Murano policy enforcement internals

This section describes internals of the murano policy enforcement feature.

Model decomposition

The data for the policy validation comes from the models of Murano applications. These models are transformed to a set of rules that are processed by Congress.

There are several tables created in murano policy for different kinds of rules that are as follows:

  • murano:objects(object_id, parent_id, type_name)
  • murano:properties(object_id, property_name, property_value)
  • murano:relationships(source, target, name)
  • murano:connected(source, target)
  • murano:parent_types(object_id, parent_type_name)
  • murano:states(environment_id, state)

murano:objects(object_id, parent_id, type_name)

This rule is used for representation of all objects in Murano model, such as environment, application, instance, and other.

Value of the type property is used as the type_name parameter:

name: wordpress-env
'?': {type: io.murano.Environment, id: 83bff5ac}
applications:
- '?': {id: e7a13d3c, type: com.example.databases.MySql}

The model above transforms to the following rules:

  • murano:objects+("83bff5ac", "tenant_id", "io.murano.Environment")
  • murano:objects+("83bff5ac", "e7a13d3c", "com.example.databases.MySql")

Note

The owner of the environment is a project (tenant).

murano:properties(object_id, property_name, property_value)

Each object may have properties. In this example we have an application with one property:

applications:
- '?': {id: e7a13d3c, type: com.example.databases.MySql}
database: wordpress

The model above transforms to the following rule:

  • murano:properties+("e7a13d3c", "database", "wordpress")

Inner properties are also supported using dot notation:

instance:
'?': {id: 825dc61d, type: io.murano.resources.LinuxMuranoInstance}
networks:
  useFlatNetwork: false

The model above transforms to the following rule:

  • murano:properties+("825dc61d", "networks.useFlatNetwork", "False")

If a model contains list of values, it is represented as a set of multiple rules:

instances:
 - '?': {id: be3c5155, type: io.murano.resources.LinuxMuranoInstance}
 networks:
   customNetworks: [10.0.1.0, 10.0.2.0]

The model above transforms to the following rules:

  • murano:properties+("be3c5155", "networks.customNetworks", "10.0.1.0")
  • murano:properties+("be3c5155", "networks.customNetworks", "10.0.2.0")

murano:relationships(source, target, name)

Murano application models may contain references to other applications. In this example, the WordPress application references MySQL in the database property:

applications:
- '?':
    id: 0aafd67e
    type: com.example.databases.MySql
- '?':
    id: 50fa68ff
    type: com.example.WordPress
  database: 0aafd67e

The model above transforms to the following rule:

  • murano:relationships+("50fa68ff", "0aafd67e", "database")

Note

For the database property we do not create the murano:properties+ rule.

If we define an object within other object, they will have relationships between them:

applications:
- '?':
    id: 0aafd67e
    type: com.example.databases.MySql
  instance:
    '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}

The model above transforms to the following rule:

  • murano:relationships+("0aafd67e", "ed8df2b0", "instance")

There are special relationships of services from the environment to its applications: murano:relationships+("env_id", "app_id", "services")

murano:connected(source, target)

This table stores both direct and indirect connections between instances. It is derived from murano:relationships:

applications:
- '?':
    id: 0aafd67e
    type: com.example.databases.MySql
  instance:
    '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}
- '?':
    id: 50fa68ff
    type: com.example.WordPress
  database: 0aafd67e

The model above transforms to the following rules:

  • murano:connected+("50fa68ff", "0aafd67e") # WordPress to MySql
  • murano:connected+("50fa68ff", "ed8df2b0") # WordPress to LinuxMuranoInstance
  • murano:connected+("0aafd67e", "ed8df2b0") # MySql to LinuxMuranoInstance

murano:parent_types(object_id, parent_name)

Each object in murano has a class type. These classes may inherit from one or more parents. For example, LinuxMuranoInstance > LinuxInstance > Instance:

instances:
- '?': {id: be3c5155, type: LinuxMuranoInstance}

The model above transforms to the following rules:

  • murano:objects+("...", "be3c5155", "LinuxMuranoInstance")
  • murano:parent_types+("be3c5155", "LinuxMuranoInstance")
  • murano:parent_types+("be3c5155", "LinuxInstance")
  • murano:parent_types+("be3c5155", "Instance")

Note

The type of an object is also repeated in its parent types (LinuxMuranoInstance in the example) for easier handling of user-created rules.

Note

If a type inherits from more than one parent, and these parents inherit from one common type, the parent_type rule is included only once in the common type.

murano:states(environment_id, state)

Currently only one record for environment is created:

  • murano:states+("uugi324", "pending")