JP2007041677A - Policy type management device and method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a policy type management device for preventing any problem from being generated by applying policy description. <P>SOLUTION: A model management unit 113 prepares an information model expressing the status of a management object system 13. When the application conditions of policy descriptions are established, an instruction definition interpretation unit 114 applies instruction definition descriptions obtained by describing an action on the management object system 13 as an action on an information model to the information model. A model inspection unit 115 refers to an inspection rule storage part 123, and determines whether or not an inspection rule is satisfied by the information model after applying the instruction definition description. When the inspection rule is satisfied, an instruction execution unit 116 applies the action of the policy descriptions to a management object system 13. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a policy type management apparatus, method, and program. More specifically, the present invention relates to a policy for managing and operating a management target system using a policy description that describes conditions for performing an operation and the contents of the operation. The present invention relates to a mold management apparatus, method, and program.

  A policy type management system is known in which the knowledge of a system administrator is described as if-then type rules called policies, and the managed system is controlled according to the policy descriptions (for example, Patent Document 1, Non-Patent Document). 1). In the policy type management system, for example, when there is a policy description of “If the load of a server providing a service is high, the number of servers providing the service is increased.”, The measured server load is When it gets higher, it works to increase the number of servers. The policy-type management system can realize a reduction in management work and quick response when a problem occurs by automating part of the work that has been done manually by the system.

  FIG. 9 shows a configuration of a conventional general policy type management system. This conventional policy type management system includes a policy type management device 91, a storage device 92, and a management target system 93. The policy type management device 91 includes an event processor 911, a monitor 912, a model manager 913, and an instruction executor 914. The management target system 93 is a distributed system including a plurality of computers, storage devices, and network devices that connect them, which are managed by the policy type management system 90.

  The storage device 92 includes a policy storage unit 921 that stores policy descriptions, and a model storage unit 922 that stores various types of information of the management target system 93. FIG. 10 shows an example of policy description. The policy description 71 includes a unique identifier that is not duplicated in the policy type management system, a conditional clause that indicates when the policy should be executed, and what operation the management target system 93 performs. And an instruction clause describing whether to perform (for policy description, see Non-Patent Document 3). The policy storage unit 921 stores a plurality of policy descriptions as a policy table 711 as shown in FIG.

  The model manager 913 acquires various types of information of the management target system 93 and stores the acquired various types of information in the model storage unit 922 as a common information model. The common information model is obtained by discarding information unique to the manufacturer of various devices constituting the managed system and extracting a common part that does not depend on the manufacturer (see Non-Patent Document 2 for the common information model). .

  12 and 13 show examples of the common information model stored in the model storage unit 922, respectively. The object model 731 (FIG. 12) is a data structure and procedure representing management objects, and the association model 732 (FIG. 13) is a data structure representing relations between management objects. The relation model 732 has two or more identifiers of the object model 731 inside, and indicates that these object models 731 have a relation expressed by the name of the relation model 732. A plurality of data reflecting the state of the management target system 93 is stored in the model storage unit 922 in the data structure of the object model 731 and the related model 732.

  The monitor 912 acquires model information representing the state of the management target system 93 from the model manager 913, and notifies the event processor 911 that an event has been issued when a specific condition is satisfied. The conditions for event issuance are set manually in advance. An example of the event is shown in FIG. The event 72 includes a name indicating the event name and a set of parameters for the event occurrence condition. An example of the parameters is shown in FIG. The parameter 79 is a name / value pair. The parameters included in the event 72 include information indicating the location of the failure, specific observation data related to the event among the data acquired from the model storage unit 922, and the like.

  When the event processor 911 receives an event issuance from the monitoring device 912, the event processor 911 obtains a policy table (FIG. 11) by referring to the policy storage unit 921, and whether there is a policy description that needs to be executed by issuing the event. Inspect. The event processor 911 passes the policy description that needs to be executed to the instruction executor 914, and the instruction executor 914 performs the operation described in the instruction section included in the received policy description 71 on the managed system 93. And execute. Thus, the conventional policy management system monitors the management target system 93 and executes the operation described in the command section of the policy description 71 when the condition described in the policy description 71 is satisfied. This makes it possible to automate management.

JP 2002-111729 A N. Damianou, et al., The PONDER Policy Specification Language, LNCS 1995 (2001), pp. 11-29. 18-39 “CIM Core Model White Paper ver2.4” August 30, 2000 [online] [searched March 8, 2005], Distributed Management Task Force (Distributed) Management Task Force), Internet <URL http://www.dmtf.org/standards/documents/CIM/DSP0111.pdf> B. Moore, et al., Policy Core Information Model, RFC3060, Internet Engineering Task Force, 2001

  In the conventional policy type management system described above, no special consideration is given to means for inspecting problems that occur due to the action of the policy on the management target system in advance. Therefore, before executing the policy, whether or not there is a possibility that a problem occurs in the managed system 93 by executing the operation defined in the command clause of the policy description 71 for the managed system 93. There is a problem that it is not possible to prevent and prevent the occurrence of a problem.

