congress/doc/source/user
Andreas Jaeger 3c9ca63712 Update api-ref location
The api documentation is now published on docs.openstack.org instead
of developer.openstack.org. Update all links that are changed to the
new location.

Note that redirects will be set up as well but let's point now to the
new location.

For details, see:
http://lists.openstack.org/pipermail/openstack-discuss/2019-July/007828.html

Change-Id: Ib4c5aff2fe02d9511e38e2e26b4361d81d853263
2019-07-30 19:46:15 +02:00
..
jgress_sample_policies [doc only] Doc changes related to json ingester 2019-03-21 15:55:59 -07:00
api.rst Improve documentation of policy create API 2018-12-09 21:02:13 -08:00
architecture.rst move docs into new structure and fix links 2017-08-08 06:58:30 +00:00
cloudservices.rst Add tacker driver to doc 2018-12-10 15:02:43 -08:00
enforcement.rst Replace Chinese punctuation with English punctuation 2018-04-28 19:42:51 +08:00
index.rst [doc only] Doc changes related to json ingester 2019-03-21 15:55:59 -07:00
jgress.rst Update api-ref location 2019-07-30 19:46:15 +02:00
policy-library.rst Final changes for pike RC1 2017-08-10 08:32:51 -07:00
policy.rst Merge "builtins for z3 theories" 2018-12-17 06:38:53 +00:00
readme.rst simplify README.rst 2018-10-06 14:26:31 -04:00
troubleshooting.rst Fix the unintended .: rendering in doc 2018-04-10 18:00:31 +00:00
tutorial-tenant-sharing.rst Modify broken link 2018-01-23 09:48:55 +00:00

Introducing Congress

Why is Policy Important

The cloud is a collection of autonomous services that constantly change the state of the cloud, and it can be challenging for the cloud operator to know whether the cloud is even configured correctly. For example,

  • The services are often independent from each other and do not support transactional consistency across services, so a cloud management system can change one service (create a VM) without also making a necessary change to another service (attach the VM to a network). This can lead to incorrect behavior.
  • Other times, we have seen a cloud operator allocate cloud resources and then forget to clean them up when the resources are no longer in use, effectively leaving garbage around the system and wasting resources.
  • The desired cloud state can also change over time. For example, if a security vulnerability is discovered in Linux version X, then all machines with version X that were ok in the past are now in an undesirable state. A version number policy would detect all the machines in that undesirable state. This is a trivial example, but the more complex the policy, the more helpful a policy system becomes.

Congress's job is to help people manage that plethora of state across all cloud services with a succinct policy language.

Using Congress

Setting up Congress involves writing policies and configuring Congress to fetch input data from the cloud services. The cloud operator writes policy in the Congress policy language, which receives input from the cloud services in the form of tables. The language itself resembles datalog. For more detail about the policy language and data format see Policy <policy>.

To add a service as an input data source, the cloud operator configures a Congress "driver," and the driver queries the service. Congress already has drivers for several types of service, but if a cloud operator needs to use an unsupported service, she can write a new driver without much effort and probably contribute the driver to the Congress project so that no one else needs to write the same driver.

Finally, when using Congress, the cloud operator must choose what Congress should do with the policy it has been given:

  • monitoring: detect violations of policy and provide a list of those violations
  • proactive enforcement: prevent violations before they happen (functionality that requires other services to consult with Congress before making changes)
  • reactive enforcement: correct violations after they happen (a manual process that Congress tries to simplify)

In the future, Congress will also help the cloud operator audit policy (analyze the history of policy and policy violations).

Installing Congress

Please refer to the installation guide