Retire the Congress Specs project
Recently the TC has worked on determining the criteria for when an OpenStack project should be retired. When there was not a PTL nominee for the Congress project, that triggered the TC to review the project health per [1], and the TC has determined [2] that development work on the project has ceased. This decision was announced in the openstack-discuss mailing list in April 2020 [3]. This commit retires the repository per the process for governance removal in the Victoria cycle as specified in the Mandatory Repository Retirement resolution [4] and detailed in the infra manual [5]. Should interest in developing Congress as part of OpenStack revive, please revert this commit to have the project rejoin the list of active projects. The community wishes to express our thanks and appreciation to all of those who have contributed to the Congress project over the years. [1] https://governance.openstack.org/tc/reference/dropping-projects.html [2] http://eavesdrop.openstack.org/irclogs/%23openstack-tc/latest.log.html#t2020-04-20T15:36:59 [3] http://lists.openstack.org/pipermail/openstack-discuss/2020-April/014292.html [4] https://governance.openstack.org/tc/resolutions/20190711-mandatory-repository-retirement.html [5] https://docs.opendev.org/opendev/infra-manual/latest/drivers.html#retiring-a-project Change-Id: Ide2a1f572f046e2d9f1bf9468556dbb39c736c0f
This commit is contained in:
parent
9bf73cc80c
commit
1f031e89c2
|
@ -1,16 +0,0 @@
|
|||
# build
|
||||
.venv
|
||||
*.egg*
|
||||
*.swp
|
||||
*.swo
|
||||
*.pyc
|
||||
.stestr/
|
||||
|
||||
# Editors
|
||||
*~
|
||||
.*.swp
|
||||
.bak
|
||||
/.project
|
||||
|
||||
# Testenvironment
|
||||
.tox/
|
|
@ -1,3 +0,0 @@
|
|||
[DEFAULT]
|
||||
test_path=./tests
|
||||
top_dir=./
|
|
@ -1,9 +0,0 @@
|
|||
- project:
|
||||
templates:
|
||||
- openstack-specs-jobs
|
||||
check:
|
||||
jobs:
|
||||
- openstack-tox-py37
|
||||
gate:
|
||||
jobs:
|
||||
- openstack-tox-py37
|
201
LICENSE
201
LICENSE
|
@ -1,201 +0,0 @@
|
|||
Apache License
|
||||
Version 2.0, January 2004
|
||||
http://www.apache.org/licenses/
|
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
||||
|
||||
1. Definitions.
|
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction,
|
||||
and distribution as defined by Sections 1 through 9 of this document.
|
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by
|
||||
the copyright owner that is granting the License.
|
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all
|
||||
other entities that control, are controlled by, or are under common
|
||||
control with that entity. For the purposes of this definition,
|
||||
"control" means (i) the power, direct or indirect, to cause the
|
||||
direction or management of such entity, whether by contract or
|
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity
|
||||
exercising permissions granted by this License.
|
||||
|
||||
"Source" form shall mean the preferred form for making modifications,
|
||||
including but not limited to software source code, documentation
|
||||
source, and configuration files.
|
||||
|
||||
"Object" form shall mean any form resulting from mechanical
|
||||
transformation or translation of a Source form, including but
|
||||
not limited to compiled object code, generated documentation,
|
||||
and conversions to other media types.
|
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or
|
||||
Object form, made available under the License, as indicated by a
|
||||
copyright notice that is included in or attached to the work
|
||||
(an example is provided in the Appendix below).
|
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object
|
||||
form, that is based on (or derived from) the Work and for which the
|
||||
editorial revisions, annotations, elaborations, or other modifications
|
||||
represent, as a whole, an original work of authorship. For the purposes
|
||||
of this License, Derivative Works shall not include works that remain
|
||||
separable from, or merely link (or bind by name) to the interfaces of,
|
||||
the Work and Derivative Works thereof.
|
||||
|
||||
"Contribution" shall mean any work of authorship, including
|
||||
the original version of the Work and any modifications or additions
|
||||
to that Work or Derivative Works thereof, that is intentionally
|
||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
||||
or by an individual or Legal Entity authorized to submit on behalf of
|
||||
the copyright owner. For the purposes of this definition, "submitted"
|
||||
means any form of electronic, verbal, or written communication sent
|
||||
to the Licensor or its representatives, including but not limited to
|
||||
communication on electronic mailing lists, source code control systems,
|
||||
and issue tracking systems that are managed by, or on behalf of, the
|
||||
Licensor for the purpose of discussing and improving the Work, but
|
||||
excluding communication that is conspicuously marked or otherwise
|
||||
designated in writing by the copyright owner as "Not a Contribution."
|
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
||||
on behalf of whom a Contribution has been received by Licensor and
|
||||
subsequently incorporated within the Work.
|
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
copyright license to reproduce, prepare Derivative Works of,
|
||||
publicly display, publicly perform, sublicense, and distribute the
|
||||
Work and such Derivative Works in Source or Object form.
|
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of
|
||||
this License, each Contributor hereby grants to You a perpetual,
|
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
||||
(except as stated in this section) patent license to make, have made,
|
||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
||||
where such license applies only to those patent claims licensable
|
||||
by such Contributor that are necessarily infringed by their
|
||||
Contribution(s) alone or by combination of their Contribution(s)
|
||||
with the Work to which such Contribution(s) was submitted. If You
|
||||
institute patent litigation against any entity (including a
|
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
||||
or a Contribution incorporated within the Work constitutes direct
|
||||
or contributory patent infringement, then any patent licenses
|
||||
granted to You under this License for that Work shall terminate
|
||||
as of the date such litigation is filed.
|
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the
|
||||
Work or Derivative Works thereof in any medium, with or without
|
||||
modifications, and in Source or Object form, provided that You
|
||||
meet the following conditions:
|
||||
|
||||
(a) You must give any other recipients of the Work or
|
||||
Derivative Works a copy of this License; and
|
||||
|
||||
(b) You must cause any modified files to carry prominent notices
|
||||
stating that You changed the files; and
|
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works
|
||||
that You distribute, all copyright, patent, trademark, and
|
||||
attribution notices from the Source form of the Work,
|
||||
excluding those notices that do not pertain to any part of
|
||||
the Derivative Works; and
|
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its
|
||||
distribution, then any Derivative Works that You distribute must
|
||||
include a readable copy of the attribution notices contained
|
||||
within such NOTICE file, excluding those notices that do not
|
||||
pertain to any part of the Derivative Works, in at least one
|
||||
of the following places: within a NOTICE text file distributed
|
||||
as part of the Derivative Works; within the Source form or
|
||||
documentation, if provided along with the Derivative Works; or,
|
||||
within a display generated by the Derivative Works, if and
|
||||
wherever such third-party notices normally appear. The contents
|
||||
of the NOTICE file are for informational purposes only and
|
||||
do not modify the License. You may add Your own attribution
|
||||
notices within Derivative Works that You distribute, alongside
|
||||
or as an addendum to the NOTICE text from the Work, provided
|
||||
that such additional attribution notices cannot be construed
|
||||
as modifying the License.
|
||||
|
||||
You may add Your own copyright statement to Your modifications and
|
||||
may provide additional or different license terms and conditions
|
||||
for use, reproduction, or distribution of Your modifications, or
|
||||
for any such Derivative Works as a whole, provided Your use,
|
||||
reproduction, and distribution of the Work otherwise complies with
|
||||
the conditions stated in this License.
|
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
||||
any Contribution intentionally submitted for inclusion in the Work
|
||||
by You to the Licensor shall be under the terms and conditions of
|
||||
this License, without any additional terms or conditions.
|
||||
Notwithstanding the above, nothing herein shall supersede or modify
|
||||
the terms of any separate license agreement you may have executed
|
||||
with Licensor regarding such Contributions.
|
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade
|
||||
names, trademarks, service marks, or product names of the Licensor,
|
||||
except as required for reasonable and customary use in describing the
|
||||
origin of the Work and reproducing the content of the NOTICE file.
|
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
||||
agreed to in writing, Licensor provides the Work (and each
|
||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
implied, including, without limitation, any warranties or conditions
|
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
||||
appropriateness of using or redistributing the Work and assume any
|
||||
risks associated with Your exercise of permissions under this License.
|
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory,
|
||||
whether in tort (including negligence), contract, or otherwise,
|
||||
unless required by applicable law (such as deliberate and grossly
|
||||
negligent acts) or agreed to in writing, shall any Contributor be
|
||||
liable to You for damages, including any direct, indirect, special,
|
||||
incidental, or consequential damages of any character arising as a
|
||||
result of this License or out of the use or inability to use the
|
||||
Work (including but not limited to damages for loss of goodwill,
|
||||
work stoppage, computer failure or malfunction, or any and all
|
||||
other commercial damages or losses), even if such Contributor
|
||||
has been advised of the possibility of such damages.
|
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing
|
||||
the Work or Derivative Works thereof, You may choose to offer,
|
||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
||||
or other liability obligations and/or rights consistent with this
|
||||
License. However, in accepting such obligations, You may act only
|
||||
on Your own behalf and on Your sole responsibility, not on behalf
|
||||
of any other Contributor, and only if You agree to indemnify,
|
||||
defend, and hold each Contributor harmless for any liability
|
||||
incurred by, or claims asserted against, such Contributor by reason
|
||||
of your accepting any such warranty or additional liability.
|
||||
|
||||
END OF TERMS AND CONDITIONS
|
||||
|
||||
APPENDIX: How to apply the Apache License to your work.
|
||||
|
||||
To apply the Apache License to your work, attach the following
|
||||
boilerplate notice, with the fields enclosed by brackets "{}"
|
||||
replaced with your own identifying information. (Don't include
|
||||
the brackets!) The text should be enclosed in the appropriate
|
||||
comment syntax for the file format. We also recommend that a
|
||||
file or class name and description of purpose be included on the
|
||||
same "printed page" as the copyright notice for easier
|
||||
identification within third-party archives.
|
||||
|
||||
Copyright {yyyy} {name of copyright owner}
|
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
62
README.rst
62
README.rst
|
@ -1,54 +1,14 @@
|
|||
========================
|
||||
Team and repository tags
|
||||
========================
|
||||
=========================
|
||||
Welcome to Congress Specs
|
||||
=========================
|
||||
|
||||
.. image:: http://governance.openstack.org/badges/congress-specs.svg
|
||||
:target: http://governance.openstack.org/reference/tags/index.html
|
||||
This project is no longer maintained.
|
||||
|
||||
.. Change things from this point on
|
||||
The contents of this repository are still available in the Git
|
||||
source code management system. To see the contents of this
|
||||
repository before it reached its end of life, please check out the
|
||||
previous commit with "git checkout HEAD^1".
|
||||
|
||||
=================================
|
||||
OpenStack Congress Specifications
|
||||
=================================
|
||||
|
||||
This git repository is used to hold approved design specifications for additions
|
||||
to the Congress project. Reviews of the specs are done in gerrit, using a similar
|
||||
workflow to how we review and merge changes to the code itself.
|
||||
|
||||
The layout of this repository is::
|
||||
|
||||
specs/<release>/
|
||||
|
||||
You can find an example spec in `doc/source/specs/template.rst`.
|
||||
|
||||
Specifications are proposed for a given release by adding them to the
|
||||
`specs/<release>` directory and posting it for review. The implementation
|
||||
status of a blueprint for a given release can be found by looking at the
|
||||
blueprint in launchpad. Not all approved blueprints will get fully implemented.
|
||||
|
||||
Specifications have to be re-proposed for every release. The review may be
|
||||
quick, but even if something was previously approved, it should be re-reviewed
|
||||
to make sure it still makes sense as written.
|
||||
|
||||
Prior to the Juno development cycle, this repository was not used for spec
|
||||
reviews. Reviews prior to Juno were completed entirely through Launchpad
|
||||
blueprints::
|
||||
|
||||
http://blueprints.launchpad.net/congress
|
||||
|
||||
Please note, Launchpad blueprints are still used for tracking the
|
||||
current status of blueprints. For more information, see::
|
||||
|
||||
https://wiki.openstack.org/wiki/Blueprints
|
||||
|
||||
For more information about working with gerrit, see::
|
||||
|
||||
http://docs.openstack.org/infra/manual/developers.html#development-workflow
|
||||
|
||||
To validate that the specification is syntactically correct (i.e. get more
|
||||
confidence in the Jenkins result), please execute the following command::
|
||||
|
||||
$ tox
|
||||
|
||||
After running ``tox``, the documentation will be available for viewing in HTML
|
||||
format in the ``doc/build/`` directory.
|
||||
For any further questions, please email
|
||||
openstack-discuss@lists.openstack.org or join #openstack-dev on
|
||||
Freenode.
|
||||
|
|
|
@ -1,273 +0,0 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
#
|
||||
# Tempest documentation build configuration file, created by
|
||||
# sphinx-quickstart on Tue May 21 17:43:32 2013.
|
||||
#
|
||||
# This file is execfile()d with the current directory set to its containing dir.
|
||||
#
|
||||
# Note that not all possible configuration values are present in this
|
||||
# autogenerated file.
|
||||
#
|
||||
# All configuration values have a default; values that are commented out
|
||||
# serve to show the default.
|
||||
|
||||
import sys
|
||||
import os
|
||||
|
||||
# If extensions (or modules to document with autodoc) are in another directory,
|
||||
# add these directories to sys.path here. If the directory is relative to the
|
||||
# documentation root, use os.path.abspath to make it absolute, like shown here.
|
||||
#sys.path.insert(0, os.path.abspath('.'))
|
||||
|
||||
# -- General configuration -----------------------------------------------------
|
||||
|
||||
# If your documentation needs a minimal Sphinx version, state it here.
|
||||
#needs_sphinx = '1.0'
|
||||
|
||||
# Add any Sphinx extension module names here, as strings. They can be extensions
|
||||
# coming with Sphinx (named 'sphinx.ext.*') or your custom ones.
|
||||
extensions = ['sphinx.ext.autodoc',
|
||||
'sphinx.ext.todo',
|
||||
'sphinx.ext.viewcode',
|
||||
'openstackdocstheme'
|
||||
]
|
||||
|
||||
todo_include_todos = True
|
||||
|
||||
# Add any paths that contain templates here, relative to this directory.
|
||||
templates_path = ['_templates']
|
||||
|
||||
# The suffix of source filenames.
|
||||
source_suffix = '.rst'
|
||||
|
||||
# The encoding of source files.
|
||||
#source_encoding = 'utf-8-sig'
|
||||
|
||||
# The master toctree document.
|
||||
master_doc = 'index'
|
||||
|
||||
# General information about the project.
|
||||
project = u'Congress Specs'
|
||||
copyright = u'2014, Congress Contributors'
|
||||
|
||||
# The language for content autogenerated by Sphinx. Refer to documentation
|
||||
# for a list of supported languages.
|
||||
#language = None
|
||||
|
||||
# There are two options for replacing |today|: either, you set today to some
|
||||
# non-false value, then it is used:
|
||||
#today = ''
|
||||
# Else, today_fmt is used as the format for a strftime call.
|
||||
#today_fmt = '%B %d, %Y'
|
||||
|
||||
# List of patterns, relative to source directory, that match files and
|
||||
# directories to ignore when looking for source files.
|
||||
exclude_patterns = ['_build']
|
||||
|
||||
# The reST default role (used for this markup: `text`) to use for all documents.
|
||||
#default_role = None
|
||||
|
||||
# If true, '()' will be appended to :func: etc. cross-reference text.
|
||||
#add_function_parentheses = True
|
||||
|
||||
# If true, the current module name will be prepended to all description
|
||||
# unit titles (such as .. function::).
|
||||
add_module_names = False
|
||||
|
||||
# If true, sectionauthor and moduleauthor directives will be shown in the
|
||||
# output. They are ignored by default.
|
||||
show_authors = False
|
||||
|
||||
# The name of the Pygments (syntax highlighting) style to use.
|
||||
pygments_style = 'sphinx'
|
||||
|
||||
# A list of ignored prefixes for module index sorting.
|
||||
modindex_common_prefix = ['congress-specs.']
|
||||
|
||||
# -- Options for man page output ----------------------------------------------
|
||||
man_pages = []
|
||||
|
||||
# -- Options for HTML output ---------------------------------------------------
|
||||
|
||||
# The theme to use for HTML and HTML Help pages. See the documentation for
|
||||
# a list of builtin themes.
|
||||
html_theme = 'openstackdocs'
|
||||
|
||||
# Theme options are theme-specific and customize the look and feel of a theme
|
||||
# further. For a list of options available for each theme, see the
|
||||
# documentation.
|
||||
#html_theme_options = {}
|
||||
|
||||
# Add any paths that contain custom themes here, relative to this directory.
|
||||
#html_theme_path = []
|
||||
|
||||
# The name for this set of Sphinx documents. If None, it defaults to
|
||||
# "<project> v<release> documentation".
|
||||
#html_title = None
|
||||
|
||||
# A shorter title for the navigation bar. Default is the same as html_title.
|
||||
#html_short_title = None
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top
|
||||
# of the sidebar.
|
||||
#html_logo = None
|
||||
|
||||
# The name of an image file (within the static path) to use as favicon of the
|
||||
# docs. This file should be a Windows icon file (.ico) being 16x16 or 32x32
|
||||
# pixels large.
|
||||
#html_favicon = None
|
||||
|
||||
# If not '', a 'Last updated on:' timestamp is inserted at every page bottom,
|
||||
# using the given strftime format.
|
||||
git_cmd = "git log --pretty=format:'%ad, commit %h' --date=local -n1"
|
||||
html_last_updated_fmt = os.popen(git_cmd).read()
|
||||
|
||||
# If true, SmartyPants will be used to convert quotes and dashes to
|
||||
# typographically correct entities.
|
||||
#html_use_smartypants = True
|
||||
|
||||
# Custom sidebar templates, maps document names to template names.
|
||||
#html_sidebars = {}
|
||||
|
||||
# Additional templates that should be rendered to pages, maps page names to
|
||||
# template names.
|
||||
#html_additional_pages = {}
|
||||
|
||||
# If false, no module index is generated.
|
||||
html_domain_indices = False
|
||||
|
||||
# If false, no index is generated.
|
||||
html_use_index = False
|
||||
|
||||
# If true, the index is split into individual pages for each letter.
|
||||
#html_split_index = False
|
||||
|
||||
# If true, links to the reST sources are added to the pages.
|
||||
#html_show_sourcelink = True
|
||||
|
||||
# If true, "Created using Sphinx" is shown in the HTML footer. Default is True.
|
||||
#html_show_sphinx = True
|
||||
|
||||
# If true, "(C) Copyright ..." is shown in the HTML footer. Default is True.
|
||||
#html_show_copyright = True
|
||||
|
||||
# If true, an OpenSearch description file will be output, and all pages will
|
||||
# contain a <link> tag referring to it. The value of this option must be the
|
||||
# base URL from which the finished HTML is served.
|
||||
#html_use_opensearch = ''
|
||||
|
||||
# This is the file name suffix for HTML files (e.g. ".xhtml").
|
||||
#html_file_suffix = None
|
||||
|
||||
# Output file base name for HTML help builder.
|
||||
htmlhelp_basename = 'Congress-Specsdoc'
|
||||
|
||||
|
||||
# -- Options for LaTeX output --------------------------------------------------
|
||||
|
||||
latex_elements = {
|
||||
# The paper size ('letterpaper' or 'a4paper').
|
||||
#'papersize': 'letterpaper',
|
||||
|
||||
# The font size ('10pt', '11pt' or '12pt').
|
||||
#'pointsize': '10pt',
|
||||
|
||||
# Additional stuff for the LaTeX preamble.
|
||||
#'preamble': '',
|
||||
}
|
||||
|
||||
# Grouping the document tree into LaTeX files. List of tuples
|
||||
# (source start file, target name, title, author, documentclass [howto/manual]).
|
||||
latex_documents = [
|
||||
('index', 'Congress-specs.tex', u'Congress Specs',
|
||||
u'Congress Contributors', 'manual'),
|
||||
]
|
||||
|
||||
# The name of an image file (relative to this directory) to place at the top of
|
||||
# the title page.
|
||||
#latex_logo = None
|
||||
|
||||
# For "manual" documents, if this is true, then toplevel headings are parts,
|
||||
# not chapters.
|
||||
#latex_use_parts = False
|
||||
|
||||
# If true, show page references after internal links.
|
||||
#latex_show_pagerefs = False
|
||||
|
||||
# If true, show URL addresses after external links.
|
||||
#latex_show_urls = False
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
#latex_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
#latex_domain_indices = True
|
||||
|
||||
# -- Options for Texinfo output ------------------------------------------------
|
||||
|
||||
# Grouping the document tree into Texinfo files. List of tuples
|
||||
# (source start file, target name, title, author,
|
||||
# dir menu entry, description, category)
|
||||
texinfo_documents = [
|
||||
('index', 'Congress-specs', u'Congress Design Specs',
|
||||
u'Congress Contributors', 'congress-specs', 'Design specifications for the Congress project.',
|
||||
'Miscellaneous'),
|
||||
]
|
||||
|
||||
# Documents to append as an appendix to all manuals.
|
||||
#texinfo_appendices = []
|
||||
|
||||
# If false, no module index is generated.
|
||||
#texinfo_domain_indices = True
|
||||
|
||||
# How to display URL addresses: 'footnote', 'no', or 'inline'.
|
||||
#texinfo_show_urls = 'footnote'
|
||||
|
||||
|
||||
# -- Options for Epub output ---------------------------------------------------
|
||||
|
||||
# Bibliographic Dublin Core info.
|
||||
epub_title = u'Congress Specs'
|
||||
epub_author = u'Congress Contributors'
|
||||
epub_publisher = u'Congress Contributors'
|
||||
epub_copyright = u'2014, Congress Contributors'
|
||||
|
||||
# The language of the text. It defaults to the language option
|
||||
# or en if the language is not set.
|
||||
#epub_language = ''
|
||||
|
||||
# The scheme of the identifier. Typical schemes are ISBN or URL.
|
||||
#epub_scheme = ''
|
||||
|
||||
# The unique identifier of the text. This can be a ISBN number
|
||||
# or the project homepage.
|
||||
#epub_identifier = ''
|
||||
|
||||
# A unique identification for the text.
|
||||
#epub_uid = ''
|
||||
|
||||
# A tuple containing the cover image and cover page html template filenames.
|
||||
#epub_cover = ()
|
||||
|
||||
# HTML files that should be inserted before the pages created by sphinx.
|
||||
# The format is a list of tuples containing the path and title.
|
||||
#epub_pre_files = []
|
||||
|
||||
# HTML files shat should be inserted after the pages created by sphinx.
|
||||
# The format is a list of tuples containing the path and title.
|
||||
#epub_post_files = []
|
||||
|
||||
# A list of files that should not be packed into the epub file.
|
||||
#epub_exclude_files = []
|
||||
|
||||
# The depth of the table of contents in toc.ncx.
|
||||
#epub_tocdepth = 3
|
||||
|
||||
# Allow duplicate toc entries.
|
||||
#epub_tocdup = True
|
||||
|
||||
# -- Options for openstackdocstheme ---------------------------------------
|
||||
|
||||
repository_name = 'openstack/congress-specs'
|
||||
bug_project = 'congress-specs'
|
||||
bug_tag = ''
|
|
@ -1,100 +0,0 @@
|
|||
.. congress-specs documentation master file
|
||||
|
||||
===============================
|
||||
Congress Project Specifications
|
||||
===============================
|
||||
|
||||
Train approved specs:
|
||||
|
||||
..
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/train/*
|
||||
|
||||
Stein approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/stein/*
|
||||
|
||||
Rocky approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/rocky/*
|
||||
|
||||
Queens approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/queens/*
|
||||
|
||||
Pike approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/pike/*
|
||||
|
||||
Newton approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/newton/*
|
||||
|
||||
Mitaka approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/mitaka/*
|
||||
|
||||
Liberty approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/liberty/*
|
||||
|
||||
Kilo approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/kilo/*
|
||||
|
||||
Juno approved specs:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/juno/*
|
||||
|
||||
Spec Template:
|
||||
|
||||
.. toctree::
|
||||
:glob:
|
||||
:maxdepth: 1
|
||||
|
||||
specs/*
|
||||
|
||||
==================
|
||||
Indices and tables
|
||||
==================
|
||||
|
||||
* :ref:`search`
|
|
@ -1 +0,0 @@
|
|||
../../specs
|
|
@ -1,5 +0,0 @@
|
|||
openstackdocstheme>=1.18.1 # Apache-2.0
|
||||
pbr>=0.6,!=0.7,<1.0
|
||||
sphinx!=1.6.6,!=1.6.7,>=1.6.2;python_version>='3.4' # BSD
|
||||
stestr>=2.0.0
|
||||
testtools>=0.9.34
|
23
setup.cfg
23
setup.cfg
|
@ -1,23 +0,0 @@
|
|||
[metadata]
|
||||
name = congress-specs
|
||||
summary = OpenStack Congress Project Development Specs
|
||||
description-file =
|
||||
README.rst
|
||||
author = OpenStack
|
||||
author-email = openstack-discuss@lists.openstack.org
|
||||
home-page = http://specs.openstack.org/openstack/congress-specs/
|
||||
classifier =
|
||||
Intended Audience :: Developers
|
||||
License :: OSI Approved :: Apache Software License
|
||||
Operating System :: POSIX :: Linux
|
||||
|
||||
[build_sphinx]
|
||||
all_files = 1
|
||||
build-dir = doc/build
|
||||
source-dir = doc/source
|
||||
|
||||
[pbr]
|
||||
warnerrors = True
|
||||
|
||||
[wheel]
|
||||
universal = 1
|
22
setup.py
22
setup.py
|
@ -1,22 +0,0 @@
|
|||
#!/usr/bin/env python
|
||||
# Copyright (c) 2013 Hewlett-Packard Development Company, L.P.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
||||
# implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
|
||||
# THIS FILE IS MANAGED BY THE GLOBAL REQUIREMENTS REPO - DO NOT EDIT
|
||||
import setuptools
|
||||
|
||||
setuptools.setup(
|
||||
setup_requires=['pbr'],
|
||||
pbr=True)
|
|
@ -1,144 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Plexxi Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/plexxi-driver
|
||||
|
||||
This blueprint is to layout the design of a driver that integrates PlexxiCore
|
||||
into congress.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* A PlexxiCore Database can contain a vast wealth of information about a
|
||||
network that can be an asset to a Congress system in a network where
|
||||
Plexxi is present, and without this driver Congress does not have access
|
||||
to this data.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Integrate the Plexxi Driver driver.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Policy
|
||||
------------
|
||||
|
||||
This example compares data stored in the Plexxi tables with data stored in
|
||||
Nova tables and looks for Virtual Machines with names that are identical in
|
||||
both data sets
|
||||
|
||||
RepeatedName(vname,pvuuid)
|
||||
:- plexxi:vms(pvuuid,vname,phuuid,pvip,pvmaccount,pvaffin),
|
||||
nova:servers(nvuuid,vname,a,nstatus,b,c,d,num)
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
This driver provides monitoring of the Plexxi Core state as well
|
||||
and currently demonstrations reactive actions based on the data provided.
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
Primary: PlexxiCore
|
||||
Secondary: Nova/Congress - For demo policy
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Users of Congress who have PlexxiCore integrated in their network will now be
|
||||
able to access data stored in their PlexxiCore database through the congress
|
||||
API.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Network data stored in the PlexxiCore Database will now be accessible through
|
||||
Congress
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Conner-Ferguson
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
Plexxi Class package
|
||||
Plexxi-Core used within the network
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Documentation for the Driver is currently located in the bitbucket
|
||||
that found that can be found in the references section
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Working Demo -
|
||||
https://www.youtube.com/watch?v=ZAEydTlIW64
|
||||
Current Code Location -
|
||||
https://bitbucket.org/ConnerFerguson/plexxi-driver/overview
|
||||
Devloper Email -
|
||||
Conner.Ferguson1@marist.edu
|
||||
|
|
@ -1,124 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Cinder Data Source Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/cinder-data-source-driver
|
||||
|
||||
This blueprint is to add a data source driver for cinder.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A datasource driver is required to expose block storage parameters to the
|
||||
Congress policy framework so that we can write policies involving block storage
|
||||
entities. Cinder is the OpenStack component that provides block storage
|
||||
service. The cinder-datasource-driver interacts with cinderclient to provide
|
||||
block storage specific states to congress for policy monitoring.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add data source driver that integrates congress with cinder.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
This will use the congress language. cinder:volumes(X) etc.
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
Just monitoring right now.
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
Cinder
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
TBD
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Samta Rangare
|
||||
srangare@mvista.com
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Implement cinder driver with essential tables
|
||||
- Implement test code to test the driver
|
||||
- Implement tempest code for real-time tests
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
python-cinderclient
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Will need to add unit test code
|
||||
- Will add tempest tests.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,153 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Support for using Aggregates in Datalog
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/datalog-aggregates
|
||||
|
||||
|
||||
Aggregates in datalog are required for writing policies involving multiple
|
||||
records in a single ATOM.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
* Consider a policy statement "The maximum number of ports on the Subnet X
|
||||
belonging to tenant Y should not exceed N"
|
||||
To realize this policy, we need to use aggregations like COUNT, MAX, SUM etc.
|
||||
which span across multiple records of the table.
|
||||
* The current Datalog support in Congress does not allow writing policies with
|
||||
such aggregates.
|
||||
* Also there is no way to simulate aggregations using existing Datalog support.
|
||||
* When a policy engine subscribes to an aggregate on a data source table,
|
||||
the aggregates must be updated every time there is a change in the
|
||||
corresponding table.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
The aggregate support for Datalog allows writing policy atoms of the following
|
||||
form:
|
||||
|
||||
Example policies involving aggregates:
|
||||
|
||||
1. Restriction on number of ports on a subnet
|
||||
error(subnet) :- neutron:networks.subnets(subnet, port),
|
||||
neutron:ports(port, ip), count(num_port, port), not gt(num_port, 10)
|
||||
|
||||
2. Restriction on average CPU Load on a host
|
||||
error(host) :- ceilometer:meters(host, cpu_util), nova:servers(host, vm_host),
|
||||
average(avg_cpu, vm_host, cpu_util), not gt(avg_cpu, 80)
|
||||
average(x, y, z) :- sum(z, cpu_util), count(y, vm_host), div(x, z, y)
|
||||
|
||||
(Note: These are tentative policy statements and may be subject to change as
|
||||
the design/implementation progresses)
|
||||
|
||||
* The aggregates like "SUM", "COUNT" must be defined as ANTLR Terms and
|
||||
Congress must be able to parse and compile these terms.
|
||||
|
||||
The initial implementation will use SUM and COUNT as prototype aggregations.
|
||||
Other similar aggregates can be considered as enhancements to be taken up
|
||||
at a later date.
|
||||
|
||||
* The runtime execution should be able to update tables corresponding to the
|
||||
aggregate terms with computed values
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No data model changes are expected.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
This change does not impact REST APIs as the changes involved will only extend
|
||||
the policy syntax which is fed as input to the policy APIs
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
End user will be able to write policies involving aggregates.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Evaluation of policies involving aggregates may involve additional processing
|
||||
and thereby impacting performance.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Madhu Mohan (mmohan@mvista.com)
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Add new terms in Congress.g to allow ANTLR to recognize aggregate keywords
|
||||
* Extend parser/compiler to accept aggregate keywords as part of the rule
|
||||
syntax and validate
|
||||
* Extend runtime to compute aggregate values and update the corresponding
|
||||
tables
|
||||
* Add sufficient tests to validate support for aggregates
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Add test cases involving aggregates
|
||||
* Add Tempest tests
|
||||
* Create sample policies to test some real scenarios
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
* Docs for external consumption would need to be updated with explanation on
|
||||
writing aggregate-based policies
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
1. http://logic.stanford.edu/reports/LG-2012-01.pdf
|
|
@ -1,236 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add action execution interface
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/action-execution-interface
|
||||
|
||||
Add analogy to datasource driver for services that can execute actions.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Datasource drivers pull information from cloud services, allowing Congress
|
||||
to read the current state of the cloud (e.g. the list of all servers).
|
||||
Some cloud services also have the capacity to change the state of the cloud
|
||||
(e.g. create a new server). Today there is no way for the policy engine
|
||||
to ask for changes to be made in the state of the cloud. Congress needs
|
||||
an interface for cloud services that allows it to execute actions that
|
||||
change the state of the cloud.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This change will create a new (mix-in) class called ExecutionDriver that has
|
||||
one main function: execute(name, positional-args, named-args). That interface
|
||||
takes the name of the action, a list of its positional arguments, and a
|
||||
dictionary of its named arguments and executes that action on the cloud
|
||||
service.
|
||||
|
||||
This change will also overload the functionality of
|
||||
|
||||
policy/runtime.py:Runtime.execute()
|
||||
|
||||
in
|
||||
|
||||
policy/dseruntime.py:DseRuntime.execute()
|
||||
|
||||
so that a call to 'execute' by the policy engine will send a DSE message to
|
||||
the appropriate service to execute the ExecutionDriver:execute() function.
|
||||
This will be a unicast message from the policy engine to the appropriate
|
||||
service on the DSE. That service will be included in the name of the action,
|
||||
e.g. 'nova:disconnectNetwork' is an action that is sent to the 'nova' service.
|
||||
|
||||
As a starting point, this change will include an implementation of the
|
||||
ExecutionDriver mixin within datasources/nova_driver.py
|
||||
(or another service that the primary assignee chooses).
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
An alternative is to make the ExecutionDriver class not a mix-in but
|
||||
a standalone class, thereby having two separate files for each
|
||||
cloud service, e.g. nova_datasource_driver.py and nova_executor_driver.py.
|
||||
|
||||
Treating the ability to execute a service as an interface is beneficial
|
||||
because in reality services typically have some functionality that allows
|
||||
them to read the state of the cloud and other functionality that allows
|
||||
them to change the state of the cloud. Treating them as different files
|
||||
makes them seem to be separate services.
|
||||
|
||||
Another alternative choice in the design is to use publish/subscribe to
|
||||
communicate action execution between the policy engine and the instance
|
||||
of ExecutionDriver. Publish/subscribe has the drawback that it could
|
||||
result in multiple services subscribing to the same action (perhaps by
|
||||
accident) and a single 'execute' command producing several API calls
|
||||
modifying the state of the cloud. The unicast choice eliminates this
|
||||
as a potential problem (though admittedly eliminates the possibility
|
||||
of a use case where there are legitimately 2 different services that
|
||||
need to be informed of the action).
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
This is a step toward reactive enforcement.
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
Eventually all data sources will want to implement the ExecutionDriver
|
||||
interface.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
We will want to expose the policy/dse_runtime.py:DseRuntime.execute()
|
||||
command via the API.
|
||||
|
||||
Question: Should we rename the "data-sources" in the API to "cloud-services"?
|
||||
|
||||
|
||||
If so, then we'd have...
|
||||
|
||||
Execute an action on a specified service. ::
|
||||
|
||||
POST v1/cloud-services/nova?action=execute -d {'name': 'disconnectNetwork',
|
||||
'args': ['vm123', 'net456'],
|
||||
'options': {}}
|
||||
|
||||
|
||||
|
||||
Execute an action as if the given policy dictated it should be executed. ::
|
||||
|
||||
POST v1/policies/alice?action=execute -d {'name': 'nova:disconnectNetwork',
|
||||
'args': ['vm123', 'net456'],
|
||||
'options': {}}
|
||||
|
||||
|
||||
These API calls will have an empty response (HTTP code 204 perhaps) or an
|
||||
appropriate error response if there was an error raised *before* the API call
|
||||
was actually made. These API calls will return before the call we are
|
||||
executing returns.
|
||||
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
This change gives anyone with the ability to write policy the ability to
|
||||
execute API calls using the same rights Congress has been granted. Since
|
||||
we typically run Congress with administrative rights, we need to secure
|
||||
Congress authentication properly. But that is already accomplished because
|
||||
we use the standard Keystone authentication system.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
python-congressclient would need a new endpoint if we expose the execute()
|
||||
functionality via the API.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Because the DatasourceDriver and ExecutionDriver will most often be implemented
|
||||
as part of the same DSE instance, a poorly written ExecutionDriver could
|
||||
impair the ability of that driver to properly read information via the
|
||||
DatasourceDriver interface. The two pieces of functionality
|
||||
run in a single thread, i.e. either one runs or the other runs. This is
|
||||
actually beneficial because we would not want the driver to be pulling new
|
||||
data at the same time it executes a change in that data.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Rename folder congress/datasources to congress/cloudservices and change
|
||||
etc/congress/datasources.conf.sample appropriately. There may be other
|
||||
places that reference 'datasources' explicitly.
|
||||
|
||||
- Add congress/cloudservices/execution_driver.py to include the mixin class
|
||||
ExecutionDriver
|
||||
|
||||
- Implement policy/dseruntime.py:DseRuntime.execute() to send a unicast
|
||||
message to the appropriate service or raise an error if that service does
|
||||
not exist on the bus.
|
||||
|
||||
- Implement the ExecutionDriver for an existing service, e.g. Nova.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit tests that ensure a call to DseRuntime.execute() invokes the appropriate
|
||||
ExecutionDriver.execute().
|
||||
|
||||
- Tempest tests that invoke execute() and ensure the proper change actually
|
||||
happens.
|
||||
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Need to add description of actions and action format to docs, along with
|
||||
documentation for execute().
