Retire the Congress Specs project

Recently the TC has worked on determining the criteria for when an
OpenStack project should be retired.  When there was not a PTL nominee
for the Congress project, that triggered the TC to review the project
health per [1], and the TC has determined [2] that development work on
the project has ceased.  This decision was announced in the
openstack-discuss mailing list in April 2020 [3].

This commit retires the repository per the process for governance
removal in the Victoria cycle as specified in the Mandatory Repository
Retirement resolution [4] and detailed in the infra manual [5].

Should interest in developing Congress as part of OpenStack revive,
please revert this commit to have the project rejoin the list of active

The community wishes to express our thanks and appreciation to all of
those who have contributed to the Congress project over the years.



Change-Id: Ide2a1f572f046e2d9f1bf9468556dbb39c736c0f
This commit is contained in:
Nate Johnston 2020-04-21 17:37:25 -04:00
parent 9bf73cc80c
commit d103a89b65
72 changed files with 11 additions and 13527 deletions

View File

@ -1,54 +1,14 @@
Team and repository tags
Welcome to Congress Specs
.. image::
This project is no longer maintained.
.. Change things from this point on
The contents of this repository are still available in the Git
source code management system. To see the contents of this
repository before it reached its end of life, please check out the
previous commit with "git checkout HEAD^1".
OpenStack Congress Specifications
This git repository is used to hold approved design specifications for additions
to the Congress project. Reviews of the specs are done in gerrit, using a similar
workflow to how we review and merge changes to the code itself.
The layout of this repository is::
You can find an example spec in `doc/source/specs/template.rst`.
Specifications are proposed for a given release by adding them to the
`specs/<release>` directory and posting it for review. The implementation
status of a blueprint for a given release can be found by looking at the
blueprint in launchpad. Not all approved blueprints will get fully implemented.
Specifications have to be re-proposed for every release. The review may be
quick, but even if something was previously approved, it should be re-reviewed
to make sure it still makes sense as written.
Prior to the Juno development cycle, this repository was not used for spec
reviews. Reviews prior to Juno were completed entirely through Launchpad
Please note, Launchpad blueprints are still used for tracking the
current status of blueprints. For more information, see::
For more information about working with gerrit, see::
To validate that the specification is syntactically correct (i.e. get more
confidence in the Jenkins result), please execute the following command::
$ tox
After running ``tox``, the documentation will be available for viewing in HTML
format in the ``doc/build/`` directory.
For any further questions, please email or join #openstack-dev on

Publish policy results to DSE message bus
Implement subscriptions for the policy engine. That is, every time an entity
on the DSE subscribes to a policy engine table, the policy engine should
publish the results of that table on the message bus. The implementation
should utilize the trigger mechanism, which is the subject of another spec.
Problem description
Currently, datasource drivers obey the publish/subscribe paradigm for tables.
The policy engine subscribes to the tables it needs from the datasources,
and the datasources publish information as appropriate.
But there are several use cases when other entities on the DSE message bus
(not necessarily "datasources" per se) would like to subscribe to tables
defined within policy.
- Building proof of concepts where an external service is informed of
policy violations and reacts accordingly, implemented for the sake of
convenience as another entity on the DSE message bus.
- Interoperable policy engines that publish their monitoring results
on the bus for other policy engines to consume.
Proposed change
Every time the policy engine gets a subscription request for a specific
table, e.g. 'alice_policy:error', the policy engine registers a trigger
for that trigger. When the trigger fires, it publishes the contents of
that table on the message bus.
Every time the policy engine gets an unsubscribe request for a specific
table, the policy engine removes the trigger for that table.
The subscribe/unsubscribe functionality should be implemented within
Because it is likely that the tables could be large, it makes sense to
publish deltas for those tables on the bus, just as the datasources do.
The functionality that does this for datasource drivers can be found
To implement the delta publishing, we should look into creating a subclass
of dse/ that includes the prepush_processor functionality and
have both DatasourceDriver and DseRuntime inherit from it instead of DeepSix.
The policy engine could publish the entire table to the bus. The downside
is that large tables with frequent small changes would cause a large amount
of unneeded bus traffic. The upside would be that the subscriber might
be simpler to write if it receives the entire table. If that turns out to
be the case, we could always build convenience functions that compute
the entire table from the deltas.
Policy Actions
Data Sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Performance will be impacted, but little moreso than because of the triggers.
The triggers will need to compute the delta; that delta will then simply
be published on the message bus. Publishing is fast (especially compared
to computing the contents of tables and then their deltas).
Other deployer impact
Developer impact
Primary assignee:
Other contributors:
Work items
- Create subclass of DeepSix that includes delta publication functionality
and have DatasourceDriver and DseRuntime inherit from that subclass
instead of DeepSix
- Alter DseRuntime so that every subscribe message sets up the appropriate
- Alter DseRuntime so that every unsubscribe message removes the appropriate
* Requires triggers: policy-engine-triggers
Non-tempest tests that subscribe to policy engine tables, cause
changes to those tables, and verify that the appropriate deltas
are sent on the bus are adequate.
Documentation impact
None required--we're just making a policy engine implement the same interface
as datasource drivers.

Currently the congress datasource driver is still pretty complex. This
blueprint aims to simplify it.
Problem description
A detailed description of the problem:
* current there is a lot of logic in the convert_obj() method which is
used to load the data into the data source driver. The majority of this
logic is to validate that the table schema is valid. We should only need
to do this one though on load of the data source driver.
* currently if you list the tables of a data source driver they aren't always
populated in via __init__ self.state[table_name] = set(). I want to add a
method to the DatasourceDriver base class that load_translator() which
will allow one to pass in translators via the __init__ of a
datasource driver. This will validate the schema there.
Proposed change
Add load_translator() to datasource driver base class as descripted as able.
In addition to other refactoring that comes up as this work is being done.
Using the Congress datalog syntax, write out an example policy using
error(vm) :-
ids:ip_packet(src_ip, dst_ip),
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
Policy Actions
Describe the policy activities in terms of monitoring, reactive, proactive,
and other ways to explain how the policy will implement it's desired state.
Data Sources
Describe which projects and/or services the data is coming from
Data model impact
Changes which require modifications to the data model often have a wider impact
on the system. The community often has strong opinions on how the data model
should be evolved, from both a functional and performance perspective. It is
therefore important to capture and gain agreement as early as possible on any
proposed changes to the data model.
Questions which need to be addressed by this section include:
* What new data objects and/or database schema changes is this going to
* What database migrations will accompany this change.
* How will the initial set of new data objects be generated, for example if you
need to take into account existing instances, or modify other existing data
describe how that will work.
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Primary assignee:
Work items
Push code to do this.
Unit tests and tempest tests will be present to confirm this works as desired.
Documentation impact
Will update docs for how this now works.

Pull common functionality into driver superclass, including data transformation
Include the URL of your launchpad blueprint:
Currently, each datasource driver contains code to convert data from the API
call response to the Congress data tables. This change will make it easier
for a developer to add each incremental data source driver.
Problem description
Today, it takes more code than necessary to write a data source driver.
The code is also more difficult to write than necessary. Some of these API
responses (like in neutron list networks) contain nested data, for example in
the list of networks, each network can contain a sub-list of subnets. The
driver populates a separate table for subnets and the creates a key to link
between the network table and the subnet table.
Proposed change
To generalize the driver, this change will allow a driver class to specify how
to extract data from the API response, and into which table/field to put the
response data.
To handle the sublist conversion, the driver class will specify if a field is
a sublist, and then also specify a key, so that the main table can link to the
subtable. This sublist relationship will be recursive, so that a sublist can
also contain another sublist.
Policy Actions
Data Sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
This change will have an effect as soon as it is merged, but Congress should
behave exactly as it did without the change.
Developer impact
The new refactoring will change how programmers write datasource drivers. The
new way should be easier, require less code, and be less bug prone. To take
advantage of the new refactoring, we'll need to rewrite the existing drivers,
but this need not happen at the same time as writing the new datasource driver
Work items
1) Write new superclass.
2) Rewrite Nova driver.
3) Rewrite Neutron driver.
4) Rewrite Keystone driver.
Unit tests for superclass, and modify existing test cases for individual
Documentation impact
This change will include new documentation for how to use the new datasource
driver superclass.

Add Support for Python 3 to Congress
This specification describes how to gradually add Python 3 support to
Problem description
Currently Python 3 tests are failing. In an effort to support both Python 2
and Python 3 concurrently a number of changes to Congress are needed.
Proposed change
This specification will be used to track a number of successive, minor changes
to Congress with the goal of fully supporting Python 3. Each commit will
address one change to Congress to ensure compatibility with Python 3 while
continuing support for Python 2.
Policy actions
Data sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Once fully implemented commits must pass tox tests against py34 and should be
rejected if tests fail.
Primary assignee:
Other contributors:
Work items
- Determine what sections of code need to be modified to ensure Python 3
compatibility. This can be done by generating list of fixers which run
when '2to3' is used to transform code to Python 3.
- Run code through 2to3 for each fixer (see previous bullet), also ensuring
that changes to the code do not break compatibility with Python 2.
- Confirm that changes are gradually improving tox -e py34 test outcomes.
Implementation of this specification should result in tox tests against py34
succeeding. Current unit tests (and the code being tested) may have to be
modified during the course of the implementation of this specification.
Documentation impact

Swift Data Source Driver
This blueprint is to add a data source driver for swift.
Problem description
A datasource driver is required to expose list of containers and
list of objects in each container to the Congress policy framework
so that we can write policies involving object storage entities.
Swift is the OpenStack component that provides object storage service.
The swift-datasource-driver interacts with swift service to provide
object storage specific states to congress for policy monitoring.
Proposed change
Add data source driver that integrates congress with swift.
This will use the congress language. swift:containers(X) etc.
Policy actions
Just monitoring right now.
Data sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Srinivasa Rao Ragolu
Work items
- Implement swift driver with essential tables
- Implement test code to test the driver
- Implement tempest code for real-time tests
- Will need to add unit test code
- Will add tempest tests.
Documentation impact

vCenter Driver
This blueprint is to add a data source driver for vCenter, giving congress
access to new information from an external datasource.
Problem description
Proposed change
Add a data source driver that integrates congress with vCenter by connecting
to vCenter using oslo.vmware.
This will use the congress language. vCenter:hosts(X) etc.
Example - Creating a whitelist of all MAC addresses of hosts found in vCenter
WhiteList(vnic_macs,pnic_macs) :-
Policy Actions
Monitoring Hosts and Virtual Machines
Data Sources
Data model impact
REST API impact
Security impact
This driver will require vCenter credentials to be input into congresses
configuration, and will provide congress data by using those credentials. It
will be important for those implementing this driver to be aware of what data
is visible from congresses API.
Notifications impact
Other end user impact
Performance impact
Implementing this driver will add another data source for congress to parse
data from, and since this driver pulls data from a non-openstack source this
will generate additional traffic on the network.
Other deployer impact
To use this driver a deployer will need to configure this driver in
Developer impact
Primary assignee:
Conner Ferguson
Work items
Documentation impact
Documentation can already be found at
========== - Current code hosting

Add Action Listing to api
Just as the API allows us to query the available tables that a
datasource provides, it should be possible to query the available
actions that a datasource can execute.
Problem description
Currently, datasources have the ability to execute actions, but there is no api
call to ask what the available actions are.
Proposed change
Add an API call that returns the list of available actions.
This requires adding a method to the
class that returns the list of actions that the datasource will execute.
It would be nice if the ExecutionDriver also enforced that it only
executed the actions in that list.
One might consider trying to auto-generate the list of actions based
on the methods available in the python-client being used (for those
datasources using a python-client).
The alternative is to provide no API and ask people to consult the
documentation to find the list of available actions.
This is more
attractive than it sounds because it gives us the freedom to
execute any action that the python-client for the underlying
datasource exposes. If someone adds a new method for the python-client
then a policy writer immediately gets access to that method, without
requiring any changes in Congress.
The downside to this approach is that end-users need to understand
which python client they are using within each datasource driver and
then look up the docs for that python client. So in terms of usability,
it's pretty terrible.
Policy actions
Data sources
Data model impact
There should be no data-model impact, since the added information is
implemented as part of the datasource driver, not stored in the database.
REST API impact
GET /v1/data-sources/<datasource-id>/actions
Should error if the datasource does not implement the proper method.
Result should be an array of dicts, where each dict describes an action:
[{'name': <action-name>,
'args': <list-of-parameter-names>}]
The assignee is free to extend the fields of an action to include additional
meta-information, such as a description of what the action does, or a
description of what each of the parameters are.
Security impact
Notifications impact
Other end user impact
Need to add similar functionality to the python-congressclient.
Performance impact
Other deployer impact
Developer impact
Primary assignee:
Primary assignee:
Other contributors:
<launchpad-id or None>
Work items
0. Modify API design doc (linked from the wiki)
1. Add method to ExecutionDriver in congress/datasources/
2. Add call handler in congress/
3. Add route call in congress/api/
4. Add API implementation to congress/api/
5. Update python-congressclient
- Unit tests for API to congress/tests/
- Unit tests for ExecutionDriver
Documentation impact
Add API call

API Validation
Users (and programs) sometimes provide invalid inputs to APIs. The API should
be resilient to this, and deny bad requests.
Problem description
Any request that does not conform to the form expected by the API is deemed
invalid. Invalid requests should be rejected by the API, along with
information to aid in correcting the problem.
The following features are desirable in an API validation solution:
* Validation should enforce a declarative model that is visible external to
the validation implementation.
* The declarative model should follow standard formatting and conventions
that are understood in the API caller's context.
* For cross-platform APIs, the model should be consumable without knowledge
of a particular programming language.
* The model should provide sufficient information for generation of
resource documentation in associated API reference material.
* Validation should be performed by a common framework which facilitates
binding the declarative models with the API implementation.
* The API implementation may assume trusted inputs by relying on the
framework to offload validation.
* Validation may be selectively enabled on API outputs to facilitate
development and testing.
Proposed change
We will introduce JSON schemas to model the expected inputs and outputs of
each API call.
The API resource manager will be updated to support binding of schemas to
each handler.
When dispatching API calls, the framework will validate the call body using
the 'jsonschema' python validator.
If an optional flag is provided, the dispatcher will validate the API handler
response body before passing the response up the stack.
Other components, such as neutron, have created custom validation utilities.
These utilities are often not as rich as JSON schema, and do not address
many of the desirable features described above.
The nova project is currently retrofitting their API to utilize JSON Schema
Data model impact
REST API impact
The current API provides very minimal validation. This change will add
validation to all existing API calls.
Security impact
Adding validation to the API should increase security of the system by
protecting the API implementation from unexpected inputs.
Notifications impact
Other end user impact
Performance impact
Validation of inputs will have a negative performance impact on latency and
throughput of API calls. JSON schema does not necessarily impose larger
performance impacts than other validation solutions, despite its increased
power and flexibility.
Other deployer impact
Developer impact
After introduction of API validation, new API calls will need to introduce an
associated schema.
Primary assignee:
Other contributors:
Work items
* Create JSON schemas for each API resource (This is already done in the API
design, and simply needs to be translated to the source tree.)
* Add support to the API resource manager to bind schemas with resource
* Add jsonschema as a runtime dependency.
* Use jsonschema to validate requests before dispatching to API implementation.
* Expose flag to support output validation. Optionally use jsonschema to
validate body of API result before returning to the wsgi server.
The schema validator is assumed to be thoroughly tested. We will test that
validation is being performed by issuing requests that should and should not
validate against the schema.
Documentation impact
This change itself does not impact documentation. The addition of schemas
for each API call should be included in the documentation.
JSON Schema definition:
Python jsonschema validator:
Nova spec for updating validation to use JSON Schema:

Support version list API
The Congress API should be able to list current supported API versions.
Problem description
Users want to talk with Congress API, but no API support to query the supported
versions, so users have no idea about which versions can be supported in the
current Congress deployment.
Proposed change
Export the version list API, and show the current API details, include: id,
status, update time, links, like other OpenStack project: nova, neutron and
etc. Although Congress only support one version API(v1) currently, but the
version list API make sense for future API evolution.
Policy actions
Data sources
Data model impact
REST API impact
* Specification for the method
* List the current supported API versions.
* Method type: GET
* Normal http response code(s): 200
* Expected error http response code(s): None
* ``/``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed: None
* JSON schema definition for the response data if any:
"type": "object",
"properties": {
"versions": {
"type": "array",
"items": {
"type": "object",
"properties": {
"status": {
"type": "string"
"updated": {
"type": "string"
"id": {
"type": "string"
"links": {
"type": "array",
"items": {
"type": "object",
"properties": {
"href": {
"type": "string"
"rel": {
"type": "string"
"additionalProperties": false,
"required": ["href", "rel"]
"additionalProperties": false,
"required": ["status", "updated", "id", "links"]
"additionalProperties": false,
"required": ["versions"]
* Example use case:
"versions": [{
"status": "CURRENT",
"updated": "2015-07-03T11:33:21Z",
"id": "v1",
"links": [{
"href": "",
"rel": "self"
* There should not be any impacts to policy.json files for this change.
Security impact
Notifications impact
Other end user impact
The related works in python-congressclient will also be added.
After this modification, user could get the API version details, like this:
openstack congress version list
Performance impact
Other deployer impact
We modify api-paste.ini to add some stuff, so if the operator prepare to
upgrade from old release, he need to add the new config items to old
api-paste.ini file or override the old using new one.
Developer impact
Primary assignee:
Rui Chen <>
Work items
* Adds Version class to assemble API versions response.
* modify api-paste.ini to route the request to the new logic.
* Make python-congressclient supporting this API.
Some unit tests should been added to cover the new API.
Documentation impact
The related content should be added in Congress API document.

