murano/doc/source/articles/policy_enf.rst
ondrej.vojta 82a66201f2 Documentation for policy enforcement
Partially Implements blueprint policy-enforcement-point

Change-Id: I10b9567d874812b775544904bd85906390b337d4
2015-01-30 12:49:37 +00:00

5.0 KiB

Murano Policy Enforcement Example

Introduction

As part of policy guided fulfillment, we need to enforce policies on Murano environment deployment. If policy enforcement fails, the deployment fails. Policies are defined and evaluated in the Congress project. The policy language of Congress is Datalog; a Congress policy consists of Datalog rules and facts. The cloud administrator defines the policies in Congress. Examples of such policies:

  • all VM instances must have at least 2GB of RAM
  • all Apache server instances must have a given certified version
  • data placement policy: all DB instances must be deployed at a given geo location (enforcing a legal restriction on data placement)

These policies are evaluated over data in the form of tables (Congress data structures). A Murano environment to be deployed is therefore decomposed into Congress data structures, and the decomposed environment is sent to Congress for simulation. Congress simulates the resulting state and checks whether it would violate any defined policy. In case of a policy violation the deployment is aborted. Murano uses two predefined policies in Congress:

  • murano_system contains the rules and facts of the policies defined by the cloud admin.
  • murano contains only facts/records reflecting the resulting state after deployment of an environment.

Records in the murano policy are queried by rules from the murano_system policy. The Congress simulation does not create any records in the murano policy; Congress only gives feedback on whether the resulting state violates the policy or not.

Example

In this example we will:
  1. Set up Murano to perform validation using the Congress engine.
  2. Create rules that prohibit creating VM instances with a flavor that has more than 2048 MB of RAM.

Setup

  1. Enable policy enforcement in Murano

    • edit /etc/murano/murano.conf:

      [engine]
      # Enable model policy enforcer using Congress (boolean value)
      enable_model_policy_enforcer = true

    • restart murano-engine

  2. Create the murano and murano_system policies

    • Check whether the policies murano and murano_system were already created by the datasource driver:

      congress policy list

    • If the murano and murano_system policies do not exist, create them with the following commands:

      (openstack) congress policy create murano
      (openstack) congress policy create murano_system

    Note

    The commands are run in the console started by the openstack command.

Example rules

  1. Create predeploy_errors rule

    The policy validation engine queries the predeploy_errors rule; Congress evaluates that rule together with every rule it references. Any row returned for predeploy_errors is reported as a deployment error.

    We create an example rule that references the flavor_ram rule, which we create afterwards. It rejects flavors with more than 2048 MB of RAM and builds the message returned to the user in the msg variable.

    predeploy_errors(eid, obj_id, msg) :-
       murano:objects(obj_id, eid, type),
       murano:properties(obj_id, "flavor", flavor_name),
       flavor_ram(flavor_name, ram),
       gt(ram, 2048),
       murano:properties(obj_id, "name", obj_name),
       concat(obj_name, ": instance flavor has RAM size over 2048MB", msg)

    Use this command to create the rule:

    congress policy rule create murano_system "predeploy_errors(eid, obj_id, msg) :- murano:objects(obj_id, eid, type), murano:properties(obj_id, \"flavor\", flavor_name), flavor_ram(flavor_name, ram), gt(ram, 2048), murano:properties(obj_id, \"name\", obj_name), concat(obj_name, \": instance flavor has RAM size over 2048MB\", msg)"

    In this example we used data from the murano policy, represented by the murano:objects and murano:properties tables. These tables hold the rows of the decomposed model of the Murano application. We also used two Congress built-in functions: gt (greater-than) and concat, which joins two strings into a variable.

  2. Create flavor_ram rule

    We create a rule that resolves the parameters of a flavor by flavor name and returns its ram parameter. It uses the flavors table from the nova policy; the data in this policy is filled in by the nova datasource driver.

    Use this command to create the rule:

    congress policy rule create murano_system "flavor_ram(flavor_name, ram) :- nova:flavors(id, flavor_name, cpus, ram)"
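To see what the two rules above actually compute, here is an added Python evaluation of them over constructed fact tables (this is example code written for this article, not Murano or Congress code; the object ids, environment id and flavor rows are made up, and the table schemas are taken from the rules as written):

```python
# Added example: evaluate the predeploy_errors / flavor_ram rules from this
# article in plain Python over constructed Congress-style fact tables.

# nova:flavors(id, flavor_name, cpus, ram) -- constructed rows
NOVA_FLAVORS = [
    ("1", "m1.small", 1, 2048),
    ("3", "m1.medium", 2, 4096),
]
# murano:objects(obj_id, eid, type) -- constructed decomposition of one environment
MURANO_OBJECTS = [
    ("inst-1", "env-42", "io.murano.resources.LinuxMuranoInstance"),
    ("inst-2", "env-42", "io.murano.resources.LinuxMuranoInstance"),
    ("app-1", "env-42", "io.murano.apps.Git"),  # application object, has no flavor
]
# murano:properties(obj_id, property_name, value) -- constructed rows
MURANO_PROPERTIES = [
    ("inst-1", "flavor", "m1.medium"), ("inst-1", "name", "git-node"),
    ("inst-2", "flavor", "m1.small"),  ("inst-2", "name", "db-node"),
    ("app-1", "name", "Git"),
]


def flavor_ram(flavors=NOVA_FLAVORS):
    """flavor_ram(flavor_name, ram) :- nova:flavors(id, flavor_name, cpus, ram)"""
    return {name: ram for _id, name, _cpus, ram in flavors}


def predeploy_errors(objects=MURANO_OBJECTS, props=MURANO_PROPERTIES,
                     flavors=NOVA_FLAVORS):
    """Evaluate predeploy_errors(eid, obj_id, msg) as the conjunction of its body atoms."""
    ram_of = flavor_ram(flavors)
    errors = []
    for obj_id, eid, _type in objects:                 # murano:objects(obj_id, eid, type)
        flavor_names = [v for o, p, v in props if o == obj_id and p == "flavor"]
        obj_names = [v for o, p, v in props if o == obj_id and p == "name"]
        for flavor_name in flavor_names:               # murano:properties(obj_id, "flavor", ...)
            if flavor_name not in ram_of:              # flavor_ram(...) has no matching row
                continue
            if not ram_of[flavor_name] > 2048:         # gt(ram, 2048)
                continue
            for obj_name in obj_names:                 # murano:properties(obj_id, "name", ...)
                errors.append((eid, obj_id,            # concat(obj_name, "...", msg)
                               obj_name + ": instance flavor has RAM size over 2048MB"))
    return errors


if __name__ == "__main__":
    for row in predeploy_errors():
        print(row)
```

Note the failure mode this makes visible: a flavor name that nova:flavors does not list produces no flavor_ram row, so the rule yields no error and the deployment is not blocked; a policy that should fail closed needs an additional rule for instances whose flavor cannot be resolved.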

Example rules in murano app deployment

  1. Create environment with simple application

    • Choose the Git application from the Murano applications
    • Create it with the "m1.medium" instance flavor, which has 4096MB of RAM, so validation will fail


  2. Deploy environment

    • The environment ends in Status: Deploy FAILURE
    • Check the deployment log for the message built by the predeploy_errors rule:
