Difference between revisions of "PolicyGuidedFulfillmentDemo"

Revision as of 08:06, 3 April 2015

Policy Guided Fulfillment Demo

This topic provides information on demo of Policy Guided Fulfillment .

Demo Scenario

• The cloud admin(s) sets 2 policy rules:
  • Tenant Demo can only use MySQL as a DB vendor
  • Tenant QA can only use PostgreSQL as a DB vendor
• The admin wishes to model a Tomcat application that depends on a DB
  • Tenant Demo admin models it with a MySQL DB
  • Tenant QA admin models it with a PostgreSQL DB
• Application developer want to add a workflow to the application deployment that
  • populates DB with data
  • or verifies the Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not.
• The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)
• End user of tenant Demo wishes to deploy the Tomcat application that relies on PostgreSQL
  • Deployment fails since the policy rules restrict this DB for tenant Demo
• End user of tenant Demo asks Murano to deploy tomcat with MySQL DB
  • Application is deployed
    • At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
    • The workflow is triggered by the application class
      • data are populated into DB
      • or mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive, if yes then init data will be inserted by the flow.
• When application is deployed, admin user creates error rules to check if deployed application's infrastructure is correct
  • rule will check if VMs created by Murano instance exists
• Admin user removes VM instance of deployed application using Horizon UI
• Admin user then will execute the policy rule to see the invalid application

Demo Setup Guide

Prerequisities

• OpenStack
  • enabled services Murano, Mistral, and Congress
  • enabled policy enforcement in Murano documentation http://murano.readthedocs.org/en/latest/articles/policy_enf.html#introduction
  • create qa tenant
    • assign demo user to roles Member, anotherrole in the tenant (same roles as demo user has in demo tenant)
    • assign admin user to role admin in the tenant (same roles as admin user has in demo tenant)
• VM images
  • Ubuntu based image
  • Centos (RedHat) based image
  • Images have to have installed Murano Agent
  • if you are behind proxy, then images have to have configured proxy
• Networking
  • Access to internet is required
    • if you have proxy access to internet, you have to configured it in our lab, and in VM images
  • It is preferred to have configured float IPs in order to access deployed application from other nodes that DevStack server

Application

Application is based on packages used in murano-apps, murano-app-incubator, and [1] .

Application packages are available here: https://github.com/filip-blaha/policy-guided-fulfillment-demo :

• io.murano.apps.java.PetClinic
  • main application package.
  • it install pet clinic web application to Tomcat, configures database, and deploys Mistral workflow in order to populate DB with data
  • has dependency on SqlDatabase, so one of MySql, PostgreSql can be choosen
  • has dependency on Tomcat
• io.murano.apps.apache.Tomcat
  • Installs Tomcat
• io.murano.databases.SqlDatabase
  • Base package for databases. It defines base actions for database configuration.
• io.murano.databases.MySql
  • MySql database package
• io.murano.databases.PostgreSql
  • Postgres database package

Create packages and upload them into OpenStack:

git clone  https://github.com/filip-blaha/policy-guided-fulfillment-demo
cd policy-guided-fulfillment-demo
. ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually
./package-manager.sh io.murano.apps.apache.Tomcat
./package-manager.sh io.murano.apps.java.PetClinic
./package-manager.sh io.murano.databases.MySql
./package-manager.sh io.murano.databases.PostgreSql
./package-manager.sh io.murano.databases.SqlDatabase

Policy Rules

Following policy rules defines predeploy enforcement of the demo.

Execute following commands to create the policies and policy rules:

. ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually

# create policy murano_system
openstack congress policy create murano_system

# allowed app main rules
openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:properties(eid,"tenant_id",tid), murano:parent_types(oid,"io.murano.Application"), tenantName(tid,tname), not allowedApp(type, tname),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)'

openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'

openstack congress policy rule create murano_system 'tenantName(tid, tname) :- keystone:tenants(en,desc,tname,tid)'

#demo tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "demo")'

#qa tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.PostgreSql", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "qa")'

Demo Steps

* The cloud admin(s) sets 2 policy rules: 
** Tenant A can only use MySQL as a DB vendor
** Tenant B can only use PostgreSQL as a DB vendor 

Done by creating policy rules in setup guide.

* The admin wishes to model a Tomcat application that depends on a DB
** Tenant A admin models it with a MySQL DB
** Tenant B admin models it with a PostgreSQL DB 

Done by uploading application packages

* The admin deploys the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral). Application developer wants to add a workflow to the application deployment that will verify the Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not. Then it will insert some initial data to the application (4 new owners) by calling REST API.

The uploading of a flow is done as part of the application PetClinic.yaml. After the upload, the flow is called - it checks the status of Tomcat, sends email and inserts data. The email address that is used is: policyguideddemo@gmail.com

* End user of tenant A wishes to deploy the Tomcat application that relies on PostgreSQL 
** Deployment fails since the policy rules restrict this DB for tenant A 

Environment is created as follow:

• Add Application Pet Clinic into environment
• Add New Database
  • Choose PostgreSql database
  • On Instance panel use Ubuntu VM image
  • End-of-Database
• Add New Container
  • On Instance panel use Centos VM image
  • End-of-Container
• On database panel enter password
• End-of-Application

* End user of tenant A asks Murano to deploy tomcat with MySQL DB 
** Application is deployed
** At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
** The workflow is triggered by the application class
** A mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive, if yes init data is inserted to the Pet Clinic application by REST API.