The Topology Compliance Checking of Winery enables to describe restrictions, constraints, and requirements for Topology Templates in form of reusable topology-based Compliance Rules. Furthermore, the Compliance Checker of Winery can be used to ensure that a given Topology Template is compliant to the current set of Compliance Rules.
A Compliance Rule itself consists of two Topology Templates called Identifier and Required Structure. The Identifier is used to detect areas in a Topology Template that are subject to the rule while the Required Structure is used to verify if the rule is satisfied. It is important to note that a Compliance Rule is only valid if there is exactly one matching mapping from the Identifier to the Required Structure. A Topology Element š1 can be matched to a Topology Element š2 if the type of š2 is of the same type or supertype of the type of š1. Furthermore, all attributes of š1 must also be present in š2 with equivalent š¾šš¦ and šššš¢š.
An example of a valid Compliance Rule is shown here:
The Identifier consists of a single Node Template with a property āDataType: PersonalDataā. As the Required Structure contains a Node Template of the same type and with a property with equivalent key and value it exists a matching mapping. Hence, the compliance rule is valid.
The detection of relevant compliance areas in Topology Models is based on the detection of subgraph isomorphisms which also takes the types and attributes of Topology Elements forming the Topology Model into account. An example of a Compliance Rule that is detected and satisfied for a Topology Template is shown here:
Detected means: A Compliance Rule is detected if there is at least on matching mapping from the Identifier to the Topology Model.
Satisfied means: A Compliance Rule is satisfied if each area that has been found by the detector also satisfies the Required Structure. Otherwise a rule is unsatisfied.
In the following, a simple example is given describing how to use Topology Compliance Checking. We will describe how to create your first topology-based Compliance Rule and how to check the compliance of Topology Templates based on existing Compliance Rules.
Note: You should have a look at the Winery User Guide before reading this tutorial to get all the basic knowledge about Winery.
If you need help getting Winery up and running have a look at the Quickstart Guide
First, we need to create a Compliance Rule. Select the tab āOther Elementsā => āCompliance Rulesā to get an overview of the existing Compliance Rules in the repository. Click on āAdd newā to create a new Compliance Rule. A modal to add a new Compliance Rule appears:
Note: The namespace is used to identify all Topology Templates that are subject to the rule. This means each Compliance Rule defined for a certain namespace automatically applies to all Topology Templates defined in that namespace.
After the previous steps a Compliance Rule with empty Identifier and Required Structure is created.
Subsequent, the Topology Modeler of Winery can be used to model the Identifier and Required Structure of the Compliance Rule:
An exemplary Compliance Rule that is concerned with the storage of personal user data may look like this:
Identifier | Required Structure |
---|---|
The motivation for this Compliance Rule is to ensure that all MySQL databases that store personal data are hosted on a specific OpenStack Component with the HypervisorEndpoint: ā192.168.4.3ā.
After creating our first Compliance Rule we can check if a Topology Template with the same namespace satisfies this rule. Therefor, we can either use an existing Service Template or create a new Service Template. Note that it is important to ensure that the Compliance Rule is detected in your Topology Template. Compliance Rules that are not detected in a Topology Template are satisfied.
An example of a Topology Template that does not satisfy the Compliance Rule defined in Step 2.1 is shown below:
Topology Template | Result |
---|---|
The left side shows the modeled Topology Template. The specified property HypervisorEndpoint: ā192.168.0.0ā of the OpenStack component violates the constraints specified by the Compliance Rule. The violation is detected by the Compliance Checker and returned in the result.
After updating the property HypervisorEndpoint to ā192.168.4.3ā the Topology Template does satisfy the compliance rule defined in Step 2.1 as shown below:
Topology Template | Result |
---|---|