Congress is an OpenStack project that provides policy management and enforcement across OpenStack services. It allows defining policies like restricting network access based on group membership. In Kilo, Congress focused on the core capabilities of monitoring for violations and basic proactive/reactive enforcement. Liberty adds controls for limiting enforcement actions and expands the number of integrated services. It also introduces scale out and high availability architectures using a shared database and load balancing. Liberty may also integrate delegation of enforcement through Keystone.
4. Example
Policy: Every network attached to a VM must be a public network or a private network owned by someone in the same group as the VM owner.
Cloud Services:
– Nova: a manager for VMs
– Neutron: a manager for virtual networks
– Keystone: a manager for group membership
5. Capabilities
• Monitoring. Identify policy violations
• Enforcement. Take action to eliminate policy violations
– Proactive: prevent violations
– Reactive: correct violations
– Delegation: divide the problem among other policy engines
• Audit. Chronicle history pertinent to policy
6. Kilo status
• Level 3 in the big tent
• Ground work: RESTful API, command-line interface, GUI (Horizon), Keystone integration, devstack integration, tempest tests
• Policy engine: Datalog with negation but without recursion
• Integrated services: Ceilometer, Cinder, CloudFoundry, Glance, Ironic, Keystone, Murano, Neutron, Nova, Plexxi, Swift, vCenter
• Capabilities: Monitoring, proactive/reactive enforcement
7. Liberty: Reactive Enforcement
[Diagram: Congress and Nova; steps 1. Change requested, 2. Identify violation, 3. Execute actions]
Kilo
Policy statements of the form: if <conditions> then <action>
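The following is an added worked example, not Congress's own code: it evaluates the network policy from the Example slide over constructed Nova/Neutron/Keystone rows (monitoring), then derives the reactive "if <conditions> then <action>" rows described above. The table names, columns and the detach action name are simplified assumptions, not Congress's real datasource schema or action catalogue.

```python
"""Added example (not Congress code). In Congress-style Datalog with negation
and no recursion, the Example slide's policy reads roughly:
  error(vm, net) :- attached(vm, net), not public(net), vm_owner(vm, u1),
                    net_owner(net, u2), not same_group(u1, u2)
  same_group(u1, u2) :- member(u1, g), member(u2, g)
The tables below are simplified assumptions, not Congress's real schema."""
from collections import defaultdict

# Constructed sample rows standing in for the Nova, Neutron and Keystone datasources.
NOVA_SERVERS = {"vm1": "alice", "vm2": "bob", "vm3": "carol"}  # vm -> owner
NEUTRON_NETWORKS = {  # net -> (owner, is_public)
    "pub": ("admin", True), "netA": ("alice", False), "netC": ("carol", False)}
NEUTRON_ATTACHMENTS = [("vm1", "pub"), ("vm2", "netA"), ("vm3", "netA"), ("vm1", "netC")]
KEYSTONE_MEMBERS = [("alice", "dev"), ("bob", "dev"), ("carol", "ops")]  # (user, group)


def groups_of(members):
    """Index Keystone (user, group) rows as user -> set(groups)."""
    groups = defaultdict(set)
    for user, group in members:
        groups[user].add(group)
    return groups


def same_group(u1, u2, groups):
    """Datalog same_group/2: true iff u1 and u2 share at least one group.
    A user in no group (empty set) shares a group with nobody."""
    return bool(groups[u1] & groups[u2])


def find_violations(servers, networks, attachments, members):
    """Monitoring: compute the error(vm, net) table as a sorted list."""
    groups = groups_of(members)
    errors = []
    for vm, net in attachments:
        owner, is_public = networks[net]
        if is_public:  # 'not public(net)' fails, so no error row
            continue
        if not same_group(servers[vm], owner, groups):
            errors.append((vm, net))
    return sorted(errors)


def reactive_actions(violations):
    """Reactive enforcement: one 'if error(vm, net) then <action>' row per violation.
    'neutron:detach_network' is a placeholder name, not a real Congress action."""
    return [("neutron:detach_network", vm, net) for vm, net in violations]
```

Running `find_violations` on the sample rows flags vm3 on netA (ops vs. dev) and vm1 on netC (dev vs. ops), while vm2 on netA is allowed because alice and bob share the dev group.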
Liberty
• Provide admin controls to disable/limit action execution
• Add an API that lists the available actions
• Enlarge the number of services capable of executing actions