A Policy Management Framework for Content-based Publish/Subscribe Middleware

1. A Policy Management Framework for Content-based Publish/Subscribe Middleware Hans-Arno Jacobsen Department of Electrical and Computer Engineering & Department of Computer Science University of Toronto Joint work with Alex Wun. v1.1 http://www.padres.msrg.utoronto.ca Middleware 2007

2. Sensor Network Management Manufacturer Supplier/ Distributor Business Activity Monitoring Content-based Publish/Subscribe (CPS) RFID Tracking SLA Monitoring Retailer Logistics

3. The PADRES Project Acknowledgements Acknowledgements 3 2020/1/2

4. P = publisher = subscriber S P S dest2 B Matching Engine B + Publications Routing Table B dest1 output queue dest2 input queue subscription dest B B dest3 S P output queue dest3 A Pub/Sub Message Broker temperature > 37 dest2 temperature > 40 dest3 temperature = 38 temperature = 42 temperature = 36

5. Content-based Publish/Subscribe • Many additional application-specific features often needed • Security • Message transformation • System debugging & message tracing • Application integration • Different requirements from diverse applications must co-exist on same running infrastructure Middleware 2007

6. Content-based Policy Framework • Policy Framework • Flexible: separates application requirements from infrastructure mechanisms • Dynamic: change behavior of running system • Content-based Policy Framework • Leverage content-based matching to achieve expressive, low overhead policies • More coupled with CPS systems • More efficient than generic policy layer Middleware 2007

7. Contributions and Presentation Agenda • Novel policy model for CPS systems • Focus on post-matching policy model • Implementation of policy framework for CPS systems • Focus on policy mechanisms • Not interested in developing policy language or syntax • Interesting new features enabled by our policy framework • Qualitative validation of approach using application scenarios • Performance overhead experimental results • Quantitative validation of approach Middleware 2007

8. Post-matching Policy Model • In terms of Event-Condition-Action rules: Whencontent-based match occurs If additional policy condition(s) satisfied then Perform Action1 …. ActionN Middleware 2007

9. Post-matching Policy Model Given a message M, matching algorithm computes: Associated Policy Statement Filter (Subscription, Advertisement) Policies T1 … Tn are applied to M M is a publication, contains subscriptions and advertisements M is a subscription, contains advertisements Middleware 2007

10. Associated Policy Policies Applied on Injection Message

11. Policy Composition Publication space: [(a1,x1), … ,(aN,xN)] S1 = [(a1 > T1)] :AuthenticateSender() S2 = [(a1 < T1), (a2 > T2)] :AppendDebug(…) S3 = [(a1 < T3), (a2 > T4)] :TrimAttributes() Require Authentication Append Debugging Info. Trim Attributes Middleware 2007

12. API with Policy Support • publish/subscribe/advertise(Message, PolicyStatement) • setPolicy(MessageID, PolicyStatement) PolicyStatement { On(MessageType) { … @broker: [Overlay location type] If <conditions …> Then <actions …> Elseif <conditions …> Then <actions …> … } … } Middleware 2007

13. Policy Framework Validation Scenarios Enabling policies for Security CPS Semantics Middleware 2007

14. Firewall Content-based Firewall On(Publication) { @broker: Routing If {} Then {BlockMessage()} } • Subscription-associated policy: • (applied to publications) • Acts like negation subscription Middleware 2007

15. Content-based Firewall Individual Subscriptions External Firewall Broker Internal Firewall Broker Merged Subscription

16. Authentication Shared group secret Kg. Brokers either exchange via public/private key mechanisms or are bootstrapped with Kg. On(Publication) { @broker: Ingress,Routing,Egress If {AuthenticateReceiver(group1)} Then {} Elseif {} Then {BlockMessage()} } BG1 • Advertisement-associated policy: • Uncontrolled advertisement and subscription propagation • Controlled publication injection, routing, and delivery P BG1 B B Middleware 2007

17. Authentication Shared group secret Kg. Brokers either exchange via public/private key mechanisms or are bootstrapped with Kg. On(Subscription) { @broker: Ingress,Routing If {AuthenticateReceiver(group1) && AuthenticateSender(group1)} Then {} Elseif {} Then {BlockMessage()} } BG1 S BG1 B • Advertisement-associated policy: • Controlled subscription injection and routing B S Middleware 2007

18. Notification Semantics P1= [(a,1)(b,2)(c,3)] On(Publication) { @broker: Egress If {} Then {TrimAttributes(…), ToXML()} } P2= [(a,9)(b,4)(c,3)] S S • Subscription-associated policy: • Subscribers have fine-grained control over format of delivered publications P1’= [(a,1)] P1’= [(a,1),(b,2)] P2’= [(b,4),(c,3)] P2’= <pub> <a>1</a> <b>4</b> </pub> Middleware 2007