  In order to accurately determine whether the action of a specific policy may cause a problem for a managed system, the management target at the time of applying the operation described in the command clause of the policy description 71 It is preferable to perform an inspection on the state of the system 93. Even if a method in which a conventional policy type management system is combined with a test method in which inspection is performed using sample values generally used in software development is used, there is a problem in terms of determination accuracy.

  The present invention solves the above-mentioned problems of the prior art, and is there a possibility that a problem may occur in the managed system by executing the operation defined in the policy description command clause on the managed system? It is an object of the present invention to provide a policy type management apparatus, method, and program capable of determining whether or not a command clause is actually executed and preventing a problem from occurring.

  In order to achieve the above object, the policy type management apparatus of the present invention acquires state information from the information system to be managed, and creates an information model indicating the state of the managed system based on the acquired state information. A model management unit stored in a storage device, and a storage device that stores a policy description including an application condition, an action on an information system to be managed, and an instruction definition description describing the action as an action on the information model. An event processing unit that determines whether or not an application condition of the policy description is satisfied based on a state of the information system to be managed, and extracts the policy description that satisfies the application condition; and the extracted policy For the description, apply the instruction definition description to the information model stored in the storage device, create the information model after applying the policy description, and store it in the storage device. An instruction definition interpreting unit that memorizes and a storage device that stores a check rule that describes a condition to be satisfied in the information model, and whether or not the stored information model after applying the policy description satisfies the check rule A model checking unit that determines whether the model checking unit satisfies the checking rule, and an instruction execution unit that applies the action of the policy description to the information system to be managed. It is characterized by that.

  The policy type management method of the present invention is a method for managing a management target information system using a computer, wherein the computer acquires status information from the management target information system and is based on the acquired status information. Creating an information model indicating the state of the managed system and storing it in the storage device, and the computer describes the application condition, the action on the managed information system, and the action as an action on the information model. The policy description including the command definition description is referred to, and based on the state of the information system to be managed, it is determined whether the policy description application condition is satisfied, and the application condition is satisfied Extracting the policy description to be executed, and the computer stores the extracted policy description in the storage device. Applying an instruction definition description to the information model, creating an information model after applying the policy description and storing the information model in a storage device; and a check rule describing a condition that the computer should satisfy in the information model. A step of determining whether or not the stored information model after application of the policy description satisfies the checking rule with reference to a storing device; and when the computer satisfies the checking rule in the model checking unit Applying the action of the policy description to the information system to be managed for the determined policy description.

  The program of the present invention is a program for a computer that manages an information system to be managed. The computer acquires state information from the information system to be managed in the computer, and the management target is based on the acquired state information. Policy description including processing for creating an information model indicating the state of the system and storing it in the storage device, application conditions, actions on the information system to be managed, and instruction definition description describing the actions as actions on the information model A process for extracting a policy description satisfying the application condition by determining whether an application condition for the policy description is satisfied based on a state of the information system to be managed For the extracted policy description, an instruction definition description is applied to the information model stored in the storage device, and the policy is Information stored after the policy description is applied with reference to the processing for creating the information model after application of the description and storing it in the storage device, and the storage device storing the inspection rule that describes the conditions to be satisfied in the information model The process of determining whether or not the model satisfies the inspection rule, and the policy description determined to satisfy the inspection rule by the model inspection unit, the action of the policy description is applied to the information system to be managed. The processing to be applied is executed.

  In the policy type management apparatus, method, and program of the present invention, before applying the policy description action to the management-symmetric information system, the policy description action is managed in the information model representing the state of the management target information system. Applying an instruction definition that expresses the action on the target information system as an action on the information model, and the information system after applying the instruction definition shows a check rule that indicates the conditions that should be observed in the information model of the information system to be managed It is determined whether or not it is satisfied, and when the inspection rule is satisfied, the action of the policy description is applied to the information system to be managed. By doing so, the application of the policy description that does not satisfy the inspection rule, that is, may cause a problem, to the information system to be managed can be stopped, and the occurrence of the problem can be avoided in advance.

