Congress A System For Declaring, Auditing, and Enforcing Policy In Heterogeneous Cloud Environments Peter Balland Tim Hinrichs OpenStack Summit, May 2014
The Policy Problem Organizational Business Contracts Rules Industrial Application Regulations Requirements Governmental Privacy Legislation Promises 2
IT Policy Use Cases • Network Access Control – Allow/deny/waypoint flows using (i) attributes of source/destination users/hosts (e.g. for hosts whether mobile, last-connection), (ii) payload, (iii) risk score. – Load-balance flows to server A to servers B, C, D, E, and F. • Application (multiple VMs) Configuration – Allow/deny network-attachments of VMs based on attributes of VM/tenant. – Parameterize application templates, e.g. when an app is deployed for testing/dev, there should be 1 WS/1 DB/1 App. For deployment, there are many more of each kind of VM. • Application Deployment Location – Applications that manage data from Singapore (Japan, Turkey) must be located in a data center that physically resides within • Host Management – Intrusion prevention systems should be applied to high-risk hosts 3
Existing Approach: Multiple Touch Points Organizational Business Contracts Rules Industrial Application Regulations Requirements Governmental Privacy Legislation Promises 4
Congress Policy Framework Policy (Congress) AVaaS FWaaS Compute Storage Networking 5
Any Cloud Service Congress User Dept Age User Dept Age User Dept Age Pete Finance 30 User Dept Age Pete Finance 30 Pete Finance 30 Tim Engineering 32 Pete Finance 30 Tim Engineering 32 Tim Engineering 32 Martin Finance 33 Tim Engineering 32 Martin Finance 33 Martin Finance 33 Pierre Sales 31 User Dept Age Martin Finance 33 Pierre Sales 31 Pierre Sales 31 Pete Finance 30 User Dept Age Pierre Sales 31 User Dept Age Tim Engineering 32 Pete Finance 30 Pete Finance 30 User Dept Age User Dept Age Martin Finance 33 Tim Engineering 32 Tim Engineering 32 Pete Finance 30 Pete Finance 30 User Dept Age Pierre Sales 31 Martin Finance 33 Martin Finance 33 Tim Engineering 32 Tim Engineering 32 Pete Finance 30 Pierre Sales 31 Pierre Sales 31 Martin Finance 33 Martin Finance 33 Tim Engineering 32 Pierre Sales 31 Pierre Sales 31 Martin Finance 33 Pierre Sales 31 6
Any Policy Permitted Actions Errors Actions to Execute create_vm(…) VM1 disconnect_network(…) Reserved delete_vm(…) Router2 Tables move_vm(…) Router3 … … … … … ID Results Time Net Switch Ports VM Memory CPU Disk Capacity Used VM1 Infected 01:13:56 Net1 Switch1 2 VM1 32GB 4 Disk1 1TB 501GB Cloud VM2 Clean 18:23:05 Net1 Switch2 30 VM2 64GB 8 Disk2 2TB 237GB Service VM3 Infected 07:13:09 Net2 Switch3 0 VM3 32GB 12 Disk3 8TB 6.1TB Tables VM4 Clean 20:21:17 Net3 Switch4 10 VM4 128GB 8 Disk4 4TB 3.2TB 7
Monitoring and Enforcement Permitted Actions Prohibited States Actions to Execute Errors Actions to Execute Permitted Actions VM1 disconnect_network(…) create_vm(…) Router2 delete_vm(…) Router3 move_vm(…) … … 1. Monitor Violations 2. Prevent 3. Correct Violations Violations 8
Congress Policy Grammar • <policy> ::= <rule>* • <rule> ::= <atom> COLONMINUS <literal> (COMMA <literal>)* • <literal> ::= <atom> • <literal> ::= NOT <atom> • <atom> ::= TABLENAME LPAREN <term> (COMMA <term>)* RPAREN • <term> ::= INTEGER | FLOAT | STRING | VARIABLE 9
Example • Policy: – Every network attached to a VM must be a public network or a private network owned by someone in the same group as the VM owner. • Cloud Services: – Nova: a manager for VMs – Neutron: a manager for virtual networks – LDAP: manager for group-membership • Enforcement: – Monitoring: check if all deployed VMs obey this policy. – Preventative: before Nova deploys VM, ask Congress if within policy. – Corrective: when LDAP group membership changes, correct violations 10
