© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The OpenStack TM attribution statement should be used: The OpenStack wordmark and the Square O Design, together or in part, are trademarks or registered trademarks of OpenStack Foundation in the United States and other countries, and are used with the OpenStack Foundation’s permission.
Vancouver OpenStack® Summit
Policy Guided Fulfillment of Murano Applications
Radek Pospíšil / May 21, [email protected]
Motivation: Integration of Business Policies and Application Model
What is Policy Guided Fulfillment?
• Business (management) policies and the application model are typically independent of each other
– The application designer models the application without knowledge of existing and/or future policies
– The system administrator defines business policies
• i.e., restrictions and/or the intended state of your system
• typically without knowing which application will be deployed
• An application can be affected by policies at deployment time and at runtime
– A policy can modify the application model before it is deployed (e.g., enable monitoring, …)
– Deployment of an application is cancelled if it violates policies
– A policy violation at runtime triggers an action (e.g., notification, remediation, …)
Examples of Business Policies
• Security policy rules
– Two nodes of the cluster cannot reside in the same security zone
– Networks used by the application must be trusted
– Storage must reside in a trusted zone
• Requirements policy rules
– All application layers must be monitored (SLA)
– The application must be composed of certified components
• Finance policy rules
– Placement is selected according to cost at deployment time
– Only given flavor sizes are allowed
Use Cases Delivered in Kilo
• Predeployment Policy Enforcement
– An application must comply with policies in order to be deployed
• Runtime Policy Enforcement
– It is possible to check whether a running application is breaching policies
• Workflow Embracement
– A workflow can be executed as part of application deployment
How it works
[Diagram: actors Application Designer, System Administrator (3. Creates Policies) and Application Enduser; artifacts Application and Policies; components Murano, Congress, Mistral and VM Instances running on OpenStack; flows Predeployment Policy Enforcement, Workflow Embracement and Runtime Policy Enforcement]
Policy Part: Murano – Congress Integration
Technical Deep Dive
• Mapping of the Murano Environment object model to Congress policy tables
– A Murano environment is decomposed into the following entities
– Objects – holds the individual environment objects
• (e.g., common object types are environment, application, VM instance, …)
– Properties – holds the properties of objects
– ParentTypes – holds the full type information of objects
– States – holds the state of the environment
– Relationships – holds the relationships between objects, with their type
– Connected – holds all connected objects in the environment (both direct and indirect)
• Murano environments are pulled to Congress using datasource driver
– For runtime enforcement
• Congress policy rules can trigger/execute actions
– Currently supports nova client action
– For runtime enforcement
Policy Part: Policy Validation
Technical Deep Dive
• Deployment scenario
– predeployment_errors is a table in Congress that is queried for deployment enforcement
• Administrator has to create rules reporting violation to this table
– Congress policy simulation API is used to validate if environment violates it or not
• Simulation input is decomposed environment
– Simulation puts temporarily data into Congress DB
• Runtime scenario
– No specific rule is named for runtime, as it is up to Congress administrator to specify handling of rule violation in Congress
• passive (e.g., notification): data from such rules are read by administrator
• active (e.g., action execution): rule triggers an action execution in Congress
– Murano Congress Datasource driver pulls data from Murano environment, so Congress has available up-to-date environment data
Workflow Part
Technical Deep Dive
• Murano provides Mistral client
• Application Packages (MuranoPL) can use the Mistral Client to
– Deploy workflow to Mistral
– Execute the workflow
• Example
- $ep: $.tomcat.instance.floatingIpAddress + ':8080/petclinic'
- $this.find(std:Environment).reporter.report($this, 'Running at http://' + $ep)
- $mistral_workflow: $resources.string('TestTomcat.yaml')
- $.mistralClient.upload(definition => $mistral_workflow)
- $.mistralClient.run(name => 'test_tomcat', inputs => dict(url => 'http://' + $ep))
Static Examples
Demo
• Full demo details available at https://wiki.openstack.org/wiki/PolicyGuidedFulfillmentDemo
• Goal
– Allow deployment only of Murano environments with PetClinic using
• MySql in project demo
• PostgreSql in project qa
Business Policy Creation
Demo
# Predeploy policy rules
openstack congress policy rule create murano_system 'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:objects(eid,tid,"io.murano.Environment"), murano:parent_types(oid,"io.murano.Application"), tenantName(tid,tname), not allowedApp(type,tname), concat("Unsupported application detected: ", type, tmsg1), concat(tmsg1, ", ", tmsg2), objName(oid, oname), concat(tmsg2, oname, msg)'
# allowed app main rules
openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'
openstack congress policy rule create murano_system 'tenantName(tid, tname) :- keystone:tenants(en,desc,tname,tid)'
#demo tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "demo")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "demo")'
#qa tenant
openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.PostgreSql", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "qa")'
openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "qa")'
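The predeploy_errors rule above, evaluated by hand as an added example that is not part of the slides or of Murano/Congress code: a small Python evaluation of the same Datalog body over constructed rows shaped like the tables the Murano datasource driver and Keystone driver expose to Congress (murano:objects, murano:parent_types, murano:properties, keystone:tenants). Object and tenant ids are made-up sample values.

```python
# Added example: in-memory evaluation of the demo's predeploy_errors rule.
# All rows below are constructed sample data, not a real deployment.

# murano:objects(object_id, owner_id, type)
MURANO_OBJECTS = [
    ("env-1", "tenant-demo", "io.murano.Environment"),
    ("app-1", "env-1", "io.murano.apps.java.PetClinic"),
    ("app-2", "env-1", "io.murano.databases.PostgreSql"),
]
# murano:parent_types(object_id, type_in_hierarchy)
MURANO_PARENT_TYPES = [
    ("app-1", "io.murano.apps.java.PetClinic"), ("app-1", "io.murano.Application"),
    ("app-2", "io.murano.databases.PostgreSql"), ("app-2", "io.murano.Application"),
]
# murano:properties(object_id, property_name, value)
MURANO_PROPERTIES = [("app-1", "name", "petclinic"), ("app-2", "name", "pgdb")]
# keystone:tenants(enabled, description, name, id)
KEYSTONE_TENANTS = [(True, "demo project", "demo", "tenant-demo"),
                    (True, "qa project", "qa", "tenant-qa")]
# allowedApp(type, tenant_name) facts exactly as created by the demo rules
ALLOWED_APP = {
    ("io.murano.databases.MySql", "demo"), ("io.murano.apps.java.PetClinic", "demo"),
    ("io.murano.apps.apache.Tomcat", "demo"), ("io.murano.databases.PostgreSql", "qa"),
    ("io.murano.apps.java.PetClinic", "qa"), ("io.murano.apps.apache.Tomcat", "qa"),
}


def predeploy_errors(objects, parent_types, properties, tenants, allowed):
    """Return (eid, oid, msg) rows, following the rule body clause by clause."""
    tenant_name = {tid: tname for _en, _desc, tname, tid in tenants}   # tenantName(tid, tname)
    obj_name = {oid: val for oid, key, val in properties if key == "name"}  # objName(oid, oname)
    parents = set(parent_types)
    # murano:objects(eid, tid, "io.murano.Environment"): environment id -> owning tenant id
    env_tenant = {oid: owner for oid, owner, typ in objects if typ == "io.murano.Environment"}
    errors = []
    for oid, eid, typ in objects:                       # murano:objects(oid, eid, type)
        if eid not in env_tenant or (oid, "io.murano.Application") not in parents:
            continue
        tname = tenant_name.get(env_tenant[eid])        # join fails if tenant unknown
        if tname is None or oid not in obj_name:
            continue
        if (typ, tname) in allowed:                     # 'not allowedApp(type, tname)'
            continue
        # concat(...) chain: "Unsupported application detected: " + type + ", " + oname
        errors.append((eid, oid, "Unsupported application detected: " + typ + ", " + obj_name[oid]))
    return errors
```

Any non-empty result means Murano's simulation query sees a row in predeploy_errors and the deployment is cancelled; moving the same environment under the qa tenant yields no rows, because PostgreSql and PetClinic are both allowed there.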
Invalid Environment Creation
Demo
Deployment Failure
Demo
Next Steps
• Runtime Remediation
– A policy identifies a problem/defect/breach/overload/… of the application, and then
• (Simple) the user/administrator is notified to deal with it
• (Advanced) a remediation Mistral workflow is started to deal with it
• More Workflow integration in Murano
– Murano Application implemented by workflows
• Congress Improvements
– Datasources
– UI
Resources
• https://wiki.openstack.org/wiki/PolicyGuidedFulfillment
• https://wiki.openstack.org/wiki/PolicyGuidedFulfillmentDemo
• http://murano.readthedocs.org/en/latest/articles/policy_enf_index.html
• https://wiki.openstack.org/wiki/Murano
• https://wiki.openstack.org/wiki/Congress
• https://wiki.openstack.org/wiki/Mistral
• Contact us via Murano, Congress, Mistral IRC
Thank you