  The policy type management apparatus, method, and program according to the present invention comprise a storage device that stores the policy description and the inspection rule in association with each other, and stores in the policy description that the inspection rule is not applied as an exception rule. Refer to and determine whether or not the information model after applying the policy description satisfies the inspection rule by using the inspection rule excluding the inspection rule corresponding to the policy description having the instruction definition description applied to the information model. Configuration can be adopted. In this case, it is possible to prevent a false detection in which a specific policy description is determined to have a problem by the inspection rule even when there is no actual problem.

  In the policy type management apparatus, method, and program of the present invention, the model checking unit further determines whether or not the inspection rule violation should be ignored when the information model after applying the policy description does not satisfy the checking rule. If it is requested that input should be ignored, it is considered that the inspection rule violation has not occurred, and there is a policy description having an instruction definition description applied to the information model and the inspection rule violation to be ignored. A configuration can be adopted in which the generated inspection rules are associated with each other and stored in the storage device as the exception rules. In this case, the inspection rule violation that should be ignored can be applied to the information system to be managed by assuming that no inspection rule violation has occurred. Also, by storing them as exception rules in the storage device, the combination of the policy description and the inspection rules can be excluded from the next inspection whether or not the inspection rules are satisfied, thereby preventing the occurrence of false detections. be able to.

  In the policy type management apparatus, method, and program of the present invention, an information model that represents the state of the information system to be managed is created, and the effect on the information system to be managed is applied to the created information model. The instruction definition expressed as an action is applied, and it is determined whether or not the information system after the application of the instruction definition satisfies an inspection rule representing a condition to be observed in the information model of the information system to be managed. When the inspection rule is satisfied, the policy description action is applied to the information system to be managed. In this way, before applying the policy description action to the managed information system, whether or not a problem occurs in the managed information system due to the application of the policy description action. The occurrence of a problem can be avoided in advance by not applying the action of the policy description that can be determined and does not satisfy the inspection rule, that is, may cause a problem, to the information system to be managed.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 shows the configuration of a policy type management system according to the first embodiment of the present invention. The policy type management system 10 includes a policy type management device 11, a storage device 12, a management target system 13, and an output device 14. The management target system 13 is a distributed system including a plurality of computers, storage devices, and network devices that connect them. The output device 14 is configured as a display device such as a display device or a printing device.

  The storage device 12 includes a policy storage unit 121, a model storage unit 122, and an inspection rule storage unit 123. The policy storage unit 121 stores a policy description describing a method for managing the management target system 13. The model storage unit 122 stores information model data reflecting the state of the management target system 13. The model storage unit 122 stores an inspection rule that describes a rule for inspecting an information model reflecting the state of the management target system 13.

  The policy type management apparatus 11 manages and operates the management target system 13 based on the policy description. The policy type management apparatus 11 includes an event processor 111, a monitor 112, a model manager 113, an instruction definition interpreter 114, a model checker 115, and an instruction executor 116. The model manager 113 manages an information model associated with the management target system 13. The monitor 112 monitors the state of each device of the management target system 13 using the model manager 113. The event processor 111 acquires the policy description from the policy storage unit 121, interprets the conditional clause of the policy description, and transmits the policy description to the instruction definition interpreter 114 as necessary.

  The instruction definition interpreter 114 acquires an information model reflecting the current state of the management target system 13 from the model manager 113, reflects the action of the policy description transmitted from the event processor 111 on the information model, An information model after application of the policy description is generated. The model checker 115 refers to the check rule storage unit 123 and checks whether there is a problem in the information model newly generated by the instruction definition interpreter 114. The instruction executor 116 applies the action of the policy description to the managed system 13 when the model checker 115 determines that there is no problem.

  The data structure of the information model created by the model manager 113 and stored in the model storage unit 122 can be the data structure shown in FIGS. The object model 731 (FIG. 12) is used to represent the object of the management target system 13. The object model 731 includes an identifier uniquely determined in the information model, a name of the management target, a set of parameters indicating an information band of the management target, and a procedure for applying an action to the management target. .

  For example, when the operating system of a computer included in the management target system 13 is handled as one management target, an identifier is assigned to the object model and the name is “operating system”. The set of parameters in this object model includes a parameter named LoadAveragePercentage indicating the current average load state of the operating system, a parameter named OSTypte indicating the type of the operating system, and the like. The procedure in the object model includes reboot for restarting the operating system.

  The association model 732 (FIG. 13) is used to represent an association between managed objects. The association model 732 expresses a relationship between objects by storing two or more identifiers indicating specific data instances of the object model 731 inside. As such an information model, CIM (Common Information Base) can be used.