Prohibited States Policy // prohibited states error(vm) :- nova:virtual_machine(vm), nova:network(vm, network), not neutron:public_network(network), neutron:owner(network, netowner), nova:owner(vm, vmowner), not same_group(netowner, vmowner) // which users are members of the same group same_group(user1, user2) :- ldap:group(user1, group), ldap:group(user2, group) 11
Example Cloud State (No Violations) VM1 Net_private VM3 VM2 Net_public Error LDAP:group Nova:owner Neutron:owner <no rows> VM Owner User Group Network Owner VM1 Tim Pete Congress Net_private Martin VM2 Pete Tim Congress Neutron:public VM3 Pierre Martin Congress Network Pierre Congress Net_public 12
Example Cloud State (1 Violation) VM1 Net_private VM3 VM2 Net_public Error LDAP:group Nova:owner Neutron:owner VM1 VM Owner User Group Network Owner VM1 Tim Pete Congress Net_private Martin VM2 Pete Tim Congress Neutron:public VM3 Pierre Martin Congress Network Pierre Congress Net_public 13
Congress + OpenStack • Fills a business need of implementers and operators • Prohibit vendor lock-in • Congress integration across projects facilitates greater inter-component communication and extensibility 14
Status and Roadmap • Basic Policy language implementation (datalog evaluation, optimization, etc.) • Architecture and API (formalize data models and implement event loop, APIs) • Enhanced Policy language • Policy structure (multi-tenancy, multi-stakeholder) • Enforcement (action execution, component sub-policy interaction) • Libraries (data-source drivers, HIPPA (etc.) encoding) • Policy Analysis (loop & redundancy detection, impact analysis) • Dashboard • … 15
How To Help • Open Source Community Design Session – Room B405 • IRC Meetings – Bi-weekly on Tuesdays (e.g. May 20, 2014) at 1700 UTC • openstack-dev mailing list 16
References • Congress Wiki – https://wiki.openstack.org/wiki/Congress • On Policy in the Data Center – http://networkheresy.com/2014/04/22/on-policy-in-the-data-center-the-policy-problem/ • Stackforge Repo: – https://github.com/stackforge/congress 17
Learn more about VMware + OpenStack at the following sessions: Monday Wednesday Hands-on-Labs VMware + OpenStack: Accelerating OpenStack In The VMware Demo OpenStack on VMware Enterprise 1:00-1:15 pm, Demo Theater vSphere and NSX 1:50-2:30 pm, B313 Wed, May 14, 3:30-5:30 pm, Enterprise Grade Scheduling Deep-dive Demo for OpenStack On VMware B313 4:40-5:20 pm, B206 2:40-3:20 pm, B313 OpenStack Distribution Support For vSphere + NSX Bridging The Gap: OpenStack For VMware Administrators 3:30-4:10 pm, B313 OpenStack Networking 5:30-6:10 pm, B206 Congress: A System For Declaring, Auditing, and Enforcing Wed, May 14, 4:30-6:00 pm, Policy In Heterogeneous Cloud Environments B314 Software Defined Networking Performance And Architecture 4:30-5:10 pm, B313 Evaluation VSAN and OpenStack 5:30-6:10 pm, B103 Presented by Symantec & Mirantis 5:20-6:00 pm, B313 Tuesday Thursday Recap: Nova-network Or Neutron For OpenStack Scaling Neutron For Large Deployments Networking? 4:40-5:20 pm, B101 Presented by eBay & PayPal 9:50-10:30 am, B309 Leveraging VMware Technology To Build An Enterprise Open vSwitch And The Intelligent Edge Grade OpenStack Cloud - It's Not Always About KVM! 5:30-6:10 pm, B206 2:20-3:00 pm, B101 Presented by iLand Session by Session by VMware VMware Customers / Partners The Enterprise-Grade Foundation For Your OpenStack Cloud
Recommend
More recommend