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,149 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add Extract-fn To All Translators
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/add-extract-fn-to-all-translators
|
||||
|
||||
This proposal would expand the general functionality of the translate_obj()
|
||||
method by adding a general extract-fn method to translators for HDICT, VDICT,
|
||||
and LIST. This gives datasource developers versatile tool to use when
|
||||
translating data into congress congress drivers.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Today, if a datasource returns an object that contains a json string instead
|
||||
of pure python objects, lists, and dicts, then the translator has no way to
|
||||
read data out of the json object.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
By including the extract-fn method as a translator, the translate_obj() method
|
||||
could then preprocess the data object with extract-fn before running the
|
||||
existing translation code. This way,the programmer can set the extract-fn to
|
||||
a json extractor to convert the json into a python object.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Currently if a datasource returns data in a non-standard format a driver
|
||||
developer can create unique methods inside their drivers to handle this data.
|
||||
This proposed change potentially eliminates the need for developers to
|
||||
individually generate code to use in their solutions by providing a tool to
|
||||
assist with translations in base driver class.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
This change provides developers more versatility when creating datasource
|
||||
drivers.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
|
||||
Primary assignee:
|
||||
Alex Yip
|
||||
|
||||
Other contributors:
|
||||
Conner Ferguson
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Add extract-fn as a parameter to HDICT, VDICT, and LIST translators.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
To test the results of this change, data will need to be passed through the
|
||||
extract-fn translator then this data will be checked to ensure that it is
|
||||
being displayed in the expected manor.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Minor additions to the datasource driver based class documentation to inform
|
||||
new developers about what the extract-fn method does as a translator.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,152 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add in list support for hdict
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/add-in-list-support-hdict
|
||||
|
||||
This blueprint is to add support for a new translator value called in-list
|
||||
which is useful in translating a hdict that contains another hdict which
|
||||
is a list.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Several datasources return data in the format of a dict(list(dict()) (for
|
||||
example neutron ports for fixed_ips)::
|
||||
|
||||
{
|
||||
"ports": [
|
||||
{
|
||||
"status": "DOWN",
|
||||
"id": "11ce1474-e395-4bda-b48c-820f0d542acd",
|
||||
"fixed_ips": [
|
||||
{
|
||||
"subnet_id": "e56370ba-d255-486c-9907-ad4c6aed0241",
|
||||
"ip_address": "10.2.0.2"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
|
||||
congress currently does not have an easy way to deal with data in this format
|
||||
unless an extra table is created. This blueprint is to provide an
|
||||
easy generic way to do so without creating the extra table.
|
||||
|
||||
|
||||
NOTE: I only plan to implement this at first for hdict because we believe we
|
||||
might be able to remove the vdict type as it might not be needed. If it
|
||||
turns out that we need vdict I'll implement this for vdict as well.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
To implement this solution I propose we add a new in-list attribute to the
|
||||
child translator. If present, the datasource driver class will just simply
|
||||
interate this list and treat each list element as an hdict.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
We could force a datasource driver to manually do this themselves though it
|
||||
would be better to automatically handle this for a user.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
New element 'in-list' can be specified in the translator.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Implement this feature.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* This needs to be done before we can refactor the neutron driver to remove
|
||||
the subtables that it creates.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Will document.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,188 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===============================
|
||||
Support basic high availability
|
||||
===============================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/basic-high-availability
|
||||
|
||||
Congress needs to support high availability (HA) for API requests so that
|
||||
a client can continue to make successful API requests to Congress even if a
|
||||
congress server becomes unavailable. This proposal describes a basic HA
|
||||
solution that replicates the entire Congress server as-is. Each replica runs
|
||||
the policy engine, contains all the table data, and runs the datasource
|
||||
drivers.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Today, Congress runs as a single standalone server. That single server is
|
||||
responsible for handling all API queries and is a single point of failure. If
|
||||
the server fails, it will cause downtime for clients that integrate Congress.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This spec proposes to
|
||||
* Replicate the entire Congress server
|
||||
* Use an off the shelf load balancer to distribute requests to the replicas
|
||||
and avoid failed replicas
|
||||
* Write API calls modify the database
|
||||
* Each replica periodically checks the database for changes to policy or
|
||||
datasources
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
A more advanced design separates the policy engine from the datasources, and
|
||||
replicates the policy engine N times, but uses a master-standby configuration
|
||||
for the datasource driver. This way only the master datasource driver talks
|
||||
to datasources thus reducing the load on datasources. The datasource
|
||||
communicates incoming data changes to the replica over a message bus. This
|
||||
change would require more code changes to separate the engine from the
|
||||
datasources and to change how the messaging bus works.
|
||||
|
||||
Yet another proposal is to funnel all datasource updates to a central machine
|
||||
which would precompute materialized views of all tables. This has the
|
||||
advantage of giving the replicated Congress API consistency, but it relies on
|
||||
a single machine to compute the materialized views, and relies on
|
||||
materializing the views which stores all intermediate table content in memory,
|
||||
which can consume an unmanagable amount of memory with many intermediate
|
||||
tables. This alternate proposal would also require a significant amount of
|
||||
code changes.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
We need to ensure that each data service (such as Nova or Neutron) can accept
|
||||
and handle requests from more than one datasource driver instance at the same
|
||||
time since each replica will be fetching data from each data service. In
|
||||
other words, if there are N replicas, then each data service must respond with
|
||||
all the data separate N times, and the data service must be able to cope with
|
||||
that higher request load.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Two API calls may return different data if a different replica serves each API
|
||||
call because both the data from the datasources and the policy rules may be
|
||||
out of sync between two replicas. The rate at which each replica checks the
|
||||
database for updates can limit the problem for policy rules, but data skew
|
||||
will still affect the replicas.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
This change should improve throughput for the Congress server since there can
|
||||
be multiple replicas instead of a single server. However, there may be an
|
||||
impact on datasources since each replica will be requesting data from the
|
||||
datasource. The period database requests to check for updates should have a
|
||||
minimal impact on performance.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
All shared state must be stored in the database, and periodically checked at
|
||||
all replicas.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
ayip@vmware.com
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Add period check for database updates and add a test
|
||||
* Add a test that starts two replicas and queries both
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Start two replicas, using the same database. Write a policy change on one
|
||||
replica and check that the policy change occurs on the second replica.
|
||||
|
||||
Start two replicas, and kill one. Make sure the second replica can still
|
||||
serve requests. Start first replica again and make sure it can still serve
|
||||
requests.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
We should add a description of how to configure Congress in HA mode, with a
|
||||
load balancer and a shared database.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,256 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Example Spec - The title of your blueprint
|
||||
==========================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/datalog-column-names
|
||||
|
||||
Writing policy can be challenging when tables have many columns.
|
||||
This spec aims to give end users the ability to write policy by
|
||||
referencing column names directly in Datalog rules.
|
||||
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
The main problem is that wide tables (those with many columns) are hard to use.
|
||||
(a) it is hard to remember what all the columns are,
|
||||
(b) it is easy to mistakenly use the same variable in two different tables in
|
||||
the body of the rule,
|
||||
i.e. to create an accidental join,
|
||||
(c) changes to the datasource drivers can require tedious/error-prone
|
||||
modifications to policy.
|
||||
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Today people write policy statements as follows:
|
||||
|
||||
error(net) :-
|
||||
neutron:networks(x0,x1,net,x3,x4,x5,x6,x7,x8,x9,x10),
|
||||
...
|
||||
|
||||
This change enables an alternative syntax where columns are referenced by name
|
||||
instead
|
||||
of position.
|
||||
|
||||
error(net) :-
|
||||
neutron:networks(id=net),
|
||||
...
|
||||
|
||||
To implement this change, we will expand the grammar to accept column-name
|
||||
references and modify the AST constructor to translate the rules from
|
||||
column-name references back into position references.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
There were 2 alternatives described in a ML discussion.
|
||||
|
||||
2) Be disciplined about writing narrow tables and write
|
||||
tutorials/recommendations demonstrating how.
|
||||
|
||||
Instead of a table like...
|
||||
neutron:ports(port_id, addr_pairs, security_groups, extra_dhcp_opts,
|
||||
binding_cap, status, name, admin_state_up, network_id, tenant_id, binding_vif,
|
||||
device_owner, mac_address, fixed_ips, router_id, binding_host)
|
||||
|
||||
we would have many tables...
|
||||
neutron:ports(port_id)
|
||||
neutron:ports.addr_pairs(port_id, addr_pairs)
|
||||
neutron:ports.security_groups(port_id, security_groups)
|
||||
neutron:ports.extra_dhcp_opts(port_id, extra_dhcp_opts)
|
||||
neutron:ports.name(port_id, name)
|
||||
...
|
||||
|
||||
People writing policy would write rules such as ...
|
||||
|
||||
p(x) :- neutron:ports.name(port, name), ...
|
||||
|
||||
[Here, the period e.g. in ports.name is not an operator--just a convenient
|
||||
way to spell the tablename.]
|
||||
|
||||
To do this, Congress would need to know which columns in a table are sufficient
|
||||
to uniquely identify a row, which in most cases is just the ID.
|
||||
|
||||
Pros:
|
||||
(i) this requires only changes in the datasource drivers; everything else
|
||||
remains the same
|
||||
(ii) still leveraging database technology under the hood
|
||||
(iii) policy is robust to changes in fields of original data
|
||||
|
||||
Cons:
|
||||
(i) datasource driver can force policy writer to use wide tables
|
||||
(ii) this data model is much different than the original data models
|
||||
(iii) we need primary-key information about tables
|
||||
|
||||
3) Enhance the Congress policy language to handle objects natively.
|
||||
|
||||
Instead of writing a rule like the following ...
|
||||
|
||||
p(port_id, name, group) :-
|
||||
neutron:ports(port_id, addr_pairs, security_groups, extra_dhcp_opts,
|
||||
binding_cap, status, name, admin_state_up, network_id, tenant_id,
|
||||
binding_vif, device_owner, mac_address, fixed_ips, router_id, binding_host),
|
||||
neutron:ports.security_groups(security_group, group)
|
||||
|
||||
we would write a rule such as
|
||||
p(port_id, name) :-
|
||||
neutron:ports(port),
|
||||
port.name(name),
|
||||
port.id(port_id),
|
||||
port.security_groups(group)
|
||||
|
||||
The big difference here is that the period (.) is an operator in the language,
|
||||
just as in C++/Java.
|
||||
|
||||
Pros:
|
||||
(i) The data model we use in Congress is almost exactly the same as the data
|
||||
model we use in Neutron/Nova.
|
||||
|
||||
(ii) Policy is robust to changes in the Neutron/Nova data model as long as
|
||||
those changes only ADD fields.
|
||||
|
||||
(iii) Programmers may be slightly more comfortable with this language.
|
||||
|
||||
Cons:
|
||||
(i) The obvious implementation (changing the engine to implement the (.)
|
||||
operator directly is quite a change from traditional database technology.
|
||||
At this point, that seems risky.
|
||||
|
||||
(ii) It is unclear how to implement this via a preprocessor (thereby
|
||||
leveraging database technology). The key problem I see is that we would need
|
||||
to translate port.name(...) into something like option (2) above. The
|
||||
difficulty is that TABLE could sometimes be a port, sometimes be a network,
|
||||
sometimes be a subnet, etc.
|
||||
|
||||
(iii) Requires some extra syntactic restrictions to ensure we don't lose
|
||||
decidability.
|
||||
|
||||
(iv) Because the Congress and Nova/Neutron models are the same, changes to
|
||||
the Nova/Neutron model can require rewriting policy.
|
||||
|
||||
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
error(net) :-
|
||||
neutron:networks(id=net)
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
String-arguments to API calls representing policy can use either
|
||||
position or column syntax.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Other UIs can expose this enhanced syntax, but since currently all UIs
|
||||
just pass policy statements as strings, they will require no actual changes
|
||||
to leverage the enhancement.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Should have no performance impact, with the possible exception that
|
||||
eventually we will want to reverse the preprocessing step for tracing
|
||||
so that we present users with a more intuitive trace.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
thinrich
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Modify grammar
|
||||
* Make datasource schemas available to runtime
|
||||
* Add preprocessor to rule AST constructor to convert column references into
|
||||
positional references.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
The following change makes datasource schema available to policy engine
|
||||
|
||||
Change-Id: I7cfbd82c721509634c0acfd51e66031af2ed7f2d
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
No tempest tests are necessary. Unit tests only.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Should include modifications to docs to simplify the examples that use
|
||||
tables with many columns. Will also require modifying the section where
|
||||
we introduce Datalog.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Mailing list discussion:
|
||||
* http://lists.openstack.org/pipermail/openstack-dev/2014-August/041862.html
|
||||
|
|
@ -1,340 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========
|
||||
Datalog-ng
|
||||
==========
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/datalog-ng
|
||||
|
||||
Congress needs an easy-to-use declarative language for expressing policy. This
|
||||
design specification describes Datalog-ng, a version of standard Datalog that
|
||||
has some extra features that are required for data querying and manipulation in
|
||||
general and declarative networking in particular.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Congress needs an expressive policy language that is both easy-to-use as well
|
||||
as efficient for information processing and declarative networking. Datalog is
|
||||
a declarative language that provides a higher-level abstraction for querying
|
||||
graphs and relational structures. It defines an efficient, recursive, query
|
||||
execution and incremental data update mechanisms based on the relational model.
|
||||
This design specification specifies a formal EBNF grammar for Datalog-ng, an
|
||||
extension of Datalog that 1) enables tables to be referenced more easily in
|
||||
queries, 2) defines syntax for adding and removing facts from the policy
|
||||
database, 3) defines syntax for rules, queries, and constraints.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This specification proposes a generalization of Datalog, called Datalog-ng,
|
||||
which is suitable for declarative networking. The grammar will be defined in
|
||||
Extended Backus-Naur Form (EBNF) [2]_. An EBNF specification is
|
||||
platform-neutral, and formally defines the syntax of a language. Note that the
|
||||
full expressive power of EBNF will NOT be used; this enables access to a wider
|
||||
variety of tools that may not be able to understand all of the EBNF standard.
|
||||
Hence, a wider variety of tools can be used to implement a parser, an
|
||||
interpreter, and/or a compiler. See [3]_ for more information on the benefits
|
||||
of formally defining a grammar.
|
||||
|
||||
Change #1: Table Referencing
|
||||
[1]_ says: "Conceptually, Datalog describes policy in terms of a collection
|
||||
of tables." Tables are a simple way of conveying information, and lend
|
||||
themselves to querying, editing, and reporting. Policy rules can be thought of
|
||||
as how input from one or more tables can be transformed into output in one or
|
||||
more tables. Tables are full-fledged objects, so this enables us to not only
|
||||
reuse tables (i.e., the actual data), but also reuse the policies that created
|
||||
the data. However, tables that have a large number of columns are hard to use,
|
||||
since there is no simple way to reference their name, or even know the number
|
||||
of columns they have. In addition, there is no way for a policy to know about
|
||||
changes in the table, so it would likely break as well.
|
||||
|
||||
Change #2: Fact Semantics
|
||||
Datalog (and Datalog-ng) work by adding facts into, and removing facts from,
|
||||
the database. However, there is no standard way for a policy author to
|
||||
introduce semantics associated with these operations. For example, if a fact is
|
||||
removed by one policy rule, it could adversely affect other policy rules that
|
||||
were going to use that rule.
|
||||
|
||||
Change #3: Query and Rule Semantics
|
||||
Formal semantics need to be added to standardize how queries and rules are
|
||||
expressed and evaluated. Currently, there is no query semantics, but this is
|
||||
very easy to add.
|
||||
|
||||
Change #4: Constraints
|
||||
Currently, there is no way to express constraints in Datalog. For example, if
|
||||
table A has four columns, and if one of the columns must not be null, then
|
||||
there is no way to check that an insert of three values into a row will fail or
|
||||
not. Similarly, if there are semantic constraints (e.g., row #3 must use one of
|
||||
a set of enumerated values), or data type constraints, incorrect entries will
|
||||
either be very hard or impossible to check, and will fail when applied. This
|
||||
may be delayed, due to its difficulty and potential to introduce problems.
|
||||
|
||||
Change #5: Safety
|
||||
Currently, there is no way to guarantee rule safety. For example, the following
|
||||
queries are NOT safe: ::
|
||||
|
||||
foo(X, Y, Z) :- rel1(X, y) & X < Z
|
||||
foo(X, Y, Z) :- rel1(X, Y) & NOT rel2(X, Y, Z)
|
||||
foo(X, Y) :- rel1(X)
|
||||
|
||||
Change #6: Grammatical Improvements
|
||||
Datalog is powerful, but somewhat hard to use. A set of "syntactical sugar"
|
||||
will be defined to make Datalog easier to use, especially for the native Python
|
||||
developer.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Traditional policy rules take the form of statements that have either two or
|
||||
three clauses [5]_ ; they are called ECA (event-condition-action) and CA
|
||||
(condition-action): ::
|
||||
|
||||
ON <event-clause> IF <condition-clause> THEN <action-clause>
|
||||
or
|
||||
IF <condition-clause> THEN <action-clause>
|
||||
|
||||
In both ECA and CA, each clause can be a Boolean combination of atoms. However,
|
||||
there are other types of policy rules:
|
||||
• Goal policies
|
||||
• Utility functions
|
||||
• Promises
|
||||
[6]_ covers the first two, and [7]_ is the latest of Mark's publications on
|
||||
promise theory. All three of the above are different in form and function than
|
||||
ECA and CA policy rules. Datalog-ng can model the intent of most of these forms
|
||||
of policy rules, which is what is needed in Congress – the ability to
|
||||
declaratively specify intent.
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
Uses of Congress Policy Rules
|
||||
Possible candidates include:
|
||||
|
||||
* Monitoring
|
||||
* Reporting (including filtering for selected values, so the user is not
|
||||
inundated with data)
|
||||
* Configuring a device reactively (e.g., a threshold was violated)
|
||||
* Configuring a device proactively (e.g., trending analysis predicts that a
|
||||
threshold will be violated in the future)
|
||||
|
||||
The first three are straightforward; the latter may be pushed beyond the Kilo
|
||||
release.
|
||||
|
||||
Policy Rule Implementation Alternatives
|
||||
The advantages of Datalog are that it is a declarative subset of first-order
|
||||
logic. Declarative languages express the logic in a task without specifying the
|
||||
flow of control to perform the task. First-order logic is a formal system of
|
||||
logic in which each statement consists of a subject and a predicate. A
|
||||
predicate can only refer to a single subject. Sentences are combined and
|
||||
manipulated using the same rules as those used in Boolean algebra. Two
|
||||
quantifiers exist: "for all" and "for some" (higher-order logics have
|
||||
additional quantifiers, such as "for every property of an object").
|
||||
|
||||
Datalog is thus more powerful than simple propositional logic, but not as
|
||||
powerful as first-order logic. However, it provides a combination of power and
|
||||
simplicity that is hard to match.
|
||||
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
This section will describe where the data is coming from. It will define
|
||||
exemplar projects that produce these data.
|
||||
|
||||
Data Sinks
|
||||
This section will describe who is consuming the data. It will define
|
||||
exemplar
|
||||
projects that consume these data.
|
||||
|
||||
Future Extensions
|
||||
Since Datalog-ng is based on a subset of first-order logic, it also provides
|
||||
formal reasoning and analysis. This is most likely the subject for the next
|
||||
version of this specification, but it should be kept in mind so that we do not
|
||||
limit this feature in any way.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Policy can contain the proverbial "keys to the kingdom". So, if someone
|
||||
hacks their way into the system and can start issuing policies, game over.
|
||||
Therefore, some type of access control should be used with policy-based
|
||||
systems.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Datalog-ng is intended for Developers and Administrators, not End Users.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
For this to work in a secure manner, I really think we need to operate in a
|
||||
secure environment, such as role-based access control (RBAC).
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Implementation will provide policy writers with a richer set of options
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
straz
|
||||
|
||||
Other contributors:
|
||||
thinrichs, sarob
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
The following is a short description of how the above changes will be addressed
|
||||
in this specification.
|
||||
|
||||
Change #1: Table Referencing
|
||||
Table referencing will be supported by introducing namespaces into the policy
|
||||
grammar, as well as supporting syntax, to allow tables and table elements to be
|
||||
referred to by name and/or relative position.
|
||||
|
||||
Change #2: Fact Semantics
|
||||
New syntax will be added to differentiate between adding and removing a fact.
|
||||
This will enable optional rules to identify these operations and perform
|
||||
additional tasks, if required.
|
||||
|
||||
Change #3: Query and Rule Semantics
|
||||
This change involves adding dedicated syntax for differentiating between rules
|
||||
and queries.
|
||||
|
||||
Change #4: Constraints
|
||||
There are many types of constraints that can be enforced. The first set of
|
||||
examples comes from relational theory. For the following definitions, assume
|
||||
that a table represents an entity, such as a router or a network. Note that
|
||||
these types of constraints are critical for being able to safely reference
|
||||
different tables from different namespaces.
|
||||
|
||||
* Entity integrity: a row has a unique identifier, called a primary key. The
|
||||
primary key is unique and not null. This enables each row in the entity to
|
||||
be identified.
|
||||
* Referential integrity: sometimes, tables reference other tables. A foreign
|
||||
key is a set of attributes in one table that uniquely identifies a row of
|
||||
another table a primary key from one table that appears in another table.
|
||||
Referential integrity defines the dependency of one table on another table.
|
||||
* Value constraints: data has constraint(s) on the value(s) that it can take
|
||||
on. For example, a physical chassis can only be mounted in a single rack.
|
||||
* Domain constraints: entity attributes in a given domain are restricted in
|
||||
one or more ways. For example, the sum of two values from two columns in the
|
||||
same row is less than or equal to another value. This generally include data
|
||||
type, data value, and the defaulting of values.
|
||||
|
||||
The second set of examples comes from applications of security. In this view, a
|
||||
constraint is an assertion that needs to be satisfied. The typical example is
|
||||
that a policy should be able to specify the resources that a user (or
|
||||
application) can access, as well as the set of operations that this user can
|
||||
perform on that set of resources. For example, specifying permissions for all
|
||||
sub-directories and files under a given directory in intractable in Datalog,
|
||||
because the set of resources could be infinite, and Datalog does not have
|
||||
function symbols.
|
||||
|
||||
This will be defined using constraint domains, and is an optional part of the
|
||||
Datalog-ng language. It may be pushed out beyond Kilo if it becomes too
|
||||
difficult.
|
||||
|
||||
Change #5: Safety
|
||||
A rule is safe if all of the variables in the head of the rule also occur in a
|
||||
positive, non-arithmetic literal in the body of the rule. This guarantees
|
||||
termination of the rule. The grammar should include safety checks to protect
|
||||
developers from themselves. :-)
|
||||
|
||||
Change #6: Grammatical Improvements
|
||||
A set of grammatical improvements will be defined to simplify the use of
|
||||
Datalog-ng, and especially to make its syntax friendlier to Python developers.
|
||||
Examples include more recognizable comments (e.g., familiar "//" or
|
||||
"/*..*/" instead of the native Datalog '%'), the ability to use single
|
||||
and/or double quotes, and English equivalents to some commands
|
||||
(e.g., '!' or 'NOT' or 'not').
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
This spec may be broken up into multiple blueprints for implementation. The
|
||||
list of spec and/or blueprints will be listed at the top of this spec.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
The following are references for this specification.
|
||||
|
||||
.. [1] Congress Design, http://goo.gl/YFd2Fr
|
||||
.. [2] ISO/IEC, "Information technology - Syntactic metalanguage - Extended
|
||||
BNF", 14977, 12/15/1996
|
||||
.. [3] J. Strassner, "A Gentle Introduction to EBNF", TBD
|
||||
.. [4] Congress Policy Workshop, TBD
|
||||
.. [5] J. Strassner, "Policy Based Network Management", Morgan Kaufman
|
||||
Publishing, 978-1558608597, 9/2003
|
||||
.. [6] J. Strassner, J. Kephart, "Autonomic Systems and Networks – Theory and
|
||||
Practice", NOMS 2006 Tutorial
|
||||
.. [7] M. Burgess, J. Bergstra, "Promise Theory - An Introduction", xtAxis
|
||||
Press, 2014
|
|
@ -1,168 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
======================
|
||||
Add Control Bus to DSE
|
||||
======================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/dse-control-bus
|
||||
|
||||
Nodes participating on the data services engine (DSE) bus need a means of
|
||||
discovering each other and their exposed data types. Currently a periodic
|
||||
broadcast mechanism is used for this purpose. While effective, these
|
||||
broadcasts are inefficient, and complicate debugging.
|
||||
|
||||
Instead of using the exiting broadcast-based discovery mechanism, nodes on
|
||||
the DSE should publish events on a well-known "collections registry,"
|
||||
that every node subscribes to.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Distribution of DSE endpoint information is currently performed using an
|
||||
inefficient broadcast mechanism. Instead, this information should be
|
||||
delivered only when changes occur, or when specifically requested.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
* All instances of deepSix will subscribe to a well-known table,
|
||||
which we will refer to as the 'collection registry'.
|
||||
* When the data indexes exposed by a deepSix instance changes (including
|
||||
instance startup), the instance will publish an update to the collection
|
||||
registry.
|
||||
* Each deepsix instance will maintain a list of it's data_indexes that it has
|
||||
a desired subscription for. The instance will do a lookup in it's local
|
||||
copy of the collection registry to find associated endpoints to send
|
||||
subscription requests to. As changes occur to the collection registry,
|
||||
each instance will re-evaluate it's own subscriptions against these
|
||||
updates.
|
||||
* There is a collection registry per instance of the DSE. In a hierarchical
|
||||
DSE, there could be multiple registries.
|
||||
* The periodic broadcast of data_index information can be removed after
|
||||
these changes.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
We can continue to use the existing mechanism as an alternative, but
|
||||
difficulties with inefficiencies and complex debugging will grow substantially
|
||||
as the number of nodes on the bus increases.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
At runtime, this change will reduce the time it takes to distribute
|
||||
information about new nodes in the system. It will also reduce the overall
|
||||
"chatter" on the bus by eliminating unnecessary broadcasts. We anticipate
|
||||
the reduction in chatter will greatly simplify debugging the message bus.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
None
|
||||
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
The existing testing framework is sufficient to test to change.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,148 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=============================================
|
||||
Get status from the cage about dataservices
|
||||
=============================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/dse-dataservices-status
|
||||
|
||||
Get metrics about the data services and have it available
|
||||
through the api. This information will include things so that the policy engine
|
||||
will know the status of the data services and when a data service is not able
|
||||
to do its job correctly.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently each of the datasources implemented as nodes in the DSE have
|
||||
2 fields for status: the time the datasource last refreshed its data and
|
||||
the last error that was generated when it tried to refresh its data.
|
||||
But there are additional metrics that would be
|
||||
nice to have as part of the status of a datasource/DSE node, e.g. outstanding
|
||||
messages, message rate, subscribers, subscriptions.
|
||||
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This change will add a status() method to each DSE node that returns
|
||||
a dictionary of useful information about that node. The node will
|
||||
also compute those metrics and will be configurable so that metrics
|
||||
that are expensive to compute can be turned off.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The status() information could be implemented on top of DSE instead of
|
||||
directly within DSE. But doing so would break the abstraction that
|
||||
DSE provides: a message bus that takes care of message queues, message
|
||||
delivery, queueing times, etc.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None since the API already exposes a 'status' query for each datasource.
|
||||
But the implementation of that API will change to incorporate the additional
|
||||
status information provided by DSE.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
It will be possible to turn off high-cost status computation; thus, people
|
||||
can decide whether each status item is worth the cost of computing it.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Add implementations for metrics. The decision as to whether the metric
|
||||
is continually computed or computed on demand will be made on a
|
||||
metric-by-metric basis.
|
||||
|
||||
- Add status() method to DeepSix class and return a dictionary of metrics.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests will suffice: simulate activity in the DSE and check that the
|
||||
status metrics are as expected. Ideally would also simulate metric computation
|
||||
under load.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,165 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Explicit reactive enforcement
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/explicit-reactive-enforcement
|
||||
|
||||
Enable policy writers to describe conditions under which Congress should
|
||||
execute specific actions, e.g. when a network is connected to a VM that
|
||||
contains a virus, disconnect it from the internet.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently Congress takes no direct actions to help a cloud obey
|
||||
the policy that governs it. Today Congress can identify violations of
|
||||
policy but it cannot correct them.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This change enables policy writers to include policy snippets such as
|
||||
the one below to encode instructions for how Congress ought to
|
||||
react to changes in the cloud. It enables the policy writer to dictate
|
||||
that Congress must execute certain actions under certain conditions.
|
||||
|
||||
// disconnect a VM from the network whenever it is infected by a virus::
|
||||
|
||||
execute[disconnectNetwork(vm, network=net)] :-
|
||||
antivirus:infected(vm),
|
||||
nova:network(vm, net)
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
This same kind of functionality could be written in a traditional programming
|
||||
language such as Python, instead of encoded as policy. But the benefit
|
||||
of doing it as policy is that we can build analysis tools that help
|
||||
policy authors understand if they have created infinite loops and other
|
||||
undesirable featues.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
See example above.
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
The purpose of this blueprint is to implement a form of reactive enforcement.
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None. This functionality is leveraged by writing policy statements,
|
||||
which the existing API already handles properly.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
One potential security impact is that Congress typically runs as an
|
||||
administrator and thus all the actions that Congress executes will be
|
||||
as an administrator as well. Thus for the first time a security breach
|
||||
into Congress means a security breach into all of the services that
|
||||
Congress is permitted to execute actions on. Though in OpenStack,
|
||||
a breach of security for Congress means a breach of Keystone,
|
||||
which would still give administrative rights to the other OpenStack
|
||||
services anyway.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None for this spec; other, dependent specs have performance impacts.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Modify trigger framework to operate on modal operators directly, e.g. so
|
||||
that we can register a trigger whenever execute[x] changes.
|
||||
|
||||
- Set up a trigger on execute[x]. When that trigger fires, it invokes
|
||||
the action on the appropriate ExecutionDriver.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* modal-operators-for-policy: enable execute[] syntax
|
||||
* policy-triggers: initial version of trigger framework
|
||||
* action-execution-interface: add executor driver concept to Congress
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
This change will require unit tests for the enhanced trigger framework.
|
||||
|
||||
It should include tempest tests to test end-to-end functionality.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
This will require a new documentation section for reactive enforcement.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,151 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=====================================
|
||||
Create a Fact class for storing facts
|
||||
=====================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/fact-datastructure
|
||||
|
||||
Today, the congress runtime stores facts as Rules. This is inefficient from a
|
||||
memory perspective since each Rule contains a Literal, which in turn contains
|
||||
a Term for each column. Each of these is a python object, and each of them
|
||||
also contains a few extra fields like head, body, location, negated,
|
||||
etc. Using Rules is also inefficient with CPU since congress needs to
|
||||
construct all these objects. This blueprint proposes to use a Fact data
|
||||
structure to store each fact. A Fact is a subclass of a native tuple, plus one
|
||||
field for table name. This is much more efficient memorywise and CPUwise than
|
||||
using a Rule because there are no extra objects like Literal and
|
||||
Term. Preliminary tests show a 10x reduction in CPU for initializing tables
|
||||
plus a 3x reduction in memory use.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* Today, congress stores each fact as a Rule object
|
||||
|
||||
* A Rule object contains many objects and fields
|
||||
|
||||
* Many objects and fields means that creating and storing a fact uses lots of
|
||||
CPU and memory resources.
|
||||
|
||||
* High CPU and memory use makes congress unable to scale to larger datasets.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
We propose to create a new class called Fact to store each fact. A Fact is a
|
||||
native tuple plus one string for table name. Using a Fact will eliminate all
|
||||
the subfields and subobjects in Rule.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Preliminary testing shows a 10x reduction in CPU use and a 3x reduction in
|
||||
memory use in initialize_table() for 7M facts where the payload is 700MB.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
A Theory object will internally contain Rules and Facts. The caller an insert
|
||||
a Fact into a RuleSet. However, whenever someone fetches the rules from a
|
||||
Theory the RuleSet converts Facts to Rules before returning them.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
ayip
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Implement FactSet
|
||||
|
||||
* Use FactSet inside of RuleSet
|
||||
|
||||
* Change initialize_tables() to avoid instantiating a list of all facts coming
|
||||
from DSE
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Add a unit test for FactSet
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,116 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Glance Data Source Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/glance-data-source-driver
|
||||
|
||||
This blueprint is to add a data source driver for glance.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
N/A
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add data source driver that integrates congress with glance.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
This will use the congress language. glance:image(X) etc.
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
Just monitoring right now.
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
Glance
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
TBD
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
python-glanceclient
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Will add tempest tests.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,158 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===============================
|
||||
Create a Heat Datasource Driver
|
||||
===============================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/heat-datasource-driver
|
||||
|
||||
This Heat driver will allow Congress to interact with the Openstack Heat API
|
||||
for orchestration. The first version will provide data from Heat's read API
|
||||
calls until Congress does has infrastructure to handle writing to drivers.
|
||||
Subsequent versions may be able to send requests and write to the Heat API.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Today, there is no Congress driver for Heat, either for reading or writing.
|
||||
This driver will give Congress eyes into Heat so that a policy writer can
|
||||
inspect Heat state such as details about each stack, stack snapshots,
|
||||
resources, software configurations, software deployments, and perhaps
|
||||
templates themselves.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This driver will be similar to other existing drivers like neutron_driver.py
|
||||
and nova_driver.py. The Heat driver will read data from the following Heat
|
||||
API calls and convert the responses to Congress tables:
|
||||
* list stacks
|
||||
* show stack detail
|
||||
* list snapshots
|
||||
* list resources
|
||||
* show resource data
|
||||
* show resource metadata
|
||||
* list resource types
|
||||
* show configuration details
|
||||
* list stack events
|
||||
* show event details
|
||||
* show software_configs
|
||||
* show software_deployments
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is to have no driver for Heat, which is not a good option for
|
||||
those admins that use Heat in their cloud.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Openstack Heat
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
The Heat driver will need to authenticate to the Heat API just like all the
|
||||
other datasource drivers.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
It is possible that the API calls will be expensive. We will need to measure
|
||||
the impact of the API calls on Heat and Congress performance.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
tengqim
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Write unit test
|
||||
* Write tempest test
|
||||
* Write API client code
|
||||
* Write translators for tables
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
This work must include a unit test and a tempest test. The driver translator
|
||||
infrastructure makes most of the translation code robust, but the driver is
|
||||
still dependent on the Heat API, so the tempest test is particularly important
|
||||
as an integration test.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Blueprint:
|
||||
https://blueprints.launchpad.net/congress/+spec/heat-datasource-driver
|
|
@ -1,169 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Policy creation in Horizon
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/horizon-create-policies
|
||||
|
||||
Congress policies can be created from the command line interface (CLI). Provide
|
||||
a way to create policies from the Horizon dashboard that helps users who have
|
||||
little or no experience with writing Datalog.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Users unfamiliar with Datalog may find it challenging to write rules for a
|
||||
Congress policy.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add a way to create Congress policies in the Policies panel in Horizon that
|
||||
does not require users to have knowledge of Datalog to write policy rules.
|
||||
Something like the draggable blocks in Node-RED or BipIO could be moved around
|
||||
and connected together by the user to construct a policy rule. Or have a
|
||||
template that presents the Datalog pieces of a rule in a natural language
|
||||
format.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
One alternative is to enhance the CLI to assist users in writing policy rules.
|
||||
However, a graphical interface can have interactive mechanisms to help users
|
||||
navigate the structure of a policy rule that a CLI cannot provide. For example,
|
||||
rule components could be more easily represented with graphics in a web
|
||||
interface vs. a CLI-based wizard, which is limited to text representations.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Caution must be exercised when using data entered by a user. An example of a
|
||||
type of security issue is SQL injections, if the user data is going to be
|
||||
inserted into a database. User data should be sanitized to mitigate such risks.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
The end user will be able to go to the Policies panel in Horizon and use some
|
||||
knobs to write policy rules and create a policy in Congress.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
jwy
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Knobs and form to enter policy details and rules.
|
||||
- Logic (e.g., autocompletion) to fill in policy table names, data source table
|
||||
names, etc., that can be used in a policy rule.
|
||||
- Backend to pass information on to Congress for policy creation.
|
||||
- Form to enter Datalog directly for a rule, for users who are more comfortable
|
||||
with the language.
|
||||
|
||||
Keep in mind that we may want to use the same UI for updating policies later.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Additional Tempest tests are not needed because the Congress code is not being
|
||||
modified here.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Datalog Policy Language:
|
||||
https://github.com/stackforge/congress/blob/master/doc/source/policy.rst#2-datalog-policy-language
|
||||
|
||||
Node-RED:
|
||||
http://nodered.org
|
||||
|
||||
BipIO:
|
||||
https://bip.io
|
|
@ -1,145 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=====================================================
|
||||
Congress OpenStack Horizon : Data Source Status Table
|
||||
=====================================================
|
||||
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/horizon-datasource-status-table
|
||||
|
||||
This blue print describes integration of datasources status with Horizon
|
||||
dashboard. Admin will be able to see detailed status of each datasource.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* In the existing horizon implementation congress data source status is not
|
||||
shown
|
||||
|
||||
* This poses problem to admins who want to see the status of data sources
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
* Proposal is to add data source status table to the landing page
|
||||
contrib/horizon/datasources/templates/datasources/index.html
|
||||
* Add appropriate table to the file /contrib/horizon/datasources/tables.py
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Screens
|
||||
-------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
no updates required
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Authentication of python-congressclient through Keystone token
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
none
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
* User will be able to view Data Source Status
|
||||
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
none
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
none
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<jwy>
|
||||
<rajdeepd>
|
||||
|
||||
Other contributors:
|
||||
<None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Modify base Panel for Policies and Data sources tables
|
||||
* Add congress.py to add calls for getting status information
|
||||
* Create a Data Source status table
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Horizon
|
||||
* python-congressclient
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit testing using mocks.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
none
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
https://github.com/stackforge/python-congressclient
|
|
@ -1,191 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
================================================
|
||||
Congress OpenStack Horizon Dashboard Integration
|
||||
================================================
|
||||
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/horizon-integration
|
||||
|
||||
This blue print describes integration of Congress with Horizon dashboard.
|
||||
Admin should be able to create/update or view policies and rules. He should
|
||||
also be able to see information fetched from the various data sources.
|
||||
|
||||
|
||||
* ..
|
||||
*
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* In the existing implementation congress data elements like policies, rules
|
||||
and data sources can be accessed only through command line or python client.
|
||||
|
||||
* This poses problem to admins who want to use UI based dashboard to manage
|
||||
policies and its associated elements
|
||||
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
* Proposal is to integrate Congress read/ write and update use cases into
|
||||
Horizon
|
||||
* A new panel named `policies` will be added to the `admin` dashboard.
|
||||
|
||||
+-----------+ +------------+
|
||||
| ++------+ | |
|
||||
| || | REST API Call| |
|
||||
| || +------------------> |
|
||||
| OpenStack || congress | Congress |
|
||||
| Horizon || python-client | API |
|
||||
| || | | Service |
|
||||
| || | | |
|
||||
| || | | |
|
||||
| || | | |
|
||||
| || | | |
|
||||
| ++------+ | |
|
||||
+-----------+ +------------+
|
||||
|
||||
* This Panel will have a Tab Group
|
||||
|
||||
* First Tab will be Policies Tab
|
||||
* Second Tab will be DataSources Tab
|
||||
|
||||
Policies Tab will cover following use cases
|
||||
|
||||
* List of policies
|
||||
* List of Rules in a Policy
|
||||
* List of tables in a Policy
|
||||
* Create a Rule
|
||||
* Update a Rule
|
||||
* Delete a Rule
|
||||
|
||||
DataSource Tab will show
|
||||
|
||||
* List of DataSources
|
||||
* Tables returned by DataSources
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Implement a dashboard which is independent of Horizon, in case there is a need
|
||||
to integrate congress in a non openstack scenario.
|
||||
|
||||
|
||||
Screens
|
||||
-------
|
||||
none
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
To be determined.
|
||||
We might need some additional data to be exposed by python-congressclient
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Authentication of python-congressclient through Keystone token
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
none
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
* User will be able to view, configure and update Policies, Rules.
|
||||
* User will be able to data exposed by the DataSources
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
none
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Integration with Devstack.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<jwy>
|
||||
<rajdeepd>
|
||||
|
||||
Other contributors:
|
||||
<None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Add base Panel for Policies
|
||||
* TabGroup for Policies and DataSources
|
||||
* Implement Policy Tab
|
||||
* Implement DataSource Tab
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Horizon
|
||||
|
||||
* python-congressclient
|
||||
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit testing using mocks.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Document the screenflow.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
https://github.com/stackforge/python-congressclient
|
|
@ -1,230 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===========================================
|
||||
Abstraction policy definitions in Horizon
|
||||
===========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/horizon-policy-abstraction
|
||||
|
||||
Congress aims to provide an extensible open-source framework for governance
|
||||
and regulatory compliance across any cloud services. Users can define policies
|
||||
in congress by pure Datalog. But Datalog, working with data-tables, is a very
|
||||
difficult and complex description for policies. Users may have some problems
|
||||
to understand and deploy policies by Datalog. So this specification provides
|
||||
an abstraction for policies, and shows it in an abstraction form in Horizon,
|
||||
which will facilitate users to express their policies.
|
||||
|
||||
Problem description
|
||||
====================
|
||||
|
||||
Datalog is not intuitive to use, even difficult for users to express their
|
||||
policies who are not familiar with it. And it may cause some misinterpretation
|
||||
when translating real intent to Datalog because of the complex logic.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Congress makes the whole cloud compliant by defining violation state and action
|
||||
for violation.
|
||||
|
||||
Policies in Congress can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
Congress Policy ::= violation condition, "do" action for violation
|
||||
|
||||
So, policy abstraction is to abstract violation state and corresponding action
|
||||
to make the policy more intuitive and easy to use.
|
||||
|
||||
By analyzing typical scenarios, violation mainly can be divided into two parts.
|
||||
One is the constraint of objects' attributes, and another is the constraint
|
||||
of relationship between several objects' attributes.
|
||||
All the objects and constraints are not just a simple set of data source
|
||||
tables, but they can be divided into some categories according to their
|
||||
functions and relations. So users just need to choose objects they care about
|
||||
without worrying about which tables they are in.
|
||||
|
||||
The violation condition can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
violation condition ::=object attribute constraint (value | object attribute)
|
||||
object attribute::=object "." attribute
|
||||
|
||||
For any violation state, congress will take some actions, such as monitoring,
|
||||
proactive and reactive. Though congress has just realized monitor violation,
|
||||
changing cloud state to make the cloud compliant is also an important function
|
||||
for congress. So, policy abstraction will provide some optional reactive
|
||||
actions for different objects to resolve violations.
|
||||
|
||||
The action for violation state can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
action ::= ("monitor"| "proactive"| "reactive") data
|
||||
|
||||
So policies in Congress can be abstracted into "name", "objects",
|
||||
"violation condition", "action" and "data".
|
||||
|
||||
Among these, element "name" defines a marker of a policy, which is used to
|
||||
be a unique identification for a policy.
|
||||
|
||||
Element "objects" defines all objects which are concerned by this policy.
|
||||
They are not just simple display of data source tables, but a organized set
|
||||
which contains the relationship between different objects, such as, "servers",
|
||||
"networks", "hosts", "subnets", etc.
|
||||
For example, table "statistics" will not appear as a object, but it will be
|
||||
a attribute of other objects, such as, "servers", "networks".
|
||||
Another example is users could choose "servers" and "networks" without caring
|
||||
about what put them together ("ports", actually).
|
||||
|
||||
Element "violation condition" defines the state of objects' attributes
|
||||
which can produce violation, and the constraint will include comparison,
|
||||
arithmetic and some predefined relationship/functions, such as, "same_group".
|
||||
|
||||
Element "action" defines the action needs to take for this policy,
|
||||
and actions will include "proactive", "monitoring" and some specific actions,
|
||||
such as, "remove", "delete". All these actions depend on the ability of
|
||||
underlying components.
|
||||
|
||||
Element "data" defines the information gotten or needed when executing the
|
||||
action, for example, when monitoring a servers violation, users can define
|
||||
"data" as servers' name to be a return parameters.
|
||||
|
||||
That is, Congress UI will provide many elements of policies as drop-down lists,
|
||||
and the combination of these elements will form various policies. All these
|
||||
elements are from the summary of typical scenarios and the ability of
|
||||
underlying components.
|
||||
Users need to choose which one can match their needs.
|
||||
Then UI will translate the information in UI into Datalog.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
-------
|
||||
|
||||
There is one example to express typical policy by abstraction form in Horizon.
|
||||
|
||||
Example: every network connected to a VM must either be public or
|
||||
owned by someone in the same group as the VM.
|
||||
|
||||
For this example, users care about "servers" and "networks", so users will
|
||||
choose these two objects from a drop-down list.
|
||||
After users decide the objects, corresponding optional violation state will
|
||||
be decided, which will include these two objects' attributes and some
|
||||
predefined relationship, so users can choose "not same_group" and choose who
|
||||
are not in the same group. All the choices will be show as drop-down lists,
|
||||
too. And users need to choose the action and data for this violation.
|
||||
For example, users choose "monitoring", attributes of servers and networks
|
||||
will appear in "data".
|
||||
|
||||
In this policy, users can create a policy as below.
|
||||
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
| name | objects | violation state | action | data |
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
| policy_1 | servers |not equal(networks.share, public) | monitoring | servers.name |
|
||||
| | networks |not same_group(servers.tenant, networks.tenant)| | |
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
The action can be monitoring, proactive or some execute actions
|
||||
which can make the cloud compliant.
|
||||
|
||||
Data Source
|
||||
-----------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
All parameters inputted by users need satisfy predefined standard, for example,
|
||||
if values inputted in "violation condition" in reasonable range
|
||||
(e.g. 0-100% for CPU utilization).