  FIG. 2 shows the data structure of the policy description stored in the policy storage unit 121. The policy description 61 includes an identifier, a conditional clause, a command clause, and a command definition. When the policy description 61 in this embodiment is compared with the policy description 71 (FIG. 10) in the conventional policy management apparatus, the policy description 61 is different from the conventional policy description 71 in that it includes an instruction definition. The instruction definition explicitly expresses the action of the policy on the management system as an action on the information model. Specifically, a procedure for newly adding a data instance of the object model 731 and the related model 732 to an information model given from the outside, changing or deleting a value of a specific data instance in the given information model is expressed. It is a script.

  In the instruction definition, identifiers and parameters that specify specific management targets that have not been determined when the instruction definition is described are described as variables and are defined to be given externally as arguments for the instruction definition. . Thus, it is possible to describe what changes are made to the information model using information at the time of execution. By including such an instruction definition in the policy description, before the action defined in the instruction section of the policy description is actually applied to the management target system 13, the management is performed with reference to the instruction definition of the policy description. The information model reflecting the state of the target system 13 can be changed by simulating the action defined in the command clause, and the change when the policy action is given is checked using the information model. Therefore, it is possible to prevent the application of a policy that may cause a problem.

  FIG. 3 shows an example of the data structure of the inspection rules stored in the inspection rule storage unit 123. The inspection rule is applicable to the information model generated by the instruction definition interpreter 114 after the action specified by the instruction definition of the policy description is applied, and the action is actually applied to the managed system 13 without any problem. This is data that expresses a specific rule for checking. As the data structure and inspection method of the inspection rules, a method similar to the method of the software rule inspection system described in Japanese Patent Application No. 2003-286850 can be used.

  The inspection rule 62 includes a target designating unit for designating a part that satisfies a condition from the information model, and a predicate logical expression composed of a sequence of predicates connected by a logical operator. The target designating unit includes a function for calculating a set satisfying a specific property from the information model, and a variable indicating that the information belongs to the set. As an example, a case will be described in which CIM is used as an information model and “instances = instanceOf (“ CIM_SoftwareElement ”)” is described in the target designation unit. Here, “instances” is a variable, “insntanceOf” is a function for obtaining a set, and “CIM_SoftwareElement” is an argument given to the function “instanceOf”.

  If the function “instanceOf” is a function that returns all the instances belonging to the class specified by the argument (“CIM_SoftwareElement”) and all the classes that inherited the class, “instances” contains the information model. A set that satisfies the included conditions is bound. This variable instances is used in the predicate logical expression of the check rule 62. In addition to the function and variable for obtaining a set, the target designating part expression can also include a set operator for calculating a union or intersection such as “∪” and “∩”. The expression of the target designating unit can also include quantifiers such as “∀” and “∃” used in the predicate logic, in addition to a function for obtaining a set, a variable, and a set operator.

  The predicate logical expression (FIG. 3) is composed of a predicate and a logical operator corresponding to the analysis function included in the model checker 115. As an example, consider the logical expression “compStrAttr (“ Name ”,“ openssl ”, i)->! IsOlderVersionThan (“ 3.2.2 ”, i)). The predicate compStrAttr corresponds to the name of the parameter in which the information model to be managed indicated by the variable i of the third argument includes the parameter having the name specified by the first argument, that is, “Name” in the above example A predicate whose value is the string specified by the second argument, that is, a predicate declared equal to “openssl” in the above example. The function of checking whether or not this predicate is satisfied is incorporated in the model checker 115 in advance.

  The predicate isOlderVersionThan has a parameter indicating the version in the managed information model indicated by the variable specified by the second argument (variable i), and the version of the parameter is older than the first argument (3.2.2) It is a predicate indicating that it is a version number. A function for checking whether or not the predicate isOlderVersionThan is established is also incorporated in the model checker 115 in advance.

  The above two predicates are linked by the logical operator “->” and isOlderVersionThan is preceded by the logical operator “!”, So “if compStrAttr is true, isOlderVersionThan is false. Is interpreted. In other words, it declares that the value corresponding to the version number included in the information model data to be managed with the name openssl is 3.2.2 or higher. It is assumed that the variable i is bound to an element of the management target set in the target designating unit (FIG. 3) corresponding to the predicate logic.

  The inspection rule can also be embedded in the policy description. FIG. 4 shows a data structure of a policy description having an inspection rule. This policy description 61b has an inspection rule in addition to the policy description 61 shown in FIG. In the inspection of the policy description 61b having such an inspection rule, the model checker 115 performs an inspection using not only the inspection rule stored in the inspection rule storage unit 123 but also the inspection rule included in the policy description 61b. Accordingly, the model checker 115 can check the check conditions peculiar to the specific policy description.

