Add congressclient bindings to tutorial

Change-Id: Ifa9c733f08942f9fed9a5cb1d4cc42982bf14496
Aaron Rosen 2014-09-10 12:10:54 -07:00
parent 7699632508
commit f303fd4c41


@ -194,21 +194,69 @@ you will add the congress policy to detect the violation.
12) Add a rule that detects when a VM is connected to a port belonging to a different group::
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "}'
CongressClient:
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | 3417bf64-af59-4cb3-ade5-66b6152b158a |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id, tenant_id2)" |
| | |
+---------+----------------------------------------------------------------------------------------+
or
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "}'
{"comment": null, "id": "869e6a85-43ed-49fd-9fd7-f649d9c06fc2", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2)"}
13) Add a rule that detects when a port is connected to a network belonging to a different group::
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "}'
CongressClient:
$ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "
+---------+----------------------------------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------------------------------+
| comment | None |
| id | de1f2024-e829-456c-91e1-1e68fb2dadd2 |
| rule | "error(name2) :- |
| | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p |
| | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 |
| | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 |
| | not same_group(tenant_id2, tenant_id3)" |
| | |
+---------+----------------------------------------------------------------------------------------+
or
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "}'
{"comment": null, "id": "6871ef89-4bec-4b47-ad2f-b71788e9d400", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id2, tenant_id3)"}
14) Define a table mapping a tenant_id to any other tenant in the same group::
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "same_group(x, y) :- group(x, g), group(y, g) "}'
CongressClient:
$ openstack congress policy rule create classification "same_group(x, y) :- group(x, g), group(y, g) "
+---------+--------------------------------------+
| Field | Value |
+---------+--------------------------------------+
| comment | None |
| id | 7e2e3ec1-73db-4293-859f-fc0818e3b693 |
| rule | "same_group(x, y) :- |
| | group(x, g |
| | group(y, g)" |
| | |
+---------+--------------------------------------+
or
$ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "same_group(x, y) :- group(x, g), group(y, g) "}'
{"comment": null, "id": "9165ab44-ef9e-4561-af55-3d29b9da0bfe", "rule": "same_group(x, y) :- group(x, g), group(y, g)"}
15) Create a table mapping tenant_id to a group name. admin and demo
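Review bot: the curl command directly under the `12)` heading is repeated verbatim after `or` further down the step, so the rendered step shows the same curl twice; steps 13 and 14 have the same duplication. If the intended layout is `CongressClient: <openstack command>` followed by `or <curl>`, the original curl line should be removed rather than left in place. Separately, the pasted CongressClient table output drops the `),` at each wrapped line of the rule (for example `neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p` and `nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2`), so the displayed rule is not valid as shown; either confirm this is how the client wraps the field or trim the table to the `id` row so readers do not copy a broken rule.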
@ -218,13 +266,42 @@ information from a system like Keystone or ActiveDirectory. In this
tutorial, we'll populate the group table with membership information
manually::
$ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}"
CongressClient:
{"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"}
$ openstack congress policy rule create classification "group(\"$ADMIN_ID\", \"IT\") :- true"
+---------+---------------------------------------------------------+
| Field | Value |
+---------+---------------------------------------------------------+
| comment | None |
| id | 6013e6a6-4d06-4d46-be86-a64eba4a754e |
| rule | "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- |
| | true()" |
| | |
+---------+---------------------------------------------------------+
$ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}"
or
{"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"}
$ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}"
{"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"}
CongressClient:
$ openstack congress policy rule create classification "group(\"$DEMO_ID\", \"Marketing\") :- true"
+---------+----------------------------------------------------------------+
| Field | Value |
+---------+----------------------------------------------------------------+
| comment | None |
| id | e76aede7-9f20-49af-b09f-1f293c0e1a52 |
| rule | "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- |
| | true()" |
| | |
+---------+----------------------------------------------------------------+
or
$ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}"
{"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"}
Listing Policy Violations
-------------------------
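Review bot: the ordering in step 15 does not match steps 12 to 14. `CongressClient:` is immediately followed by the curl's JSON response (`{"comment": null, "id": "1554e108-...", "rule": "group(\"7320f8...\", \"IT\") :- true()"}`) rather than by the `openstack congress policy rule create` command, and the `or` after the `$DEMO_ID` curl is followed by the Marketing response, then a second copy of the `$ADMIN_ID` curl and its response, before the Marketing CongressClient block appears. Suggest one consistent block per rule: the `openstack congress policy rule create classification "group(\"$ADMIN_ID\", \"IT\") :- true"` command with its table, then `or`, then the curl with its response, and the same sequence for `$DEMO_ID`/Marketing.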
@ -234,8 +311,14 @@ violations (which there are).
16) List the errors. You should see one entry for "vm-demo".::
$ curl -X GET localhost:1789/policies/classification/tables/error/rows
CongressClient:
$ openstack congress policy row get classification error
#FIXME(arosen): congress seems to have a problem generating this table
# at time of writing....
or
$ curl -X GET localhost:1789/policies/classification/tables/error/rows
[
{
"data": [
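Review bot: the `#FIXME(arosen)` comment in step 16 sits inside the tutorial's literal block, so readers will see a developer note where the CongressClient output should be, and the step's statement that they should see one entry for "vm-demo" is left unsupported for the `openstack congress policy row get classification error` path. Either drop the CongressClient variant for this step until the client produces the table, or replace the FIXME with the expected output, and track the client problem in a bug rather than in the tutorial text.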