PolicyGuidedFulfillmentDemo
Policy Guided Fulfillment Demo
This topic describes a demo of Policy Guided Fulfillment.
Demo Scenario
- The cloud admin(s) set 2 policy rules:
  - Tenant A can only use MySQL as a DB vendor
  - Tenant B can only use PostgreSQL as a DB vendor
- The admin wishes to model a Tomcat application that depends on a DB
  - Tenant A admin models it with a MySQL DB
  - Tenant B admin models it with a PostgreSQL DB
- Application developer wants to add a workflow to the application deployment that will verify that Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not.
- The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)
- End user of tenant A wishes to deploy the Tomcat application that relies on PostgreSQL
  - Deployment fails since the policy rules restrict this DB for tenant A
- End user of tenant A asks Murano to deploy Tomcat with MySQL DB
  - Application is deployed
  - At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
  - The workflow is triggered by the application class
  - A mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive
Demo Setup Guide
Prerequisites
- OpenStack
  - Murano, Mistral, and Congress services enabled
  - policy enforcement enabled in Murano (documentation: http://murano.readthedocs.org/en/latest/articles/policy_enf.html#introduction)
  - create qa tenant
    - assign demo user to roles Member, anotherrole in the tenant (same roles as demo user has in demo tenant)
    - assign admin user to role admin in the tenant (same roles as admin user has in demo tenant)
- VM images
  - Ubuntu based image
  - CentOS (RedHat) based image
  - Images must have the Murano Agent installed
  - if you are behind a proxy, the images must have the proxy configured
- Networking
  - Access to the internet is required
    - if you access the internet through a proxy, you have to configure it in your lab and in the VM images
Application
The application is based on packages used in murano-apps, murano-app-incubator, and hello-world-servlet.
Application packages are available here: https://github.com/filip-blaha/policy-guided-fulfillment-demo
- io.murano.apps.java.HelloWorld
  - Main application package.
  - It installs the web application from https://github.com/filip-blaha/hello-world-servlet to Tomcat and configures the database.
  - Has a dependency on SqlDatabase, so either MySql or PostgreSql can be chosen
  - Has a dependency on Tomcat
- io.murano.apps.apache.Tomcat
  - Installs Tomcat
- io.murano.databases.SqlDatabase
  - Base package for databases. It defines base actions for database configuration.
- io.murano.databases.MySql
  - MySql database package
- io.murano.databases.PostgreSql
  - Postgres database package
Create packages and upload them into OpenStack:
    git clone https://github.com/filip-blaha/policy-guided-fulfillment-demo
    cd policy-guided-fulfillment-demo
    . ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually
    ./package-manager.sh io.murano.apps.apache.Tomcat
    ./package-manager.sh io.murano.apps.java.HelloWorld
    ./package-manager.sh io.murano.databases.MySql
    ./package-manager.sh io.murano.databases.PostgreSql
    ./package-manager.sh io.murano.databases.SqlDatabase
Policy Rules
The following policy rules define the predeploy enforcement for the demo.
Execute the following commands to create the policies and policy rules:
    . ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually
    # create policy murano and murano_system (this will not be necessary once the murano datasource driver is merged into congress)
    openstack congress policy create murano
    openstack congress policy create murano_system
    # allowed app main rules
    openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:properties(eid,"tenant_id",tid), murano:parent_types(oid,"io.murano.Application"), tenantName(tid,tname), not allowedApp(type, tname),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)'
    openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'
    openstack congress policy rule create murano_system 'tenantName(tid, tname) :- keystone:tenants(en,desc,tname,tid)'
    # demo tenant
    openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql", "demo")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.HelloWorld", "demo")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "demo")'
    # qa tenant
    openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.PostgreSql", "qa")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.HelloWorld", "qa")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "qa")'
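The rules above form a per-tenant allowlist: any object whose parent types include io.murano.Application and whose type has no allowedApp fact for the tenant yields a predeploy_errors row. The Python sketch below is an added example, not code from the demo repository or from Congress; it evaluates the same rule body over constructed facts, assuming standard Datalog conjunction semantics (the tenant ids t-demo and t-qa, the object ids, and the object names are made up).

```python
# Added illustration: mirrors the page's predeploy_errors rule over constructed facts.
ALLOWED_APP = {  # allowedApp(type, tenant) facts, copied from the page
    ("io.murano.databases.MySql", "demo"),
    ("io.murano.apps.java.HelloWorld", "demo"),
    ("io.murano.apps.apache.Tomcat", "demo"),
    ("io.murano.databases.PostgreSql", "qa"),
    ("io.murano.apps.java.HelloWorld", "qa"),
    ("io.murano.apps.apache.Tomcat", "qa"),
}
TENANTS = {"t-demo": "demo", "t-qa": "qa"}  # constructed stand-in for keystone:tenants
APP = "io.murano.Application"


def predeploy_errors(env_id, tenant_id, objects):
    """Return the (eid, oid, msg) rows the rule body derives for one environment."""
    rows = []
    tname = TENANTS.get(tenant_id)  # tenantName(tid, tname)
    if tname is None:
        return rows  # join on tenantName has no match, so nothing is derived
    for obj in objects:  # murano:objects(oid, eid, type)
        if APP not in obj["parent_types"]:  # murano:parent_types(oid, APP)
            continue
        if (obj["type"], tname) in ALLOWED_APP:  # not allowedApp(type, tname)
            continue
        if "name" not in obj:  # objName(oid, oname) has no match
            continue
        # the three concat() calls build "<prefix><type>, <name>"
        msg = "Unsupported application detected: " + obj["type"] + ", " + obj["name"]
        rows.append((env_id, obj["id"], msg))
    return rows


def sample_model(db_type):
    """Constructed environment: HelloWorld, Tomcat, one database, one VM."""
    return [
        {"id": "o1", "type": "io.murano.apps.java.HelloWorld",
         "parent_types": [APP], "name": "hello"},
        {"id": "o2", "type": "io.murano.apps.apache.Tomcat",
         "parent_types": [APP], "name": "tomcat"},
        {"id": "o3", "type": db_type,
         "parent_types": [APP, "io.murano.databases.SqlDatabase"], "name": "db"},
        {"id": "o4", "type": "io.murano.resources.LinuxMuranoInstance",
         "parent_types": ["io.murano.resources.Instance"], "name": "vm"},
    ]


if __name__ == "__main__":
    print(predeploy_errors("e1", "t-demo", sample_model("io.murano.databases.PostgreSql")))
```

Because every literal in the rule body must match, an object without a name property, or a tenant id missing from keystone:tenants, derives no row at all. When testing the policy, confirm that both joins resolve for the environments you expect to be rejected.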
Demo Steps
- The cloud admin(s) set 2 policy rules:
  - Tenant A can only use MySQL as a DB vendor
  - Tenant B can only use PostgreSQL as a DB vendor
Done by creating policy rules in setup guide.
- The admin wishes to model a Tomcat application that depends on a DB
  - Tenant A admin models it with a MySQL DB
  - Tenant B admin models it with a PostgreSQL DB
Done by uploading application packages
- Application developer wants to add a workflow to the application deployment that will verify that Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not.
TBD
- The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)
TBD
- End user of tenant A wishes to deploy the Tomcat application that relies on PostgreSQL
  - Deployment fails since the policy rules restrict this DB for tenant A
TBD
- End user of tenant A asks Murano to deploy Tomcat with MySQL DB
  - Application is deployed
  - At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
  - The workflow is triggered by the application class
  - A mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive
TBD