author | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
---|---|---|
committer | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
commit | 7bb53c64da2dcf88894bfd31503accdd81498f3d (patch) | |
tree | 4310e12366818af27947b5e2c80cb162da93a4b5 /moon_engine/conf | |
parent | cbea4e360e9bfaa9698cf7c61c83c96a1ba89b8c (diff) |
Update to new version 5.4 (HEAD, stable/jerma, master)
Signed-off-by: Thomas Duval <thomas.duval@orange.com>
Change-Id: Idcd868133d75928a1ffd74d749ce98503e0555ea
Diffstat (limited to 'moon_engine/conf')
-rw-r--r-- | moon_engine/conf/config.cfg | 12 | ||||
-rw-r--r-- | moon_engine/conf/moon.yaml | 58 | ||||
-rw-r--r-- | moon_engine/conf/moon_engine_users.json | 1 | ||||
-rw-r--r-- | moon_engine/conf/policy_mls.json | 495 | ||||
-rw-r--r-- | moon_engine/conf/policy_rbac.json | 393 | ||||
-rw-r--r-- | moon_engine/conf/policy_rbac_mls.json | 525 |
6 files changed, 1484 insertions, 0 deletions
diff --git a/moon_engine/conf/config.cfg b/moon_engine/conf/config.cfg
new file mode 100644
index 00000000..4a7ea99c
--- /dev/null
+++ b/moon_engine/conf/config.cfg
@@ -0,0 +1,12 @@
+# Copyright 2018 Orange and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+# configuration for Gunicorn
+bind = "127.0.0.1:8081"
+workers = 2
+pid_file_dir = "/tmp/"
+
+# configuration for moon_engine
+moon = "conf/moon.yaml"
diff --git a/moon_engine/conf/moon.yaml b/moon_engine/conf/moon.yaml
new file mode 100644
index 00000000..b46c219e
--- /dev/null
+++ b/moon_engine/conf/moon.yaml
@@ -0,0 +1,58 @@
+type: "pipeline"
+uuid:
+manager_url: ""
+incremental_updates: false
+api_token:
+data: conf/policy_rbac.json
+debug: true
+
+management:
+ password: admin
+ url:
+ user: admin
+ token_file: moon_engine_users.json
+
+orchestration:
+ driver: moon_engine.plugins.pyorchestrator
+ connection: local
+ port: 20000...20100
+ config_dir: /tmp
+
+authorization:
+ driver: moon_engine.plugins.authz
+
+plugins:
+ directory: /tmp
+
+logging:
+ version: 1
+
+ formatters:
+ brief:
+ format: "%(levelname)s %(name)s %(message)-30s"
+ custom:
+ format: "%(asctime)-15s %(levelname)s %(name)s %(message)s"
+
+ handlers:
+ console:
+ class : logging.StreamHandler
+ formatter: custom
+ level : INFO
+ stream : ext://sys.stdout
+ file:
+ class : logging.handlers.RotatingFileHandler
+ formatter: custom
+ level : DEBUG
+ filename: /tmp/moon_engine.log
+ maxBytes: 1048576
+ backupCount: 3
+
+ loggers:
+ moon:
+ level: DEBUG
+ handlers: [console, file]
+ propagate: no
+
+ root:
+ level: ERROR
+ handlers: [console]
diff --git a/moon_engine/conf/moon_engine_users.json b/moon_engine/conf/moon_engine_users.json
new file mode 100644
index 00000000..e9b18176
--- /dev/null
+++ b/moon_engine/conf/moon_engine_users.json
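Review bot: In config.cfg, `pid_file_dir = "/tmp/"` places the Gunicorn PID files in a world-writable directory, so any local account can pre-create or replace the file at the expected name before the service or its init script reads it. Point the setting at a directory owned by the service account instead, for example `pid_file_dir = "<service-owned runtime dir>/"` (placeholder), created with restrictive permissions at install time. The loopback `bind = "127.0.0.1:8081"` is a reasonable default; a comment such as `# loopback only; put TLS and authentication in front before exposing this port` would stop it being widened casually.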
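Review bot: In moon.yaml the `management` block commits `user: admin` with `password: admin` as the shipped default, and `plugins.directory`, `orchestration.config_dir` and the DEBUG-level `filename: /tmp/moon_engine.log` all point into world-writable `/tmp`. If the engine loads code from the plugin directory (presumably, given the key name; the loader is not part of this diff), any local account could influence what runs inside the authorization service, and the DEBUG log is exposed to the same accounts. I would ship `password:` empty with a comment `# required: set at deploy time, never commit a value`, move the three paths to service-owned directories (e.g. `directory: <service-owned plugin dir>`, placeholder), and default to `debug: false`.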
@@ -0,0 +1 @@
+{"_default": {}}
\ No newline at end of file
diff --git a/moon_engine/conf/policy_mls.json b/moon_engine/conf/policy_mls.json
new file mode 100644
index 00000000..eac3220a
--- /dev/null
+++ b/moon_engine/conf/policy_mls.json
@@ -0,0 +1,495 @@ +{ + "policies": [ + { + "name": "MLS Policy", + "genre": "authz", + "description": "MLS policy", + "model": { + "name": "MLS" + }, + "mandatory": true, + "override": true + } + ], + "models": [ + { + "name": "MLS", + "description": "", + "meta_rules": [ + { + "name": "mls" + } + ], + "override": true + } + ], + "subjects": [ + { + "name": "admin", + "description": "", + "extra": {}, + "policies": [ + { + "name": "MLS Policy" + } + ] + }, + { + "name": "demo", + "description": "", + "extra": {}, + "policies": [ + { + "name": "MLS Policy" + } + ] + } + ], + "subject_categories": [ + { + "name": "level", + "description": "subject level" + } + ], + "subject_data": [ + { + "name": "high", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "medium", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "low", + "description": "", + "policies": [], + "category": { + "name": "level" + } + } + ], + "subject_assignments": [ + { + "subject": {"name": "admin"}, + "category": {"name": "level"}, + "assignments": [{"name": "high"}] + }, + { + "subject": {"name": "demo"}, + "category": {"name": "level"}, + "assignments": [{"name": "low"}] + } + ], + "objects": [ + { + "name": "vm1", + "description": "", + "extra": {}, + "policies": [ + { + "name": "MLS Policy" + } + ] + }, + { + "name": "vm2", + "description": "", + "extra": {}, + "policies": [ + { + "name": "MLS Policy" + } + ] + }, + { + "name": "vm3", + "description": "", + "extra": {}, + "policies": [ + { + "name": "MLS Policy" + } + ] + } + ], + "object_categories": [ + { + "name": "level", + "description": "object level" + } + ], + "object_data": [ + { + "name": "high", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "medium", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "low", + "description": "", + "policies": [], + 
"category": { + "name": "level" + } + } + ], + "object_assignments": [ + { + "object": {"name": "vm1"}, + "category": {"name": "level"}, + "assignments": [{"name": "high"}] + }, + { + "object": {"name": "vm2"}, + "category": {"name": "level"}, + "assignments": [{"name": "medium"}] + }, + { + "object": {"name": "vm3"}, + "category": {"name": "level"}, + "assignments": [{"name": "low"}] + } + ], + "actions": [ + { + "name": "use_image", + "description": "use_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "get_images", + "description": "get_images action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "update_image", + "description": "update_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "set_image", + "description": "set_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + } + ], + "action_categories": [ + { + "name": "type", + "description": "" + } + ], + "action_data": [ + { + "name": "read", + "description": "read action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "write", + "description": "write action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "execute", + "description": "execute action", + "policies": [], + "category": { + "name": "type" + } + } + ], + "action_assignments": [ + { + "action": {"name": "use_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "execute"}] + }, + { + "action": {"name": "update_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "write"}] + }, + { + "action": {"name": "set_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "write"}] + }, + { + "action": {"name": "get_images"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}] + } + ], + "meta_rules": [ + { + "name": "mls", + 
"description": "", + "subject_categories": [{"name": "level"}], + "object_categories": [{"name": "level"}], + "action_categories": [{"name": "type"}] + } + ], + "rules": [ + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": 
[{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": 
[{"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "mls"}, + "rule": { + "subject_data": [{"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + } + ], + "checks": { + "granted": [ + ["admin", "vm1", "get_images"], + ["admin", "vm1", "set_image"], + ["admin", "vm1", "use_image"], + ["admin", "vm2", "get_images"], + ["admin", "vm2", "set_image"], + ["admin", "vm3", "get_images"], + ["demo", "vm1", "get_images"], + ["demo", "vm1", "set_image"], + ["demo", "vm2", "get_images"], + ["demo", "vm1", "get_images"] + ], + "denied": [ + ["admin", "vm2", "update_image"], + ["admin", "vm3", "set_image"], + ["admin", "vm3", "update_image"], + ["demo", "vm1", "update_image"], + ["demo", "vm2", "set_image"], + ["demo", "vm2", "update_image"], + ["demo", "vm3", "get_images"], + ["demo", "vm3", "set_image"], + ["demo", "vm3", "update_image"] + ] + } +}
\ No newline at end of file
diff --git a/moon_engine/conf/policy_rbac.json b/moon_engine/conf/policy_rbac.json
new file mode 100644
index 00000000..a4bc959c
--- /dev/null
+++ b/moon_engine/conf/policy_rbac.json
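Review bot: The `checks` block at the end of policy_mls.json looks copied from policy_rbac.json and does not agree with the MLS rules above it. `["demo", "vm1", "get_images"]` is listed under `granted` although `demo` is assigned `low`, `vm1` is `high` and no rule grants low/high/read, while `["demo", "vm3", "get_images"]` sits under `denied` although the low/low/read rule grants it. The same block is repeated verbatim in policy_rbac_mls.json, and `["demo", "vm1", "get_images"]` appears twice in `granted` in all three policy files. If these lists serve as expected decisions for a self-test (the consumer is not in this diff), they should be regenerated per model so that a wrong grant is actually caught. Separately, the rules grant `write` from `high` subjects to `medium` and `low` objects, which is a write-down in the usual MLS sense; the policy `description` should say whether that is intended.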
@@ -0,0 +1,393 @@ +{ + "policies": [ + { + "name": "RBAC Policy", + "genre": "authz", + "description": "RBAC policy", + "model": { + "name": "RBAC" + }, + "mandatory": true, + "override": true + } + ], + "models": [ + { + "name": "RBAC", + "description": "", + "meta_rules": [ + { + "name": "rbac" + } + ], + "override": true + } + ], + "subjects": [ + { + "name": "admin", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC Policy" + } + ] + }, + { + "name": "demo", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC Policy" + } + ] + } + ], + "subject_categories": [ + { + "name": "role", + "description": "role of a user" + } + ], + "subject_data": [ + { + "name": "admin", + "description": "", + "policies": [], + "category": { + "name": "role" + } + }, + { + "name": "user", + "description": "", + "policies": [], + "category": { + "name": "role" + } + } + ], + "subject_assignments": [ + { + "subject": {"name": "admin"}, + "category": {"name": "role"}, + "assignments": [{"name": "admin"}] + }, + { + "subject": {"name": "admin"}, + "category": {"name": "role"}, + "assignments": [{"name": "user"}] + }, + { + "subject": {"name": "demo"}, + "category": {"name": "role"}, + "assignments": [{"name": "user"}] + } + ], + "objects": [ + { + "name": "vm1", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC Policy" + } + ] + }, + { + "name": "vm2", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC Policy" + } + ] + }, + { + "name": "vm3", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC Policy" + } + ] + } + ], + "object_categories": [ + { + "name": "id", + "description": "identification of the object" + } + ], + "object_data": [ + { + "name": "vm1", + "description": "", + "policies": [], + "category": { + "name": "id" + } + }, + { + "name": "vm2", + "description": "", + "policies": [], + "category": { + "name": "id" + } + }, + { + "name": "vm3", + "description": "", + 
"policies": [], + "category": { + "name": "id" + } + } + ], + "object_assignments": [ + { + "object": {"name": "vm1"}, + "category": {"name": "id"}, + "assignments": [{"name": "vm1"}] + }, + { + "object": {"name": "vm2"}, + "category": {"name": "id"}, + "assignments": [{"name": "vm2"}] + }, + { + "object": {"name": "vm3"}, + "category": {"name": "id"}, + "assignments": [{"name": "vm3"}] + } + ], + "actions": [ + { + "name": "use_image", + "description": "use_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "get_images", + "description": "get_images action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "update_image", + "description": "update_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "set_image", + "description": "set_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + } + ], + "action_categories": [ + { + "name": "type", + "description": "" + } + ], + "action_data": [ + { + "name": "read", + "description": "read action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "write", + "description": "write action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "execute", + "description": "execute action", + "policies": [], + "category": { + "name": "type" + } + } + ], + "action_assignments": [ + { + "action": {"name": "use_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "execute"}] + }, + { + "action": {"name": "update_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "write"}] + }, + { + "action": {"name": "set_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "write"}] + }, + { + "action": {"name": "get_images"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}] + } + ], + "meta_rules": [ + { + "name": "rbac", + 
"description": "", + "subject_categories": [{"name": "role"}], + "object_categories": [{"name": "id"}], + "action_categories": [{"name": "type"}] + } + ], + "rules": [ + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm1"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm1"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm1"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm2"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm2"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "admin"}], + "object_data": [{"name": "vm3"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "user"}], + "object_data": [{"name": "vm1"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": 
[{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "user"}], + "object_data": [{"name": "vm1"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac"}, + "rule": { + "subject_data": [{"name": "user"}], + "object_data": [{"name": "vm2"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + } + ], + "checks": { + "granted": [ + ["admin", "vm1", "get_images"], + ["admin", "vm1", "set_image"], + ["admin", "vm1", "use_image"], + ["admin", "vm2", "get_images"], + ["admin", "vm2", "set_image"], + ["admin", "vm3", "get_images"], + ["demo", "vm1", "get_images"], + ["demo", "vm1", "set_image"], + ["demo", "vm2", "get_images"], + ["demo", "vm1", "get_images"] + ], + "denied": [ + ["admin", "vm2", "update_image"], + ["admin", "vm3", "set_image"], + ["admin", "vm3", "update_image"], + ["demo", "vm1", "update_image"], + ["demo", "vm2", "set_image"], + ["demo", "vm2", "update_image"], + ["demo", "vm3", "get_images"], + ["demo", "vm3", "set_image"], + ["demo", "vm3", "update_image"] + ] + } +}
\ No newline at end of file
diff --git a/moon_engine/conf/policy_rbac_mls.json b/moon_engine/conf/policy_rbac_mls.json
new file mode 100644
index 00000000..beb4e3ec
--- /dev/null
+++ b/moon_engine/conf/policy_rbac_mls.json
@@ -0,0 +1,525 @@ +{ + "policies": [ + { + "name": "RBAC+MLS Policy", + "genre": "authz", + "description": "RBAC+MLS policy", + "model": { + "name": "RBACMLS" + }, + "mandatory": true, + "override": true + } + ], + "models": [ + { + "name": "RBACMLS", + "description": "", + "meta_rules": [ + { + "name": "rbac_mls" + } + ], + "override": true + } + ], + "subjects": [ + { + "name": "admin", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC+MLS Policy" + } + ] + }, + { + "name": "demo", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC+MLS Policy" + } + ] + } + ], + "subject_categories": [ + { + "name": "role", + "description": "role of a user" + }, + { + "name": "level", + "description": "subject level" + } + ], + "subject_data": [ + { + "name": "high", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "admin", + "description": "", + "policies": [], + "category": { + "name": "role" + } + }, + { + "name": "member", + "description": "", + "policies": [], + "category": { + "name": "role" + } + }, + { + "name": "medium", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "low", + "description": "", + "policies": [], + "category": { + "name": "level" + } + } + ], + "subject_assignments": [ + { + "subject": {"name": "admin"}, + "category": {"name": "role"}, + "assignments": [{"name": "admin"}] + }, + { + "subject": {"name": "demo"}, + "category": {"name": "role"}, + "assignments": [{"name": "member"}] + }, + { + "subject": {"name": "admin"}, + "category": {"name": "level"}, + "assignments": [{"name": "high"}] + }, + { + "subject": {"name": "demo"}, + "category": {"name": "level"}, + "assignments": [{"name": "low"}] + } + ], + "objects": [ + { + "name": "vm1", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC+MLS Policy" + } + ] + }, + { + "name": "vm2", + "description": "", + "extra": {}, + "policies": [ + { + "name": 
"RBAC+MLS Policy" + } + ] + }, + { + "name": "vm3", + "description": "", + "extra": {}, + "policies": [ + { + "name": "RBAC+MLS Policy" + } + ] + } + ], + "object_categories": [ + { + "name": "level", + "description": "object level" + } + ], + "object_data": [ + { + "name": "high", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "medium", + "description": "", + "policies": [], + "category": { + "name": "level" + } + }, + { + "name": "low", + "description": "", + "policies": [], + "category": { + "name": "level" + } + } + ], + "object_assignments": [ + { + "object": {"name": "vm1"}, + "category": {"name": "level"}, + "assignments": [{"name": "high"}] + }, + { + "object": {"name": "vm2"}, + "category": {"name": "level"}, + "assignments": [{"name": "medium"}] + }, + { + "object": {"name": "vm3"}, + "category": {"name": "level"}, + "assignments": [{"name": "low"}] + } + ], + "actions": [ + { + "name": "use_image", + "description": "use_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "get_images", + "description": "get_images action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "update_image", + "description": "update_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + }, + { + "name": "set_image", + "description": "set_image action for glance", + "extra": { + "component": "glance" + }, + "policies": [] + } + ], + "action_categories": [ + { + "name": "type", + "description": "" + } + ], + "action_data": [ + { + "name": "read", + "description": "read action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "write", + "description": "write action", + "policies": [], + "category": { + "name": "type" + } + }, + { + "name": "execute", + "description": "execute action", + "policies": [], + "category": { + "name": "type" + } + } + ], + "action_assignments": [ + { + 
"action": {"name": "use_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "execute"}] + }, + { + "action": {"name": "update_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}, {"name": "write"}] + }, + { + "action": {"name": "set_image"}, + "category": {"name": "type"}, + "assignments": [{"name": "write"}] + }, + { + "action": {"name": "get_images"}, + "category": {"name": "type"}, + "assignments": [{"name": "read"}] + } + ], + "meta_rules": [ + { + "name": "rbac_mls", + "description": "", + "subject_categories": [{"name": "role"}, {"name": "level"}], + "object_categories": [{"name": "level"}], + "action_categories": [{"name": "type"}] + } + ], + "rules": [ + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": 
"admin"}, {"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "read"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + 
"meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "write"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "high"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "high"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "medium"}], + "object_data": [{"name": "medium"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "medium"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": "RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + }, + { + "meta_rule": {"name": "rbac_mls"}, + "rule": { + "subject_data": [{"name": "admin"}, {"name": "low"}], + "object_data": [{"name": "low"}], + "action_data": [{"name": "execute"}] + }, + "policy": {"name": 
"RBAC+MLS Policy"}, + "instructions": [{"decision": "grant"}], + "enabled": true + } + ], + "checks": { + "granted": [ + ["admin", "vm1", "get_images"], + ["admin", "vm1", "set_image"], + ["admin", "vm1", "use_image"], + ["admin", "vm2", "get_images"], + ["admin", "vm2", "set_image"], + ["admin", "vm3", "get_images"], + ["demo", "vm1", "get_images"], + ["demo", "vm1", "set_image"], + ["demo", "vm2", "get_images"], + ["demo", "vm1", "get_images"] + ], + "denied": [ + ["admin", "vm2", "update_image"], + ["admin", "vm3", "set_image"], + ["admin", "vm3", "update_image"], + ["demo", "vm1", "update_image"], + ["demo", "vm2", "set_image"], + ["demo", "vm2", "update_image"], + ["demo", "vm3", "get_images"], + ["demo", "vm3", "set_image"], + ["demo", "vm3", "update_image"] + ] + } +}
\ No newline at end of file |
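Review bot: Every rule in policy_rbac_mls.json has `{"name": "admin"}` as the role element of `subject_data`, so the `member` role assigned to `demo` is never referenced by a rule. Assuming a rule matches only when all listed subject data are assigned to the subject, `demo` is granted nothing here, which contradicts the `demo` entries under `checks.granted`. The rules pairing `admin` with `medium` or `low` also cannot fire with the assignments in this file, because subject `admin` is only assigned level `high`. Either add the intended `member` rules or state the deny-all intent in the policy text, e.g. `"description": "RBAC+MLS policy; role member has no grants"`, and drop or document the unreachable admin/medium and admin/low rules.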