Difference between revisions of "PolicyGuidedFulfillmentDemo"

Revision as of 14:25, 25 February 2015

Policy Guided Fulfillment Demo

This topic provides information on demo of Policy Guided Fulfillment .

Demo Scenario

The cloud admin(s) sets 2 policy rules:
- Tenant A can only use MySQL as a DB vendor
- Tenant B can only use PostgreSQL as a DB vendor
The admin wishes to model a Tomcat application that depends on a DB
- Tenant A admin models it with a MySQL DB
- Tenant B admin models it with a PostgreSQL DB
Application developer want to add a workflow to the application deployment that will verify the Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not.
The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)
End user of tenant A wishes to deploy the Tomcat application that relies on PostgreSQL
- Deployment fails since the policy rules restrict this DB for tenant A
End user of tenant A asks Murano to deploy tomcat with MySQL DB
- Application is deployed
- At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
- The workflow is triggered by the application class
- A mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive

Demo Setup Guide

Prerequisities

OpenStack
- enabled services Murano, Mistral, and Congress
- enabled policy enforcement in Murano documentation http://murano.readthedocs.org/en/latest/articles/policy_enf.html#introduction
- create qa tenant
  - assign demo user to roles Member, anotherrole in the tenant (same roles as demo user has in demo tenant)
  - assign admin user to role admin in the tenant (same roles as admin user has in demo tenant)
VM images
- Ubuntu based image
- Centos (RedHat) based image
- Images have to have installed Murano Agent
- if you are behind proxy, then images have to have configured proxy
Networking
- Access to internet is required
  - if you have proxy access to internet, you have to configured it in our lab, and VM images

Application

Application is based on packages used in murano-apps, murano-app-incubator, and hello-world-servlet .

Application packages are available here: https://github.com/filip-blaha/policy-guided-fulfillment-demo :

io.murano.apps.java.HelloWorld
- main application package.
- it install web application from https://github.com/filip-blaha/hello-world-servlet to Tomcat and configures database.
- has dependency on SqlDatabase, so one of MySql, PostgreSql can be choosen
- has dependency on Tomcat
io.murano.apps.apache.Tomcat
- Installs Tomcat
io.murano.databases.SqlDatabase
- Base package for databases. It defines base actions for database configuration.
io.murano.databases.MySql
- MySql database package
io.murano.databases.PostgreSql
- Postgres database package

Create packages and upload them into OpenStack:

git clone  https://github.com/filip-blaha/policy-guided-fulfillment-demo
cd policy-guided-fulfillment-demo
. ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually
./package-manager.sh io.murano.apps.apache.Tomcat
./package-manager.sh io.murano.apps.java.HelloWorld
./package-manager.sh io.murano.databases.MySql
./package-manager.sh io.murano.databases.PostgreSql
./package-manager.sh io.murano.databases.SqlDatabase

Policy Rules

Following policy rules defines predeploy enforcement of the demo.

Execute following commands to create the policies:

. ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually

# allowed app main rules
openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:properties(eid,"tenant_id",tid), murano:parent_types(oid,"io.murano.Application"), tenantName(tid,tname), not allowedApp(type, tname),concat("Unsupported application detected: ", type, tmsg1),concat(tmsg1, ", ", tmsg2),objName(oid, oname), concat(tmsg2, oname, msg)'

openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'

openstack congress policy rule create murano_system 'tenantName(tid, tname) :- keystone:tenants(en,desc,tname,tid)'

#demo tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.HelloWorld", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "demo")'

#qa tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.PostgreSql", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.HelloWorld", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "qa")'

Demo Steps

* The cloud admin(s) sets 2 policy rules: 
** Tenant A can only use MySQL as a DB vendor
** Tenant B can only use PostgreSQL as a DB vendor

Done by creating policy rules in setup guide.

* The admin wishes to model a Tomcat application that depends on a DB
** Tenant A admin models it with a MySQL DB
** Tenant B admin models it with a PostgreSQL DB

Done by uploading application packages

* Application developer want to add a workflow to the application deployment that will verify the Tomcat is up and running (by sending a GET request) and will send an email notifying whether the deployment has completed successfully or not.

TBD

* The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)

TBD

* End user of tenant A wishes to deploy the Tomcat application that relies on PostgreSQL 
** Deployment fails since the policy rules restrict this DB for tenant A

TBD

* End user of tenant A asks Murano to deploy tomcat with MySQL DB 
** Application is deployed
** At the end of deployment phase, the workflow is deployed to Mistral (programmatically, by this specific application deployment logic)
** The workflow is triggered by the application class
** A mail will be sent to the end user indicating whether Tomcat has been deployed and whether it is responsive

TBD

Revision as of 14:25, 25 February 2015 (view source) Radek Pospisil (talk \| contribs) ← Older edit		Revision as of 14:25, 25 February 2015 (view source) Radek Pospisil (talk \| contribs) Newer edit →
Line 118:		Line 118:


−	* The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)	+	* The admins deploy the application models to Murano. The package will also include the Mistral workflow (so we will not depend on it being pre-deployed to Mistral)
	TBD		TBD