deb-murano/doc/source/articles/policy_enf_setup.rst
Filip Blaha e4fe8b3973 Murano Policy Based Modification Documentation
Documentation for murano users includes example.

Implements: blueprint policy-based-env-modification

Change-Id: If363528d1dabf8acb698004fbbb0a3df3d1aab36
2015-09-09 13:45:03 +00:00


=====================================
Murano Policy Enforcement Setup Guide
=====================================

.. _policyenf_setup:

Introduction
------------

Before the policy enforcement feature can be used, it has to be configured: it
has to be enabled in the Murano configuration, and Congress has to contain the
policies and rules used during policy evaluation.

This document does not cover Murano and Congress configuration options useful
for Murano application deployment (e.g., DNS setup, floating IPs, ...).

Setup
-----

This setup uses the *openstack* command. The commands below can be copied and
pasted.

If you are using a DevStack installation, you can set up the environment using
the following command.

.. code-block:: console

   source devstack/openrc admin admin

..
#. **Murano**

   Enable policy enforcement in Murano:

   - edit */etc/murano/murano.conf* to enable the
     **enable_model_policy_enforcer** option:

     .. code-block:: ini

        [engine]
        # Enable model policy enforcer using Congress (boolean value)
        enable_model_policy_enforcer = true

     ..

   - restart murano-engine

#. **Congress**

   Policy enforcement uses the following policies:

   - **murano** policy

     This policy is created by Congress' murano datasource driver, which is
     part of Congress. It has to be configured for the OpenStack tenant where
     the Murano application will be deployed. The datasource driver retrieves
     deployed Murano environments and populates Congress' murano policy tables
     (:ref:`policyenf_dev`).

     The following commands remove the existing **murano** policy and create a
     new **murano** policy configured for the tenant *demo*.

     .. code-block:: console

        . ~/devstack/openrc admin admin # if you are using devstack; otherwise you have to set up the environment manually
        # remove the default murano datasource configuration, because it uses the 'admin' tenant; we need the 'demo' tenant to be used
        openstack congress datasource delete murano
        openstack congress datasource create murano murano --config username="$OS_USERNAME" --config tenant_name="demo" --config password="$OS_PASSWORD" --config auth_url="$OS_AUTH_URL"

     ..
   - **murano_system** policy

     This policy holds user-defined rules for policy enforcement. Rules
     typically use tables from other policies (e.g., murano, nova, keystone,
     ...). Policy enforcement expects the *predeploy_errors* table here, which
     is created by creating **predeploy_errors** rules.

     The following commands create the **murano_system** policy and a rule in
     it:

     .. code-block:: console

        # create murano_system policy
        openstack congress policy create murano_system
        # resolves objects within an environment
        openstack congress policy rule create murano_system 'murano_env_of_object(oid,eid):-murano:connected(eid,oid), murano:objects(eid,tid,"io.murano.Environment")'

     ..
   - **murano_action** policy with internal management rules

     The following rules are used internally in the policy enforcement
     request. They are stored in the dedicated **murano_action** policy, which
     is created here. They are important for the case when an environment is
     deployed again.

     .. code-block:: console

        # create murano_action policy
        openstack congress policy create murano_action --kind action
        # register action deleteEnv
        openstack congress policy rule create murano_action 'action("deleteEnv")'
        # states
        openstack congress policy rule create murano_action 'murano:states-(eid, st) :- deleteEnv(eid), murano:states( eid, st)'
        # parent_types
        openstack congress policy rule create murano_action 'murano:parent_types-(tid, type) :- deleteEnv(eid), murano:connected(eid, tid),murano:parent_types(tid,type)'
        openstack congress policy rule create murano_action 'murano:parent_types-(eid, type) :- deleteEnv(eid), murano:parent_types(eid,type)'
        # properties
        openstack congress policy rule create murano_action 'murano:properties-(oid, pn, pv) :- deleteEnv(eid), murano:connected(eid, oid), murano:properties(oid, pn, pv)'
        openstack congress policy rule create murano_action 'murano:properties-(eid, pn, pv) :- deleteEnv(eid), murano:properties(eid, pn, pv)'
        # objects
        openstack congress policy rule create murano_action 'murano:objects-(oid, pid, ot) :- deleteEnv(eid), murano:connected(eid, oid), murano:objects(oid, pid, ot)'
        openstack congress policy rule create murano_action 'murano:objects-(eid, tnid, ot) :- deleteEnv(eid), murano:objects(eid, tnid, ot)'
        # relationships
        openstack congress policy rule create murano_action 'murano:relationships-(sid, tid, rt) :- deleteEnv(eid), murano:connected(eid, sid), murano:relationships( sid, tid, rt)'
        openstack congress policy rule create murano_action 'murano:relationships-(eid, tid, rt) :- deleteEnv(eid), murano:relationships(eid, tid, rt)'
        # connected
        openstack congress policy rule create murano_action 'murano:connected-(tid, tid2) :- deleteEnv(eid), murano:connected(eid, tid), murano:connected(tid,tid2)'
        openstack congress policy rule create murano_action 'murano:connected-(eid, tid) :- deleteEnv(eid), murano:connected(eid,tid)'

     ..
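To make the effect of the **murano_system** rule and the **murano_action** retraction rules above concrete, here is an added Python model (not part of the Murano documentation or code) of the Congress tables that the murano datasource populates. It evaluates ``murano_env_of_object`` and applies the ``deleteEnv`` rules, showing that a redeployed environment's stale rows are dropped while other tenants' environments are untouched; all table rows and identifiers are constructed sample data.

```python
# Added example: a small in-memory model of the murano datasource tables and
# of the Congress rules shown above. Rows below are constructed sample data.
TABLES = {
    # murano:objects(oid, parent_id, type)
    "objects": {
        ("env-1", "tenant-demo", "io.murano.Environment"),
        ("app-1", "env-1", "io.murano.apps.ExampleApp"),
        ("inst-1", "app-1", "io.murano.resources.LinuxMuranoInstance"),
        ("env-2", "tenant-demo", "io.murano.Environment"),
        ("app-2", "env-2", "io.murano.apps.ExampleApp"),
    },
    # murano:connected(src, dst): every object reachable from src
    "connected": {("env-1", "app-1"), ("env-1", "inst-1"),
                  ("app-1", "inst-1"), ("env-2", "app-2")},
    # murano:properties(oid, name, value)
    "properties": {("inst-1", "flavor", "m1.small"),
                   ("app-2", "name", "demo-app")},
    # murano:parent_types(oid, type) and murano:relationships(src, dst, name)
    "parent_types": {("inst-1", "io.murano.resources.Instance")},
    "relationships": {("app-1", "inst-1", "instance")},
    # murano:states(eid, state)
    "states": {("env-1", "ready"), ("env-2", "deploying")},
}


def murano_env_of_object(tables):
    """murano_system rule: murano_env_of_object(oid, eid) :-
    murano:connected(eid, oid), murano:objects(eid, tid, "io.murano.Environment")."""
    envs = {oid for oid, _, typ in tables["objects"]
            if typ == "io.murano.Environment"}
    return {(oid, eid) for eid, oid in tables["connected"] if eid in envs}


def delete_env(tables, eid):
    """Apply the murano_action retraction rules for deleteEnv(eid): every row
    keyed by the environment or by an object connected to it is dropped.
    murano:states is keyed by the environment id only, as the rules state."""
    reach = {eid} | {oid for src, oid in tables["connected"] if src == eid}
    return {name: {row for row in rows
                   if row[0] not in ({eid} if name == "states" else reach)}
            for name, rows in tables.items()}


if __name__ == "__main__":
    print(sorted(murano_env_of_object(TABLES)))
    after = delete_env(TABLES, "env-1")      # env-1 is being redeployed
    print(sorted(murano_env_of_object(after)))  # only env-2 rows remain
```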