deb-murano/doc/source/articles/policy_enf_dev.rst
ondrej.vojta 82a66201f2 Documentation for policy enforcement
Partially Implements blueprint policy-enforcement-point

Change-Id: I10b9567d874812b775544904bd85906390b337d4
2015-01-30 12:49:37 +00:00


Murano Policy Enforcement - Developer Guide

This document describes the internals of Murano policy enforcement.

Model Decomposition

Models of Murano applications are transformed into a set of rules that are processed by Congress. These rules are the data on which policy validation runs.

Several "tables" are created in the murano policy, one for each kind of rule:

  • murano:objects(environment_id, object_id, type_name)
  • murano:properties(object_id, property_name, property_value)
  • murano:relationships(source, target, name)
  • murano:parent_types(object_id, parent_name)
  • murano:states(environment_id, state)

murano:objects(environment_id, object_id, type_name)

This rule represents every object in the Murano model (environment, applications, instances, ...). The value of the type property is used as the type_name parameter:

name: wordpress-env
'?': {type: io.murano.Environment, id: 83bff5ac}
applications:
- '?': {id: e7a13d3c, type: io.murano.databases.MySql}

Transformed to these rules:

  • murano:objects+("83bff5ac", "83bff5ac", "io.murano.Environment")
  • murano:objects+("83bff5ac", "e7a13d3c", "io.murano.databases.MySql")

Note

In the rule for the environment itself, environment_id and object_id are the same.

murano:properties(object_id, property_name, property_value)

Each object can have properties. In this example the application has one property:

applications:
- '?': {id: e7a13d3c, type: io.murano.databases.MySql}
  database: wordpress

Transformed to this rule:

  • murano:properties+("e7a13d3c", "database", "wordpress")

Nested properties are also supported, using dot notation:

instance:
  '?': {id: 825dc61d, type: io.murano.resources.LinuxMuranoInstance}
  networks:
    useFlatNetwork: false

Transformed to this rule:

  • murano:properties+("825dc61d", "networks.useFlatNetwork", "False")

If the model contains a list of values, it is represented as a set of multiple rules, one per value:

instances:
- '?': {id: be3c5155, type: io.murano.resources.LinuxMuranoInstance}
  networks:
    customNetworks: [10.0.1.0, 10.0.2.0]

Transformed to these rules:

  • murano:properties+("be3c5155", "networks.customNetworks", "10.0.1.0")
  • murano:properties+("be3c5155", "networks.customNetworks", "10.0.2.0")

There is one special property on the environment for the tenant_id:

  • murano:properties+("...", "tenant_id", "123")

murano:relationships(source, target, name)

Murano application models can contain references to other applications. In this example the WordPress application references MySQL in its "database" property:

applications:
- '?':
    id: 0aafd67e
    type: io.murano.databases.MySql
- '?':
    id: 50fa68ff
    type: io.murano.apps.WordPress
  database: 0aafd67e

Transformed to this rule:

  • murano:relationships+("50fa68ff", "0aafd67e", "database")

Note

For the "database" property no murano:properties+ rule is created; the reference is recorded only as a relationship.

Likewise, if an inner object is defined inside another object, a relationship is created between them, named after the property that holds the inner object:

applications:
- '?':
    id: 0aafd67e
    type: io.murano.databases.MySql
  instance:
    '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}

Transformed to this rule:

  • murano:relationships+("0aafd67e", "ed8df2b0", "instance")

murano:parent_types(object_id, parent_name)

Each object in Murano has a class type, and these classes can inherit from one or more parents:

e.g. LinuxMuranoInstance > LinuxInstance > Instance

So this model:

instances:
- '?': {id: be3c5155, type: LinuxMuranoInstance}

Transformed to these rules:

  • murano:objects+("...", "be3c5155", "LinuxMuranoInstance")
  • murano:parent_types+("be3c5155", "LinuxMuranoInstance")
  • murano:parent_types+("be3c5155", "LinuxInstance")
  • murano:parent_types+("be3c5155", "Instance")

Note

The object's own type is also repeated among the parent types (LinuxMuranoInstance in the example) so that user-created rules can match on a type without distinguishing the exact class from its ancestors.

Note

If a type inherits from more than one parent and those parents share a common ancestor type, the parent_types rule for the common type is included only once.

murano:states(environment_id, state)

Currently only one record per environment is created:

  • murano:states+("uugi324", "PENDING")
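The decomposition described in the sections above (objects, dot-notation and list properties, relationships by reference and by nesting, parent types with duplicates collapsed), as an added example that is not Murano's own code. It works on the model as a Python dict instead of YAML, uses an assumed PARENTS hierarchy, and goes one step beyond the page's listings: the environment's own applications list is treated like any other nested object, so it also yields relationships from the environment to each application.

```python
# Added example, not Murano's own code: turn a Murano model (the YAML above as a
# Python dict) into the Congress tuples described here. PARENTS is an assumed
# class hierarchy; Murano takes the real one from its class registry.
PARENTS = {"LinuxMuranoInstance": ["LinuxInstance"], "LinuxInstance": ["Instance"]}

# Constructed sample model: the page's WordPress/MySql examples merged into one env.
MODEL = {"?": {"id": "83bff5ac", "type": "io.murano.Environment"}, "applications": [
    {"?": {"id": "0aafd67e", "type": "io.murano.databases.MySql"}, "database": "wordpress",
     "instance": {"?": {"id": "ed8df2b0", "type": "LinuxMuranoInstance"},
                  "networks": {"useFlatNetwork": False,
                               "customNetworks": ["10.0.1.0", "10.0.2.0"]}}},
    {"?": {"id": "50fa68ff", "type": "io.murano.apps.WordPress"}, "database": "0aafd67e"}]}

def parent_types(type_name):
    """The type itself plus every ancestor, listed once each (diamonds collapse)."""
    seen = [type_name]
    for parent in PARENTS.get(type_name, []):
        seen += [t for t in parent_types(parent) if t not in seen]
    return seen

def decompose(env):
    """Return the set of rule tuples for one environment model (murano:states omitted)."""
    env_id, rules = env["?"]["id"], set()

    def obj(o):
        oid, tname = o["?"]["id"], o["?"]["type"]
        rules.add(("murano:objects", env_id, oid, tname))
        rules.update(("murano:parent_types", oid, t) for t in parent_types(tname))
        for k in o.keys() - {"?"}:
            prop(oid, k, o[k])

    def prop(oid, name, v):
        for item in v if isinstance(v, list) else [v]:   # list -> one rule per item
            if isinstance(item, dict) and "?" in item:    # nested object -> relationship
                rules.add(("murano:relationships", oid, item["?"]["id"], name))
                obj(item)
            elif isinstance(item, dict):                  # nested mapping -> dot notation
                for k, inner in item.items():
                    prop(oid, f"{name}.{k}", inner)
            else:
                rules.add(("murano:properties", oid, name, str(item)))

    obj(env)
    # A scalar property whose value is the id of some object is a reference, not a
    # property; resolve these only now, once every object id in the model is known.
    ids = {r[2] for r in rules if r[0] == "murano:objects"}
    for r in [r for r in rules if r[0] == "murano:properties" and r[3] in ids]:
        rules.remove(r)
        rules.add(("murano:relationships", r[1], r[3], r[2]))
    return rules
```

Calling decompose(MODEL) yields 18 tuples, including the relationship ("50fa68ff", "0aafd67e", "database") with no murano:properties tuple for that value, and the three parent_types tuples for the LinuxMuranoInstance object.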