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
End users can be able to write policies in Horizon and use some drop-down lists
|
||||
and some simple inputs to create a policy. Then Horizon will translate the
|
||||
information in UI into Datalog, which will be processed in Congress.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Yali Zhang
|
||||
|
||||
Other contributors:
|
||||
Jim Xu; Yinben Xia
|
||||
|
||||
Work items
|
||||
-----------
|
||||
|
||||
|
||||
- Abstraction form to write policies rules and actions for policies.
|
||||
- Build mapping relationship between abstraction form and Datalog,
|
||||
so users can write a policy in UI other than Datalog.
|
||||
- Pass information from Horizon to Congress to finish the policy creation.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Need to be tested with a variety of scenarios.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Add instructions for policy abstraction in UI.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,158 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==================================
|
||||
Create an ironic Datasource Driver
|
||||
==================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/ironic-datasource-driver
|
||||
|
||||
This ironic driver will allow Congress to interact with the Openstack ironic
|
||||
API for orchestration. The first version will provide data from ironic's read
|
||||
API calls until Congress does have infrastructure to handle writing to drivers.
|
||||
Subsequent versions may be able to send requests and write to the ironic API.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Today, there is no Congress driver for ironic, either for reading or writing.
|
||||
This driver will give Congress eyes into ironic so that a policy writer can
|
||||
inspect Bare Metal state such as details about enabled drivers, each chassis,
|
||||
each node, each port, supported boot devices of a node.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This driver will be similar to other existing drivers like neutron_driver.py
|
||||
and nova_driver.py. The ironic driver will read data from the following ironic
|
||||
API calls and convert the responses to Congress tables:
|
||||
|
||||
* list enabled drivers
|
||||
* show driver detail
|
||||
* list driver properties
|
||||
* list chassis
|
||||
* show chassis detail
|
||||
* list nodes contained in a chassis
|
||||
* list registered nodes
|
||||
* show node detail
|
||||
* list supported boot devices for a node
|
||||
* list ports assocaited with a node
|
||||
* list all registered ports
|
||||
* show port detail
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is to have no driver for ironic, which is not a good option for
|
||||
those admins that use ironic in their cloud to manage bare metal servers.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Openstack ironic
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
The ironic driver will need to authenticate to the ironic API just like all the
|
||||
other datasource drivers.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
It is possible that the API calls will be expensive. We will need to measure
|
||||
the impact of the API calls on ironic and Congress performance.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
zhenzan-zhou
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Write unit test
|
||||
* Write tempest test
|
||||
* Write API client code
|
||||
* Write translators for tables
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
This work must include a unit test and a tempest test. The driver translator
|
||||
infrastructure makes most of the translation code robust, but the driver is
|
||||
still dependent on the ironic API, so the tempest test is particularly
|
||||
important as an integration test.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Blueprint:
|
||||
https://blueprints.launchpad.net/congress/+spec/ironic-datasource-driver
|
|
@ -1,198 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add modal operators to policy language
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/modal-operators-for-policy
|
||||
|
||||
To express access control policies and reactionary enforcement policies, we
|
||||
need modal operators like 'execute' and 'permit' added to the language. Modal
|
||||
operators are identifiers that apply to literals or rules in the language and
|
||||
hence cannot be encoded (naturally) without special syntactic support.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Example policy fragments that are enabled by this change:
|
||||
|
||||
1) Reactionary policies: describing what actions/API-calls Congress should
|
||||
execute and when.
|
||||
|
||||
execute[nova:disconnectNetwork(vm, net)] :-
|
||||
nova:virtual_machine(vm),
|
||||
nova:network(vm, net),
|
||||
bad_network(vm, net)
|
||||
|
||||
2) Access control policies: describing when other components are permitted
|
||||
to execute certain actions/API calls.
|
||||
|
||||
permit[nova:disconnectNetwork(vm, net)] :-
|
||||
nova:owner(vm, owner),
|
||||
role(owner, 'admin')
|
||||
|
||||
3) Action descriptions: describing the effects of an action
|
||||
|
||||
delete[nova:network(vm, net)] :-
|
||||
execute[nova:disconnectNetwork(vm, net)]
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This change requires modifying the grammar to so that the constructs above
|
||||
are permitted. To do this, we would want to make the definition for 'rule'
|
||||
into something like the following.
|
||||
|
||||
rule ::= modal_list COLONMINUS modal_list
|
||||
modal_list ::= modal (COMMA literal)*
|
||||
modal ::= literal | ID LBRACKET literal RBRACKET
|
||||
|
||||
We also need to change compile.py:Literal class to have a field 'modal' that
|
||||
is either None or is an ID (string).
|
||||
|
||||
We also need to change the unifier so that it checks the 'modal' field when
|
||||
doing unification.
|
||||
|
||||
Finally we need to introduce functionality so that we can ask for all
|
||||
x such that execute[x] is true in the current state. One option is to
|
||||
construct a special function in the Runtime; another option is to expand the
|
||||
definition of a modal so that it can take a variable, such as shown below,
|
||||
and modify the unifier and runtime.py:TopDownTheory.top_down_eval routines
|
||||
appropriately.
|
||||
|
||||
modal ::= literal | ID LBRACKET literal RBRACKET | ID LBRACKET ID RBRACKET
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Today the way we write action descriptions is by using + and - as suffixes
|
||||
on table-names to denote insert and delete respectively. This
|
||||
does not extend well to other modals like 'execute' and 'permit'.
|
||||
|
||||
The prototype code already in place assumes it can identify what is to be
|
||||
'execute'd and what is to be 'permit'ed based on the policy the rules
|
||||
reside in. Having separate policies for implementing this functionality
|
||||
is a poor solution because multiple policies ought to be able to represent
|
||||
multiple policy authors' contributions to policy--a single policy ought to
|
||||
be able to include reactive policy, access control policy, error policy,
|
||||
and action-descriptions.
|
||||
|
||||
In addition, the functionality we currently use for dealing with
|
||||
action-descriptions while implementing simulation uses the 'consequences'
|
||||
construct to compute all of the literals inserted and deleted upon execution
|
||||
of a given action. The 'consequences' functionality is computationally
|
||||
expensive in that it computes the contents of all tables in the policy. Once
|
||||
a single policy contains more than simply the action-descriptions, we cannot
|
||||
afford to use the 'consequences' functionality.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
See use cases above.
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None since rules are stored as strings in the DB.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None since policy snippets are passed as strings.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Modify grammar as described above
|
||||
- Change parser to read in new grammar
|
||||
- Change runtime to properly unify with modals
|
||||
- Add modal-level queries, e.g. find all x such that execute[x]
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests are sufficient. Ensure that the new syntactic constructs
|
||||
can be used anywhere and that the runtime produces the proper results
|
||||
when the new syntactic constructs are in place.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
End-user documentation is not necessary for this change. But documentation
|
||||
will be necessary for the functionality that uses this change, e.g.
|
||||
the simulation() docs will change to describe using insert[]/delete[] instead
|
||||
of +/- suffixes.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,289 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Example Spec - The title of your blueprint
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/multiple-policies
|
||||
|
||||
Currently, there are only a couple of different policies people can use.
|
||||
We want to enable people to utilize multiple policies for the purpose of
|
||||
modularity and encapsulation.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
We want users to be able to create and delete entire policies.
|
||||
We want users to be able to choose which type of policy they want
|
||||
to create.
|
||||
We want users to write policies that reference tables defined in
|
||||
other policies as naturally as they reference tables defined within
|
||||
datasources.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
Users may create/delete any number of policies and give them names.
|
||||
Each of these policies look like the classification policy we have
|
||||
today.
|
||||
|
||||
Users can insert/delete rules into each such policy
|
||||
just as they do with the classification policy today.
|
||||
Users may write the same kind of rules they always have, except
|
||||
they can reference tables defined in any other policy in
|
||||
the body of rules.
|
||||
|
||||
The rules are prohibited from prefixing the tablename in the head
|
||||
of a rule with a policy-name. The rules are prohibited from
|
||||
recursing across theories.
|
||||
|
||||
1) Example
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
|
||||
policy2:
|
||||
q(x) :- nova:servers(x)
|
||||
|
||||
2) Non-example: do not include policy name in head of rule
|
||||
policy:p(x) :- q(x)
|
||||
|
||||
3) Non-example: do not recurse across policies
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
|
||||
policy2:
|
||||
q(x) :- policy1:p(x)
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
We're already doing this (conceptually) with the prefixes (such as
|
||||
nova: and neutron:) on datasource tablenames. This proposal simply
|
||||
generalizes that idea.
|
||||
|
||||
Another approach is to put everything into a single theory and explicitly
|
||||
prefix all tables with the module in which they are defined.
|
||||
Implementationally, that is basically what we're doing, but leaving the
|
||||
policies in separate datastructures so that they can leverage different theory
|
||||
types.
|
||||
|
||||
Many other module systems are available, but this is basically Python's
|
||||
module system. Everything is visible to everything as long as you
|
||||
have a reference to it.
|
||||
|
||||
This proposal does not include hierarchical policies (policies defined
|
||||
within other policies). While that model is sensible for a file-based
|
||||
programming language, it is less clearly sensible for a restful API
|
||||
programming language since there is no inherent structure. This
|
||||
proposal still allows people to use hierarchical policy *names*, e.g.
|
||||
marketing:manager:alice, but there is no semantics to that hierarchy
|
||||
built into the language.
|
||||
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Example with policies policy1 and policy2. We assume we write the
|
||||
following rule in policy0.
|
||||
|
||||
error(vm) :-
|
||||
nova:virtual_machine(vm),
|
||||
policy1:vm_property(vm),
|
||||
neutron:port(vm, src_ip),
|
||||
policy2:ip_bad(src_ip).
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None. Just a change in the policy engine's implementation.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Each API method which is either added or changed should have the following
|
||||
|
||||
create_policy
|
||||
|
||||
* Description: create a new policy of the given name, abbreviation, and
|
||||
type
|
||||
* Method: POST
|
||||
* Normal http response codes: success
|
||||
* HTTP errors:
|
||||
** conflict: policy already exists
|
||||
** bad request: type does not exist
|
||||
* URL: /v1/policy/
|
||||
* Parameters: name, abbreviation (for traces), type (Nonrecursive,
|
||||
Materialized)
|
||||
|
||||
Example:
|
||||
curl -X PUT http://localhost:1789/v1/policy -d
|
||||
'{"id": "test_policy",
|
||||
"description": "a great policy",
|
||||
"abbreviation": "test",
|
||||
"type": "nonrecursive"}'
|
||||
|
||||
Example output:
|
||||
{"id": "test_policy",
|
||||
"description": "a great policy",
|
||||
"abbreviation": "test",
|
||||
"type": "nonrecursive",
|
||||
"owner": "alice"}'
|
||||
|
||||
|
||||
delete_policy: standard deletion operation
|
||||
|
||||
Example:
|
||||
curl -X DELETE http://localhost:1789/v1/policy/test_policy
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Users will interact with other policies when writing rules.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
thinrichs@vmware.com
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Add create_policy/delete_policy to congress/policy/policy.py:Runtime.
|
||||
The arguments to create_policy should include name/abbr/type, where
|
||||
type is either NonrecursiveRuleTheory or MaterializedViewTheory.
|
||||
|
||||
- Change compile.atom to a separate 'module' field and 'table' field to
|
||||
avoid repeatedly parsing the tablename. The 'module' field is None if
|
||||
there is none.
|
||||
|
||||
- Modify top_down_eval so that at every point in the search, it
|
||||
jumps to the policy in which the table is defined (or stays in the
|
||||
current policy if 'module' is None).
|
||||
|
||||
- Ensure no infinite loops across theories. We need to check
|
||||
that the graph obtained by rules that cross policy boundaries
|
||||
is non-recursive; we can ignore rules that do not cross policy
|
||||
boundaries.
|
||||
|
||||
- Can leave 'includes' functionality for internal implementation.
|
||||
Should not need to use it for the change above.
|
||||
|
||||
- Expose this functionality through the API and CLI
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests, both positive and negative.
|
||||
|
||||
Positive
|
||||
---------
|
||||
1) Test 1
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
|
||||
policy2:
|
||||
q(1)
|
||||
q(2)
|
||||
|
||||
Query: policy1:p(x) yields {p(1), p(2)}
|
||||
|
||||
|
||||
2) Test 2
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
r(1)
|
||||
r(2)
|
||||
|
||||
policy2
|
||||
q(x) :- policy1:r(x)
|
||||
|
||||
Query: policy1:p(x) yields {p(1), p(2)}
|
||||
|
||||
3) Test 3 (namespace separation)
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
q(1)
|
||||
q(2)
|
||||
|
||||
policy2
|
||||
q(3)
|
||||
q(4)
|
||||
|
||||
Query: policy1:p(x) yields {p(3), p(4)}
|
||||
|
||||
|
||||
Negative
|
||||
----------
|
||||
1) Test 1
|
||||
policy1:
|
||||
p(x) :- policy2:q(x)
|
||||
|
||||
policy2:
|
||||
q(x) :- policy1:p(x)
|
||||
|
||||
Should throw error.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Need to add docs that describe new capabilities.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,133 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
murano-congress-integration
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/murano-congress-integration
|
||||
|
||||
This blueprint is to convert the integration with murano and congress.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* Make murano and congress interface with each other.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This blueprint covers 2 different things that we need to do.
|
||||
|
||||
- The first is write a datasource driver for congress that interacts with
|
||||
murano.
|
||||
|
||||
- The second is to integrate murano with congress. To do this we might want
|
||||
to provide some kind of congressmiddeware if there are any details we can
|
||||
abstract there but we will figure this out later after that datasource
|
||||
driver is written.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
The Murano Project introduces an application catalog to OpenStack,
|
||||
enabling application developers and cloud administrators to publish
|
||||
various cloud-ready applications in a browsable categorized catalog.
|
||||
Cloud users -- including inexperienced ones -- can then use the catalog
|
||||
to compose reliable application environments with the push of a button [1]
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Murano Team
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Data source driver
|
||||
murano integration with congress api
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
Data source driver for murano should be done first.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Tempest and unit tests will be added.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
[1] - https://wiki.openstack.org/wiki/Murano
|
|
@ -1,191 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Murano Data Source Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/murano-driver
|
||||
|
||||
This blueprint is to add a data source driver for Murano
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
We need a data source to get the Murano environments and applications related
|
||||
data so that we can define policies during and after application service
|
||||
fulfillment
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add data source driver that integrates Congress with Murano with following
|
||||
data tables.
|
||||
|
||||
* Data Tables
|
||||
|
||||
* *murano:objects(object_id, owner_id, type)*
|
||||
|
||||
This table holds every MuranoPL object instance in an environment.
|
||||
|
||||
* *object_id* - uuid of the object as used in Murano
|
||||
* *owner_id* - uuid of the owner object as used in Murano
|
||||
* *type* - string with full type identification as used in Murano
|
||||
(e.g., io.murano.Environment,...)
|
||||
|
||||
* *murano:parent-types(id, parent_type)*
|
||||
|
||||
This table holds parent types of *obj_id* object.
|
||||
|
||||
* *id* - uuid of the object as used in Murano
|
||||
* *parent_type* - string with full type identification of the parent
|
||||
object
|
||||
|
||||
Note that Murano supports multiple inheritance, so there can be several
|
||||
parent types for one object
|
||||
|
||||
* *murano:properties(id, name, value)*
|
||||
|
||||
This table stores object's properties. For multiple cardinality
|
||||
properties, there can be number of records here.
|
||||
|
||||
* *id* - uuid of the object as used in Murano
|
||||
* *name* - property name
|
||||
* *value* - property value
|
||||
|
||||
MuranoPL properties referencing class type (i.e., another object)
|
||||
are stored in *murano:relationship*. Properties with structure has
|
||||
not direct mapping here - it has to be stored here component
|
||||
by component.
|
||||
|
||||
* *murano:relationships(source_id, target_id, name)*
|
||||
|
||||
This table stores relationship between objects (i.e., MuranoPL property
|
||||
to *class*).
|
||||
|
||||
* *source_id* - uuid of the source object
|
||||
* *target_id* - uuid of the target object
|
||||
* *name* - name of the relationship between source and target object
|
||||
|
||||
For multiple cardinality relationships there is several records in the
|
||||
table.
|
||||
|
||||
* *murano:states(id, state)*
|
||||
|
||||
This table stores *EnvironmentStatus* of Murano environment
|
||||
|
||||
* *id* - uuid of the environment
|
||||
* *state* - the state status of the environment
|
||||
|
||||
The state status will be one of 'READY', 'PENDING', 'DEPLOYING',
|
||||
'DEPLOY_FAILURE', 'DELETING', 'DELETE_FAILURE'.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
We will have pre and post deployment policies for Murano applications based
|
||||
on the data tables defined in the driver.
|
||||
|
||||
Pre deployment policies will cover policies during application service
|
||||
fulfillment and will leverage the Congress simulate feature.
|
||||
|
||||
Post deployment policies will cover monitoring policies on fulfilled service
|
||||
instances.
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Actions will be added in the second phase.
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Murano
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
kishan-thomas
|
||||
kishan.thomas@hp.com
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Implement driver and data tables
|
||||
- Implement unit tests
|
||||
- Integration tests with Murano
|
||||
- Add example policies
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
Murano API
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit tests
|
||||
- Integration tests
|
||||
- Tempest tests
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Add new documents in standard documentation location
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
https://etherpad.openstack.org/p/policy-congress-murano-spec
|
|
@ -1,132 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
neutron-datasource-driver-refactor
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/neutron-datasource-driver-refactor
|
||||
|
||||
This blueprint is to cover the refactoring work to improve how the neutron
|
||||
datasource driver structures its data. In addition, to add security-group-rule
|
||||
support.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
* Refractor neutron driver table schema.
|
||||
* Add security group/security-group-rule support
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
* Leverage parent-key attribute to remove subtables.
|
||||
* Restructure table schema to be more natural.
|
||||
* Implement security-group/security-group-rule support.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Neutron
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
The schema will change to remove the subtables. This will simplify how one
|
||||
writes policy though it will break existing policies that have been written
|
||||
against the neutron driver.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
The datasources.conf file will have to be updated to include the new
|
||||
neutron driver.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Who is leading the writing of the code? Or is this a blueprint where you're
|
||||
throwing it out there to see who picks it up?
|
||||
|
||||
If more than one person is working on the implementation, please designate the
|
||||
primary author and contact.
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Implement
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
All other patches this requires have already been merged into congress.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Tempest and unittests will be present.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Will update docs
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,134 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Parent key improvements
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/parent-key-improvements
|
||||
|
||||
There are two current shortcomings of the parent_key implementation in
|
||||
congress.
|
||||
|
||||
* It's unable to be accessed from a subtable. This is needed in the neutron
|
||||
refactoring working to handle how neutron structures the response for
|
||||
routers.
|
||||
|
||||
* It's column name is always named parent_key. It would be helpful if we
|
||||
could have the column in the schema actually reflect it's name.
|
||||
For example, router_id per say.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
* Parent key cannot be accessed from subtables which is needed.
|
||||
* No way to rename parent key column name.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Change the datasource framework code so this can be done.
|
||||
|
||||
To handle specifiy the column name on a parent_key on should add:
|
||||
'parent-col-name': <NAME> to the translator. If this is not present
|
||||
then the old behavior will still occur of having the column name called
|
||||
parent_key.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Implement
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* This needs to be done before neutronv2 refactoring can be done.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests will be included.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,129 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
persistent-storage-for-api
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/persistent-storage-for-api
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
* Currently we store all the api configuration data in memory so when the
|
||||
server is restarted all of ones data is lost. This blueprint is to
|
||||
implement a persistent layer to save this info.
|
||||
|
||||
* Needs to handle schema changes and data migration
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add Persistance layer
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Use a flat file which might be easier for the first implementation but is more
|
||||
error prone than using a db and doesn't let us scale out horizontally easily.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
There could be some private data here as we are storing peoples policies here.
|
||||
Though access to the db will require one to authenticate so hopefully there
|
||||
is no security flaws here that allow uninteneded access.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
|
||||
* Users will now have to deploy a db for congress to leverage.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
* Hopefully none
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Implementation
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* We'll leverage alembic to handle the migrations and reuse a lot of the code
|
||||
that neutron already has to do this.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests will be provided
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
http://alembic.readthedocs.org/en/latest/
|
||||
https://github.com/openstack/neutron/blob/master/neutron/db/migration/README
|
||||
|
|
@ -1,210 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Policy Engine Triggers
|
||||
==========================================
|
||||
|
||||
Blueprint: https://blueprints.launchpad.net/congress/+spec/policy-engine-trigger
|
||||
|
||||
Currently there is no mechanism for treating changes to
|
||||
policy-defined tables as events (aka triggers). Treating changes to
|
||||
policy-defined tables as events is useful because
|
||||
it enables us to, for example,
|
||||
(i) publish those changes on the message bus
|
||||
(ii) set up reactive enforcement, either written in code or
|
||||
in policy,
|
||||
(iii) kicking off translations to other policy
|
||||
engines.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
This spec aims to provide a programmatic interface for triggers.
|
||||
A programmer will register an event handler to run whenever
|
||||
a change to a table occurs. The framework will then
|
||||
periodically (e.g. whenever inserts/deletes occur)
|
||||
compute updates to tables and run the registered event handlers.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
We will create a trigger-registry interface that enables a programmer
|
||||
to dictate a function to run each time the contents of a given
|
||||
table changes.
|
||||
|
||||
|
||||
Programmer's perspective
|
||||
------------------------
|
||||
The functions that a programmer will register have a signature like
|
||||
the one that follows.
|
||||
|
||||
def respond_to_trigger(oldtable, newtable, delta)
|
||||
|
||||
The programmer will register this handler on a particular theory
|
||||
and a particular table. In this example, we register the
|
||||
function above so it runs each time the table "p" changes in
|
||||
the policy/theory "th".
|
||||
|
||||
# instance of congress/policy/runtime.py:Theory
|
||||
th = engine.policy("alice_policy")
|
||||
# register 'respond_to_trigger' for table 'p' on that policy
|
||||
th.register_trigger("p", respond_to_trigger)
|
||||
|
||||
From the programmer's point of view, each time the contents of
|
||||
table "p" changes in the theory named "alice_policy", the function
|
||||
respond_to_trigger is run and given as arguments the original
|
||||
table, the new table, and the difference in the two.
|
||||
|
||||
|
||||
Implementation
|
||||
---------------
|
||||
The function 'register_trigger' will be implemented in the
|
||||
congress/policy/runtime.py:Theory class. We will also have
|
||||
an 'unregister_trigger' function call. The Theory class will
|
||||
be augmented to contain a hash table 'self.triggers' that
|
||||
maps each table name to the set of functions that have
|
||||
been registered for that table. 'register_trigger' and
|
||||
'unregister_trigger' change the contents of that hash table.
|
||||
|
||||
Then changes will be made to NonrecursiveRuleTheory,
|
||||
MaterializedViewTheory, and Database to implement the trigger:
|
||||
each time update() is called, the theory will
|
||||
(i) compute the contents of each table that has a trigger registered,
|
||||
(ii) apply the usual update() logic,
|
||||
(iii) compute the contents of each table with a registered trigger (again),
|
||||
(iv) compute the deltas on each of the tables with triggers
|
||||
(v) for each table t with non-empty delta, invoke all of the triggers
|
||||
registered for t giving the arguments (i), (iii), (iv)
|
||||
|
||||
Obviously triggers can be expensive because they require 2 queries
|
||||
each time data is changed. Ideally, we would utilize policy analysis
|
||||
to only query those tables when the data being update might possibly
|
||||
change the contents of those tables.
|
||||
|
||||
For example, suppose we registered a trigger for table p, and we
|
||||
had 2 rules:
|
||||
|
||||
p(x) :- q(x)
|
||||
r(x) :- t(x)
|
||||
|
||||
Updates to table t could never change the contents of p, but updates
|
||||
to table q COULD change the contents of p. Hence, the trigger
|
||||
implementation would run queries on p only when the incoming update
|
||||
changes q.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Programmers could write their own trigger-logic for each feature
|
||||
that needs this functionality. The benefit would be that the
|
||||
programmer can customize the functionality to fit exactly her
|
||||
purpose. The drawback would be that the user would need to
|
||||
understand the internals of all the Theory subclasses.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
This added functionality may or may not come with a performance cost.
|
||||
|
||||
NonrecursiveRuleTheory will have a performance cost because currently
|
||||
we do not evaluate a table on insert/delete, but after the change
|
||||
we will need to do more query evaluation.
|
||||
|
||||
MaterializedViewTheory will incur no performance cost because it already
|
||||
evaluates all tables at every insert/delete.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
None
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None outside of Congress. Developers can ignore the new interface
|
||||
if they want.
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Tim Hinrichs
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Add event-handler registry to theory base class
|
||||
- Add implementation of event-handler to all theory subclasses
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests: register event handler, insert/delete policy data, check if
|
||||
event handler actually executed
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,180 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Publish policy results to DSE message bus
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/publish-policy-results-to-bus
|
||||
|
||||
Implement subscriptions for the policy engine. That is, every time an entity
|
||||
on the DSE subscribes to a policy engine table, the policy engine should
|
||||
publish the results of that table on the message bus. The implementation
|
||||
should utilize the trigger mechanism, which is the subject of another spec.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently, datasource drivers obey the publish/subscribe paradigm for tables.
|
||||
The policy engine subscribes to the tables it needs from the datasources,
|
||||
and the datasources publish information as appropriate.
|
||||
|
||||
But there are several use cases when other entities on the DSE message bus
|
||||
(not necessarily "datasources" per se) would like to subscribe to tables
|
||||
defined within policy.
|
||||
|
||||
- Building proof of concepts where an external service is informed of
|
||||
policy violations and reacts accordingly, implemented for the sake of
|
||||
convenience as another entity on the DSE message bus.
|
||||
|
||||
- Interoperable policy engines that publish their monitoring results
|
||||
on the bus for other policy engines to consume.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Every time the policy engine gets a subscription request for a specific
|
||||
table, e.g. 'alice_policy:error', the policy engine registers a trigger
|
||||
for that trigger. When the trigger fires, it publishes the contents of
|
||||
that table on the message bus.
|
||||
|
||||
Every time the policy engine gets an unsubscribe request for a specific
|
||||
table, the policy engine removes the trigger for that table.
|
||||
|
||||
The subscribe/unsubscribe functionality should be implemented within
|
||||
policy/dse_policy.py:DseRuntime.
|
||||
|
||||
Because it is likely that the tables could be large, it makes sense to
|
||||
publish deltas for those tables on the bus, just as the datasources do.
|
||||
The functionality that does this for datasource drivers can be found
|
||||
in datasource_driver.py:DatasourceDriver.prepush_processor.
|
||||
|
||||
To implement the delta publishing, we should look into creating a subclass
|
||||
of dse/deepsix.py:DeepSix that includes the prepush_processor functionality and
|
||||
have both DatasourceDriver and DseRuntime inherit from it instead of DeepSix.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The policy engine could publish the entire table to the bus. The downside
|
||||
is that large tables with frequent small changes would cause a large amount
|
||||
of unneeded bus traffic. The upside would be that the subscriber might
|
||||
be simpler to write if it receives the entire table. If that turns out to
|
||||
be the case, we could always build convenience functions that compute
|
||||
the entire table from the deltas.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Performance will be impacted, but little moreso than because of the triggers.
|
||||
The triggers will need to compute the delta; that delta will then simply
|
||||
be published on the message bus. Publishing is fast (especially compared
|
||||
to computing the contents of tables and then their deltas).
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Create subclass of DeepSix that includes delta publication functionality
|
||||
and have DatasourceDriver and DseRuntime inherit from that subclass
|
||||
instead of DeepSix
|
||||
|
||||
- Alter DseRuntime so that every subscribe message sets up the appropriate
|
||||
trigger.
|
||||
|
||||
- Alter DseRuntime so that every unsubscribe message removes the appropriate
|
||||
trigger.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Requires triggers: policy-engine-triggers
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Non-tempest tests that subscribe to policy engine tables, cause
|
||||
changes to those tables, and verify that the appropriate deltas
|
||||
are sent on the bus are adequate.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None required--we're just making a policy engine implement the same interface
|
||||
as datasource drivers.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,166 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
refactor-datasource-driver-framework
|
||||
==========================================
|
||||
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/refactor-datasource-driver-framework
|
||||
|
||||
Currently the congress datasource driver is still pretty complex. This
|
||||
blueprint aims to simplify it.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* current there is a lot of logic in the convert_obj() method which is
|
||||
used to load the data into the data source driver. The majority of this
|
||||
logic is to validate that the table schema is valid. We should only need
|
||||
to do this one though on load of the data source driver.
|
||||
|
||||
* currently if you list the tables of a data source driver they aren't always
|
||||
populated in via __init__ self.state[table_name] = set(). I want to add a
|
||||
method to the DatasourceDriver base class that load_translator() which
|
||||
will allow one to pass in translators via the __init__ of a
|
||||
datasource driver. This will validate the schema there.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add load_translator() to datasource driver base class as descripted as able.
|
||||
In addition to other refactoring that comes up as this work is being done.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Using the Congress datalog syntax, write out an example policy using
|
||||
https://wiki.openstack.org/wiki/Congress#Policy_Language
|
||||
|
||||
Example:
|
||||
|
||||
error(vm) :-
|
||||
nova:virtual_machine(vm),
|
||||
ids:ip_packet(src_ip, dst_ip),
|
||||
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
|
||||
ids:ip_blacklist(dst_ip).
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
Describe the policy activities in terms of monitoring, reactive, proactive,
|
||||
and other ways to explain how the policy will implement it's desired state.
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
Describe which projects and/or services the data is coming from
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
Changes which require modifications to the data model often have a wider impact
|
||||
on the system. The community often has strong opinions on how the data model
|
||||
should be evolved, from both a functional and performance perspective. It is
|
||||
therefore important to capture and gain agreement as early as possible on any
|
||||
proposed changes to the data model.
|
||||
|
||||
Questions which need to be addressed by this section include:
|
||||
|
||||
* What new data objects and/or database schema changes is this going to
|
||||
require?
|
||||
|
||||
* What database migrations will accompany this change.
|
||||
|
||||
* How will the initial set of new data objects be generated, for example if you
|
||||
need to take into account existing instances, or modify other existing data
|
||||
describe how that will work.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
arosen
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Push code to do this.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests and tempest tests will be present to confirm this works as desired.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Will update docs for how this now works.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,163 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===============================================================================
|
||||
Pull common functionality into driver superclass, including data transformation
|
||||
===============================================================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/refactor-drivers
|
||||
|
||||
Currently, each datasource driver contains code to convert data from the API
|
||||
call response to the Congress data tables. This change will make it easier
|
||||
for a developer to add each incremental data source driver.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Today, it takes more code than necessary to write a data source driver.
|
||||
|
||||
The code is also more difficult to write than necessary. Some of these API
|
||||
responses (like in neutron list networks) contain nested data, for example in
|
||||
the list of networks, each network can contain a sub-list of subnets. The
|
||||
driver populates a separate table for subnets and the creates a key to link
|
||||
between the network table and the subnet table.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
To generalize the driver, this change will allow a driver class to specify how
|
||||
to extract data from the API response, and into which table/field to put the
|
||||
response data.
|
||||
|
||||
To handle the sublist conversion, the driver class will specify if a field is
|
||||
a sublist, and then also specify a key, so that the main table can link to the
|
||||
subtable. This sublist relationship will be recursive, so that a sublist can
|
||||
also contain another sublist.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
This change will have an effect as soon as it is merged, but Congress should
|
||||
behave exactly as it did without the change.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
The new refactoring will change how programmers write datasource drivers. The
|
||||
new way should be easier, require less code, and be less bug prone. To take
|
||||
advantage of the new refactoring, we'll need to rewrite the existing drivers,
|
||||
but this need not happen at the same time as writing the new datasource driver
|
||||
superclass.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
ayip
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
1) Write new superclass.
|
||||
2) Rewrite Nova driver.
|
||||
3) Rewrite Neutron driver.
|
||||
4) Rewrite Keystone driver.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests for superclass, and modify existing test cases for individual
|
||||
drivers.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
This change will include new documentation for how to use the new datasource
|
||||
driver superclass.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,148 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
====================================
|
||||
Add Support for Python 3 to Congress
|
||||
====================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/support-python3
|
||||
|
||||
This specification describes how to gradually add Python 3 support to
|
||||
Congress.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently Python 3 tests are failing. In an effort to support both Python 2
|
||||
and Python 3 concurrently a number of changes to Congress are needed.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This specification will be used to track a number of successive, minor changes
|
||||
to Congress with the goal of fully supporting Python 3. Each commit will
|
||||
address one change to Congress to ensure compatibility with Python 3 while
|
||||
continuing support for Python 2.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Once fully implemented commits must pass tox tests against py34 and should be
|
||||
rejected if tests fail.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
jzabala
|
||||
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Determine what sections of code need to be modified to ensure Python 3
|
||||
compatibility. This can be done by generating list of fixers which run
|
||||
when '2to3' is used to transform code to Python 3.
|
||||
- Run code through 2to3 for each fixer (see previous bullet), also ensuring
|
||||
that changes to the code do not break compatibility with Python 2.
|
||||
- Confirm that changes are gradually improving tox -e py34 test outcomes.
|
||||
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
tbd
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Implementation of this specification should result in tox tests against py34
|
||||
succeeding. Current unit tests (and the code being tested) may have to be
|
||||
modified during the course of the implementation of this specification.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
None.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None.
|
|
@ -1,125 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Swift Data Source Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/swift-data-source-driver
|
||||
|
||||
This blueprint is to add a data source driver for swift.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A datasource driver is required to expose list of containers and
|
||||
list of objects in each container to the Congress policy framework
|
||||
so that we can write policies involving object storage entities.
|
||||
Swift is the OpenStack component that provides object storage service.
|
||||
The swift-datasource-driver interacts with swift service to provide
|
||||
object storage specific states to congress for policy monitoring.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add data source driver that integrates congress with swift.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
This will use the congress language. swift:containers(X) etc.
