned policies of a certain Group apply for all Machines of this group.
Table 5.14 provides attributes of class Group.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/groups |
| enabled | Boolean | Defines if the group is enabled or not (not implemented in the SAaaS prototype) |
| policies | EntityReference | A list of references to policies which are assigned to the Machines of this group |
| machines | EntityReference | A list of Machines which are members of this group. All members inherit all policies of this group |

Table 5.14: CAPL class: Group
RuleType
RuleType defines the type of a rule and represents the SAaaS agent type. For each existing agent type a RuleType exists. RuleTypes are managed by the cloud provider. The class was defined to be very general, to support a variety of different rules. Since different rules contain different attributes, rule-specific attributes are defined by the attribute properties. Properties need to be provided at creation of a policy. They are used as context-based attributes. They are stored in a hash map and assigned to the target agent at agent configuration time. They represent an agent’s configuration. Context-based attributes can be assigned to simple data types, thus the CAPL server can evaluate if a context-based attribute is provided correctly and can validate it. As an example, a reference to a group can be assigned to the data type GroupReference. To provide information on available RuleTypes, a policy developer can access them from the CAPL server via a GET request. A definition of RuleType is given in Table 5.15. For the SAaaS prototype, RuleTypes for the defined policy scenarios presented in Section 5.3 are implemented.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/ruleTypes |
| category | String | Enables categorisation of RuleTypes for sorting purposes |
| visibility | Boolean | Defines if a RuleType is accessible to the cloud user. Used during development for beta RuleTypes |
| attributeKey | String | Context-based value which needs to be defined in a policy |

Table 5.15: CAPL class: RuleTypes
Policies
Each policy contains the same basic structure, as shown in Table 5.16. Additionally, each policy contains policy-specific, context-based attributes. They depend on the type of policy and are defined by the attribute RuleType. They result in an agent’s configuration. Policies can be assigned to Machines, MachineTemplates, and Groups. A possible policy could be “Configuration of web server apache2 is finished”. This results in a policy configuring a SAaaS inotify agent to monitor the file httpd.conf for filesystem changes. This functionality is implemented with the context-based attributes, defined by the attribute named attribute. Its context is defined by the corresponding RuleType. Listing 5.2 elaborates how the attributes correspond to each other: the listing shows a policy which forbids changes to the file httpd.conf. Lines 2-10 are common attributes, which are equally available in different policies. Lines 11-15 show the context-based values, which are defined by the RuleType inotify (line 8). Line 12 states that a change (attribute action, line 13) of the file httpd.conf (attribute path, line 14) is not allowed (attribute permission, line 12).

```xml
1  <PolicyRule>
2    <name>Freeze httpd.conf</name>
3    <refName>freezehttpd</refName>
4    <description>httpd.conf is final, must not be changed.</description>
5    <created>04.02.2013</created>
6    <updated>04.02.2013</updated>
7    <enabled>true</enabled>
8    <ruleType>inotify</ruleType>
9    <targetRessource href="http://example.org/machines/www1"/>
10   <intervalType>no</intervalType>
11   <properties>
12     <permission>denied</permission>
13     <action>change</action>
14     <path>/etc/apache2/httpd.conf</path>
15   </properties>
16 </PolicyRule>
```

Listing 5.2: CAPL Policy: config freeze httpd.conf
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI, e.g. https://research.cloud.hs-furtwangen.de/CAPLPrototyp/rest/policies |
| enabled | Boolean | Defines if the policy is enabled or not |
| deploymentRessource | EntityReference | Is used in case a policy gets executed by a different Machine |
| targetRessource | EntityReference | Machine, MachineTemplate or Group a policy is assigned to |
| intervalType | IntervalType | Defines the interval in which a policy should be executed |
| interval | Integer | Defines the value of the interval |
| attribute | Attribute | Key/value pair containing context-based attributes of the policy. Context is defined by the RuleType. Can be used multiple times within a policy |

Table 5.16: CAPL class: Policies
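As an added example (not part of the thesis or of libCAPL), the following Python function checks an incoming PolicyRule the way the XML Schema validation motivated above would: the common attributes of Tables 5.9 and 5.16 must be present, intervalType must be one of the Table 5.8 values with a positive interval when the policy is periodic, and the context-based properties must match exactly the keys of the referenced RuleType. The RuleType key catalogue and the sample document (Listing 5.2, re-typed) are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Allowed IntervalType values (Table 5.8) and the common attributes every policy
# must carry (Tables 5.9 and 5.16).
INTERVAL_TYPES = {"no", "minutes", "hours", "days", "weeks"}
REQUIRED_COMMON = ("name", "ruleType", "targetRessource", "intervalType")

# Constructed stand-in for the RuleType catalogue (Table 5.15): the property keys a
# RuleType expects. "inotify" follows Listing 5.2; the key list is an assumption.
RULE_TYPE_KEYS = {"inotify": {"permission", "action", "path"}}

# Listing 5.2, re-typed here as constructed sample input.
FREEZE_HTTPD = """<PolicyRule>
  <name>Freeze httpd.conf</name>
  <enabled>true</enabled>
  <ruleType>inotify</ruleType>
  <targetRessource href="http://example.org/machines/www1"/>
  <intervalType>no</intervalType>
  <properties>
    <permission>denied</permission>
    <action>change</action>
    <path>/etc/apache2/httpd.conf</path>
  </properties>
</PolicyRule>"""


def validate_policy_rule(xml_text: str) -> list[str]:
    """Return validation errors for a CAPL PolicyRule document; empty means valid."""
    root = ET.fromstring(xml_text)
    if root.tag != "PolicyRule":
        return [f"root element is <{root.tag}>, expected <PolicyRule>"]
    errors = [f"missing common attribute <{t}>" for t in REQUIRED_COMMON if root.find(t) is None]
    # targetRessource is an EntityReference: the target URI travels in href="...".
    target = root.find("targetRessource")
    if target is not None and not target.get("href", "").startswith(("http://", "https://")):
        errors.append("targetRessource needs an href URI to a Machine, MachineTemplate or Group")
    # A periodic policy (intervalType other than 'no') needs a positive <interval>.
    itype = root.findtext("intervalType")
    if itype is not None and itype not in INTERVAL_TYPES:
        errors.append(f"unknown intervalType {itype!r}")
    elif itype not in (None, "no"):
        ivalue = root.findtext("interval", default="")
        if not ivalue.isdigit() or int(ivalue) < 1:
            errors.append("periodic policy needs a positive integer <interval>")
    # Context-based properties must match exactly the keys the RuleType defines, so
    # an agent never receives a missing or unexpected configuration value.
    rtype = (root.findtext("ruleType") or "").strip()
    if rtype not in RULE_TYPE_KEYS:
        errors.append(f"unknown ruleType {rtype!r}")
    else:
        props = root.find("properties")
        given = {c.tag for c in props} if props is not None else set()
        errors += [f"ruleType {rtype} requires property <{k}>" for k in sorted(RULE_TYPE_KEYS[rtype] - given)]
        errors += [f"property <{k}> is not defined by ruleType {rtype}" for k in sorted(given - RULE_TYPE_KEYS[rtype])]
    return errors
```

Run against the listing it returns no errors; a misspelt intervalType, a periodic policy without an interval, or a property the RuleType does not define each yields a specific message instead of a silently misconfigured agent.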
PolicySet
A PolicySet is a Policy which contains multiple policies. A PolicySet can be assigned to a Machine, a MachineTemplate and a Group. The attribute ConditionType defines how the policies are connected with each other. Possible values are: D - Disjunction, or C - Conjunction. In case of a conjunctive connection, all policies need to be fulfilled for the PolicySet to be fulfilled. This corresponds to a traditional AND connection. In case of a disjunctive connection, only one policy needs to be fulfilled for the PolicySet to be fulfilled. This method was adapted from the CIM Policy model [191]. A description of class PolicySet is provided in Table 5.17.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI |
| enabled | Boolean | Defines if the PolicySet is enabled or not |
| conditionType | ConditionType | Defines the type of condition. For the SAaaS prototype the values D or C are available |
| targetRessource | EntityReference | Machine, MachineTemplate or Group a policy is assigned to |
| policies | EntityReferenceCollection | List of URIs to PolicyRule or MetricRule |
| intervalType | IntervalType | Defines the interval in which a PolicySet should be executed |
| interval | Integer | Defines the value of the interval |

Table 5.17: CAPL class: PolicySet
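The conjunction/disjunction semantics of conditionType, as an added example that is not part of the thesis or of libCAPL: the function resolves the EntityReferenceCollection of a PolicySet against a table of per-policy audit outcomes and combines them with AND (C) or OR (D). The `<policy href="..."/>` element name for the list members, the URIs and the audit outcomes are constructed assumptions; an empty PolicySet or a dangling reference is reported rather than evaluated.

```python
import xml.etree.ElementTree as ET

# Constructed PolicySet: conditionType C (conjunction) over three referenced rules.
# The <policy href="..."/> element name for members of the EntityReferenceCollection
# and all URIs are assumptions made for this example.
WEB_TIER_SET = """<PolicySet>
  <name>Web tier baseline</name>
  <enabled>true</enabled>
  <conditionType>C</conditionType>
  <targetRessource href="http://example.org/groups/web"/>
  <policies>
    <policy href="http://example.org/policies/freezehttpd"/>
    <policy href="http://example.org/policies/nomalware"/>
    <policy href="http://example.org/policies/ntp-synced"/>
  </policies>
  <intervalType>hours</intervalType>
  <interval>1</interval>
</PolicySet>"""

# Constructed audit outcomes for the referenced PolicyRules (True = fulfilled).
AUDIT_RESULTS = {
    "http://example.org/policies/freezehttpd": True,
    "http://example.org/policies/nomalware": True,
    "http://example.org/policies/ntp-synced": False,
}


def referenced_policies(xml_text: str) -> list[str]:
    """URIs held in the <policies> EntityReferenceCollection (href="uri", Table 5.8)."""
    members = ET.fromstring(xml_text).find("policies")
    return [m.get("href", "") for m in members] if members is not None else []


def evaluate_policy_set(xml_text: str, results: dict[str, bool]) -> bool:
    """C: every referenced policy must be fulfilled; D: at least one must be."""
    ctype = (ET.fromstring(xml_text).findtext("conditionType") or "").strip()
    if ctype not in ("C", "D"):
        raise ValueError(f"conditionType must be C or D, got {ctype!r}")
    uris = referenced_policies(xml_text)
    if not uris:
        # Assumption: an empty set is a modelling error, not a vacuous success.
        raise ValueError("PolicySet references no policies")
    missing = [u for u in uris if u not in results]
    if missing:
        # A dangling reference must not silently count as fulfilled or as failed.
        raise LookupError(f"no audit result for referenced policies {missing}")
    outcomes = [results[u] for u in uris]
    return all(outcomes) if ctype == "C" else any(outcomes)
```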
Action
Action enables the execution of operations. It is used for executing policies and for adding a Machine to a Group. Its definition is provided in Table 5.18.
| Name | Data Type | Description |
|---|---|---|
| resourceURI | URI | Contains the base URI |
| action | String | Defines the type of action. Possible values for the SAaaS prototype: addMachine (add a Machine to a Group), removeMachine (remove a Machine from a Group), run (start an audit) |
| target | Reference | Contains the resource which the action applies to. In case of addMachine it contains the Machine which is to be added to a Group |

Table 5.18: CAPL class: Action
As already mentioned, a comprehensive definition of all CAPL classes is provided in Appendix A.3. Javadoc documentation can be found on the CD attached to this PhD thesis in the folder “CloudAuditPolicyLanguageJavaDoc”. CAPL is implemented as a client-server architecture using a database backend for serialisation of objects. Its technical implementation is described in Chapter 7, Section 7.4.
CAPL Library
All classes necessary for serialisation are stored in a CAPL library, libCAPL.jar. It is used by the CAPL server and client for de-/serialisation in XML or JSON. It enables the development of new CAPL clients. It is provided as Open Source software at the SAaaS website [139].
An example which depicts the key features of CAPL is shown in Listing 5.3. This Policy describes the conditions under which upscaling of Web server VMs is allowed. In this case, it is measured whether upscaling is allowed or not.