[openstack-dev] Congress: an open policy framework

Dolph Mathews dolph.mathews at gmail.com
Mon Nov 11 23:10:01 UTC 2013

On Mon, Nov 11, 2013 at 4:28 AM, Flavio Percoco <flavio at redhat.com> wrote:

> On 02/11/13 21:31 -0700, Tim Hinrichs wrote:
>> Hi OpenStackers,
>> We've been working on an open policy framework for OpenStack that we're
>> calling Congress.  We've been talking with OpenStack users and several of
>> our partners to understand the kinds of rules and regulations they envision
>> enforcing with a policy-based management framework.  Across the board they
>> are interested in policies that span networking, compute, storage, etc.
>> The idea behind Congress is to have a single policy engine that
>> integrates any collection of external authentication and data stores and
>> allows cloud administrators to write policies over those data stores in a
>> rich, declarative language.  The policy engine can either enforce the
>> policy proactively (i.e. preventing policy violations before they occur) or
>> reactively (identifying violations after they occur and taking corrective
>> action) or a combination (proactively when possible and reactively when
>> not).  The policy engine can also interact with the administrator,
>> explaining the causes of violations, computing potential remediation plans,
>> and simulating action executions to understand what violations those
>> actions might cause.
>> While the project is still in the early stages, we have identified a
>> grammar for the policy language, implemented a policy engine, and written a
>> proof of concept integration for ActiveDirectory.  We would love to get
>> participation and feedback.
> Have you guys looked into oslo-incubator/policy.py ?
> What's wrong with the grammar used there?
> Have you guys considered starting your work from there?
> Although you're planning to create a policy service, it may make sense
> to be compliant with what OpenStack uses and maybe, you could maintain
> the whole policy library at some point.

++ I'm excited to see some new effort in this space (and sad that I wasn't
aware of this ahead of the summit), but surprised by the apparent lack of
integration with the existing oslo.policy engine, centralized policy
storage in keystone (/v3/policies), etc. There's no reason why you couldn't
replace all that, but a comparison with the existing policy infrastructure
to indicate the advantages provided by congress (without making me read the
source!) would be help this gain some traction within community.

> FF
> --
> @flaper87
> Flavio Percoco
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20131111/801c62b7/attachment.html>

More information about the OpenStack-dev mailing list