  The inspection rule specific to the policy satisfies, for example, a condition called a post-condition that must be satisfied in the managed system 13 after giving the managed system 13 the action indicated in the command description of the policy description. It is a rule for checking whether or not. In order to describe the post-condition, it is preferable that the difference between before and after the application of the action is clarified. Therefore, when the policy description 61b is to be applied, the instruction definition interpreter 114 includes the policy description 61b. It is preferable to pass the two data of the information model before giving the action described in the instruction definition and the information model after giving to the model checker 115. Thereby, the model checker 115 can test | inspect the conditions regarding the difference before and behind an effect | action.

  FIG. 5 shows an operation procedure of the policy type management system 10. In the operation of the policy type management system 10, as pre-processing, a policy description set which is data necessary for processing of the policy type management apparatus 11 is stored in the policy storage unit 121, and a test rule set is stored in the test rule storage unit 123. (Step A10). The monitor 112 requests information model data from the model manager 113 at a predetermined timing, and the data instance of the object model 731 (FIG. 12) and the data instance of the related model 732 (FIG. 13) from the model manager 113. And the management target system 13 is monitored (step A20).

  When the model manager 113 receives an information model data acquisition request at a predetermined time interval or from the monitor 112, the model manager 113 acquires information from the management target system 13 and stores the information model data stored in the model storage unit 122. Update. For example, when CIM is used as an information model, the model manager 113 can use a system called CIMOM (CIM Object Manager) that manages the information model. In step A <b> 20, the model manager 113 acquires the data instance of the object model 731 and the set of data instances of the related model 732 from the information model data stored in the model storage unit 122, and monitors them. Pass to.

  The monitor 112 analyzes the set of data instances acquired from the model manager 113, and issues an event when a predetermined condition is met (step A30). The monitor 112 defines an event named “CPU_OverLoad” that is issued when, for example, “CPU average load per unit time is 90% or more”, and CPU average load acquired from the model manager 113 is 90%. When the above is detected, the event “CPU_OverLoad” is issued.

  The event issued by the monitor 112 is received by the event processor 111. Upon receiving the event issue, the event processor 111 retrieves all the policy descriptions from the policy storage unit 121 and checks whether or not the condition indicated in the conditional clause is satisfied by the event issue (step S110). A40). The event processor 111 creates a list of policy descriptions that satisfy the condition of the conditional clause, and transmits the policy descriptions included in the list to the instruction definition interpreter 114 one by one. The event processor 111 checks whether or not all the policy descriptions included in the list have been transmitted to the instruction definition interpreter 114 (step A50). When all the policy descriptions are transmitted, the event processor 111 returns to step A20 to monitor the management target system 13. continue.

  In the condition clause of the policy description, for example, issuance of a “CPU_OverLoad” event is described as a condition for applying the policy description. In addition to the event, there may be a condition regarding specific internal information (parameter) such as “if the CPU of the server with a high load is a specific CPU”. When the issued event is described as an application condition in the policy description and the other parameters match the conditions indicated in the condition clause, the event processor 111 determines the policy description conditions in step A40. It is determined that the condition indicated in the section is satisfied by issuing the event, and the policy description is transmitted to the instruction definition interpreter 114.

  When the instruction definition interpreter 114 receives the policy description from the event processor 111, the instruction definition interpreter 114 acquires information model data from the model manager 113, and performs the action indicated in the received policy description instruction definition on the information model. Apply and generate data of the information model after application (step A60). The instruction definition interpreter 114 transmits the generated data of the information model after applying the policy and the policy description to the model checker 115. At this time, when the policy description is the policy description 61b (FIG. 4) including the inspection rule, the instruction definition interpreter 114 adds the information model before giving the instruction definition action in addition to the generated information model data and policy description. Data is transmitted to the model checker 115.

  When the model checker 115 receives the information model data and the policy description from the instruction definition interpreter 114, the model checker 115 takes out all the check rules from the check rule storage unit 123 and checks the received information model data (step A70). It is checked whether or not the inspection rule is satisfied (step A80). When the received information model data violates any inspection rule, the model checker 115 transmits an error output to the output device 14 (step A100), and reports to the system administrator that an error has occurred. To do. After the error is output, the process returns to step A50 to continue the process for the remaining policy description.

  When the model checker 115 determines in step A80 that the information model satisfies all the rules, the model checker 115 transmits the policy description received from the instruction definition interpreter 114 to the instruction executor 116. When receiving the policy description, the instruction executor 116 applies the action defined in the command section of the policy description to the management target system 13 (step A90). Thereafter, the process returns to step A50, and the process for the remaining policy description is continued.

