This section describes the internals of the Murano policy enforcement feature.
The data for policy validation comes from the models of Murano applications. These models are transformed into a set of rules that are processed by Congress.
Murano policy enforcement creates several Congress tables, one for each kind of rule:
murano:objects(object_id, parent_id, type_name)
This table represents all objects in the Murano model: environments, applications, instances and so on.
The value of the type property is used as the type_name parameter:

    name: wordpress-env
    '?': {type: io.murano.Environment, id: 83bff5ac}
    applications:
    - '?': {id: e7a13d3c, type: com.example.databases.MySql}

The model above transforms to the following rules:
- murano:objects+("83bff5ac", "tenant_id", "io.murano.Environment")
- murano:objects+("83bff5ac", "e7a13d3c", "com.example.databases.MySql")
Note
The owner of the environment is a project (tenant).
murano:properties(object_id, property_name, property_value)
Each object may have properties. In this example we have an application with one property:

    applications:
    - '?': {id: e7a13d3c, type: com.example.databases.MySql}
      database: wordpress

The model above transforms to the following rule:
- murano:properties+("e7a13d3c", "database", "wordpress")
Nested properties are also supported, using dot notation for the property name:

    instance:
      '?': {id: 825dc61d, type: io.murano.resources.LinuxMuranoInstance}
      networks:
        useFlatNetwork: false

The model above transforms to the following rule:
- murano:properties+("825dc61d", "networks.useFlatNetwork", "False")
If a model contains a list of values, the list is represented as multiple rules, one per value:

    instances:
    - '?': {id: be3c5155, type: io.murano.resources.LinuxMuranoInstance}
      networks:
        customNetworks: [10.0.1.0, 10.0.2.0]

The model above transforms to the following rules:
- murano:properties+("be3c5155", "networks.customNetworks", "10.0.1.0")
- murano:properties+("be3c5155", "networks.customNetworks", "10.0.2.0")
murano:relationships(source, target, name)
Murano application models may contain references to other applications. In this example, the WordPress application references MySQL in its database property:

    applications:
    - '?':
        id: 0aafd67e
        type: com.example.databases.MySql
    - '?':
        id: 50fa68ff
        type: com.example.WordPress
      database: 0aafd67e

The model above transforms to the following rule:
- murano:relationships+("50fa68ff", "0aafd67e", "database")
Note
No murano:properties+ rule is created for the database property, because it is a reference.
If an object is defined within another object, a relationship between the two is created:

    applications:
    - '?':
        id: 0aafd67e
        type: com.example.databases.MySql
      instance:
        '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}

The model above transforms to the following rule:
- murano:relationships+("0aafd67e", "ed8df2b0", "instance")
There is also a special services relationship from an environment to each of its applications:
- murano:relationships+("env_id", "app_id", "services")
murano:connected(source, target)
This table stores both direct and indirect (transitive) connections between instances. It is derived from murano:relationships:

    applications:
    - '?':
        id: 0aafd67e
        type: com.example.databases.MySql
      instance:
        '?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}
    - '?':
        id: 50fa68ff
        type: com.example.WordPress
      database: 0aafd67e

The model above transforms to the following rules:
- murano:connected+("50fa68ff", "0aafd67e") # WordPress to MySql
- murano:connected+("50fa68ff", "ed8df2b0") # WordPress to LinuxMuranoInstance
- murano:connected+("0aafd67e", "ed8df2b0") # MySql to LinuxMuranoInstance
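The transformation described in the murano:objects, murano:properties, murano:relationships and murano:connected sections above, as an added example that is not Murano's own code. It assumes every object is a dict whose '?' header holds id and type, that a scalar value equal to another object's id is a reference, and that an environment's applications list is emitted as the "services" relationship.

```python
# Added example, not Murano's own code. Assumptions: each object is a dict
# whose '?' header holds 'id' and 'type'; a scalar equal to another object's
# id is a reference; an environment's 'applications' list maps to "services".

def model_to_rules(root, owner="tenant_id"):
    rules, ids = [], set(_ids(root))
    _walk(root, owner, ids, rules)
    return rules          # list of (table, (arg1, arg2, arg3)) tuples

def _ids(node):   # every object id in the model, to recognise references
    if isinstance(node, dict) and "?" in node:
        yield node["?"]["id"]
    for v in (node.values() if isinstance(node, dict) else node if isinstance(node, list) else []):
        yield from _ids(v)

def _walk(obj, owner, ids, rules):
    oid = obj["?"]["id"]
    rules.append(("murano:objects", (oid, owner, obj["?"]["type"])))
    for key, val in obj.items():
        if key != "?":
            _emit(oid, key, val, ids, rules)

def _emit(oid, path, val, ids, rules):
    if isinstance(val, dict) and "?" in val:
        # nested object: relationship named after the property, then recurse
        name = "services" if path == "applications" else path
        rules.append(("murano:relationships", (oid, val["?"]["id"], name)))
        _walk(val, oid, ids, rules)
    elif isinstance(val, dict):          # inner property: dot notation
        for k, v in val.items():
            _emit(oid, path + "." + k, v, ids, rules)
    elif isinstance(val, list):          # list: one rule per element
        for v in val:
            _emit(oid, path, v, ids, rules)
    elif val in ids:
        # reference by id: relationship only, no murano:properties rule
        rules.append(("murano:relationships", (oid, val, path)))
    else:
        rules.append(("murano:properties", (oid, path, str(val))))

def connected(rules):
    # murano:connected is the transitive closure of murano:relationships
    pairs = {(s, d) for t, (s, d, _) in rules if t == "murano:relationships"}
    while True:
        more = {(a, d) for a, b in pairs for c, d in pairs if b == c} - pairs
        if not more:
            return sorted(pairs)
        pairs |= more

def format_rule(table, args):
    return '%s+(%s)' % (table, ", ".join('"%s"' % a for a in args))
```

Feed it a model dict (for instance the environment model from the murano:objects section with the MySQL and WordPress applications above) and format_rule renders each tuple in the murano:table+("a", "b", "c") form shown in this section.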
murano:parent_types(object_id, parent_name)
Each object in Murano has a class type, and classes may inherit from one or more parents. For example, LinuxMuranoInstance inherits from LinuxInstance, which inherits from Instance:

    instances:
    - '?': {id: be3c5155, type: LinuxMuranoInstance}

The model above transforms to the following rules:
- murano:objects+("...", "be3c5155", "LinuxMuranoInstance")
- murano:parent_types+("be3c5155", "LinuxMuranoInstance")
- murano:parent_types+("be3c5155", "LinuxInstance")
- murano:parent_types+("be3c5155", "Instance")
Note
The type of an object is also repeated in its parent types (LinuxMuranoInstance in the example) for easier handling of user-created rules.
Note
If a type inherits from more than one parent and those parents share a common ancestor type, the murano:parent_types+ rule for that common ancestor is included only once.
murano:states(environment_id, state)
Currently only one record per environment is created:
- murano:states+("uugi324", "pending")