[openstack-dev] Congress: an open policy framework

Flavio Percoco flavio at redhat.com
Mon Nov 11 10:28:35 UTC 2013

On 02/11/13 21:31 -0700, Tim Hinrichs wrote:
>Hi OpenStackers,
>We've been working on an open policy framework for OpenStack that we're calling Congress.  We've been talking with OpenStack users and several of our partners to understand the kinds of rules and regulations they envision enforcing with a policy-based management framework.  Across the board they are interested in policies that span networking, compute, storage, etc.
>The idea behind Congress is to have a single policy engine that integrates any collection of external authentication and data stores and allows cloud administrators to write policies over those data stores in a rich, declarative language.  The policy engine can either enforce the policy proactively (i.e. preventing policy violations before they occur) or reactively (identifying violations after they occur and taking corrective action) or a combination (proactively when possible and reactively when not).  The policy engine can also interact with the administrator, explaining the causes of violations, computing potential remediation plans, and simulating action executions to understand what violations those actions might cause.
>While the project is still in the early stages, we have identified a grammar for the policy language, implemented a policy engine, and written a proof of concept integration for ActiveDirectory.  We would love to get participation and feedback.

Have you guys looked into oslo-incubator/policy.py?

What's wrong with the grammar used there?

Have you guys considered starting your work from there?

Although you're planning to create a policy service, it may make sense
to be compliant with what OpenStack uses, and maybe you could maintain
the whole policy library at some point.


Flavio Percoco