  FIG. 6 shows a detailed procedure of the operations in steps A60 to A80 in FIG. The instruction definition interpreter 114 receives from the event processor 111 a policy description that satisfies the condition of the conditional clause. At this time, the instruction definition interpreter 114 may receive a set of event generation parameters from the event processor 111 together with the policy description. When receiving the policy description, the instruction definition interpreter 114 acquires information model data from the model manager 113 (step B10). At this time, the instruction definition interpreter 114 obtains only necessary information model data of all information model data by calculating in advance a target to which the command clause of the policy description may act. It is preferable.

  When the command definition interpreter 114 acquires the information model data, the command definition interpreter 114 applies the action indicated in the command definition of the received policy description to the acquired information model (step B20). When the command definition interpreter 114 succeeds in applying the command definition and a new information model after application is obtained, the command definition interpreter 114 transmits the new information model data and the policy description to the model checker 115. On the other hand, the instruction definition interpreter 114 has a reason that the description grammar of the instruction definition is different from the grammar interpretable by the instruction definition interpreter 114, or that a problem has occurred when the instruction definition is applied to the information model. Thus, when application of the instruction definition fails, empty information model data is transmitted to the model checker 115.

  Based on the received information model data, the model checker 115 determines whether or not the instruction definition has been successfully applied in the instruction definition interpreter 114 (step B30). When the received information model data is empty, the model checker 115 proceeds to step A100 (FIG. 5) and sends a character string indicating that the instruction definition cannot be correctly applied to the output device 14, Notify the system administrator. When the received information model data is not empty, the model checker 115 determines that the instruction definition has been successfully applied, and acquires the check rule from the check rule storage unit 123 (step B40). The model checker 115 checks whether or not the acquired check rule is observed on the received information model (step B50).

  The inspection rule storage unit 123 also includes an inspection rule for inspecting a property that does not change due to the action of the applied policy description. Such an inspection rule needs to be an inspection target in step B50. There is no. For example, when the action of the policy description is of a nature that affects the network configuration, it is not necessary to inspect an inspection rule that inspects the software version. Therefore, a table in which the policy description is associated with the inspection rule related to the action of the policy description is prepared in advance, and only the inspection rule corresponding to the applied policy description is acquired in Step B40. By doing in this way, in step B50, it is possible to exclude the examination of the property that does not change due to the action of the policy description.

  The model checker 115 determines whether or not a rule violation has occurred as a result of the check in step B50 (step B60). For example, when using a rule that describes a condition indicating an incorrect state or an illegal state as a check rule, the model checker 115 indicates that the information model after applying the policy description action is indicated by the check rule. When an illegal condition is satisfied, it is determined that a rule violation has occurred. If a rule violation has occurred as a result of the check, that is, there is a problem in the information model, the model checker 115 proceeds to step A100 and outputs a character string indicating that there is a problem in applying the policy description to the output device 14. Output to. If there is no rule violation, the process proceeds to step A90, and the policy description is transmitted to the instruction executor 116.

  In the present embodiment, the policy description includes an instruction definition, and the policy type management apparatus 11 is information indicating the current state of the management target system 13 before applying the policy to the management target system 13. Apply the instruction definition to the model. After that, using the inspection rule, it is inspected whether or not a rule violation has occurred in the information model after the application of the instruction definition. As described above, in the present embodiment, before the policy action is actually applied to the management target system 13, whether or not there is a problem is checked using the information model. Application of policy descriptions that may be generated can be prevented in advance.

  FIG. 7 shows the configuration of a policy type management system according to the second embodiment of the present invention. The policy type management system 10a of the present embodiment is different from the policy type management system 10 of the first embodiment shown in FIG. 1 in that the storage device 12a further includes an exception storage unit 124 that stores the inspection rule for exclusion. To do. In the policy type management system 10 of the first embodiment, when the inspection rule is applied uniformly, even if there is no actual problem for a specific policy description, a false detection that is determined to be a problem by the rule. May occur. The present embodiment addresses such a false detection problem.

  The exception storage unit 124 stores a combination of the policy description identifier and the inspection rule identifier to be excluded. In step B40 (FIG. 6), the model checker 115 refers to the exception storage unit 124 and associates it with the policy description received from the instruction definition interpreter 114 when acquiring the check rule from the check rule storage unit 123. Investigate whether there are inspection rules specified. If there is an inspection rule associated with the policy description, the model checker 115 excludes the inspection rule from the inspection rule acquired from the inspection rule storage unit 123 in step B40.

  The model checker 115 checks the information model data based on the acquired check rule. If the model checker 115 determines that the information model data violates any of the inspection rules, the model checker 115 outputs each inspection rule in which the violation has occurred and the policy description to the output device 14, and notifies the administrator of the violation. Requests to enter whether to ignore or not. The administrator looks at the policy description displayed on the output device 14 and the inspection rule in which the violation has occurred, and uses the input device 15 such as a keyboard and a mouse to ignore the violation for each of the inspection rules in which the violation has occurred. Input whether the policy description should be applied.