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Just monitoring right now.
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Swift
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
TBD
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Srinivasa Rao Ragolu
|
||||
sragolu@mvista.com
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Implement swift driver with essential tables
|
||||
- Implement test code to test the driver
|
||||
- Implement tempest code for real-time tests
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
python-swiftclient
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Will need to add unit test code
|
||||
- Will add tempest tests.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,146 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
vCenter Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/vcenter-driver
|
||||
|
||||
This blueprint is to add a data source driver for vCenter, giving congress
|
||||
access to new information from an external datasource.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add a data source driver that integrates congress with vCenter by connecting
|
||||
to vCenter using oslo.vmware.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
This will use the congress language. vCenter:hosts(X) etc.
|
||||
|
||||
Example - Creating a whitelist of all MAC addresses of hosts found in vCenter
|
||||
|
||||
WhiteList(vnic_macs,pnic_macs) :-
|
||||
vCenter:hosts(host:vnic_mac_id,host:pnic_mac_id),
|
||||
vCenter:host.pnic_macs(host:pnic_mac_id,pnic_macs),
|
||||
vCenter:host.vnic_macs(host:vnic_mac_id,vnic_macs)
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
Monitoring Hosts and Virtual Machines
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
vCenter
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
This driver will require vCenter credentials to be input into congresses
|
||||
configuration, and will provide congress data by using those credentials. It
|
||||
will be important for those implementing this driver to be aware of what data
|
||||
is visible from congresses API.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Implementing this driver will add another data source for congress to parse
|
||||
data from, and since this driver pulls data from a non-openstack source this
|
||||
will generate additional traffic on the network.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
To use this driver a deployer will need to configure this driver in
|
||||
datasource.config.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Conner Ferguson
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Documentation can already be found at
|
||||
https://bitbucket.org/ConnerFerguson/vcenter-driver
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
https://bitbucket.org/ConnerFerguson/vcenter-driver - Current code hosting
|
||||
|
||||
|
|
@ -1,165 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add Action Listing to api
|
||||
==========================================
|
||||
|
||||
Just as the API allows us to query the available tables that a
|
||||
datasource provides, it should be possible to query the available
|
||||
actions that a datasource can execute.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently, datasources have the ability to execute actions, but there is no api
|
||||
call to ask what the available actions are.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Add an API call that returns the list of available actions.
|
||||
|
||||
This requires adding a method to the
|
||||
congress/datasources/datasource_driver.py:ExecutionDriver
|
||||
class that returns the list of actions that the datasource will execute.
|
||||
|
||||
It would be nice if the ExecutionDriver also enforced that it only
|
||||
executed the actions in that list.
|
||||
|
||||
One might consider trying to auto-generate the list of actions based
|
||||
on the methods available in the python-client being used (for those
|
||||
datasources using a python-client).
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is to provide no API and ask people to consult the
|
||||
documentation to find the list of available actions.
|
||||
|
||||
This is more
|
||||
attractive than it sounds because it gives us the freedom to
|
||||
execute any action that the python-client for the underlying
|
||||
datasource exposes. If someone adds a new method for the python-client
|
||||
then a policy writer immediately gets access to that method, without
|
||||
requiring any changes in Congress.
|
||||
|
||||
The downside to this approach is that end-users need to understand
|
||||
which python client they are using within each datasource driver and
|
||||
then look up the docs for that python client. So in terms of usability,
|
||||
it's pretty terrible.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
There should be no data-model impact, since the added information is
|
||||
implemented as part of the datasource driver, not stored in the database.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
GET /v1/data-sources/<datasource-id>/actions
|
||||
|
||||
Should error if the datasource does not implement the proper method.
|
||||
|
||||
Result should be an array of dicts, where each dict describes an action:
|
||||
[{'name': <action-name>,
|
||||
'args': <list-of-parameter-names>}]
|
||||
|
||||
The assignee is free to extend the fields of an action to include additional
|
||||
meta-information, such as a description of what the action does, or a
|
||||
description of what each of the parameters are.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Need to add similar functionality to the python-congressclient.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
0. Modify API design doc (linked from the wiki)
|
||||
1. Add method to ExecutionDriver in congress/datasources/datasource_driver.py
|
||||
2. Add call handler in congress/harness.py
|
||||
3. Add route call in congress/api/router.py
|
||||
4. Add API implementation to congress/api/action_model.py
|
||||
5. Update python-congressclient
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit tests for API to congress/tests/test_congress.py
|
||||
- Unit tests for ExecutionDriver
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Add API call
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,189 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==============
|
||||
API Validation
|
||||
==============
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/api-validation
|
||||
|
||||
Users (and programs) sometimes provide invalid inputs to APIs. The API should
|
||||
be resilient to this, and deny bad requests.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Any request that does not conform to the form expected by the API is deemed
|
||||
invalid. Invalid requests should be rejected by the API, along with
|
||||
information to aid in correcting the problem.
|
||||
|
||||
The following features are desirable in an API validation solution:
|
||||
|
||||
* Validation should enforce a declarative model that is visible external to
|
||||
the validation implementation.
|
||||
|
||||
* The declarative model should follow standard formatting and conventions
|
||||
that are understood in the API caller's context.
|
||||
|
||||
* For cross-platform APIs, the model should be consumable without knowledge
|
||||
of a particular programming language.
|
||||
|
||||
* The model should provide sufficient information for generation of
|
||||
resource documentation in associated API reference material.
|
||||
|
||||
* Validation should be performed by a common framework which facilitates
|
||||
binding the declarative models with the API implementation.
|
||||
|
||||
* The API implementation may assume trusted inputs by relying on the
|
||||
framework to offload validation.
|
||||
|
||||
* Validation may be selectively enabled on API outputs to facilitate
|
||||
development and testing.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
We will introduce JSON schemas to model the expected inputs and outputs of
|
||||
each API call.
|
||||
|
||||
The API resource manager will be updated to support binding of schemas to
|
||||
each handler.
|
||||
|
||||
When dispatching API calls, the framework will validate the call body using
|
||||
the 'jsonschema' python validator.
|
||||
|
||||
If an optional flag is provided, the dispatcher will validate the API handler
|
||||
response body before passing the response up the stack.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Other components, such as neutron, have created custom validation utilities.
|
||||
These utilities are often not as rich as JSON schema, and do not address
|
||||
many of the desirable features described above.
|
||||
|
||||
The nova project is currently retrofitting their API to utilize JSON Schema
|
||||
validation: https://blueprints.launchpad.net/nova/+spec/v3-api-schema
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
The current API provides very minimal validation. This change will add
|
||||
validation to all existing API calls.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Adding validation to the API should increase security of the system by
|
||||
protecting the API implementation from unexpected inputs.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Validation of inputs will have a negative performance impact on latency and
|
||||
throughput of API calls. JSON schema does not necessarily impose larger
|
||||
performance impacts than other validation solutions, despite its increased
|
||||
power and flexibility.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
After introduction of API validation, new API calls will need to introduce an
|
||||
associated schema.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
pballand
|
||||
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Create JSON schemas for each API resource (This is already done in the API
|
||||
design, and simply needs to be translated to the source tree.)
|
||||
|
||||
* Add support to the API resource manager to bind schemas with resource
|
||||
endpoints.
|
||||
|
||||
* Add jsonschema as a runtime dependency.
|
||||
|
||||
* Use jsonschema to validate requests before dispatching to API implementation.
|
||||
|
||||
* Expose flag to support output validation. Optionally use jsonschema to
|
||||
validate body of API result before returning to the wsgi server.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
The schema validator is assumed to be thoroughly tested. We will test that
|
||||
validation is being performed by issuing requests that should and should not
|
||||
validate against the schema.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
This change itself does not impact documentation. The addition of schemas
|
||||
for each API call should be included in the documentation.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
JSON Schema definition:
|
||||
http://json-schema.org/
|
||||
|
||||
Python jsonschema validator:
|
||||
https://python-jsonschema.readthedocs.org/en/latest/
|
||||
|
||||
Nova spec for updating validation to use JSON Schema:
|
||||
https://blueprints.launchpad.net/nova/+spec/v3-api-schema
|
|
@ -1,230 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
========================
|
||||
Support version list API
|
||||
========================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/api-version
|
||||
|
||||
The Congress API should be able to list current supported API versions.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Users want to talk with Congress API, but no API support to query the supported
|
||||
versions, so users have no idea about which versions can be supported in the
|
||||
current Congress deployment.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Export the version list API, and show the current API details, include: id,
|
||||
status, update time, links, like other OpenStack project: nova, neutron and
|
||||
etc. Although Congress only support one version API(v1) currently, but the
|
||||
version list API make sense for future API evolution.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
* Specification for the method
|
||||
|
||||
* List the current supported API versions.
|
||||
|
||||
* Method type: GET
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): None
|
||||
|
||||
* ``/``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed: None
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"versions": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"status": {
|
||||
"type": "string"
|
||||
},
|
||||
"updated": {
|
||||
"type": "string"
|
||||
},
|
||||
"id": {
|
||||
"type": "string"
|
||||
},
|
||||
"links": {
|
||||
"type": "array",
|
||||
"items": {
|
||||
"type": "object",
|
||||
"properties": {
|
||||
"href": {
|
||||
"type": "string"
|
||||
},
|
||||
"rel": {
|
||||
"type": "string"
|
||||
}
|
||||
},
|
||||
"additionalProperties": false,
|
||||
"required": ["href", "rel"]
|
||||
}
|
||||
}
|
||||
},
|
||||
"additionalProperties": false,
|
||||
"required": ["status", "updated", "id", "links"]
|
||||
}
|
||||
}
|
||||
},
|
||||
"additionalProperties": false,
|
||||
"required": ["versions"]
|
||||
}
|
||||
|
||||
|
||||
* Example use case:
|
||||
|
||||
::
|
||||
|
||||
GET /
|
||||
{
|
||||
"versions": [{
|
||||
"status": "CURRENT",
|
||||
"updated": "2015-07-03T11:33:21Z",
|
||||
"id": "v1",
|
||||
"links": [{
|
||||
"href": "http://10.250.10.29:1789/v1/",
|
||||
"rel": "self"
|
||||
}]
|
||||
}]
|
||||
}
|
||||
|
||||
* There should not be any impacts to policy.json files for this change.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
The related works in python-congressclient will also be added.
|
||||
|
||||
After this modification, user could get the API version details, like this:
|
||||
|
||||
::
|
||||
|
||||
openstack congress version list
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
We modify api-paste.ini to add some stuff, so if the operator prepare to
|
||||
upgrade from old release, he need to add the new config items to old
|
||||
api-paste.ini file or override the old using new one.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
|
||||
Rui Chen <chenrui.momo@gmail.com>
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Adds Version class to assemble API versions response.
|
||||
* modify api-paste.ini to route the request to the new logic.
|
||||
* Make python-congressclient supporting this API.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
None
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Some unit tests should been added to cover the new API.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
The related content should be added in Congress API document.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,182 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Compromised VM
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/compromised-vm
|
||||
|
||||
Security policy use case
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
IDS service notices malicious traffic originating from an insider VM trying to
|
||||
send packets to hosts inside and outside of the tenant perimeter. As this is
|
||||
detected, some reactive response would need to be taken, such as isolating the
|
||||
offending VM from the rest of the network. This policy would facilitate one of
|
||||
the reactive responses to be invoked when a compromise is reported by an IDS
|
||||
service.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
An IDS will need to monitor traffic in and out of virtual machines. The IDS
|
||||
will maintain the blacklist of known bad destinations. The patterns will need
|
||||
to maintained in the IDS. While the IDS is monitoring for traffic patterns and
|
||||
blacklist, it will need to notify Congress of the event through the Congress
|
||||
IDS plugin. Through the Congress Neutron plugin, Neutron API will need to be
|
||||
updated blocked IP. Congress-client and Horizon to alert the operator of
|
||||
changes.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
(sarob)
|
||||
Instead of a blacklist maintained by the IDS, use an real time check of a
|
||||
public blacklist.
|
||||
|
||||
(thinrichs)
|
||||
Would it be simpler to flag an error anytime a VM was identified by IDS?
|
||||
error(vm) :- ids:ip_blacklist(ip), neutron:port(vm, ip)
|
||||
|
||||
(thinrichs)
|
||||
We should try to work out how the reactive bit would work. The way we'll do
|
||||
that for the beta is to write another policy that dictates which action to take
|
||||
under certain conditions. Imagine the policy above but instead of error(vm), we
|
||||
write something like neutron:block_ip(secgrp, ip) :- ids:ip_blacklist(ip),
|
||||
neutron:port(vm, ip), neutron:security_group(vm, secgrp)
|
||||
I'm sure not all the details there are right. But ideally the thing in the head
|
||||
of the rule would be a Neutron API call. In the worst case it can just the name
|
||||
of a script that we write.
|
||||
|
||||
Policy
|
||||
----------------
|
||||
error(vm) :-
|
||||
nova:virtual_machine(vm),
|
||||
ids:ip_packet(src_ip, dst_ip),
|
||||
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
|
||||
ids:ip_blacklist(dst_ip).
|
||||
|
||||
Policy actions
|
||||
-----------------
|
||||
|
||||
* Monitoring: report/log the incident including the VM's IP address, external
|
||||
IP, etc.
|
||||
* Reactive: Invoke the nova API to add the VM to IDS security group restricting
|
||||
access to make changes. Invoke neutron to block all traffic to/from the
|
||||
VM's IP address. Alternatives are to restart the VM on a nova IDS
|
||||
schedule filter (limiting traffic chaos while maintaining the ability to
|
||||
access the VM) and/or a no route network or removing the VM network
|
||||
interface(s).
|
||||
|
||||
Data sources
|
||||
-----------------
|
||||
|
||||
* IDS (intrusion detection service VM): IP address of the offending VM
|
||||
* neutron: network details, IP details
|
||||
* nova: VM details; instance ID, interface(s) status, instance state, security
|
||||
group
|
||||
|
||||
Data model impact
|
||||
------------------
|
||||
|
||||
none
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Needs explanation
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
* DoS
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
* IDS API
|
||||
* congress-client
|
||||
* horizon
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Unknown at this time
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Unknown at this time
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Unknown at this time
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Unknown at this time
|
||||
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Unknown at this time
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Congress IDS plugin
|
||||
* Compromised VM policy
|
||||
* Congress client notification
|
||||
* Horizon notification
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
Neutron really needs to provide port allow/deny primitive. Today it blocks
|
||||
everything and we can only poke pin holes what's allowed out -- this makes it
|
||||
complex to implement policy
|
||||
|
||||
(thinrichs)
|
||||
Need to understand more about these limitations.
|
||||
|
||||
(sarob)
|
||||
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
TBD
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
https://docs.google.com/document/d/1ExDmT06vDZjzOPePYBqojMRfXodvsk0R8nRkX-zrkSw/edit#
|
||||
https://wiki.openstack.org/wiki/Congress
|
|
@ -1,208 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==================================================================
|
||||
Translation of Congress Table to Neutron Group-based Policy Tables
|
||||
==================================================================
|
||||
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/congress-gbp-translation
|
||||
|
||||
This specification describes how to integrate Congress Policy with Neutron
|
||||
Group-based Policy (GBP).
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
Congress provides a mechanism to allow OpenStack clients to define policy
|
||||
to be applied across all OpenStack components including networking.
|
||||
Neutron Group-based policy provides a high level abstraction for defining
|
||||
network connectivity between groups of endpoints.
|
||||
|
||||
It is desirable to integrate Congress and GBP so that Congress can
|
||||
monitor and enforce GBP policies. A Congress Reachability table
|
||||
can be used to specify connectivity policy between endpoints. This table
|
||||
can be translated into a set of tables that represent GBP entities, such as
|
||||
Policy Target Groups, Policy Rules, Policy Classifier, etc.
|
||||
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
GBP can be represented by these tables:
|
||||
|
||||
* Endpoints (endpoint_id)
|
||||
* Endpoint_group (endpoint_id, endpoint_group_id)
|
||||
* Classifiers (classifier_id, port, protocol, direction)
|
||||
* Classifier_group (classifier_id, classifer_group_id)
|
||||
* Actions (action_id, action_type, action_value)
|
||||
* Action_group (action_id, action_group_id)
|
||||
* Policy_rule (policy_rule_id, classifier_group_id, action_group_id)
|
||||
* Contracts (contract_id, policy_rule_id)
|
||||
* PolicyInstance (endpoint_group_id, relation, contract_id)
|
||||
|
||||
|
||||
A Congress Reachability policy table may be defined to form
|
||||
a policy between two groups of endpoints:
|
||||
|
||||
Reachable (id, group1, group2, src_port, dst_port)
|
||||
|
||||
The goal is to translate from the input Reachable policy table to
|
||||
the output GBP tables using the Congress policy language using
|
||||
functions such as:
|
||||
|
||||
PolicyInstance(group_id1, relation, contract_id) :-
|
||||
reachable(contract_id, group_id1, group_id2, x, y),
|
||||
producer_relation(relation)
|
||||
|
||||
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
None.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
An example of such a policy written using Congress datalog syntax
|
||||
is shown below for two groups, tier 1 and tier 2, to communicate
|
||||
bidirectionally on port 80.
|
||||
|
||||
Operator Input Data (from operator or cloud management system)
|
||||
|
||||
Tier Membership (tier_id, vm_id)
|
||||
|
||||
(1, 100)
|
||||
(1, 101)
|
||||
(2, 102)
|
||||
|
||||
Policy Input Data
|
||||
|
||||
Tiers(tier_id)
|
||||
(1)
|
||||
(2)
|
||||
|
||||
Reachability policy table
|
||||
|
||||
Reachable (id, src, dst, src_port, dst_port)
|
||||
(10, tier1, tier2, \*, 80)
|
||||
|
||||
(11, tier2, tier1, \*, 80)
|
||||
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
These tables allow Congress to monitor and enforce GBP policies.
|
||||
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
Neutron Group-based Policy. Details of GBP can be found here:
|
||||
|
||||
https://wiki.openstack.org/wiki/GroupBasedPolicy/StackForge/repos
|
||||
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
None.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
louis.fourie, alex.yip, cathy.zhang
|
||||
|
||||
Other contributors:
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Define translation functions.
|
||||
|
||||
* Implement the new constant tables and function tables to perform the
|
||||
translation.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* This is dependent on the implementation of a GBP data-source driver for
|
||||
Congress.
|
||||
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Some sample input tables will be created and the translation verified by
|
||||
checking the contents of the output trigger tables.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
All translation details will be documented.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
|
||||
* Juno Mid-cycle Policy Summit
|
||||
https://etherpad.openstack.org/p/juno-midcycle-policy-summit
|
||||
|
|
@ -1,164 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Datalog aggregates
|
||||
==========================================
|
||||
|
||||
Add aggregates sum, count, min, max, avg to the policy language.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Many policies require counting the number of VMs
|
||||
with a certain property, computing the average, min, max, or sum
|
||||
of certain values. Without aggregates, these policies cannot be
|
||||
expressed in Datalog.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This change adds aggregates to the Datalog policy language.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is to leave aggregates out of the language. The
|
||||
drawback is that some common policies would be inexpressible, but
|
||||
the benefit is that the algorithms for reasoning about policy
|
||||
would be simpler. By prohibiting aggregates, we exclude the possibility
|
||||
that the user wants to use aggregates at the cost of their inclusion.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Example: define a table that counts the number of VMs in the web tier
|
||||
of each application.
|
||||
|
||||
app_web_size(id, count(vm)) :-
|
||||
appservice:app(id),
|
||||
appservice:webtier(id, vm)
|
||||
|
||||
|
||||
Another option for syntax puts the aggregates into the body of the rule.
|
||||
This option will likely require new syntactic restrictions on rules
|
||||
to function properly.
|
||||
|
||||
app_web_size(id, cnt) :-
|
||||
appservice:app(id),
|
||||
appservice:webtier(id, vm),
|
||||
count(vm, cnt)
|
||||
|
||||
Suggestions for other syntaxes?
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
The syntax for rules will be extended, but the database schema for storing
|
||||
rules will not, since they are stored as strings.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
There will be some performance impact in using aggregates since
|
||||
they cost more to compute. These aggregates will also make reasoning
|
||||
about the policy itself (i.e. when data is unknown) more difficult.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
0. Choose aggregates to implement, e.g. count, min, max, sum, avg
|
||||
1. Modify congress/datalog/congress.g to accept the new statements (possibly)
|
||||
2. Modify congress/datalog/compiler.g to include new datastructures for
|
||||
representing aggregates internally
|
||||
3. Modify congress/datalog/topdown.py:TopDown.select() to handle aggregates.
|
||||
This will require adding in a step after computing all solutions
|
||||
that applies the aggregate function.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit tests will be added to congress/tests/datalog/test_nonrecur.py
|
||||
- A unit test or two ensuring the API properly accepts the new syntax
|
||||
will be added to congress/tests/test_congress.py
|
||||
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Need to add explanation of new syntax constructs to docs.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
1. Overview of a Datalog language with aggregates:
|
||||
http://dexter.stanford.edu/main/dexlog.html
|
||||
|
||||
2. Recent Stanford paper on aggregates
|
||||
http://stanford.edu/~abhijeet/papers/abhijeetSARA13.pdf
|
|
@ -1,150 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Removing d6cage dependency in api process
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/dist-remove-d6cage-from-api
|
||||
|
||||
remove d6cage dependency
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
API server currently relies on d6cage to create new API instances. Congress
|
||||
will remove d6cage in the next distributed architecture. It needs to remove
|
||||
dependency on d6cage of API instance creation.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
1. Introduce a new dict object to create instances of API models. The dict
|
||||
has references to each API instances d6cage has as services[name]['object']
|
||||
now. Then router.py:APIRouterV1 uses the references to register API
|
||||
with the instance.
|
||||
2. Change base class of some instances, which aren't need to be a deepsix
|
||||
class. This BP also changes these kind of class to python normal object.
|
||||
SchemaModel and DatasourceModel aren't need to be deepSix's subclass both
|
||||
in the current architecture and in the distributed one. others aren't need
|
||||
to be deepSix's subclass in the new distributed one.
|
||||
|
||||
How to change to distributed version
|
||||
|
||||
It replace calling harness.py:create() in service.py:congress_app_factory()
|
||||
with a new API instance creating method which has instantiation steps for
|
||||
API model in harness.py:create(). And it's only to make the dict with new
|
||||
instances.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is to spread codes in harness.py:create() into
|
||||
router.py:APIRouterV1.__init__(). This change is easier to track
|
||||
in current one process solution.
|
||||
|
||||
How to change to distributed version
|
||||
|
||||
It need to replace all d6cage.createservice() in APIRouterV1.__init__()
|
||||
with new API instance creating method. There are a lot of place we have
|
||||
to change for it. So this way is an alternative for this BP.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
muroi-masahito
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
0. create a new dict to have references to API instances
|
||||
1. pass it as an argument for router.py:APIRouterV1()
|
||||
2. use it to register API and the instances
|
||||
3. remove API instances which don't need to inherit deepsix from d6cage
|
||||
4. change direct access with variable to indirect access with method
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- change Unit tests for non-deepsix object if needed
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,256 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=========================================
|
||||
Abstraction policy definitions in Horizon
|
||||
=========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/horizon-policy-abstraction
|
||||
|
||||
Congress aims to provide an extensible open-source framework for governance
|
||||
and regulatory compliance across any cloud services. Users can define policies
|
||||
in congress by pure Datalog. But Datalog, working with data-tables, is a very
|
||||
difficult and complex description for policies. Users may have some problems
|
||||
to understand and deploy policies with Datalog. So this specification provides
|
||||
an abstraction for policies, and shows it in an abstraction form in Horizon,
|
||||
which will facilitate users to express their policies.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Datalog is not intuitive to use, even difficult for users to express their
|
||||
policies who are not familiar with it. And it may cause some misinterpretation
|
||||
when translating real intent to Datalog because of the complex logic.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Congress makes the whole cloud compliant by defining violation state and action
|
||||
for violation.
|
||||
|
||||
Policies in Congress can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
Congress Policy ::= violation-condition, "do" action for violation
|
||||
|
||||
So, policy abstraction is to abstract violation state and corresponding action
|
||||
to make the policy more intuitive and easy to use.
|
||||
|
||||
By analyzing typical scenarios, violation mainly can be divided into two parts.
|
||||
One is the constraint of objects' attributes, and another is the constraint
|
||||
of relationship between several objects' attributes.
|
||||
|
||||
All the objects and constraints are not just a simple set of data source
|
||||
tables, but they can be divided into some categories according to their
|
||||
functions and relations. So users just need to choose objects they care about
|
||||
without worrying about which tables they are in.
|
||||
|
||||
The violation-condition can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
violation-condition ::=object attribute constraint (value | object-attribute)
|
||||
object-attribute::=object "." attribute
|
||||
|
||||
For any violation state, congress will take some actions, such as monitoring,
|
||||
proactive and reactive. Of course, there may be more than one action defined to
|
||||
a violation. Though monitoring violation is the fundamental function of
|
||||
congress, changing cloud state to make the cloud compliant is also an important
|
||||
function. So, policy abstraction will provide some optional reactive actions
|
||||
for different objects to resolve violations.
|
||||
|
||||
The action for violation state can be expressed by BNF as below.
|
||||
|
||||
::
|
||||
|
||||
action ::= ("monitoring"| "proactive"| "reactive action") data
|
||||
|
||||
So policies in Congress can be abstracted into "name", "objects",
|
||||
"violation-condition", "action" and "data".
|
||||
|
||||
Among these, element "name" defines a marker of a policy, which is used to
|
||||
be a unique identification for a policy.
|
||||
|
||||
Element "objects" defines all objects which are concerned by this policy.
|
||||
They are not just simple display of data source tables, but a organized set
|
||||
which contains the relationship between different tables and objects,
|
||||
such as, "servers", "networks", "hosts", "subnets", etc.
|
||||
For example, table "statistics" will not appear as a object, but it will be
|
||||
a attribute of other objects, such as, "servers", "networks".
|
||||
Another example is users could choose "servers" and "networks" without caring
|
||||
about what put them together ("ports", actually).
|
||||
|
||||
Element "violation-condition" defines the state of objects' attributes
|
||||
which can produce violation, and the constraint will include comparison,
|
||||
arithmetic and some predefined relationship/functions, such as, "same_group".
|
||||
|
||||
Element "action" defines the action needs to take for this policy,
|
||||
and actions will include "proactive", "monitoring" and some specific actions,
|
||||
such as, "create", "pause". All these actions depend on the ability of
|
||||
underlying components.
|
||||
|
||||
Element "data" defines the information gotten or needed when executing the
|
||||
action, for example, when monitoring a servers violation, users can define
|
||||
"data" as servers' name to be a return parameters.
|
||||
|
||||
That is, Congress UI will provide many elements of policies as drop-down lists,
|
||||
and the combination of these elements will form various policies. All these
|
||||
elements are from the summary of typical scenarios and the ability of
|
||||
underlying components.
|
||||
Users need to choose which one can match their needs.
|
||||
|
||||
If there are some extensions of underlying component, attributes of any
|
||||
component, or packaging functions, users could add objects, attributes and
|
||||
define functions in advanced UI which show all detailed tables and attributes
|
||||
in the underlying components. All extensions defined in advanced UI will
|
||||
be available in abstraction UI,so users could customize their own policies
|
||||
by combining these two UIs.
|
||||
|
||||
When user submits what he choose, UI will translate the information in UI
|
||||
into Datalog.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Policy
|
||||
-------
|
||||
|
||||
There is one example to express typical policy by abstraction form in Horizon.
|
||||
|
||||
Example: every network connected to a VM must either be public or
|
||||
owned by someone in the same group as the VM.
|
||||
|
||||
For this example, users care about "servers" and "networks", so users will
|
||||
choose these two objects from a drop-down list.
|
||||
After users decide the objects,users could make use of these attributes to
|
||||
define violation state. In this example, violation-condition is that servers
|
||||
tenant's group is not same with networks tenant's group. So users could choose
|
||||
these two attributes and set their relation is "not equal".
|
||||
All the choices will be show as drop-down lists, too.
|
||||
|
||||
And users need to choose the action and data to define which actions should be
|
||||
applied to this violation. For example, users choose "monitoring", attributes
|
||||
of servers and networks will appear in "data".
|
||||
|
||||
In this policy, users can create a policy as below.
|
||||
|
||||
+----------+----------+------------------------------------------------------+------------+--------------+
|
||||
| name | objects | violation-condition | action | data |
|
||||
+----------+----------+------------------------------------------------------+------------+--------------+
|
||||
| policy_1 | servers |not equal(networks.share, public) | monitoring | servers.name |
|
||||
| | networks |not equal(servers.tenant.group, networks.tenant.group)| | |
|
||||
+----------+----------+------------------------------------------------------+------------+--------------+
|
||||
|
||||
If user have defined a packaging function for same_group, it will be added into
|
||||
violation-condition, so user could choose this function and set which two
|
||||
attributes are the parameters of this function.
|
||||
|
||||
If use take use of this way, above policy will be showed as below.
|
||||
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
| name | objects | violation-condition | action | data |
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
| policy_1 | servers |not equal(networks.share, public) | monitoring | servers.name |
|
||||
| | networks |not same_group(servers.tenant, networks.tenant)| | |
|
||||
+----------+----------+-----------------------------------------------+------------+--------------+
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
The action can be monitoring, proactive or some execute actions
|
||||
which can make the cloud compliant.
|
||||
|
||||
Data Source
|
||||
-----------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
All parameters inputted by users need satisfy predefined standard, for example,
|
||||
if values inputted in "violation-condition" in reasonable range
|
||||
(e.g. 0-100% for CPU utilization).
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
End users can be able to write policies in Horizon and use some drop-down lists
|
||||
and some simple inputs to create a policy. Then Horizon will translate the
|
||||
information in UI into Datalog, which will be processed in Congress.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
===============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Yali Zhang
|
||||
|
||||
Other contributors:
|
||||
Jim Xu; Yinben Xia
|
||||
|
||||
Work items
|
||||
-----------
|
||||
|
||||
|
||||
- Abstraction form to write policies rules and actions for policies.
|
||||
- Build mapping relationship between abstraction form and Datalog,
|
||||
so users can write a policy in UI other than Datalog.
|
||||
- Pass information from Horizon to Congress to finish the policy creation.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Need to be tested with a variety of scenarios.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Add instructions for policy abstraction in UI.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,334 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Add policy engine class to API
|
||||
==========================================
|
||||
|
||||
This blueprint makes it possible to access policy-engines (other than
|
||||
the domain-agnostic policy engine) via the API.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently there is no way to access policy engines other than the current
|
||||
domain-agnostic policy engine through the API. Now that we are adding
|
||||
other policy engines, we need to give the user a way to interact with them.
|
||||
|
||||
In addition to being useful for domain-specific policy engines, enabling
|
||||
multiple policy engines should make it easier to handle upgrades for the
|
||||
domain-agnostic policy engine: bring up the new one alongside the old one,
|
||||
then swap the old one with the new one atomically.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Here we discuss two proposals. We list tradeoffs in the next section.
|
||||
|
||||
Proposal 1: Type-based
|
||||
--------------------------
|
||||
Here we simply add a top-level 'policy-engines' API endpoint, giving us ...
|
||||
|
||||
/v1/policy-engines/<engine-id>/...
|
||||
/v1/data-sources/<datasource-id>/...
|
||||
/v1/system/...
|
||||
|
||||
For example:
|
||||
/data-sources/nova/...
|
||||
/data-sources/neutron/...
|
||||
/policy-engines/agnostic/...
|
||||
|
||||
Data-sources would support:
|
||||
* schema: available tables
|
||||
* actions: available actions
|
||||
* status: status
|
||||
|
||||
Policy-engines would support:
|
||||
|
||||
* schema: available tables (e.g. classification:connected_to_internet)
|
||||
* actions: available actions (e.g. scripts built into a policy-engine for
|
||||
carrying out some task)
|
||||
* status: status
|
||||
* policies: available policies
|
||||
|
||||
That is, the only difference between a policy-engine and a data-source is that
|
||||
the datasource doesn't support 'policies'. If we were to think of 'policies'
|
||||
as simply 'modules' then we could imagine a datasource-driver exposing
|
||||
hierarchical tables, just like a policy-engine does. And in that case,
|
||||
the data-source would have something analogous to the policy-engine 'policies'.
|
||||
|
||||
|
||||
Proposal 2: Service-based
|
||||
--------------------------
|
||||
Here we do away with the types policy-engine and data-sources and give clients
|
||||
the ability to access both policy-engines and datasources from the same
|
||||
endpoint. This is possible because you cannot give a policy-engine and
|
||||
a datasource the same name (a restriction in place to ensure references to
|
||||
other services in policy are unambiguous).
|
||||
|
||||
/v1/services/<service-id>/...
|
||||
/v1/system/...
|
||||
|
||||
For example:
|
||||
/v1/services/nova/...
|
||||
/v1/services/neutron/...
|
||||
/v1/services/agnostic/...
|
||||
|
||||
All services would support:
|
||||
|
||||
* schema: available tables (e.g. classification:connected_to_internet)
|
||||
* actions: available actions (e.g. scripts built into a policy-engine for
|
||||
carrying out some task)
|
||||
* status: status
|
||||
* policies: available policies
|
||||
|
||||
In short, this proposal treats everything as if it is a policy-engine. The
|
||||
datasource policy engines prohibit users from making changes directly (and
|
||||
even if they did, they would only accept a very restricted form of policy
|
||||
statements: ground facts).
|
||||
|
||||
This approach can be backwards compatible as well. We can still support
|
||||
|
||||
/v1/datasources/<datasource-id>/...
|
||||
|
||||
which gets routed to
|
||||
|
||||
/v1/services/<datasource-id>.
|
||||
|
||||
And we can support
|
||||
|
||||
/v1/policies
|
||||
/v1/actions
|
||||
/v1/tables
|
||||
/v1/status
|
||||
|
||||
as syntactic sugar for
|
||||
|
||||
/v1/services/<default-service>/policies
|
||||
/v1/services/<default-service>/actions
|
||||
/v1/services/<default-service>/tables
|
||||
/v1/services/<default-service>/status
|
||||
|
||||
This would enable the user to choose a single touchpoint for managing policy
|
||||
in the datacenter, while at the same time enabling them direct access to all
|
||||
the services in the datacenter. (The only worry here is that )
|
||||
|
||||
To set the <default-service>, we'd want a parameter the user can set
|
||||
dynamically (to help with upgrade).
|
||||
Right now we would set that to /services/agnostic.
|
||||
And maybe we can have arbitrary aliases for services as well, so that we can
|
||||
upgrade any service without changing policy.
|
||||
|
||||
One worry with providing the /v1/policies, etc. endpoints is that it may
|
||||
seem to mask Congress's overall status, policies, actions, and tables. That is,
|
||||
people might expect those endpoints to aggregate all the potential policies,
|
||||
actions, tables, and statuses. But if such functionality ever becomes
|
||||
necessary, we can attach those endpoints to /v1/services, giving us the
|
||||
following end points.
|
||||
|
||||
/services/policies
|
||||
/services/actions
|
||||
/services/tables
|
||||
/services/status
|
||||
|
||||
Here is an example of the entry points if we had Nova, GBP, and our policy
|
||||
engine. The name of the service is whatever name DSE expects.
|
||||
|
||||
/policies
|
||||
/actions
|
||||
/tables
|
||||
/services/policies
|
||||
/services/actions
|
||||
/services/tables
|
||||
|
||||
/services/nova/policies -> empty
|
||||
/services/nova/actions -> createVM, deleteVM, migrateVM, etc.
|
||||
/services/nova/tables -> servers, hosts, etc.
|
||||
/services/gbp/policies
|
||||
/services/gbp/actions
|
||||
/services/gbp/tables
|
||||
/services/engine/policies
|
||||
/services/engine/actions
|
||||
/services/engine/tables
|
||||
|
||||
/system/drivers/
|
||||
|
||||
/system/engine-drivers/nova-uber-driver
|
||||
/system/datasource-drivers/nova-uber-driver
|
||||
/system/action-drivers/nova-uber-driver
|
||||
|
||||
|
||||
/users
|
||||
/stats
|
||||
|
||||
One benefit to enabling people to modify domain-specific policy engines
|
||||
through the Congress API is that we provide a single policy language for
|
||||
managing all the policy engines running in the datacenter. For delegation,
|
||||
we already need adapters that translate Datalog into the native language of
|
||||
each policy engine, so here we expose that functionality directly to the user
|
||||
as well.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Tradeoffs
|
||||
------------
|
||||
|
||||
Pros for the type-based approach:
|
||||
* Easy for users to understand
|
||||
* Simple extension of the current API
|
||||
|
||||
Cons for the type-based approach:
|
||||
|
||||
* Awkward that data-sources and policy-engines implement almost exactly the
|
||||
same interface and have separate namespaces, but are represented as
|
||||
distinct classes in the API.
|
||||
* Enables us to build datasources with significantly different programmatic
|
||||
interface than policy-engines. If at the API-layer the two classes of
|
||||
objects were almost indistinguishable, it would lead to better abstraction
|
||||
and interfaces in the underlying implementation.
|
||||
|
||||
Pros for the the service-based approach:
|
||||
|
||||
* All services running on the DSE are accessed identically from the API. This
|
||||
is a more natural reflection of the reality of the nature of those services.
|
||||
|
||||
Cons for the service-based approach:
|
||||
|
||||
* Bigger change
|
||||
* May be more difficult for users to understand initially.
|
||||
* Eventually the policy-engine class will include functionality that the
|
||||
datasource class does not. Executing that functionality on a datasource
|
||||
will cause a 404, and we cannot predict which will occur based on just the
|
||||
URL.
|
||||
* Doing something like listing all the datasources will require an API like
|
||||
/v1/services?action=list&type=datasource instead of the more obvious
|
||||
/v1/data-sources/.
|
||||
|
||||
|
||||
Overall, the types (datasource vs. policyengine) will be present in both
|
||||
proposals, but they will be emphasized much less in the service-based approach.
|
||||
The service-based approach is closer to Python in that the system isn't able
|
||||
to look at the code you've written (the URL) and check if the method you asked
|
||||
for exists. The type-based approach is closer to C/Java in that the system IS
|
||||
able to tell you if the method exists by just looking at the code (URL).
|
||||
|
||||
Typically policy systems are quite dynamic in nature (you can change the
|
||||
policy/code at runtime), and hence are closer to dynamic programming languages
|
||||
like Python than to static languages like C/Java. We therefore typically
|
||||
bias our decisions toward dynamism, which in this case would mean the
|
||||
service-based approach.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
See above. No changes to API results--just the paths for invoking them.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
See above.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Once we decide on the approach, we will figure out the necessary work items.
|
||||
But here's a rough cut.
|
||||
|
||||
- type-based approach: add routes, create congress/api/engine_model.py, modify
|
||||
congress/api/\*_model to enable tables/actions/policies/etc. for engines.
|
||||
- service-based approach: add routes, create congress/api/service_model.py,
|
||||
(including an API to list different types of objects), modify the
|
||||
congress/api/\*_model to eliminate distinction between datasources and
|
||||
policies
|
||||
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
Assumes that we have added an API call for 'actions', though this work could
|
||||
be done without that: add-action-listing.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Change unit tests in congress/tests/test_congress.py
|
||||
- Change congress_pythonclient (which will handle tempest tests)
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Many URLs may change.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,174 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Create table publishing middleware
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/table-publishing-middleware
|
||||
|
||||
To lower the barrier to entry for other projects to publish data to Congress
|
||||
on the (extended) DSE, create middleware that automates as much of the process
|
||||
as possible.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently Congress periodically polls the services it is managing to get their
|
||||
data. It would be preferable if services sent data to Congress only when that
|
||||
data changes. For example, instead of Congress pulling the list of Nova's
|
||||
servers every minute, Nova would send its servers to Congress whenever a
|
||||
new server is created, an existing server is deleted, or an existing server
|
||||
is updated.
|
||||
|
||||
oslo.messaging already makes it possible for projects to publish data
|
||||
to other projects, but that mechanism is underutilized today.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Solving this problem means making it even easier for other projects to send
|
||||
their data to Congress than oslo.messaging does. This change will include
|
||||
middleware, perhaps made available via oslo, that publishes all changes to the
|
||||
underlying database tables on the bus. Moreover, it will
|
||||
send not the entire table but rather the delta on the table that occurred.
|
||||
It will be tightly integrated into existing oslo.db so that existing projects
|
||||
need make no code changes; they need only include and configure the code.
|
||||
|
||||
There will need to be a synchronization mechanism: Congress pulls all the data
|
||||
once and then needs deltas published on the bus from that point on. The deltas
|
||||
sent on the bus will include timestamps that allow Congress to synchronize
|
||||
the initial pull of data with the deltas.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Another option is to have a separate effort, say oslo.publish_tables, that
|
||||
is not so tightly integrated with oslo.db. The upside to this approach is that
|
||||
projects not using oslo.db (even those outside of OpenStack) could leverage
|
||||
the code. The downside to this approach is that projects already using oslo.db
|
||||
would need to write and maintain a bunch of special-purpose code for publishing
|
||||
their data--an approach that has seen little success til now.
|
||||
|
||||
Perhaps we will find that we can implement both approaches with little extra
|
||||
effort, but the primary goal of this spec is the tight integration with
|
||||
oslo.db.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
None
|
||||
|
||||
Policy Actions
|
||||
--------------
|
||||
|
||||
None
|
||||
|
||||
Data Sources
|
||||
------------
|
||||
|
||||
None
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
The goal of this spec is to improve the ability of other projects to
|
||||
utilize the notifications mechanism provided by oslo.messaging.
