authorWuKong <rebirthmonkey@gmail.com>2015-07-08 18:29:07 +0200
committerWuKong <rebirthmonkey@gmail.com>2015-07-08 18:29:07 +0200
commite4d3af31c2835909abafafd3711822fe4eed2a84 (patch)
tree1e5f5762ca0e19b5f34dcdacf01e1c94897f2f65 /keystone-moon
parent8bb53c04f2cf12f1aa6dd2ae0af46cbfcd758265 (diff)
add a new example of policy for release 2 of moon
Change-Id: I6c64ddecb6c7ed3f3947b9582e40e945ec76ed21 Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'keystone-moon')
-rw-r--r--keystone-moon/examples/moon/policies/policy_r2/assignment.json70
-rw-r--r--keystone-moon/examples/moon/policies/policy_r2/metadata.json23
-rw-r--r--keystone-moon/examples/moon/policies/policy_r2/metarule.json24
-rw-r--r--keystone-moon/examples/moon/policies/policy_r2/rule.json41
4 files changed, 158 insertions, 0 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_r2/assignment.json b/keystone-moon/examples/moon/policies/policy_r2/assignment.json
new file mode 100644
index 00000000..f907de5a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/assignment.json
@@ -0,0 +1,70 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "user1": ["high"],
+ "user2": ["medium"],
+ "user3": ["low"]
+ },
+ "domain":{
+ "user1": ["ft"],
+ "user2": ["ft"],
+ "user3": ["xxx"]
+ },
+ "role": {
+ "user1": ["admin"],
+ "user2": ["dev"],
+ "user3": ["admin", "dev"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"]
+ "upload": ["storage_admin"]
+ },
+ "access": {
+ "pause": ["write"],
+ "unpause": ["write"],
+ "start": ["write"],
+ "stop": ["write"],
+ "list": ["read"],
+ "create": ["write"]
+ "storage_list": ["read"],
+ "download": ["read"],
+ "post": ["write"]
+ "upload": ["write"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"],
+ "vm1": ["low"],
+ "vm2": ["medium"],
+ "file1": ["low"],
+ "file2": ["medium"]
+ },
+ "type": {
+ "servers": ["computing"],
+ "vm1": ["computing"],
+ "vm2": ["computing"],
+ "file1": ["storage"],
+ "file2": ["storage"]
+ },
+ "id": {
+ "servers": ["servers"],
+ "vm1": ["vm1"],
+ "vm2": ["vm2"],
+ "file1": ["file1"],
+ "file2": ["file2"]
+ }
+ }
+}
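Review bot: assignment.json is not valid JSON as added: the commas are missing after `"create": ["vm_admin"]` and `"post": ["storage_admin"]` in `resource_action`, and after `"create": ["write"]` and `"post": ["write"]` in `access`, so a strict RFC 8259 parser rejects the whole file at the first of them. Each of the four lines needs a trailing comma, e.g. `"create": ["vm_admin"],` and `"post": ["storage_admin"],`. Since this file carries the action-to-category assignments the policy's rules are evaluated against, it is worth confirming that the loader fails loudly on a parse error rather than proceeding with an empty assignment set; that behaviour is not visible in this commit. The same class of problem appears in rule.json in this commit.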
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metadata.json b/keystone-moon/examples/moon/policies/policy_r2/metadata.json
new file mode 100644
index 00000000..4a5a5a1a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/metadata.json
@@ -0,0 +1,23 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "subject_security_level",
+ "domain",
+ "role"
+ ],
+
+ "action_categories": [
+ "resource_action",
+ "access"
+ ],
+
+ "object_categories": [
+ "object_security_level",
+ "type",
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metarule.json b/keystone-moon/examples/moon/policies/policy_r2/metarule.json
new file mode 100644
index 00000000..df683ca9
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/metarule.json
@@ -0,0 +1,24 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ },
+ "dte_rule": {
+ "subject_categories": ["domain"],
+ "action_categories": ["access"],
+ "object_categories": ["type"],
+ "algorithm": "inclusion"
+ },
+ "rbac_rule": {
+ "subject_categories": ["role", "domain"],
+ "action_categories": ["access"],
+ "object_categories": ["id"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_r2/rule.json b/keystone-moon/examples/moon/policies/policy_r2/rule.json
new file mode 100644
index 00000000..348f6d63
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_r2/rule.json
@@ -0,0 +1,41 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ],
+ "dte_rule":[
+ ["ft", "read", "computing"],
+ ["ft", "write", "computing"],
+ ["ft", "read", "storage"],
+ ["ft", "write", "storage"],
+ ["xxx", "read", "storage"]
+ ],
+ "rbac_rule":[
+ [dev", "xxx", "read", "servers"],
+ ["dev", "xxx", "read", "vm1"],
+ ["dev", "xxx", "read", "vm2"],
+ ["dev", "xxx", "read", "file1"],
+ ["dev", "xxx", "read", "file2"],
+ ["dev", "xxx", "write", "vm1"],
+ ["dev", "xxx", "write", "vm2"],
+ ["dev", "xxx", "write", "file1"],
+ ["dev", "xxx", "write", "file2"],
+ ["admin", "xxx", "read", "servers"],
+ ["admin", "ft", "read", "servers"],
+ ["admin", "ft", "read", "vm1"],
+ ["admin", "ft", "read", "vm2"],
+ ["admin", "ft", "read", "file1"],
+ ["admin", "ft", "read", "file2"],
+ ["admin", "ft", "write", "vm1"],
+ ["admin", "ft", "write", "vm2"],
+ ["admin", "ft", "write", "file1"],
+ ["admin", "ft", "write", "file2"]
+ ],
+}
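Review bot: rule.json is also not valid JSON: the first `rbac_rule` tuple is missing its opening quote and should read `["dev", "xxx", "read", "servers"],`, and the `],` closing `rbac_rule` leaves a trailing comma before the final `}`, which strict parsers reject; it should be `]`. Because this file is the authorization rule set for the example policy, a rejected file means either no rules load or the load aborts, depending on the loader, which this commit does not show — confirm which, and consider running the four files through `python -m json.tool` before merging. The example otherwise reads consistently with metarule.json: each `rbac_rule` tuple carries the two subject categories (`role`, `domain`) declared for it, and the `mls_rule` and `dte_rule` tuples each carry three values.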