From f303fd4c4152f1447ccd2d4258f763e0ccf681eb Mon Sep 17 00:00:00 2001 From: Aaron Rosen Date: Wed, 10 Sep 2014 12:10:54 -0700 Subject: [PATCH] Add congressclient bindings to tutorial Change-Id: Ifa9c733f08942f9fed9a5cb1d4cc42982bf14496 --- doc/source/tutorial-tenant-sharing.rst | 99 +++++++++++++++++++++++--- 1 file changed, 91 insertions(+), 8 deletions(-) diff --git a/doc/source/tutorial-tenant-sharing.rst b/doc/source/tutorial-tenant-sharing.rst index 695b600e7..fb8f0f3b4 100644 --- a/doc/source/tutorial-tenant-sharing.rst +++ b/doc/source/tutorial-tenant-sharing.rst @@ -194,21 +194,69 @@ you will add the congress policy to detect the violation. 12) Add a rule that detects when a VM is connected to a port belonging to a different group:: - $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "}' + CongressClient: + $ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) " + +---------+----------------------------------------------------------------------------------------+ + | Field | Value | + +---------+----------------------------------------------------------------------------------------+ + | comment | None | + | id | 3417bf64-af59-4cb3-ade5-66b6152b158a | + | rule | "error(name2) :- | + | | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p | + | | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 | + | | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 | + | | not same_group(tenant_id, tenant_id2)" | + | | | + +---------+----------------------------------------------------------------------------------------+ + or + + $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2) "}' {"comment": null, "id": "869e6a85-43ed-49fd-9fd7-f649d9c06fc2", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id, tenant_id2)"} 13) Add a rule that detects when a port is connected to a network belonging to a different group:: - $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "}' + CongressClient: + $ openstack congress policy rule create classification "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) " + +---------+----------------------------------------------------------------------------------------+ + | Field | Value | + +---------+----------------------------------------------------------------------------------------+ + | comment | None | + | id | de1f2024-e829-456c-91e1-1e68fb2dadd2 | + | rule | "error(name2) :- | + | | neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p | + | | nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2 | + | | neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3 | + | | not same_group(tenant_id2, tenant_id3)" | + | | | + +---------+----------------------------------------------------------------------------------------+ + + or + + $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3) , not same_group(tenant_id2, tenant_id3) "}' {"comment": null, "id": "6871ef89-4bec-4b47-ad2f-b71788e9d400", "rule": "error(name2) :- neutron:ports(a, b, c, d, e, f, g, network_id, tenant_id, j, k, l, m, n, device_id, p), nova:servers(device_id, name2, c2, d2, tenant_id2, f2, g2, h2), neutron:networks(a3, b3, c3, d3, e3, tenant_id3, g3, h3, i3, network_id, k3), not same_group(tenant_id2, tenant_id3)"} 14) Define a table mapping a tenant_id to any other tenant in the same group:: - $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "same_group(x, y) :- group(x, g), group(y, g) "}' + CongressClient: + $ openstack congress policy rule create classification "same_group(x, y) :- group(x, g), group(y, g) " + +---------+--------------------------------------+ + | Field | Value | + +---------+--------------------------------------+ + | comment | None | + | id | 7e2e3ec1-73db-4293-859f-fc0818e3b693 | + | rule | "same_group(x, y) :- | + | | group(x, g | + | | group(y, g)" | + | | | + +---------+--------------------------------------+ + + or + + $ curl -X POST localhost:1789/policies/classification/rules -d '{"rule": "same_group(x, y) :- group(x, g), group(y, g) "}' {"comment": null, "id": "9165ab44-ef9e-4561-af55-3d29b9da0bfe", "rule": "same_group(x, y) :- group(x, g), group(y, g)"} 15) Create a table mapping tenant_id to a group name. admin and demo @@ -218,13 +266,42 @@ information from a system like Keystone or ActiveDirectory. In this tutorial, we'll populate the group table with membership information manually:: - $ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}" + CongressClient: - {"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"} + $ openstack congress policy rule create classification "group(\"$ADMIN_ID\", \"IT\") :- true" + +---------+---------------------------------------------------------+ + | Field | Value | + +---------+---------------------------------------------------------+ + | comment | None | + | id | 6013e6a6-4d06-4d46-be86-a64eba4a754e | + | rule | "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- | + | | true()" | + | | | + +---------+---------------------------------------------------------+ - $ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}" + or - {"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"} + $ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$ADMIN_ID\\\", \\\"IT\\\") :- true \"}" + {"comment": null, "id": "1554e108-adc5-40e1-870a-dda3b877f2bc", "rule": "group(\"7320f8345acb489e8296ddb3b1ad1262\", \"IT\") :- true()"} + + + CongressClient: + + $ openstack congress policy rule create classification "group(\"$DEMO_ID\", \"Marketing\") :- true" + +---------+----------------------------------------------------------------+ + | Field | Value | + +---------+----------------------------------------------------------------+ + | comment | None | + | id | e76aede7-9f20-49af-b09f-1f293c0e1a52 | + | rule | "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- | + | | true()" | + | | | + +---------+----------------------------------------------------------------+ + + or + + $ curl -X POST localhost:1789/policies/classification/rules -d "{\"rule\": \"group(\\\"$DEMO_ID\\\", \\\"Marketing\\\") :- true \"}" + {"comment": null, "id": "810c2217-0161-4ba6-ab29-a822bfca0f99", "rule": "group(\"81084a94769c4ce0accb6968c397a085\", \"Marketing\") :- true()"} Listing Policy Violations ------------------------- @@ -234,8 +311,14 @@ violations (which there are). 16) List the errors. You should see one entry for "vm-demo".:: - $ curl -X GET localhost:1789/policies/classification/tables/error/rows + CongressClient: + $ openstack congress policy row get classification error + #FIXME(arosen): congress seems to have a problem generating this table + # at time of writing.... + or + + $ curl -X GET localhost:1789/policies/classification/tables/error/rows [ { "data": [