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
There will be minimal performance impact on the projects that utilize this
|
||||
code because only the deltas that hit the database will be published on
|
||||
the bus. Moreover, because each project can configure which tables
|
||||
are published on the bus, the project owner can tune any
|
||||
possible performance impact.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
When configuring the middleware, we propose one key configuration option:
|
||||
which tables should be published on the bus.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
None
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Write basic middleware functionality
|
||||
- Integrate it into oslo.db
|
||||
- Install it into an existing service, say Nova.
|
||||
- Standalone documentation
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
enable-delta-driven-datasources: enable the datasources/DatasourceDriver
|
||||
class to connect to datasources that send deltas.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
- Unit testing the basic functionality
|
||||
- Tempest tests
|
||||
o Verify that changes to tables configured to be published actually
|
||||
get published
|
||||
o Verify that changes to tables configured NOT to be published do not
|
||||
get published
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Need documentation in oslo for the basic middleware.
|
||||
Need documentation update to oslo.db
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
None
|
|
@ -1,152 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===============================================================
|
||||
Add availability zones to nova datasource driver
|
||||
===============================================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/add-az-to-nova-driver
|
||||
|
||||
This specification presents to extend the current nova datasource driver for
|
||||
supporting availability zone and its fields available from nova.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
The current nova provides avaiability zones for server and host. A host is a
|
||||
part of availability zone and server can be booted on the availability zone.
|
||||
However, the current nova datasource driver does not support it.
|
||||
This availability zone are useful for creating any policy related to server
|
||||
location.
|
||||
For example, we can specify a policy for checking status of any VMs located in
|
||||
the specific availability zone. In addition, we can specify an action policy
|
||||
for migrating some VMs from availability zone A to availability zone B.
|
||||
|
||||
Recently, availability zone was added to servers using
|
||||
OS-EXT-AZ:availability_zone [1].
|
||||
However, it is hard to make full hierarchy among availability zone, hosts, and
|
||||
servers and lack of flexiblity and extensibility. If we add the availability
|
||||
zone to nova data source driver, it will be more flexible and extensible to use
|
||||
more fields available from the availability zone such as zone state.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Basically, we can extend the curret Nova datasource driver
|
||||
(datasources/nova_driver.py) by adding the following a translator and
|
||||
two fields.
|
||||
|
||||
* availabilty_zones_translator
|
||||
|
||||
* zone_name
|
||||
* zone_state
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Using the Congress datalog syntax, write out an example policy using
|
||||
https://wiki.openstack.org/wiki/Congress#Policy_Language
|
||||
|
||||
Example:
|
||||
|
||||
host_availability_zone(vm,zone_name) :-
|
||||
nova:hosts(host_name,zone=zone_name),
|
||||
nova:availability_zones(zone_name=zone_name)
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
nova
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
Joon Kang <joon-myung-kang>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Implement availability_zone_translator in nova datasource driver
|
||||
* Perform unit testing
|
||||
* Perform functional testing for the new field
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Test host and availability zones using the policy
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
TBD
|
||||
|
||||
References
|
||||
==========
|
||||
[1] /congress/commit/9f9e26f850d12c73721b5e6b45ac00997c8c24c2
|
||||
[2] http://docs.openstack.org/openstack-ops/content/scaling.html
|
|
@ -1,199 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Push Type DataSource Driver
|
||||
==========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/push-type-datasource-driver
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Currently DataSource Driver retrieves all cloud service's info by polling
|
||||
each datasource. The purpose of the polling is just to monitor cloud
|
||||
service periodically. Thus Congress can't notice a change in cloud service
|
||||
just after the change occurs. It means a policy violation isn't detected
|
||||
until Congress polls the change. Additionally, Congress calls the service's
|
||||
API to get the data for a table, so datasource table's schema depends on API
|
||||
response contents.
|
||||
|
||||
In the area of monitoring, tons of well-developed monitoring system have
|
||||
already existed in the world. The systems have an ability to notify a change
|
||||
in cloud services just after a change occurs. And then these monitoring systems
|
||||
can detect many kind of changes in cloud services that Congress can't do.
|
||||
|
||||
Congress should retrieve the notification as a DataSource since it helps
|
||||
Congress to calculate a policy violation faster than now and also enables
|
||||
us to define varied policies and rules.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Following changes are proposed in the BP.
|
||||
|
||||
1. Create PollingDataSourceDriver and PushedDataSourceDriver class. Current
|
||||
|
||||
DataSourceDriver has 2 features. One is converting data to datasource table
|
||||
and sending it to Policy Engine. Another is polling data from datasource.
|
||||
We should separate the polling feature into another class that is subclass
|
||||
of DataSourceDriver named PollingDataSourceDriver. And we create
|
||||
PushedDataSourceDriver, which is subclass of DataSourceDriver and receives
|
||||
data from a monitoring system.
|
||||
|
||||
2. Create HttpReceiverDriver subclass or OsloMsgReceiverDriver subclass
|
||||
|
||||
Both Drivers are a subclass of PushedDataSourceDriver and receive
|
||||
datasource info by the protocol the class name has. DataSourceDriver has
|
||||
to keep datasource status in itself, so the classes will support 2 types
|
||||
of a data receiving method. One is receiving all status data each push
|
||||
time. Another is receiving only delta data that represents which row is
|
||||
deleted or added in the status like REST API.
|
||||
|
||||
First of all, the BP chooses and implements one of them based on an usecase,
|
||||
which needs to use PushedDatasourceDriver.
|
||||
|
||||
There are some restrictions as a first implementation.
|
||||
|
||||
* Table definitions
|
||||
|
||||
Ideally speaking, PushedDataSourceDriver should allow admin to change a
|
||||
datasource name, table name, schema and so on by Congress API.
|
||||
PushedDataSourceDriver defines the protocol name as a datasource name in
|
||||
first implementation. Then the admin can define a translator in another
|
||||
python file. In the current architecture, the path is set by 'config' key
|
||||
in a call for create datasource API. In the distributed architecture, the
|
||||
path is set by a config file for each datasource driver.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
The alternative is that Congress allows admin to add and delete a row by API
|
||||
calls. The API is a REST API, so the benefit is that both create and delete
|
||||
methods are already developed in itself. However, the way has following
|
||||
bad points. First is all request needs an authentication to push data. It
|
||||
means all datasource have to be related to keystone authority. Second is
|
||||
it's not easy to divide a network segmentation based on each API's purpose.
|
||||
If Congress enables API to retrieve datasource, the datasource receiver is
|
||||
exposed to user.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
Example: define a table that shows service name related to host's failures
|
||||
detected by monitoring system.
|
||||
|
||||
Assumption: monitoring system pushes data by http. col_1 represents name of
|
||||
a host where the monitoring system detects
|
||||
some failure. col_2 represents a failure type.
|
||||
|
||||
host_failures(host):-
|
||||
http:table(col_1=host, col_2="nic_error")
|
||||
|
||||
host_failures(host):-
|
||||
http:table(col_1=host, col_2="disk_error")
|
||||
|
||||
failure_effected_service(service, host) :-
|
||||
nova:service(host_name=host, service=service),
|
||||
host_failures(host=host)
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Add new datasource model and table.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
N/A
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Creating new datasource name, table name and table schema by API is a future
|
||||
work. It means this feature is out of scope for this BP.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
It enables others to push datasource row into the datasource driver. It would
|
||||
cause undesired policy violation if malicious users send data on purpose.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
PushedDataSourceDriver notifies a status change when it receives a change from
|
||||
a monitoring system. If the system frequently sends a notification, it would
|
||||
make Congress busy with calculating policy table.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
* Add a config for column number
|
||||
* Disable the PushedDataSourceDriver in default because of a reason described
|
||||
in Security Impact section
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
muroi-masahito
|
||||
|
||||
Other contributors:
|
||||
None
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
0. Create PollingDataSourceDriver subclass and pull out methods related to
|
||||
polling from DataSourceDriver class into the new Driver
|
||||
1. Create PushedDataSourceDriver subclass
|
||||
2. Create HttpReceiverDriver or OsloMsgReceiverDriver
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Add unit tests related to new class
|
||||
* Add tempest scenario tests which use pushed data in rules if possible
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
DataSource list will be updated if the list is described in docs.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Tokyo Summit discussion: https://etherpad.openstack.org/p/congress-mitaka-external
|
|
@ -1,208 +0,0 @@
|
|||
..
|
||||
|
||||
==========================================
|
||||
Policy Support for Unknown Table Schemas
|
||||
==========================================
|
||||
|
||||
The new distributed architecture requires the policy engine to
|
||||
handle the case when the schema for some datasource drivers are
|
||||
unknown. Today the policy engine assumes the schemas for all
|
||||
datasource drivers are known at load-time. This spec outlines
|
||||
a mechanism for supporting unknown schemas.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
For the new distributed architecture, the policy engine will not know
|
||||
the schema for all the datasources at the time rules are loaded from the
|
||||
database. This is currently problematic because column-references are
|
||||
compiled away at the time rules are loaded from the database, and that
|
||||
compilation procedure requires the schema. Thus in the new architecture,
|
||||
the policy engine will crash when it tries to load policy rules that
|
||||
contain column references.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
The fix to this problem is to enable the policy engine to load rules
|
||||
that include column references without compiling away those column references.
|
||||
That is, the main reason to compile away column references is that the
|
||||
internal datastructures for representing rules cannot represent those
|
||||
column references natively, and hence, the column references must be
|
||||
removed at load-time. The first task is to extend the internal
|
||||
datastructures in compile.py so they can represent named-columns.
|
||||
|
||||
The second reason column references get compiled away is that they cannot
|
||||
be evaluated (even semantically) without the schema. The second task
|
||||
is to extend the run-time capabilities of the policy engine so that
|
||||
rules can be disabled without being deleted. A disabled rule will
|
||||
be completely hidden from the evaluation engine when answering queries
|
||||
yet will still be visible but marked as "disabled" when users view
|
||||
the rules.
|
||||
|
||||
Every time a new rule is inserted, if its schema is unknown, that
|
||||
rule must be disabled. Moreover, every rule using a table dependent
|
||||
on the table in the head of that rule must be disabled. Similarly
|
||||
for deletion except that deletion can cause other rules to be enabled.
|
||||
|
||||
Every time the schema changes, all rules impacted by that schema
|
||||
change should be checked for consistency, and disabled rules
|
||||
must be enabled once all schemas are known. Once a rule
|
||||
is enabled, the column references are compiled away.
|
||||
|
||||
If a 2nd schema arrives (unequal to the first), the policy engine
|
||||
must check for consistency and recompile any rules whose schema
|
||||
may have changed.
|
||||
|
||||
For example, if the following rule is inserted before the schemas
|
||||
for nova-servers and neutron-networks is known, the rule will
|
||||
be disabled since it has column references.
|
||||
|
||||
p(x, z) :- nova:servers(id=x, network=y), neutron:networks(id=y, status=z)
|
||||
|
||||
Then when the nova schema becomes known this rule is validated
|
||||
against that schema but is not enabled because the neutron schema
|
||||
is unknown.
|
||||
|
||||
Finally when the neutron schema becomes known, the column references
|
||||
are compiled away and the rule is officially enabled.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Instead of disabling rules, another option is to modify the
|
||||
evaluation engine to do a best-effort query evaluation. The evaluation
|
||||
algorithms themselves would know about column-references, and would
|
||||
attempt to operate even if the schema was unknown.
|
||||
|
||||
The downside to this alternative is that the rules are actually
|
||||
semantically ambiguous, and hence the result of evaluation has
|
||||
unknown semantic value.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
N/A
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No database modifications are required.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
The Rule object will have an additional boolean field representing whether
|
||||
or not the rule is disabled.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Rule inserts could now be slower since if the rule inserted gets disabled,
|
||||
that could cause many other rules to be disabled.
|
||||
|
||||
Rule deletions likewise could cause many policy rules to be enabled.
|
||||
|
||||
Schema updates are expensive because the policy engine must do consistency
|
||||
checks on all rules that are relevant, and potentially re-compile rules.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
N/A
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
thinrichs
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
|
||||
1. Modify compile.py datastructures to natively represent column
|
||||
references. Include a 'disabled' flag.
|
||||
2. Modify query evaluation engine to ignore disabled rules
|
||||
3. Modify triggers to ignore disabled tables
|
||||
4. Enable/disable rules on insert/delete/set-schema
|
||||
- Write dependency analysis routine to compute the rules/tables
|
||||
that are disabled once a given table is disabled.
|
||||
Likely to need a datastructure that tracks disabled tables.
|
||||
- Modify update routine to do schema check and enable/disable rules
|
||||
as appropriate using the dependency analysis.
|
||||
- Modify set-schema to appropriately enable/disable rules
|
||||
May want to add field to rules that say which tables the compilation
|
||||
was dependent on.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit test coverage should be mostly adequate.
|
||||
|
||||
Only real need for tempest tests would be testing the startup of Congress,
|
||||
but that is not supported with tempest.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
N/A
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
The need for this spec was discussed at the Liberty Midcycle Sprint.
|
||||
https://etherpad.openstack.org/p/congress-liberty-sprint
|
||||
|
||||
|
|
@ -1,746 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
=====================================================
|
||||
Support high availability, high throughput deployment
|
||||
=====================================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/high-availability-design
|
||||
|
||||
Some applications require Congress to be highly available (HA). Some
|
||||
applications require a Congress policy engine to handle a high volume of
|
||||
queries (high throughput - HT). This proposal describes how we can support
|
||||
several deployment schemes that address several HA and HT requirements.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
This spec aims to address three main problems:
|
||||
|
||||
1. Congress is not currently able to provide high query throughput because
|
||||
all queries are handled by a single, single-threaded policy engine instance.
|
||||
2. Congress is not currently able to failover quickly when its policy engine
|
||||
becomes unavailable.
|
||||
3. If the policy engine and a push datasource driver both crash, Congress is
|
||||
not currently able to restore the latest data state upon restart or
|
||||
failover.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Implement the required code changes and create deployment guides for the
|
||||
following reference deployments.
|
||||
|
||||
Warm standby for all Congress components in single process
|
||||
----------------------------------------------------------
|
||||
|
||||
- Downtime: ~1 minute (start a new Congress instance and ingest data from
|
||||
scratch)
|
||||
- Reliability: action executions may be lost during downtime.
|
||||
- Performance considerations: uniprocessing query throughput
|
||||
- Code changes: minimal
|
||||
|
||||
Active-active PE replication, DSDs warm-standby
|
||||
----------------------------------------------------
|
||||
|
||||
Run N instances of Congress policy engine in active-active configuration. One
|
||||
datasource driver per physical datasource published data on oslo-messaging to
|
||||
all policy engines.
|
||||
|
||||
::
|
||||
|
||||
+-------------------------------------+ +--------------+
|
||||
| Load Balancer (eg. HAProxy) | <----+ Push client |
|
||||
+----+-------------+-------------+----+ +--------------+
|
||||
| | |
|
||||
PE | PE | PE | all+DSDs node
|
||||
+---------+ +---------+ +---------+ +-----------------+
|
||||
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
|
||||
| | API | | | | API | | | | API | | | | DSD | | DSD | |
|
||||
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
|
||||
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
|
||||
| | PE | | | | PE | | | | PE | | | | DSD | | DSD | |
|
||||
| +-----+ | | +-----+ | | +-----+ | | +-----+ +-----+ |
|
||||
+---------+ +---------+ +---------+ +--------+--------+
|
||||
| | | |
|
||||
| | | |
|
||||
+--+----------+-------------+--------+--------+
|
||||
| |
|
||||
| |
|
||||
+-------+----+ +------------------------+-----------------+
|
||||
| Oslo Msg | | DBs (policy, config, push data, exec log)|
|
||||
+------------+ +------------------------------------------+
|
||||
|
||||
|
||||
- Downtime: < 1s for queries, ~2s for reactive enforcement
|
||||
- Deployment considerations:
|
||||
|
||||
- Cluster manager (eg. Pacemaker + Corosync) can be used to manage warm
|
||||
standby
|
||||
- Does not require global leader election
|
||||
- Performance considerations:
|
||||
|
||||
- Multi-process, multi-node query throughput
|
||||
- No redundant data-pulling load on datasources
|
||||
- DSDs node separate from PE, allowing high load DSDs to operate more
|
||||
smoothly and avoid affecting PE performance.
|
||||
- PE nodes are symmetric in configuration, making it easy to load balance
|
||||
evenly.
|
||||
|
||||
- Code changes:
|
||||
|
||||
- New synchronizer and harness to support two different node types:
|
||||
API+PE node and all-DSDs node
|
||||
|
||||
Details
|
||||
###########################################################################
|
||||
|
||||
- Datasource drivers (DSDs):
|
||||
|
||||
- One datasource driver per physical datasource.
|
||||
- All DSDs run in a single DSE node (process)
|
||||
- Push DSDs: optionally persist data in push data DB, so a new snapshot can
|
||||
be obtained whenever needed.
|
||||
|
||||
- Policy engine (PE):
|
||||
|
||||
- Replicate policy engine in active-active configuration.
|
||||
- Policy synchronized across PE instances via Policy DB
|
||||
- Every instance subscribes to the same data on oslo-messaging.
|
||||
- Reactive enforcement:
|
||||
All PE instances initiate reactive policy actions, but each DSD locally
|
||||
selects a "leader" to "listen to". The DSD ignores execution requests
|
||||
initiated by all other PE instances.
|
||||
|
||||
- Every PE instance computes the required reactive enforcement actions and
|
||||
initiate the corresponding execution requests over oslo-messaging.
|
||||
- Each DSD locally picks PE instance as leader (say the first instance the
|
||||
DSD hears from in the asymmetric node deployment, or the PE instance on
|
||||
the same node as the DSD in a symmetric node deployment) and executes
|
||||
only requests from that PE.
|
||||
- If heartbeat contact is lost with the leader, the DSD selects a new
|
||||
leader.
|
||||
- Each PE instance is unaware of whether it is a "leader"
|
||||
|
||||
- API:
|
||||
|
||||
- Each node has an active API service
|
||||
- Each API service routes requests for PE to its associated intranode PE
|
||||
- Requests for any other service(eg. get data source status) are routed to
|
||||
DSE2, which will be fielded by some active instance of the service on some
|
||||
node
|
||||
- Details:
|
||||
- in API models, replace every invoke_rpc with a conditional:
|
||||
|
||||
- if the target is policy engine, target same-node PE
|
||||
eg.::
|
||||
self.invoke_rpc(
|
||||
caller, 'get_row_data', args, server=self.node.pe.rpc_server)
|
||||
|
||||
- otherwise, invoke_rpc stays as is, routing to DSE2
|
||||
eg.::
|
||||
self.invoke_rpc(caller, 'get_row_data', args)
|
||||
|
||||
- Load balancer:
|
||||
|
||||
- Layer 7 load balancer (e.g. HAProxy) distributes incoming API calls among
|
||||
the nodes (each running API service).
|
||||
- load balancer optionally configured to use sticky session to pin each API
|
||||
caller to a particular node. This configuration avoids the experience of
|
||||
going back in time.
|
||||
|
||||
- External components (load balancer, DBs, and oslo messaging bus) can be made
|
||||
highly available using standard solutions (e.g. clustered LB, Galera MySQL
|
||||
cluster, HA rabbitMQ)
|
||||
|
||||
|
||||
Dealing with missed actions during failover
|
||||
###########################################################################
|
||||
|
||||
When a leader fails (global or local), it takes time for the failure to be
|
||||
detected and a new leader anointed. During the failover, reactive enforcement
|
||||
actions expected to be triggered would be missed. Four proposed approaches
|
||||
are discussed below.
|
||||
|
||||
- Tolerate missed actions during failover: for same applications, it may be
|
||||
acceptable to miss actions during failover.
|
||||
|
||||
- Re-execute recent actions after failover
|
||||
|
||||
- Each PE instance remembers its recent action requests (including the
|
||||
requests a follower PE computed but did not send)
|
||||
- On failover, the DSD requests the recent action requests from the new
|
||||
leader and executes them (within a certain recency window)
|
||||
- Duplicate execution expected on failover.
|
||||
- Re-execute recent unmatched actions after failover (possible future work)
|
||||
|
||||
- We can reduce the number of duplicate executions on failover by attempting
|
||||
to match a new leader's recent action requests with the already executed
|
||||
requests, and only additionally executing those unmatched.
|
||||
- DSD logs all recent successfully executed action requests in DB
|
||||
- Request matching can be done by a combination of the following information:
|
||||
|
||||
- the action requested
|
||||
- the timestamp of the request
|
||||
- the sequence number of the data update that triggered the action
|
||||
- the full derivation tree that triggers the action
|
||||
- Matching is imperfect, but still helpful
|
||||
|
||||
- Log and replay data updates (possible future work)
|
||||
|
||||
- Log every data update from every data source, and let a new leader replay
|
||||
the updates where the previous leader left off to generate the needed
|
||||
action requests.
|
||||
- The logging can be directly supported by transport or by additional DB
|
||||
|
||||
- kafka naturally supports this model
|
||||
- hard to do directly with oslo-messaging + RabbitMQ
|
||||
|
||||
- Leaderless de-duplication (possible future work)
|
||||
|
||||
- If a very good matching method is implemented for re-execution for recent
|
||||
unmatched actions after failover, it is possible to go one stop further
|
||||
and simply operate in this mode full time.
|
||||
- Each incoming action request is matched against all recently executed
|
||||
action requests.
|
||||
|
||||
- Discard if matched.
|
||||
- Execute if unmatched.
|
||||
- Eliminates the need for selecting leader (global or local) and improves
|
||||
failover speed
|
||||
|
||||
We propose to focus first on supporting the first two options
|
||||
(deployers' choice). The more complex options may be implemented and supported
|
||||
in future work.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
We first discuss the main decision points before detailing several alternative
|
||||
deployments.
|
||||
|
||||
For active-active replication of the PE, here are the main decision points:
|
||||
|
||||
A. node configurations
|
||||
|
||||
- Options:
|
||||
|
||||
1. single node-type (every node has API+PE+DSDs).
|
||||
2. two node-types (API+PE nodes, all-DSDs node). [proposed target]
|
||||
3. many node-types (API+PE nodes, all DSDs in separate nodes).
|
||||
|
||||
- Discussions: The many node-types configuration is most flexible and has
|
||||
the best support for high-load DSDs, but it also requires the most work to
|
||||
dev and to deploy.
|
||||
We propose to target the two node-types configuration because it gives
|
||||
reasonable support for high-load DSDs while keeping both the development
|
||||
and the deployment complexities low.
|
||||
|
||||
B. global vs local leader for action execution
|
||||
|
||||
- Options:
|
||||
|
||||
1. global leader: Pacemaker anoints a global leader among PE instances;
|
||||
only the leader sends action-execution requests.
|
||||
2. local leader: every PE instance sends action-execution requests, but
|
||||
each receiving DSD locally picks a "leader" to listen to.
|
||||
[proposed target]
|
||||
|
||||
- Discussions: Because there is a single active DSD for a given data source,
|
||||
it is a natural spot to locally choose a "leader" among the PE instances
|
||||
sending reactive enforcement action execution requests.
|
||||
We propose to target the local leader style because it avoids the
|
||||
development and deployment complexities associated with global leader
|
||||
election.
|
||||
Furthermore, because all PE instances perform reactive enforcement and send
|
||||
action execution requests, the redundancy opens up the possibility for
|
||||
zero disruption to reactive enforcement when a PE intance fails.
|
||||
|
||||
C. DSD redundancy
|
||||
|
||||
- Options:
|
||||
|
||||
1. warm standby: only one set of DSDs running at a given time; backup
|
||||
instances ready to launch.
|
||||
2. hot standby: multiple instances running, but only one set is active.
|
||||
3. active-active: multiple instances active.
|
||||
|
||||
- Discussions:
|
||||
|
||||
- For pull DSDs, we propose to target warm standby seems most appropriate
|
||||
because warm startup time is low (seconds) relative to frequency of data
|
||||
pulls.
|
||||
- For push DSDs, warm standby is generally sufficient except for use cases
|
||||
that demand sub-second latency even during a failover. Those use cases
|
||||
would require active-active replication of the push DSDs. But even with
|
||||
active-active replication of push DSDs, other unsolved issues in
|
||||
action-execution prevent us from delivering sub-second end-to-end latency
|
||||
(push data to triggered action executed) during failover (see leaderless
|
||||
de-duplication approach for sub-second action execution failover).
|
||||
Since we cannot yet realize the benefit of active-active replication of
|
||||
push DSDs, we propose to target a warm-standby deployment, leaving
|
||||
active-active replication as potential future work.
|
||||
|
||||
Active-active PE replication, DSDs hot-standby, all components in one node
|
||||
###########################################################################
|
||||
|
||||
Run N instances of single-process Congress.
|
||||
|
||||
One instance is selected as leader by Pacemaker. Only the leader has active
|
||||
datasource drivers (which pull data, accept push data, and accept RPC calls
|
||||
from the API service), but all instances subscribes to and processes data on
|
||||
oslo-messaging. Queries are load balanced among instances.
|
||||
|
||||
::
|
||||
|
||||
+-----------------------------------------------------------------------+
|
||||
| Load Balancer (eg. HAProxy) |
|
||||
+----+------------------------+------------------------+----------------+
|
||||
| | |
|
||||
| leader | follower | follower
|
||||
+---------------------+ +---------------------+ +---------------------+
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| | API | |DSD (on) | | | | API | |DSD (off)| | | | API | |DSD (off)| |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| | PE | |DSD (on) | | | | PE | |DSD (off)| | | | PE | |DSD (off)| |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
+---------------------+ +---------------------+ +---------------------+
|
||||
| | |
|
||||
| | |
|
||||
+---------+--------------+-------------------+----+
|
||||
| |
|
||||
| |
|
||||
+--------------+-----------+ +--------------------+---------------------+
|
||||
| Oslo Msg | | DBs (policy, config, push data, exec log)|
|
||||
+--------------------------+ +------------------------------------------+
|
||||
|
||||
|
||||
|
||||
- Downtime: < 1s for queries, ~2s for reactive policy
|
||||
- Deployment considerations:
|
||||
|
||||
- Requires cluster manager (Pacemaker) and cluster messaging (Corosync)
|
||||
- Relatively simple Pacemaker deployment because every node is identical
|
||||
- Requires leader election (handled by Pacemaker+Corosync)
|
||||
- Easy to start new DSD (make API call, all instances sync via DB)
|
||||
- Performance considerations:
|
||||
|
||||
- [Pro] Multi-process query throughput
|
||||
- [Pro] No redundant data-pulling load on datasources
|
||||
- [Con] If some data source drivers have high demand (say telemetry data),
|
||||
performance may suffer when deployed in the same python process as other
|
||||
Congress components.
|
||||
- [Con] Because the leader has the added load of active DSDs, PE performance
|
||||
may be reduced, making it harder to evenly load balance across instances.
|
||||
- Code changes:
|
||||
|
||||
- Add API call to designate a node as leader or follower
|
||||
- Custom resource agent that allows Pacemaker to start, stop, promote, and
|
||||
demote Congress instances
|
||||
|
||||
Details
|
||||
++++++++++++++
|
||||
|
||||
- Pull datasource drivers (pull DSD):
|
||||
|
||||
- One active datasource driver per physical datasource.
|
||||
- Only leader node has active DSDs (active polling loop and active
|
||||
RPC server)
|
||||
- On node failure, new leader node activates DSDs.
|
||||
|
||||
- Push datasource drivers (push DSD):
|
||||
|
||||
- One active datasource driver per physical datasource.
|
||||
- Only leader node has active DSDs (active RPC server)
|
||||
- On node failure, new leader node activates DSDs.
|
||||
- Persist data in push data DB, so a new snapshot can be obtained.
|
||||
|
||||
- Policy engine (PE):
|
||||
|
||||
- Replicate policy engine in active-active configuration.
|
||||
- Policy synchronized across PE instances via Policy DB
|
||||
- Every instance subscribes to the same data on oslo-messaging.
|
||||
- Reactive enforcement: See later section "Reactive enforcement architecture
|
||||
for active-active deployments"
|
||||
|
||||
- API:
|
||||
|
||||
- Add new API calls for designating the receiving node as leader or follower.
|
||||
The call must complete all tasks before returning (eg. start/stop RPC)
|
||||
- Each node has an active API service
|
||||
- Each API service routes requests for PE to its associated intranode PE,
|
||||
bypassing DSE2.
|
||||
- Requests for any other service(eg. get data source status) are routed to
|
||||
DSE2, which will be fielded by some active instance of the service on some
|
||||
node
|
||||
- Details:
|
||||
- in API models, replace every invoke_rpc with a conditional:
|
||||
|
||||
- if the target is policy engine, target same-node PE
|
||||
eg.::
|
||||
self.invoke_rpc(
|
||||
caller, 'get_row_data', args,
|
||||
server=self.node.pe.rpc_server)
|
||||
|
||||
- otherwise, invoke_rpc stays as is, routing to DSE2
|
||||
eg.::
|
||||
self.invoke_rpc(caller, 'get_row_data', args)
|
||||
|
||||
- Load balancer:
|
||||
|
||||
- Layer 7 load balancer (e.g. HAProxy) distributes incoming API calls among
|
||||
the nodes (each running API service).
|
||||
- load balancer optionally configured to use sticky session to pin each API
|
||||
caller to a particular node. This configuration avoids the experience of
|
||||
going back in time.
|
||||
|
||||
- Each DseNode is monitored and managed by a cluster manager (eg. Pacemaker)
|
||||
- External components (load balancer, DBs, and oslo messaging bus) can be made
|
||||
highly available using standard solutions (e.g. clustered LB, Galera MySQL
|
||||
cluster, HA rabbitMQ)
|
||||
|
||||
- Global leader election with Pacemaker:
|
||||
|
||||
- A resource agent contains the scripts that tells a Congress instance it is
|
||||
a leader or follower.
|
||||
- Pacemaker decides which Congress instance to promote to leader (master).
|
||||
- Pacemaker promotes (demotes) the appropriate Congress instance to leader
|
||||
(follower) via the resource agent.
|
||||
- Fencing:
|
||||
|
||||
- If the leader node stops responding, and a new node is promoted to
|
||||
leader, it is possible that the unresponsive node is still doing work
|
||||
(eg. listening on oslo-messaging, issuing action requests).
|
||||
- It is generally not a catastrophe if for a time there is more than one
|
||||
Congress node doing the work of a leader. (Potential effects may include:
|
||||
duplicate action requests and redundant data source pulls)
|
||||
- Pacemaker can be configured with strict fencing and STONITH for
|
||||
deployments that require it. (deployers' choice)
|
||||
http://clusterlabs.org/doc/en-US/Pacemaker/1.1/html-single/Pacemaker_Explained/#_what_is_stonith
|
||||
|
||||
- In case of network partitions:
|
||||
|
||||
- Pacemaker can be configured to stop each node that is not part of a
|
||||
cluster reaching quorum, or to allow each partition to continue
|
||||
operating. (deployers' choice)
|
||||
http://clusterlabs.org/doc/en-US/Pacemaker/1.0/html/Pacemaker_Explained/s-cluster-options.html
|
||||
|
||||
Active-active PE replication, DSDs warm-standby, each DSD in its own node
|
||||
###########################################################################
|
||||
|
||||
Run N instances of Congress policy engine in active-active configuration. One
|
||||
datasource driver per physical datasource published data on oslo-messaging to
|
||||
all policy engines.
|
||||
|
||||
::
|
||||
|
||||
+-------------------------------------+
|
||||
| Load Balancer (eg. HAProxy) |
|
||||
+----+-------------+-------------+----+
|
||||
| | |
|
||||
| | |
|
||||
+---------+ +---------+ +---------+
|
||||
| +-----+ | | +-----+ | | +-----+ |
|
||||
| | API | | | | API | | | | API | |
|
||||
| +-----+ | | +-----+ | | +-----+ |
|
||||
| +-----+ | | +-----+ | | +-----+ |
|
||||
| | PE | | | | PE | | | | PE | |
|
||||
| +-----+ | | +-----+ | | +-----+ |
|
||||
+---------+ +---------+ +---------+
|
||||
| | |
|
||||
| | |
|
||||
+------------------------------------------+-----------------+
|
||||
| | | | |
|
||||
| | | | |
|
||||
+----+-------------+-------------+---+ +-------+--------+ +-----+-----+
|
||||
| Oslo Msg | | Push Data DB | | DBs |
|
||||
+----+-------------+-------------+---+ ++---------------+ +-----------+
|
||||
| | | | (DBs may be combined)
|
||||
+----------+ +----------+ +----------+
|
||||
| +------+ | | +------+ | | +------+ |
|
||||
| | Poll | | | | Poll | | | | Push | |
|
||||
| | Drv | | | | Drv | | | | Drv | |
|
||||
| | DS 1 | | | | DS 2 | | | | DS 3 | |
|
||||
| +------+ | | +------+ | | +------+ |
|
||||
+----------+ +----------+ +----------+
|
||||
| | |
|
||||
+---+--+ +---+--+ +---+--+
|
||||
| | | | | |
|
||||
| DS 1 | | DS 2 | | DS 3 |
|
||||
| | | | | |
|
||||
+------+ +------+ +------+
|
||||
|
||||
- Downtime: < 1s for queries, ~2s for reactive policy
|
||||
- Deployment considerations:
|
||||
|
||||
- Requires cluster manager (Pacemaker) and cluster messaging (Corosync)
|
||||
- More complex Pacemaker deployment because there are many different
|
||||
kinds of nodes
|
||||
- Does not require global leader election (but that's not a big saving if
|
||||
we're running Pacemaker+Corosync anyway)
|
||||
- Performance considerations:
|
||||
|
||||
- [Pro] Multi-process query throughput
|
||||
- [Pro] No redundant data-pulling load on datasources
|
||||
- [Pro] Each DSD can run in its own node, allowing high load DSDs to operate
|
||||
more smoothly and avoid affecting PE performance.
|
||||
- [Pro] PE nodes are symmetric in configuration, making it easy to load
|
||||
balance evenly.
|
||||
|
||||
- Code changes:
|
||||
|
||||
- New synchronizer and harness and DB schema to support per node
|
||||
configuration
|
||||
|
||||
Hot standby for all Congress components in single process
|
||||
###########################################################################
|
||||
|
||||
Run N instances of single-process Congress, as proposed in:
|
||||
https://blueprints.launchpad.net/congress/+spec/basic-high-availability
|
||||
|
||||
A floating IP points to the primary instance which handles all queries and
|
||||
requests, failing over when primary instance is down.
|
||||
All instances ingest and process data to stay up to date.
|
||||
|
||||
::
|
||||
|
||||
+---------------+
|
||||
| Floating IP | - - - - - - + - - - - - - - - - - - -+
|
||||
+----+----------+ | |
|
||||
|
|
||||
| | |
|
||||
+---------------------+ +---------------------+ +---------------------+
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| | API | | DSD | | | | API | | DSD | | | | API | | DSD | |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| | PE | | DSD | | | | PE | | DSD | | | | PE | | DSD | |
|
||||
| +-----+ +---------+ | | +-----+ +---------+ | | +-----+ +---------+ |
|
||||
| +-----------------+ | | +-----------------+ | | +-----------------+ |
|
||||
| | Oslo Msg | | | | Oslo Msg | | | | Oslo Msg | |
|
||||
| +-----------------+ | | +-----------------+ | | +-----------------+ |
|
||||
+---------------------+ +---------------------+ +---------------------+
|
||||
| | |
|
||||
| | |
|
||||
+----------+------------------------+----------------------+------------+
|
||||
| Databases |
|
||||
+-----------------------------------------------------------------------+
|
||||
|
||||
|
||||
- Downtime: < 1s for queries, ~2s for reactive policy
|
||||
- Feature limitations:
|
||||
|
||||
- Limited support for action execution: each action execution is triggered
|
||||
N times)
|
||||
- Limited support for push drivers: push updates only primary instance
|
||||
(optional DB-sync to non-primary instances)
|
||||
|
||||
- Deployment considerations:
|
||||
|
||||
- Very easy to deploy. No need for cluster manager. Just start N independent
|
||||
instances of Congress (in-process messaging) and setup floating IP.
|
||||
- Performance considerations:
|
||||
|
||||
- Performance characteristics similar to single-instance Congress
|
||||
- [Con] uniprocessing query throughput (optional load balancer can be added
|
||||
to balance queries between instances)
|
||||
- [Con] Extra load on data sources from replicated data source drivers
|
||||
pulling same data N times
|
||||
- Code changes:
|
||||
|
||||
- (optional) DB-sync of pushed data to non-primary instances
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Not applicable
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Not applicable
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Not applicable
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No impact
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
No impact
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
No major security impact identified compared to a non-HA distributed
|
||||
deployment.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
No impact
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Proposed changes generally transparent to end user. Some exceptions:
|
||||
|
||||
- Different PE instances may be out-of-sync in their data and policies
|
||||
(eventual consistency). The issue is generally made transparent to the end
|
||||
user by making each user sticky to a particular PE instance. But if
|
||||
a PE instance goes down, the end user reaches a different instance and may
|
||||
experience out-of-sync artifacts.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
- In single node deployment, there is generally no performance impact.
|
||||
- Increased latency due to network communication required by multi-node
|
||||
deployment
|
||||
- Increased reactive enforcement latency if action executions are persistently
|
||||
logged to facilitate smoother failover
|
||||
- PE replication can achieve greater query throughput
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
- New config settings:
|
||||
|
||||
- set DSE node type to one of the following:
|
||||
|
||||
- PE+API node
|
||||
- a DSDs node
|
||||
- all-in-one node (backward compatible default)
|
||||
|
||||
- set reactive enforcement failover strategy:
|
||||
|
||||
- do not attempt to recover missed actions (backward compatible default)
|
||||
- after failover, repeat recent action requests
|
||||
- after failover, repeat recent action requests not matched to logged
|
||||
executions
|
||||
|
||||
- Proposed changes have no impact on existing single-node deployments.
|
||||
100% backward compatibility expected.
|
||||
- Changes only have effect if deployer chooses to set up a multi-node
|
||||
deployment with the appropriate configs.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
No major impact identified.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Work to be assigned and tracked via launchpad.
