This document summarizes a presentation given by Motonori Shindo on OpenStack Congress and Datalog. It introduces OpenStack Congress as a project that provides "Policy as a Service" in OpenStack. It then discusses Datalog, the declarative logic programming language used to define policies in Congress. The document provides examples of Datalog syntax and semantics. It also outlines current and potential future capabilities of Congress, such as monitoring, enforcement, and auditing of policies. Finally, it demonstrates examples of policies defined in Congress to detect violations in OpenStack environments.
2. Self Introduction
• Motonori Shindo
• Bio
– Tokyo Electric Power Co (TEPCO), School of Computer Science
at Carnegie Mellon University, Ascend Communications,
CoSine Communications, Proxim, Fivefront, Nicira, VMware
3. What is OpenStack Congress ?
• One of the projects in OpenStack to provide “Policy as a Service”.
• Why called “Congress” ?
– Because that’s where policy is defined :-)
4. Why does Congress live in OpenStack?
• Congress is a generic policy engine, so it can also run standalone (i.e. without OpenStack)
• That said, in order to define a meaningful / useful policy, some sort of information (“data
source”) upon which policy can be defined is needed.
• OpenStack has a rich set of data sources that can be consumed by Congress, so it is a great
place for Congress to live!
5. What is “Policy”
• No single answer but let’s think of it as something that dictates how the system should behave
in order to conform to:
– Law / Regulations
– Business rule
– Application requirement
– Geographical constraint
– Security requirement
– …
A generic language that can dictate these policies is needed!
6. Datalog
• Declarative Language based on First Order Logic
– Often used as a query language
• Syntactically it is similar to Prolog, but it has different semantics:
– No Function Symbols
– Guaranteed to terminate
– Order of rule definition is irrelevant
– No “List” construct
– No Cut (!) and fail operators
8. Safety Properties of Datalog
• Every variable that appears in the head must also appear in the body of the rule in a non-arithmetic
positive literal.
• Every variable that appears in the body in a negative literal must also appear in some positive
literal.
• Examples of unsafe rules
– q(X, Y, Z) :- r1(X,Y), X < Z.
– q(X, Y, Z) :- r1(X,Y), not r2(X, Y, Z).
• Examples of safe rules
– q(X, Y, Z) :- r1(X, Y), r2(Y, Z), X < Z.
– q(X, Y, Z) :- r1(X,Y), not r2(X, Y, Z), r3(Y, Z).
10. Datalog (Prolog) Example 2
adjacent(a, b).
adjacent(b, c).
adjacent(c, d).
adjacent(a, d).
adjacent(e, f).
reachable(X, Y) :- adjacent(X, Y).
reachable(X, Y) :- adjacent(X, Z), reachable(Z, Y).
?- reachable(b, d).
reachable(b, d).
?- reachable(a, f).
[Figure: directed graph with the edges a→b, b→c, c→d, a→d and e→f; e and f are not connected to the other nodes]
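The following is an added example, not code from the presentation or from Congress. It is a tiny Datalog implementation that makes the two preceding slides executable: a checker for the two safety properties of slide 8, run on that slide's four rules, and a naive bottom-up (fixpoint) evaluator for the positive program of slide 10, which answers both queries (reachable(b, d) holds, reachable(a, f) does not). The Prolog-style conventions of those slides are assumed: variables start with an upper-case letter, rules end with a period, negation is written with `not`, and the only arithmetic literals are comparisons such as `X < Z`. Negation and arithmetic are accepted by the parser and the safety check but, to stay short, not by the evaluator.

```python
# Added example (not the presentation's or Congress's code): a minimal Datalog
# parser, the safety check of slide 8 and a naive fixpoint evaluator for the
# positive program of slide 10. Prolog-style syntax is assumed: upper-case
# variables, '.' terminates a rule, 'not' negates, comparisons are built-ins.
import re
from collections import namedtuple

Literal = namedtuple("Literal", "pred args negated builtin")
Rule = namedtuple("Rule", "head body")      # a fact is a Rule with an empty body
ATOM_RE = re.compile(r"^(not\s+)?(\w+)\s*\((.*)\)$")
CMP_RE = re.compile(r"^(\w+)\s*(<=|>=|!=|<|>|=)\s*(\w+)$")

def is_var(term):
    return term[0].isupper()

def parse_literal(text):
    text = text.strip()
    m = CMP_RE.match(text)
    if m:                                   # arithmetic literal, e.g. X < Z
        return Literal(m.group(2), (m.group(1), m.group(3)), False, True)
    m = ATOM_RE.match(text)
    if not m:
        raise ValueError("cannot parse literal: " + text)
    args = tuple(a.strip() for a in m.group(3).split(",")) if m.group(3).strip() else ()
    return Literal(m.group(2), args, m.group(1) is not None, False)

def split_literals(body):
    """Split a rule body on the commas that are outside parentheses."""
    return [p for p in re.split(r",(?![^()]*\))", body) if p.strip()]

def parse_rule(text):
    head, _, body = text.strip().rstrip(".").partition(":-")
    return Rule(parse_literal(head), [parse_literal(p) for p in split_literals(body)])

def safety_violations(rule):
    """Variables that violate the two safety properties (empty list == safe)."""
    # Variables bound by a positive, non-arithmetic body literal.
    bound = {a for lit in rule.body if not (lit.negated or lit.builtin)
             for a in lit.args if is_var(a)}
    unsafe = {v for v in rule.head.args if is_var(v) and v not in bound}
    for lit in rule.body:                   # negated literals need bound variables too
        if lit.negated:
            unsafe |= {v for v in lit.args if is_var(v) and v not in bound}
    return sorted(unsafe)

def unify(args, tup, env):
    """Extend the binding env so that the literal args match a stored tuple."""
    env = dict(env)
    for a, v in zip(args, tup):
        if is_var(a) and env.get(a, v) == v:
            env[a] = v
        elif a != v:
            return None
    return env if len(args) == len(tup) else None

def matches(body, facts, env):
    """Yield every binding that satisfies all body literals, left to right."""
    if not body:
        yield env
        return
    for tup in list(facts.get(body[0].pred, ())):
        env2 = unify(body[0].args, tup, env)
        if env2 is not None:
            yield from matches(body[1:], facts, env2)

def evaluate(rules):
    """Naive fixpoint: re-apply all rules until no new fact appears.
    Terminates because the set of derivable facts is finite; rule order is irrelevant."""
    if any(l.negated or l.builtin for r in rules for l in r.body):
        raise ValueError("only positive Datalog is evaluated here")
    facts, changed = {}, True
    while changed:
        changed = False
        for r in rules:
            for env in matches(r.body, facts, {}):
                tup = tuple(env.get(a, a) for a in r.head.args)
                table = facts.setdefault(r.head.pred, set())
                if tup not in table:
                    table.add(tup)
                    changed = True
    return facts

def holds(facts, query):
    """True if a ground query such as 'reachable(b, d)' is derivable."""
    return next(matches([parse_literal(query)], facts, {}), None) is not None

PROGRAM = """
adjacent(a, b).
adjacent(b, c).
adjacent(c, d).
adjacent(a, d).
adjacent(e, f).
reachable(X, Y) :- adjacent(X, Y).
reachable(X, Y) :- adjacent(X, Z), reachable(Z, Y).
"""

def reachable_demo():
    rules = [parse_rule(line) for line in PROGRAM.splitlines() if line.strip()]
    facts = evaluate(rules)
    return holds(facts, "reachable(b, d)"), holds(facts, "reachable(a, f)")
```

`safety_violations` names the offending variable, which is `Z` for both unsafe rules on slide 8: in the first it is only constrained by the comparison `X < Z`, in the second only by the negated literal, so neither binds it to a finite set of values. `reachable_demo()` returns `(True, False)`.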
11. What Congress can do today (and in the future)
• Monitoring
– Check the current state of the cloud against the policy and report an error if there is a mismatch
• Enforcement
– Take an action in order to avoid a policy violation
– Proactively / Reactively / Interactively
• Auditing
– History management of policy and policy violation
12. Datalog in Congress
• Syntax
<policy> ::= <rule>*
<rule> ::= <head> COLONMINUS <literal> (COMMA <literal>)*
<head> ::= <atom>
<head> ::= EXECUTE[<atom>]
<literal> ::= <atom>
<literal> ::= NOT <atom>
<atom> ::= TABLENAME LPAREN <arg> (COMMA <arg>)* RPAREN
<arg> ::= <term>
<arg> ::= COLUMNNAME=<term>
<term> ::= INTEGER | FLOAT | STRING | VARIABLE
• Restrictions
– Recursion is not supported (at least for the time being)
13. Extension in Congress
• Tables in certain data sources may have a large number of columns. When writing a policy using
such a table, it is cumbersome to write all those columns explicitly.
• Full form:
port(id) :- neutron:ports(id, tenant_id, name, network_id, mac_address, admin_state_up,
status, device_owner, fixed_ips, security_groups).
• Simplified form (only the columns the rule uses are named, by column name):
port(id) :- neutron:ports(id=id).
14. Drivers that are currently supported for Congress
• OpenStack Ceilometer
• OpenStack Cinder
• OpenStack Glance (v2)
• OpenStack Ironic
• OpenStack Keystone
• OpenStack Murano
• OpenStack Neutron (v2)
• OpenStack Nova
• OpenStack Swift
• Cloud Foundry
• Plexxi
• vCenter
15. Example 1: Congress Policy (for monitoring)
error(vm, network) :-
    nova:virtual_machine(vm),
    nova:network(vm, network),
    nova:owner(vm, vm_owner),
    neutron:owner(network, network_owner),
    not neutron:public_network(network),
    not same_group(vm_owner, network_owner)

same_group(user1, user2) :-
    ad:group(user1, group),
    ad:group(user2, group)
16. Example 2: Congress Policy (for enforcement)
Execute[neutron:disconnectNetwork(vm, network)] :-
    error(vm, network)

Execute[nova:pause(x)] :-
    nova:servers(id=x, status="ACTIVE")
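As an added example (not code from the presentation or from Congress, which evaluates such rules itself), the monitoring policy of Example 1 and the two enforcement rules of Example 2 are spelled out below as Python set operations over constructed sample tables, one set of tuples per Congress table named on the slides (nova:virtual_machine, nova:network, nova:owner, neutron:owner, neutron:public_network, ad:group, nova:servers). Each comprehension clause corresponds to one body literal, so the reader can see which joins and which negations the `error` table is built from, and which actions the Execute rules would then request. All table contents are made up.

```python
# Added example, not the presentation's or Congress's code: the slide-15
# monitoring rule and the slide-16 enforcement rules, hand-translated into
# Python over constructed sample tables (one set of tuples per Congress table).

# Constructed data sources; the column order follows the slides' literals.
nova_virtual_machine = {("vm1",), ("vm2",), ("vm3",)}
nova_network = {("vm1", "net_a"), ("vm2", "net_b"), ("vm3", "net_pub")}      # (vm, network)
nova_owner = {("vm1", "alice"), ("vm2", "bob"), ("vm3", "carol")}              # (vm, vm_owner)
neutron_owner = {("net_a", "alice"), ("net_b", "dave"), ("net_pub", "dave")}  # (network, owner)
neutron_public_network = {("net_pub",)}
ad_group = {("alice", "dev"), ("bob", "ops"), ("dave", "finance"), ("carol", "dev")}
nova_servers = {("vm1", "ACTIVE"), ("vm2", "ACTIVE"), ("vm3", "SHUTOFF")}     # (id, status)


def same_group():
    """same_group(user1, user2) :- ad:group(user1, group), ad:group(user2, group)"""
    return {(u1, u2) for (u1, g1) in ad_group for (u2, g2) in ad_group if g1 == g2}


def error():
    """error(vm, network) :- ... ; one comprehension clause per body literal."""
    sg = same_group()
    return {
        (vm, network)
        for (vm,) in nova_virtual_machine                               # nova:virtual_machine(vm)
        for (vm_net, network) in nova_network if vm_net == vm           # nova:network(vm, network)
        for (vm_own, vm_owner) in nova_owner if vm_own == vm            # nova:owner(vm, vm_owner)
        for (net, network_owner) in neutron_owner if net == network     # neutron:owner(network, network_owner)
        if (network,) not in neutron_public_network                     # not neutron:public_network(network)
        if (vm_owner, network_owner) not in sg                          # not same_group(vm_owner, network_owner)
    }


def enforcement_actions():
    """Actions the two Execute rules of slide 16 would ask Congress to carry out.

    Returned as (action table, arguments) pairs, sorted for determinism."""
    actions = [("neutron:disconnectNetwork", (vm, network)) for (vm, network) in sorted(error())]
    # Execute[nova:pause(x)] :- nova:servers(id=x, status="ACTIVE")
    actions += [("nova:pause", (x,)) for (x, status) in sorted(nova_servers) if status == "ACTIVE"]
    return actions


if __name__ == "__main__":
    print("violations:", sorted(error()))
    print("actions:", enforcement_actions())
```

On this data only vm2 violates the policy: it sits on the private network net_b, which is owned by dave, and bob and dave share no AD group; vm1's network is owned by its own owner, and vm3 is on a public network, so neither matches. Note that the second enforcement rule, exactly as written on the slide, matches every ACTIVE server (here vm1 and vm2), not only the ones in the error table; a rule meant to react to violations would carry the `error` literal in its body as the first rule does.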