congress/examples/private_public_network.script
Tim Hinrichs d8b9801215 Tweaks to private_public demo
- Typo fixed
- Added missing .enforce file

Change-Id: I95a4d36b5d9edfa01ce8ef976206e33e616dfa49
2014-02-11 13:01:16 -08:00

Script for a demo.
*********************************************************************
** Monitoring: Classification and Data sources
*********************************************************************
1) Classification Policy
Informally:
"all vms must be attached to public networks or to private networks owned by someone in the same group as the vm owner"
Cloud services at our disposal:
nova:virtual_machine(vm)
nova:network(vm, network)
nova:owner(vm, owner)
neutron:public_network(network)
neutron:owner(network, owner)
cms:group(user, group)
Formal policy:
error(vm) :- nova:virtual_machine(vm), nova:network(vm, network),
    not neutron:public_network(network),
    neutron:owner(network, netowner), nova:owner(vm, vmowner),
    not same_group(netowner, vmowner)
same_group(user1, user2) :- cms:group(user1, group), cms:group(user2, group)
--- Commands ------------------------------------
cd congress/congress/policy
PYTHONPATH=../../thirdparty python
>>> import runtime
>>> r = runtime.Runtime()
>>> r.load_file("../../examples/private_public_network.classify")
-------------------------------------------------
2) Are there any violations? Not yet.
--- Commands ------------------------------------
>>> print r.select("error(x)")
-------------------------------------------------
3) Change some data to create an error: remove "tim" from group "congress",
either directly through the runtime (below) or by making the same change in Active Directory.
--- Commands ------------------------------------
>>> r.delete('cms:group("tim", "congress")')
-------------------------------------------------
4) Check for violations
--- Commands ------------------------------------
>>> print r.select("error(x)")
error("vm1")
-------------------------------------------------
5) Explain the violation:
--- Commands ------------------------------------
>>> print r.explain('error("vm1")')
error("vm1")
nova:virtual_machine("vm1")
nova:network("vm1", "net_private")
not neutron:public_network("net_private")
neutron:owner("net_private", "martin")
nova:owner("vm1", "tim")
not same_group("martin", "tim")
-------------------------------------------------
6) Insert new policy fragment: "Error if vm without a network"
--- Commands ------------------------------------
>>> r.insert('error(vm) :- nova:virtual_machine(vm), not is_some_network(vm) '
             'is_some_network(vm) :- nova:network(vm, x)')
-------------------------------------------------
7) Check for violations
--- Commands ------------------------------------
>>> print r.select("error(x)")
error("vm1") error("vm3")
-------------------------------------------------
8) Explain the new violation
--- Commands ------------------------------------
>>> print r.explain('error("vm3")')
error("vm3")
nova:virtual_machine("vm3")
not is_some_network("vm3")
-------------------------------------------------
*********************************************************************
** Enforcement: Action Policy and Operations Policy
*********************************************************************
9) To help with enforcement, Congress needs to know which actions it may take and what each one changes. Codify these in the Action policy.
Informal policy:
connect_network(vm, network)
disconnect_network(vm, network)
delete_vm(vm)
make_public(network)
Formal policy:
// connect_network action
action("connect_network")
nova:network+(vm, network) :- connect_network(vm, network)
// disconnect_network action
action("disconnect_network")
nova:network-(vm, network) :- disconnect_network(vm, network)
// delete_vm action
action("delete_vm")
nova:virtual_machine-(vm) :- delete_vm(vm)
nova:network-(vm, network) :- delete_vm(vm), nova:network(vm, network)
nova:owner-(vm, owner) :- delete_vm(vm), nova:owner(vm, owner)
// make_public action
action("make_public")
neutron:public_network+(network) :- make_public(network)
--- Commands ------------------------------------
>>> r.load_file("../../examples/private_public_network.action", target=r.ACTION_THEORY)
-------------------------------------------------
10) Simulate an action and query the resulting state (without actually changing the state)
--- Commands ------------------------------------
>>> print r.simulate('error(x)', 'connect_network("vm3", "net_public")')
error("vm1")
-------------------------------------------------
11) Ask for remediations: action sequences that, when executed, fix a violation. (Caveat: a violation may have several reasons; each remediation fixes a single reason.)
--- Commands ------------------------------------
>>> print r.remediate('error("vm1")')
nova:virtual_machine-("vm1") :- delete_vm("vm1")
nova:network-("vm1", "net_private") :- disconnect_network("vm1", "net_private")
neutron:public_network+("net_private") :- make_public("net_private")
nova:owner-("vm1", "tim") :- delete_vm("vm1")
-------------------------------------------------
*********************************************************************
** Enforcement: Operations Policy
*********************************************************************
12) Dictate the conditions under which actions are executed automatically: the Enforcement policy.
Informal policy:
every time a VM has an error and that VM is connected to a private network not owned by someone in the same group as the VM owner, execute 'disconnect_network' for that VM and network.
Formal policy:
disconnect_network(vm, network) :-
    error(vm),
    nova:virtual_machine(vm),
    nova:network(vm, network),
    not neutron:public_network(network),
    neutron:owner(network, network_owner),
    nova:owner(vm, vm_owner),
    not same_group(network_owner, vm_owner)
--- Commands ------------------------------------
>>> r.load_file("../../examples/private_public_network.enforce", target=r.ENFORCEMENT_THEORY)
-------------------------------------------------
13) Create an error that the enforcement policy should automatically correct, then check the remaining violations and the log of actions the enforcement policy fired.
--- Commands ------------------------------------
>>> print r.select("error(x)")
error("vm3")
>>> print r.logger.contents()
disconnect_network("vm1", "net_private")
-------------------------------------------------
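The whole demo replayed as a self-contained Python 3 script. This is an added example, not Congress's runtime or the .classify/.action/.enforce files the script loads: it hand-codes the classification rule (steps 1-8), the +/- effects of the action policy that simulate and remediate rely on (steps 9-11) and the operations policy (steps 12-13) over constructed sample data that reuses the script's names (vm1, vm3, net_private, net_public, tim, martin, group "congress"). The function names (errors, explain, simulate, remediate, enforce) mirror the runtime calls in the script but are this example's own; remediate is a simplification that brute-forces single actions rather than reading them off the proof of the violation as Congress does. One interaction worth seeing: once the step 6 fragment is loaded, the disconnect that the operations policy fires leaves vm1 with no network at all, which that fragment flags as a new error, so the example reports both the fired actions and the errors afterwards.

```python
from copy import deepcopy
def initial_state():
    """Constructed sample data reusing the names from the demo script."""
    return {
        "nova:virtual_machine": {("vm1",), ("vm3",)},
        "nova:network": {("vm1", "net_private")},  # vm3 has no network
        "nova:owner": {("vm1", "tim"), ("vm3", "tim")},
        "neutron:public_network": {("net_public",)},
        "neutron:owner": {("net_private", "martin"), ("net_public", "martin")},
        "cms:group": {("tim", "congress"), ("martin", "congress")},
    }

def same_group(state, user1, user2):
    """same_group(u1, u2) :- cms:group(u1, g), cms:group(u2, g)"""
    groups = state["cms:group"]
    return any((user2, g) in groups for (u, g) in groups if u == user1)

def bad_networks(state, vm):
    """Matches of the classification rule body for vm, as (network, net_owner,
    vm_owner); written as one join, like the rule, and sorted for determinism."""
    return [(net, net_owner, vm_owner)
            for (v, net) in sorted(state["nova:network"]) if v == vm
            if (net,) not in state["neutron:public_network"]
            for (n, net_owner) in sorted(state["neutron:owner"]) if n == net
            for (v2, vm_owner) in sorted(state["nova:owner"]) if v2 == vm
            if not same_group(state, net_owner, vm_owner)]

def explain(state, vm, require_network=False):
    """Body literals deriving error(vm), or None; require_network adds the step 6 rule."""
    if (vm,) not in state["nova:virtual_machine"]:
        return None
    bad = bad_networks(state, vm)
    if bad:
        net, net_owner, vm_owner = bad[0]
        return [("nova:virtual_machine", vm), ("nova:network", vm, net),
                ("not neutron:public_network", net), ("neutron:owner", net, net_owner),
                ("nova:owner", vm, vm_owner), ("not same_group", net_owner, vm_owner)]
    if require_network and not any(v == vm for (v, _) in state["nova:network"]):
        return [("nova:virtual_machine", vm), ("not is_some_network", vm)]
    return None

def errors(state, require_network=False):
    """select("error(x)"): every vm with a derivable error."""
    return {vm for (vm,) in state["nova:virtual_machine"]
            if explain(state, vm, require_network) is not None}

def apply_action(state, action, *args):
    """Apply the +/- effects of one action-policy action to a copy of the state."""
    new = deepcopy(state)
    if action == "connect_network":            # nova:network+(vm, network)
        new["nova:network"].add(args)
    elif action == "disconnect_network":       # nova:network-(vm, network)
        new["nova:network"].discard(args)
    elif action == "make_public":              # neutron:public_network+(network)
        new["neutron:public_network"].add(args)
    elif action == "delete_vm":                # the vm, its networks and its owner go
        (vm,) = args
        new["nova:virtual_machine"].discard((vm,))
        new["nova:network"] = {t for t in new["nova:network"] if t[0] != vm}
        new["nova:owner"] = {t for t in new["nova:owner"] if t[0] != vm}
    else:
        raise ValueError("unknown action %r" % action)
    return new

def simulate(state, action, *args, require_network=False):
    """simulate('error(x)', action): errors after the action; state untouched."""
    return errors(apply_action(state, action, *args), require_network)

def remediate(state, vm, require_network=False):
    """Single actions that clear error(vm): brute force, not Congress's proof-based search."""
    vms = sorted(v for (v,) in state["nova:virtual_machine"])
    nets = sorted({n for (n, _) in state["neutron:owner"]})
    candidates = ([("delete_vm", v) for v in vms] + [("make_public", n) for n in nets]
                  + [("connect_network", v, n) for v in vms for n in nets]
                  + [("disconnect_network", v, n) for (v, n) in sorted(state["nova:network"])])
    return [c for c in candidates if vm not in simulate(state, *c, require_network=require_network)]

def enforce(state, require_network=False):
    """Operations policy: disconnect every error(vm) from each offending private network."""
    log = [("disconnect_network", vm, net) for vm in sorted(errors(state, require_network))
           for (net, _, _) in bad_networks(state, vm)]
    for action in log:                         # execute each fired action; log mirrors r.logger
        state = apply_action(state, *action)
    return state, log

def run_demo():
    r, s = {}, initial_state()
    r["step2"] = errors(s)                                   # no violations yet
    s["cms:group"].discard(("tim", "congress"))              # step 3
    r["step4"] = errors(s)                                   # {"vm1"}
    r["step5"] = explain(s, "vm1")
    r["step7"] = errors(s, require_network=True)             # {"vm1", "vm3"}
    r["step8"] = explain(s, "vm3", require_network=True)
    r["step10"] = simulate(s, "connect_network", "vm3", "net_public", require_network=True)
    r["step11_classify_only"] = remediate(s, "vm1")          # delete_vm, make_public, disconnect
    r["step11"] = remediate(s, "vm1", require_network=True)  # disconnect no longer clears vm1
    s, r["step13_log"] = enforce(s, require_network=True)    # step 12: load and fire
    r["step13_errors"] = errors(s, require_network=True)     # vm1 now has no network
    return r
```

Calling run_demo() walks the state through the same changes the script makes and returns what each select/explain/simulate/remediate query would show at that step. With only the classification rule loaded, remediate lists the same three single-action fixes for vm1 that the script's step 11 shows (delete the vm, make the network public, disconnect it); with the step 6 fragment loaded as well, disconnecting drops out because it would just replace one violation with another, which is exactly what happens when the operations policy fires it in step 12.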