  When the input device 15 inputs that the policy description should be applied while ignoring the violation, the model checker 115 and the identifier of the policy description and the check rule to be ignored even if the violation has occurred. The identifier is associated with and stored in the exception storage unit 124. Also, the policy description is transmitted to the instruction executor 116 ignoring the inspection rule violation that has occurred. As a result, when a specific inspection rule is not applied to a specific policy description and the policy description to be applied does not violate inspection rules other than the specific inspection rule, the policy description is transmitted to the instruction executor 116. Is transmitted, and the action of the policy description is applied to the management target system 13.

  In the present embodiment, when the information model data violates the inspection rule due to the action of the policy description, the administrator inputs whether to ignore the violation. When the administrator inputs that the violation is to be ignored, the model checker 115 transmits the policy description to the instruction executor 116 as if there was no violation, and does not detect the same check rule violation thereafter. In addition, the exception storage unit 124 stores the combination of the inspection rule to be ignored and the policy description. As a result, even when the inspection rule storage unit 123 includes an inspection rule that causes an erroneous detection that detects an error even though the state is correct in nature, the management process can be appropriately continued. .

  The policy type management apparatus 11 of the first embodiment and the policy type management apparatus 11a of the second embodiment can be realized using a computer that operates under program control. FIG. 8 shows the configuration of a computer that implements the policy type management system 10a shown in FIG. The policy type management system 20 includes a policy type management device 21, a storage device 12 b, an output device 14, and an input device 15. The policy type management device 21 implements the functions of the respective units of the policy type management device 11a by reading and operating the policy type management program 22.

  In each of the embodiments described above, after the monitor 112 issues an event, the event processor 111 checks whether the condition clause of the policy description is satisfied. Instead, the monitor 112 uses the policy description of the policy description. With reference to the conditional clause, the policy description may be transmitted to the instruction definition interpreter 114 when the conditional clause is satisfied. In this case, for example, when there is a policy description in which the condition that “the average load of the CPU per unit time of the designated computer is 90% or more” is described in the conditional clause, the monitor 112 satisfies the condition of the conditional clause. If the condition is satisfied, the policy description is transmitted to the instruction definition interpreter 114 in order to activate the policy.

  Although the present invention has been described based on the preferred embodiment, the policy type management apparatus, method, and program of the present invention are not limited to the above embodiment example, and the configuration of the above embodiment. To which various modifications and changes are made within the scope of the present invention.

The block diagram which shows the structure of the policy type management system of 1st Embodiment of this invention. The block diagram which shows the data structure of the policy description memorize | stored in the policy memory | storage part 121. FIG. The block diagram which shows an example of the data structure of the inspection rule memorize | stored in the inspection rule memory | storage part 123. FIG. The block diagram which shows the data structure of the policy description which has an inspection rule. 6 is a flowchart showing an operation procedure of the policy type management system 10. The flowchart which shows the detailed procedure of operation | movement of step A60-A80 of FIG. The block diagram which shows the structure of the policy type management system of 2nd Embodiment of this invention. The block diagram which shows the structure of the computer which implement | achieves the policy type management system 10a shown in FIG. The block diagram which shows the structure of the conventional general policy type | mold management system. The block diagram which shows an example of the data structure of a policy description. The block diagram which shows the policy table memorize | stored in the policy memory | storage device 921. FIG. The block diagram which shows an example of the data structure of the object model stored in the model memory | storage part 922. FIG. The block diagram which shows an example of the data structure of the related model stored in the model memory | storage part 922. FIG. The block diagram which shows an example of the data structure of an event. The block diagram which shows an example of the data structure of a parameter.

Explanation of symbols

11, 21: Policy type management device 12: Storage device 13: Management target system 14: Output device 15: Input device 22: Policy type management program 61: Policy description 62: Inspection rule 72: Event 79: Parameter 111: Event processing 112: Monitor 113: Model manager 114: Instruction definition interpreter 115: Model checker 116: Instruction executor 121: Policy storage unit 122: Model storage unit 123: Check rule storage unit 124: Exception storage unit

Claims (9)

