Cleanup action policies will be created manually as described in this documentation

Change-Id: Ia7e01a58cf655b3da13759c72be927c9d7384c66
Partial-Bug: #1439595

doc/source/articles/policy_enf.rst

@@ -28,38 +28,9 @@ records in the *murano* policy. Congress will only give feedback on whether the
 
 Example
 =======
-In this example we will
-    #. Set-up murano to perform validation using congress engine.
-    #. Create rules that prohibit creating VM instances with flavor with more than 2048 MB ram.
+In this example we will create rules that prohibit creating VM instances with flavor with more than 2048 MB ram.
 
-Setup
------
-#. Enable policy enforcement in murano
-
-    - edit */etc/murano/murano.conf*:
-
-    .. code-block:: ini
-
-        [engine]
-        # Enable model policy enforcer using Congress (boolean value)
-        enable_model_policy_enforcer = true
-    ..
-
-    - restart murano-engine
-
-#. Create **murano** and **murano_system** policies
-
-    - Check if policies **murano** and **murano_system** were created by datasource driver:
-        ``congress policy list``
-    - If there are no **murano** and **murano_system** policies then create them by performing following commands:
-
-    .. code-block:: console
-
-        (openstack) congress policy create murano
-        (openstack) congress policy create murano_system
-    ..
-
-    .. note:: Commands are performed in console started by ``openstack`` command
+Prior creating rules your OpenStack installation has to be configured as described in :ref:`policyenf_setup`.
 
 Example rules
 -------------
@@ -73,7 +44,9 @@ Example rules
     .. code-block:: console
 
         predeploy_errors(eid, obj_id, msg) :-
-           murano:objects(obj_id, eid, type),
+           murano:objects(obj_id, pid, type),
+           murano:objects(eid, tid, "io.murano.Environment"),
+           murano:connected(eid, pid),
            murano:properties(obj_id, "flavor", flavor_name),
            flavor_ram(flavor_name, ram),
            gt(ram, 2048),
@@ -85,7 +58,7 @@ Example rules
 
     .. code-block:: console
 
-      congress policy rule create murano_system "predeploy_errors(eid, obj_id, msg) :- murano:objects(obj_id, eid, type), murano:properties(obj_id, \"flavor\", flavor_name), flavor_ram(flavor_name, ram), gt(ram, 2048), murano:properties(obj_id, \"name\", obj_name), concat(obj_name, \": instance flavor has RAM size over 2048MB\", msg)"
+      congress policy rule create murano_system "predeploy_errors(eid, obj_id, msg) :- murano:objects(obj_id, pid, type), murano:objects(eid, tid, \"io.murano.Environment\"), murano:connected(eid, pid), murano:properties(obj_id, \"flavor\", flavor_name), flavor_ram(flavor_name, ram), gt(ram, 2048), murano:properties(obj_id, \"name\", obj_name), concat(obj_name, \": instance flavor has RAM size over 2048MB\", msg)"
     ..
 
     In this example we used data from policy **murano** which is represented by ``murano:properties``. There are stored rows with decomposition of model representing murano application. We also used built-in functions of congress - ``gt`` - greater-than, and ``concat`` which joins two strings into variable.

doc/source/articles/policy_enf_dev.rst

@@ -2,6 +2,8 @@
 Murano Policy Enforcement - Developer Guide
 ===========================================
 
+.. _policyenf_dev:
+
 This document describes internals of murano policy enforcement.
 
 Model Decomposition
@@ -11,16 +13,17 @@ Models of Murano applications are transformed to set of rules that are processed
 
 There are several "tables" created in murano policy for different kind of rules:
 
-- ``murano:objects(environment_id, object_id, type_name)``
+- ``murano:objects(object_id, parent_id, type_name)``
 - ``murano:properties(object_id, property_name, property_value)``
 - ``murano:relationships(source, target, name)``
-- ``murano:parent_types(object_id, parent_name)``
+- ``murano:connected(source, target)``
+- ``murano:parent_types(object_id, parent_type_name)``
 - ``murano:states(environment_id, state)``
 
-``murano:objects(environment_id, object_id, type_name)``
+``murano:objects(object_id, parent_id, type_name)``
 """"""""""""""""""""""""""""""""""""""""""""""""""""""""
 
-This rule is used for representation of all objects in murano model (environment, applications, instances, ...).
+This rule is used for representation of all objects in Murano model (environment, applications, instances, ...).
 Value of property ``type`` is used as ``type_name`` parameter:
 
 .. code-block:: yaml
@@ -128,6 +131,32 @@ There are special relationships "services" from the environment to its applicati
 - ``murano:relationships+("env_id", "app_id", "services")``
 
