Congress

Revision as of 23:14, 1 November 2013 by Thinrichs (talk | contribs) (Roadmap)

Policy as a service ("Congress")

Mission

Congress is an OpenStack project to provide Policy as a service across any collection of cloud services in order to offer governance and compliance for dynamic infrastructures.

Why Congress

IT services will always be governed and brought into compliance with business-level policies.

In the past, policy was enforced manually, perhaps by someone sending an email asking for an application to be added to the network, secured by different firewall entries, connected to an agreed-on storage, and so on. In the cloud era, IT has become more agile: users expect immediate delivery of services, a level of responsiveness that is unattainable by the team responsible for governance; hence, manual enforcement is no longer feasible.

Both enterprises and vendors have fielded engines for enforcing policy (semi)-automatically, creating a fragmented market where enterprises reinvent the wheel while maintaining their own code, and vendors fail to meet enterprise needs, either for technical reasons or because their solutions require vertical integration and lock-in.

The Congress policy service lets IT extend its OpenStack footprint by onboarding new applications while keeping the strong compliance and governance dictated by its own business policies. It does so through a community-driven implementation into which vendors can plug via a common interface.

What is Congress

Congress aims to provide an extensible open-source framework for governance and regulatory compliance across any cloud services (e.g. application, network, compute and storage) within a dynamic infrastructure.

Congress aims to include the following functionality:

  • Allow cloud administrators and tenants to use a high-level declarative language to describe business logic such as:
    • Application A is only allowed to communicate with application B.
    • A virtual machine owned by tenant A should always have a public network connection if tenant A is part of group B.
    • Virtual machine A should never be provisioned in a different geographic region than storage B.
  • Offer a pluggable architecture that connects to any collection of cloud services
  • Enforce policy proactively: preventing violations before they occur
  • Enforce policy reactively: identifying violations after they occur and taking corrective action
  • Provide administrators insight into policy and its violations: identifying violations, explaining their causes, computing potential remediations, simulating a sequence of changes and explaining why the result is in or out of compliance.
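The three sample policies above, evaluated over a constructed snapshot of cloud state, as an added illustration that is not Congress code. Because this page does not describe Congress's policy language or data model, the table names, tuple layouts and policy functions below are assumptions; the block shows both the reactive mode (list current violations) and the proactive mode (report what a proposed change would newly violate).

```python
# Constructed snapshot of cloud state: one set of tuples per table (assumed layout).
STATE = {
    "vm": {("vm1", "tenantA", "us-east"), ("vm2", "tenantA", "eu-west"),
           ("vm3", "tenantC", "us-east")},                   # (vm, owner, region)
    "storage": {("storeB", "us-east")},                      # (volume, region)
    "uses_storage": {("vm1", "storeB"), ("vm2", "storeB")},  # (vm, volume)
    "public_net": {("vm1",)},                                # vms with a public connection
    "group_member": {("tenantA", "groupB")},                 # (tenant, group)
    "app": {("appA", "vm1"), ("appB", "vm3"), ("appC", "vm2")},  # (application, host vm)
    "flow": {("vm1", "vm3"), ("vm1", "vm2")},                # observed (src vm, dst vm)
}

def app_a_only_talks_to_app_b(state):
    """Application A is only allowed to communicate with application B."""
    app_of = {vm: app for app, vm in state["app"]}
    for src, dst in state["flow"]:
        if app_of.get(src) == "appA" and app_of.get(dst) != "appB":
            yield ("disallowed_flow", src, dst)

def group_b_vms_have_public_net(state):
    """A VM owned by a tenant in group B must always have a public network connection."""
    public = {vm for (vm,) in state["public_net"]}
    for vm, tenant, _region in state["vm"]:
        if (tenant, "groupB") in state["group_member"] and vm not in public:
            yield ("missing_public_net", vm)

def vm_region_matches_storage(state):
    """A VM must never sit in a different region than the storage it uses."""
    region_of = {vol: region for vol, region in state["storage"]}
    vm_region = {vm: region for vm, _tenant, region in state["vm"]}
    for vm, vol in state["uses_storage"]:
        if vm_region.get(vm) != region_of.get(vol):
            yield ("region_mismatch", vm, vol)

POLICIES = [app_a_only_talks_to_app_b, group_b_vms_have_public_net,
            vm_region_matches_storage]

def find_violations(state):
    """Reactive enforcement: list every current violation of every policy."""
    return sorted(v for policy in POLICIES for v in policy(state))

def simulate(state, table, add=(), remove=()):
    """Proactive check: apply a proposed change to a copy of the state and
    return only the violations that the change would newly introduce."""
    new_state = {t: set(rows) for t, rows in state.items()}
    new_state[table] = (new_state[table] - set(remove)) | set(add)
    return sorted(set(find_violations(new_state)) - set(find_violations(state)))
```

Calling `simulate(STATE, "vm", add={("vm1", "tenantA", "eu-west")}, remove={("vm1", "tenantA", "us-east")})` answers the proactive question "would moving vm1 to eu-west break policy?" without touching the live state.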

Development

Roadmap

  • Formalize and implement full introspection and query APIs
  • Integrate with OpenStack services
    • Reactive enforcement: listen to RabbitMQ bus so that we can respond to violations that have already occurred.
    • Proactive enforcement: enable Keystone-like interception of API calls to stop violations before they occur.
  • Investigate and improve performance and scalability
  • Develop dashboard for cloud administrators

Relationship to Other Projects

  • Keystone: Keystone is an identity service providing authentication and high-level authorization for OpenStack. Congress can leverage Keystone as an input for policies. For example, an auditor might want to ensure that the running system is consistent with current Keystone authorization decisions.
  • Heat: Heat is an orchestration service for application provisioning and lifecycle management. Congress can ensure that applications managed by Heat are consistent with business policy.