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Items with order dependency:
|
||||
|
||||
1. API routing.
|
||||
Change API routing to support active-active PE replication, routing PE-bound
|
||||
RPCs to the PE instance on the same node as the receiving API server.
|
||||
Changes expected to be confined to congress/api/*
|
||||
2. Reactive enforcement.
|
||||
Change datasource_driver.py:ExecutionDriver class to handle action execution
|
||||
requests from replicated PE-nodes (locally choose leader to follow)
|
||||
3. (low priority) Missed actions mitigation.
|
||||
|
||||
- Implement changes to mitigate missed actions during DSD failover
|
||||
- Implement changes to mitigate missed actions during PE failover
|
||||
|
||||
Items without dependency:
|
||||
|
||||
- Push data persistence.
|
||||
Change datasource_driver.py:PushedDataSourceDriver class to support
|
||||
persistence of pushed data. Corresponding DB changes also needed.
|
||||
- (potential) Leaderless de-duplication of action execution requests.
|
||||
- HA guide.
|
||||
Create HA guide sketching the properties and trade-offs of each different
|
||||
deployment types.
|
||||
- Deployment guide.
|
||||
Create deployment guide for active-active PE replication
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
- Requires Congress to support distributed deployment (for example with policy
|
||||
engine and datasource drivers on separate DseNodes.) Distributed deployment
|
||||
has been addressed by several implemented blueprints. The following patch is
|
||||
expected to be the final piece required.
|
||||
https://review.openstack.org/#/c/307693/
|
||||
- This spec does not introduce any new code of library dependencies.
|
||||
- In line with OpenStack recommendation
|
||||
(http://docs.openstack.org/ha-guide/controller-ha-pacemaker.html), some
|
||||
reference deployments use open source software outside of OpenStack:
|
||||
- HAProxy: http://www.haproxy.org
|
||||
- Pacemaker: http://clusterlabs.org/wiki/Pacemaker
|
||||
- Corosync: http://corosync.github.io/corosync/
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
We propose to add tempest tests for the following scenarios:
|
||||
- Up to (N - 1) PE-nodes killed
|
||||
- Previously killed PE-nodes rejoin.
|
||||
- Kill and restart DSDs-node, possibly at the same time PE-nodes are killed.
|
||||
|
||||
Split brain scenarios can be manually tested.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Deployment guide to be added for each supported reference deployment. No impact
|
||||
on existing documentation.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
- IRC discussion on major design decisions (#topic HA design):
|
||||
http://eavesdrop.openstack.org/meetings/congressteammeeting/2016/congressteammeeting.2016-06-09-00.04.log.txt
|
||||
- Notes from summit session:
|
||||
https://etherpad.openstack.org/p/newton-congress-availability
|
||||
- OpenStack HA guide:
|
||||
http://docs.openstack.org/ha-guide/controller-ha-pacemaker.html
|
||||
- HAProxy documentation:
|
||||
http://www.haproxy.org/#docs
|
||||
- Pacemaker documentation:
|
||||
|
||||
- directory: http://clusterlabs.org/doc/
|
||||
- Cluster from scratch:
|
||||
http://clusterlabs.org/doc/en-US/Pacemaker/1.1-pcs/html/Clusters_from_Scratch/index.html
|
||||
- Configuration explained:
|
||||
http://clusterlabs.org/doc/en-US/Pacemaker/1.1-pcs/html/Pacemaker_Explained/index.html
|
||||
|
||||
- OCF resource agents:
|
||||
http://www.linux-ha.org/wiki/OCF_Resource_Agents
|
|
@ -1,249 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
============================
|
||||
Selectability for Translator
|
||||
============================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/selectable-translator
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
DataSource Driver creates all translator and publishes its schema when
|
||||
it's initialized. If the driver is one of polling driver, it polls data
|
||||
of all translator from related services, even though any policy rules don't
|
||||
use the schema. The behavior causes performance issues when an unnecessary
|
||||
translator takes a long time to fetch data from related service.
|
||||
|
||||
Admin can choose which DataSource Driver they use or don't use by configuring
|
||||
congress.conf and creating DataSource by API. On the other hands, there is
|
||||
no way for admin to choose which translator in the created DataSource publishes
|
||||
their schema. So when the update frequency of an unnecessary translator is
|
||||
high, the issue described above also happens.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
This BP proposes a new feature that admin can set *lazy* to polling
|
||||
data from services until other service requires schema of the datasource.
|
||||
The issue described above doesn't happen in the usual case. So datasources
|
||||
poll data for all table in default. If admin don't want a datasource to
|
||||
poll unnecessary data, they disableds polling flag of the datasource and then
|
||||
the datasource doesn't poll data if not needed.
|
||||
|
||||
Admin defines a list of lazy tables in datasource config parameter when
|
||||
he/she instantiates a new datasouce. The datasource doesn't poll data related
|
||||
to tables listed in the config value while any policy rule doesn't subscribe
|
||||
the table. If datasource notices/recieves the subscription it starts to poll
|
||||
data.
|
||||
|
||||
There are 2 possible corner cases.
|
||||
|
||||
* lazy parent translator and non-lazy child translator
|
||||
|
||||
This issue happens when parent translator is defined as a lazy but child
|
||||
translator is not defined. Each table is mapped to one translator and
|
||||
some translators have a hierarchy for extracting one pulled data to some
|
||||
tables. When admin specifies a table mapped to a child translator as a lazy
|
||||
but parent translator is not lazy, details of the issue are that the
|
||||
datasource should pull data or not.
|
||||
|
||||
In this proposal, the datasource tries to pull data. Having the hierarchy
|
||||
is depending on an implementation of the client the datasource uses. If
|
||||
the client has separeted methods for pulling both data the datasource could
|
||||
use each method.
|
||||
|
||||
* list table row API for a lazy table
|
||||
|
||||
This issue happens when user calls list table row API for a lazy table before
|
||||
any service subscribes it. The table has no data about the table and the
|
||||
datasource can't return row data. Details of the issue are that the
|
||||
datasource should pull data and return a response of row or not when user
|
||||
calls the API.
|
||||
|
||||
In this proposal, the API returns 400 Bad Request error with a message about
|
||||
the table doesn't start to poll since the table is defined as lazy. If the
|
||||
API returns a response with row data user can't recognize the table is a lazy
|
||||
and the row data is up-to-date or not.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Specifying a table that doesn't poll is one of alternatives. This allows
|
||||
admin to handle each table to poll or not. Additionally, the datasource
|
||||
doesn't pull data in not polling status even though policy rules using the
|
||||
table are defined. But it also requires admin to manage all table manually.
|
||||
It's hard to operate.
|
||||
|
||||
Enabling admin to config polling time delta for each translator is one of
|
||||
answers to resolve a polling performance issue. The good point is admin
|
||||
can write a policy rule related to the translator anytime since PolicyEngine
|
||||
has its schema. The down side, however, is policy calculation could be delayed
|
||||
since the delta is longer than in usual case.
|
||||
|
||||
Admin can set the enabled flag by config file for each translator too.
|
||||
Using config file is an easy way to disable it and has low impacts for codes.
|
||||
However, he/she have to restart DataSource everytime they want to change the
|
||||
flag.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
N/A
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
N/A
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Datasource Driver have a functionality to start/stop pull data from service.
|
||||
Datasource starts to pull ALL data in default just after initialized. If lazy
|
||||
config is specified to some tables, the datasource waits to start to pull data
|
||||
related to the tables until other service subscribes the table. And then when
|
||||
there is no subscriber for the lazy table the datasource stops to pull data.
|
||||
|
||||
There is no change from PolicyEngine perspectives.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
Datasources have a list of lazy table in its config values. Currently, all
|
||||
config values are stored in DB, so the list is also stored there.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
This proposal expands parameters of existing APIs.
|
||||
|
||||
* Define a list of lazy tables
|
||||
|
||||
* API Schema
|
||||
|
||||
POST /v1/data-sources
|
||||
|
||||
* Request Body
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"config": {
|
||||
...
|
||||
"lazy_table": "[table1-a, table-b]",
|
||||
...
|
||||
},
|
||||
...
|
||||
}
|
||||
|
||||
* Response Body
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"config": {
|
||||
...
|
||||
"lazy_table": "[table1-a, table-b]",
|
||||
...
|
||||
},
|
||||
...
|
||||
}
|
||||
|
||||
List show a datasource details
|
||||
|
||||
* API Schema
|
||||
|
||||
GET /v1/data-sources/<datasoure-id>
|
||||
|
||||
* Response Body
|
||||
|
||||
.. code-block:: javascript
|
||||
|
||||
{
|
||||
"config": {
|
||||
...
|
||||
"lazy_table": "[table1-a, table-b]",
|
||||
...
|
||||
},
|
||||
...
|
||||
}
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
N/A
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
N/A
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
As described in Problem description section, the feature is to improve
|
||||
PollingDataSource Driver. It reduces polling time and amount of sent data
|
||||
from DataSource to PolicyEngine.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
N/A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Developers who write another PollingDataSource Driver
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee:
|
||||
muroi-masahito
|
||||
|
||||
Other contributors:
|
||||
muroi-masahito
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
0. Disable polling data
|
||||
When no subscrier exists for lazy tables, PollingDataSourceDriver
|
||||
stops pulling data. And the driver starts pulling data after some
|
||||
other service start to subscribe the table.
|
||||
1. "lazy_table" config
|
||||
Subclass of PollingDataSourceDriver will have "lazy_table" key in
|
||||
its config parameter. This key is optional config.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
N/A
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
* Add unit tests related to the functionality
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
API reference will be updated based on the API changes.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
N/A
|
|
@ -1,354 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Example Spec - The title of your blueprint
|
||||
==========================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/example
|
||||
|
||||
Introduction paragraph -- why are we doing anything? A single paragraph of
|
||||
prose that operators can understand.
|
||||
|
||||
Some notes about using this template:
|
||||
|
||||
* Your spec should be in ReSTructured text, like this template.
|
||||
|
||||
* Please wrap text at 79 columns.
|
||||
|
||||
* The filename in the git repository should match the launchpad URL, for
|
||||
example a URL of: https://blueprints.launchpad.net/congress/+spec/awesome-thing
|
||||
should be named awesome-thing.rst
|
||||
|
||||
* Please do not delete any of the sections in this template. If you have
|
||||
nothing to say for a whole section, just write: None
|
||||
|
||||
* For help with syntax, see http://sphinx-doc.org/rest.html
|
||||
|
||||
* To test out your formatting, build the docs using tox, or see:
|
||||
http://rst.ninjs.org
|
||||
|
||||
* If you would like to provide a diagram with your spec, ascii diagrams are
|
||||
required. http://asciiflow.com/ is a very nice tool to assist with making
|
||||
ascii diagrams. The reason for this is that the tool used to review specs is
|
||||
based purely on plain text. Plain text will allow review to proceed without
|
||||
having to look at additional files which can not be viewed in gerrit. It
|
||||
will also allow inline feedback on the diagram itself.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* For a new feature this might be use cases. Ensure you are clear about the
|
||||
actors in each use case: End User vs Deployer
|
||||
|
||||
* For a major reworking of something existing it would describe the
|
||||
problems in that feature that are being addressed.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Here is where you cover the change you propose to make in detail. How do you
|
||||
propose to solve this problem?
|
||||
|
||||
If this is one part of a larger effort make it clear where this piece ends. In
|
||||
other words, what's the scope of this effort?
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
What other ways could we do this thing? Why aren't we using those? This doesn't
|
||||
have to be a full literature review, but it should demonstrate that thought has
|
||||
been put into why the proposed solution is an appropriate one.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Using the Congress datalog syntax, write out an example policy using
|
||||
https://wiki.openstack.org/wiki/Congress#Policy_Language
|
||||
|
||||
Example:
|
||||
|
||||
error(vm) :-
|
||||
nova:virtual_machine(vm),
|
||||
ids:ip_packet(src_ip, dst_ip),
|
||||
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
|
||||
ids:ip_blacklist(dst_ip).
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Describe the policy activities in terms of monitoring, reactive, proactive,
|
||||
and other ways to explain how the policy will implement it's desired state.
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Describe which projects and/or services the data is coming from
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
Changes which require modifications to the data model often have a wider impact
|
||||
on the system. The community often has strong opinions on how the data model
|
||||
should be evolved, from both a functional and performance perspective. It is
|
||||
therefore important to capture and gain agreement as early as possible on any
|
||||
proposed changes to the data model.
|
||||
|
||||
Questions which need to be addressed by this section include:
|
||||
|
||||
* What new data objects and/or database schema changes is this going to
|
||||
require?
|
||||
|
||||
* What database migrations will accompany this change.
|
||||
|
||||
* How will the initial set of new data objects be generated, for example if you
|
||||
need to take into account existing instances, or modify other existing data
|
||||
describe how that will work.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Each API method which is either added or changed should have the following
|
||||
|
||||
* Specification for the method
|
||||
|
||||
* A description of what the method does suitable for use in
|
||||
user documentation
|
||||
|
||||
* Method type (POST/PUT/GET/DELETE)
|
||||
|
||||
* Normal http response code(s)
|
||||
|
||||
* Expected error http response code(s)
|
||||
|
||||
* A description for each possible error code should be included
|
||||
describing semantic errors which can cause it such as
|
||||
inconsistent parameters supplied to the method, or when an
|
||||
instance is not in an appropriate state for the request to
|
||||
succeed. Errors caused by syntactic problems covered by the JSON
|
||||
schema definition do not need to be included.
|
||||
|
||||
* URL for the resource
|
||||
|
||||
* Parameters which can be passed via the url
|
||||
|
||||
* JSON schema definition for the body data if allowed
|
||||
|
||||
* JSON schema definition for the response data if any
|
||||
|
||||
* Example use case including typical API samples for both data supplied
|
||||
by the caller and the response
|
||||
|
||||
* Discuss any policy changes, and discuss what things a deployer needs to
|
||||
think about when defining their policy.
|
||||
|
||||
Example JSON schema definitions can be found in the Nova tree
|
||||
https://opendev.org/openstack/nova/src/branch/master/nova/api/openstack/compute/schemas
|
||||
|
||||
Note that the schema should be defined as restrictively as
|
||||
possible. Parameters which are required should be marked as such and
|
||||
only under exceptional circumstances should additional parameters
|
||||
which are not defined in the schema be permitted (eg
|
||||
additionaProperties should be False).
|
||||
|
||||
Reuse of existing predefined parameter types such as regexps for
|
||||
passwords and user defined names is highly encouraged.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Describe any potential security impact on the system. Some of the items to
|
||||
consider include:
|
||||
|
||||
* Does this change touch sensitive data such as tokens, keys, or user data?
|
||||
|
||||
* Does this change alter the API in a way that may impact security, such as
|
||||
a new way to access sensitive information or a new way to login?
|
||||
|
||||
* Does this change involve cryptography or hashing?
|
||||
|
||||
* Does this change require the use of sudo or any elevated privileges?
|
||||
|
||||
* Does this change involve using or parsing user-provided data? This could
|
||||
be directly at the API level or indirectly such as changes to a cache layer.
|
||||
|
||||
* Can this change enable a resource exhaustion attack, such as allowing a
|
||||
single API interaction to consume significant server resources? Some examples
|
||||
of this include launching subprocesses for each connection, or entity
|
||||
expansion attacks in XML.
|
||||
|
||||
For more detailed guidance, please see the OpenStack Security Guidelines as
|
||||
a reference (https://wiki.openstack.org/wiki/Security/Guidelines). These
|
||||
guidelines are a work in progress and are designed to help you identify
|
||||
security best practices. For further information, feel free to reach out
|
||||
to the OpenStack Security Group at openstack-security@lists.openstack.org.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
Please specify any changes to notifications. Be that an extra notification,
|
||||
changes to an existing notification, or removing a notification.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Aside from the API, are there other ways a user will interact with this
|
||||
feature?
|
||||
|
||||
* Does this change have an impact on python-congressclient? What does the user
|
||||
interface there look like?
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Describe any potential performance impact on the system, for example
|
||||
how often will new code be called, and is there a major change to the calling
|
||||
pattern of existing code.
|
||||
|
||||
Examples of things to consider here include:
|
||||
|
||||
* A periodic task might look like a small addition but if it calls conductor or
|
||||
another service the load is multiplied by the number of nodes in the system.
|
||||
|
||||
* Scheduler filters get called once per host for every instance being created,
|
||||
so any latency they introduce is linear with the size of the system.
|
||||
|
||||
* A small change in a utility function or a commonly used decorator can have a
|
||||
large impacts on performance.
|
||||
|
||||
* Calls which result in a database queries (whether direct or via conductor)
|
||||
can have a profound impact on performance when called in critical sections of
|
||||
the code.
|
||||
|
||||
* Will the change include any locking, and if so what considerations are there
|
||||
on holding the lock?
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Discuss things that will affect how you deploy and configure OpenStack
|
||||
that have not already been mentioned, such as:
|
||||
|
||||
* What config options are being added? Should they be more generic than
|
||||
proposed (for example a flag that other hypervisor drivers might want to
|
||||
implement as well)? Are the default values ones which will work well in
|
||||
real deployments?
|
||||
|
||||
* Is this a change that takes immediate effect after its merged, or is it
|
||||
something that has to be explicitly enabled?
|
||||
|
||||
* If this change is a new binary, how would it be deployed?
|
||||
|
||||
* Please state anything that those doing continuous deployment, or those
|
||||
upgrading from the previous release, need to be aware of. Also describe
|
||||
any plans to deprecate configuration values or features. For example, if we
|
||||
change the directory name that instances are stored in, how do we handle
|
||||
instance directories created before the change landed? Do we move them? Do
|
||||
we have a special case in the code? Do we assume that the operator will
|
||||
recreate all the instances in their cloud?
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Discuss things that will affect other developers working on OpenStack,
|
||||
such as:
|
||||
|
||||
* If the blueprint proposes a change to the driver API, discussion of how
|
||||
other hypervisors would implement the feature is required.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Who is leading the writing of the code? Or is this a blueprint where you're
|
||||
throwing it out there to see who picks it up?
|
||||
|
||||
If more than one person is working on the implementation, please designate the
|
||||
primary author and contact.
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Work items or tasks -- break the feature up into the things that need to be
|
||||
done to implement it. Those parts might end up being done by different people,
|
||||
but we're mostly trying to understand the timeline for implementation.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Include specific references to specs and/or blueprints in congress, or in
|
||||
other projects, that this one either depends on or is related to.
|
||||
|
||||
* If this requires functionality of another project that is not currently used
|
||||
by congress (such as the glance v2 API when we previously only required v1),
|
||||
document that fact.
|
||||
|
||||
* Does this feature require any new library dependencies or code otherwise not
|
||||
included in OpenStack? Or does it depend on a specific version of library?
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Please discuss how the change will be tested. We especially want to know what
|
||||
tempest tests will be added. It is assumed that unit test coverage will be
|
||||
added so that doesn't need to be mentioned explicitly, but discussion of why
|
||||
you think unit tests are sufficient and we don't need to add more tempest
|
||||
tests would need to be included.
|
||||
|
||||
Is this untestable in gate given current limitations (specific hardware /
|
||||
software configurations available)? If so, are there mitigation plans (3rd
|
||||
party testing, gate enhancements, etc).
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
What is the impact on the docs team of this change? Some changes might require
|
||||
donating resources to the docs team to have the documentation updated. Don't
|
||||
repeat details discussed above, but please reference them here.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Please add any useful references here. You are not required to have any
|
||||
reference. Moreover, this specification should still make sense when your
|
||||
references are unavailable. Examples of what you could include are:
|
||||
|
||||
* Links to mailing list or IRC discussions
|
||||
|
||||
* Links to notes from a summit session
|
||||
|
||||
* Links to relevant research, if appropriate
|
||||
|
||||
* Related specifications as appropriate (e.g. if it's an EC2 thing, link the
|
||||
EC2 docs)
|
||||
|
||||
* Anything else you feel it is worthwhile to refer to
|
|
@ -1,628 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Policy Library
|
||||
==========================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/policy-library
|
||||
|
||||
When Congress is first deployed, it does not perform any monitoring or
|
||||
enforcement because there are no policies specified. It takes significant
|
||||
investment in time and energy to learn the policy language and write the
|
||||
desired policies before Congress provides any value.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
To help deployers and administrators quickly get started and see value,
|
||||
we propose to include with Congress a library of useful policies that a
|
||||
deployer or administrator can easily enable, disable, and customize.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
|
||||
Overview
|
||||
------------
|
||||
|
||||
The proposed changes come in two main pieces, the new policy library and the
|
||||
changes to existing Congress server functionalities to support the use of
|
||||
policies from the policy library.
|
||||
|
||||
The policy library
|
||||
^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
Introduce a new concept of the policy library in Congress server,
|
||||
where policies are retained and manipulated but are not used by the policy
|
||||
engine (for monitoring or enforcement).
|
||||
Include with Congress server a collection of useful policies,
|
||||
each in a YAML file. These policies automatically populate the policies
|
||||
library.
|
||||
|
||||
To make it easy for us to populate the library and for admins to modify/create
|
||||
their own library, the API/CLI/GUI should support full CRUD into the library.
|
||||
|
||||
* Congress server can have new config option that points to a directory of
|
||||
policies to load into the library.
|
||||
|
||||
* Once the library is initialized from the files, restart of Congress server
|
||||
do not re-initialize the policy library from the files
|
||||
(empty library is assumed to be un-initialized). A new interface
|
||||
allows an administrator to trigger re-initialization from files.
|
||||
|
||||
.. note:: The policy library is persisted in the database and has a
|
||||
separate existence in Congress server apart from the files in the policy
|
||||
library directory. See also discussion of the alternative model
|
||||
_`Policy library directory files as truth`.
|
||||
|
||||
* Future feature: reloads changed files automatically into library
|
||||
|
||||
* Will not update policies imported from library into policy engine
|
||||
* Open question:
|
||||
Should changes to the policy library through the API sync back to the
|
||||
files in the policy library directory?
|
||||
* Care must be taken to consider concurrent changes and potential conflicts
|
||||
from multiple congress server instances.
|
||||
|
||||
.. warning:: When Congress server policy engine service is replicated,
|
||||
different server instances must have the same
|
||||
policy library files. If not, the library will be populated based on the
|
||||
an arbitrary combination of the policy files on the different server
|
||||
instances.
|
||||
|
||||
* Installation
|
||||
|
||||
* Standalone: installer scripts copy the default library directory from the
|
||||
Congress git repo into /etc/congress/.
|
||||
* Devstack: same as standalone
|
||||
|
||||
|
||||
Support for using policies from the library
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
We propose to add all the functionalities required to support the following
|
||||
workflows for activating a policy from the policy library (i.e., creating an
|
||||
(active) policy in the policy engine by importing a (inactive) policy from the
|
||||
policy library).
|
||||
|
||||
* Activating a policy from library using CLI/API.
|
||||
|
||||
#. Administrator inspects policies in library to find one they want to use.
|
||||
#. Administrator downloads the relevant policy, in YAML or JSON.
|
||||
#. Administrator modifies YAML/JSON encoding and uses it as the payload to
|
||||
create a new policy.
|
||||
|
||||
* Activating a policy from library using GUI.
|
||||
|
||||
#. Administrator peruses policies in library
|
||||
#. Administrator clicks on an interesting policy, which brings up a textbox
|
||||
(or more sophisticated policy editor) to customize.
|
||||
#. Administrator clicks on a 'Create' button that creates that policy.
|
||||
|
||||
Below are the specific functionalities needed to support these workflows.
|
||||
|
||||
* A backward compatible change to the policies POST API to allow for a 'rules'
|
||||
key in the JSON/YAML payload body.
|
||||
|
||||
* A new optional parameter to the ``policy create`` CLI command that allows
|
||||
the administrator to import and activate a policy from a YAML file.
|
||||
|
||||
* A new optional parameter to the ``policy create`` CLI command that allows
|
||||
the administrator to import and activate a policy directly from the policy
|
||||
library without saving to file.
|
||||
|
||||
.. note:: The policy engine rule insert code would require some careful
|
||||
reworking to ensure policy creation with rules is transactional. That is,
|
||||
if insertion fails at the third rule (say because of cross-policy
|
||||
recursion), the first and second rule insertions are undone without having
|
||||
caused any effect (triggered actions or altered query answers).
|
||||
|
||||
Three main things are needed.
|
||||
|
||||
* Write to database only after the insertion of all the policy rules have
|
||||
succeeded in the policy engine.
|
||||
|
||||
* Trigger evaluation must be delayed until after all the rules are inserted
|
||||
successfully.
|
||||
|
||||
* The policy engine must be prevented from answering queries while in the
|
||||
middle of processing a batch of rule insertions. This can be done either
|
||||
with locks or by making sure the greenthread executing the batch rule
|
||||
insertion does not yield.
|
||||
|
||||
* A new page in the Horizon GUI where an administrator can perform the
|
||||
following tasks.
|
||||
|
||||
- browse and inspect policies in the policy library
|
||||
- active (i.e., import to policy engine) a policy from the policy library
|
||||
- customize a policy in the policy library prior to import
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
This section discusses several alternative designs and implementation to
|
||||
various aspects of this proposal.
|
||||
|
||||
Policy library strictly external to Congress
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
* No concept of library in API/data model. The policy library is simply a
|
||||
directory of files the administrator can import into the policy engine.
|
||||
|
||||
* Least development effort.
|
||||
|
||||
* Not as usable. Administrator cannot use the existing Congress interface
|
||||
(CLI/GUI/API) to browse, inspect, customize, and activate policies in the
|
||||
policy library.
|
||||
|
||||
* This version is realized by a subset of the changes proposed in the spec.
|
||||
This subset should be prioritized in the development to realize the minimal
|
||||
viable functionality described here.
|
||||
|
||||
Policy library directory files as truth
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
* Instead of database, use the policy files in the policy library directory as
|
||||
source of truth.
|
||||
|
||||
* Complex in error-prone in a setup with multiple policy engines.
|
||||
|
||||
* Different model from all the other persisted data in Congress server,
|
||||
adding more complexity for developers.
|
||||
|
||||
Library rules as disabled policy engine rules in the same database table
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
* Instead of storing the rules in the library policy in a separate logical
|
||||
repository as well as a separate database table from the active rules in the
|
||||
rule engine, store all the rules as rules in the rule engine, with an
|
||||
additional flag indicating which ones are active.
|
||||
|
||||
* Complicates the existing data model for rules in the policy engine.
|
||||
|
||||
* What is the benefit?
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Not applicable.
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Not applicable
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Not applicable.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No impact on existing tables.
|
||||
|
||||
One new database tables are needed:
|
||||
|
||||
* A ``library_policies`` table to store the policies in the policies library.
|
||||
Below are the columns.
|
||||
|
||||
* ``name =
|
||||
sa.Column(sa.String(255), nullable=False, unique=True, primary_key=True)``
|
||||
* ``abbreviation = sa.Column(sa.String(5), nullable=False)``
|
||||
* ``description = sa.Column(sa.Text(), nullable=False)``
|
||||
* ``kind = sa.Column(sa.Text(), nullable=False)``
|
||||
* ``rules = sa.Column(sa.Text(), nullable=False)``
|
||||
|
||||
.. note:: Because the rules in the library are accessed at the granularity of
|
||||
one entire policy, we can improve simplicity and performance by storing the
|
||||
rules as a text blob instead of as individual rows.
|
||||
|
||||
.. warning:: the TEXT type is limited to 2^16 - 1 bytes in length in MySQL.
|
||||
Very large policies beyond this size are not supported. If this limit turns
|
||||
out to be too restrictive, MEDIUMTEXT or LONGTEXT type can be forced by
|
||||
specifying a longer length in the SQL Alchemy column declaration, at the
|
||||
cost of losing SQLite support (primarily used for unit testing).
|
||||
|
||||
Empty tables will be created using sqlalchemy migration scripts. Tables will be
|
||||
populated by Congress server from policy files in the policy libraries folder.
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Policy library methods
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* Re-initialize
|
||||
|
||||
* Re-initialize policy library from the files in the policy library directory
|
||||
as set in configuration.
|
||||
|
||||
.. warning:: This operation destroys the current content of the policy
|
||||
library.
|
||||
|
||||
* Method type: PUT
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 401
|
||||
|
||||
* ``/v1/library``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed: Not allowed
|
||||
|
||||
* JSON schema definition for the response data if any: None
|
||||
|
||||
* List policies
|
||||
|
||||
* List metadata for all policies in the library (id, name, desc, number of
|
||||
rules)
|
||||
|
||||
* Method type: GET
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): None
|
||||
|
||||
* ``/v1/library``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed: Not allowed
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
|
||||
::
|
||||
|
||||
- !Type:
|
||||
title: collection of PolicyProperties
|
||||
type: array
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
title: Policy unique name
|
||||
type: string
|
||||
required: true
|
||||
description:
|
||||
title: Policy description
|
||||
type: string
|
||||
required: true
|
||||
kind:
|
||||
title: Policy kind
|
||||
type: string
|
||||
required: true
|
||||
abbreviation:
|
||||
title: Policy name abbreviation
|
||||
type: string
|
||||
required: false
|
||||
|
||||
|
||||
* Show policy
|
||||
|
||||
* Show specified library policy (in specified format)
|
||||
|
||||
* Method type: GET
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 401, 404
|
||||
|
||||
* ``/v1/library/<policy-name>``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed: Not allowed
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
`Policy full schema`_.
|
||||
|
||||
* Create policy
|
||||
|
||||
* Create a new policy in library
|
||||
|
||||
* Method type: POST
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 400, 401, 409
|
||||
|
||||
* ``/v1/library``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed:
|
||||
`Policy full schema`_.
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
`Policy metadata schema without UUID`_.
|
||||
|
||||
* Update policy
|
||||
|
||||
* Update a policy in library
|
||||
|
||||
* Method type: PUT
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 400, 401, 404, 409
|
||||
|
||||
* ``/v1/library/<policy-name>``
|
||||
|
||||
* Parameters which can be passed via the url:
|
||||
|
||||
* format: {json, yaml} (default is json)
|
||||
|
||||
* JSON schema definition for the body data if allowed:
|
||||
`Policy full schema`_.
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
`Policy metadata schema without UUID`_.
|
||||
|
||||
* Delete policy
|
||||
|
||||
* Delete policy from library
|
||||
|
||||
* Method type: DELETE
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 401, 404
|
||||
|
||||
* ``/v1/library/<policy-name>``
|
||||
|
||||
* Parameters which can be passed via the url: None
|
||||
|
||||
* JSON schema definition for the body data if allowed: Not allowed
|
||||
|
||||
* JSON schema definition for the response data if any: None
|
||||
|
||||
|
||||
Policy engine methods
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
* Create policy
|
||||
|
||||
* Create a policy in policy engine (either from input data or from library)
|
||||
|
||||
* Method type: POST
|
||||
|
||||
* Normal http response code(s): 200
|
||||
|
||||
* Expected error http response code(s): 400, 401, 404, 409
|
||||
|
||||
* ``/v1/policies``
|
||||
|
||||
* Parameters which can be passed via the url:
|
||||
|
||||
* library_policy=<name of policy in library>. This creates the policy
|
||||
directly from the library policy, without needing body data. A request
|
||||
where both this parameter and a body data are specified should result in
|
||||
error 400.
|
||||
|
||||
* JSON schema definition for the body data if allowed: `Policy full schema`_.
|
||||
|
||||
* JSON schema definition for the response data if any:
|
||||
`Policy metadata schema with UUID`_.
|
||||
|
||||
|
||||
Common JSON Schemas
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
|
||||
|
||||
Policy metadata schema without UUID
|
||||
++++++++++++++++++++++++++++++++++++++++++++
|
||||
|
||||
::
|
||||
|
||||
- !Type:
|
||||
id: PolicyProperties
|
||||
title: Policy Properties
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
title: Policy unique name
|
||||
type: string
|
||||
required: true
|
||||
description:
|
||||
title: Policy description
|
||||
type: string
|
||||
required: true
|
||||
kind:
|
||||
title: Policy kind
|
||||
type: string
|
||||
required: true
|
||||
abbreviation:
|
||||
title: Policy name abbreviation
|
||||
type: string
|
||||
required: false
|
||||
|
||||
.. note:: UUIDs are not used for policies in the policy library. The reason
|
||||
is gets confusing if the UUID is changed when the policy is activated,
|
||||
but also problematic if the UUID is retained in the activated policy in
|
||||
policy engine, leading to two different entities sharing the same UUID.
|
||||
|
||||
|
||||
Policy metadata schema with UUID
|
||||
++++++++++++++++++++++++++++++++++++++++++++
|
||||
|
||||
::
|
||||
|
||||
- !Type:
|
||||
id: PolicyProperties
|
||||
title: Policy Properties
|
||||
type: object
|
||||
properties:
|
||||
id:
|
||||
title: UUID for the policy
|
||||
type: string
|
||||
required: true
|
||||
name:
|
||||
title: Policy unique name
|
||||
type: string
|
||||
required: true
|
||||
description:
|
||||
title: Policy description
|
||||
type: string
|
||||
required: false
|
||||
kind:
|
||||
title: Policy kind
|
||||
type: string
|
||||
required: false
|
||||
abbreviation:
|
||||
title: Policy name abbreviation
|
||||
type: string
|
||||
required: false
|
||||
|
||||
|
||||
Policy full schema
|
||||
++++++++++++++++++++++++++++++++++++++++++
|
||||
|
||||
.. note:: It is a design decision that rules in a policy library do not
|
||||
have IDs and cannot be referred to individually. Policies in the library
|
||||
are created, updated, or deleted at the level of the whole policy.
|
||||
|
||||
::
|
||||
|
||||
- !Type:
|
||||
id: PolicyProperties
|
||||
title: Policy Properties
|
||||
type: object
|
||||
properties:
|
||||
name:
|
||||
title: Policy unique name
|
||||
type: string
|
||||
required: true
|
||||
description:
|
||||
title: Policy description
|
||||
type: string
|
||||
required: true
|
||||
kind:
|
||||
title: Policy kind
|
||||
type: string
|
||||
required: true
|
||||
abbreviation:
|
||||
title: Policy name abbreviation
|
||||
type: string
|
||||
required: false
|
||||
rules:
|
||||
title: collection of rules
|
||||
type: array
|
||||
required: true
|
||||
items:
|
||||
type: object
|
||||
properties:
|
||||
id: PolicyRule
|
||||
title: Policy rule
|
||||
type: object
|
||||
properties:
|
||||
rule:
|
||||
title: Rule definition following policy grammar
|
||||
type: string
|
||||
required: true
|
||||
name:
|
||||
title: User-friendly name
|
||||
type: string
|
||||
required: false
|
||||
comment:
|
||||
title: User-friendly comment
|
||||
type: string
|
||||
required: false
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
In general, no major security impact is expected. However, below are some
|
||||
security considerations.
|
||||
|
||||
* If policy library changes are sync'ed back to the policy library directory on
|
||||
the server, then an attacker who gains administrative privilege to Congress
|
||||
can also create and modify files in the policy library directory of the
|
||||
Congress servers.
|
||||
|
||||
* The ability to submit multiple rules in a policy creation API can increase
|
||||
the potential for resource exhaustion attacks.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
No impact
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
No impact to existing work flows.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Minimal performance impact expected. Care must be taken to limit the
|
||||
performance impact of the feature to automatically detect changes in
|
||||
the policy library folder and update the policy library accordingly.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
There is minimal negative impact on deployers.
|
||||
|
||||
* No existing database table schemas are changed.
|
||||
|
||||
* New database tables are used, which would be added by alembic migration
|
||||
scripts.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Minimal developer impact.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Assignment to be done on launchpad.
