pyPElib: a python Policy Engine library

Policy management is one of the features a lot of applications need to care of and implement. Policy management and enforcement is indeed of particular interest in applications which offer fully automated IT services (IaaS, SaaS..). Provisioning, service instantiation or monitoring are just examples of application procedures where policy enforcement is highly desirable to be applied (when not a must).

The Ofelia Control Framework (OCF), as the automated testbed management tool being used in OFELIA FP7 and FIBRE FP7 projects, is no exception to that. As a result of the set of requirements comming from the OCF and within joint activities in OFELIA and FIBRE FP7 projects the pyPElib library has been developed, in order to have an homogeneous flexible policy enforcement code base.

In a nutshell pyPElib is a small python library to help programmers use the abstractions provided to apply rule-based policy enforcement in certain scopes of the application.

pyPElib library main features are:

  • Rule-based policy enforcement
  • Rule-based action triggering, logging
  • Multiple scope support within an application
  • Pluggable multi-syntax support.
  • Flexible syntax customization (Resolver and mappings)
  • Pluggable persistence backends.

Quick overview

The library is meant to provide Rule-based policy enforcement mechanisms; one could easily find similarities with iptables. The main interface for the programmer to do so is using so-called RuleTable abstraction.


Each RuleTable instance is meant to encapsulate a set of policies to be applied in a certain scope (e.g. provisioning interface requests). The result of an evaluation will always be a DENY/ACCEPT value. Each table has also a default policy (DENY/ACCEPT), in case no rules match.

Example (syntax is pseudo-code).

Each rule may evaluate a simple or a complex condition, and either return ACCEPT/DENY and optionally execute an action, or only execute an action ( so called action rules or non-terminal rules). Conditions may involve checking of any part of the request, application or external context.

Adaptability: mappings

It is also of particular interest to expose how using the mappings functionality provided by pyPElib, and regardless of the syntax module, rules can be customized in order to check whatever kind of context information, hence be used in any kind of application.

Consider the following rule definition, specifically the condition clause (RegexParser):

if  vm.memory > 256  then DENY denyMessage Memory limit is 256MB

Indeed one can use this simple notation to access vm.memory field, without having to explicitely modify anything from pyPElib, not even the parser, thanks to the mappings and the Resolver class.

Mappings are the key element that allow defining custom labels or keywords to retrieve application specific context (e.g. in a Virtual Machine provisioning system, the requested VM memory, the server memory or the number of VMs in a server) . Consider the following mappings for the example above:

_mappings = {
"":"metaObj['name']",  #metaObj is the object passed to evaluate() routine of RuleTable

Mappings are RuleTable instance dependant, hence adapting at the scope that policies have to be applied, and are used as follows:

myTable = RuleTable("My Engine",_mappings,defaultParser=RegexParser, pType=False)

Note that you can easily point these keywords to any object contained in the metObj(object sent to RuleTable.evaluate), a static value or any global function that returns a value, without touching the parsing modules. Another example of mappings:

_mappings = {
"project.vms":app.models.Project.getVms #function must be defined as "def getVms(metaObj)"
"staticValue": 10,

The next steps

At the time this article is being written version 0.1A is publicly avaliable. It is expected that final 0.1 stable version is released within the next month, containing mostly bug-fixing.

It would be also interesting to see plugins/extensions in the following areas:

  • More persistence backends (currently a Django backend is under development)
  • More (and better) parsing modules
  • Integration (via mappings) with user management frameworks.

More information&code:

Project is open to everyone willing to contribute, and is released in Google Code under GPL license:

This entry was posted in Uncategorized and tagged , , , , , , . Bookmark the permalink.