Compromised VM
Security policy use case
Problem description
IDS service notices malicious traffic originating from an insider VM trying to
send packets to hosts inside and outside of the tenant perimeter. As this is
detected, some reactive response would need to be taken, such as isolating the
offending VM from the rest of the network. This policy would facilitate one of
the reactive responses to be invoked when a compromise is reported by an IDS
Proposed change
An IDS will need to monitor traffic in and out of virtual machines. The IDS
will maintain the blacklist of known bad destinations. The patterns will need
to maintained in the IDS. While the IDS is monitoring for traffic patterns and
blacklist, it will need to notify Congress of the event through the Congress
IDS plugin. Through the Congress Neutron plugin, Neutron API will need to be
updated blocked IP. Congress-client and Horizon to alert the operator of
Instead of a blacklist maintained by the IDS, use an real time check of a
public blacklist.
Would it be simpler to flag an error anytime a VM was identified by IDS?
error(vm) :- ids:ip_blacklist(ip), neutron:port(vm, ip)
We should try to work out how the reactive bit would work. The way we'll do
that for the beta is to write another policy that dictates which action to take
under certain conditions. Imagine the policy above but instead of error(vm), we
write something like neutron:block_ip(secgrp, ip) :- ids:ip_blacklist(ip),
neutron:port(vm, ip), neutron:security_group(vm, secgrp)
I'm sure not all the details there are right. But ideally the thing in the head
of the rule would be a Neutron API call. In the worst case it can just the name
of a script that we write.
error(vm) :-
ids:ip_packet(src_ip, dst_ip),
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
Policy actions
* Monitoring: report/log the incident including the VM's IP address, external
IP, etc.
* Reactive: Invoke the nova API to add the VM to IDS security group restricting
access to make changes. Invoke neutron to block all traffic to/from the
VM's IP address. Alternatives are to restart the VM on a nova IDS
schedule filter (limiting traffic chaos while maintaining the ability to
access the VM) and/or a no route network or removing the VM network
Data sources
* IDS (intrusion detection service VM): IP address of the offending VM
* neutron: network details, IP details
* nova: VM details; instance ID, interface(s) status, instance state, security
Data model impact
REST API impact
Needs explanation
Security impact
* DoS
Notifications impact
* congress-client
* horizon
Other end user impact
Unknown at this time
Performance impact
Unknown at this time
Other deployer impact
Unknown at this time
Developer impact
Unknown at this time
Unknown at this time
Work items
* Congress IDS plugin
* Compromised VM policy
* Congress client notification
* Horizon notification
Neutron really needs to provide port allow/deny primitive. Today it blocks
everything and we can only poke pin holes what's allowed out -- this makes it
complex to implement policy
Need to understand more about these limitations.
Documentation impact

View File

Translation of Congress Table to Neutron Group-based Policy Tables
This specification describes how to integrate Congress Policy with Neutron
Group-based Policy (GBP).
Problem description
Congress provides a mechanism to allow OpenStack clients to define policy
to be applied across all OpenStack components including networking.
Neutron Group-based policy provides a high level abstraction for defining
network connectivity between groups of endpoints.
It is desirable to integrate Congress and GBP so that Congress can
monitor and enforce GBP policies. A Congress Reachability table
can be used to specify connectivity policy between endpoints. This table
can be translated into a set of tables that represent GBP entities, such as
Policy Target Groups, Policy Rules, Policy Classifier, etc.
Proposed change
GBP can be represented by these tables:
* Endpoints (endpoint_id)
* Endpoint_group (endpoint_id, endpoint_group_id)
* Classifiers (classifier_id, port, protocol, direction)
* Classifier_group (classifier_id, classifer_group_id)
* Actions (action_id, action_type, action_value)
* Action_group (action_id, action_group_id)
* Policy_rule (policy_rule_id, classifier_group_id, action_group_id)
* Contracts (contract_id, policy_rule_id)
* PolicyInstance (endpoint_group_id, relation, contract_id)
A Congress Reachability policy table may be defined to form
a policy between two groups of endpoints:
Reachable (id, group1, group2, src_port, dst_port)
The goal is to translate from the input Reachable policy table to
the output GBP tables using the Congress policy language using
functions such as:
PolicyInstance(group_id1, relation, contract_id) :-
reachable(contract_id, group_id1, group_id2, x, y),
An example of such a policy written using Congress datalog syntax
is shown below for two groups, tier 1 and tier 2, to communicate
bidirectionally on port 80.
Operator Input Data (from operator or cloud management system)
Tier Membership (tier_id, vm_id)
(1, 100)
(1, 101)
(2, 102)
Policy Input Data
Reachability policy table
Reachable (id, src, dst, src_port, dst_port)
(10, tier1, tier2, \*, 80)
(11, tier2, tier1, \*, 80)
Policy Actions
These tables allow Congress to monitor and enforce GBP policies.
Data Sources
Neutron Group-based Policy. Details of GBP can be found here:
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Primary assignee:
louis.fourie, alex.yip, cathy.zhang
Other contributors:
Work items
* Define translation functions.
* Implement the new constant tables and function tables to perform the
* This is dependent on the implementation of a GBP data-source driver for
Some sample input tables will be created and the translation verified by
checking the contents of the output trigger tables.
Documentation impact
All translation details will be documented.
* Juno Mid-cycle Policy Summit

Datalog aggregates
Add aggregates sum, count, min, max, avg to the policy language.
Problem description
Many policies require counting the number of VMs
with a certain property, computing the average, min, max, or sum
of certain values. Without aggregates, these policies cannot be
expressed in Datalog.
Proposed change
This change adds aggregates to the Datalog policy language.
The alternative is to leave aggregates out of the language. The
drawback is that some common policies would be inexpressible, but
the benefit is that the algorithms for reasoning about policy
would be simpler. By prohibiting aggregates, we exclude the possibility
that the user wants to use aggregates at the cost of their inclusion.
Example: define a table that counts the number of VMs in the web tier
of each application.
app_web_size(id, count(vm)) :-
appservice:webtier(id, vm)
Another option for syntax puts the aggregates into the body of the rule.
This option will likely require new syntactic restrictions on rules
to function properly.
app_web_size(id, cnt) :-
appservice:webtier(id, vm),
count(vm, cnt)
Suggestions for other syntaxes?
Policy actions
Data sources
Data model impact
The syntax for rules will be extended, but the database schema for storing
rules will not, since they are stored as strings.
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
There will be some performance impact in using aggregates since
they cost more to compute. These aggregates will also make reasoning
about the policy itself (i.e. when data is unknown) more difficult.
Other deployer impact
Developer impact
Primary assignee:
<launchpad-id or None>
Other contributors:
<launchpad-id or None>
Work items
0. Choose aggregates to implement, e.g. count, min, max, sum, avg
1. Modify congress/datalog/congress.g to accept the new statements (possibly)
2. Modify congress/datalog/compiler.g to include new datastructures for
representing aggregates internally
3. Modify congress/datalog/ to handle aggregates.
This will require adding in a step after computing all solutions
that applies the aggregate function.
- Unit tests will be added to congress/tests/datalog/
- A unit test or two ensuring the API properly accepts the new syntax
will be added to congress/tests/
Documentation impact
Need to add explanation of new syntax constructs to docs.
1. Overview of a Datalog language with aggregates:
2. Recent Stanford paper on aggregates

Removing d6cage dependency in api process
remove d6cage dependency
Problem description
API server currently relies on d6cage to create new API instances. Congress
will remove d6cage in the next distributed architecture. It needs to remove
dependency on d6cage of API instance creation.
Proposed change
1. Introduce a new dict object to create instances of API models. The dict
has references to each API instances d6cage has as services[name]['object']
now. Then uses the references to register API
with the instance.
2. Change base class of some instances, which aren't need to be a deepsix
class. This BP also changes these kind of class to python normal object.
SchemaModel and DatasourceModel aren't need to be deepSix's subclass both
in the current architecture and in the distributed one. others aren't need
to be deepSix's subclass in the new distributed one.
How to change to distributed version
It replace calling in
with a new API instance creating method which has instantiation steps for
API model in And it's only to make the dict with new
The alternative is to spread codes in into This change is easier to track
in current one process solution.
How to change to distributed version
It need to replace all d6cage.createservice() in APIRouterV1.__init__()
with new API instance creating method. There are a lot of place we have
to change for it. So this way is an alternative for this BP.
Policy actions
Data sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Primary assignee:
Other contributors:
Work items
0. create a new dict to have references to API instances
1. pass it as an argument for
2. use it to register API and the instances
3. remove API instances which don't need to inherit deepsix from d6cage
4. change direct access with variable to indirect access with method
- change Unit tests for non-deepsix object if needed
Documentation impact

Abstraction policy definitions in Horizon
Congress aims to provide an extensible open-source framework for governance
and regulatory compliance across any cloud services. Users can define policies
in congress by pure Datalog. But Datalog, working with data-tables, is a very
difficult and complex description for policies. Users may have some problems
to understand and deploy policies with Datalog. So this specification provides
an abstraction for policies, and shows it in an abstraction form in Horizon,
which will facilitate users to express their policies.
Problem description
Datalog is not intuitive to use, even difficult for users to express their
policies who are not familiar with it. And it may cause some misinterpretation
when translating real intent to Datalog because of the complex logic.
Proposed change
Congress makes the whole cloud compliant by defining violation state and action
for violation.
Policies in Congress can be expressed by BNF as below.
Congress Policy ::= violation-condition, "do" action for violation
So, policy abstraction is to abstract violation state and corresponding action
to make the policy more intuitive and easy to use.
By analyzing typical scenarios, violation mainly can be divided into two parts.
One is the constraint of objects' attributes, and another is the constraint
of relationship between several objects' attributes.
All the objects and constraints are not just a simple set of data source
tables, but they can be divided into some categories according to their
functions and relations. So users just need to choose objects they care about
without worrying about which tables they are in.
The violation-condition can be expressed by BNF as below.
violation-condition ::=object attribute constraint (value | object-attribute)
object-attribute::=object "." attribute
For any violation state, congress will take some actions, such as monitoring,
proactive and reactive. Of course, there may be more than one action defined to
a violation. Though monitoring violation is the fundamental function of
congress, changing cloud state to make the cloud compliant is also an important
function. So, policy abstraction will provide some optional reactive actions
for different objects to resolve violations.
The action for violation state can be expressed by BNF as below.
action ::= ("monitoring"| "proactive"| "reactive action") data
So policies in Congress can be abstracted into "name", "objects",
"violation-condition", "action" and "data".
Among these, element "name" defines a marker of a policy, which is used to
be a unique identification for a policy.
Element "objects" defines all objects which are concerned by this policy.
They are not just simple display of data source tables, but a organized set
which contains the relationship between different tables and objects,
such as, "servers", "networks", "hosts", "subnets", etc.
For example, table "statistics" will not appear as a object, but it will be
a attribute of other objects, such as, "servers", "networks".
Another example is users could choose "servers" and "networks" without caring
about what put them together ("ports", actually).
Element "violation-condition" defines the state of objects' attributes
which can produce violation, and the constraint will include comparison,
arithmetic and some predefined relationship/functions, such as, "same_group".
Element "action" defines the action needs to take for this policy,
and actions will include "proactive", "monitoring" and some specific actions,
such as, "create", "pause". All these actions depend on the ability of
underlying components.
Element "data" defines the information gotten or needed when executing the
action, for example, when monitoring a servers violation, users can define
"data" as servers' name to be a return parameters.
That is, Congress UI will provide many elements of policies as drop-down lists,
and the combination of these elements will form various policies. All these
elements are from the summary of typical scenarios and the ability of
underlying components.
Users need to choose which one can match their needs.
If there are some extensions of underlying component, attributes of any
component, or packaging functions, users could add objects, attributes and
define functions in advanced UI which show all detailed tables and attributes
in the underlying components. All extensions defined in advanced UI will
be available in abstraction UI,so users could customize their own policies
by combining these two UIs.
When user submits what he choose, UI will translate the information in UI
into Datalog.
There is one example to express typical policy by abstraction form in Horizon.
Example: every network connected to a VM must either be public or
owned by someone in the same group as the VM.
For this example, users care about "servers" and "networks", so users will
choose these two objects from a drop-down list.
After users decide the objects,users could make use of these attributes to
define violation state. In this example, violation-condition is that servers
tenant's group is not same with networks tenant's group. So users could choose
these two attributes and set their relation is "not equal".
All the choices will be show as drop-down lists, too.
And users need to choose the action and data to define which actions should be
applied to this violation. For example, users choose "monitoring", attributes
of servers and networks will appear in "data".
In this policy, users can create a policy as below.
| name | objects | violation-condition | action | data |
| policy_1 | servers |not equal(networks.share, public) | monitoring | |
| | networks |not equal(,| | |
If user have defined a packaging function for same_group, it will be added into
violation-condition, so user could choose this function and set which two
attributes are the parameters of this function.
If use take use of this way, above policy will be showed as below.
| name | objects | violation-condition | action | data |
| policy_1 | servers |not equal(networks.share, public) | monitoring | |
| | networks |not same_group(servers.tenant, networks.tenant)| | |
Policy Actions
The action can be monitoring, proactive or some execute actions
which can make the cloud compliant.
Data Source
Data model impact
REST API impact
Security impact
All parameters inputted by users need satisfy predefined standard, for example,
if values inputted in "violation-condition" in reasonable range
(e.g. 0-100% for CPU utilization).
Notifications impact
Other end user impact
End users can be able to write policies in Horizon and use some drop-down lists
and some simple inputs to create a policy. Then Horizon will translate the
information in UI into Datalog, which will be processed in Congress.
Performance impact
Other deployer impact
Developer impact
Primary assignee:
Yali Zhang
Other contributors:
Jim Xu; Yinben Xia
Work items
- Abstraction form to write policies rules and actions for policies.
- Build mapping relationship between abstraction form and Datalog,
so users can write a policy in UI other than Datalog.
- Pass information from Horizon to Congress to finish the policy creation.
Need to be tested with a variety of scenarios.
Documentation impact
Add instructions for policy abstraction in UI.

