python-congressclient 1.0.0 release!

This post was originally posted on October 1, 2014 on blog.aaronorosen.com

Today, we’re releasing the first version of python-congressclient, which provides Python bindings that make it easy to call the Congress API (especially in conjunction with keystone). The python-congressclient leverages python-openstackclient for its CLI output. We’d like to thank Dean Troyer and Jamie Lennox for their helpful suggestions on the integration with python-openstackclient, which provides a unified shell command structure and common language to describe operations in OpenStack. Below is a quick preview of the client in action.

Get the client:

sudo pip install python-congressclient

Supported Congress commands:

$ openstack  --help | grep congress
congress datasource list List Datasources.
congress datasource row list List datasource rows.
congress datasource table list List datasource tables.
congress policy list List Policy.
congress policy row list List policy rows.
congress policy rule create Create a policy rule.
congress policy rule delete Delete a policy rule.
congress policy rule list List policy rules.
congress policy table list List policy tables.

List the available datasources. Today, congress has datasource drivers that integrate with keystone, neutron and nova (Contribute one!).

$ openstack congress datasource list 
+----------+----------+---------+------+--------+
| id       | owner_id | enabled | type | config |
+----------+----------+---------+------+--------+
| keystone | d6cage   | True    | None | None   |
| neutron  | d6cage   | True    | None | None   |
| nova     | d6cage   | True    | None | None   |
+----------+----------+---------+------+--------+

Each datasource driver contains a series of tables. Here are the tables for nova that congress supports today:

$ openstack congress datasource table list nova
+--------------+
| id           |
+--------------+
| flavors      |
| floating_IPs |
| servers      |
+--------------+

Retrieve data cached in congress for the nova servers table (helpful for debugging, shows that congress knows that there are two instances running in nova):

$ openstack congress datasource row list nova servers 
+--------------------------------------+------+----------------------------------------------------------+--------+----------------------------------+----------------------------------+--------------------------------------+------+
| Col0                                 | Col1 | Col2                                                     | Col3   | Col4                             | Col5                             | Col6                                 | Col7 |
+--------------------------------------+------+----------------------------------------------------------+--------+----------------------------------+----------------------------------+--------------------------------------+------+
| 87eb3b34-47c6-439e-b335-baf6f2a30752 | vm1  | 58c3b7b2707c922131c4ea4c3bd100f77c4861337505c415254412be | ACTIVE | 98891a1d5b6d4ac4b9fae289d582c842 | 14ca0e60d8e44e8bb719712adf1846f8 | a4d10b29-cd5a-4490-a079-5289038b0906 | 1    |
| b963f4cb-db6c-4716-ba79-0d583f0b7e16 | vm2  | 58c3b7b2707c922131c4ea4c3bd100f77c4861337505c415254412be | ACTIVE | 98891a1d5b6d4ac4b9fae289d582c842 | 14ca0e60d8e44e8bb719712adf1846f8 | a4d10b29-cd5a-4490-a079-5289038b0906 | 1    |
+--------------------------------------+------+----------------------------------------------------------+--------+----------------------------------+----------------------------------+--------------------------------------+------+

Create a policy rule. This creates a table that will return a list of ports and security group name bindings:

$ openstack congress policy rule create classification "port_security_group(port, security_group_name) :-neutron:ports(addr_pairs, security_groups, extra_dhcp_opts, binding_cap, status, name, admin_state_up, network_id, tenant_id, binding_vif, device_owner, mac_address, fixed_ips, port, device_id, binding_host_id1), neutron:ports.security_groups(security_groups, security_group_id), neutron:security_groups(tenant_id2, security_group_name, desc2, security_group_id)"
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| comment | None |
| id | 5b5dc1d1-0d19-4a43-b6ed-d79ca75e16b5 |
| rule | port_security_group(port, security_group_name) :- |
| | neutron:ports(addr_pairs, security_groups, extra_dhcp_opts, binding_cap, status, name, admin_state_up, network_id, tenant_id, binding_vif, device_owner, mac_address, fixed_ips, port, device_id, binding_host_id1), |
| | neutron:ports.security_groups(security_groups, security_group_id), |
| | neutron:security_groups(tenant_id2, security_group_name, desc2, security_group_id) |
+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Retrieve the table data for the port_security_group rule above, which is the bindings of port IDs to security group names:

$ openstack congress policy row list  classification port_security_group
+--------------------------------------+---------+
| Col0                                 | Col1    |
+--------------------------------------+---------+
| 36892a8e-b741-4547-a4d5-e2dfb0fe5e9d | default |
| b8adbd48-30f8-4b1e-ae6b-5eed81d38af1 | default |
+--------------------------------------+---------+
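
How the rule above derives its rows, as an added example that is not part of the original post and not Congress's own engine: a small Python join over constructed rows, where evaluate, port_row and the sample data are hypothetical. It shows that the variable names repeated across the rule body (security_groups, security_group_id) act as join keys, while tenant_id and tenant_id2 are kept distinct so they do not.

```python
# Added example: evaluates the page's port_security_group rule over constructed rows.
PORTS_VARS = ("addr_pairs security_groups extra_dhcp_opts binding_cap status name "
              "admin_state_up network_id tenant_id binding_vif device_owner "
              "mac_address fixed_ips port device_id binding_host_id1").split()

RULE_HEAD = ("port", "security_group_name")
RULE_BODY = [
    ("neutron:ports", PORTS_VARS),
    ("neutron:ports.security_groups", ["security_groups", "security_group_id"]),
    ("neutron:security_groups",
     ["tenant_id2", "security_group_name", "desc2", "security_group_id"]),
]

def port_row(port, sg_ref):
    """Constructed neutron:ports row; columns the rule ignores get a filler."""
    row = dict.fromkeys(PORTS_VARS, "-")
    row.update(port=port, security_groups=sg_ref)
    return tuple(row[v] for v in PORTS_VARS)

def evaluate(head, body, tables):
    """Join the body atoms: a variable repeated across atoms must match."""
    bindings = [{}]
    for table, variables in body:
        extended = []
        for env in bindings:
            for row in tables[table]:
                new = dict(env)
                if all(new.setdefault(v, val) == val for v, val in zip(variables, row)):
                    extended.append(new)
        bindings = extended
    return sorted({tuple(env[v] for v in head) for env in bindings})

# Constructed sample data (not from a real deployment).
TABLES = {
    "neutron:ports": [port_row("port-a", "ref-1"), port_row("port-b", "ref-2"),
                      port_row("port-c", "ref-3")],
    "neutron:ports.security_groups": [("ref-1", "sg-default"), ("ref-2", "sg-default"),
                                      ("ref-2", "sg-web")],
    "neutron:security_groups": [("t1", "default", "", "sg-default"),
                                ("t1", "web", "", "sg-web")],
}

def port_security_group():
    return evaluate(RULE_HEAD, RULE_BODY, TABLES)

if __name__ == "__main__":
    for row in port_security_group():
        print(row)
```

In the constructed data, port-c has no security group binding and therefore does not appear in the derived table, which is worth remembering when reading the output as an audit of port coverage.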

List the policy rules in congress:

$ openstack congress policy rule list classification
+--------------------------------------+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id | comment | rule |
+--------------------------------------+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 5b5dc1d1-0d19-4a43-b6ed-d79ca75e16b5 | None | port_security_group(port, security_group_name) :- |
| | | neutron:ports(addr_pairs, security_groups, extra_dhcp_opts, binding_cap, status, name, admin_state_up, network_id, tenant_id, binding_vif, device_owner, mac_address, fixed_ips, port, device_id, binding_host_id1), |
| | | neutron:ports.security_groups(security_groups, security_group_id), |
| | | neutron:security_groups(tenant_id2, security_group_name, desc2, security_group_id) |
+--------------------------------------+---------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Lists the internal tables in congress:

$ openstack congress policy table list classification
+-------------------------------+
| id                            |
+-------------------------------+
| port_security_group           |
| neutron:ports                 |
| neutron:ports.security_groups |
| neutron:security_groups       |
+-------------------------------+

Deletes the policy rule we created above:

$ openstack congress policy rule delete classification 5b5dc1d1-0d19-4a43-b6ed-d79ca75e16b5

And of course if you want to use the python-bindings directly:

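import os

from keystoneclient.auth.identity import v2
from keystoneclient import session as ksession
from congressclient.v1 import client

# Credentials are read from the standard OpenStack environment variables.
AUTH_URL = os.environ['OS_AUTH_URL']
USERNAME = os.environ['OS_USERNAME']
PASSWORD = os.environ['OS_PASSWORD']
TENANT_NAME = os.environ['OS_TENANT_NAME']

auth = v2.Password(
    auth_url=AUTH_URL, username=USERNAME,
    password=PASSWORD, tenant_name=TENANT_NAME)
session = ksession.Session(auth=auth)
congress = client.Client(session=session,
                         auth=None,
                         interface='publicURL',
                         service_type='policy',
                         region_name='RegionOne')
# Arguments are elided in the original post; supply them before running.
congress.create_policy_rule(...)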

That’s it for now, but stay tuned!