
  • Number of slides: 39

Decentralized Workflow Control and Conflict of Interest
Vijay Atluri, Soon Ae Chun, Pietro Mazzoleni

Our Contributions
  • Decentralized WF Control
  • Contribution Part I:
  • Decentralized WF Control Model
      • Join Relations
      • SELF describing Workflow, WFMS Stub
      • WF partition, dependency splitting, dependency evaluation
  • Contribution Part II:
  • Conflict of Interest problem in Decentralized control
  • COI model for decentralized WF
  • Restrictive partition
  • Secure WFMS stub

Centralized Workflow Management
[Figure: workflow graph. Tasks: Enter Input spec, buy computer, buy printer, external CD writer, Notify. Agents: IT Agent, GATEWAY, DELL, XEROX, HP, PANASONIC. Edge labels: bs; bf or p>$400; bs and p<=$400; bs and Date <3/21/01.]
  • Performance bottleneck
  • Do not scale well
  • Not suitable if systems are inherently autonomous and distributed

Decentralized Workflow Management
[Figure: seven-task workflow (tasks numbered 1 to 7) spread over the agents IT agent, GATEWAY, DELL, XEROX, HP and PANASONIC, with a sequence of task numbers shown beside each agent. Node labels: Enter Input Date/destination, Reserve Airline, Rent a car, Reserve a hotel, Notify. Edge labels: bs; bf or p>$400; bs and p<=$400; bs and Date <3/21/01.]

Our Contribution Part 1:
  • WF Model
  • Join Relations
  • Decentralized WF Control Model
  • SELF describing Workflow
  • WF partition
  • dependency splitting
  • dependency evaluation
  • WFMS Stub

Workflow Model
Workflow can be defined as a pair (G, J), where G = (T, D) is a directed graph with T as a node set for tasks t1, t2, .. tn in the workflow and D as an edge set with dependencies, ti tj, and J is a set of join relations among dependencies, j1, j2 .. jp in
Task structure:
  • a set of visible execution states {initial, executing, done, aborted, success, failed}
  • a set of task primitives {begin, abort, finish, commit, evaluate}
Inter-task dependencies:
  • Control-flow (state) dependencies
  • Value dependencies
  • External dependencies
Join Relations
Examples:
  • Begin on commit dependency (ti tj)
  • abort dependency (ti tj)
  • ti can begin only if tj's output is x
  • ti can begin only at 9:00 am or after 24 hrs after the completion of tj
[Figure: task structure diagram; labels not recoverable]

Join Relations
[Figure: AND/OR split and AND join examples. Tasks: reserve flight, reserve hotel, rent a car, Reserve Hilton, Country Hill, Book the trip, Book the hotel. Edge labels: bs; flight<$200; flight>=$200.]
Join conditions shown on the slide:
  • (Hilton.price + Country.price < $400)
  • (Hilton.double>= 3 OR Country.double>=3) AND (Hilton.single>= 4 OR Country.single>=4)

Dependency/Preconditions
  • Dependency expressions in d in ti d tj are Pre(tj)
  • Pre_begin(tj): <t1, commit ^ price>$200, tj, begin>
  • Pre_commit(tj): <t1, success ^ price>$200, tj, commit>
  • Pre_abort(tj): <t1, abort, tj, abort>
[Figure: buy CPU, edge "bc ^ price>$200", buy HDisk]
Pre_begin(tj) = (ti.state = commit ^ t1.price>$200)
[Figure: t1 and t2 joined into t3 by bs edges with the condition (t1.price + t2.price >$200)]
Pre_begin(t3) = (ti.state = s ^ t2.state=s ^ t1.price+t2.price>$200)

Our Approach to Decentralized Workflow Management
  • Self-describing Workflow
  • Workflow Stub
[Figure: the WFMS server (A0) sends a self-describing workflow to the WFMS stub at A1 (t1); WFMS stubs at A2 (t2), A3 (t3) and A4 (t4) receive self-describing workflows of the form (ti, Ai, Input(ti), ...). Edge labels between t1, t2, t3 and t4: bs, bf.]

Decentralized Workflow Control Model
  • Self Describing Workflow:
  • Workflow Partition with instance information
      • ti = task, agent A(ti), activities, input, output
      • PRE(ti) = preconditions for ti’s transition operation
      • Out.State = control, value, external dependency state for ti from previous task tj (tj ti)
      • Pi = workflow partition where ti is the initial task

WFMS Stub
  • Receives the self-describing workflow
  • Extract task
  • Partition remaining workflow
  • Evaluate precondition
  • Execute task
  • Split dependency into immediate and deferred preconditions
  • Evaluate immediate precondition
      • adjust OUTSTATE (with signals)
  • Construct self-describing workflow for each partition
  • Forwards each self-describing wf to the subsequent task agents

WFMS Stub: Case 1
  • tj can start in parallel with ti (ti c tj)
[Figure: audio card, edge c, speakers]
  1. A(ti) does not evaluate dependency(tj)
  2. Partition Pj and forward SELF(Pj) to A(tj)
  3. Execute ti
  4. Evaluate dependency
  5. Send Out.State(ti) with signals to A(tj)

Workflow Partition for A(ti)
Given Pi, for each tj which has an outgoing edge from ti:
Pj = a connected path from j
[Figure: example task graph (nodes 1 to 5) with partitions labelled P1, P2 and P3, and SELF(P2)]

WFMS Stub: Case 2
  • ti has to evaluate PRE(tj) (dependency) before sending SELF(Pj)
[Figure: audio card, edge bs, speakers; partition Pj]
  1. if Pre_begin(ti)=true, Execute ti
  2. Partition Pj
  3. Precondition Splitting = PRE(tj)
  4. Evaluate immediate dependency
  5. if PRE_begin(tj)=true forward SELF(Pj) to A(tj), else NO forward SELF(Pj)

Dependency/Precondition Splitting
[Figure: t1 and t2 joined into t3 by bs edges with the condition (t1.price + t2.price >$200)]
Pre_begin(t3) = (ti.state = s ^ t2.state=s ^ t1.price+t2.price>$200)
(Hilton.double>= 3 OR Country.double>=3) AND (Hilton.single>= 4 OR Country.single>=4)
(CPU.price + HD.price < $400)
Immediate v. Deferred Preconditions
[Figure: expression tree, AND over two OR nodes with leaves t1.double>=3, t2.double>=3 and t1.single>=4, t2.single>=4]

Dependency/Precondition Splitting
[Figure: t1 and t2 leading into t3]
  1. Immediate Evaluation only: Pre(tj) = (ti.state=s)
  2. Deferred Evaluation only: PRE(t3) = t1.price+t2.price>$200
  3. Split: partial evaluation at ti, rest in tj
     PRE(t3) = (ti.state = s ^ t2.state=s ^ t1.price+t2.price>$200)
     PRE(t3) = (Hilton.double>= 3 OR Country.double>=3) AND (Hilton.single>= 4 OR Country.single>=4)
Why splitting and immediate evaluation?
  1. WF control semantics mandates it. (Control flow)
  2. Evaluate only if needed (one OR operand can be skipped)
  3. Reduce amount of information (evaluated truth value v. expressions) among task agencies
  4. Reveal only need-to-know information

Dependency/Precondition Splitting
[Figure: expression tree, AND over two OR nodes with leaves t1.double>=3, t2.double>=3 and t1.single>=4, t2.single>=4; the other task's leaves are marked X]
  • Immediate Precondition (t1): (t1.double >= 3 OR X) AND (t1.single>=4 OR X)
  • Deferred Precondition (t1): (t1.signal1 OR t2.double>=3) AND (t1.signal2 OR t2.single>=4)
  • Immediate Precondition (t2): (X OR t2.double) AND (X OR t2.single>=4)
  • Deferred Precondition (t2): (t1.double OR t2.signal1) AND (t1.single>=4 OR t2.signal2)

Dependency/Precondition Evaluation
Immediate evaluation at t1
[Figure: expression tree, AND over (t1.double>=3 OR X) and (t1.single>=4 OR X)]
Out.State(t1) = {t1.signal1=F, t1.signal2=F} ∪ Out.State(t1)
Deferred Evaluation at t3
(t1.signal1 OR t2.double>=3) AND (t1.signal2 OR t2.single>=4)
Wait results from t2, and evaluate the whole deferred expression
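
The split and the signal-based deferred evaluation from the slides above, as an added Python example (not code from the presentation). The class and function names are assumptions, the expression is the slide's PRE(t3), and the room counts are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Leaf:      # atomic predicate on one task's output, e.g. t1.double >= 3
    task: str
    attr: str
    minimum: int

@dataclass(frozen=True)
class Signal:    # truth value already fixed by the agent of `task`
    task: str
    value: bool

@dataclass(frozen=True)
class Op:        # kind is "AND" or "OR"
    kind: str
    args: tuple

def split(expr, task, values):
    """Resolve every leaf owned by `task` using `values`; leaves of other
    tasks (the X placeholders on the slide) stay in the deferred part."""
    if isinstance(expr, Signal):
        return expr
    if isinstance(expr, Leaf):
        if expr.task != task:
            return expr
        return Signal(task, values[expr.attr] >= expr.minimum)
    args = tuple(split(a, task, values) for a in expr.args)
    known = [a.value for a in args if isinstance(a, Signal)]
    if expr.kind == "OR" and any(known):        # one true operand decides OR
        return Signal(task, True)
    if expr.kind == "AND" and not all(known):   # one false operand decides AND
        return Signal(task, False)
    if len(known) == len(args):                 # every operand resolved
        return Signal(task, expr.kind == "AND")
    return Op(expr.kind, args)

def owned_leaves(expr, task):
    """Count raw predicates of `task` still visible in an expression."""
    if isinstance(expr, Leaf):
        return int(expr.task == task)
    if isinstance(expr, Signal):
        return 0
    return sum(owned_leaves(a, task) for a in expr.args)

# PRE(t3) from the slide; the room counts below are constructed sample values.
PRE_T3 = Op("AND", (
    Op("OR", (Leaf("t1", "double", 3), Leaf("t2", "double", 3))),
    Op("OR", (Leaf("t1", "single", 4), Leaf("t2", "single", 4)))))

deferred = split(PRE_T3, "t1", {"double": 2, "single": 1})   # both signals F
at_t3 = split(deferred, "t2", {"double": 3, "single": 5})    # t2's results arrive
settled = split(PRE_T3, "t1", {"double": 5, "single": 4})    # t2 never consulted
print(deferred, at_t3, settled, sep="\n")
```

The deferred expression forwarded by t1 carries only truth values for t1's predicates, which is the need-to-know property the slide lists as a reason for splitting.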

WFMS Stub: Case 3
  • ti has to wait for a PRE_commit(ti) to complete execution
[Figure: audio card, edge c, speakers; partition Pj]
  1. Partition Pj
  2. Precondition Splitting = PRE(tj)
  3. execute ti until done
  4. Wait until Deferred_PRE = true
  5. If no error, commit(ti)
  6. Evaluate Immediate dependency
  7. forward SELF(Pj) to A(tj)

Our approach to Decentralized Control (So far and future)
  • WF Model
  • Join Relations
  • Decentralized WF Control Model
  • SELF describing Workflow
  • WF partition
  • dependency splitting (immediate v. deferred)
  • dependency evaluation (signal Out.States)
  • WFMS Stub
  • Need to address
      • Dynamic changes/dynamic customizations
      • handle failure, recovery, compensation

Our Contribution Part 2:
  • Conflict of Interest problem in Decentralized control
  • COI model for decentralized WF
  • Restrictive partition
  • Secure WFMS stub

Conflict of Interest Problem
  • Execution agents are in conflict of interest
  • one agent can manipulate control or value dependencies in Workflow for its advantage
  • e.g. price is lowered to $400 at DELL ==> disadvantage against GATEWAY and consumer
  • Simple partition algorithm wouldn’t do
[Figure: workflow graph. Tasks: Enter Input spec, buy computer, buy printer, external CD writer, Notify. Agents: IT Agent, GATEWAY, DELL, XEROX, HP, PANASONIC. Edge labels: bs; bf or p>$400; bs and p<=$400; bs and Date <3/21/01.]

No Conflict of Interest problem in Centralized Control
[Figure: workflow graph. Tasks: Enter Input spec, buy computer, buy printer, external CD writer, Notify. Agents: IT Agent, GATEWAY, DELL, XEROX, HP, PANASONIC. Edge labels: bs; bf or p>$400; bs and p<=$400; bs and Date <3/21/01.]
  • No Conflict of Interest problem arises in centralized management
  • The control/value dependencies or destination of its output is unknown to a particular A(ti)

Chinese Wall Policy
  • Objective: prevent information flows that cause conflict of interest for individual consultants
  • Brewer and Nash Model
      • Read Rule
[Figure: a consultant with read (r) arrows to Insurance, Bank A, Bank B and Oil B, one of them crossed out (X); labels: Mandatory access denial, Discretionary access]

Chinese wall policy
  • Read Rule: S can read O only if
      • O is within the wall or O is outside the wall
  • Write Rule: S can write O only if
      • S can read O by BN Read rule
      • no object can be read which is in the different company set to the one for which write access is requested
[Figure: Consultant A and Consultant B with read (r) and write (w) arrows to Oil A, Oil B and Bank A, one of them crossed out (X)]

Conflict of Interest Task Agents
  • COI group 1: Continental, Delta
  • COI group 2: Avis, Hertz
  • COI group n: Holiday Inn, Marriot

Chinese Wall Security Model for Decentralized Workflow
  • Object: sensitive v. non-sensitive object
      • sensitive: dependency, Outstate that changes execution flow (e.g. sensitive(d1) = price)
      • Non-sensitive: output(ti)
[Figure: workflow graph. Tasks: Enter Input spec, buy computer, buy printer, external CD writer, Notify. Agents: IT Agent, GATEWAY, DELL, XEROX, HP, PANASONIC. Edge labels: bs; bf or p>$400; bs and p<=$400; bs and Date <3/21/01.]
  • Subject: task execution agent, S
      • COI(S) = conflict of interest class S belongs to
      • COI(DELL) = GATEWAY, COMPAQ, ...
      • O S ==> O COI(S)

Chinese Wall Security Model for Decentralized Workflow
  • Read/Evaluate Rule:
      • S can read dependency O if O S or O COI(S)
    Subject can read and evaluate dependency object of its own company, or any dependency that does not belong to the same COI class as S’s company.
    e.g. (bf OR p>$400) belongs to both DELL and GATEWAY. BOTH can’t read this object, hence can’t evaluate it.
  • Write/Partition Rule
      • S can write if S can read
    Subject is not allowed to construct SELF with sensitive objects that belong to the same COI class.
    e.g. DELL can’t construct SELF WF for GATEWAY.

Our Approach: Restrictive Partition
partition Pj does not contain any sensitive object O COI(A(tj))
[Figure: task graph (tasks 2 to 7) partitioned among task agents TA2, TA3 and TA4, with two agents marked SAME COI]
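
One way to express the Read/Evaluate rule and the restrictive partition as code, added here as an illustration and not taken from the presentation. It assumes each object carries the set of companies it belongs to, and reads the rule as "denied if any owner competes with the reader", which matches the slide's DELL/GATEWAY example. Function names and the objects d2, d3 and out1 are constructed; how withheld dependencies are later evaluated (the critical-partition slides) is not modelled.

```python
# COI(DELL) is from the slides; the other classes are the slide's COI groups.
COI_CLASSES = [
    {"DELL", "GATEWAY", "COMPAQ"},
    {"Continental", "Delta"},
    {"Avis", "Hertz"},
    {"Holiday Inn", "Marriot"},
]

def coi(agent):
    """Competitors of `agent`: the rest of its conflict-of-interest class."""
    for members in COI_CLASSES:
        if agent in members:
            return members - {agent}
    return set()

def can_read(agent, obj):
    """Read/Evaluate rule (assumed reading): non-sensitive objects are open;
    a sensitive object is denied if any company it belongs to competes with `agent`."""
    return not obj["sensitive"] or not (obj["owners"] & coi(agent))

def restrictive_partition(objects, sender, recipient):
    """Write/Partition rule: the sender may only pack what it can read itself,
    and nothing the recipient is walled off from. Returns (forwarded, withheld)."""
    forwarded, withheld = [], []
    for obj in objects:
        ok = can_read(sender, obj) and can_read(recipient, obj)
        (forwarded if ok else withheld).append(obj["name"])
    return forwarded, withheld

# d1 and its owners are the slide's example; d2, d3 and out1 are constructed.
OBJECTS = [
    {"name": "d1", "expr": "bf OR p>$400", "owners": {"DELL", "GATEWAY"}, "sensitive": True},
    {"name": "d2", "expr": "bs AND p<=$400", "owners": {"DELL"}, "sensitive": True},
    {"name": "d3", "expr": "bs AND Date<3/21/01", "owners": {"PANASONIC"}, "sensitive": True},
    {"name": "out1", "expr": "output(t1)", "owners": {"DELL"}, "sensitive": False},
]

if __name__ == "__main__":
    for agent in ("DELL", "GATEWAY", "HP"):
        print(agent, [o["name"] for o in OBJECTS if can_read(agent, o)])
    print(restrictive_partition(OBJECTS, "DELL", "GATEWAY"))
    print(restrictive_partition(OBJECTS, "IT Agent", "XEROX"))
```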

Critical Partition: non-adjacent tasks
[Figure: task graph (tasks 2 to 7) with two non-adjacent tasks marked SAME COI and a region marked Critical Partition; task agents TA3, TA4 and TA6; the dependency "Bf or price > $400"; a "signal" passed between agents]

Critical Partition: adjacent tasks
[Figure: task graph (tasks 2 to 7) with two adjacent tasks marked SAME COI and a region marked Critical Partition; task agents TA3 and TA4; the dependency "Bf or price > $400"]

Secure WFMS Stub at A(ti)
Given SELF(ti)
extract ti
Pj = Restrictive Partition of Pi
Restrictive dependency splitting
Construct SELF(Pj)
CASE 1: tj can be parallel with ti, forward SELF(Pj)
    Evaluate DEFERRED_PRE(begin), execute ti
    Evaluate IMMEDIATE_PRE(ti), send DEFERRED_PRE(commit)
CASE 2:
    Evaluate DEFERRED_PRE(begin), execute ti
    Evaluate IMMEDIATE_PRE(ti), send SELF(Pj)
CASE 3: (ti was in parallel with previous task)
    execute ti until done
    wait until signal is received
    if (DEFERRED-PRE(commit)=true) then finish up ti
    Evaluate IMMEDIATE_PRE(ti), send SELF(Pj)

Working on
  • AND join -- sensitive dependency splitting
[Figure: task graph (tasks 1 to 7) with an AND join]

Related Work
  • Cryptography:
  • Onion Ring: Mobile code security, distributed computing
      • A message for each execution agent is encrypted with the agent’s key
      • Assumes static execution path => can’t workflow: dynamic execution state and results into account
[Figure: P carrying messages m1, m2, m3 from host 1, encrypted with Key(A), Key(B), Key(C)]
Encrypted control information and destination: wouldn’t be able to evaluate control info or destination

Related work:
  • Static distribution of control flow
  • EXOTICA/Flowmark (Mohan & Alonso 1995):
      • decomposition of workflow is done centrally
      • distributed partitions in designated hosts statically
[Figure: hosts h1, h2, h3]
  • For different workflow or different partitioning of workflow, need to configure the hosts differently
  • Do not address COI problem

Related Work
  • METEOR2 (ORBWork, WEBWork): (Sheth et al: 1997)
      – Workflow code generator reads workflow specification and creates task manager routines which contain the scheduling logic
      – Each task manager is aware of its immediate successors and capable of activating the follow-up task managers once the task it controls terminates
[Figure: Designer, Automatic code generation, task managers (TM) each controlling a task]
  • Task Manager code can be cracked for control and value dependency
  • Do not address COI problem

Architecture
[Figure: Agency 1 through Agency N, each with a Task Execution Agent, Interoperability layer, WFMS Stub and Local DB; further components labelled Workflow Interface, Customized Workflow generator, Workflow Composition, Generation, and Workflow Form & Service, with its own WFMS Stub]

Architecture
[Figure: Agency 1 through Agency N, each with a Task Execution Agent, Interoperability layer, WFMS Stub and Local DB; further components labelled Workflow Interface, Customized Workflow generator, and Workflow Form & Service, with its own WFMS Stub]

References
  • Brewer & Nash 1989
  • Sandhu 1992
  • Alonso, Mohan et al. 1995
  • Sheth et al. ORBWORK, 1997
  • A. Myers: JFlow: Practical mostly-static information flow control, 1999