[openstack-dev] Congress: an open policy framework
dolph.mathews at gmail.com
Mon Nov 11 23:10:01 UTC 2013
On Mon, Nov 11, 2013 at 4:28 AM, Flavio Percoco <flavio at redhat.com> wrote:
> On 02/11/13 21:31 -0700, Tim Hinrichs wrote:
>> Hi OpenStackers,
>> We've been working on an open policy framework for OpenStack that we're
>> calling Congress. We've been talking with OpenStack users and several of
>> our partners to understand the kinds of rules and regulations they envision
>> enforcing with a policy-based management framework. Across the board they
>> are interested in policies that span networking, compute, storage, etc.
>> The idea behind Congress is to have a single policy engine that
>> integrates any collection of external authentication and data stores and
>> allows cloud administrators to write policies over those data stores in a
>> rich, declarative language. The policy engine can either enforce the
>> policy proactively (i.e. preventing policy violations before they occur) or
>> reactively (identifying violations after they occur and taking corrective
>> action) or a combination (proactively when possible and reactively when
>> not). The policy engine can also interact with the administrator,
>> explaining the causes of violations, computing potential remediation plans,
>> and simulating action executions to understand what violations those
>> actions might cause.
>> While the project is still in the early stages, we have identified a
>> grammar for the policy language, implemented a policy engine, and written a
>> proof of concept integration for ActiveDirectory. We would love to get
>> participation and feedback.
> Have you guys looked into oslo-incubator/policy.py ?
> What's wrong with the grammar used there?
> Have you guys considered starting your work from there?
> Although you're planning to create a policy service, it may make sense
> to be compliant with what OpenStack uses and maybe, you could maintain
> the whole policy library at some point.
++ I'm excited to see some new effort in this space (and sad that I wasn't
aware of this ahead of the summit), but surprised by the apparent lack of
integration with the existing oslo.policy engine, centralized policy
storage in keystone (/v3/policies), etc. There's no reason why you couldn't
replace all that, but a comparison with the existing policy infrastructure
to indicate the advantages provided by congress (without making me read the
source!) would help this gain some traction within the community.
> Flavio Percoco