File: policy_enf_setup.rst

.. _policyenf_setup:

Setting up policy enforcement
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Before you use the policy enforcement feature, configure Murano and Congress
properly.

.. note::

   This article does not cover Murano and Congress configuration options
   useful for Murano application deployment, for example, DNS setup,
   floating IPs, and so on.

**To enable policy enforcement, complete the following tasks:**

#. In Murano:

   * Enable the ``enable_model_policy_enforcer`` option
     in the ``murano.conf`` file:

     .. code-block:: ini

        [engine]
        # Enable model policy enforcer using Congress (boolean value)
        enable_model_policy_enforcer = true

   * Restart murano-engine.

#. Verify that Congress is installed and available in your OpenStack
   environment. See the details in the `Congress official documentation
   <http://congress.readthedocs.org/en/latest/>`_.

#. `Install the congress command-line client
   <http://docs.openstack.org/user-guide/common/cli_install_openstack_command_line_clients.html>`_
   as any other OpenStack command-line client.

#. For Congress, configure the following policies that policy enforcement uses
   during the evaluation:

   * ``murano`` policy

     It is created by Congress' murano datasource driver, which is part of
     Congress. Configure it for the OpenStack project (tenant) where you plan
     to deploy your Murano application. The datasource driver retrieves
     deployed Murano environments and populates the tables of Congress'
     murano policy. See :ref:`policyenf_dev` for details.

     Remove the existing ``murano`` datasource, which uses the ``admin``
     project, and create a new one configured for the ``demo`` project by
     running:

     .. code-block:: console

        # remove the default murano datasource configuration, because it uses
        # the 'admin' project; we need the 'demo' project to be used
        openstack congress datasource delete murano
        openstack congress datasource create murano murano --config username="$OS_USERNAME" --config tenant_name="demo" --config password="$OS_PASSWORD" --config auth_url="$OS_AUTH_URL"

   * ``murano_system`` policy

     It holds the user-defined rules for policy enforcement. Typically,
     the rules use tables from other policies, for example, murano, nova,
     keystone, and others. Policy enforcement expects a ``predeploy_errors``
     table in this policy; the table appears once the ``predeploy_errors``
     rules are created.

     Create the ``murano_system`` policy and its base rule by running:

     .. code-block:: console

        # create murano_system policy
        openstack congress policy create murano_system

        # resolves objects within environment
        openstack congress policy rule create murano_system 'murano_env_of_object(oid,eid):-murano:connected(eid,oid), murano:objects(eid,tid,"io.murano.Environment")'

   * ``murano_action`` policy with internal management rules.

     These rules are used internally in the policy enforcement request
     and stored in a dedicated ``murano_action`` policy that is
     created here. They are important in case an environment is redeployed.

     .. code-block:: console

        # create murano_action policy
        openstack congress policy create murano_action --kind action

        # register action deleteEnv
        openstack congress policy rule create murano_action 'action("deleteEnv")'

        # states
        openstack congress policy rule create murano_action 'murano:states-(eid, st) :- deleteEnv(eid), murano:states( eid, st)'

        # parent_types
        openstack congress policy rule create murano_action 'murano:parent_types-(tid, type) :- deleteEnv(eid), murano:connected(eid, tid),murano:parent_types(tid,type)'
        openstack congress policy rule create murano_action 'murano:parent_types-(eid, type) :- deleteEnv(eid), murano:parent_types(eid,type)'

        # properties
        openstack congress policy rule create murano_action 'murano:properties-(oid, pn, pv) :- deleteEnv(eid), murano:connected(eid, oid), murano:properties(oid, pn, pv)'
        openstack congress policy rule create murano_action 'murano:properties-(eid, pn, pv) :- deleteEnv(eid), murano:properties(eid, pn, pv)'

        # objects
        openstack congress policy rule create murano_action 'murano:objects-(oid, pid, ot) :- deleteEnv(eid), murano:connected(eid, oid), murano:objects(oid, pid, ot)'
        openstack congress policy rule create murano_action 'murano:objects-(eid, tnid, ot) :- deleteEnv(eid), murano:objects(eid, tnid, ot)'

        # relationships
        openstack congress policy rule create murano_action 'murano:relationships-(sid, tid, rt) :- deleteEnv(eid), murano:connected(eid, sid), murano:relationships( sid, tid, rt)'
        openstack congress policy rule create murano_action 'murano:relationships-(eid, tid, rt) :- deleteEnv(eid), murano:relationships(eid, tid, rt)'

        # connected
        openstack congress policy rule create murano_action 'murano:connected-(tid, tid2) :- deleteEnv(eid), murano:connected(eid, tid), murano:connected(tid,tid2)'
        openstack congress policy rule create murano_action 'murano:connected-(eid, tid) :- deleteEnv(eid), murano:connected(eid,tid)'
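Once the steps above are done, a practitioner will want to confirm that ``enable_model_policy_enforcer`` actually landed in the ``[engine]`` section of ``murano.conf`` and that all three Congress policies exist. The following POSIX shell helpers are an added example, not code from the Murano project; the second one reads policy names on standard input so it can be fed the ``name`` column of ``openstack congress policy list`` (the client's ``-f value -c name`` output options).

```shell
#!/bin/sh
# Added example, not part of the Murano documentation: two post-setup checks.
# Assumption: murano.conf follows oslo.config INI syntax (sections in [],
# comments starting with # or ;, booleans true/false/yes/no/on/off/1/0).

# check_enforcer_enabled CONF
# Succeeds only if enable_model_policy_enforcer is true in the [engine]
# section. A commented-out line or the same key under another section
# (e.g. [DEFAULT]) does not count; if the key repeats, the last value wins,
# as it does in oslo.config.
check_enforcer_enabled() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   { sect = $0                    # new section header
                        sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
                        next }
        sect == "engine" && /^[ \t]*enable_model_policy_enforcer[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)            # keep text after "="
            sub(/[ \t].*$/, "", val)                 # drop trailing junk
            val = tolower(val)
            found = (val == "true" || val == "yes" || val == "on" || val == "1")
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# check_required_policies
# Reads Congress policy names from stdin, one per line, and fails if any
# of the three policies this guide creates is missing.
check_required_policies() {
    names=$(cat)
    missing=0
    for p in murano murano_system murano_action; do
        if ! printf '%s\n' "$names" | grep -qx "$p"; then
            echo "missing Congress policy: $p" >&2
            missing=1
        fi
    done
    return "$missing"
}
```

Typical use: ``check_enforcer_enabled /etc/murano/murano.conf`` and ``openstack congress policy list -f value -c name | check_required_policies``, both returning non-zero on a misconfiguration.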