A model management unit that acquires state information from the information system to be managed, creates an information model indicating the state of the management target system based on the acquired state information, and stores the information model in a storage device;
Reference is made to a storage device that stores a policy description including an application condition, an action on the information system to be managed, and an instruction definition description describing the action as an action on the information model, and is based on the state of the information system to be managed An event processing unit that determines whether or not an application condition of the policy description is satisfied, and extracts a policy description that satisfies the application condition;
An instruction definition interpretation unit that applies an instruction definition description to the information model stored in the storage device for the extracted policy description, creates an information model after applying the policy description, and stores the information model in the storage device;
A model checking unit that refers to a storage device that stores a check rule that describes a condition to be satisfied in the information model, and that determines whether the stored information model after applying the policy description satisfies the check rule; ,
A policy type management comprising: an instruction execution unit that applies an action of the policy description to a management target information system for a policy description determined by the model checking unit to satisfy the checking rule. apparatus.   The model checking unit further stores the policy description and the check rule in association with each other, refers to a storage device that stores the exception rule indicating that the check rule is not applied to the policy description, and stores the policy description in the information model. 2. The method according to claim 1, wherein it is determined whether or not the information model after applying the policy description satisfies the inspection rule by using an inspection rule excluding the inspection rule corresponding to the policy description having the applied instruction definition description. Policy type management device.   Further, when the information model after applying the policy description does not satisfy the inspection rule, the model checking unit requests an input as to whether or not the inspection rule violation should be ignored. Assuming that the inspection rule violation has not occurred, the policy description having the instruction definition description applied to the information model is associated with the inspection rule in which the inspection rule violation to be ignored is associated and stored as the exception rule. The policy type management apparatus according to claim 2, which is stored in the apparatus. A method for managing an information system to be managed using a computer,
The computer acquires state information from the information system to be managed, creates an information model indicating the state of the management target system based on the acquired state information, and stores the information model in a storage device;
The computer refers to a storage device for storing a policy description including an application condition, an action on the information system to be managed, and an instruction definition description describing the action as an action on the information model, and the information system to be managed Determining whether an application condition of the policy description is satisfied based on the state of the policy description, and extracting a policy description satisfying the application condition;
The computer applies an instruction definition description to the information model stored in the storage device for the extracted policy description, creates an information model after applying the policy description, and stores the information model in the storage device;
The computer refers to a storage device that stores a check rule describing a condition to be satisfied in the information model, and determines whether or not the stored information model after applying the policy description satisfies the check rule. Steps,
And a step of applying the action of the policy description to the information system to be managed for the policy description determined by the model checking unit to satisfy the checking rule. Management method.   The determination step refers to a storage device that stores the policy description and the inspection rule in association with each other and stores the exception description indicating that the inspection rule is not applied to the policy description, and the instruction applied to the information model 5. The policy type management according to claim 4, wherein it is determined whether or not the information model after applying the policy description satisfies the inspection rule by using an inspection rule excluding the inspection rule corresponding to the policy description having the definition description. Method.   When the information model after application of the policy description does not satisfy the inspection rule, the determination step asks for an input as to whether or not the inspection rule violation should be ignored. Assuming that no violation has occurred, the policy description having the instruction definition description applied to the information model is associated with the inspection rule in which the inspection rule violation to be ignored is associated and stored in the storage device as the exception rule. The policy type management method according to claim 5. A program for a computer that manages an information system to be managed, the computer comprising:
Processing for acquiring state information from the information system to be managed, creating an information model indicating the state of the management target system based on the acquired state information, and storing the information model in a storage device;
Reference is made to a storage device that stores a policy description including an application condition, an action on the information system to be managed, and an instruction definition description describing the action as an action on the information model, and is based on the state of the information system to be managed Determining whether the policy description application condition is satisfied, and extracting the policy description satisfying the application condition;
A process of applying an instruction definition description to the information model stored in the storage device for the extracted policy description, creating an information model after applying the policy description, and storing the information model in the storage device;
A process of referring to a storage device that stores a check rule describing a condition to be satisfied in the information model, and determining whether or not the stored information model after applying the policy description satisfies the check rule;
A program for causing a policy description determined by the model checking unit to satisfy the checking rule to execute processing for applying the action of the policy description to an information system to be managed.   The determination process is applied to the information model with reference to a storage device that stores the policy description and the inspection rule in association with each other and stores the policy description as an exception rule in the policy description. The program according to claim 7, wherein it is determined whether or not the information model after applying the policy description satisfies the inspection rule by using an inspection rule excluding the inspection rule corresponding to the policy description having the instruction definition description.   When the information model after applying the policy description does not satisfy the inspection rule, the determination process requests an input as to whether or not the inspection rule violation should be ignored. Assume that no rule violation has occurred, associate the policy description having the instruction definition description applied to the information model with the check rule in which the check rule violation to be ignored occurred, and store it as the exception rule in the storage device. The program according to claim 8, which is stored.

Images