Add policy engine class to API
This blueprint makes it possible to access policy-engines (other than
the domain-agnostic policy engine) via the API.
Problem description
Currently there is no way to access policy engines other than the current
domain-agnostic policy engine through the API. Now that we are adding
other policy engines, we need to give the user a way to interact with them.
In addition to being useful for domain-specific policy engines, enabling
multiple policy engines should make it easier to handle upgrades for the
domain-agnostic policy engine: bring up the new one alongside the old one,
then swap the old one with the new one atomically.
Proposed change
Here we discuss two proposals. We list tradeoffs in the next section.
Proposal 1: Type-based
Here we simply add a top-level 'policy-engines' API endpoint, giving us ...
For example:
Data-sources would support:
* schema: available tables
* actions: available actions
* status: status
Policy-engines would support:
* schema: available tables (e.g. classification:connected_to_internet)
* actions: available actions (e.g. scripts built into a policy-engine for
carrying out some task)
* status: status
* policies: available policies
That is, the only difference between a policy-engine and a data-source is that
the datasource doesn't support 'policies'. If we were to think of 'policies'
as simply 'modules' then we could imagine a datasource-driver exposing
hierarchical tables, just like a policy-engine does. And in that case,
the data-source would have something analogous to the policy-engine 'policies'.
Proposal 2: Service-based
Here we do away with the types policy-engine and data-sources and give clients
the ability to access both policy-engines and datasources from the same
endpoint. This is possible because you cannot give a policy-engine and
a datasource the same name (a restriction in place to ensure references to
other services in policy are unambiguous).
For example:
All services would support:
* schema: available tables (e.g. classification:connected_to_internet)
* actions: available actions (e.g. scripts built into a policy-engine for
carrying out some task)
* status: status
* policies: available policies
In short, this proposal treats everything as if it is a policy-engine. The
datasource policy engines prohibit users from making changes directly (and
even if they did, they would only accept a very restricted form of policy
statements: ground facts).
This approach can be backwards compatible as well. We can still support
which gets routed to
And we can support
as syntactic sugar for
This would enable the user to choose a single touchpoint for managing policy
in the datacenter, while at the same time enabling them direct access to all
the services in the datacenter. (The only worry here is that )
To set the <default-service>, we'd want a parameter the user can set
dynamically (to help with upgrade).
Right now we would set that to /services/agnostic.
And maybe we can have arbitrary aliases for services as well, so that we can
upgrade any service without changing policy.
One worry with providing the /v1/policies, etc. endpoints is that it may
seem to mask Congress's overall status, policies, actions, and tables. That is,
people might expect those endpoints to aggregate all the potential policies,
actions, tables, and statuses. But if such functionality ever becomes
necessary, we can attach those endpoints to /v1/services, giving us the
following end points.
Here is an example of the entry points if we had Nova, GBP, and our policy
engine. The name of the service is whatever name DSE expects.
/services/nova/policies -> empty
/services/nova/actions -> createVM, deleteVM, migrateVM, etc.
/services/nova/tables -> servers, hosts, etc.
One benefit to enabling people to modify domain-specific policy engines
through the Congress API is that we provide a single policy language for
managing all the policy engines running in the datacenter. For delegation,
we already need adapters that translate Datalog into the native language of
each policy engine, so here we expose that functionality directly to the user
as well.
Pros for the type-based approach:
* Easy for users to understand
* Simple extension of the current API
Cons for the type-based approach:
* Awkward that data-sources and policy-engines implement almost exactly the
same interface and have separate namespaces, but are represented as
distinct classes in the API.
* Enables us to build datasources with significantly different programmatic
interface than policy-engines. If at the API-layer the two classes of
objects were almost indistinguishable, it would lead to better abstraction
and interfaces in the underlying implementation.
Pros for the the service-based approach:
* All services running on the DSE are accessed identically from the API. This
is a more natural reflection of the reality of the nature of those services.
Cons for the service-based approach:
* Bigger change
* May be more difficult for users to understand initially.
* Eventually the policy-engine class will include functionality that the
datasource class does not. Executing that functionality on a datasource
will cause a 404, and we cannot predict which will occur based on just the
* Doing something like listing all the datasources will require an API like
/v1/services?action=list&type=datasource instead of the more obvious
Overall, the types (datasource vs. policyengine) will be present in both
proposals, but they will be emphasized much less in the service-based approach.
The service-based approach is closer to Python in that the system isn't able
to look at the code you've written (the URL) and check if the method you asked
for exists. The type-based approach is closer to C/Java in that the system IS
able to tell you if the method exists by just looking at the code (URL).
Typically policy systems are quite dynamic in nature (you can change the
policy/code at runtime), and hence are closer to dynamic programming languages
like Python than to static languages like C/Java. We therefore typically
bias our decisions toward dynamism, which in this case would mean the
service-based approach.
Policy actions
Data sources
Data model impact
REST API impact
See above. No changes to API results--just the paths for invoking them.
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
See above.
Developer impact
Primary assignee:
<launchpad-id or None>
Other contributors:
<launchpad-id or None>
Work items
Once we decide on the approach, we will figure out the necessary work items.
But here's a rough cut.
- type-based approach: add routes, create congress/api/, modify
congress/api/\*_model to enable tables/actions/policies/etc. for engines.
- service-based approach: add routes, create congress/api/,
(including an API to list different types of objects), modify the
congress/api/\*_model to eliminate distinction between datasources and
Assumes that we have added an API call for 'actions', though this work could
be done without that: add-action-listing.
- Change unit tests in congress/tests/
- Change congress_pythonclient (which will handle tempest tests)
Documentation impact
Many URLs may change.

Create table publishing middleware
To lower the barrier to entry for other projects to publish data to Congress
on the (extended) DSE, create middleware that automates as much of the process
as possible.
Problem description
Currently Congress periodically polls the services it is managing to get their
data. It would be preferable if services sent data to Congress only when that
data changes. For example, instead of Congress pulling the list of Nova's
servers every minute, Nova would send its servers to Congress whenever a
new server is created, an existing server is deleted, or an existing server
is updated.
oslo.messaging already makes it possible for projects to publish data
to other projects, but that mechanism is underutilized today.
Proposed change
Solving this problem means making it even easier for other projects to send
their data to Congress than oslo.messaging does. This change will include
middleware, perhaps made available via oslo, that publishes all changes to the
underlying database tables on the bus. Moreover, it will
send not the entire table but rather the delta on the table that occurred.
It will be tightly integrated into existing oslo.db so that existing projects
need make no code changes; they need only include and configure the code.
There will need to be a synchronization mechanism: Congress pulls all the data
once and then needs deltas published on the bus from that point on. The deltas
sent on the bus will include timestamps that allow Congress to synchronize
the initial pull of data with the deltas.
Another option is to have a separate effort, say oslo.publish_tables, that
is not so tightly integrated with oslo.db. The upside to this approach is that
projects not using oslo.db (even those outside of OpenStack) could leverage
the code. The downside to this approach is that projects already using oslo.db
would need to write and maintain a bunch of special-purpose code for publishing
their data--an approach that has seen little success til now.
Perhaps we will find that we can implement both approaches with little extra
effort, but the primary goal of this spec is the tight integration with
Policy Actions
Data Sources
Data model impact
REST API impact
Security impact
Notifications impact
The goal of this spec is to improve the ability of other projects to
utilize the notifications mechanism provided by oslo.messaging.
Other end user impact
Performance impact
There will be minimal performance impact on the projects that utilize this
code because only the deltas that hit the database will be published on
the bus. Moreover, because each project can configure which tables
are published on the bus, the project owner can tune any
possible performance impact.
Other deployer impact
When configuring the middleware, we propose one key configuration option:
which tables should be published on the bus.
Developer impact
Primary assignee:
<launchpad-id or None>
<launchpad-id or None>
- Write basic middleware functionality
- Integrate it into oslo.db
- Install it into an existing service, say Nova.
- Standalone documentation
enable-delta-driven-datasources: enable the datasources/DatasourceDriver
class to connect to datasources that send deltas.
- Unit testing the basic functionality
- Tempest tests
o Verify that changes to tables configured to be published actually
get published
o Verify that changes to tables configured NOT to be published do not
get published
Documentation impact
Need documentation in oslo for the basic middleware.
Need documentation update to oslo.db

Add availability zones to nova datasource driver
This specification presents to extend the current nova datasource driver for
supporting availability zone and its fields available from nova.
Problem description
The current nova provides avaiability zones for server and host. A host is a
part of availability zone and server can be booted on the availability zone.
However, the current nova datasource driver does not support it.
This availability zone are useful for creating any policy related to server
For example, we can specify a policy for checking status of any VMs located in
the specific availability zone. In addition, we can specify an action policy
for migrating some VMs from availability zone A to availability zone B.
Recently, availability zone was added to servers using
OS-EXT-AZ:availability_zone [1].
However, it is hard to make full hierarchy among availability zone, hosts, and
servers and lack of flexiblity and extensibility. If we add the availability
zone to nova data source driver, it will be more flexible and extensible to use
more fields available from the availability zone such as zone state.
Proposed change
Basically, we can extend the curret Nova datasource driver
(datasources/ by adding the following a translator and
two fields.
* availabilty_zones_translator
* zone_name
* zone_state
Using the Congress datalog syntax, write out an example policy using
host_availability_zone(vm,zone_name) :-
Policy actions
Data sources
Data model impact
REST API impact
Security impact
Notifications impact
Other end user impact
Performance impact
Other deployer impact
Developer impact
Primary assignee:
Joon Kang <joon-myung-kang>
Work items
* Implement availability_zone_translator in nova datasource driver
* Perform unit testing
* Perform functional testing for the new field
* Test host and availability zones using the policy
Documentation impact
[1] /congress/commit/9f9e26f850d12c73721b5e6b45ac00997c8c24c2