 
+``murano:connected(source, target)``
+""""""""""""""""""""""""""""""""""""
+
+This table stores both direct and indirect connections between instances. It is derived from the ``murano:relationships``:
+
+.. code-block:: yaml
+
+    applications:
+    - '?':
+        id: 0aafd67e
+        type: io.murano.databases.MySql
+      instance:
+        '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}
+    - '?':
+        id: 50fa68ff
+        type: io.murano.apps.WordPress
+      database: 0aafd67e
+..
+
+Transformed to rules:
+
+- ``murano:connected+("50fa68ff", "0aafd67e")`` # WordPress to MySql
+- ``murano:connected+("50fa68ff", "ed8df2b0")`` # WordPress to LinuxMuranoInstance
+- ``murano:connected+("0aafd67e", "ed8df2b0")`` # MySql to LinuxMuranoInstance
+
+
 ``murano:parent_types(object_id, parent_name)``
 """""""""""""""""""""""""""""""""""""""""""""""
 

doc/source/articles/policy_enf_index.rst

@@ -6,4 +6,5 @@ Murano Policy Enforcement
    :maxdepth: 2
 
    policy_enf
+   policy_enf_setup
    policy_enf_dev

doc/source/articles/policy_enf_setup.rst

@@ -0,0 +1,119 @@
+=====================================
+Murano Policy Enforcement Setup Guide
+=====================================
+
+.. _policyenf_setup:
+
+Introduction
+------------
+
+Before policy enforcement feature will be used, it has to be configured. It has
+to be enabled in Murano configuration, and Congress has to have created policy
+and rules used during policy evaluation.
+
+This document does not cover Murano and Congress configuration options useful
+for Murano application deployment (e.g., DNS setup, floating IPs, ...).
+
+Setup
+-----
+
+This setup uses *openstack* command. You can use copy-paste for commands.
+
+If you are using DevStack installation, you can setup environment using
+following command.
+
+   .. code-block:: ini
+
+      source devstack/openrc admin admin
+   ..
+
+#. **Murano**
+
+   Enable policy enforcement in Murano:
+
+    - edit */etc/murano/murano.conf* to enable **enable_model_policy_enforcer**
+      option:
+
+    .. code-block:: ini
+
+        [engine]
+        # Enable model policy enforcer using Congress (boolean value)
+        enable_model_policy_enforcer = true
+    ..
+
+    - restart murano-engine
+
+#. **Congress**
+
+   Policy enforcement uses following policies:
+
+   - **murano** policy
+
+      Policy is created by Congress' Murano datasource driver, which is part of
+      Congress. It has to be configured for the OpenStack tenant where Murano
+      application will be deployed. Datasource driver retrieves deployed Murano
+      environments and populates Congress' murano policy tables
+      (:ref:`policyenf_dev`).
+
+      Following commands removes existing **murano** policy, and creates new
+      **murano** policy configured for tenant *demo*.
+
+   .. code-block:: console
+
+      . ~/devstack/openrc admin admin # if you are using devstack, otherwise you have to setup env manually
+
+      # remove default murano datasource configuration, because it is using 'admin' tenant. We need 'demo' tenant to be used.
+      openstack congress datasource delete murano
+      openstack congress datasource create murano murano --config username="$OS_USERNAME" --config tenant_name="demo"  --config password="$OS_PASSWORD" --config auth_url="$OS_AUTH_URL"
+   ..
+
+   - **murano_system** policy
+      Policy holds user defined rules for policy enforcement. Rules typically
+      uses tables from other policies (e.g., murano, nova, keystone, ...).
+      Policy enforcement expects *predeploy_errors* table here which is created
+      by creating **predeploy_errors** rules.
+
+      Following command creates **murano_system** rule
+
+   .. code-block:: console
+
+      openstack congress policy create murano_system
+   ..
+
+   - **murano_action** policy with internal management rules
+      Following rules are used internally in policy enforcement request.
+      These rules are stored in dedicated **murano_action** policy which is
+      created here.
+      They are important for case when an environment is deployed again.
+
+   .. code-block:: console
+
+      # create murano_action policy
+      openstack congress policy create murano_action --kind action
+
+      # register action deleteEnv
+      openstack congress policy rule create murano_action 'action("deleteEnv")'
+
+      # states
+      openstack congress policy rule create murano_action 'murano:states-(eid, st) :- deleteEnv(eid), murano:states( eid, st)'
+
+      # parent_types
+      openstack congress policy rule create murano_action 'murano:parent_types-(tid, type) :- deleteEnv(eid), murano:connected(eid, tid),murano:parent_types(tid,type)'
+      openstack congress policy rule create murano_action 'murano:parent_types-(eid, type) :- deleteEnv(eid), murano:parent_types(eid,type)'
+
+      # properties
+      openstack congress policy rule create murano_action 'murano:properties-(oid, pn, pv) :- deleteEnv(eid), murano:connected(eid, oid), murano:properties(oid, pn, pv)'
+      openstack congress policy rule create murano_action 'murano:properties-(eid, pn, pv) :- deleteEnv(eid), murano:properties(eid, pn, pv)'
+
+      # objects
+      openstack congress policy rule create murano_action 'murano:objects-(oid, pid, ot) :- deleteEnv(eid), murano:connected(eid, oid), murano:objects(oid, pid, ot)'
+      openstack congress policy rule create murano_action 'murano:objects-(eid, tnid, ot) :- deleteEnv(eid), murano:objects(eid, tnid, ot)'
+
+      # relationships
+      openstack congress policy rule create murano_action 'murano:relationships-(sid, tid, rt) :- deleteEnv(eid), murano:connected(eid, sid), murano:relationships( sid, tid, rt)'
+      openstack congress policy rule create murano_action 'murano:relationships-(eid, tid, rt) :- deleteEnv(eid), murano:relationships(eid, tid, rt)'
+
+      # connected
+      openstack congress policy rule create murano_action 'murano:connected-(tid, tid2) :- deleteEnv(eid), murano:connected(eid, tid), murano:connected(tid,tid2)'
+      openstack congress policy rule create murano_action 'murano:connected-(eid, tid) :- deleteEnv(eid), murano:connected(eid,tid)'
+   ..