19. Meta-Events On(Subscription) { @broker: Ingress If {AuthenticateSender(group1)} Then {} Elseif {} Then {Publish(“[class,UnauthorizedSubscribe], [message,$message], [brokerID,$brokerID]”)} } S = [(class = UnauthorizedSubscribe), (brokerID = B1)] S B1 • Advertisement-associated policy: • Self-generated event by system in response to unauthorized subscription injection S Middleware 2007

20. Healthcare Example • “Doctors with appropriate specialties may only enter prescriptions for their own patients in their designated ward when they are on shift. If they try to write prescriptions in violation, a notification to be sent to the chief physician” • Features used • Check doctor qualifications (authentication) • Check registration and shift status (authorization) • Report violations (meta-events) Middleware 2007

21. Healthcare Example Advertise Hospital Ward Access Point P [(class = Prescription), (doctor = *),(patient = *), (drug = *),(ward = x)] Policy On(Publication) { @broker: Ingress If {CanPrescribe($doctor) && Registered($doctor,$patient) && OnShift($doctor,$ward)} Then {} Elseif {} Then {Publish(“[class,Violation], [type,prescription], [doctor,$doctor],…”)}} Healthcare Broker Network Subscribe Chief Physician S [(class = Violation), (type = prescription)] Middleware 2007

22. Performance Overhead Setup Each run: 1000 Subscriptions (avg. 4 predicates – Poisson distribution) 1000 Publications (all attributes) ~20 Advertisements From 0% to 100% of Subscriptions/Advertisements associated with policies Publication policy attached to subscriptions: On(Publication) { @broker: Egress If {} Then {Augment($Delay)} } Subscription policy attached to advertisements: On(Advertisement) { @broker: Ingress,Routing If {} Then {BlockMessage()} } On(Subscription) { @broker: Ingress,Routing If {} Then {Flood()}} Middleware 2007

23. Performance Overhead Publication Policy Subscription Policy

24. Conclusions • Applications have diverse feature requirements on messaging middleware • Security • Message transformations • System debugging • Policies can leverage content-based publish/subscribe matching algorithms (Post-matching policies) • Flexible and expressive • Enables interesting features • Low overhead Thank You - Questions? http://www.padres.msrg.utoronto.ca

25. *** Extra Slides *** Middleware 2007

26. Healthcare Example II • “Only members of the finance department with titles of Director or VP can access patient billing history of more than 1 year ago” • Features used • Historic data access (supported by PADRES) • Role-Based Access Control (authentication) • Data privacy (notification trimming) • Alternative: content encryption Middleware 2007

27. Healthcare Example II Advertise Patient Database Client P P [(class = Historic), (patient = *),(billing_info = *), (medical_info = *),(date = *)] Policy On(Publication) { @broker: Egress @attach: always If {AuthenticateReceiver(Director) || AuthenticateReceive(VP)} Then {} Elseif {DateBefore($now-1year)} Then {Trim(billing_info)}} Healthcare Broker Network Subscribe Patient Info Access Point S [(class = Historic), (patient = x),(date after y)] Middleware 2007

28. Security Zones and Privacy Authentication: Control message propagation Message Transformation: Restrict attribute visbility Meta-Events: Monitor unauthorized subscriptions Middleware 2007

29. Authentication Middleware 2007

30. Notification Semantic Middleware 2007

31. Policy Composition Publications of the form: [(class,C),(a1,x1),…,(aN,xN)] Policies Subscriptions : Policy Statements S1 = [(class=c1),(a1<Tlow)] : AppendPrevHop() Ifclass = c1 & a1 < Tlow AppendPrevHop() Ifclass = c1 & a1 > Thigh RemoveAttrs(x2...xN) Ifclass = c2 … S2 = [(class=c1),(a1>Thigh)] : RemoveAttrs(…) S3 = [(class=c2)] : … Middleware 2007

32. Content-based Match Event Message (Publication) Filters (Subscriptions, Advertisements) X O X O Associated Policies Middleware 2007

33. Generic Policy Frameworks • Focus on framework mechanisms and not policy language • If-Then • If conditions evaluate on message content and duplicates work of CPS system • Post-matching policy model for content-based policies Middleware 2007

34. Policy Framework Architecture Matching Engine PreviousBroker orClient Advertisement Subscription Store Next Broker(s) or Client(s) Policy Statement Policy Manager Policy Rule PolicyStore Filter/Message Policy Evaluation Middleware 2007

35. Policy Statement Data Structure If {A & B} Then {C} Elseif {D} Then {E,F} Elseif {} Then {G,H} Policy Statement Policy Rule (on publications @ egress) Policy Rule (on publications @ ingress) A D G Policy Rule (on subscriptions @ ingress) B E H C F Middleware 2007