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
To be organized on launchpad.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
No new dependencies.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
In addition to unit tests, straight-forward additions to the tests in
|
||||
congress_tempest_tests/tests/scenarios/test_congress_basic_ops.py would
|
||||
suffice.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Minimal impact.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
No references.
|
|
@ -1,365 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
========================================
|
||||
OpenStack Configuration Files Validation
|
||||
========================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/configuration-files-validation
|
||||
|
||||
Congress could be used by cloud operators to formalize the constraints between
|
||||
options defined in configuration files with the help of business rules written
|
||||
in Datalog and verify the compliance of their deployments automatically.
|
||||
It is intended to be complementary to config management systems
|
||||
that should only create valid configuration files
|
||||
and to integration tests such as RefStack.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Each OpenStack service on each node in parameterized by a set of configuration
|
||||
files describing the value of the various configuration options. In this
|
||||
proposal we only consider configuration files managed by the oslo-config
|
||||
library. Configuration options are not independent:
|
||||
|
||||
* Each option value is constrained but the constraints may go beyond the
|
||||
expressive power of oslo-config type system.
|
||||
|
||||
* For a given service on a given node, constraints may exist between different
|
||||
options.
|
||||
|
||||
* On a given node, constraints and incompatibilities may exist between various
|
||||
options belonging to different services. For example, when a functionality in
|
||||
a given service depends on the availability of another functionality in
|
||||
another service.
|
||||
|
||||
* Between nodes, other constraints exist either for a given service or between
|
||||
services.
|
||||
|
||||
Constraints may be defined by different actors:
|
||||
|
||||
* Service developers know the constraints on the options they define and
|
||||
usually document them informally in the source code in the description field
|
||||
associated to the option.
|
||||
|
||||
* Cloud integrators will discover additional constraints when they develop
|
||||
deployment code. Most of the time those options are only implicitly defined
|
||||
in the source code of the scripts.
|
||||
|
||||
* Administrators may want to enforce additional constraints reflecting the
|
||||
operational environment constraints.
|
||||
|
||||
* For companies having multiple instances of OpenStack, rules could be
|
||||
used to ensure compliance of the instances with their global engineering
|
||||
rules.
|
||||
|
||||
* Although OpenStack provides abstractions that hide implementation details
|
||||
from end-users, some back-ends or some back-end combinations may impose
|
||||
constraints on what is available to the end-user. When administrators
|
||||
discover some back-end limitations, it may be useful to add congress rules
|
||||
reflecting those limitations before a more permanent solution is found.
|
||||
|
||||
Datalog could be used as a formal language to describe those constraints and
|
||||
Congress could be used to enforce those constraints if the configuration files
|
||||
were available for processing. Although Congress is usually used for more
|
||||
dynamic data coming from running instances, nothing precludes the use of more
|
||||
static data sources.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
The extension adds a new agent deployed on OpenStack nodes that collect the
|
||||
configuration files as defined in its own configuration. The agent communicates
|
||||
with a datasource driver included in the congress analyzer through the
|
||||
message bus. The agent is configured with its own configuration file describing
|
||||
the files it transmit (an example configuration file is given in the 'Other
|
||||
deployer impact' section).
|
||||
|
||||
The agent is responsible for conveying information on option values but also on
|
||||
their meta-data: layout in groups, type, flags such as deprecation, secret
|
||||
status, etc. Meta-data are described in templates which are in fact
|
||||
a collection of namespaces. Namespace contain the actual definition of
|
||||
meta-data. To avoid versionning problems, Meta-data must be obtained directly
|
||||
from the service.
|
||||
|
||||
To limit the amount of traffic between the driver and agents, template files
|
||||
are hashed. Agents first reply to queries with hashes. The driver will request
|
||||
the content only if the hash is unknown.
|
||||
The same process is used for namespaces.
|
||||
|
||||
The only processing performed by agents on the option files is the removal of
|
||||
the values of secret options.
|
||||
|
||||
The datasource driver is responsible for populating the extensional database
|
||||
with information provided by the agents:
|
||||
|
||||
* option definitions are extracted from templates and namespaces and translated
|
||||
in new Datalog tables.
|
||||
|
||||
* option values are parsed by the oslo-config library and stored with an
|
||||
identification of the origin (file and node).
|
||||
|
||||
The Datalog model defines several tables:
|
||||
|
||||
* hosts
|
||||
|
||||
* files
|
||||
|
||||
* templates
|
||||
|
||||
* namespaces
|
||||
|
||||
* option values
|
||||
|
||||
The definition of an option is split between three tables:
|
||||
|
||||
* The option table defines the mapping between the option id and the fields
|
||||
that build up the key: name, namespace and group of the option.
|
||||
|
||||
* The option_info table defines the type and the flags of the option. It uses
|
||||
the id defined in the option table to uniquely identify the option.
|
||||
|
||||
* Depending on the type of the option, attributes specific to a given type are
|
||||
defined in a specialized table. The option id is used again as a key to refer
|
||||
to the option table.
|
||||
|
||||
Regarding the uniqueness of configuration meta-data in the extensional
|
||||
database, the driver must ensure that the ids are deterministic. An option
|
||||
identified by the same name, same group name and same namespace name should
|
||||
always be given the same unique id. The use of the MD5 hash function (there is
|
||||
no cryptographic requirement) guarantees uniqueness and determinism.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
Installers usually generate correct set of configuration files for a
|
||||
more or less extensible set of options but provide little help for live
|
||||
maintenance of those files. They may also restrict the configuration
|
||||
space beyond what is necessary.
|
||||
|
||||
The proposed change must be considered as a work in progress. It does not fully
|
||||
address the problem of the location and the management of constraints. Most
|
||||
constraints are known by the service developers and should be maintained in the
|
||||
source code of services in a dedicated meta-data field of
|
||||
the option definition.
|
||||
|
||||
The use of an external agent to push a service configuration is not the only
|
||||
solution. The oslo-config library could be modified to push the configuration
|
||||
read by the service to the datasource driver. This could be done through
|
||||
the use of a hook in oslo-config. It would require additional configuration of
|
||||
the services to identify the endpoint.
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
We would like to aggregate policy violations in a few tables partitioning
|
||||
violations by their degree (error, warn, info).
|
||||
|
||||
Example:
|
||||
|
||||
X: neutron-server host
|
||||
|
||||
Y: ovs-agt host
|
||||
|
||||
Z: lb-agt host
|
||||
|
||||
::
|
||||
|
||||
warn('Multinode OVS and linuxbridge use incompatible UDP ports',
|
||||
'vxlan_conflicting_ovs_lb_udp_ports') :-
|
||||
vxlan_conflicting_ovs_lb_udp_ports()
|
||||
|
||||
vxlan_conflicting_ovs_lb_udp_ports(Y, Z) :-
|
||||
value(X, 'neutron.conf', 'DEFAULT', 'core_plugin', 'ml2'),
|
||||
value(X, 'ml2_conf.ini', 'ml2', 'type_drivers', 'vxlan'),
|
||||
value(X, 'ml2_conf.ini', 'ml2', 'mechanism_drivers', 'openvswitch'),
|
||||
value(X, 'ml2_conf.ini', 'ml2', 'mechanism_drivers', 'linuxbridge'),
|
||||
value(Y, 'openvswitch_agent.ini', 'agent', 'tunnel_types', 'vxlan'),
|
||||
not value(Y, 'openvswitch_agent.ini', 'agent', 'vxlan_udp_port', 8472),
|
||||
value(Z, 'linuxbridge_agent.ini', 'vxlan', 'enable_vxlan', 'True')
|
||||
|
||||
|
||||
We'd like the 'value' table to be intelligible to most potential contributor,
|
||||
and also meaningful enough to spare them from predictable joins.
|
||||
|
||||
Currently the 'value' table is derived from the extensional tables, which
|
||||
describe configuration files and their meta-data. Although it is defined
|
||||
intentionally, it could be useful to consider it as an extensional predicate.
|
||||
Here is how we derived it:
|
||||
|
||||
::
|
||||
|
||||
value(hostname, file, group, name, value) :-
|
||||
config:option(id=option_id, group=group, name=name),
|
||||
config:file(id=file_id, host_id=host_id, name=file),
|
||||
config:host(id=host_id, name=hostname),
|
||||
config:value(option_id=option_id, file_id=file_id, val=value)
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None.
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
The data sources are the different configuration files of OpenStack projects
|
||||
using the Oslo.config library for their configuration.
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Configuration files contain sensitive credentials. Those credentials MUST NOT
|
||||
be transmitted to the Congress engine. The agent has access to types and must
|
||||
filter out credentials. Values of any option marked as secret will not be
|
||||
available within the engine.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
None other than the usual management of the datasource and policy.
|
||||
Eventually, we would like to feed the engine with rules that are coming from
|
||||
and maintained in the services source code.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Performance impact should be limited because of the static nature of the values
|
||||
provided by this datasource.
|
||||
|
||||
The main impact is the traffic on the message bus used to exchange
|
||||
configuration files between agents and Congress server. The server may
|
||||
rate-limit this traffic. If performance is still a concern, another solution is
|
||||
to limit the use of the bus to announcement and use a REST endpoint on the
|
||||
server to record new configuration files.
|
||||
|
||||
We give the driver control over the way data is retrieved. We want to prevent
|
||||
the duplicated sending of files and templates, and to prevent overloading the
|
||||
driver. When the driver is activated, it periodically notifies agents, over the
|
||||
communication bus requesting their data description. An agent send description
|
||||
of the files it has been set to provide. The description contains hashes of
|
||||
namespaces, templates and configs. The driver then requests the resources,
|
||||
which hashes have not been recognized.
|
||||
|
||||
We use the RPC server of the datasource associated DseNode.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
We add a dedicated group and options to configure an agent and the
|
||||
configuration files to manage.
|
||||
|
||||
*validator.host*
|
||||
|
||||
A string option serving as a node id, in a way that is meaningful to
|
||||
administrators.
|
||||
|
||||
*validator.version*
|
||||
|
||||
A string option introducing the notion of version and what it would be on this
|
||||
node. It could be used to discriminate handling of different version of a
|
||||
config-file coexisting in a cloud instance during a migration.
|
||||
This information may be provided differently in the future to be defined
|
||||
at the services level.
|
||||
|
||||
*validator.services*
|
||||
|
||||
An dict option describing the OpenStack services activated on this node. The
|
||||
values are also dictionaries. Keys are paths to config-files,
|
||||
values are paths to the associated templates. For instance::
|
||||
|
||||
congress: { /etc/congress/congress.conf:
|
||||
/opt/stack/congress/etc/congress-config-generator.conf }
|
||||
|
||||
|
||||
Example config :
|
||||
|
||||
::
|
||||
|
||||
[DEFAULT]
|
||||
transport_url = rabbit://..@control:5672/
|
||||
|
||||
[validator]
|
||||
services = nova : { /etc/nova.conf:
|
||||
/opt/stack/nova/etc/nova/nova-config-generator.conf:
|
||||
version = ocata
|
||||
host = node_A
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Discuss things that will affect other developers working on OpenStack,
|
||||
such as:
|
||||
|
||||
* If the blueprint proposes a change to the driver API, discussion of how
|
||||
other hypervisors would implement the feature is required.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignees:
|
||||
|
||||
* Valentin Matton
|
||||
|
||||
* Pierre Crégut
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
* Agent to collect the config files
|
||||
|
||||
* Datasource interacting with the agents
|
||||
|
||||
* Integration to devstack
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
We will depend on oslo-config-generator config-files, which can be used to
|
||||
describe OS services config-files.
|
||||
https://github.com/openstack/oslo-specs/blob/master/specs/juno/oslo-config-generator.rst
|
||||
|
||||
We rely extensively on the oslo-config lib.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
We propose to use tempest tests in a setting with 2 nodes. One of which hosts
|
||||
the congress-server and the second an agent. Communications will be tested :
|
||||
sending of meta-data and files.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
This feature introduces an agent component that requires separate
|
||||
configuration. It also defines new datasources.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
|
@ -1,314 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===================================
|
||||
Z3 as an alternative Datalog engine
|
||||
===================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/alternative-engine-z3
|
||||
|
||||
Z3 is an open source Datalog engine developed by Microsoft.
|
||||
We propose an extension of Congress that lets the user define
|
||||
theories (ie. set of rules producing new tables from existing ones
|
||||
that can be later used by other theories) that will be treated
|
||||
by the Z3 engine instead of the existing one.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A cloud operator may want to check if connectivity exists between two machines
|
||||
or if they are effectively isolated. This means understanding how traffic is
|
||||
routed (ie. what are the path the traffic may take) and how security groups and
|
||||
firewall rules are applied along those path.
|
||||
|
||||
Here are the main characteristics needed by the Datalog engine for
|
||||
solving such problems:
|
||||
|
||||
* Recursion: routing packets means building paths (link paths, networks)
|
||||
and paths are naturally described recursively.
|
||||
|
||||
* Efficient representation of IP addresses and IP address ranges as commonly
|
||||
found in switching devices and firewalls.
|
||||
|
||||
* Efficient handling of large volumes of data.
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
We propose to integrate Z3, Microsoft open-source automatic prover, as an
|
||||
alternate Datalog engine for Congress.
|
||||
|
||||
Z3 theories will be expressed in the same syntax as standard theories.
|
||||
But the Datalog language supported by these theories will be tailored to what
|
||||
Z3 supports in Datalog mode:
|
||||
|
||||
* different and reduced set of built-ins as explained in the Policy section,
|
||||
|
||||
* no modals.
|
||||
|
||||
Architecture
|
||||
------------
|
||||
|
||||
Overview
|
||||
^^^^^^^^
|
||||
A new kind of theory will be introduced alongside the classical
|
||||
NonRecursiveTheory. Z3 theories will consume data from
|
||||
other theories and use the Z3 engine to apply rules.
|
||||
|
||||
There will be one single Z3 solver instance per analyzer that will be
|
||||
abstracted in Python as a Z3 context object. Z3 context will host all tables
|
||||
of Z3 theories in Z3 format.
|
||||
|
||||
Z3 theories should be callable from other theories in particular from
|
||||
regular non-recursive theories.
|
||||
|
||||
Z3 theories can use data from other theories. The external tables used by
|
||||
Z3 theories will be completely imported in the Z3 context.
|
||||
|
||||
Compilation of Z3 theories will be delayed until queries are done on those
|
||||
theories. We will regularly update the representation of external tables in
|
||||
the Z3 engine to keep them synchronized. Z3 does not support undoing relations
|
||||
or rules, so a new context must be created each time a change occurs.
|
||||
|
||||
Type-checking
|
||||
^^^^^^^^^^^^^
|
||||
|
||||
Z3 requires typed data. Type-checking will be completely implicit and we will
|
||||
not add type-constraints in the language.
|
||||
|
||||
The type-checker will preserve the types from external tables. It will raise
|
||||
an error if a variable should have two different types according to two
|
||||
different tables.
|
||||
|
||||
The type-checker will try to give the most precise type to constants that
|
||||
appear in Datalog programs to make them compatible with external tables.
|
||||
For example the value ``Ingress`` is usually typed as a string (``Str`` type)
|
||||
but in the context of a Neutron security group, it will be given the type
|
||||
``Direction``
|
||||
|
||||
To be able to have two representations for a value, we will introduce
|
||||
explicit converter built-ins: ``builtin:cast(x, 'Direction', y, 'Str')``
|
||||
will convert a variable ``x`` of type ``Direction`` in a variable ``y``
|
||||
of the standard string type. It will be implemented as a table where each
|
||||
row is a pair of the representations in the two different types of a same
|
||||
object. Those tables will be filled when constants in programs are compiled
|
||||
and external tables are imported.
|
||||
|
||||
The same trick will be used to have a bit field representation of Ip addresses.
|
||||
|
||||
Finally the type-checker should support some kind of generic polymorphism for
|
||||
built-ins. For example equalities and comparison should work as long as the
|
||||
compared objects are of the same type, addition of two items belonging to a
|
||||
given subtype of integers should give back an item in the same subtype. We do
|
||||
not plan to support user-defined polymorphic tables. For example the following
|
||||
rule is ill defined: ::
|
||||
|
||||
add3(x,y,z,t) :- builtin:plus(x,y,u), builtin:plus(u,z,t)
|
||||
|
||||
It may be desirable to have type-constraints in the language to constrain
|
||||
such variables.
|
||||
|
||||
Internal representations
|
||||
^^^^^^^^^^^^^^^^^^^^^^^^
|
||||
Internally Z3 will use bit-vectors. Integers will be translated in 32 bits
|
||||
bit-vectors. Strings will be bijectively associated with an integer and
|
||||
represented by its associated bit-vector.
|
||||
|
||||
When possible we will use finer types (enumerations) that require smaller
|
||||
bit-vector.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
We could try to rephrase the theories to fit the current engine. For example we
|
||||
could unroll recursive calls up to a reasonable depth (packets have a TTL).
|
||||
Unfortunately this solution does not scale well. Unrolling recursive calls
|
||||
change in fact the overall complexity of the program. Experiments with octant
|
||||
have shown that some problems that require several minutes of computation with
|
||||
the current engine can be solved in tenth of seconds with octant.
|
||||
|
||||
We could try to incorporate Z3 algorithmic in Congress engine: this would be
|
||||
time consuming and hazardous. Z3 uses very efficient C++ data structures to
|
||||
represent tables and more that ten years have been devoted to its development.
|
||||
|
||||
We could use another external engine: there may be cases where another Datalog
|
||||
engine could be a better candidate. The new Congress architecture with explicit
|
||||
data-type has been designed to let several engines share a same pool of data.
|
||||
The strong points of Z3 are its overall efficiency and its data-structures
|
||||
specially crafted for network related problems.
|
||||
|
||||
There may be cases where we may wish to have several Z3 contexts with different
|
||||
settings. Contexts define the variant of the Z3 engine in use and different
|
||||
theories may benefit from different settings.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Here are the main characteristics of Z3 policies:
|
||||
|
||||
* Adds support for recursive rules.
|
||||
|
||||
* Support of built-in predicates for equalities / comparison
|
||||
|
||||
* Support for basic bit arithmetic (to be used with IP address).
|
||||
|
||||
* New built-ins for converting opaque IpAddress to bit fields and IpNetwork
|
||||
to a pair of bit-fields (mask and address).
|
||||
|
||||
* Built-ins to convert a value that exists in different types from one
|
||||
representation to the other.
|
||||
|
||||
The last two kinds of built-ins will in fact be implemented by tables computed
|
||||
when data-sources and programs are synchronized.
|
||||
|
||||
Here is an example of policy that verifies if two networks are connected by
|
||||
a chain of routers and if VMs are attached to two networks that belong to two
|
||||
sets of networks that should be kept isolated: ::
|
||||
|
||||
connect1(X) :- neutronv2:networks(id=X, name="N1")
|
||||
connect2(X) :- neutronv2:networks(id=X, name="N2")
|
||||
|
||||
linked(X,Y) :-
|
||||
neutronv2:ports(network_id=X, device_id=Z), neutronv2:routers(id=Z),
|
||||
neutronv2:ports(network_id=Y, device_id=Z)
|
||||
|
||||
path(X,Y) :- linked(X,Y)
|
||||
path(X,Y) :- path(X,Z), linked(Z,Y)
|
||||
|
||||
interco_error(X,Y) :- connect1(X), connect2(Y), path(X,Y)
|
||||
|
||||
network1(X) :- connect1(Y), path(Y, X)
|
||||
network2(X) :- connect2(Y), path(Y, X)
|
||||
|
||||
double_attach(X) :-
|
||||
nova:server(id=X),
|
||||
neutronv2:ports(network_id=X, device_id=Y), network1(Y),
|
||||
neutronv2:ports(network_id=X, device_id=Z), network2(Z)
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
None. Z3 theories will not support actions. Support may be added later.
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Independent from the data-source used.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
We may want to move to more atomic definitions of theories. A theory is
|
||||
a complete program and should be considered as such. Adding and removing
|
||||
rules on the fly makes compilation and type-checking unnecessarily complex.
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
None
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
None
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
For python-congressclient, when a new theory is created, there is a new
|
||||
kind alternative: z3.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Well behaved Z3 theories will be much faster than equivalent non-recursive
|
||||
theories. But programs that require too much computing power may be harder to
|
||||
abort on the Z3 engine.
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Z3 is not a pypi package. There is an unofficial z3solver package but it has
|
||||
some limitations (not an up-to-date version and a version emitting a lot of
|
||||
spurious messages). For some Linux distributions, there is no pre-compiled
|
||||
version of Z3 available. Z3 must be compiled from source on those systems.
|
||||
|
||||
Due to all these constraints, we have chosen NOT to add z3 as a requirement.
|
||||
z3theory will be available IF z3 has been deployed on the server hosting
|
||||
congress.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
None
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
|
||||
Primary assignee:
|
||||
pcregut
|
||||
|
||||
Other contributors:
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
For Rocky we do not plan to add built-ins. The basic Datalog language is
|
||||
sufficient for interesting examples.
|
||||
|
||||
During Stein iteration, built-ins and the treatment of polymorphism
|
||||
in the type-checker will be added.
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
This feature depends on Microsoft theorem prover Z3.
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Unit tests will be done with a mock of z3 library.
|
||||
|
||||
For integration tests, new settings will be added to devstack so that Z3
|
||||
can be either installed from source (rather slow) or directly deployed from
|
||||
a pre-compiled release (only available for Ubuntu 14.04, 16.04 and Debian
|
||||
8.10). As the python package is deployed globally, tempest may skip Z3 tests
|
||||
if it cannot import the python package.
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Documentation should at least mention:
|
||||
|
||||
* How to enable Z3,
|
||||
|
||||
* Z3 theories and the kind of builtins supported,
|
||||
|
||||
* Explain the benefit of recusive theories.
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
[1] https://github.com/Z3Prover/z3
|
||||
|
||||
[2] https://github.com/Orange-OpenSource/octant
|
||||
|
||||
[3] https://specs.openstack.org/openstack/congress-specs/specs/rocky/explicit-data-types
|
|
@ -1,678 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
===================
|
||||
Explicit Data Types
|
||||
===================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/explicit-data-types
|
||||
|
||||
In preparation to support more policy engines in addition to the standard
|
||||
Congress policy engine (e.g., ones based on SQL, influxDB, or Z3), we need
|
||||
explicit typing of table columns in the data sources and the
|
||||
data service engine. This spec proposes to support explicit typing, including
|
||||
custom types, in an extensible, evolutionary, and backwards-compatible manner.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
Because every rule engine has limits in expressiveness and performance, there
|
||||
is no one-size-fits-all rule engine that works well for all use cases. For
|
||||
this reason, Congress was architected from the beginning to support multiple
|
||||
policy engines in addition to the standard ``agnostic`` engine.
|
||||
|
||||
One problem is that Congress deals with untyped table columns, which
|
||||
conflicts with many candidate bases for policy engines (e.g., SQL, influxDB,
|
||||
Z3).
|
||||
|
||||
To have an open framework in which multiple policy engines and mulitple
|
||||
data sources work well together, we need an explicit type system that is
|
||||
extensible (to fit the particular needs for different data sources and
|
||||
different policy engines), loosely-coupled (between different data sources and
|
||||
policy engines), and backwards-compatible with the standard ``agnostic`` engine
|
||||
and existing data source drivers.
|
||||
|
||||
As an illustration of the need for extensibility and loose-coupling, consider
|
||||
that a SMT-based Z3 prover needs types that are as narrow as possible
|
||||
(e.g., enum{'ingress', 'egress'}), but another engine does not understand
|
||||
such narrow types. A data source driver then must specify its types
|
||||
in a way that works well for both engines.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Overview
|
||||
--------
|
||||
The basic idea is that we let each data source driver describe its data as
|
||||
precisely and narrowly as practical using as combination of base types
|
||||
and custom types.
|
||||
Then each policy engine is responsible for using that information to represent
|
||||
the data using its internal representation. A policy engine would likely not
|
||||
understand every custom type used by a data source driver (especially because
|
||||
we expect new ones to be introduced over time). To allow a policy engine to
|
||||
handle custom data types it does not "understand", we require that every
|
||||
custom data type inherit from another data type, all of which ultimately
|
||||
inherit from one of the base types all policy engines must handle. That way,
|
||||
when a policy engine encounters a value of a custom type
|
||||
it does not understand, the policy engine can fall back to handling the value
|
||||
according to an ancestor type the engine does understand.
|
||||
|
||||
What is a type?
|
||||
---------------
|
||||
|
||||
To define what a type is in this spec, we first establish four related
|
||||
concepts:
|
||||
|
||||
#. *source representation*: the representation used in the data received from
|
||||
an external source. Each external data source has its own source
|
||||
representation defined outside of Congress. In an IP address example, one
|
||||
source could use IPv4 dotted decimal string ``"1.0.0.1"`` while another
|
||||
source could use IPv6 (short) hexadecimal string ``"::ffff:100:1"``.
|
||||
|
||||
#. *internal representation*: the representation used by a Congress service
|
||||
(e.g., a policy engine). Each Congress service can use a different internal
|
||||
representation. For example, the IP address may be represented as a string
|
||||
in one engine, as an integer another engine, and as a bit-vector in yet
|
||||
another engine.
|
||||
|
||||
#. *exchange representation*: the representation used as the data is published
|
||||
and received among Congress services. In the IP address example, this could
|
||||
be the integer ``0x01000001``.
|
||||
|
||||
Data is received from an external data source in the form of the
|
||||
*source representation*. The data source driver converts from the source
|
||||
representation to the *exchange representation* before publishing the data to
|
||||
Congress services such as the policy engine. A Congress service such as a
|
||||
policy engine will process the data and use some form of
|
||||
*internal representation* for storing the data for future use.
|
||||
|
||||
The primary purpose of a Congress data type is to be an exchange format
|
||||
specification used between the various Congress data sources and services each
|
||||
with their own representations. The developers of each Congress service
|
||||
can use the Congress data type of a piece of data or a table column to
|
||||
know what exchange format to expect and what is being represented. For this
|
||||
purpose, a Congress data type can be thought of as a tag associated with each
|
||||
piece of data or table column.
|
||||
|
||||
As a secondary convenience, each Congress data type also provides helpful
|
||||
methods for processing a value of that type. At a minimun, the Congress
|
||||
data type would provide a method for validating a value as valid for that
|
||||
type.
|
||||
|
||||
Finally, the entire collection of Congress data types cannot be anticipated
|
||||
upfront. So it is impractical for each Congress data consumer to be programmed
|
||||
to recognize and handle every Congress data type. We need a more structured
|
||||
and extensible collection of "tags". We organize the Congress data types
|
||||
in an is-a hierarchy. First there are a number of base types which all
|
||||
Congress data consumers must recognize and handle. All additional non-base
|
||||
types inherit from a base type or another non-base type in a well-founded
|
||||
hierarchy. Then, each data consumer can handle all data types simply by
|
||||
treating each piece of data according to its base type. Optionally, a data
|
||||
consumer can add special handling of certain non-base types.
|
||||
|
||||
As an example of inheritance, the IP address type could inherit from the
|
||||
general string type so that policy engines which do not specifically
|
||||
handle the IP address type will handle the data as a general string.
|
||||
|
||||
Putting all three of the above pieces together, we define a Congress data type
|
||||
as a subclass of the following ``CongressDataType`` abstract base class.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class CongressDataType(object):
|
||||
|
||||
@classmethod
|
||||
@abc.abstractmethod
|
||||
def validate(cls, value):
|
||||
'''Validate a value as valid for this type.
|
||||
|
||||
:Raises ValueError: if the value is not valid for this type
|
||||
'''
|
||||
raise NotImplementedError
|
||||
|
||||
@classmethod
|
||||
def _get_parent(cls):
|
||||
congress_parents = [parent for parent in cls.__bases__
|
||||
if issubclass(parent, CongressDataType)]
|
||||
if len(congress_parents) == 1:
|
||||
return congress_parents[0]
|
||||
elif len(congress_parents) == 0:
|
||||
raise cls.CongressDataTypeNoParent(
|
||||
'No parent type found for {0}'.format(cls))
|
||||
else:
|
||||
raise cls.CongressDataTypeHierarchyError(
|
||||
'More than one parent type found for {0}: {1}'
|
||||
.format(cls, congress_parents))
|
||||
|
||||
.. important::
|
||||
These classes are not expected to be instantiated as wrapper objects, but
|
||||
they merely act as organizing units of these class methods that serve to
|
||||
describe and manipulate the values as well as encode the data type hierarchy.
|
||||
The reason why classes are used is two fold.
|
||||
|
||||
1. The Python inheritance hierarchy is a convenient way to declare and access
|
||||
the relationship between the Congress data types. Each non-root concrete
|
||||
subclass (A) of CongressDataType inherits from exactly one other concrete
|
||||
subclass (B) of CongressDataType to encode that (A) is a subtype of (B)
|
||||
in the data type hierarchy. A concrete subclass of CongressDataType may
|
||||
inherit from multiple parent Python classes, but among the parents there
|
||||
must not be more than one subclass of CongressDataType.
|
||||
|
||||
2. Python inheritance makes it convenient for a Congress data type to reuse
|
||||
the code in a parent Congress data type.
|
||||
|
||||
Further details
|
||||
---------------
|
||||
|
||||
Specification of data types
|
||||
```````````````````````````
|
||||
Data source drivers may optionally specify explicit data types in its
|
||||
value translator definition. The data service base class attaches data type
|
||||
information (table schema) in each table publish.
|
||||
For flexibility and backwards-compatibility, an explicit type is not required
|
||||
for every column.
|
||||
|
||||
The standard ``agnostic`` engine handles untyped table columns.
|
||||
Other policy engines may or may not handle untyped tables columns.
|
||||
When a policy engine that requires typing receives untyped data, the policy
|
||||
engine may either reject the data or impose typing.
|
||||
|
||||
Below is a sample translator definition showing how the explicit data types
|
||||
could be specified for the ``flavors`` table in the Nova data source driver.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
flavors_translator = {
|
||||
'translation-type': 'HDICT',
|
||||
'table-name': FLAVORS,
|
||||
'selector-type': 'DOT_SELECTOR',
|
||||
'field-translators':
|
||||
({'fieldname': 'id', 'desc': 'ID of the flavor',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressStr}},
|
||||
{'fieldname': 'name', 'desc': 'Name of the flavor',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressStr}},
|
||||
{'fieldname': 'vcpus', 'desc': 'Number of vcpus',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressInt}},
|
||||
{'fieldname': 'ram', 'desc': 'Memory size in MB',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressInt}},
|
||||
{'fieldname': 'disk', 'desc': 'Disk size in GB',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressInt}},
|
||||
{'fieldname': 'ephemeral', 'desc': 'Ephemeral space size in GB',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressInt}},
|
||||
{'fieldname': 'rxtx_factor', 'desc': 'RX/TX factor',
|
||||
'translator': {'translation-type': 'VALUE',
|
||||
'data-type': CongressFloat}})
|
||||
}
|
||||
|
||||
|
||||
|
||||
Union of types
|
||||
``````````````
|
||||
When a policy engine derives a new table out from existing tables, it create
|
||||
a table column which contains data from more than one type. In these cases,
|
||||
the new column shall be typed as the least common ancestor type of all the
|
||||
constituent data types. To ensure that a least common ancestor type always
|
||||
exists, we establish the Congress string type as the root parent of all the
|
||||
other types.
|
||||
|
||||
Types hierarchy
|
||||
```````````````
|
||||
This spec proposes a flexible and extensible type framework. The precise
|
||||
collection of types would be decided in implementation patches and also
|
||||
evolved over time. As point of reference, we provide below a sample hierarchy
|
||||
of types below. (Items enclosed in are abstract categories of types.)
|
||||
|
||||
- string
|
||||
|
||||
- [bounded length sting]
|
||||
|
||||
- string of length up to N
|
||||
- [string enumerations]
|
||||
|
||||
- boolean
|
||||
- network direction (ingress and egress)
|
||||
|
||||
- [fixed length string]
|
||||
|
||||
- string of length N
|
||||
|
||||
- UUID
|
||||
|
||||
- decimal (fixed precision rational number represented as a string)
|
||||
|
||||
- integer
|
||||
|
||||
- [integer enumerations]
|
||||
|
||||
- integer between A and B
|
||||
- short integer
|
||||
|
||||
- floating point
|
||||
|
||||
- IP address
|
||||
|
||||
Data types sample code
|
||||
``````````````````````
|
||||
Sample code for a few selected data types are included here for reference.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
class CongressStr(CongressDataType):
|
||||
'''Base type representing a string.
|
||||
|
||||
Sample implementation only. Final implementation needs to deal with
|
||||
nullability, unicode, and other issues.'''
|
||||
|
||||
@classmethod
|
||||
def validate(cls, value):
|
||||
if not isinstance(value, six.string_types):
|
||||
raise ValueError
|
||||
|
||||
class CongressBool(CongressStr):
|
||||
@classmethod
|
||||
def validate(cls, value):
|
||||
if not isinstance(value, bool):
|
||||
raise ValueError
|
||||
|
||||
class CongressIPAddress(CongressStr):
|
||||
@classmethod
|
||||
def validate(cls, value):
|
||||
try:
|
||||
ipaddress.IPv4Address(value)
|
||||
except ipaddress.AddressValueError:
|
||||
try:
|
||||
ipv6 = ipaddress.IPv6Address(value)
|
||||
if ipv6.ipv4_mapped:
|
||||
# as a design decision in standardized format
|
||||
# addresses in ipv4 range should be in ipv4 syntax
|
||||
raise ValueError
|
||||
except ipaddress.AddressValueError:
|
||||
raise ValueError
|
||||
|
||||
Abstract categories of data types
|
||||
`````````````````````````````````
|
||||
Sometimes, a collection of types all follow a certain pattern. In these
|
||||
cases, we can provide a framework for creating and handling these types in
|
||||
a more generic way.
|
||||
For example, many types are characterized by a fixed, finite domain of strings.
|
||||
In such cases, we can provide a type factory for creating types in this space.
|
||||
The following is a sample implementation for a type factory function for
|
||||
a fixed, finite domain of strings.
|
||||
|
||||
In addition, we can also provide a mix-in abstract base class that data
|
||||
consumers can use to handle the data in a more generic way. In this case,
|
||||
the abstract base class ``CongressTypeFiniteDomain`` stipulates that
|
||||
each type inheriting from this class must have a class variable DOMAIN
|
||||
which is a frozenset of the set of values allowed in the type.
|
||||
A data consumer may use this information to handle the value in a generic
|
||||
way without recognizing the specific concrete type used.
|
||||
|
||||
|
||||
Sample code included below for reference.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class CongressTypeFiniteDomain(object):
|
||||
'''Abstract base class for a Congress type of bounded domain.
|
||||
|
||||
Each type inheriting from this class must have a class variable DOMAIN
|
||||
which is a frozenset of the set of values allowed in the type.
|
||||
'''
|
||||
pass
|
||||
|
||||
|
||||
def create_congress_str_enum_type(class_name, enum_items):
|
||||
'''Return a sub-type of CongressStr for representing a string from
|
||||
a fixed, finite domain.'''
|
||||
|
||||
for item in enum_items:
|
||||
if not isinstance(item, six.string_types):
|
||||
raise ValueError
|
||||
|
||||
class NewType(CongressStr, CongressTypeFiniteDomain):
|
||||
DOMAIN = frozenset(enum_items)
|
||||
|
||||
@classmethod
|
||||
def validate(cls, value):
|
||||
if not value in cls.DOMAIN:
|
||||
raise ValueError
|
||||
|
||||
NewType.__name__ = class_name
|
||||
return NewType
|
||||
|
||||
As an example, a particular data source driver dealing with firewall rules may
|
||||
use the factory function to create a custom type as follows.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
NetworkDirection = create_congress_str_enum_type(
|
||||
'NetworkDirection', ('ingress', 'egress'))
|
||||
|
||||
Converting to ancestor types
|
||||
````````````````````````````
|
||||
Generally, each descendent type value is directly interpretable as a value
|
||||
of an ancestor type. Ideally, every policy engine would recognize and support
|
||||
The only exception is that values of the non-string types
|
||||
inheriting from CongressStr need to be converted to string to be interprable
|
||||
as a value of CongressStr type.
|
||||
The CongressDataType abstract base class can include additional helper methods
|
||||
to make the interpretation easy. Below is an expanded
|
||||
CongressDataType definition including the additional helper methods.
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
@six.add_metaclass(abc.ABCMeta)
|
||||
class CongressDataType(object):
|
||||
|
||||
@classmethod
|
||||
@abc.abstractmethod
|
||||
def validate(cls, value):
|
||||
'''Validate a value as valid for this type.
|
||||
|
||||
:Raises ValueError: if the value is not valid for this type
|
||||
'''
|
||||
raise NotImplementedError
|
||||
|
||||
@classmethod
|
||||
def least_ancestor(cls, target_types):
|
||||
'''Find this type's least ancestor among target_types
|
||||
|
||||
This method helps a data consumer find the least common ancestor of
|
||||
this type among the types the data consumer supports.
|
||||
|
||||
:param supported_types: iterable collection of types
|
||||
:returns: the subclass of CongressDataType
|
||||
which is the least ancestor
|
||||
'''
|
||||
target_types = frozenset(target_types)
|
||||
current_class = cls
|
||||
try:
|
||||
while current_class not in target_types:
|
||||
current_class = current_class._get_parent()
|
||||
return current_class
|
||||
except cls.CongressDataTypeNoParent:
|
||||
return None
|
||||
|
||||
@classmethod
|
||||
def convert_to_ancestor(cls, value, ancestor_type):
|
||||
'''Convert this type's exchange value
|
||||
to ancestor_type's exchange value
|
||||
|
||||
Generally there is no actual conversion because descendant type value
|
||||
is directly interpretable as ancestor type value. The only exception
|
||||
is the conversion from non-string descendents to string. This
|
||||
conversion is needed by Agnostic engine does not support boolean.
|
||||
|
||||
.. warning:: undefined behavior if ancestor_type is not
|
||||
an ancestor of this type.
|
||||
'''
|
||||
if ancestor_type == CongressStr:
|
||||
return json.dumps(value)
|
||||
else:
|
||||
return value
|
||||
|
||||
@classmethod
|
||||
def _get_parent(cls):
|
||||
congress_parents = [parent for parent in cls.__bases__
|
||||
if issubclass(parent, CongressDataType)]
|
||||
if len(congress_parents) == 1:
|
||||
return congress_parents[0]
|
||||
elif len(congress_parents) == 0:
|
||||
raise cls.CongressDataTypeNoParent(
|
||||
'No parent type found for {0}'.format(cls))
|
||||
else:
|
||||
raise cls.CongressDataTypeHierarchyError(
|
||||
'More than one parent type found for {0}: {1}'
|
||||
.format(cls, congress_parents))
|
||||
|
||||
class CongressDataTypeNoParent(TypeError):
|
||||
pass
|
||||
|
||||
class CongressDataTypeHierarchyError(TypeError):
|
||||
pass
|
||||
|
||||
Re-imposing types
|
||||
`````````````````
|
||||
(Potential future work included here for reference.)
|
||||
|
||||
Policy engines may publish data for consumption by other policy engines.
|
||||
When a policy engine (e.g., Z3) with narrower types publish to another policy
|
||||
engine (e.g., Congress agnostic) with
|
||||
unfixed types or broader types, the handling is natural. When the reverse
|
||||
situation happens, the receiving policy engine may be unable to handle the
|
||||
data.
|
||||
|
||||
As future work, the publishing policy engine can optionally infer and
|
||||
re-impose narrower types where possible.
|
||||
|
||||
Also as future work, policy engines that require narrower types can employ
|
||||
an additional import construct that imposes narrower types on the tables they
|
||||
subscribe to from other policy engines.
