Latest revision as of 12:41, 25 February 2015

Obsoleted - Policy Guided Fulfillment - Demo Predeploy Enforcement

Introduction

This topic is obsoleted, and shall be removed.

This demo presents how to control Murano environment deployment by Congress policies.

Use case is following:

OpenStack administrator wants to set constraints Murano environments (e.g., use only supported application; use only VM flavors with given RAM size, ...) .
O~S administrator creates Congress policy rules which defines not allowed Murano environments
When an O~S user deploys Murano environment, then it is validated by Congress policy enforcement - based on the enforcement result, environment deployment is allowed or denied

Demo

First we have to have O~S running with all necessary services (with content) as defined in Setup section.

Demo scenario

Administrator creates rules which allows only
- Telnet application
- VM flavors of RAM size max 4096MB
User creates environment with Telnet application with instance of flavor m1.small .
- Enforcement passes - deployment is started

User create environment with Git application with instance of flavor m1.large .
- Enforcement rejects - environment deployment is not started. Log contains reasons
Administrator is contacted by the user to allow Git
- Administrator add rule supporting Git .
User redeploys environment with "Git"
- Deployment fails - the reason is disallowed flavor
User edits environment (or creates new one) and deploys it
- Enforcement passes - deployment is started

Policy Rules Definition

This steps creates rules in Congress policy murano_system . Murano is using predeploy_errors(envId, objId, msg) table (rule) for enforcement. Murano environment is mapped to Congress policy murano on its deploy (technically we are using Congress simulation API, so it is mapped transiently into murano policy. ). See References section for documentation of environment mapping.

As administrator we want to place following enforcements

use only supported Murano application
use only VM flavors with given RAM size

To create rules use following O~S CLI commands (use cd devstack; . ./openrc admin admin prior using it):

openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:parent_types(oid,"io.murano.Application"), not allowedApp(type),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)' openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql")' openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.WordPress")' openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixAgent")' openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixServer")' openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.ApacheHttpServer")'

openstack congress policy rule create murano_system 'predeploy_errors(eid, oid, msg) :- murano:objects(oid, eid, type), checkIfError(oid), objName(oid, oname), concat( "Instance flavor has RAM size over 4096MB: ", oname, tmsg1), concat( tmsg1, ", of application ", tmsg2), murano:relationships(aid, oid, "instance"), murano:parent_types(aid, "io.murano.Application"),objName(aid, aname), concat(tmsg2, aname, msg)'

openstack congress policy rule create murano_system 'checkIfError(oid) :- murano:parent_types(oid, "io.murano.resources.Instance"), murano:properties(oid, "flavor", fname),nova:flavors(i,fname,v,r,d,e,rx),gt(r,4096)'

openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'

Murano Environment Deployment

Setup

References

Murano policy enforcement developer and user guides. Currently in review stage https://review.openstack.org/#/c/149225/

@@ Line 1: / Line 1: @@
-= Policy Guided Fulfillment - Demo Predeploy Enforcement  =
+= Obsoleted - Policy Guided Fulfillment - Demo Predeploy Enforcement  =
 == Introduction ==
+This topic is obsoleted, and shall be removed.
 This demo presents how to control [https://wiki.openstack.org/wiki/Murano Murano] environment deployment by [https://wiki.openstack.org/wiki/Congress Congress] policies.
@@ Line 11: / Line 12: @@
 == Demo ==
-First we have to have O~S running with all necessary services as defined in '''Setup''' section.
+First we have to have O~S running with all necessary services (with content) as defined in '''Setup''' section.
+'''Demo scenario'''
+* Administrator creates rules which allows only
+** Telnet application
+** VM flavors of RAM size max 4096MB
+* User creates environment with ''Telnet'' application with instance of flavor ''m1.small'' .
+** Enforcement passes - deployment is started
+* User create environment with ''Git'' application with instance of flavor ''m1.large'' .
+** Enforcement rejects - environment deployment is not started. Log contains reasons
+* Administrator is contacted by the user to allow ''Git''
+** Administrator add rule supporting ''Git'' .
+* User redeploys environment with "Git"
+** Deployment fails - the reason is disallowed flavor
+* User edits environment (or creates new one) and deploys it
+** Enforcement passes - deployment is started
-The demo is composed of two steps - create policy rules, and Murano environment deployment.
 === Policy Rules Definition ===
@@ Line 19: / Line 35: @@
 This steps creates rules in Congress policy '''murano_system''' . Murano is using '''predeploy_errors(envId, objId, msg)''' table (rule) for enforcement. Murano environment is mapped to Congress policy '''murano''' on its deploy (technically we are using Congress simulation API, so it is mapped ''transiently'' into '''murano''' policy. ). See References section for documentation of environment mapping.
-So we have to create
+As administrator we want to place following enforcements
+* use only supported Murano application
+* use only VM flavors with given RAM size
+To create rules use following O~S CLI commands (use ''cd devstack; . ./openrc admin admin'' prior using it):
+<nowiki>
+openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:parent_types(oid,"io.murano.Application"), not allowedApp(type),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)'
+openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql")'
+openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.WordPress")'
+openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixAgent")'
+openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.ZabbixServer")'
+openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.ApacheHttpServer")'
+</nowiki>
+openstack congress policy rule create murano_system 'predeploy_errors(eid, oid, msg) :- murano:objects(oid, eid, type), checkIfError(oid), objName(oid, oname), concat( "Instance flavor has RAM size over 4096MB: ", oname, tmsg1), concat( tmsg1, ", of application ", tmsg2), murano:relationships(aid, oid, "instance"), murano:parent_types(aid, "io.murano.Application"),objName(aid, aname), concat(tmsg2, aname, msg)'
+openstack congress policy rule create murano_system 'checkIfError(oid) :- murano:parent_types(oid, "io.murano.resources.Instance"), murano:properties(oid, "flavor", fname),nova:flavors(i,fname,v,r,d,e,rx),gt(r,4096)'
+openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'

Difference between revisions of "Obsolete:PolicyGuidedFulfillmentMeetingsDemoPredeployEnforcement"