From 30dfb6af2e2cd2cbc1632031202f48c1ef6a876f Mon Sep 17 00:00:00 2001 From: RHE Date: Wed, 27 Dec 2017 09:58:36 +0100 Subject: moon_forming for policy templates Change-Id: I8f19a9c4d791d509a6c0349424252ea24c56ab6b Signed-off-by: RHE --- moon_forming/run.sh | 12 +++-- python_moonclient/Changelog | 10 +++- python_moonclient/python_moonclient/__init__.py | 2 +- python_moonclient/python_moonclient/config.py | 44 ++++++++++------ tests/functional/scenario_tests/mls.py | 59 ++++++++++++++++++++++ tests/functional/scenario_tests/rbac.py | 61 +++++++++++++++++++++++ tools/moon_kubernetes/README.md | 8 +-- tools/moon_kubernetes/init_k8s.sh | 2 +- tools/moon_kubernetes/start_moon.sh | 21 ++++---- tools/moon_kubernetes/templates/moon_forming.yaml | 11 ++-- 10 files changed, 189 insertions(+), 41 deletions(-) create mode 100644 tests/functional/scenario_tests/mls.py create mode 100644 tests/functional/scenario_tests/rbac.py diff --git a/moon_forming/run.sh b/moon_forming/run.sh index a4d89204..6cf90f56 100644 --- a/moon_forming/run.sh +++ b/moon_forming/run.sh @@ -5,8 +5,9 @@ populate_args=$* echo "Waiting for Consul (http://consul:8500)" while ! python -c "import requests; req = requests.get('http://consul:8500')" 2>/dev/null ; do sleep 5 ; - echo "." + echo -n "." done +echo "." echo "Consul (http://consul:8500) is up." python3 /root/conf2consul.py /etc/moon/moon.conf @@ -14,8 +15,9 @@ python3 /root/conf2consul.py /etc/moon/moon.conf echo "Waiting for DB (tcp://db:3306)" while ! python -c "import socket, sys; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect(('db', 3306)); sys.exit(0)" 2>/dev/null ; do sleep 5 ; - echo "." + echo -n "." done +echo "." echo "Database (http://db:3306) is up." moon_db_manager upgrade 
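Review bot: `echo -n "."` in the two wait loops of this hunk and the next (and again in the third run.sh hunk) is only portable when run.sh is executed by bash; under a POSIX `sh` such as dash, `echo -n` prints the literal `-n` instead of suppressing the newline. `printf '.'` behaves the same in every shell and gives the same progress output, with the closing `echo "."` left as is. The script's interpreter line is outside the hunk, so whether this bites depends on how the container invokes run.sh.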
@@ -23,15 +25,17 @@ moon_db_manager upgrade echo "Waiting for Keystone (http://keystone:5000)" while ! python -c "import requests; req = requests.get('http://keystone:5000')" 2>/dev/null ; do sleep 5 ; - echo "." + echo -n "." done +echo "." echo "Keystone (http://keystone:5000) is up." echo "Waiting for Manager (http://manager:8082)" while ! python -c "import requests; req = requests.get('http://manager:8082')" 2>/dev/null ; do sleep 5 ; - echo "." + echo -n "." done +echo "." echo "Manager (http://manager:8082) is up." for i in /data/*.py ; do diff --git a/python_moonclient/Changelog b/python_moonclient/Changelog index 854200cb..cd099ae3 100644 --- a/python_moonclient/Changelog +++ b/python_moonclient/Changelog @@ -9,4 +9,12 @@ CHANGES 0.1.0 ----- -- First version of the python-moonclient \ No newline at end of file +- First version of the python-moonclient + +1.0.0 +----- +- First public version of the python-moonclient + +1.0.1 +----- +- Fix a bug in configuration diff --git a/python_moonclient/python_moonclient/__init__.py b/python_moonclient/python_moonclient/__init__.py index d7cdd111..2249a1b6 100644 --- a/python_moonclient/python_moonclient/__init__.py +++ b/python_moonclient/python_moonclient/__init__.py @@ -3,4 +3,4 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -__version__ = "0.0.1" +__version__ = "1.0.1" diff --git a/python_moonclient/python_moonclient/config.py b/python_moonclient/python_moonclient/config.py index d6317820..300ebf1a 100644 --- a/python_moonclient/python_moonclient/config.py +++ b/python_moonclient/python_moonclient/config.py 
@@ -21,17 +21,36 @@ def get_configuration(consul_host, consul_port, key):
 def get_config_data(consul_host, consul_port):
 conf_data = dict()
- conf_data['manager_host'] = get_configuration(consul_host, consul_port,
- 'components/manager')['components/manager']['external']['hostname']
- conf_data['manager_port'] = get_configuration(consul_host, consul_port,
- 'components/manager')['components/manager']['external']['port']
- # conf_data['authz_host'] = get_configuration(consul_host, consul_port,
- # 'components/interface')['components/interface']['external']['hostname']
- # conf_data['authz_port'] = get_configuration(consul_host, consul_port,
- # 'components/interface')['components/interface']['external']['port']
- conf_data['keystone_host'] = get_configuration(consul_host, consul_port,
- 'openstack/keystone')['openstack/keystone']['external']['url']
- # conf_data['keystone_port'] = '5000'
+ conf_data['manager_host'] = get_configuration(
+ consul_host, consul_port,
+ 'components/manager')['components/manager']['external']['hostname']
+ conf_data['manager_port'] = get_configuration(
+ consul_host, consul_port,
+ 'components/manager')['components/manager']['external']['port']
+ try:
+ requests.get("http://{}:{}/".format(
+ conf_data['manager_host'],
+ conf_data['manager_port']
+ ),
+ timeout=2)
+ except requests.exceptions.ConnectionError:
+ conf_data['manager_host'] = get_configuration(consul_host, consul_port,
+ 'components/manager')[
+ 'components/manager']['hostname']
+ conf_data['manager_port'] = get_configuration(consul_host, consul_port,
+ 'components/manager')[
+ 'components/manager']['port']
+
+ conf_data['keystone_host'] = get_configuration(
+ consul_host, consul_port,
+ 'openstack/keystone')['openstack/keystone']['external']['url']
+ try:
+ requests.get(conf_data['keystone_host'], timeout=2)
+ except requests.exceptions.ConnectionError:
+ conf_data['keystone_host'] = get_configuration(
+ consul_host, consul_port,
+ 'openstack/keystone')['openstack/keystone']['url']
+
 conf_data['keystone_user'] = get_configuration(consul_host, consul_port,
 'openstack/keystone')['openstack/keystone']['user']
 conf_data['keystone_password'] = get_configuration(consul_host, consul_port,
@@ -39,6 +58,3 @@ def get_config_data(consul_host, consul_port):
 conf_data['keystone_project'] = get_configuration(consul_host, consul_port,
 'openstack/keystone')['openstack/keystone']['project']
 return conf_data
-
-# get_conf_data('88.88.88.2', '30005')
-# get_conf_data('127.0.0.1', 8082)
diff --git a/tests/functional/scenario_tests/mls.py b/tests/functional/scenario_tests/mls.py
new file mode 100644
index 00000000..0e6285c9
--- /dev/null
+++ b/tests/functional/scenario_tests/mls.py
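Review bot: Both reachability probes catch only `requests.exceptions.ConnectionError`, so a `requests.exceptions.ReadTimeout` from `timeout=2` (a host that accepts the TCP connection but never answers) propagates out of get_config_data instead of triggering the fallback; catch `(requests.exceptions.ConnectionError, requests.exceptions.Timeout)` in both `except` clauses. The fallback also switches silently from the `external` hostname/url to the internal one, which changes where the Keystone credentials read a few lines below will be sent, so a log line naming the endpoint that was finally chosen would make a mis-routed deployment diagnosable. The probe's response is discarded, meaning any HTTP status counts as "reachable"; a one-line comment stating that only TCP-level reachability is tested would prevent someone from later reading it as a health check. The function continues into the second hunk, where `return conf_data` lives.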
@@ -0,0 +1,59 @@
+
+pdp_name = "pdp_mls"
+policy_name = "MLS Policy example"
+model_name = "MLS"
+policy_genre = "authz"
+
+subjects = {"adminuser": "", "user1": "", "user2": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"subject-security-level": "", }
+object_categories = {"object-security-level": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {
+ "subject-security-level": {"low": "", "medium": "", "high": ""},
+}
+object_data = {
+ "object-security-level": {"low": "", "medium": "", "high": ""},
+}
+action_data = {"action-type": {"vm-action": "", "storage-action": "", }}
+
+subject_assignments = {
+ "adminuser": {"subject-security-level": "high"},
+ "user1": {"subject-security-level": "medium"},
+}
+object_assignments = {
+ "vm0": {"object-security-level": "medium"},
+ "vm1": {"object-security-level": "low"},
+}
+action_assignments = {
+ "start": {"action-type": "vm-action"},
+ "stop": {"action-type": "vm-action"}
+}
+
+meta_rule = {
+ "mls": {
+ "id": "",
+ "value": ("subject-security-level",
+ "object-security-level",
+ "action-type")},
+}
+
+rules = {
+ "mls": (
+ {
+ "rule": ("high", "medium", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rule": ("high", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rule": ("medium", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ )
+}
diff --git a/tests/functional/scenario_tests/rbac.py b/tests/functional/scenario_tests/rbac.py
new file mode 100644
index 00000000..1d2cabee
--- /dev/null
+++ b/tests/functional/scenario_tests/rbac.py
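Review bot: `"instructions": ({"decision": "grant"})` on all three rules is a parenthesised dict, not a one-element tuple, while rbac.py in this same commit writes `"instructions": ({"decision": "grant"},)`, so whatever iterates `instructions` sees the dict's keys here and a sequence of dicts there; add the trailing comma on each of the three lines, `"instructions": ({"decision": "grant"},)`. `user2` is declared in `subjects` but has no entry in `subject_assignments`; if an unassigned subject is meant to exercise the deny path, a comment saying so would stop the next reader from "fixing" it. A short module docstring noting that this file is a policy template that start_moon.sh packs into the `moon-policy-templates` ConfigMap (and that the forming job apparently reads from `/data`) would explain why plain module-level dicts are the format.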
@@ -0,0 +1,61 @@
+
+pdp_name = "pdp_rbac1"
+policy_name = "RBAC policy example"
+model_name = "RBAC"
+policy_genre = "authz"
+
+subjects = {"adminuser": "", "user1": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "employee": "", "*": ""}}
+object_data = {"id": {"vm0": "", "vm1": "", "*": ""}}
+action_data = {"action-type": {"vm-action": "", "*": ""}}
+
+subject_assignments = {
+ "adminuser":
+ ({"role": "admin"}, {"role": "employee"}, {"role": "*"}),
+ "user1":
+ ({"role": "employee"}, {"role": "*"}),
+}
+object_assignments = {
+ "vm0":
+ ({"id": "vm0"}, {"id": "*"}),
+ "vm1":
+ ({"id": "vm1"}, {"id": "*"})
+}
+action_assignments = {
+ "start":
+ ({"action-type": "vm-action"}, {"action-type": "*"}),
+ "stop":
+ ({"action-type": "vm-action"}, {"action-type": "*"})
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": (
+ {
+ "rule": ("admin", "vm0", "vm-action"),
+ "instructions": (
+ {"decision": "grant"},
+ # "grant" to immediately exit,
+ # "continue" to wait for the result of next policy
+ )
+ },
+ {
+ "rule": ("employee", "vm1", "vm-action"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
+}
+
+
diff --git a/tools/moon_kubernetes/README.md b/tools/moon_kubernetes/README.md
index a74a1321..b47bbfaf 100644
--- a/tools/moon_kubernetes/README.md
+++ b/tools/moon_kubernetes/README.md
@@ -30,8 +30,8 @@ apt-get install -y kubelet kubeadm kubectl
 ## Moon Deployment
 ### Initiate K8S
 ```bash
-cd $MOON_HOME/tools/moon_kubernes
-sudo bash init_k8s.sh
+cd $MOON_HOME
+bash tools/moon_kubernes/init_k8s.sh
 ```
 Wait until all the kubeadm containers are in the `running` state:
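Review bot: Every assignment also carries the wildcard value (`{"role": "*"}`, `{"id": "*"}`, `{"action-type": "*"}`) but neither of the two rules references `"*"`, so unless the engine gives `*` a special meaning that is not visible here, those entries never match anything; either add the rule they are meant to feed or mark them with a comment such as `# "*" assignments are placeholders for a catch-all rule; unused by the rules below`. The inline comment under the first rule documents the `grant`/`continue` decision values, which is useful and worth lifting into a module docstring so it is not tied to one rule. The file ends with two blank added lines, which most linters flag as trailing whitespace.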
@@ -56,8 +56,8 @@ You must see something like this:
 ### Deploy Moon
 ```bash
-cd $MOON_HOME/tools/moon_kubernes
-sudo bash start_moon.sh
+cd $MOON_HOME
+sudo bash tools/moon_kubernes/start_moon.sh
 ```
 Wait until all the Moon containers are in the `running` state:
diff --git a/tools/moon_kubernetes/init_k8s.sh b/tools/moon_kubernetes/init_k8s.sh
index fcfdfb5e..8ec1237c 100644
--- a/tools/moon_kubernetes/init_k8s.sh
+++ b/tools/moon_kubernetes/init_k8s.sh
@@ -20,7 +20,7 @@ kubectl apply -f http://docs.projectcalico.org/v2.4/getting-started/kubernetes/i
 #kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml
 kubectl delete deployment kube-dns --namespace=kube-system
-kubectl apply -f templates/kube-dns.yaml
+kubectl apply -f tools/moon_kubernetes/templates/kube-dns.yaml
 kubectl taint nodes --all node-role.kubernetes.io/master- # make the master also as a node
diff --git a/tools/moon_kubernetes/start_moon.sh b/tools/moon_kubernetes/start_moon.sh
index 3892a3fa..47d6998b 100644
--- a/tools/moon_kubernetes/start_moon.sh
+++ b/tools/moon_kubernetes/start_moon.sh
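Review bot: `kubectl apply -f tools/moon_kubernetes/templates/kube-dns.yaml` is now relative to the repository root, so the script silently depends on being invoked from `$MOON_HOME` and fails with a file-not-found from anywhere else; the same applies to every path rewritten in the two start_moon.sh hunks. Resolving the root from the script's own location removes the dependency on the caller's working directory, e.g. `cd "$(dirname "$0")/../.." || exit 1` near the top of each script, after which the README can keep its old one-line invocation. Note that the README hunks in this commit spell the directory `tools/moon_kubernes/`, which does not match the `tools/moon_kubernetes/` path used here. The enclosing script continues outside the hunk.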
@@ -3,21 +3,22 @@ set -x
 kubectl create namespace moon
-kubectl create configmap moon-config --from-file conf/moon.conf -n moon
+kubectl create configmap moon-config --from-file tools/moon_kubernetes/conf/moon.conf -n moon
 kubectl create configmap config --from-file ~/.kube/config -n moon
-kubectl create secret generic mysql-root-pass --from-file=conf/password_root.txt -n moon
-kubectl create secret generic mysql-pass --from-file=conf/password_moon.txt -n moon
+kubectl create configmap moon-policy-templates --from-file tests/functional/scenario_tests -n moon
+kubectl create secret generic mysql-root-pass --from-file=tools/moon_kubernetes/conf/password_root.txt -n moon
+kubectl create secret generic mysql-pass --from-file=tools/moon_kubernetes/conf/password_moon.txt -n moon
-kubectl create -n moon -f templates/consul.yaml
-kubectl create -n moon -f templates/db.yaml
-kubectl create -n moon -f templates/keystone.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/consul.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/db.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/keystone.yaml
 echo =========================================
 kubectl get pods -n moon
 echo =========================================
 sleep 10
-kubectl create -n moon -f templates/moon_forming.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/moon_forming.yaml
 echo Waiting for jobs forming
 sleep 5
@@ -25,11 +26,11 @@ kubectl get jobs -n moon
 kubectl logs -n moon jobs/forming
 sleep 5
-kubectl create -n moon -f templates/moon_manager.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/moon_manager.yaml
 sleep 2
-kubectl create -n moon -f templates/moon_orchestrator.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/moon_orchestrator.yaml
-kubectl create -n moon -f templates/moon_gui.yaml
+kubectl create -n moon -f tools/moon_kubernetes/templates/moon_gui.yaml
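Review bot: `kubectl create configmap moon-policy-templates --from-file tests/functional/scenario_tests -n moon` packs every file in that directory into the ConfigMap, which moon_forming.yaml in this commit mounts at `/data` where run.sh iterates `/data/*.py`, so any file dropped into the tests directory later is shipped into the cluster and, apparently, processed by the forming job. Naming the files explicitly, `--from-file tests/functional/scenario_tests/mls.py --from-file tests/functional/scenario_tests/rbac.py`, or pointing at a dedicated templates directory keeps the set of deployed policies deliberate, and since ConfigMaps are capped at roughly 1 MiB a growing test directory would eventually make this command fail. The same relative-path assumption as in init_k8s.sh applies to every path rewritten in both hunks.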
diff --git a/tools/moon_kubernetes/templates/moon_forming.yaml b/tools/moon_kubernetes/templates/moon_forming.yaml
index efcc51d8..334ee175 100644
--- a/tools/moon_kubernetes/templates/moon_forming.yaml
+++ b/tools/moon_kubernetes/templates/moon_forming.yaml
@@ -10,22 +10,21 @@ spec:
 spec:
 containers:
 - name: forming
- image: wukongsun/moon_forming:v1.3
+ image: wukongsun/moon_forming:latest
 env:
 - name: POPULATE_ARGS
 value: "--verbose" # debug mode: --debug
 volumeMounts:
 - name: config-volume
 mountPath: /etc/moon
- - name: test-volume
+ - name: templates-volume
 mountPath: /data
 volumes:
 - name: config-volume
 configMap:
 name: moon-config
- - name: test-volume
- hostPath:
- path: tests/functional/scenario_enabled
- type: Directory
+ - name: templates-volume
+ configMap:
+ name: moon-policy-templates
 restartPolicy: Never
 #backoffLimit: 4
\ No newline at end of file
-- 
cgit 1.2.3-korg
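Review bot: `image: wukongsun/moon_forming:latest` drops the pinned `v1.3` tag, so the forming job now runs whatever the registry currently labels `latest` and two deployments of this same commit can execute different code; pin a version tag, or better an immutable digest such as `image: wukongsun/moon_forming@sha256:<digest-placeholder>`, and bump it deliberately alongside the Changelog. With a `latest` tag Kubernetes also defaults `imagePullPolicy` to `Always`, so every job run becomes dependent on registry availability. Replacing the `hostPath` mount with the `moon-policy-templates` ConfigMap is a clear improvement, since the job no longer relies on a node-local directory; a comment on the volume naming the script that creates the ConfigMap (start_moon.sh) would tie the two files together for the next reader.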