author | WuKong <rebirthmonkey@gmail.com> | 2015-07-08 18:29:07 +0200 |
---|---|---|
committer | WuKong <rebirthmonkey@gmail.com> | 2015-07-08 18:29:07 +0200 |
commit | e4d3af31c2835909abafafd3711822fe4eed2a84 (patch) | |
tree | 1e5f5762ca0e19b5f34dcdacf01e1c94897f2f65 | |
parent | 8bb53c04f2cf12f1aa6dd2ae0af46cbfcd758265 (diff) |
add a new example of policy for release 2 of moon
Change-Id: I6c64ddecb6c7ed3f3947b9582e40e945ec76ed21
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
4 files changed, 158 insertions, 0 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_r2/assignment.json b/keystone-moon/examples/moon/policies/policy_r2/assignment.json
new file mode 100644
index 00000000..f907de5a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/assignment.json
@@ -0,0 +1,70 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "user1": ["high"],
+ "user2": ["medium"],
+ "user3": ["low"]
+ },
+ "domain":{
+ "user1": ["ft"],
+ "user2": ["ft"],
+ "user3": ["xxx"]
+ },
+ "role": {
+ "user1": ["admin"],
+ "user2": ["dev"],
+ "user3": ["admin", "dev"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"]
+ "upload": ["storage_admin"]
+ },
+ "access": {
+ "pause": ["write"],
+ "unpause": ["write"],
+ "start": ["write"],
+ "stop": ["write"],
+ "list": ["read"],
+ "create": ["write"]
+ "storage_list": ["read"],
+ "download": ["read"],
+ "post": ["write"]
+ "upload": ["write"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"],
+ "vm1": ["low"],
+ "vm2": ["medium"],
+ "file1": ["low"],
+ "file2": ["medium"]
+ },
+ "type": {
+ "servers": ["computing"],
+ "vm1": ["computing"],
+ "vm2": ["computing"],
+ "file1": ["storage"],
+ "file2": ["storage"]
+ },
+ "id": {
+ "servers": ["servers"],
+ "vm1": ["vm1"],
+ "vm2": ["vm2"],
+ "file1": ["file1"],
+ "file2": ["file2"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metadata.json b/keystone-moon/examples/moon/policies/policy_r2/metadata.json
new file mode 100644
index 00000000..4a5a5a1a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/metadata.json
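Review bot: assignment.json is not valid JSON: four object members lack the separating comma — `"create": ["vm_admin"]` and `"post": ["storage_admin"]` in `resource_action`, and `"create": ["write"]` and `"post": ["write"]` in `access` — so a strict parser rejects the file and the example policy cannot be loaded at all. Each of the four lines needs a trailing comma, e.g. `"create": ["vm_admin"],`. Because this is an authorization policy, it is worth confirming that the policy loader (not visible in this commit) fails closed on a malformed file instead of continuing with an empty or partial assignment set. Running `python -m json.tool` over the four new files before committing would have caught this and the similar breakage in rule.json.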
@@ -0,0 +1,23 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "subject_security_level",
+ "domain",
+ "role"
+ ],
+
+ "action_categories": [
+ "resource_action",
+ "access"
+ ],
+
+ "object_categories": [
+ "object_security_level",
+ "type",
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metarule.json b/keystone-moon/examples/moon/policies/policy_r2/metarule.json
new file mode 100644
index 00000000..df683ca9
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/metarule.json
@@ -0,0 +1,24 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ },
+ "dte_rule": {
+ "subject_categories": ["domain"],
+ "action_categories": ["access"],
+ "object_categories": ["type"],
+ "algorithm": "inclusion"
+ },
+ "rbac_rule": {
+ "subject_categories": ["role", "domain"],
+ "action_categories": ["access"],
+ "object_categories": ["id"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_r2/rule.json b/keystone-moon/examples/moon/policies/policy_r2/rule.json
new file mode 100644
index 00000000..348f6d63
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/rule.json
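Review bot: The `description` in metadata.json reads "Multi Layer Security" while `model` is `MLS`, which conventionally expands to Multi-Level Security; the `mls_rule` of this policy orders subjects and objects by `high`/`medium`/`low` security level, which is the multi-level reading. Suggest `"description": "Multi-Level Security authorization policy",` so the example's wording matches the model it demonstrates.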
@@ -0,0 +1,41 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ],
+ "dte_rule":[
+ ["ft", "read", "computing"],
+ ["ft", "write", "computing"],
+ ["ft", "read", "storage"],
+ ["ft", "write", "storage"],
+ ["xxx", "read", "storage"]
+ ],
+ "rbac_rule":[
+ [dev", "xxx", "read", "servers"],
+ ["dev", "xxx", "read", "vm1"],
+ ["dev", "xxx", "read", "vm2"],
+ ["dev", "xxx", "read", "file1"],
+ ["dev", "xxx", "read", "file2"],
+ ["dev", "xxx", "write", "vm1"],
+ ["dev", "xxx", "write", "vm2"],
+ ["dev", "xxx", "write", "file1"],
+ ["dev", "xxx", "write", "file2"],
+ ["admin", "xxx", "read", "servers"],
+ ["admin", "ft", "read", "servers"],
+ ["admin", "ft", "read", "vm1"],
+ ["admin", "ft", "read", "vm2"],
+ ["admin", "ft", "read", "file1"],
+ ["admin", "ft", "read", "file2"],
+ ["admin", "ft", "write", "vm1"],
+ ["admin", "ft", "write", "vm2"],
+ ["admin", "ft", "write", "file1"],
+ ["admin", "ft", "write", "file2"]
+ ],
+} |
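Review bot: rule.json is also not valid JSON: the first `rbac_rule` tuple `[dev", "xxx", "read", "servers"],` is missing the opening quote on `dev`, and the `],` closing the `rbac_rule` array leaves a trailing comma before the final `}`. The fix is `["dev", "xxx", "read", "servers"],` and dropping the comma from the last `]`. The malformed tuple is itself a permission grant, so if any consumer parsed this file leniently and skipped or re-tokenized that entry, the effective policy would silently differ from the intended one; strict parsing with a fail-closed loader is the safer expectation, though the loader is not part of this commit. assignment.json in the same commit has the related missing-comma problem.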