.. _policyenf_dev:
Murano policy enforcement internals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This section describes internals of the murano policy enforcement
feature.
Model decomposition
-------------------
The data for the policy validation comes from the models of Murano
applications. These models are transformed to a set of rules that are
processed by Congress.
There are several *tables* created in murano policy for different kinds
of rules that are as follows:
* ``murano:objects(object_id, parent_id, type_name)``
* ``murano:properties(object_id, property_name, property_value)``
* ``murano:relationships(source, target, name)``
* ``murano:connected(source, target)``
* ``murano:parent_types(object_id, parent_type_name)``
* ``murano:states(environment_id, state)``
**murano:objects(object_id, parent_id, type_name)**
This rule is used for representation of all objects in Murano model,
such as environment, application, instance, and other.
Value of the ``type`` property is used as the ``type_name`` parameter:
.. code-block:: yaml
name: wordpress-env
'?': {type: io.murano.Environment, id: 83bff5ac}
applications:
- '?': {id: e7a13d3c, type: com.example.databases.MySql}
The model above transforms to the following rules:
* ``murano:objects+("83bff5ac", "tenant_id", "io.murano.Environment")``
* ``murano:objects+("83bff5ac", "e7a13d3c", "com.example.databases.MySql")``
.. note::
The owner of the environment is a project (tenant).
**murano:properties(object_id, property_name, property_value)**
Each object may have properties. In this example we have an application
with one property:
.. code-block:: yaml
applications:
- '?': {id: e7a13d3c, type: com.example.databases.MySql}
database: wordpress
The model above transforms to the following rule:
* ``murano:properties+("e7a13d3c", "database", "wordpress")``
Inner properties are also supported using dot notation:
.. code-block:: yaml
instance:
'?': {id: 825dc61d, type: io.murano.resources.LinuxMuranoInstance}
networks:
useFlatNetwork: false
The model above transforms to the following rule:
* ``murano:properties+("825dc61d", "networks.useFlatNetwork", "False")``
If a model contains list of values, it is represented as a set of multiple
rules:
.. code-block:: yaml
instances:
- '?': {id: be3c5155, type: io.murano.resources.LinuxMuranoInstance}
networks:
customNetworks: [10.0.1.0, 10.0.2.0]
The model above transforms to the following rules:
* ``murano:properties+("be3c5155", "networks.customNetworks", "10.0.1.0")``
* ``murano:properties+("be3c5155", "networks.customNetworks", "10.0.2.0")``
**murano:relationships(source, target, name)**
Murano application models may contain references to other applications.
In this example, the WordPress application references MySQL in
the ``database`` property:
.. code-block:: yaml
applications:
- '?':
id: 0aafd67e
type: com.example.databases.MySql
- '?':
id: 50fa68ff
type: com.example.WordPress
database: 0aafd67e
The model above transforms to the following rule:
* ``murano:relationships+("50fa68ff", "0aafd67e", "database")``
.. note::
For the ``database`` property we do not create
the ``murano:properties+`` rule.
If we define an object within other object, they will have relationships
between them:
.. code-block:: yaml
applications:
- '?':
id: 0aafd67e
type: com.example.databases.MySql
instance:
'?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}
The model above transforms to the following rule:
* ``murano:relationships+("0aafd67e", "ed8df2b0", "instance")``
There are special relationships of ``services`` from the environment
to its applications: ``murano:relationships+("env_id", "app_id",
"services")``
**murano:connected(source, target)**
This table stores both direct and indirect connections between instances.
It is derived from ``murano:relationships``:
.. code-block:: yaml
applications:
- '?':
id: 0aafd67e
type: com.example.databases.MySql
instance:
'?': {id: ed8df2b0, type: io.murano.resources.LinuxMuranoInstance}
- '?':
id: 50fa68ff
type: com.example.WordPress
database: 0aafd67e
The model above transforms to the following rules:
* ``murano:connected+("50fa68ff", "0aafd67e")`` # WordPress to MySql
* ``murano:connected+("50fa68ff", "ed8df2b0")`` # WordPress to LinuxMuranoInstance
* ``murano:connected+("0aafd67e", "ed8df2b0")`` # MySql to LinuxMuranoInstance
**murano:parent_types(object_id, parent_name)**
Each object in murano has a class type. These classes may inherit from one
or more parents. For example, ``LinuxMuranoInstance > LinuxInstance >
Instance``:
.. code-block:: yaml
instances:
- '?': {id: be3c5155, type: LinuxMuranoInstance}
The model above transforms to the following rules:
* ``murano:objects+("...", "be3c5155", "LinuxMuranoInstance")``
* ``murano:parent_types+("be3c5155", "LinuxMuranoInstance")``
* ``murano:parent_types+("be3c5155", "LinuxInstance")``
* ``murano:parent_types+("be3c5155", "Instance")``
.. note::
The type of an object is also repeated in its parent types
(``LinuxMuranoInstance`` in the example) for easier handling of
user-created rules.
.. note::
If a type inherits from more than one parent, and these parents inherit
from one common type, the ``parent_type`` rule is included only once in
the common type.
**murano:states(environment_id, state)**
Currently only one record for environment is created:
* ``murano:states+("uugi324", "pending")``