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
In this section we discuss a few ways alternative proposals may deviate from
|
||||
this spec.
|
||||
|
||||
#. Require that all policy engines support untyped data.
|
||||
|
||||
This alternative would rule out many top candidates for policy engines
|
||||
(e.g., SQL-based, influxDB-based, Z3-based).
|
||||
|
||||
#. Use a fixed set of types all data sources and all policy engines use.
|
||||
|
||||
A fixed set of types should be a first candidate because it is the simplest
|
||||
approach. Unfortunately, it is impossible to anticipate all the types
|
||||
needed. Whenever a new policy engine is added, distinctions that may not
|
||||
have mattered before becomes critical. For example, without an SMT-based
|
||||
engine such as Z3, string enum types are not so important to distinguish
|
||||
from general string types. So when a Z3 engine is introduced, we then need
|
||||
to 1) create new types, 2) update data source drivers to specify using the
|
||||
new types, and 3) update the existing policy engines to handle the new
|
||||
types.
|
||||
|
||||
The decoupled and extensible approach proposed in this spec provides for a
|
||||
much smoother way to evolve the types. Each data source driver specifies
|
||||
types as narrowly as practical, without regard to what the policy engines
|
||||
want. Each policy engine can then make use of the type information as much
|
||||
or as little as needed to map data to its own internal representations.
|
||||
|
||||
So when new types, new data source drivers, or new policy engines are
|
||||
introduced, none of the existing code need to change.
|
||||
|
||||
#. Instead of specifying types in the data publisher, let types be imposed
|
||||
exclusively in the data consumer.
|
||||
|
||||
This alternative is helpful when a fixed data type cannot be obtained from
|
||||
the data publisher (see point 5 in the section above). When a data
|
||||
source/publisher does have information on a fixed data type (inferred from
|
||||
fixed data types defined in code), it is better to avoid the unnecessary
|
||||
operational burden of the operator having to define data types at the point
|
||||
of consumption.
|
||||
|
||||
#. Instead of requiring that each value of a child type be directly
|
||||
interpretable as a value of a parent type, allowing a conversion between
|
||||
child and parent can give more flexibility to choose the exchange
|
||||
representation that best fits a particular type, independently of
|
||||
the type's parent type. For example, an IP address can be represented
|
||||
as a single integer value instead of as a string.
|
||||
|
||||
The increase flexibility could be useful, but so far has not proven to be
|
||||
necessary.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Not applicable.
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Not applicable.
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Each data source driver may optionally specify data types in its value
|
||||
translator. Data source drivers can be updated with explicit types as needed
|
||||
by new use cases and new policy engines.
|
||||
|
||||
See section `Specification of data types`_ for additional details.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No impact on Congress's data model as defined in congress/db/
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
No impact on REST API.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
There is little new security impact. Because new/custom types include
|
||||
new/custom data handling methods, it does theoretically increase the attack
|
||||
surface. Care needs to be taken to make sure the data handling methods are safe
|
||||
against malformed or possibility malicious input. There are well-known best
|
||||
practices to minimize such risks.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
No impact.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
No immediate impact on end users. This spec can indirectly benefits end
|
||||
users through the additional policy engines made possible.
|
||||
|
||||
All existing behaviors and workflows are preserved.
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
The data and memory impact is expected to be minimal because the data is stored
|
||||
and transmitted in primitive form without the overhead of custom objects.
|
||||
|
||||
The other main performance impact is the treatment of a piece of data as an
|
||||
ancestor type.
|
||||
Identifying the least ancestor type by tracing up the type hierarchy. Done
|
||||
on a per-column basis, this step has negligible performance cost because the
|
||||
type hierarchy is shallow and because each type has at most one ancestor. The
|
||||
tracing up has worst case running time linear in the depth of the type
|
||||
hierarchy.
|
||||
(See `Converting to ancestor types`_ for sample
|
||||
implementation.)
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
No direct impact on deployers. This spec can indirectly benefits end
|
||||
users through the additional policy engines made possible.
|
||||
|
||||
All existing behaviors and workflows are preserved.
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
No significant changes are forced on a developer. Use of type information by
|
||||
a policy engine is optional. Specification of type information in a data source
|
||||
driver is also optional.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Individual tasks will be picked up and tracked on launchpad. Primary contact is
|
||||
ekcs <ekcs.openstack@gmail.com>.
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Minimal implementation.
|
||||
|
||||
- Abstract base class for type
|
||||
|
||||
- Primitive types
|
||||
|
||||
- Data Service Engine (DSE) changes to store and convey (optional) type
|
||||
information on columns.
|
||||
|
||||
- Further implementation. These further implementations are optional and can be
|
||||
done in an incremental fashion as needed by use cases.
|
||||
|
||||
- Adding type information to data source drivers.
|
||||
|
||||
- Standard policy engine (Agnostic) changes to use type information.
|
||||
|
||||
- Extended types (e.g., IP address)
|
||||
|
||||
- Categories of types (e.g., fixed enumeration of strings)
|
||||
|
||||
- Framework for loading custom types defined in data source drivers
|
||||
|
||||
- Inference and re-imposition of types when a policy engine publishes tables
|
||||
|
||||
- Subscriber-end imposition of additional type information
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
No notable external dependencies.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
The incorporation of additional type information in the data service engine
|
||||
will primarily tested through unit tests in the style of the existing tests in
|
||||
congress/tests/dse2/
|
||||
|
||||
When a data source driver is updated to include additional type information,
|
||||
additional checks on the type information can be naturally added to the
|
||||
existing tempest tests that compares an independently obtained service state
|
||||
to the state obtained by the data source driver and translated into tables.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
No direct impact.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
A relevant type system for a Z3-based datalog solver:
|
||||
|
||||
- https://github.com/Orange-OpenSource/octant/blob/master/doc/source/user/index.rst
|
||||
|
||||
- https://github.com/Orange-OpenSource/octant/blob/master/octant/datalog_primitives.py
|
|
@ -1,511 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
============================================
|
||||
Experimental component for a JSON data model
|
||||
============================================
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/json-data-model
|
||||
|
||||
The translation from JSON source data to tabular Congress data places the
|
||||
limited resources of Congress developers in the way of the Congress users
|
||||
having the flexibility to quickly try/use any data source and data field as
|
||||
the need arises in their policy use cases. This spec is a proposal to
|
||||
experiment with removing the translation step, thus retaining the source JSON
|
||||
data model, as a promising way to overcome the limitation.
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
In cloud computing, most of the source data is JSON. In the Congress model,
|
||||
the developers carefully understand and curate the source data to develop the
|
||||
data source drivers that make the data available to end users in table form.
|
||||
The translation into table model has the advantage of presenting a simpler
|
||||
and more consistent data model to the user writing policy on the data.
|
||||
|
||||
However, with so many sources of data out there and new data being added to
|
||||
existing sources through frequent microversions (e.g., Nova), it is impossible
|
||||
for Congress developers to anticipate and keep up with all the data sources or
|
||||
even all the data fields in a given data source the end users desire.
|
||||
It often happens that as the user writes policy, the user finds out that
|
||||
additional data fields or sources are needed for the policy. In that case,
|
||||
the user needs to contact upstream developers, wait for them to add the data
|
||||
fields or sources, then wait for the new release, then upgrade to the latest
|
||||
release. All this before the end user can even test out the desired policy.
|
||||
|
||||
In order to better support those operators who have rapidly emerging and
|
||||
evolving use cases, we need to experiment with an additional model: remove
|
||||
translation and developer curation from the loop, allowing users to integrate
|
||||
new data sources without code change.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Create an experimental component of Congress (tentatively congress-json)
|
||||
to allow writing policy over json data stored in PostgreSQL json data model.
|
||||
|
||||
Congress-CloudState would ingest the source data mostly as-is, in JSON format,
|
||||
into a PostgreSQL database using the JSONB column type in PostgreSQL. The
|
||||
`PostgreSQL JSON syntax
|
||||
<https://hackernoon.com/how-to-query-jsonb-beginner-sheet-cheat-4da3aa5082a3>`_
|
||||
(see the policy_ section for examples) would allow for rules (SQL views) to
|
||||
operate directly over the JSON data.
|
||||
|
||||
Because no translation is needed, new data sources can be configured without
|
||||
code change. For example, the following sample YAML config file configures
|
||||
Congress-CloudState to poll the nova endpoint. It tells Congress-CloudState to
|
||||
poll the path servers/detail, extract the results using the jsonpath
|
||||
expression ``$.servers[:]``, and finally populate the nova.servers table with
|
||||
the results.
|
||||
|
||||
::
|
||||
|
||||
name: nova
|
||||
poll: 60
|
||||
authentication:
|
||||
type: keystone_password
|
||||
user: congress_access
|
||||
password: secret
|
||||
api_endpoint: https://stack.org/compute/v2.26
|
||||
tables:
|
||||
servers:
|
||||
api_path: servers/detail
|
||||
api_verb: get
|
||||
jsonpath: $.servers[:]
|
||||
|
||||
Architecture
|
||||
------------
|
||||
The architecture is fairly simple. Congress-CloudState has two major
|
||||
components.
|
||||
|
||||
- The data ingestor polls the cloud services via API and populates the
|
||||
database with the data. The ingestor also accepts webhook notifications.
|
||||
- The executor reads from the database to determine what actions to execute,
|
||||
then calls the appropriate APIs in the cloud services to execute the
|
||||
actions.
|
||||
|
||||
The users mostly interact directly with the database to add/remove policy
|
||||
rules and query policy results.
|
||||
|
||||
The following diagram shows the high level components and flow of data.
|
||||
|
||||
::
|
||||
|
||||
+----------------------------------------------------------+
|
||||
| Cloud Services |
|
||||
+--------------------------------------------------^-------+
|
||||
| |
|
||||
| |
|
||||
+------v--------+ +---------------+ +----------------+
|
||||
| Congress-JSON | | | | Congress-JSON |
|
||||
| Data Ingestor +----> PostgreSQL +----> Executor |
|
||||
| | | | | |
|
||||
+---------------+ +----------^----+ +----------------+
|
||||
| |
|
||||
| |
|
||||
+----v----------+
|
||||
| |
|
||||
| Users |
|
||||
| |
|
||||
+---------------+
|
||||
|
||||
Benefits
|
||||
--------
|
||||
|
||||
- Very easy to add new data source because no translation is required. This
|
||||
`blog post
|
||||
<https://pndablog.com/2017/04/26/schema-on-write-vs-schema-on-read/>`_
|
||||
has more discussion of the pros and cons of the approach (schema-on-read).
|
||||
- No code change and release needed to consume a new field in a new API
|
||||
microversion. The operator simply changes the desired microversion in
|
||||
Congress-CloudState configuration.
|
||||
This `patch <https://review.openstack.org/#/c/611516/>`_ is a recent
|
||||
example of how much time and work it takes to consume a new field previously
|
||||
not included by Congress, not to mention the delay for users waiting for a
|
||||
new release to consume a new field.
|
||||
- Much is available in the way of editors, debuggers, tutorials, and online
|
||||
help for PostgreSQL language, making it easy for new users to write
|
||||
policies.
|
||||
- PostgreSQL has `JSON indexing support
|
||||
<https://blog.2ndquadrant.com/nosql-postgresql-9-4-jsonb/>`_
|
||||
which allows for a wide class of performant queries.
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
- Directly make changes to Congress agnostic policy engine to support JSON data
|
||||
|
||||
- Here is a rough estimate of the work required to implement similar
|
||||
functionality in Congress itself.
|
||||
|
||||
- Design a new version of Datalog language to support JSON. This step is
|
||||
hard. As of now, there is no concensus in the Datalog community on how
|
||||
best to do this.
|
||||
- Major changes to congress/datalog/* to process the new language.
|
||||
- Major changes to the policy engine to support the new language.
|
||||
- Changes to congress/dse2/* to accommodate JSON data.
|
||||
|
||||
- Instead of attempting all the work outlined above, we propose to create
|
||||
a very simple new component which leverages PostgreSQL allow policy over
|
||||
JSON data.
|
||||
If the approach proves successful, a decision could be made in the future
|
||||
to allow congress-json to be used as a tool for extracting from JSON data
|
||||
the table data needed by other parts of Congress (e.g., agnostic, z3).
|
||||
|
||||
- Homegrow a policy engine supporting JSON data rather than use one
|
||||
off-the-shelf
|
||||
|
||||
- It would take a tremendous amount of unnecessary development and
|
||||
maintenance work.
|
||||
|
||||
- Choose a datastore other than PostgreSQL
|
||||
|
||||
- The following are the major requirements for the datastore
|
||||
|
||||
- JSON data support
|
||||
- Widely-adopted declarative language
|
||||
- Performant (off-key) join
|
||||
- Support for rules (views)
|
||||
- Transactional write
|
||||
- Strong open source community with appropriate licensing
|
||||
- Highly-available deployment option
|
||||
- Fine-grained permissions
|
||||
|
||||
- Most of the well-known NoSQL solutions do not provide performant off-key
|
||||
joins
|
||||
- MySQL/MariaDB has support for JSON data but limited indexing support
|
||||
(typically requiring the indexed value be declared as a virtual column)
|
||||
- Among all the options evaluated, PostgreSQL best satisfies the
|
||||
requirements, with the following notable features:
|
||||
|
||||
- Flexible indexing for JSONB data type supporting performant off-key
|
||||
joins
|
||||
- Very strong open source community with permissive license
|
||||
- A wealth of (first party and third party) tools and online knowledge for
|
||||
learning, query writing, query debugging, and performance-tuning
|
||||
- A flexible and expressive permissions system
|
||||
- We propose to start with PostgreSQL, while leaving the option open to add
|
||||
support for other datastores down the road through a plugin architecture.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Here we give several examples to demonstrate how policy and rules would be
|
||||
created. Each interaction is shown in both classic Congress interaction as
|
||||
well as Congress-CloudState interaction for reader’s understanding.
|
||||
|
||||
Sample data
|
||||
~~~~~~~~~~~
|
||||
The nova.servers table is the collection of all the JSON documents
|
||||
representing servers, each document in a row with a single column d containing
|
||||
the document. Each server is represented by a JSON document as supplied by
|
||||
Nova’s list servers (detailed) API. Here is a simplified version of a sample
|
||||
JSON document representing a Nova server (the UUIDs have been replaced with
|
||||
more readable strings for ease of illustration):
|
||||
|
||||
::
|
||||
|
||||
{
|
||||
"id":"server-134",
|
||||
"name":"server 134",
|
||||
"status":"ACTIVE",
|
||||
"tags":[
|
||||
"production",
|
||||
"critical"
|
||||
],
|
||||
"hostId":"host-05",
|
||||
"host_status":"ACTIVE",
|
||||
"metadata":{
|
||||
"HA_Enabled":false
|
||||
},
|
||||
"tenant_id":"tenant-52",
|
||||
"user_id":"user-830",
|
||||
"flavor": {
|
||||
"disk": 1,
|
||||
"ephemeral": 0,
|
||||
"extra_specs": {
|
||||
"hw:cpu_policy": "dedicated",
|
||||
"hw:mem_page_size": "2048"
|
||||
},
|
||||
"original_name": "m1.tiny.specs",
|
||||
"ram": 512,
|
||||
"swap": 0,
|
||||
"vcpus": 1
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Example 1
|
||||
~~~~~~~~~
|
||||
|
||||
- Create policy (schema).
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy create vm_error
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
CREATE SCHEMA vm_host_down;
|
||||
|
||||
- Create policy rule (view) identifying those servers whose host is down.
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy rule create vm_host_down '
|
||||
error(server_id) :-
|
||||
nova:servers(id=server_id, host_id=host_id),
|
||||
nova:hypervisors(id=host_id, state="DOWN")'
|
||||
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
CREATE VIEW vm_host_down.error AS
|
||||
SELECT d->>'id' AS server_id
|
||||
FROM nova.servers
|
||||
WHERE d->>'host_status' = 'DOWN';
|
||||
|
||||
- Note on syntax: the :code:`->>` operator accesses the content of a JSON
|
||||
object field and returns the result as text.
|
||||
|
||||
- Query the results in the policy table.
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy row list vm_host_down error
|
||||
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
SELECT * FROM vm_host_down.error;
|
||||
|
||||
- Create policy rule (view) identifying 'critical'-tagged servers whose host
|
||||
is down.
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy rule create vm_host_down '
|
||||
critical(server_id) :-
|
||||
nova:servers(id=server_id, host_id=host_id),
|
||||
nova:hypervisors(id=host_id, state="DOWN"),
|
||||
nova:tags(server_id=server_id, tag="critical")'
|
||||
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
CREATE VIEW vm_host_down.critical AS
|
||||
SELECT d->>'id' AS server_id
|
||||
FROM nova.servers
|
||||
WHERE d->>'host_status' = 'DOWN'
|
||||
AND d->'tags' ? 'critical';
|
||||
|
||||
- Note on syntax:
|
||||
|
||||
- The :code:`->` operator accesses the content of a JSON object field
|
||||
and returns the result as JSON. In this example, :code:`d->'tags'`
|
||||
returns the array of tags associated with each server.
|
||||
- The :code:`?` operator checks that a string is a top-level key/element
|
||||
in a JSON structure. In this example, the
|
||||
:code:`d->'tags' ? 'critical'` condition checks that the string
|
||||
'critical' is in the array of tags retrieved by :code:`d->'tags'`.
|
||||
|
||||
Example 2
|
||||
~~~~~~~~~
|
||||
|
||||
- Create policy (schema).
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy create production_stable
|
||||
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
CREATE SCHEMA production_stable;
|
||||
|
||||
- Create policy rule (view) identifying production servers using an unstable
|
||||
image.
|
||||
|
||||
- Congress syntax:
|
||||
::
|
||||
|
||||
congress policy rule create production_stable '
|
||||
error(id) :-
|
||||
nova:servers(id=id, image=image_id),
|
||||
nova:tags(id=id, tag="production"),
|
||||
glance:tags(image_id=image_id, tag="unstable")'
|
||||
|
||||
- Congress-CloudState equivalent:
|
||||
::
|
||||
|
||||
CREATE VIEW production_stable.error AS
|
||||
SELECT server.d->>'id' AS server_id,
|
||||
image.d->>'id' AS image_id
|
||||
FROM nova.servers server
|
||||
JOIN glance.images image
|
||||
ON server.d->'image'->'id' = image.d->'id'
|
||||
WHERE (server.d->'tags' ? 'production')
|
||||
AND (image.d->'tags' ? 'unstable');
|
||||
|
||||
- Note on syntax: the join-condition
|
||||
:code:`server.d->'image'->'id' = image.d->'id'` matches the glance image
|
||||
with the server whose image ID matches the glance image ID.
|
||||
|
||||
|
||||
Example 3
|
||||
~~~~~~~~~
|
||||
|
||||
This example illustrates that accessing deeply nested data can be relatively
|
||||
straightforward.
|
||||
|
||||
The following view (rule) identifies all the servers using a flavor with cpu
|
||||
policy 'dedicated'. Despite the information being buried several layers deep,
|
||||
it is relatively straightforward to access simply by following the structure.
|
||||
|
||||
::
|
||||
|
||||
CREATE VIEW dedicated_servers AS
|
||||
SELECT *
|
||||
FROM nova.servers
|
||||
WHERE d -> 'flavor' -> 'extra_specs' ->> 'hw:cpu_policy' = 'dedicated';
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Policy actions would work similarly to agnostic engine.
|
||||
The policy writer would define a policy rule (view) specifying in each row
|
||||
what action to call on which service using what parameter values.
|
||||
|
||||
As in agnostic engine, the new component would query the 'execute' table and
|
||||
then call the appropriate client/API methods according to the rows in the
|
||||
'execute' table of each policy.
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
A new type of data source is introduced which is configured through YAML files
|
||||
and stores data in the original JSON format without translation.
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
No impact on the data model.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Minimal REST API impact. The webhook model for accepting webhooks is naturally
|
||||
extended to the JSON data sources when configured.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
No security impact when the experimental component is not explicitly.
|
||||
When enabled, there is an additional data access which would be protected by
|
||||
PostgreSQL permissions set up by Congress.
|
||||
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
No impact.
|
||||
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
End users will have the option of using the well-known
|
||||
PostgreSQL syntax to write policy directly on the source data format,
|
||||
having direct access to all the source data fields.
|
||||
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Preliminary performance testing on 100,000 records show adequate performance
|
||||
on both data ingestion and query evaluation. If a query performance issues
|
||||
does arise, there is a wealth of tools and knowledge for tuning query
|
||||
performance in PostgreSQL.
|
||||
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Additional config/commandline options to control the deployment of the new
|
||||
experimental component.
|
||||
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
congress-json is expected to be a very simple component. As a result,
|
||||
congress-json is expected to require very minimal maintenance from
|
||||
developers.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Primary assignee: ekcs
|
||||
|
||||
Others welcome to pick up tasks.
|
||||
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
- Database initializer
|
||||
- JSON-postgres data source driver
|
||||
- Integration testing
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
The only major new dependency is PostgreSQL, which is already used in
|
||||
OpenStack deployments. Version 9.4 or higher required (Ubuntu xenial comes with
|
||||
9.5). It affects only those enabling the experimental new component.
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Simple tempest scenarios for the new component. They may piggyback on the
|
||||
existing congress-tempest-postgres jobs.
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
Standard documentation expected for the new component.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
* `Schema-on-read pros and cons
|
||||
<https://pndablog.com/2017/04/26/schema-on-write-vs-schema-on-read/>`_
|
||||
* `PostgreSQL JSON operators and functions
|
||||
<https://www.postgresql.org/docs/9.4/functions-json.html>`_
|
||||
* `PostgreSQL JSON syntax cheat sheet
|
||||
<https://hackernoon.com/how-to-query-jsonb-beginner-sheet-cheat-4da3aa5082a3>`_
|
||||
* `JSON indexing support
|
||||
<https://blog.2ndquadrant.com/nosql-postgresql-9-4-jsonb/>`_
|
|
@ -1,354 +0,0 @@
|
|||
..
|
||||
This work is licensed under a Creative Commons Attribution 3.0 Unported
|
||||
License.
|
||||
|
||||
http://creativecommons.org/licenses/by/3.0/legalcode
|
||||
|
||||
==========================================
|
||||
Example Spec - The title of your blueprint
|
||||
==========================================
|
||||
|
||||
Include the URL of your launchpad blueprint:
|
||||
|
||||
https://blueprints.launchpad.net/congress/+spec/example
|
||||
|
||||
Introduction paragraph -- why are we doing anything? A single paragraph of
|
||||
prose that operators can understand.
|
||||
|
||||
Some notes about using this template:
|
||||
|
||||
* Your spec should be in ReSTructured text, like this template.
|
||||
|
||||
* Please wrap text at 79 columns.
|
||||
|
||||
* The filename in the git repository should match the launchpad URL, for
|
||||
example a URL of: https://blueprints.launchpad.net/congress/+spec/awesome-thing
|
||||
should be named awesome-thing.rst
|
||||
|
||||
* Please do not delete any of the sections in this template. If you have
|
||||
nothing to say for a whole section, just write: None
|
||||
|
||||
* For help with syntax, see http://sphinx-doc.org/rest.html
|
||||
|
||||
* To test out your formatting, build the docs using tox, or see:
|
||||
http://rst.ninjs.org
|
||||
|
||||
* If you would like to provide a diagram with your spec, ascii diagrams are
|
||||
required. http://asciiflow.com/ is a very nice tool to assist with making
|
||||
ascii diagrams. The reason for this is that the tool used to review specs is
|
||||
based purely on plain text. Plain text will allow review to proceed without
|
||||
having to look at additional files which can not be viewed in gerrit. It
|
||||
will also allow inline feedback on the diagram itself.
|
||||
|
||||
|
||||
Problem description
|
||||
===================
|
||||
|
||||
A detailed description of the problem:
|
||||
|
||||
* For a new feature this might be use cases. Ensure you are clear about the
|
||||
actors in each use case: End User vs Deployer
|
||||
|
||||
* For a major reworking of something existing it would describe the
|
||||
problems in that feature that are being addressed.
|
||||
|
||||
|
||||
Proposed change
|
||||
===============
|
||||
|
||||
Here is where you cover the change you propose to make in detail. How do you
|
||||
propose to solve this problem?
|
||||
|
||||
If this is one part of a larger effort make it clear where this piece ends. In
|
||||
other words, what's the scope of this effort?
|
||||
|
||||
|
||||
Alternatives
|
||||
------------
|
||||
|
||||
What other ways could we do this thing? Why aren't we using those? This doesn't
|
||||
have to be a full literature review, but it should demonstrate that thought has
|
||||
been put into why the proposed solution is an appropriate one.
|
||||
|
||||
|
||||
Policy
|
||||
------
|
||||
|
||||
Using the Congress datalog syntax, write out an example policy using
|
||||
https://wiki.openstack.org/wiki/Congress#Policy_Language
|
||||
|
||||
Example:
|
||||
|
||||
error(vm) :-
|
||||
nova:virtual_machine(vm),
|
||||
ids:ip_packet(src_ip, dst_ip),
|
||||
neutron:port(vm, src_ip), //finds out the port that has the VM's IP
|
||||
ids:ip_blacklist(dst_ip).
|
||||
|
||||
|
||||
Policy actions
|
||||
--------------
|
||||
|
||||
Describe the policy activities in terms of monitoring, reactive, proactive,
|
||||
and other ways to explain how the policy will implement it's desired state.
|
||||
|
||||
|
||||
Data sources
|
||||
------------
|
||||
|
||||
Describe which projects and/or services the data is coming from
|
||||
|
||||
|
||||
Data model impact
|
||||
-----------------
|
||||
|
||||
Changes which require modifications to the data model often have a wider impact
|
||||
on the system. The community often has strong opinions on how the data model
|
||||
should be evolved, from both a functional and performance perspective. It is
|
||||
therefore important to capture and gain agreement as early as possible on any
|
||||
proposed changes to the data model.
|
||||
|
||||
Questions which need to be addressed by this section include:
|
||||
|
||||
* What new data objects and/or database schema changes is this going to
|
||||
require?
|
||||
|
||||
* What database migrations will accompany this change.
|
||||
|
||||
* How will the initial set of new data objects be generated, for example if you
|
||||
need to take into account existing instances, or modify other existing data
|
||||
describe how that will work.
|
||||
|
||||
|
||||
REST API impact
|
||||
---------------
|
||||
|
||||
Each API method which is either added or changed should have the following
|
||||
|
||||
* Specification for the method
|
||||
|
||||
* A description of what the method does suitable for use in
|
||||
user documentation
|
||||
|
||||
* Method type (POST/PUT/GET/DELETE)
|
||||
|
||||
* Normal http response code(s)
|
||||
|
||||
* Expected error http response code(s)
|
||||
|
||||
* A description for each possible error code should be included
|
||||
describing semantic errors which can cause it such as
|
||||
inconsistent parameters supplied to the method, or when an
|
||||
instance is not in an appropriate state for the request to
|
||||
succeed. Errors caused by syntactic problems covered by the JSON
|
||||
schema definition do not need to be included.
|
||||
|
||||
* URL for the resource
|
||||
|
||||
* Parameters which can be passed via the url
|
||||
|
||||
* JSON schema definition for the body data if allowed
|
||||
|
||||
* JSON schema definition for the response data if any
|
||||
|
||||
* Example use case including typical API samples for both data supplied
|
||||
by the caller and the response
|
||||
|
||||
* Discuss any policy changes, and discuss what things a deployer needs to
|
||||
think about when defining their policy.
|
||||
|
||||
Example JSON schema definitions can be found in the Nova tree
|
||||
https://opendev.org/openstack/nova/src/branch/master/nova/api/openstack/compute/schemas
|
||||
|
||||
Note that the schema should be defined as restrictively as
|
||||
possible. Parameters which are required should be marked as such and
|
||||
only under exceptional circumstances should additional parameters
|
||||
which are not defined in the schema be permitted (eg
|
||||
additionaProperties should be False).
|
||||
|
||||
Reuse of existing predefined parameter types such as regexps for
|
||||
passwords and user defined names is highly encouraged.
|
||||
|
||||
|
||||
Security impact
|
||||
---------------
|
||||
|
||||
Describe any potential security impact on the system. Some of the items to
|
||||
consider include:
|
||||
|
||||
* Does this change touch sensitive data such as tokens, keys, or user data?
|
||||
|
||||
* Does this change alter the API in a way that may impact security, such as
|
||||
a new way to access sensitive information or a new way to login?
|
||||
|
||||
* Does this change involve cryptography or hashing?
|
||||
|
||||
* Does this change require the use of sudo or any elevated privileges?
|
||||
|
||||
* Does this change involve using or parsing user-provided data? This could
|
||||
be directly at the API level or indirectly such as changes to a cache layer.
|
||||
|
||||
* Can this change enable a resource exhaustion attack, such as allowing a
|
||||
single API interaction to consume significant server resources? Some examples
|
||||
of this include launching subprocesses for each connection, or entity
|
||||
expansion attacks in XML.
|
||||
|
||||
For more detailed guidance, please see the OpenStack Security Guidelines as
|
||||
a reference (https://wiki.openstack.org/wiki/Security/Guidelines). These
|
||||
guidelines are a work in progress and are designed to help you identify
|
||||
security best practices. For further information, feel free to reach out
|
||||
to the OpenStack Security Group at openstack-security@lists.openstack.org.
|
||||
|
||||
Notifications impact
|
||||
--------------------
|
||||
|
||||
Please specify any changes to notifications. Be that an extra notification,
|
||||
changes to an existing notification, or removing a notification.
|
||||
|
||||
Other end user impact
|
||||
---------------------
|
||||
|
||||
Aside from the API, are there other ways a user will interact with this
|
||||
feature?
|
||||
|
||||
* Does this change have an impact on python-congressclient? What does the user
|
||||
interface there look like?
|
||||
|
||||
Performance impact
|
||||
------------------
|
||||
|
||||
Describe any potential performance impact on the system, for example
|
||||
how often will new code be called, and is there a major change to the calling
|
||||
pattern of existing code.
|
||||
|
||||
Examples of things to consider here include:
|
||||
|
||||
* A periodic task might look like a small addition but if it calls conductor or
|
||||
another service the load is multiplied by the number of nodes in the system.
|
||||
|
||||
* Scheduler filters get called once per host for every instance being created,
|
||||
so any latency they introduce is linear with the size of the system.
|
||||
|
||||
* A small change in a utility function or a commonly used decorator can have a
|
||||
large impacts on performance.
|
||||
|
||||
* Calls which result in a database queries (whether direct or via conductor)
|
||||
can have a profound impact on performance when called in critical sections of
|
||||
the code.
|
||||
|
||||
* Will the change include any locking, and if so what considerations are there
|
||||
on holding the lock?
|
||||
|
||||
Other deployer impact
|
||||
---------------------
|
||||
|
||||
Discuss things that will affect how you deploy and configure OpenStack
|
||||
that have not already been mentioned, such as:
|
||||
|
||||
* What config options are being added? Should they be more generic than
|
||||
proposed (for example a flag that other hypervisor drivers might want to
|
||||
implement as well)? Are the default values ones which will work well in
|
||||
real deployments?
|
||||
|
||||
* Is this a change that takes immediate effect after its merged, or is it
|
||||
something that has to be explicitly enabled?
|
||||
|
||||
* If this change is a new binary, how would it be deployed?
|
||||
|
||||
* Please state anything that those doing continuous deployment, or those
|
||||
upgrading from the previous release, need to be aware of. Also describe
|
||||
any plans to deprecate configuration values or features. For example, if we
|
||||
change the directory name that instances are stored in, how do we handle
|
||||
instance directories created before the change landed? Do we move them? Do
|
||||
we have a special case in the code? Do we assume that the operator will
|
||||
recreate all the instances in their cloud?
|
||||
|
||||
Developer impact
|
||||
----------------
|
||||
|
||||
Discuss things that will affect other developers working on OpenStack,
|
||||
such as:
|
||||
|
||||
* If the blueprint proposes a change to the driver API, discussion of how
|
||||
other hypervisors would implement the feature is required.
|
||||
|
||||
|
||||
Implementation
|
||||
==============
|
||||
|
||||
Assignee(s)
|
||||
-----------
|
||||
|
||||
Who is leading the writing of the code? Or is this a blueprint where you're
|
||||
throwing it out there to see who picks it up?
|
||||
|
||||
If more than one person is working on the implementation, please designate the
|
||||
primary author and contact.
|
||||
|
||||
Primary assignee:
|
||||
<launchpad-id or None>
|
||||
|
||||
Other contributors:
|
||||
<launchpad-id or None>
|
||||
|
||||
Work items
|
||||
----------
|
||||
|
||||
Work items or tasks -- break the feature up into the things that need to be
|
||||
done to implement it. Those parts might end up being done by different people,
|
||||
but we're mostly trying to understand the timeline for implementation.
|
||||
|
||||
|
||||
Dependencies
|
||||
============
|
||||
|
||||
* Include specific references to specs and/or blueprints in congress, or in
|
||||
other projects, that this one either depends on or is related to.
|
||||
|
||||
* If this requires functionality of another project that is not currently used
|
||||
by congress (such as the glance v2 API when we previously only required v1),
|
||||
document that fact.
|
||||
|
||||
* Does this feature require any new library dependencies or code otherwise not
|
||||
included in OpenStack? Or does it depend on a specific version of library?
|
||||
|
||||
|
||||
Testing
|
||||
=======
|
||||
|
||||
Please discuss how the change will be tested. We especially want to know what
|
||||
tempest tests will be added. It is assumed that unit test coverage will be
|
||||
added so that doesn't need to be mentioned explicitly, but discussion of why
|
||||
you think unit tests are sufficient and we don't need to add more tempest
|
||||
tests would need to be included.
|
||||
|
||||
Is this untestable in gate given current limitations (specific hardware /
|
||||
software configurations available)? If so, are there mitigation plans (3rd
|
||||
party testing, gate enhancements, etc).
|
||||
|
||||
|
||||
Documentation impact
|
||||
====================
|
||||
|
||||
What is the impact on the docs team of this change? Some changes might require
|
||||
donating resources to the docs team to have the documentation updated. Don't
|
||||
repeat details discussed above, but please reference them here.
|
||||
|
||||
|
||||
References
|
||||
==========
|
||||
|
||||
Please add any useful references here. You are not required to have any
|
||||
reference. Moreover, this specification should still make sense when your
|
||||
references are unavailable. Examples of what you could include are:
|
||||
|
||||
* Links to mailing list or IRC discussions
|
||||
|
||||
* Links to notes from a summit session
|
||||
|
||||
* Links to relevant research, if appropriate
|
||||
|
||||
* Related specifications as appropriate (e.g. if it's an EC2 thing, link the
|
||||
EC2 docs)
|
||||
|
||||
* Anything else you feel it is worthwhile to refer to
|
|
@ -1,107 +0,0 @@
|
|||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
# not use this file except in compliance with the License. You may obtain
|
||||
# a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
||||
# License for the specific language governing permissions and limitations
|
||||
# under the License.
|
||||
|
||||
import glob
|
||||
import re
|
||||
|
||||
import docutils.core
|
||||
import testtools
|
||||
|
||||
|
||||
class TestTitles(testtools.TestCase):
|
||||
def _get_title(self, section_tree):
|
||||
section = {
|
||||
'subtitles': [],
|
||||
}
|
||||
for node in section_tree:
|
||||
if node.tagname == 'title':
|
||||
section['name'] = node.rawsource
|
||||
elif node.tagname == 'section':
|
||||
subsection = self._get_title(node)
|
||||
section['subtitles'].append(subsection['name'])
|
||||
return section
|
||||
|
||||
def _get_titles(self, spec):
|
||||
titles = {}
|
||||
for node in spec:
|
||||
if node.tagname == 'section':
|
||||
section = self._get_title(node)
|
||||
titles[section['name']] = section['subtitles']
|
||||
return titles
|
||||
|
||||
def _check_titles(self, fname, titles):
|
||||
expected_titles = ('Problem description', 'Proposed change',
|
||||
'Implementation', 'Dependencies',
|
||||
'Testing', 'Documentation impact',
|
||||
'References')
|
||||
self.assertEqual(
|
||||
sorted(expected_titles),
|
||||
sorted(titles.keys()),
|
||||
"Expected titles not found in document %s" % fname)
|
||||
|
||||
proposed = 'Proposed change'
|
||||
msg = 'Subtitle missing from %s' % fname
|
||||
self.assertIn('Alternatives', titles[proposed], message=msg)
|
||||
self.assertIn('Data model impact', titles[proposed], message=msg)
|
||||
self.assertIn('REST API impact', titles[proposed], message=msg)
|
||||
self.assertIn('Security impact', titles[proposed], message=msg)
|
||||
self.assertIn('Notifications impact', titles[proposed], message=msg)
|
||||
self.assertIn('Other end user impact', titles[proposed], message=msg)
|
||||
self.assertIn('Performance impact', titles[proposed], message=msg)
|
||||
self.assertIn('Other deployer impact', titles[proposed], message=msg)
|
||||
self.assertIn('Developer impact', titles[proposed], message=msg)
|
||||
|
||||
impl = 'Implementation'
|
||||
self.assertIn('Assignee(s)', titles[impl], message=msg)
|
||||
self.assertIn('Work items', titles[impl], message=msg)
|
||||
|
||||
def _check_lines_wrapping(self, tpl, raw):
|
||||
for i, line in enumerate(raw.split("\n")):
|
||||
if "http://" in line or "https://" in line:
|
||||
continue
|
||||
# skip long table
|
||||
elif "-+-" in line or " | " in line:
|
||||
continue
|
||||
self.assertTrue(
|
||||
len(line) < 80,
|
||||
msg="%s:%d: Line limited to a maximum of 79 characters." %
|
||||
(tpl, i+1))
|
||||
|
||||
def _check_no_cr(self, tpl, raw):
|
||||
matches = re.findall('\r', raw)
|
||||
self.assertEqual(
|
||||
len(matches), 0,
|
||||
"Found %s literal carriage returns in file %s" %
|
||||
(len(matches), tpl))
|
||||
|
||||
|
||||
def _check_trailing_spaces(self, tpl, raw):
|
||||
for i, line in enumerate(raw.split("\n")):
|
||||
trailing_spaces = re.findall(" +$", line)
|
||||
self.assertEqual(len(trailing_spaces),0,
|
||||
"Found trailing spaces on line %s of %s" % (i+1, tpl))
|
||||
|
||||
|
||||
def test_template(self):
|
||||
files = ['specs/template.rst'] + glob.glob('specs/*/*')
|
||||
for filename in files:
|
||||
self.assertTrue(filename.endswith(".rst"),
|
||||
"spec's file must uses 'rst' extension.")
|
||||
with open(filename) as f:
|
||||
data = f.read()
|
||||
|
||||
spec = docutils.core.publish_doctree(data, source_path=filename)
|
||||
titles = self._get_titles(spec)
|
||||
self._check_titles(filename, titles)
|
||||
self._check_lines_wrapping(filename, data)
|
||||
self._check_no_cr(filename, data)
|
||||
self._check_trailing_spaces(filename, data)
|
21
tox.ini
21
tox.ini
|
@ -1,21 +0,0 @@
|
|||
[tox]
|
||||
# Hold back to 1.4, since that's what's in Fedora 20 repos
|
||||
# and we don't need anything newer for nova-specs tests
|
||||
minversion = 3.1.1
|
||||
envlist = docs,pep8
|
||||
skipsdist = True
|
||||
ignore_basepython_conflict = True
|
||||
|
||||
[testenv]
|
||||
basepython = python3
|
||||
usedevelop = True
|
||||
setenv = VIRTUAL_ENV={envdir}
|
||||
install_command = pip install -U {opts} {packages}
|
||||
deps = -r{toxinidir}/requirements.txt
|
||||
commands = stestr run --slowest {posargs}
|
||||
|
||||
[testenv:venv]
|
||||
commands = {posargs}
|
||||
|
||||
[testenv:docs]
|
||||
commands = python setup.py build_sphinx
|
Loading…
Reference in New Issue