Push Type DataSource Driver
Problem description
Currently DataSource Driver retrieves all cloud service's info by polling
each datasource. The purpose of the polling is just to monitor cloud
service periodically. Thus Congress can't notice a change in cloud service
just after the change occurs. It means a policy violation isn't detected
until Congress polls the change. Additionally, Congress calls the service's
API to get the data for a table, so datasource table's schema depends on API
response contents.
In the area of monitoring, tons of well-developed monitoring system have
already existed in the world. The systems have an ability to notify a change
in cloud services just after a change occurs. And then these monitoring systems
can detect many kind of changes in cloud services that Congress can't do.
Congress should retrieve the notification as a DataSource since it helps
Congress to calculate a policy violation faster than now and also enables
us to define varied policies and rules.
Proposed change
Following changes are proposed in the BP.
1. Create PollingDataSourceDriver and PushedDataSourceDriver class. Current
DataSourceDriver has 2 features. One is converting data to datasource table
and sending it to Policy Engine. Another is polling data from datasource.
We should separate the polling feature into another class that is subclass
of DataSourceDriver named PollingDataSourceDriver. And we create
PushedDataSourceDriver, which is subclass of DataSourceDriver and receives
data from a monitoring system.
2. Create HttpReceiverDriver subclass or OsloMsgReceiverDriver subclass
Both Drivers are a subclass of PushedDataSourceDriver and receive
datasource info by the protocol the class name has. DataSourceDriver has
to keep datasource status in itself, so the classes will support 2 types
of a data receiving method. One is receiving all status data each push
time. Another is receiving only delta data that represents which row is
deleted or added in the status like REST API.
First of all, the BP chooses and implements one of them based on an usecase,
which needs to use PushedDatasourceDriver.
There are some restrictions as a first implementation.
* Table definitions
Ideally speaking, PushedDataSourceDriver should allow admin to change a
datasource name, table name, schema and so on by Congress API.
PushedDataSourceDriver defines the protocol name as a datasource name in
first implementation. Then the admin can define a translator in another
python file. In the current architecture, the path is set by 'config' key
in a call for create datasource API. In the distributed architecture, the
path is set by a config file for each datasource driver.
The alternative is that Congress allows admin to add and delete a row by API
calls. The API is a REST API, so the benefit is that both create and delete
methods are already developed in itself. However, the way has following
bad points. First is all request needs an authentication to push data. It
means all datasource have to be related to keystone authority. Second is
it's not easy to divide a network segmentation based on each API's purpose.
If Congress enables API to retrieve datasource, the datasource receiver is
exposed to user.
Example: define a table that shows service name related to host's failures
detected by monitoring system.
Assumption: monitoring system pushes data by http. col_1 represents name of
a host where the monitoring system detects
some failure. col_2 represents a failure type.
http:table(col_1=host, col_2="nic_error")
http:table(col_1=host, col_2="disk_error")
failure_effected_service(service, host) :-
nova:service(host_name=host, service=service),
Policy actions
Data sources
Add new datasource model and table.
Data model impact
REST API impact
Creating new datasource name, table name and table schema by API is a future
work. It means this feature is out of scope for this BP.
Security impact
It enables others to push datasource row into the datasource driver. It would
cause undesired policy violation if malicious users send data on purpose.
Notifications impact
Other end user impact
Performance impact
PushedDataSourceDriver notifies a status change when it receives a change from
a monitoring system. If the system frequently sends a notification, it would
make Congress busy with calculating policy table.
Other deployer impact
* Add a config for column number
* Disable the PushedDataSourceDriver in default because of a reason described
in Security Impact section
Developer impact
Primary assignee:
Other contributors:
Work items
0. Create PollingDataSourceDriver subclass and pull out methods related to
polling from DataSourceDriver class into the new Driver
1. Create PushedDataSourceDriver subclass
2. Create HttpReceiverDriver or OsloMsgReceiverDriver
* Add unit tests related to new class
* Add tempest scenario tests which use pushed data in rules if possible
Documentation impact
DataSource list will be updated if the list is described in docs.
Policy Support for Unknown Table Schemas
The new distributed architecture requires the policy engine to
handle the case when the schema for some datasource drivers are
unknown. Today the policy engine assumes the schemas for all
datasource drivers are known at load-time. This spec outlines
a mechanism for supporting unknown schemas.
Problem description
For the new distributed architecture, the policy engine will not know
the schema for all the datasources at the time rules are loaded from the
database. This is currently problematic because column-references are
compiled away at the time rules are loaded from the database, and that
compilation procedure requires the schema. Thus in the new architecture,
the policy engine will crash when it tries to load policy rules that
contain column references.
Proposed change
The fix to this problem is to enable the policy engine to load rules
that include column references without compiling away those column references.
That is, the main reason to compile away column references is that the
internal datastructures for representing rules cannot represent those
column references natively, and hence, the column references must be
removed at load-time. The first task is to extend the internal
datastructures in so they can represent named-columns.
The second reason column references get compiled away is that they cannot
be evaluated (even semantically) without the schema. The second task
is to extend the run-time capabilities of the policy engine so that
rules can be disabled without being deleted. A disabled rule will
be completely hidden from the evaluation engine when answering queries
yet will still be visible but marked as "disabled" when users view
the rules.
Every time a new rule is inserted, if its schema is unknown, that
rule must be disabled. Moreover, every rule using a table dependent
on the table in the head of that rule must be disabled. Similarly
for deletion except that deletion can cause other rules to be enabled.
Every time the schema changes, all rules impacted by that schema
change should be checked for consistency, and disabled rules
must be enabled once all schemas are known. Once a rule
is enabled, the column references are compiled away.
If a 2nd schema arrives (unequal to the first), the policy engine
must check for consistency and recompile any rules whose schema
may have changed.
For example, if the following rule is inserted before the schemas
for nova-servers and neutron-networks is known, the rule will
be disabled since it has column references.
p(x, z) :- nova:servers(id=x, network=y), neutron:networks(id=y, status=z)
Then when the nova schema becomes known this rule is validated
against that schema but is not enabled because the neutron schema
is unknown.
Finally when the neutron schema becomes known, the column references
are compiled away and the rule is officially enabled.
Instead of disabling rules, another option is to modify the
evaluation engine to do a best-effort query evaluation. The evaluation
algorithms themselves would know about column-references, and would
attempt to operate even if the schema was unknown.
The downside to this alternative is that the rules are actually
semantically ambiguous, and hence the result of evaluation has
unknown semantic value.
Policy actions
Data sources
Data model impact
No database modifications are required.
REST API impact
The Rule object will have an additional boolean field representing whether
or not the rule is disabled.
Security impact
Notifications impact
Other end user impact
Performance impact
Rule inserts could now be slower since if the rule inserted gets disabled,
that could cause many other rules to be disabled.
Rule deletions likewise could cause many policy rules to be enabled.
Schema updates are expensive because the policy engine must do consistency
checks on all rules that are relevant, and potentially re-compile rules.
Other deployer impact
Developer impact
Primary assignee:
Other contributors:
Work items
1. Modify datastructures to natively represent column
references. Include a 'disabled' flag.
2. Modify query evaluation engine to ignore disabled rules
3. Modify triggers to ignore disabled tables
4. Enable/disable rules on insert/delete/set-schema
- Write dependency analysis routine to compute the rules/tables
that are disabled once a given table is disabled.
Likely to need a datastructure that tracks disabled tables.
- Modify update routine to do schema check and enable/disable rules
as appropriate using the dependency analysis.
- Modify set-schema to appropriately enable/disable rules
May want to add field to rules that say which tables the compilation
was dependent on.
Unit test coverage should be mostly adequate.
Only real need for tempest tests would be testing the startup of Congress,
but that is not supported with tempest.
Documentation impact
Support high availability, high throughput deployment
Include the URL of your launchpad blueprint:
Some applications require Congress to be highly available (HA). Some
applications require a Congress policy engine to handle a high volume of
queries (high throughput - HT). This proposal describes how we can support
several deployment schemes that address several HA and HT requirements.
Problem description
This spec aims to address three main problems:
1. Congress is not currently able to provide high query throughput because
all queries are handled by a single, single-threaded policy engine instance.
2. Congress is not currently able to failover quickly when its policy engine
becomes unavailable.
3. If the policy engine and a push datasource driver both crash, Congress is
not currently able to restore the latest data state upon restart or
Proposed change
Implement the required code changes and create deployment guides for the
following reference deployments.
Warm standby for all Congress components in single process
- Downtime: ~1 minute (start a new Congress instance and ingest data from
- Reliability: action executions may be lost during downtime.
- Performance considerations: uniprocessing query throughput
- Code changes: minimal
Active-active PE replication, DSDs warm-standby
Run N instances of Congress policy engine in active-active configuration. One
datasource driver per physical datasource published data on oslo-messaging to
all policy engines.
+-------------------------------------+ +--------------+
| Load Balancer (eg. HAProxy) | <----+ Push client |
+----+-------------+-------------+----+ +--------------+
| | |
PE | PE | PE | all+DSDs node
+---------+ +---------+ +---------+ +-----------------+
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
| | API | | | | API | | | | API | | | | DSD | | DSD | |
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
| | PE | | | | PE | | | | PE | | | | DSD | | DSD | |
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
+---------+ +---------+ +---------+ +--------+--------+
| | | |
| | | |
| |
| |
+-------+----+ +------------------------+-----------------+
| Oslo Msg | | DBs (policy, config, push data, exec log)|
+------------+ +------------------------------------------+
- Downtime: < 1s for queries, ~2s for reactive enforcement
- Deployment considerations:
- Cluster manager (eg. Pacemaker + Corosync) can be used to manage warm
- Does not require global leader election
- Performance considerations:
- Multi-process, multi-node query throughput
- No redundant data-pulling load on datasources
- DSDs node separate from PE, allowing high load DSDs to operate more
smoothly and avoid affecting PE performance.
- PE nodes are symmetric in configuration, making it easy to load balance
- Code changes:
- New synchronizer and harness to support two different node types:
API+PE node and all-DSDs node
- Datasource drivers (DSDs):
- One datasource driver per physical datasource.
- All DSDs run in a single DSE node (process)
- Push DSDs: optionally persist data in push data DB, so a new snapshot can
be obtained whenever needed.
- Policy engine (PE):
- Replicate policy engine in active-active configuration.
- Policy synchronized across PE instances via Policy DB
- Every instance subscribes to the same data on oslo-messaging.
- Reactive enforcement:
All PE instances initiate reactive policy actions, but each DSD locally
selects a "leader" to "listen to". The DSD ignores execution requests
initiated by all other PE instances.
- Every PE instance computes the required reactive enforcement actions and
initiate the corresponding execution requests over oslo-messaging.
- Each DSD locally picks PE instance as leader (say the first instance the
DSD hears from in the asymmetric node deployment, or the PE instance on
the same node as the DSD in a symmetric node deployment) and executes
only requests from that PE.
- If heartbeat contact is lost with the leader, the DSD selects a new
- Each PE instance is unaware of whether it is a "leader"
- API:
- Each node has an active API service
- Each API service routes requests for PE to its associated intranode PE
- Requests for any other service(eg. get data source status) are routed to
DSE2, which will be fielded by some active instance of the service on some
- Details:
- in API models, replace every invoke_rpc with a conditional:
- if the target is policy engine, target same-node PE
caller, 'get_row_data', args,
- otherwise, invoke_rpc stays as is, routing to DSE2
self.invoke_rpc(caller, 'get_row_data', args)
- Load balancer:
- Layer 7 load balancer (e.g. HAProxy) distributes incoming API calls among
the nodes (each running API service).
- load balancer optionally configured to use sticky session to pin each API
caller to a particular node. This configuration avoids the experience of
going back in time.
- External components (load balancer, DBs, and oslo messaging bus) can be made
highly available using standard solutions (e.g. clustered LB, Galera MySQL
cluster, HA rabbitMQ)
Dealing with missed actions during failover
When a leader fails (global or local), it takes time for the failure to be
detected and a new leader anointed. During the failover, reactive enforcement
actions expected to be triggered would be missed. Four proposed approaches
are discussed below.
- Tolerate missed actions during failover: for same applications, it may be
acceptable to miss actions during failover.
- Re-execute recent actions after failover
- Each PE instance remembers its recent action requests (including the
requests a follower PE computed but did not send)
- On failover, the DSD requests the recent action requests from the new
leader and executes them (within a certain recency window)
- Duplicate execution expected on failover.
- Re-execute recent unmatched actions after failover (possible future work)
- We can reduce the number of duplicate executions on failover by attempting
to match a new leader's recent action requests with the already executed
requests, and only additionally executing those unmatched.
- DSD logs all recent successfully executed action requests in DB
- Request matching can be done by a combination of the following information:
- the action requested
- the timestamp of the request
- the sequence number of the data update that triggered the action
- the full derivation tree that triggers the action
- Matching is imperfect, but still helpful
- Log and replay data updates (possible future work)
- Log every data update from every data source, and let a new leader replay
the updates where the previous leader left off to generate the needed
action requests.
- The logging can be directly supported by transport or by additional DB
- kafka naturally supports this model
- hard to do directly with oslo-messaging + RabbitMQ
- Leaderless de-duplication (possible future work)
- If a very good matching method is implemented for re-execution for recent
unmatched actions after failover, it is possible to go one stop further
and simply operate in this mode full time.
- Each incoming action request is matched against all recently executed
action requests.
- Discard if matched.
- Execute if unmatched.
- Eliminates the need for selecting leader (global or local) and improves
failover speed
We propose to focus first on supporting the first two options
(deployers' choice). The more complex options may be implemented and supported
in future work.
We first discuss the main decision points before detailing several alternative
For active-active replication of the PE, here are the main decision points:
A. node configurations
- Options:
1. single node-type (every node has API+PE+DSDs).
2. two node-types (API+PE nodes, all-DSDs node). [proposed target]
3. many node-types (API+PE nodes, all DSDs in separate nodes).
- Discussions: The many node-types configuration is most flexible and has
the best support for high-load DSDs, but it also requires the most work to
dev and to deploy.
We propose to target the two node-types configuration because it gives
reasonable support for high-load DSDs while keeping both the development
and the deployment complexities low.
B. global vs local leader for action execution
- Options:
1. global leader: Pacemaker anoints a global leader among PE instances;
only the leader sends action-execution requests.
2. local leader: every PE instance sends action-execution requests, but
each receiving DSD locally picks a "leader" to listen to.
[proposed target]
- Discussions: Because there is a single active DSD for a given data source,
it is a natural spot to locally choose a "leader" among the PE instances
sending reactive enforcement action execution requests.
We propose to target the local leader style because it avoids the
development and deployment complexities associated with global leader
Furthermore, because all PE instances perform reactive enforcement and send
action execution requests, the redundancy opens up the possibility for
zero disruption to reactive enforcement when a PE intance fails.
C. DSD redundancy
- Options:
1. warm standby: only one set of DSDs running at a given time; backup
instances ready to launch.
2. hot standby: multiple instances running, but only one set is active.
3. active-active: multiple instances active.
- Discussions:
- For pull DSDs, we propose to target warm standby seems most appropriate
because warm startup time is low (seconds) relative to frequency of data
- For push DSDs, warm standby is generally sufficient except for use cases
that demand sub-second latency even during a failover. Those use cases
would require active-active replication of the push DSDs. But even with
active-active replication of push DSDs, other unsolved issues in
action-execution prevent us from delivering sub-second end-to-end latency
(push data to triggered action executed) during failover (see leaderless
de-duplication approach for sub-second action execution failover).
Since we cannot yet realize the benefit of active-active replication of
push DSDs, we propose to target a warm-standby deployment, leaving
active-active replication as potential future work.
Active-active PE replication, DSDs hot-standby, all components in one node
Run N instances of single-process Congress.
One instance is selected as leader by Pacemaker. Only the leader has active
datasource drivers (which pull data, accept push data, and accept RPC calls
from the API service), but all instances subscribes to and processes data on
oslo-messaging. Queries are load balanced among instances.
| Load Balancer (eg. HAProxy) |
| | |
| leader | follower | follower
+---------------------+ +---------------------+ +---------------------+
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| | API | |DSD (on) | | | | API | |DSD (off)| | | | API | |DSD (off)| |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| | PE | |DSD (on) | | | | PE | |DSD (off)| | | | PE | |DSD (off)| |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
+---------------------+ +---------------------+ +---------------------+
| | |
| | |
| |
| |
+--------------+-----------+ +--------------------+---------------------+
| Oslo Msg | | DBs (policy, config, push data, exec log)|
+--------------------------+ +------------------------------------------+
- Downtime: < 1s for queries, ~2s for reactive policy
- Deployment considerations:
- Requires cluster manager (Pacemaker) and cluster messaging (Corosync)
- Relatively simple Pacemaker deployment because every node is identical
- Requires leader election (handled by Pacemaker+Corosync)
- Easy to start new DSD (make API call, all instances sync via DB)
- Performance considerations:
- [Pro] Multi-process query throughput
- [Pro] No redundant data-pulling load on datasources
- [Con] If some data source drivers have high demand (say telemetry data),
performance may suffer when deployed in the same python process as other
Congress components.
- [Con] Because the leader has the added load of active DSDs, PE performance
may be reduced, making it harder to evenly load balance across instances.
- Code changes:
- Add API call to designate a node as leader or follower
- Custom resource agent that allows Pacemaker to start, stop, promote, and
demote Congress instances
- Pull datasource drivers (pull DSD):
- One active datasource driver per physical datasource.
- Only leader node has active DSDs (active polling loop and active
RPC server)
- On node failure, new leader node activates DSDs.
- Push datasource drivers (push DSD):
- One active datasource driver per physical datasource.
- Only leader node has active DSDs (active RPC server)
- On node failure, new leader node activates DSDs.
- Persist data in push data DB, so a new snapshot can be obtained.
- Policy engine (PE):
- Replicate policy engine in active-active configuration.
- Policy synchronized across PE instances via Policy DB
- Every instance subscribes to the same data on oslo-messaging.
- Reactive enforcement: See later section "Reactive enforcement architecture
for active-active deployments"
- API:
- Add new API calls for designating the receiving node as leader or follower.
The call must complete all tasks before returning (eg. start/stop RPC)
- Each node has an active API service
- Each API service routes requests for PE to its associated intranode PE,
bypassing DSE2.
- Requests for any other service(eg. get data source status) are routed to
DSE2, which will be fielded by some active instance of the service on some
- Details:
- in API models, replace every invoke_rpc with a conditional:
- if the target is policy engine, target same-node PE
caller, 'get_row_data', args,
- otherwise, invoke_rpc stays as is, routing to DSE2
self.invoke_rpc(caller, 'get_row_data', args)
- Load balancer:
- Layer 7 load balancer (e.g. HAProxy) distributes incoming API calls among
the nodes (each running API service).
- load balancer optionally configured to use sticky session to pin each API
caller to a particular node. This configuration avoids the experience of
going back in time.
- Each DseNode is monitored and managed by a cluster manager (eg. Pacemaker)
- External components (load balancer, DBs, and oslo messaging bus) can be made
highly available using standard solutions (e.g. clustered LB, Galera MySQL
cluster, HA rabbitMQ)
- Global leader election with Pacemaker:
- A resource agent contains the scripts that tells a Congress instance it is
a leader or follower.
- Pacemaker decides which Congress instance to promote to leader (master).
- Pacemaker promotes (demotes) the appropriate Congress instance to leader
(follower) via the resource agent.
- Fencing:
- If the leader node stops responding, and a new node is promoted to
leader, it is possible that the unresponsive node is still doing work
(eg. listening on oslo-messaging, issuing action requests).
- It is generally not a catastrophe if for a time there is more than one
Congress node doing the work of a leader. (Potential effects may include:
duplicate action requests and redundant data source pulls)
- Pacemaker can be configured with strict fencing and STONITH for
deployments that require it. (deployers' choice)
- In case of network partitions:
- Pacemaker can be configured to stop each node that is not part of a
cluster reaching quorum, or to allow each partition to continue
operating. (deployers' choice)
Active-active PE replication, DSDs warm-standby, each DSD in its own node
Run N instances of Congress policy engine in active-active configuration. One
datasource driver per physical datasource published data on oslo-messaging to
all policy engines.
| Load Balancer (eg. HAProxy) |
| | |
| | |
+---------+ +---------+ +---------+
| +-----+ | | +-----+ | | +-----+ |
| | API | | | | API | | | | API | |
| +-----+ | | +-----+ | | +-----+ |
| +-----+ | | +-----+ | | +-----+ |
| | PE | | | | PE | | | | PE | |
| +-----+ | | +-----+ | | +-----+ |
+---------+ +---------+ +---------+
| | |
| | |
| | | | |
| | | | |
+----+-------------+-------------+---+ +-------+--------+ +-----+-----+
| Oslo Msg | | Push Data DB | | DBs |
+----+-------------+-------------+---+ ++---------------+ +-----------+
| | | | (DBs may be combined)
+----------+ +----------+ +----------+
| +------+ | | +------+ | | +------+ |
| | Poll | | | | Poll | | | | Push | |
| | Drv | | | | Drv | | | | Drv | |
| | DS 1 | | | | DS 2 | | | | DS 3 | |
| +------+ | | +------+ | | +------+ |
+----------+ +----------+ +----------+
| | |
+---+--+ +---+--+ +---+--+
| | | | | |
| DS 1 | | DS 2 | | DS 3 |
| | | | | |
+------+ +------+ +------+
- Downtime: < 1s for queries, ~2s for reactive policy
- Deployment considerations:
- Requires cluster manager (Pacemaker) and cluster messaging (Corosync)
- More complex Pacemaker deployment because there are many different
kinds of nodes
- Does not require global leader election (but that's not a big saving if
we're running Pacemaker+Corosync anyway)
- Performance considerations:
- [Pro] Multi-process query throughput
- [Pro] No redundant data-pulling load on datasources
- [Pro] Each DSD can run in its own node, allowing high load DSDs to operate
more smoothly and avoid affecting PE performance.
- [Pro] PE nodes are symmetric in configuration, making it easy to load
balance evenly.
- Code changes:
- New synchronizer and harness and DB schema to support per node
Hot standby for all Congress components in single process
Run N instances of single-process Congress, as proposed in:
A floating IP points to the primary instance which handles all queries and
requests, failing over when primary instance is down.
All instances ingest and process data to stay up to date.
| Floating IP | - - - - - - + - - - - - - - - - - - -+
+----+----------+ | |
| | |
+---------------------+ +---------------------+ +---------------------+
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| | API | | DSD | | | | API | | DSD | | | | API | | DSD | |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| | PE | | DSD | | | | PE | | DSD | | | | PE | | DSD | |
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
| +-----------------+ | | +-----------------+ | | +-----------------+ |
| | Oslo Msg | | | | Oslo Msg | | | | Oslo Msg | |
| +-----------------+ | | +-----------------+ | | +-----------------+ |
+---------------------+ +---------------------+ +---------------------+
| | |
| | |
| Databases |
- Downtime: < 1s for queries, ~2s for reactive policy
- Feature limitations:
- Limited support for action execution: each action execution is triggered
N times)
- Limited support for push drivers: push updates only primary instance
(optional DB-sync to non-primary instances)
- Deployment considerations:
- Very easy to deploy. No need for cluster manager. Just start N independent
instances of Congress (in-process messaging) and setup floating IP.
- Performance considerations:
- Performance characteristics similar to single-instance Congress
- [Con] uniprocessing query throughput (optional load balancer can be added
to balance queries between instances)
- [Con] Extra load on data sources from replicated data source drivers
pulling same data N times
- Code changes:
- (optional) DB-sync of pushed data to non-primary instances
Not applicable
Policy actions
Not applicable
Data sources
Not applicable
Data model impact
No impact
REST API impact
No impact
Security impact
No major security impact identified compared to a non-HA distributed
Notifications impact
No impact
Other end user impact
Proposed changes generally transparent to end user. Some exceptions:
- Different PE instances may be out-of-sync in their data and policies
(eventual consistency). The issue is generally made transparent to the end
user by making each user sticky to a particular PE instance. But if
a PE instance goes down, the end user reaches a different instance and may
experience out-of-sync artifacts.
Performance impact
- In single node deployment, there is generally no performance impact.
- Increased latency due to network communication required by multi-node
- Increased reactive enforcement latency if action executions are persistently
logged to facilitate smoother failover
- PE replication can achieve greater query throughput
Other deployer impact
- New config settings:
- set DSE node type to one of the following:
- PE+API node
- a DSDs node
- all-in-one node (backward compatible default)
- set reactive enforcement failover strategy:
- do not attempt to recover missed actions (backward compatible default)
- after failover, repeat recent action requests
- after failover, repeat recent action requests not matched to logged
- Proposed changes have no impact on existing single-node deployments.
100% backward compatibility expected.
- Changes only have effect if deployer chooses to set up a multi-node
deployment with the appropriate configs.
Developer impact
No major impact identified.
Work to be assigned and tracked via launchpad.
Work items
Items with order dependency:
1. API routing.
Change API routing to support active-active PE replication, routing PE-bound
RPCs to the PE instance on the same node as the receiving API server.
Changes expected to be confined to congress/api/*
2. Reactive enforcement.
Change class to handle action execution
requests from replicated PE-nodes (locally choose leader to follow)
3. (low priority) Missed actions mitigation.
- Implement changes to mitigate missed actions during DSD failover
- Implement changes to mitigate missed actions during PE failover
Items without dependency:
- Push data persistence.
Change class to support
persistence of pushed data. Corresponding DB changes also needed.
- (potential) Leaderless de-duplication of action execution requests.
- HA guide.
Create HA guide sketching the properties and trade-offs of each different
deployment types.
- Deployment guide.
Create deployment guide for active-active PE replication
- Requires Congress to support distributed deployment (for example with policy
engine and datasource drivers on separate DseNodes.) Distributed deployment
has been addressed by several implemented blueprints. The following patch is
expected to be the final piece required.
- This spec does not introduce any new code of library dependencies.
- In line with OpenStack recommendation
(, some
reference deployments use open source software outside of OpenStack:
- HAProxy:
- Pacemaker:
- Corosync:
We propose to add tempest tests for the following scenarios:
- Up to (N - 1) PE-nodes killed
- Previously killed PE-nodes rejoin.
- Kill and restart DSDs-node, possibly at the same time PE-nodes are killed.
Split brain scenarios can be manually tested.
Documentation impact
Deployment guide to be added for each supported reference deployment. No impact
on existing documentation.
- IRC discussion on major design decisions (#topic HA design):
- Notes from summit session:
- OpenStack HA guide:
- HAProxy documentation:
- Pacemaker documentation:
- directory:
- Cluster from scratch:
- Configuration explained:
- OCF resource agents:

