Update README, fix formatting in tutorial

* README.rst: Add ceilometer and swift services config.

contrib/devstack/
* README.rst: Remove file, to avoid duplication of contents in
  congress/README.rst.

doc/source/
* tutorial-tenant-sharing.rst: Update URL to devstack steps. Fix lines past 79
  characters. Fix preformatted blocks.

Change-Id: Icd2c78d805fa6baadac74c7cb73b5478024a38bc
Janet Yu 2014-11-21 17:17:29 -08:00
parent 58d10be4d6
commit c189adb33b
3 changed files with 109 additions and 128 deletions


@ -103,17 +103,15 @@ To install, make sure you have *git* installed. Then::
$ ./prepare_devstack.sh
Configure ENABLED_SERVICES in the devstack/localrc file ::
Configure ENABLED_SERVICES in the devstack/localrc file::
ENABLED_SERVICES=g-api,g-reg,key,n-api,n-crt,n-obj,n-cpu,n-sch,n-cauth,horizon,mysql,rabbit,sysstat,cinder,c-api,c-vol,c-sch,n-cond,quantum,q-svc,q-agt,q-dhcp,q-l3,q-meta,q-lbaas,n-novnc,n-xvnc,q-lbaas
ENABLED_SERVICES=g-api,g-reg,key,n-api,n-crt,n-obj,n-cpu,n-sch,n-cauth,horizon,mysql,rabbit,sysstat,cinder,c-api,c-vol,c-sch,n-cond,quantum,q-svc,q-agt,q-dhcp,q-l3,q-meta,q-lbaas,n-novnc,n-xvnc,q-lbaas,ceilometer-acompute,ceilometer-acentral,ceilometer-anotification,ceilometer-collector,ceilometer-alarm-evaluator,ceilometer-alarm-notifier,ceilometer-api,s-proxy,s-object,s-container,s-account
Run devstack as normal. Note: the default data source configuration assumes
the admin password is 'password'::
Run devstack as normal. Note: the default data source configuration assumes the
admin password is 'password'::
$ ./stack.sh
4.2 Standalone-install
----------------------
Install the following software, if you haven't already.
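Review bot: the new ENABLED_SERVICES line still lists q-lbaas twice (once after q-meta and again after n-xvnc), carried over from the old line; drop the duplicate while the line is being touched. The sentence that the default data source configuration assumes the admin password is 'password' would also be clearer if it said this is a devstack-only default, since this README is now the one the tutorial links to.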


@ -1,20 +0,0 @@
The contrib/devstack/ directory contains the files necessary to integrate Congress with devstack.
To install, make sure you have *git* installed. Then::
$ git clone https://git.openstack.org/openstack-dev/devstack
(Or set env variable DEVSTACKDIR to the location to your devstack code)
$ wget http://git.openstack.org/cgit/stackforge/congress/plain/contrib/devstack/prepare_devstack.sh
$ chmod u+x prepare_devstack.sh
$ ./prepare_devstack.sh
Run devstack as normal::
$ ./stack.sh
Note: The recommended ENABLED_SERVICES one should use contains the following options
so that congress can interface with nova, neutron, and ceilometer:
ENABLED_SERVICES=g-api,g-reg,key,n-api,n-crt,n-obj,n-cpu,n-sch,n-cauth,horizon,mysql,rabbit,sysstat,cinder,c-api,c-vol,c-sch,n-cond,quantum,q-svc,q-agt,q-dhcp,q-l3,q-meta,q-lbaas,n-novnc,n-xvnc,q-lbaas,ceilometer-acompute,ceilometer-acentral,ceilometer-anotification,ceilometer-collector,ceilometer-alarm-evaluator,ceilometer-alarm-notifier,ceilometer-api
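Review bot: the deleted README is the only place in this diff that shows the DEVSTACKDIR hint and the `wget http://git.openstack.org/cgit/stackforge/congress/plain/contrib/devstack/prepare_devstack.sh`, `chmod u+x`, `./prepare_devstack.sh` steps; the hunk in congress/README.rst starts at `./prepare_devstack.sh`, so please confirm the fetch step and the DEVSTACKDIR note survived there. If they did, the download URL should use https rather than http, because the script is executed immediately after it is fetched.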


@ -32,13 +32,14 @@ The first step is to install and configure Devstack + Congress:
1) Install Devstack and Congress using the directions in the following
README. When asked for a password, type "password" without the quotes.
https://github.com/stackforge/congress/blob/master/contrib/devstack/README.rst
https://github.com/stackforge/congress/blob/master/README.rst#41-devstack-install
2) Change OS_USERNAME to "admin" in both nova and neutron::
/etc/congress/datasources.conf
3) Change auth_strategy from "keystone" to "noauth" in /etc/congress/congress.conf
3) Change auth_strategy from "keystone" to "noauth" in
/etc/congress/congress.conf
4) Restart congress-server::
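Review bot: step 3 switches auth_strategy from "keystone" to "noauth", which is what lets the later `curl ... localhost:1789` calls work without a token; while the line is being rewrapped, it would help to state that this is a tutorial/devstack-only setting and that keystone should be restored afterwards. The new README link relies on the GitHub-generated anchor `#41-devstack-install`, which breaks if the "4.1 Devstack-install" heading is renumbered.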
@ -61,11 +62,12 @@ network and subnet owned by the "admin" tenant, a port owned by the
$ cd /opt/stack/congress
6) Login as the admin tenant.::
6) Login as the admin tenant::
$ source ~/devstack/openrc admin admin
7) Create a network called "network-admin". Note this is owned by the admin tenant. ::
7) Create a network called "network-admin". Note this is owned by the admin
tenant::
$ neutron net-create network-admin
Created a new network:
@ -82,7 +84,8 @@ network and subnet owned by the "admin" tenant, a port owned by the
| tenant_id | 7320f8345acb489e8296ddb3b1ad1262 |
+-----------------------+--------------------------------------+
8) Create a subnet called "subnet-admin". Noce this is owned by the admin tenant.::
8) Create a subnet called "subnet-admin". Note this is owned by the admin
tenant::
$ neutron subnet-create network-admin 2.2.2.0/24 --name subnet-admin
Created a new subnet:
@ -133,7 +136,8 @@ network and subnet owned by the "admin" tenant, a port owned by the
$ PORT_ID=`grep " id " port-create.log | awk '{print $4}'`
10) Create vm named "vm-demo" with the newly created port. The vm is owned by the demo tenant::
10) Create vm named "vm-demo" with the newly created port. The vm is owned by
the demo tenant::
$ nova boot --image cirros-0.3.2-x86_64-uec --flavor 1 vm-demo --nic port-id=$PORT_ID
+--------------------------------------+----------------------------------------------------------------+
@ -192,48 +196,49 @@ At this point, demo's vm exists and its port is connected to an
network belonging to admin. This is a violation of the policy. Now
you will add the congress policy to detect the violation.
12) Add a rule that detects when a VM is connected to a port belonging to a different group::
12) Add a rule that detects when a VM is connected to a port belonging to a
different group::
CongressClient:
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | 3417bf64-af59-4cb3-ade5-66b6152b158a |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id, tenant_id2)" |
| | |
+---------+----------------------------------------------------------------------------------------+
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2)"
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | 3417bf64-af59-4cb3-ade5-66b6152b158a |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id, tenant_id2)" |
| | |
+---------+----------------------------------------------------------------------------------------+
or
or::
$ curl -X POST localhost:1789/v1/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "}'
{"comment": null, "id": "869e6a85-43ed-49fd-9fd7-f649d9c06fc2", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2)"}
13) Add a rule that detects when a port is connected to a network belonging to a different group::
13) Add a rule that detects when a port is connected to a network belonging to
a different group::
CongressClient:
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3)"
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | de1f2024-e829-456c-91e1-1e68fb2dadd2 |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id2, tenant_id3)" |
| | |
+---------+----------------------------------------------------------------------------------------+
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | de1f2024-e829-456c-91e1-1e68fb2dadd2 |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id2, tenant_id3)" |
| | |
+---------+----------------------------------------------------------------------------------------+
or
or::
$ curl -X POST localhost:1789/v1/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "}'
{"comment": null, "id": "6871ef89-4bec-4b47-ad2f-b71788e9d400", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id2, tenant_id3)"}
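Review bot: the step 13 rule strings were not normalised the way step 12's were: `k3) , not same_group` keeps a space before the comma in both the openstack line and the curl body, and the openstack line keeps a trailing space inside the quotes (`tenant_id3) "`), whereas step 12 dropped both. Separately, the step 13 text says the rule detects a port connected to a network of a different group, but the body still joins `nova:servers(device_id, ...)`, so a port with no attached server never yields an `error(name2)` row; either the description or the rule should reflect that.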
@ -241,67 +246,64 @@ you will add the congress policy to detect the violation.
14) Define a table mapping a tenant_id to any other tenant in the same group::
CongressClient:
$ openstack congress policy rule create classification "same_group(x, y) :- group(x, g), group(y, g)"
+---------+--------------------------------------+
| Field | Value |
+---------+--------------------------------------+
| comment | None |
| id | 7e2e3ec1-73db-4293-859f-fc0818e3b693 |
| rule | "same_group(x, y) :- |
| | group(x, g |
| | group(y, g)" |
| | |
+---------+--------------------------------------+
$ openstack congress policy rule create classification "same_group(x, y) :- group(x, g), group(y, g) "
+---------+--------------------------------------+
| Field | Value |
+---------+--------------------------------------+
| comment | None |
| id | 7e2e3ec1-73db-4293-859f-fc0818e3b693 |
| rule | "same_group(x, y) :- |
| | group(x, g |
| | group(y, g)" |
| | |
+---------+--------------------------------------+
or
or::
$ curl -X POST localhost:1789/v1/policies/classification/rules -d '{"rule": "same_group(x, y) :- group(x, g), group(y, g) "}'
{"comment": null, "id": "9165ab44-ef9e-4561-af55-3d29b9da0bfe", "rule": "same_group(x, y) :- group(x, g), group(y, g)"}
15) Create a table mapping tenant_id to a group name. admin and demo
are in two separate groups called "IT" and "Marketing" respectively.
In practice, this "group" table would receive group membership
information from a system like Keystone or ActiveDirectory. In this
tutorial, we'll populate the group table with membership information
manually::
15) Create a table mapping tenant_id to a group name. admin and demo are in
two separate groups called "IT" and "Marketing" respectively. In practice,
this "group" table would receive group membership information from a system
like Keystone or ActiveDirectory. In this tutorial, we'll populate the
group table with membership information manually::
CongressClient:
$ openstack congress policy rule create classification "group(\"$ADMIN_ID\", \"IT\") :- true"
+---------+---------------------------------------------------------+
| Field | Value |
+---------+---------------------------------------------------------+
| comment | None |
| id | 6013e6a6-4d06-4d46-be86-a64eba4a754e |
| rule | "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- |
| | true()" |
| | |
+---------+---------------------------------------------------------+
$ openstack congress policy rule create classification "group(\"$ADMIN_ID\", \"IT\") :- true"
+---------+---------------------------------------------------------+
| Field | Value |
+---------+---------------------------------------------------------+
| comment | None |
| id | 6013e6a6-4d06-4d46-be86-a64eba4a754e |
| rule | "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- |
| | true()" |
| | |
+---------+---------------------------------------------------------+
or::
or
$ curl -X POST localhost:1789/v1/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}"
{"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"}
$ curl -X POST localhost:1789/v1/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}"
{"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"}
Then::
CongressClient:
$ openstack congress policy rule create classification "group(\"$DEMO_ID\", \"Marketing\") :- true"
+---------+----------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------+
| comment | None |
| id | e76aede7-9f20-49af-b09f-1f293c0e1a52 |
| rule | "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- |
| | true()" |
| | |
+---------+----------------------------------------------------------------+
CongressClient:
or::
$ openstack congress policy rule create classification "group(\"$DEMO_ID\", \"Marketing\") :- true"
+---------+----------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------+
| comment | None |
| id | e76aede7-9f20-49af-b09f-1f293c0e1a52 |
| rule | "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- |
| | true()" |
| | |
+---------+----------------------------------------------------------------+
or
$ curl -X POST localhost:1789/v1/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}"
{"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"}
$ curl -X POST localhost:1789/v1/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}"
{"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"}
Listing Policy Violations
-------------------------
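Review bot: in step 15 the rendered diff shows `or::` next to `or` after the $ADMIN_ID block and again after the $DEMO_ID block, which reads as if the `::` were being removed here while every other hunk adds it; please check that both curl blocks in step 15 still follow an `or::` line so they render preformatted. The step 14 openstack line also gains a trailing space inside the quotes (`group(y, g) "`) that the original line did not have.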
@ -309,28 +311,29 @@ Listing Policy Violations
Finally, we can print the error table to see if there are any
violations (which there are).
16) List the errors. You should see one entry for "vm-demo".::
16) List the errors. You should see one entry for "vm-demo"::
CongressClient:
$ openstack congress policy row get classification error
#FIXME(arosen): congress seems to have a problem generating this table
# at time of writing....
CongressClient:
$ openstack congress policy row get classification error
#FIXME(arosen): congress seems to have a problem generating this table
# at time of writing....
or
or::
$ curl -X GET localhost:1789/v1/policies/classification/tables/error/rows
[
{
"data": [
"vm-demo"
]
}
]
$ curl -X GET localhost:1789/v1/policies/classification/tables/error/rows
[
{
"data": [
"vm-demo"
]
}
]
Fix the Policy Violation
------------------------
17) To fix the policy violation, we'll remove the demo's port from admin's network.::
17) To fix the policy violation, we'll remove the demo's port from admin's
network::
$ neutron port-delete $PORT_ID
Deleted port: 066c5cfc-949e-4d56-ad76-15528c68c8b8
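Review bot: the `#FIXME(arosen)` lines in step 16 sit inside the preformatted CongressClient block and are rendered as part of the tutorial; since this commit re-indents that block anyway, either resolve the FIXME or move it into an rst comment so readers are not shown a command that "seems to have a problem". The heading fix from `"vm-demo".::` to `"vm-demo"::` is correct.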
@ -338,8 +341,8 @@ Fix the Policy Violation
Relisting Policy Violations
---------------------------
18) Now, when print the error table it will be empty because there are
no violations.::
18) Now, when print the error table it will be empty because there are no
violations::
$ curl -X GET localhost:1789/v1/policies/classification/tables/error/rows
[]
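Review bot: step 18 still reads "Now, when print the error table"; while rewrapping it, change it to "Now, when we print the error table".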