Vancouver OpenStack® Summit

© Copyright 2015 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The OpenStack wordmark and the Square O Design, together or in part, are trademarks or registered trademarks of OpenStack Foundation in the United States and other countries, and are used with the OpenStack Foundation's permission.

Policy Guided Fulfillment of Murano Applications



Radek Pospíšil / May 21 / [email protected]


Motivation: Integration of Business Policies and Application Model

What is Policy Guided Fulfillment?

• Business (management) policies and the application model are typically independent of each other

– The application designer models the application without knowledge of existing and/or future policies

– The system administrator defines business policies

• i.e., restrictions on and/or the intended state of the system

• typically without knowing which applications will be deployed

• An application can be affected by policies at deployment time and at runtime

– A policy can modify the application model before it is deployed (e.g., enable monitoring, …)

– Deployment of an application is cancelled if it violates policies

– A policy violation at runtime triggers an action (e.g., notification, remediation, …)


Examples of Business Policies

• Security policy rules

– Two nodes of a cluster cannot reside in the same security zone

– Networks used by the application must be trusted

– Storage must reside in a trusted zone

• Requirements policy rules

– All application layers must be monitored (SLA)

– The application must be composed of certified components

• Finance policy rules

– Placement is selected according to cost at deployment time

– Only given flavor sizes are allowed


Use Cases Delivered in Kilo

• Predeployment Policy Enforcement

– An application must comply with policies in order to be deployed

• Runtime Policy Enforcement

– It is possible to check whether a running application breaches policies

• Workflow Embracement

– A workflow can be executed as part of application deployment


How it works

[Architecture diagram] Actors: Application Designer (provides the Application), System Administrator (3. Creates Policies), Application Enduser. Components on OpenStack: Murano, Congress, Mistral, VM Instances. Flows between Murano and the other services: Predeployment Policy Enforcement and Runtime Policy Enforcement (Murano ↔ Congress), Workflow Embracement (Murano ↔ Mistral).


Policy Part: Murano – Congress Integration

Technical Deep Dive

• Mapping of the Murano environment object model to Congress policy tables

– A Murano environment is decomposed into the following tables

– Objects – holds the individual environment objects

• (e.g., common object types are environment, application, VM instance, …)

– Properties – holds the properties of objects

– ParentTypes – holds the full type information (all parent types) of objects

– States – holds the state of the environment

– Relationships – holds relationships between objects, together with their type

– Connected – holds all connected objects in the environment (both direct and indirect)

• Murano environments are pulled into Congress by a datasource driver

– For runtime enforcement

• Congress policy rules can trigger/execute actions

– Currently supports a nova client action

– For runtime enforcement


Policy Part: Policy Validation

Technical Deep Dive

• Deployment scenario

– predeploy_errors is the Congress table queried for deployment enforcement

• The administrator has to create rules that report violations into this table

– The Congress policy simulation API is used to check whether the environment violates policies

• The simulation input is the decomposed environment

• The simulation puts the data into the Congress DB only temporarily

• Runtime scenario

– No specific rule is named for runtime; it is up to the Congress administrator to specify how rule violations are handled in Congress

• passive (e.g., notification): data from such rules is read by the administrator

• active (e.g., action execution): the rule triggers an action execution in Congress

– The Murano Congress datasource driver pulls data from Murano environments, so Congress has up-to-date environment data available


Workflow Part

Technical Deep Dive

• Murano provides a Mistral client

• Application packages (MuranoPL) can use the Mistral client to

– Deploy a workflow to Mistral

– Execute the workflow

• Example (MuranoPL statements from an application's deploy method; $resources and $.mistralClient are assumed to have been initialised earlier in the class, and TestTomcat.yaml is the workflow definition shipped in the package's Resources folder)

    # endpoint of the deployed PetClinic, built from the Tomcat instance's floating IP
    - $ep: $.tomcat.instance.floatingIpAddress + ':8080/petclinic'
    - $this.find(std:Environment).reporter.report($this, 'Running at http://' + $ep)
    # read the workflow definition from the package resources and upload it to Mistral
    - $mistral_workflow: $resources.string('TestTomcat.yaml')
    - $.mistralClient.upload(definition => $mistral_workflow)
    # execute the uploaded workflow, passing the endpoint URL as its input
    - $.mistralClient.run(name => 'test_tomcat', inputs => dict(url => 'http://' + $ep))


Static Examples

Demo

• Full demo details are available at https://wiki.openstack.org/wiki/PolicyGuidedFulfillmentDemo

• Goal

– Allow deployment only of Murano environments running PetClinic with

• MySql in project demo

• PostgreSql in project qa


Business Policy Creation

Demo

    # Predeploy policy rule: every row reported into predeploy_errors blocks the deployment
    openstack congress policy rule create murano_system \
      'predeploy_errors(eid,oid,msg) :- murano:objects(oid,eid,type), murano:objects(eid,tid,"io.murano.Environment"), murano:parent_types(oid,"io.murano.Application"), tenantName(tid,tname), not allowedApp(type,tname), concat("Unsupported application detected: ", type, tmsg1), concat(tmsg1, ", ", tmsg2), objName(oid, oname), concat(tmsg2, oname, msg)'

    # Helper rules used by the predeploy rule (object name and tenant name lookups)
    openstack congress policy rule create murano_system 'objName(oid,oname) :- murano:properties(oid, "name", oname)'
    openstack congress policy rule create murano_system 'tenantName(tid, tname) :- keystone:tenants(en,desc,tname,tid)'

    # demo tenant: allowed application types (allow-list; anything not listed is rejected)
    openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.MySql", "demo")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "demo")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "demo")'

    # qa tenant: allowed application types
    openstack congress policy rule create murano_system 'allowedApp("io.murano.databases.PostgreSql", "qa")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.java.PetClinic", "qa")'
    openstack congress policy rule create murano_system 'allowedApp("io.murano.apps.apache.Tomcat", "qa")'
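The following is an added example, written for this page and not code from Murano, Congress or the demo. It shows in plain Python what the two "Technical Deep Dive" slides and the rules above amount to: the decomposition of one environment into the objects, properties, parent_types, relationships and connected tables, and the evaluation of the predeploy_errors rule over those tables. Assumptions the slides do not state: the column order of each table is taken from the demo's Datalog (objects(oid, owner_id, type), parent_types(oid, parent_type), properties(oid, name, value), relationships(source, target, name), connected(source, target)); the environment's owner id is the Keystone tenant id; the states table is not populated; the type hierarchy PARENT_TYPES, the tenant map TENANTS and the environment SAMPLE_ENV are constructed sample data, not real package metadata or a real deployment.

```python
"""Added example (not Murano/Congress code): flatten a Murano environment into the
Congress tables the slides list, then evaluate the demo's predeploy_errors rule.
Column orders follow the demo Datalog; all data below is constructed (see lead-in)."""

# Assumed type hierarchy standing in for what Murano's class loader feeds parent_types.
APP, OBJ = "io.murano.Application", "io.murano.Object"
PARENT_TYPES = {
    "io.murano.Environment": [OBJ],
    "io.murano.databases.MySql": [APP, OBJ],
    "io.murano.databases.PostgreSql": [APP, OBJ],
    "io.murano.apps.java.PetClinic": [APP, OBJ],
    "io.murano.resources.LinuxMuranoInstance": ["io.murano.resources.Instance", OBJ],
}


def transitive_closure(edges):
    """connected: every (source, target) reachable over one or more relationships."""
    adj, closure = {}, set()
    for src, dst in edges:
        adj.setdefault(src, set()).add(dst)
    for start in adj:
        stack, seen = list(adj[start]), set()
        while stack:
            node = stack.pop()
            if node not in seen:
                seen.add(node)
                closure.add((start, node))
                stack.extend(adj.get(node, ()))
    return closure


def decompose(env, tenant_id):
    """Object model ({"?": {"id", "type"}, <properties>...}) -> dict of table rows."""
    tables = {t: set() for t in ("objects", "properties", "parent_types",
                                 "relationships", "connected")}

    def walk(obj, owner_id):
        oid, otype = obj["?"]["id"], obj["?"]["type"]
        tables["objects"].add((oid, owner_id, otype))          # objects(oid, owner, type)
        for parent in PARENT_TYPES.get(otype, [OBJ]):
            tables["parent_types"].add((oid, parent))          # parent_types(oid, type)
        for prop, value in obj.items():
            if prop == "?":
                continue
            for item in (value if isinstance(value, list) else [value]):
                if isinstance(item, dict) and "?" in item:      # nested object
                    tables["relationships"].add((oid, item["?"]["id"], prop))
                    walk(item, oid)
                else:                                           # scalar property
                    tables["properties"].add((oid, prop, str(item)))

    walk(env, tenant_id)  # the environment itself is owned by the tenant
    tables["connected"] = transitive_closure((s, d) for s, d, _ in tables["relationships"])
    return tables


def predeploy_errors(tables, tenants, allowed_apps):
    """The demo rule, literal by literal: objects(oid,eid,type), objects(eid,tid,Env),
    parent_types(oid,Application), tenantName(tid,tname), not allowedApp(type,tname),
    objName(oid,oname), concat(...) -> msg.  tenants={tid: tname}, allowed_apps={(type,tname)}."""
    env_owner = {oid: own for oid, own, t in tables["objects"] if t == "io.murano.Environment"}
    apps = {oid for oid, parent in tables["parent_types"] if parent == APP}
    names = {oid: v for oid, prop, v in tables["properties"] if prop == "name"}
    errors = set()
    for oid, eid, otype in tables["objects"]:
        if eid not in env_owner or oid not in apps:
            continue
        tname = tenants.get(env_owner[eid])
        if tname is None or oid not in names:
            continue  # a positive join (tenantName / objName) failed: no row, no error
        if (otype, tname) in allowed_apps:
            continue  # negated literal: this app is allowed for this tenant
        errors.add((eid, oid, "Unsupported application detected: %s, %s" % (otype, names[oid])))
    return errors


# Constructed sample data: shape follows Murano's object model, not a real deployment.
def _app(oid, otype, name, vm_id, flavor, fip):
    return {"?": {"id": oid, "type": otype}, "name": name,
            "instance": {"?": {"id": vm_id, "type": "io.murano.resources.LinuxMuranoInstance"},
                         "name": vm_id, "flavor": flavor, "assignFloatingIp": fip}}

SAMPLE_ENV = {"?": {"id": "env-1", "type": "io.murano.Environment"}, "name": "petclinic-env",
              "applications": [_app("app-pg", "io.murano.databases.PostgreSql", "PostgreSql", "vm-pg", "m1.small", False),
                               _app("app-pc", "io.murano.apps.java.PetClinic", "PetClinic", "vm-pc", "m1.medium", True)]}
TENANTS = {"tid-demo": "demo", "tid-qa": "qa"}  # tenantName(tid, tname)
ALLOWED_APPS = ({(t, "demo") for t in ("io.murano.databases.MySql", "io.murano.apps.java.PetClinic",
                                       "io.murano.apps.apache.Tomcat")}
                | {(t, "qa") for t in ("io.murano.databases.PostgreSql", "io.murano.apps.java.PetClinic",
                                       "io.murano.apps.apache.Tomcat")})


def check_deployment(env, tenant_id):
    """Predeployment decision: sorted messages; Murano would deploy only if the list is empty."""
    errors = predeploy_errors(decompose(env, tenant_id), TENANTS, ALLOWED_APPS)
    return sorted(msg for _, _, msg in errors)


if __name__ == "__main__":
    for tid in ("tid-demo", "tid-qa"):
        print(tid, check_deployment(SAMPLE_ENV, tid) or "no violations")
```

Run as a script, the same environment is rejected for the demo tenant (PostgreSql is not on its allow-list) and accepted for qa. Two properties of the Datalog shape are easy to miss when reading the rules: `not allowedApp(type, tname)` is an allow-list, so any application type not asserted for a tenant is rejected, which is the safe default; but the rule only produces a row when every positive literal joins, so an environment whose tenant id has no match in keystone:tenants, or whose application carries no `name` property, yields no error and deploys unhindered. `check_deployment(SAMPLE_ENV, "tid-unknown")` returning an empty list in the example is that fail-open path; in a real policy it is worth a second rule that reports environments with no tenantName match.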


Invalid Environment Creation

Demo


Deployment Failure

Demo


Next Steps

• Runtime Remediation

– A policy identifies a problem (defect, breach, overload, …) in the application, then

• (Simple) the user/administrator is notified to deal with it

• (Advanced) a remediation Mistral workflow is started to deal with it

• More workflow integration in Murano

– Murano applications implemented by workflows

• Congress improvements

– Datasources

– UI


Resources

• https://wiki.openstack.org/wiki/PolicyGuidedFulfillment

• https://wiki.openstack.org/wiki/PolicyGuidedFulfillmentDemo

• http://murano.readthedocs.org/en/latest/articles/policy_enf_index.html

• https://wiki.openstack.org/wiki/Murano

• https://wiki.openstack.org/wiki/Congress

• https://wiki.openstack.org/wiki/Mistral

• Contact us via the Murano, Congress and Mistral IRC channels


Thank you