@ -1,249 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
Selectability for Translator
Problem description
DataSource Driver creates all translator and publishes its schema when
it's initialized. If the driver is one of polling driver, it polls data
of all translator from related services, even though any policy rules don't
use the schema. The behavior causes performance issues when an unnecessary
translator takes a long time to fetch data from related service.
Admin can choose which DataSource Driver they use or don't use by configuring
congress.conf and creating DataSource by API. On the other hands, there is
no way for admin to choose which translator in the created DataSource publishes
their schema. So when the update frequency of an unnecessary translator is
high, the issue described above also happens.
Proposed change
This BP proposes a new feature that admin can set *lazy* to polling
data from services until other service requires schema of the datasource.
The issue described above doesn't happen in the usual case. So datasources
poll data for all table in default. If admin don't want a datasource to
poll unnecessary data, they disableds polling flag of the datasource and then
the datasource doesn't poll data if not needed.
Admin defines a list of lazy tables in datasource config parameter when
he/she instantiates a new datasouce. The datasource doesn't poll data related
to tables listed in the config value while any policy rule doesn't subscribe
the table. If datasource notices/recieves the subscription it starts to poll
There are 2 possible corner cases.
* lazy parent translator and non-lazy child translator
This issue happens when parent translator is defined as a lazy but child
translator is not defined. Each table is mapped to one translator and
some translators have a hierarchy for extracting one pulled data to some
tables. When admin specifies a table mapped to a child translator as a lazy
but parent translator is not lazy, details of the issue are that the
datasource should pull data or not.
In this proposal, the datasource tries to pull data. Having the hierarchy
is depending on an implementation of the client the datasource uses. If
the client has separeted methods for pulling both data the datasource could
use each method.
* list table row API for a lazy table
This issue happens when user calls list table row API for a lazy table before
any service subscribes it. The table has no data about the table and the
datasource can't return row data. Details of the issue are that the
datasource should pull data and return a response of row or not when user
calls the API.
In this proposal, the API returns 400 Bad Request error with a message about
the table doesn't start to poll since the table is defined as lazy. If the
API returns a response with row data user can't recognize the table is a lazy
and the row data is up-to-date or not.
Specifying a table that doesn't poll is one of alternatives. This allows
admin to handle each table to poll or not. Additionally, the datasource
doesn't pull data in not polling status even though policy rules using the
table are defined. But it also requires admin to manage all table manually.
It's hard to operate.
Enabling admin to config polling time delta for each translator is one of
answers to resolve a polling performance issue. The good point is admin
can write a policy rule related to the translator anytime since PolicyEngine
has its schema. The down side, however, is policy calculation could be delayed
since the delta is longer than in usual case.
Admin can set the enabled flag by config file for each translator too.
Using config file is an easy way to disable it and has low impacts for codes.
However, he/she have to restart DataSource everytime they want to change the
Policy actions
Data sources
Datasource Driver have a functionality to start/stop pull data from service.
Datasource starts to pull ALL data in default just after initialized. If lazy
config is specified to some tables, the datasource waits to start to pull data
related to the tables until other service subscribes the table. And then when
there is no subscriber for the lazy table the datasource stops to pull data.
There is no change from PolicyEngine perspectives.
Data model impact
Datasources have a list of lazy table in its config values. Currently, all
config values are stored in DB, so the list is also stored there.
REST API impact
This proposal expands parameters of existing APIs.
* Define a list of lazy tables
* API Schema
POST /v1/data-sources
* Request Body
.. code-block:: javascript
"config": {
"lazy_table": "[table1-a, table-b]",
* Response Body
.. code-block:: javascript
"config": {
"lazy_table": "[table1-a, table-b]",
List show a datasource details
* API Schema
GET /v1/data-sources/<datasoure-id>
* Response Body
.. code-block:: javascript
"config": {
"lazy_table": "[table1-a, table-b]",
Security impact
Notifications impact
Other end user impact
Performance impact
As described in Problem description section, the feature is to improve
PollingDataSource Driver. It reduces polling time and amount of sent data
from DataSource to PolicyEngine.
Other deployer impact
Developer impact
Developers who write another PollingDataSource Driver
Primary assignee:
Other contributors:
Work items
0. Disable polling data
When no subscrier exists for lazy tables, PollingDataSourceDriver
stops pulling data. And the driver starts pulling data after some
other service start to subscribe the table.
1. "lazy_table" config
Subclass of PollingDataSourceDriver will have "lazy_table" key in
its config parameter. This key is optional config.
* Add unit tests related to the functionality
Documentation impact
API reference will be updated based on the API changes.

@ -1,628 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
Policy Library
Include the URL of your launchpad blueprint:
When Congress is first deployed, it does not perform any monitoring or
enforcement because there are no policies specified. It takes significant
investment in time and energy to learn the policy language and write the
desired policies before Congress provides any value.
Problem description
To help deployers and administrators quickly get started and see value,
we propose to include with Congress a library of useful policies that a
deployer or administrator can easily enable, disable, and customize.
Proposed change
The proposed changes come in two main pieces, the new policy library and the
changes to existing Congress server functionalities to support the use of
policies from the policy library.
The policy library
Introduce a new concept of the policy library in Congress server,
where policies are retained and manipulated but are not used by the policy
engine (for monitoring or enforcement).
Include with Congress server a collection of useful policies,
each in a YAML file. These policies automatically populate the policies
To make it easy for us to populate the library and for admins to modify/create
their own library, the API/CLI/GUI should support full CRUD into the library.
* Congress server can have new config option that points to a directory of
policies to load into the library.
* Once the library is initialized from the files, restart of Congress server
do not re-initialize the policy library from the files
(empty library is assumed to be un-initialized). A new interface
allows an administrator to trigger re-initialization from files.
.. note:: The policy library is persisted in the database and has a
separate existence in Congress server apart from the files in the policy
library directory. See also discussion of the alternative model
_`Policy library directory files as truth`.
* Future feature: reloads changed files automatically into library
* Will not update policies imported from library into policy engine
* Open question:
Should changes to the policy library through the API sync back to the
files in the policy library directory?
* Care must be taken to consider concurrent changes and potential conflicts
from multiple congress server instances.
.. warning:: When Congress server policy engine service is replicated,
different server instances must have the same
policy library files. If not, the library will be populated based on the
an arbitrary combination of the policy files on the different server
* Installation
* Standalone: installer scripts copy the default library directory from the
Congress git repo into /etc/congress/.
* Devstack: same as standalone
Support for using policies from the library
We propose to add all the functionalities required to support the following
workflows for activating a policy from the policy library (i.e., creating an
(active) policy in the policy engine by importing a (inactive) policy from the
policy library).
* Activating a policy from library using CLI/API.
#. Administrator inspects policies in library to find one they want to use.
#. Administrator downloads the relevant policy, in YAML or JSON.
#. Administrator modifies YAML/JSON encoding and uses it as the payload to
create a new policy.
* Activating a policy from library using GUI.
#. Administrator peruses policies in library
#. Administrator clicks on an interesting policy, which brings up a textbox
(or more sophisticated policy editor) to customize.
#. Administrator clicks on a 'Create' button that creates that policy.
Below are the specific functionalities needed to support these workflows.
* A backward compatible change to the policies POST API to allow for a 'rules'
key in the JSON/YAML payload body.
* A new optional parameter to the ``policy create`` CLI command that allows
the administrator to import and activate a policy from a YAML file.
* A new optional parameter to the ``policy create`` CLI command that allows
the administrator to import and activate a policy directly from the policy
library without saving to file.
.. note:: The policy engine rule insert code would require some careful
reworking to ensure policy creation with rules is transactional. That is,
if insertion fails at the third rule (say because of cross-policy
recursion), the first and second rule insertions are undone without having
caused any effect (triggered actions or altered query answers).
Three main things are needed.
* Write to database only after the insertion of all the policy rules have
succeeded in the policy engine.
* Trigger evaluation must be delayed until after all the rules are inserted
* The policy engine must be prevented from answering queries while in the
middle of processing a batch of rule insertions. This can be done either
with locks or by making sure the greenthread executing the batch rule
insertion does not yield.
* A new page in the Horizon GUI where an administrator can perform the
following tasks.
- browse and inspect policies in the policy library
- active (i.e., import to policy engine) a policy from the policy library
- customize a policy in the policy library prior to import
This section discusses several alternative designs and implementation to
various aspects of this proposal.
Policy library strictly external to Congress
* No concept of library in API/data model. The policy library is simply a
directory of files the administrator can import into the policy engine.
* Least development effort.
* Not as usable. Administrator cannot use the existing Congress interface
(CLI/GUI/API) to browse, inspect, customize, and activate policies in the
policy library.
* This version is realized by a subset of the changes proposed in the spec.
This subset should be prioritized in the development to realize the minimal
viable functionality described here.
Policy library directory files as truth
* Instead of database, use the policy files in the policy library directory as
source of truth.
* Complex in error-prone in a setup with multiple policy engines.
* Different model from all the other persisted data in Congress server,
adding more complexity for developers.
Library rules as disabled policy engine rules in the same database table
* Instead of storing the rules in the library policy in a separate logical
repository as well as a separate database table from the active rules in the
rule engine, store all the rules as rules in the rule engine, with an
additional flag indicating which ones are active.
* Complicates the existing data model for rules in the policy engine.
* What is the benefit?
Not applicable.
Policy actions
Not applicable
Data sources
Not applicable.
Data model impact
No impact on existing tables.
One new database tables are needed:
* A ``library_policies`` table to store the policies in the policies library.
Below are the columns.
* ``name =
sa.Column(sa.String(255), nullable=False, unique=True, primary_key=True)``
* ``description = sa.Column(sa.Text(), nullable=False)``
* ``kind = sa.Column(sa.Text(), nullable=False)``
* ``rules = sa.Column(sa.Text(), nullable=False)``
.. note:: Because the rules in the library are accessed at the granularity of
one entire policy, we can improve simplicity and performance by storing the
rules as a text blob instead of as individual rows.
.. warning:: the TEXT type is limited to 2^16 - 1 bytes in length in MySQL.
Very large policies beyond this size are not supported. If this limit turns
out to be too restrictive, MEDIUMTEXT or LONGTEXT type can be forced by
specifying a longer length in the SQL Alchemy column declaration, at the
cost of losing SQLite support (primarily used for unit testing).
Empty tables will be created using sqlalchemy migration scripts. Tables will be
populated by Congress server from policy files in the policy libraries folder.
REST API impact
Policy library methods
* Re-initialize
* Re-initialize policy library from the files in the policy library directory
as set in configuration.
.. warning:: This operation destroys the current content of the policy
* Method type: PUT
* Normal http response code(s): 200
* Expected error http response code(s): 401
* ``/v1/library``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed: Not allowed
* JSON schema definition for the response data if any: None
* List policies
* List metadata for all policies in the library (id, name, desc, number of
* Method type: GET
* Normal http response code(s): 200
* Expected error http response code(s): None
* ``/v1/library``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed: Not allowed
* JSON schema definition for the response data if any:
- !Type:
title: collection of PolicyProperties
type: array
type: object
title: Policy unique name
type: string
required: true
title: Policy description
type: string
required: true
title: Policy kind
type: string
required: true
title: Policy name abbreviation
type: string
required: false
* Show policy
* Show specified library policy (in specified format)
* Method type: GET
* Normal http response code(s): 200
* Expected error http response code(s): 401, 404
* ``/v1/library/<policy-name>``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed: Not allowed
* JSON schema definition for the response data if any:
`Policy full schema`_.
* Create policy
* Create a new policy in library
* Method type: POST
* Normal http response code(s): 200
* Expected error http response code(s): 400, 401, 409
* ``/v1/library``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed:
`Policy full schema`_.
* JSON schema definition for the response data if any:
`Policy metadata schema without UUID`_.
* Update policy
* Update a policy in library
* Method type: PUT
* Normal http response code(s): 200
* Expected error http response code(s): 400, 401, 404, 409
* ``/v1/library/<policy-name>``
* Parameters which can be passed via the url:
* format: {json, yaml} (default is json)
* JSON schema definition for the body data if allowed:
`Policy full schema`_.
* JSON schema definition for the response data if any:
`Policy metadata schema without UUID`_.
* Delete policy
* Delete policy from library
* Method type: DELETE
* Normal http response code(s): 200
* Expected error http response code(s): 401, 404
* ``/v1/library/<policy-name>``
* Parameters which can be passed via the url: None
* JSON schema definition for the body data if allowed: Not allowed
* JSON schema definition for the response data if any: None
Policy engine methods
* Create policy
* Create a policy in policy engine (either from input data or from library)
* Method type: POST
* Normal http response code(s): 200
* Expected error http response code(s): 400, 401, 404, 409
* ``/v1/policies``
* Parameters which can be passed via the url:
* library_policy=<name of policy in library>. This creates the policy
directly from the library policy, without needing body data. A request
where both this parameter and a body data are specified should result in
error 400.
* JSON schema definition for the body data if allowed: `Policy full schema`_.
* JSON schema definition for the response data if any:
`Policy metadata schema with UUID`_.
Common JSON Schemas
Policy metadata schema without UUID
- !Type:
id: PolicyProperties
title: Policy Properties
type: object
title: Policy unique name
type: string
required: true
title: Policy description
type: string
required: true
title: Policy kind
type: string
required: true
title: Policy name abbreviation
type: string
required: false
.. note:: UUIDs are not used for policies in the policy library. The reason
is gets confusing if the UUID is changed when the policy is activated,
but also problematic if the UUID is retained in the activated policy in
policy engine, leading to two different entities sharing the same UUID.
Policy metadata schema with UUID
- !Type:
id: PolicyProperties
title: Policy Properties
type: object
title: UUID for the policy
type: string
required: true
title: Policy unique name
type: string
required: true
title: Policy description
type: string
required: false
title: Policy kind
type: string
required: false
title: Policy name abbreviation
type: string
required: false
Policy full schema
.. note:: It is a design decision that rules in a policy library do not
have IDs and cannot be referred to individually. Policies in the library
are created, updated, or deleted at the level of the whole policy.
- !Type:
id: PolicyProperties
title: Policy Properties
type: object
title: Policy unique name
type: string
required: true
title: Policy description
type: string
required: true
title: Policy kind
type: string
required: true
title: Policy name abbreviation
type: string
required: false
title: collection of rules
type: array
required: true
type: object
id: PolicyRule
title: Policy rule
type: object
title: Rule definition following policy grammar
type: string
required: true
title: User-friendly name
type: string
required: false
title: User-friendly comment
type: string
required: false
Security impact
In general, no major security impact is expected. However, below are some
security considerations.
* If policy library changes are sync'ed back to the policy library directory on
the server, then an attacker who gains administrative privilege to Congress
can also create and modify files in the policy library directory of the
Congress servers.
* The ability to submit multiple rules in a policy creation API can increase
the potential for resource exhaustion attacks.
Notifications impact
No impact
Other end user impact
No impact to existing work flows.
Performance impact
Minimal performance impact expected. Care must be taken to limit the
performance impact of the feature to automatically detect changes in
the policy library folder and update the policy library accordingly.
Other deployer impact
There is minimal negative impact on deployers.
* No existing database table schemas are changed.
* New database tables are used, which would be added by alembic migration
Developer impact
Minimal developer impact.
Assignment to be done on launchpad.
Work items
To be organized on launchpad.
No new dependencies.
In addition to unit tests, straight-forward additions to the tests in
congress_tempest_tests/tests/scenarios/ would
Documentation impact
Minimal impact.
No references.

