[openstack-dev] Congress: an open policy framework

Tim Hinrichs thinrichs at vmware.com
Sun Nov 3 04:31:20 UTC 2013

Hi OpenStackers,

We've been working on an open policy framework for OpenStack that we're calling Congress.  We've been talking with OpenStack users and several of our partners to understand the kinds of rules and regulations they envision enforcing with a policy-based management framework.  Across the board they are interested in policies that span networking, compute, storage, etc.

The idea behind Congress is to have a single policy engine that integrates any collection of external authentication and data stores and allows cloud administrators to write policies over those data stores in a rich, declarative language.  The policy engine can either enforce the policy proactively (i.e. preventing policy violations before they occur) or reactively (identifying violations after they occur and taking corrective action) or a combination (proactively when possible and reactively when not).  The policy engine can also interact with the administrator, explaining the causes of violations, computing potential remediation plans, and simulating action executions to understand what violations those actions might cause.  

While the project is still in the early stages, we have identified a grammar for the policy language, implemented a policy engine, and written a proof of concept integration for ActiveDirectory.  We would love to get participation and feedback.  

Code (in the midst of moving to stackforge):


We'll be in Hong Kong, so if you would like to meet up to discuss please e-mail Peter <pballand at vmware.com> and Pierre <pettori at vmware.com>.

-- The Congress Team

More information about the OpenStack-dev mailing list