@ -1,365 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
OpenStack Configuration Files Validation
Congress could be used by cloud operators to formalize the constraints between
options defined in configuration files with the help of business rules written
in Datalog and verify the compliance of their deployments automatically.
It is intended to be complementary to config management systems
that should only create valid configuration files
and to integration tests such as RefStack.
Problem description
Each OpenStack service on each node in parameterized by a set of configuration
files describing the value of the various configuration options. In this
proposal we only consider configuration files managed by the oslo-config
library. Configuration options are not independent:
* Each option value is constrained but the constraints may go beyond the
expressive power of oslo-config type system.
* For a given service on a given node, constraints may exist between different
* On a given node, constraints and incompatibilities may exist between various
options belonging to different services. For example, when a functionality in
a given service depends on the availability of another functionality in
another service.
* Between nodes, other constraints exist either for a given service or between
Constraints may be defined by different actors:
* Service developers know the constraints on the options they define and
usually document them informally in the source code in the description field
associated to the option.
* Cloud integrators will discover additional constraints when they develop
deployment code. Most of the time those options are only implicitly defined
in the source code of the scripts.
* Administrators may want to enforce additional constraints reflecting the
operational environment constraints.
* For companies having multiple instances of OpenStack, rules could be
used to ensure compliance of the instances with their global engineering
* Although OpenStack provides abstractions that hide implementation details
from end-users, some back-ends or some back-end combinations may impose
constraints on what is available to the end-user. When administrators
discover some back-end limitations, it may be useful to add congress rules
reflecting those limitations before a more permanent solution is found.
Datalog could be used as a formal language to describe those constraints and
Congress could be used to enforce those constraints if the configuration files
were available for processing. Although Congress is usually used for more
dynamic data coming from running instances, nothing precludes the use of more
static data sources.
Proposed change
The extension adds a new agent deployed on OpenStack nodes that collect the
configuration files as defined in its own configuration. The agent communicates
with a datasource driver included in the congress analyzer through the
message bus. The agent is configured with its own configuration file describing
the files it transmit (an example configuration file is given in the 'Other
deployer impact' section).
The agent is responsible for conveying information on option values but also on
their meta-data: layout in groups, type, flags such as deprecation, secret
status, etc. Meta-data are described in templates which are in fact
a collection of namespaces. Namespace contain the actual definition of
meta-data. To avoid versionning problems, Meta-data must be obtained directly
from the service.
To limit the amount of traffic between the driver and agents, template files
are hashed. Agents first reply to queries with hashes. The driver will request
the content only if the hash is unknown.
The same process is used for namespaces.
The only processing performed by agents on the option files is the removal of
the values of secret options.
The datasource driver is responsible for populating the extensional database
with information provided by the agents:
* option definitions are extracted from templates and namespaces and translated
in new Datalog tables.
* option values are parsed by the oslo-config library and stored with an
identification of the origin (file and node).
The Datalog model defines several tables:
* hosts
* files
* templates
* namespaces
* option values
The definition of an option is split between three tables:
* The option table defines the mapping between the option id and the fields
that build up the key: name, namespace and group of the option.
* The option_info table defines the type and the flags of the option. It uses
the id defined in the option table to uniquely identify the option.
* Depending on the type of the option, attributes specific to a given type are
defined in a specialized table. The option id is used again as a key to refer
to the option table.
Regarding the uniqueness of configuration meta-data in the extensional
database, the driver must ensure that the ids are deterministic. An option
identified by the same name, same group name and same namespace name should
always be given the same unique id. The use of the MD5 hash function (there is
no cryptographic requirement) guarantees uniqueness and determinism.
Installers usually generate correct set of configuration files for a
more or less extensible set of options but provide little help for live
maintenance of those files. They may also restrict the configuration
space beyond what is necessary.
The proposed change must be considered as a work in progress. It does not fully
address the problem of the location and the management of constraints. Most
constraints are known by the service developers and should be maintained in the
source code of services in a dedicated meta-data field of
the option definition.
The use of an external agent to push a service configuration is not the only
solution. The oslo-config library could be modified to push the configuration
read by the service to the datasource driver. This could be done through
the use of a hook in oslo-config. It would require additional configuration of
the services to identify the endpoint.
We would like to aggregate policy violations in a few tables partitioning
violations by their degree (error, warn, info).
X: neutron-server host
Y: ovs-agt host
Z: lb-agt host
warn('Multinode OVS and linuxbridge use incompatible UDP ports',
'vxlan_conflicting_ovs_lb_udp_ports') :-
vxlan_conflicting_ovs_lb_udp_ports(Y, Z) :-
value(X, 'neutron.conf', 'DEFAULT', 'core_plugin', 'ml2'),
value(X, 'ml2_conf.ini', 'ml2', 'type_drivers', 'vxlan'),
value(X, 'ml2_conf.ini', 'ml2', 'mechanism_drivers', 'openvswitch'),
value(X, 'ml2_conf.ini', 'ml2', 'mechanism_drivers', 'linuxbridge'),
value(Y, 'openvswitch_agent.ini', 'agent', 'tunnel_types', 'vxlan'),
not value(Y, 'openvswitch_agent.ini', 'agent', 'vxlan_udp_port', 8472),
value(Z, 'linuxbridge_agent.ini', 'vxlan', 'enable_vxlan', 'True')
We'd like the 'value' table to be intelligible to most potential contributor,
and also meaningful enough to spare them from predictable joins.
Currently the 'value' table is derived from the extensional tables, which
describe configuration files and their meta-data. Although it is defined
intentionally, it could be useful to consider it as an extensional predicate.
Here is how we derived it:
value(hostname, file, group, name, value) :-
config:option(id=option_id, group=group, name=name),
config:file(id=file_id, host_id=host_id, name=file),
config:host(id=host_id, name=hostname),
config:value(option_id=option_id, file_id=file_id, val=value)
Policy actions
Data sources
The data sources are the different configuration files of OpenStack projects
using the Oslo.config library for their configuration.
Data model impact
REST API impact
Security impact
Configuration files contain sensitive credentials. Those credentials MUST NOT
be transmitted to the Congress engine. The agent has access to types and must
filter out credentials. Values of any option marked as secret will not be
available within the engine.
Notifications impact
Other end user impact
None other than the usual management of the datasource and policy.
Eventually, we would like to feed the engine with rules that are coming from
and maintained in the services source code.
Performance impact
Performance impact should be limited because of the static nature of the values
provided by this datasource.
The main impact is the traffic on the message bus used to exchange
configuration files between agents and Congress server. The server may
rate-limit this traffic. If performance is still a concern, another solution is
to limit the use of the bus to announcement and use a REST endpoint on the
server to record new configuration files.
We give the driver control over the way data is retrieved. We want to prevent
the duplicated sending of files and templates, and to prevent overloading the
driver. When the driver is activated, it periodically notifies agents, over the
communication bus requesting their data description. An agent send description
of the files it has been set to provide. The description contains hashes of
namespaces, templates and configs. The driver then requests the resources,
which hashes have not been recognized.
We use the RPC server of the datasource associated DseNode.
Other deployer impact
We add a dedicated group and options to configure an agent and the
configuration files to manage.
A string option serving as a node id, in a way that is meaningful to
A string option introducing the notion of version and what it would be on this
node. It could be used to discriminate handling of different version of a
config-file coexisting in a cloud instance during a migration.
This information may be provided differently in the future to be defined
at the services level.
An dict option describing the OpenStack services activated on this node. The
values are also dictionaries. Keys are paths to config-files,
values are paths to the associated templates. For instance::
congress: { /etc/congress/congress.conf:
/opt/stack/congress/etc/congress-config-generator.conf }
Example config :
transport_url = rabbit://..@control:5672/
services = nova : { /etc/nova.conf:
version = ocata
host = node_A
Developer impact
Discuss things that will affect other developers working on OpenStack,
such as:
* If the blueprint proposes a change to the driver API, discussion of how
other hypervisors would implement the feature is required.
Primary assignees:
* Valentin Matton
* Pierre Crégut
Work items
* Agent to collect the config files
* Datasource interacting with the agents
* Integration to devstack
We will depend on oslo-config-generator config-files, which can be used to
describe OS services config-files.
We rely extensively on the oslo-config lib.
We propose to use tempest tests in a setting with 2 nodes. One of which hosts
the congress-server and the second an agent. Communications will be tested :
sending of meta-data and files.
Documentation impact
This feature introduces an agent component that requires separate
configuration. It also defines new datasources.

@ -1,314 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
Z3 as an alternative Datalog engine
Z3 is an open source Datalog engine developed by Microsoft.
We propose an extension of Congress that lets the user define
theories (ie. set of rules producing new tables from existing ones
that can be later used by other theories) that will be treated
by the Z3 engine instead of the existing one.
Problem description
A cloud operator may want to check if connectivity exists between two machines
or if they are effectively isolated. This means understanding how traffic is
routed (ie. what are the path the traffic may take) and how security groups and
firewall rules are applied along those path.
Here are the main characteristics needed by the Datalog engine for
solving such problems:
* Recursion: routing packets means building paths (link paths, networks)
and paths are naturally described recursively.
* Efficient representation of IP addresses and IP address ranges as commonly
found in switching devices and firewalls.
* Efficient handling of large volumes of data.
Proposed change
We propose to integrate Z3, Microsoft open-source automatic prover, as an
alternate Datalog engine for Congress.
Z3 theories will be expressed in the same syntax as standard theories.
But the Datalog language supported by these theories will be tailored to what
Z3 supports in Datalog mode:
* different and reduced set of built-ins as explained in the Policy section,
* no modals.
A new kind of theory will be introduced alongside the classical
NonRecursiveTheory. Z3 theories will consume data from
other theories and use the Z3 engine to apply rules.
There will be one single Z3 solver instance per analyzer that will be
abstracted in Python as a Z3 context object. Z3 context will host all tables
of Z3 theories in Z3 format.
Z3 theories should be callable from other theories in particular from
regular non-recursive theories.
Z3 theories can use data from other theories. The external tables used by
Z3 theories will be completely imported in the Z3 context.
Compilation of Z3 theories will be delayed until queries are done on those
theories. We will regularly update the representation of external tables in
the Z3 engine to keep them synchronized. Z3 does not support undoing relations
or rules, so a new context must be created each time a change occurs.
Z3 requires typed data. Type-checking will be completely implicit and we will
not add type-constraints in the language.
The type-checker will preserve the types from external tables. It will raise
an error if a variable should have two different types according to two
different tables.
The type-checker will try to give the most precise type to constants that
appear in Datalog programs to make them compatible with external tables.
For example the value ``Ingress`` is usually typed as a string (``Str`` type)
but in the context of a Neutron security group, it will be given the type
To be able to have two representations for a value, we will introduce
explicit converter built-ins: ``builtin:cast(x, 'Direction', y, 'Str')``
will convert a variable ``x`` of type ``Direction`` in a variable ``y``
of the standard string type. It will be implemented as a table where each
row is a pair of the representations in the two different types of a same
object. Those tables will be filled when constants in programs are compiled
and external tables are imported.
The same trick will be used to have a bit field representation of Ip addresses.
Finally the type-checker should support some kind of generic polymorphism for
built-ins. For example equalities and comparison should work as long as the
compared objects are of the same type, addition of two items belonging to a
given subtype of integers should give back an item in the same subtype. We do
not plan to support user-defined polymorphic tables. For example the following
rule is ill defined: ::
add3(x,y,z,t) :- builtin:plus(x,y,u), builtin:plus(u,z,t)
It may be desirable to have type-constraints in the language to constrain
such variables.
Internal representations
Internally Z3 will use bit-vectors. Integers will be translated in 32 bits
bit-vectors. Strings will be bijectively associated with an integer and
represented by its associated bit-vector.
When possible we will use finer types (enumerations) that require smaller
We could try to rephrase the theories to fit the current engine. For example we
could unroll recursive calls up to a reasonable depth (packets have a TTL).
Unfortunately this solution does not scale well. Unrolling recursive calls
change in fact the overall complexity of the program. Experiments with octant
have shown that some problems that require several minutes of computation with
the current engine can be solved in tenth of seconds with octant.
We could try to incorporate Z3 algorithmic in Congress engine: this would be
time consuming and hazardous. Z3 uses very efficient C++ data structures to
represent tables and more that ten years have been devoted to its development.
We could use another external engine: there may be cases where another Datalog
engine could be a better candidate. The new Congress architecture with explicit
data-type has been designed to let several engines share a same pool of data.
The strong points of Z3 are its overall efficiency and its data-structures
specially crafted for network related problems.
There may be cases where we may wish to have several Z3 contexts with different
settings. Contexts define the variant of the Z3 engine in use and different
theories may benefit from different settings.
Here are the main characteristics of Z3 policies:
* Adds support for recursive rules.
* Support of built-in predicates for equalities / comparison
* Support for basic bit arithmetic (to be used with IP address).
* New built-ins for converting opaque IpAddress to bit fields and IpNetwork
to a pair of bit-fields (mask and address).
* Built-ins to convert a value that exists in different types from one
representation to the other.
The last two kinds of built-ins will in fact be implemented by tables computed
when data-sources and programs are synchronized.
Here is an example of policy that verifies if two networks are connected by
a chain of routers and if VMs are attached to two networks that belong to two
sets of networks that should be kept isolated: ::
connect1(X) :- neutronv2:networks(id=X, name="N1")
connect2(X) :- neutronv2:networks(id=X, name="N2")
linked(X,Y) :-
neutronv2:ports(network_id=X, device_id=Z), neutronv2:routers(id=Z),
neutronv2:ports(network_id=Y, device_id=Z)
path(X,Y) :- linked(X,Y)
path(X,Y) :- path(X,Z), linked(Z,Y)
interco_error(X,Y) :- connect1(X), connect2(Y), path(X,Y)
network1(X) :- connect1(Y), path(Y, X)
network2(X) :- connect2(Y), path(Y, X)
double_attach(X) :-
neutronv2:ports(network_id=X, device_id=Y), network1(Y),
neutronv2:ports(network_id=X, device_id=Z), network2(Z)
Policy actions
None. Z3 theories will not support actions. Support may be added later.
Data sources
Independent from the data-source used.
Data model impact
REST API impact
We may want to move to more atomic definitions of theories. A theory is
a complete program and should be considered as such. Adding and removing
rules on the fly makes compilation and type-checking unnecessarily complex.
Security impact
Notifications impact
Other end user impact
For python-congressclient, when a new theory is created, there is a new
kind alternative: z3.
Performance impact
Well behaved Z3 theories will be much faster than equivalent non-recursive
theories. But programs that require too much computing power may be harder to
abort on the Z3 engine.
Other deployer impact
Z3 is not a pypi package. There is an unofficial z3solver package but it has
some limitations (not an up-to-date version and a version emitting a lot of
spurious messages). For some Linux distributions, there is no pre-compiled
version of Z3 available. Z3 must be compiled from source on those systems.
Due to all these constraints, we have chosen NOT to add z3 as a requirement.
z3theory will be available IF z3 has been deployed on the server hosting
Developer impact
Primary assignee:
Other contributors:
Work items
For Rocky we do not plan to add built-ins. The basic Datalog language is
sufficient for interesting examples.
During Stein iteration, built-ins and the treatment of polymorphism
in the type-checker will be added.
This feature depends on Microsoft theorem prover Z3.
Unit tests will be done with a mock of z3 library.
For integration tests, new settings will be added to devstack so that Z3
can be either installed from source (rather slow) or directly deployed from
a pre-compiled release (only available for Ubuntu 14.04, 16.04 and Debian
8.10). As the python package is deployed globally, tempest may skip Z3 tests
if it cannot import the python package.
Documentation impact
Documentation should at least mention:
* How to enable Z3,
* Z3 theories and the kind of builtins supported,
* Explain the benefit of recusive theories.

@ -1,678 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
Explicit Data Types
In preparation to support more policy engines in addition to the standard
Congress policy engine (e.g., ones based on SQL, influxDB, or Z3), we need
explicit typing of table columns in the data sources and the
data service engine. This spec proposes to support explicit typing, including
custom types, in an extensible, evolutionary, and backwards-compatible manner.
Problem description
Because every rule engine has limits in expressiveness and performance, there
is no one-size-fits-all rule engine that works well for all use cases. For
this reason, Congress was architected from the beginning to support multiple
policy engines in addition to the standard ``agnostic`` engine.
One problem is that Congress deals with untyped table columns, which
conflicts with many candidate bases for policy engines (e.g., SQL, influxDB,
To have an open framework in which multiple policy engines and mulitple
data sources work well together, we need an explicit type system that is
extensible (to fit the particular needs for different data sources and
different policy engines), loosely-coupled (between different data sources and
policy engines), and backwards-compatible with the standard ``agnostic`` engine
and existing data source drivers.
As an illustration of the need for extensibility and loose-coupling, consider
that a SMT-based Z3 prover needs types that are as narrow as possible
(e.g., enum{'ingress', 'egress'}), but another engine does not understand
such narrow types. A data source driver then must specify its types
in a way that works well for both engines.
Proposed change
The basic idea is that we let each data source driver describe its data as
precisely and narrowly as practical using as combination of base types
and custom types.
Then each policy engine is responsible for using that information to represent
the data using its internal representation. A policy engine would likely not
understand every custom type used by a data source driver (especially because
we expect new ones to be introduced over time). To allow a policy engine to
handle custom data types it does not "understand", we require that every
custom data type inherit from another data type, all of which ultimately
inherit from one of the base types all policy engines must handle. That way,
when a policy engine encounters a value of a custom type
it does not understand, the policy engine can fall back to handling the value
according to an ancestor type the engine does understand.
What is a type?
To define what a type is in this spec, we first establish four related
#. *source representation*: the representation used in the data received from
an external source. Each external data source has its own source
representation defined outside of Congress. In an IP address example, one
source could use IPv4 dotted decimal string ``""`` while another
source could use IPv6 (short) hexadecimal string ``"::ffff:100:1"``.
#. *internal representation*: the representation used by a Congress service
(e.g., a policy engine). Each Congress service can use a different internal
representation. For example, the IP address may be represented as a string
in one engine, as an integer another engine, and as a bit-vector in yet
another engine.
#. *exchange representation*: the representation used as the data is published
and received among Congress services. In the IP address example, this could
be the integer ``0x01000001``.
Data is received from an external data source in the form of the
*source representation*. The data source driver converts from the source
representation to the *exchange representation* before publishing the data to
Congress services such as the policy engine. A Congress service such as a
policy engine will process the data and use some form of
*internal representation* for storing the data for future use.
The primary purpose of a Congress data type is to be an exchange format
specification used between the various Congress data sources and services each
with their own representations. The developers of each Congress service
can use the Congress data type of a piece of data or a table column to
know what exchange format to expect and what is being represented. For this
purpose, a Congress data type can be thought of as a tag associated with each
piece of data or table column.
As a secondary convenience, each Congress data type also provides helpful
methods for processing a value of that type. At a minimun, the Congress
data type would provide a method for validating a value as valid for that
Finally, the entire collection of Congress data types cannot be anticipated
upfront. So it is impractical for each Congress data consumer to be programmed
to recognize and handle every Congress data type. We need a more structured
and extensible collection of "tags". We organize the Congress data types
in an is-a hierarchy. First there are a number of base types which all
Congress data consumers must recognize and handle. All additional non-base
types inherit from a base type or another non-base type in a well-founded
hierarchy. Then, each data consumer can handle all data types simply by
treating each piece of data according to its base type. Optionally, a data
consumer can add special handling of certain non-base types.
As an example of inheritance, the IP address type could inherit from the
general string type so that policy engines which do not specifically
handle the IP address type will handle the data as a general string.
Putting all three of the above pieces together, we define a Congress data type
as a subclass of the following ``CongressDataType`` abstract base class.
.. code-block:: python
class CongressDataType(object):
def validate(cls, value):
'''Validate a value as valid for this type.
:Raises ValueError: if the value is not valid for this type
raise NotImplementedError
def _get_parent(cls):
congress_parents = [parent for parent in cls.__bases__
if issubclass(parent, CongressDataType)]
if len(congress_parents) == 1:
return congress_parents[0]
elif len(congress_parents) == 0:
raise cls.CongressDataTypeNoParent(
'No parent type found for {0}'.format(cls))
raise cls.CongressDataTypeHierarchyError(
'More than one parent type found for {0}: {1}'
.format(cls, congress_parents))
.. important::
These classes are not expected to be instantiated as wrapper objects, but
they merely act as organizing units of these class methods that serve to
describe and manipulate the values as well as encode the data type hierarchy.
The reason why classes are used is two fold.
1. The Python inheritance hierarchy is a convenient way to declare and access
the relationship between the Congress data types. Each non-root concrete
subclass (A) of CongressDataType inherits from exactly one other concrete
subclass (B) of CongressDataType to encode that (A) is a subtype of (B)
in the data type hierarchy. A concrete subclass of CongressDataType may
inherit from multiple parent Python classes, but among the parents there
must not be more than one subclass of CongressDataType.
2. Python inheritance makes it convenient for a Congress data type to reuse
the code in a parent Congress data type.
Further details
Specification of data types
Data source drivers may optionally specify explicit data types in its
value translator definition. The data service base class attaches data type
information (table schema) in each table publish.
For flexibility and backwards-compatibility, an explicit type is not required
for every column.
The standard ``agnostic`` engine handles untyped table columns.
Other policy engines may or may not handle untyped tables columns.
When a policy engine that requires typing receives untyped data, the policy
engine may either reject the data or impose typing.
Below is a sample translator definition showing how the explicit data types
could be specified for the ``flavors`` table in the Nova data source driver.
.. code-block:: python
flavors_translator = {
'translation-type': 'HDICT',
'table-name': FLAVORS,
'selector-type': 'DOT_SELECTOR',
({'fieldname': 'id', 'desc': 'ID of the flavor',
'translator': {'translation-type': 'VALUE',
'data-type': CongressStr}},
{'fieldname': 'name', 'desc': 'Name of the flavor',
'translator': {'translation-type': 'VALUE',
'data-type': CongressStr}},
{'fieldname': 'vcpus', 'desc': 'Number of vcpus',
'translator': {'translation-type': 'VALUE',
'data-type': CongressInt}},
{'fieldname': 'ram', 'desc': 'Memory size in MB',
'translator': {'translation-type': 'VALUE',
'data-type': CongressInt}},
{'fieldname': 'disk', 'desc': 'Disk size in GB',
'translator': {'translation-type': 'VALUE',
'data-type': CongressInt}},
{'fieldname': 'ephemeral', 'desc': 'Ephemeral space size in GB',
'translator': {'translation-type': 'VALUE',
'data-type': CongressInt}},
{'fieldname': 'rxtx_factor', 'desc': 'RX/TX factor',
'translator': {'translation-type': 'VALUE',
'data-type': CongressFloat}})
Union of types
When a policy engine derives a new table out from existing tables, it create
a table column which contains data from more than one type. In these cases,
the new column shall be typed as the least common ancestor type of all the
constituent data types. To ensure that a least common ancestor type always
exists, we establish the Congress string type as the root parent of all the
other types.
Types hierarchy
This spec proposes a flexible and extensible type framework. The precise
collection of types would be decided in implementation patches and also
evolved over time. As point of reference, we provide below a sample hierarchy
of types below. (Items enclosed in are abstract categories of types.)
- string
- [bounded length sting]
- string of length up to N
- [string enumerations]
- boolean
- network direction (ingress and egress)
- [fixed length string]
- string of length N
- decimal (fixed precision rational number represented as a string)
- integer
- [integer enumerations]
- integer between A and B
- short integer
- floating point
- IP address
Data types sample code
Sample code for a few selected data types are included here for reference.
.. code-block:: python
class CongressStr(CongressDataType):
'''Base type representing a string.
Sample implementation only. Final implementation needs to deal with
nullability, unicode, and other issues.'''
def validate(cls, value):
if not isinstance(value, six.string_types):
raise ValueError
class CongressBool(CongressStr):
def validate(cls, value):
if not isinstance(value, bool):
raise ValueError
class CongressIPAddress(CongressStr):
def validate(cls, value):
except ipaddress.AddressValueError:
ipv6 = ipaddress.IPv6Address(value)
if ipv6.ipv4_mapped:
# as a design decision in standardized format
# addresses in ipv4 range should be in ipv4 syntax
raise ValueError
except ipaddress.AddressValueError:
raise ValueError
Abstract categories of data types
Sometimes, a collection of types all follow a certain pattern. In these
cases, we can provide a framework for creating and handling these types in
a more generic way.
For example, many types are characterized by a fixed, finite domain of strings.
In such cases, we can provide a type factory for creating types in this space.
The following is a sample implementation for a type factory function for
a fixed, finite domain of strings.
In addition, we can also provide a mix-in abstract base class that data
consumers can use to handle the data in a more generic way. In this case,
the abstract base class ``CongressTypeFiniteDomain`` stipulates that
each type inheriting from this class must have a class variable DOMAIN
which is a frozenset of the set of values allowed in the type.
A data consumer may use this information to handle the value in a generic
way without recognizing the specific concrete type used.
Sample code included below for reference.
.. code-block:: python
class CongressTypeFiniteDomain(object):
'''Abstract base class for a Congress type of bounded domain.
Each type inheriting from this class must have a class variable DOMAIN
which is a frozenset of the set of values allowed in the type.
def create_congress_str_enum_type(class_name, enum_items):
'''Return a sub-type of CongressStr for representing a string from
a fixed, finite domain.'''
for item in enum_items:
if not isinstance(item, six.string_types):
raise ValueError
class NewType(CongressStr, CongressTypeFiniteDomain):
DOMAIN = frozenset(enum_items)
def validate(cls, value):
if not value in cls.DOMAIN:
raise ValueError
NewType.__name__ = class_name
return NewType
As an example, a particular data source driver dealing with firewall rules may
use the factory function to create a custom type as follows.
.. code-block:: python
NetworkDirection = create_congress_str_enum_type(
'NetworkDirection', ('ingress', 'egress'))
Converting to ancestor types
Generally, each descendent type value is directly interpretable as a value
of an ancestor type. Ideally, every policy engine would recognize and support
The only exception is that values of the non-string types
inheriting from CongressStr need to be converted to string to be interprable
as a value of CongressStr type.
The CongressDataType abstract base class can include additional helper methods
to make the interpretation easy. Below is an expanded
CongressDataType definition including the additional helper methods.
.. code-block:: python
class CongressDataType(object):
def validate(cls, value):
'''Validate a value as valid for this type.
:Raises ValueError: if the value is not valid for this type
raise NotImplementedError
def least_ancestor(cls, target_types):
'''Find this type's least ancestor among target_types
This method helps a data consumer find the least common ancestor of
this type among the types the data consumer supports.
:param supported_types: iterable collection of types
:returns: the subclass of CongressDataType
which is the least ancestor
target_types = frozenset(target_types)
current_class = cls
while current_class not in target_types:
current_class = current_class._get_parent()
return current_class
except cls.CongressDataTypeNoParent:
return None
def convert_to_ancestor(cls, value, ancestor_type):
'''Convert this type's exchange value
to ancestor_type's exchange value
Generally there is no actual conversion because descendant type value
is directly interpretable as ancestor type value. The only exception
is the conversion from non-string descendents to string. This
conversion is needed by Agnostic engine does not support boolean.
.. warning:: undefined behavior if ancestor_type is not
an ancestor of this type.
if ancestor_type == CongressStr:
return json.dumps(value)
return value
def _get_parent(cls):
congress_parents = [parent for parent in cls.__bases__
if issubclass(parent, CongressDataType)]
if len(congress_parents) == 1:
return congress_parents[0]
elif len(congress_parents) == 0:
raise cls.CongressDataTypeNoParent(
'No parent type found for {0}'.format(cls))
raise cls.CongressDataTypeHierarchyError(
'More than one parent type found for {0}: {1}'
.format(cls, congress_parents))
class CongressDataTypeNoParent(TypeError):
class CongressDataTypeHierarchyError(TypeError):
Re-imposing types
(Potential future work included here for reference.)
Policy engines may publish data for consumption by other policy engines.
When a policy engine (e.g., Z3) with narrower types publish to another policy
engine (e.g., Congress agnostic) with
unfixed types or broader types, the handling is natural. When the reverse
situation happens, the receiving policy engine may be unable to handle the
As future work, the publishing policy engine can optionally infer and
re-impose narrower types where possible.
Also as future work, policy engines that require narrower types can employ
an additional import construct that imposes narrower types on the tables they
subscribe to from other policy engines.
In this section we discuss a few ways alternative proposals may deviate from
this spec.
#. Require that all policy engines support untyped data.
This alternative would rule out many top candidates for policy engines
(e.g., SQL-based, influxDB-based, Z3-based).
#. Use a fixed set of types all data sources and all policy engines use.
A fixed set of types should be a first candidate because it is the simplest
approach. Unfortunately, it is impossible to anticipate all the types
needed. Whenever a new policy engine is added, distinctions that may not
have mattered before becomes critical. For example, without an SMT-based
engine such as Z3, string enum types are not so important to distinguish
from general string types. So when a Z3 engine is introduced, we then need
to 1) create new types, 2) update data source drivers to specify using the
new types, and 3) update the existing policy engines to handle the new
The decoupled and extensible approach proposed in this spec provides for a
much smoother way to evolve the types. Each data source driver specifies
types as narrowly as practical, without regard to what the policy engines
want. Each policy engine can then make use of the type information as much
or as little as needed to map data to its own internal representations.
So when new types, new data source drivers, or new policy engines are
introduced, none of the existing code need to change.
#. Instead of specifying types in the data publisher, let types be imposed
exclusively in the data consumer.
This alternative is helpful when a fixed data type cannot be obtained from
the data publisher (see point 5 in the section above). When a data
source/publisher does have information on a fixed data type (inferred from
fixed data types defined in code), it is better to avoid the unnecessary
operational burden of the operator having to define data types at the point
of consumption.
#. Instead of requiring that each value of a child type be directly
interpretable as a value of a parent type, allowing a conversion between
child and parent can give more flexibility to choose the exchange
representation that best fits a particular type, independently of
the type's parent type. For example, an IP address can be represented
as a single integer value instead of as a string.
The increase flexibility could be useful, but so far has not proven to be
Not applicable.
Policy actions
Not applicable.
Data sources
Each data source driver may optionally specify data types in its value
translator. Data source drivers can be updated with explicit types as needed
by new use cases and new policy engines.
See section `Specification of data types`_ for additional details.
Data model impact
No impact on Congress's data model as defined in congress/db/
REST API impact
No impact on REST API.
Security impact
There is little new security impact. Because new/custom types include
new/custom data handling methods, it does theoretically increase the attack
surface. Care needs to be taken to make sure the data handling methods are safe
against malformed or possibility malicious input. There are well-known best
practices to minimize such risks.
Notifications impact
No impact.
Other end user impact
No immediate impact on end users. This spec can indirectly benefits end
users through the additional policy engines made possible.
All existing behaviors and workflows are preserved.
Performance impact
The data and memory impact is expected to be minimal because the data is stored
and transmitted in primitive form without the overhead of custom objects.
The other main performance impact is the treatment of a piece of data as an
ancestor type.
Identifying the least ancestor type by tracing up the type hierarchy. Done
on a per-column basis, this step has negligible performance cost because the
type hierarchy is shallow and because each type has at most one ancestor. The
tracing up has worst case running time linear in the depth of the type
(See `Converting to ancestor types`_ for sample
Other deployer impact
No direct impact on deployers. This spec can indirectly benefits end
users through the additional policy engines made possible.
All existing behaviors and workflows are preserved.
Developer impact
No significant changes are forced on a developer. Use of type information by
a policy engine is optional. Specification of type information in a data source
driver is also optional.
Individual tasks will be picked up and tracked on launchpad. Primary contact is
ekcs <>.
Work items
- Minimal implementation.
- Abstract base class for type
- Primitive types
- Data Service Engine (DSE) changes to store and convey (optional) type
information on columns.
- Further implementation. These further implementations are optional and can be
done in an incremental fashion as needed by use cases.
- Adding type information to data source drivers.
- Standard policy engine (Agnostic) changes to use type information.
- Extended types (e.g., IP address)
- Categories of types (e.g., fixed enumeration of strings)
- Framework for loading custom types defined in data source drivers
- Inference and re-imposition of types when a policy engine publishes tables
- Subscriber-end imposition of additional type information
No notable external dependencies.
The incorporation of additional type information in the data service engine
will primarily tested through unit tests in the style of the existing tests in
When a data source driver is updated to include additional type information,
additional checks on the type information can be naturally added to the
existing tempest tests that compares an independently obtained service state
to the state obtained by the data source driver and translated into tables.
Documentation impact
No direct impact.
A relevant type system for a Z3-based datalog solver:

View File

@ -1,511 +0,0 @@
This work is licensed under a Creative Commons Attribution 3.0 Unported
Experimental component for a JSON data model
The translation from JSON source data to tabular Congress data places the
limited resources of Congress developers in the way of the Congress users
having the flexibility to quickly try/use any data source and data field as
the need arises in their policy use cases. This spec is a proposal to
experiment with removing the translation step, thus retaining the source JSON
data model, as a promising way to overcome the limitation.
Problem description
In cloud computing, most of the source data is JSON. In the Congress model,
the developers carefully understand and curate the source data to develop the
data source drivers that make the data available to end users in table form.
The translation into table model has the advantage of presenting a simpler
and more consistent data model to the user writing policy on the data.
However, with so many sources of data out there and new data being added to
existing sources through frequent microversions (e.g., Nova), it is impossible
for Congress developers to anticipate and keep up with all the data sources or
even all the data fields in a given data source the end users desire.
It often happens that as the user writes policy, the user finds out that
additional data fields or sources are needed for the policy. In that case,
the user needs to contact upstream developers, wait for them to add the data
fields or sources, then wait for the new release, then upgrade to the latest
release. All this before the end user can even test out the desired policy.
In order to better support those operators who have rapidly emerging and
evolving use cases, we need to experiment with an additional model: remove
translation and developer curation from the loop, allowing users to integrate
new data sources without code change.
Proposed change
Create an experimental component of Congress (tentatively congress-json)
to allow writing policy over json data stored in PostgreSQL json data model.
Congress-CloudState would ingest the source data mostly as-is, in JSON format,
into a PostgreSQL database using the JSONB column type in PostgreSQL. The
`PostgreSQL JSON syntax
(see the policy_ section for examples) would allow for rules (SQL views) to
operate directly over the JSON data.
Because no translation is needed, new data sources can be configured without
code change. For example, the following sample YAML config file configures
Congress-CloudState to poll the nova endpoint. It tells Congress-CloudState to
poll the path servers/detail, extract the results using the jsonpath
expression ``$.servers[:]``, and finally populate the nova.servers table with
the results.
name: nova
poll: 60
type: keystone_password
user: congress_access
password: secret
api_path: servers/detail
api_verb: get
jsonpath: $.servers[:]
The architecture is fairly simple. Congress-CloudState has two major
- The data ingestor polls the cloud services via API and populates the
database with the data. The ingestor also accepts webhook notifications.
- The executor reads from the database to determine what actions to execute,
then calls the appropriate APIs in the cloud services to execute the
The users mostly interact directly with the database to add/remove policy
rules and query policy results.
The following diagram shows the high level components and flow of data.
| Cloud Services |
| |
| |
+------v--------+ +---------------+ +----------------+
| Congress-JSON | | | | Congress-JSON |
| Data Ingestor +----> PostgreSQL +----> Executor |
| | | | | |
+---------------+ +----------^----+ +----------------+
| |
| |
| |
| Users |
| |
- Very easy to add new data source because no translation is required. This
`blog post
has more discussion of the pros and cons of the approach (schema-on-read).
- No code change and release needed to consume a new field in a new API
microversion. The operator simply changes the desired microversion in
Congress-CloudState configuration.
This `patch <>`_ is a recent
example of how much time and work it takes to consume a new field previously
not included by Congress, not to mention the delay for users waiting for a
new release to consume a new field.
- Much is available in the way of editors, debuggers, tutorials, and online
help for PostgreSQL language, making it easy for new users to write
- PostgreSQL has `JSON indexing support
which allows for a wide class of performant queries.
- Directly make changes to Congress agnostic policy engine to support JSON data
- Here is a rough estimate of the work required to implement similar
functionality in Congress itself.
- Design a new version of Datalog language to support JSON. This step is
hard. As of now, there is no concensus in the Datalog community on how
best to do this.
- Major changes to congress/datalog/* to process the new language.
- Major changes to the policy engine to support the new language.
- Changes to congress/dse2/* to accommodate JSON data.
- Instead of attempting all the work outlined above, we propose to create
a very simple new component which leverages PostgreSQL allow policy over
JSON data.
If the approach proves successful, a decision could be made in the future
to allow congress-json to be used as a tool for extracting from JSON data
the table data needed by other parts of Congress (e.g., agnostic, z3).
- Homegrow a policy engine supporting JSON data rather than use one
- It would take a tremendous amount of unnecessary development and
maintenance work.
- Choose a datastore other than PostgreSQL
- The following are the major requirements for the datastore
- JSON data support
- Widely-adopted declarative language
- Performant (off-key) join
- Support for rules (views)
- Transactional write
- Strong open source community with appropriate licensing
- Highly-available deployment option
- Fine-grained permissions
- Most of the well-known NoSQL solutions do not provide performant off-key
- MySQL/MariaDB has support for JSON data but limited indexing support
(typically requiring the indexed value be declared as a virtual column)
- Among all the options evaluated, PostgreSQL best satisfies the
requirements, with the following notable features:
- Flexible indexing for JSONB data type supporting performant off-key
- Very strong open source community with permissive license
- A wealth of (first party and third party) tools and online knowledge for
learning, query writing, query debugging, and performance-tuning
- A flexible and expressive permissions system
- We propose to start with PostgreSQL, while leaving the option open to add
support for other datastores down the road through a plugin architecture.
Here we give several examples to demonstrate how policy and rules would be
created. Each interaction is shown in both classic Congress interaction as
well as Congress-CloudState interaction for readers understanding.
Sample data
The nova.servers table is the collection of all the JSON documents
representing servers, each document in a row with a single column d containing
the document. Each server is represented by a JSON document as supplied by
Novas list servers (detailed) API. Here is a simplified version of a sample
JSON document representing a Nova server (the UUIDs have been replaced with
more readable strings for ease of illustration):
"name":"server 134",
"flavor": {
"disk": 1,
"ephemeral": 0,
"extra_specs": {
"hw:cpu_policy": "dedicated",
"hw:mem_page_size": "2048"
"original_name": "m1.tiny.specs",
"ram": 512,
"swap": 0,
"vcpus": 1
Example 1
- Create policy (schema).
- Congress syntax:
congress policy create vm_error
- Congress-CloudState equivalent:
CREATE SCHEMA vm_host_down;
- Create policy rule (view) identifying those servers whose host is down.
- Congress syntax:
congress policy rule create vm_host_down '
error(server_id) :-
nova:servers(id=server_id, host_id=host_id),
nova:hypervisors(id=host_id, state="DOWN")'
- Congress-CloudState equivalent:
CREATE VIEW vm_host_down.error AS
SELECT d->>'id' AS server_id
FROM nova.servers
WHERE d->>'host_status' = 'DOWN';
- Note on syntax: the :code:`->>` operator accesses the content of a JSON
object field and returns the result as text.
- Query the results in the policy table.
- Congress syntax:
congress policy row list vm_host_down error
- Congress-CloudState equivalent:
SELECT * FROM vm_host_down.error;
- Create policy rule (view) identifying 'critical'-tagged servers whose host
is down.
- Congress syntax:
congress policy rule create vm_host_down '
critical(server_id) :-
nova:servers(id=server_id, host_id=host_id),
nova:hypervisors(id=host_id, state="DOWN"),
nova:tags(server_id=server_id, tag="critical")'
- Congress-CloudState equivalent:
CREATE VIEW vm_host_down.critical AS
SELECT d->>'id' AS server_id
FROM nova.servers
WHERE d->>'host_status' = 'DOWN'
AND d->'tags' ? 'critical';
- Note on syntax:
- The :code:`->` operator accesses the content of a JSON object field
and returns the result as JSON. In this example, :code:`d->'tags'`
returns the array of tags associated with each server.
- The :code:`?` operator checks that a string is a top-level key/element
in a JSON structure. In this example, the
:code:`d->'tags' ? 'critical'` condition checks that the string
'critical' is in the array of tags retrieved by :code:`d->'tags'`.
Example 2
- Create policy (schema).
- Congress syntax:
congress policy create production_stable
- Congress-CloudState equivalent:
CREATE SCHEMA production_stable;
- Create policy rule (view) identifying production servers using an unstable
- Congress syntax:
congress policy rule create production_stable '
error(id) :-
nova:servers(id=id, image=image_id),
nova:tags(id=id, tag="production"),
glance:tags(image_id=image_id, tag="unstable")'
- Congress-CloudState equivalent:
CREATE VIEW production_stable.error AS
SELECT server.d->>'id' AS server_id,
image.d->>'id' AS image_id
FROM nova.servers server
JOIN glance.images image
ON server.d->'image'->'id' = image.d->'id'
WHERE (server.d->'tags' ? 'production')
AND (image.d->'tags' ? 'unstable');
- Note on syntax: the join-condition
:code:`server.d->'image'->'id' = image.d->'id'` matches the glance image
with the server whose image ID matches the glance image ID.
Example 3
This example illustrates that accessing deeply nested data can be relatively
The following view (rule) identifies all the servers using a flavor with cpu
policy 'dedicated'. Despite the information being buried several layers deep,
it is relatively straightforward to access simply by following the structure.
CREATE VIEW dedicated_servers AS
FROM nova.servers
WHERE d -> 'flavor' -> 'extra_specs' ->> 'hw:cpu_policy' = 'dedicated';
Policy actions
Policy actions would work similarly to agnostic engine.
The policy writer would define a policy rule (view) specifying in each row
what action to call on which service using what parameter values.
As in agnostic engine, the new component would query the 'execute' table and
then call the appropriate client/API methods according to the rows in the
'execute' table of each policy.
Data sources
A new type of data source is introduced which is configured through YAML files
and stores data in the original JSON format without translation.
Data model impact
No impact on the data model.
REST API impact
Minimal REST API impact. The webhook model for accepting webhooks is naturally
extended to the JSON data sources when configured.
Security impact
No security impact when the experimental component is not explicitly.
When enabled, there is an additional data access which would be protected by
PostgreSQL permissions set up by Congress.
Notifications impact
No impact.
Other end user impact
End users will have the option of using the well-known
PostgreSQL syntax to write policy directly on the source data format,
having direct access to all the source data fields.
Performance impact
Preliminary performance testing on 100,000 records show adequate performance
on both data ingestion and query evaluation. If a query performance issues
does arise, there is a wealth of tools and knowledge for tuning query
performance in PostgreSQL.
Other deployer impact
Additional config/commandline options to control the deployment of the new
experimental component.
Developer impact
congress-json is expected to be a very simple component. As a result,
congress-json is expected to require very minimal maintenance from
Primary assignee: ekcs
Others welcome to pick up tasks.
Work items
- Database initializer
- JSON-postgres data source driver
- Integration testing
The only major new dependency is PostgreSQL, which is already used in
OpenStack deployments. Version 9.4 or higher required (Ubuntu xenial comes with
9.5). It affects only those enabling the experimental new component.
Simple tempest scenarios for the new component. They may piggyback on the
existing congress-tempest-postgres jobs.
Documentation impact
Standard documentation expected for the new component.
* `Schema-on-read pros and cons
* `PostgreSQL JSON operators and functions
* `PostgreSQL JSON syntax cheat sheet
* `JSON indexing support

