diff options
| author |   WuKong <rebirthmonkey@gmail.com> | 2017-12-23 21:49:35 +0100 |
|---|---|---|
| committer | WuKong <rebirthmonkey@gmail.com> | 2017-12-23 21:49:58 +0100 |
| commit | 1100c66ce03a059ebe7ece9734e799b49b3a5a9e (patch) | |
| tree | a057e7e7511f6675a9327b79e6919f07c5f89f07 /moon_orchestrator | |
| parent | 7a4dfdde6314476ae2a1a1c881ff1e3c430f790e (diff) | |
moonv4 cleanup
Change-Id: Icef927f3236d985ac13ff7376f6ce6314b2b39b0
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
Diffstat (limited to 'moon_orchestrator')
60 files changed, 2861 insertions, 0 deletions
diff --git a/moon_orchestrator/Changelog b/moon_orchestrator/Changelog new file mode 100644 index 00000000..31aabf5d --- /dev/null +++ b/moon_orchestrator/Changelog @@ -0,0 +1,25 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +CHANGES +======= + +0.1.0 +----- +- First version of the moon_orchestrator library. + +1.0.0 +----- +- First public version of the moon_orchestrator library. + +1.0.1 +----- +- add Changelog + +1.1.0 +----- +- add bootstrap file to start Orchestrator with all configuration + diff --git a/moon_orchestrator/Dockerfile b/moon_orchestrator/Dockerfile new file mode 100644 index 00000000..aafe1784 --- /dev/null +++ b/moon_orchestrator/Dockerfile @@ -0,0 +1,15 @@ +FROM ubuntu:latest + +ENV CONSUL_HOST=consul +ENV CONSUL_PORT=8500 + +RUN apt update && apt install python3.5 python3-pip python3-mysql.connector -y +RUN pip3 install pip --upgrade + +ADD . /root +WORKDIR /root/ +RUN pip3 install -r requirements.txt --upgrade +#RUN pip3 install /root/dist/* --upgrade +RUN pip3 install . --upgrade + +CMD ["python3", "-m", "moon_orchestrator"]
\ No newline at end of file diff --git a/moon_orchestrator/LICENSE b/moon_orchestrator/LICENSE new file mode 100644 index 00000000..d6456956 --- /dev/null +++ b/moon_orchestrator/LICENSE @@ -0,0 +1,202 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/moon_orchestrator/MANIFEST.in b/moon_orchestrator/MANIFEST.in new file mode 100644 index 00000000..8de5a391 --- /dev/null +++ b/moon_orchestrator/MANIFEST.in @@ -0,0 +1,10 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +include README.rst +include LICENSE +include setup.py +include requirements.txt +graft conf diff --git a/moon_orchestrator/README.md b/moon_orchestrator/README.md new file mode 100644 index 00000000..d4cdc4fb --- /dev/null +++ b/moon_orchestrator/README.md @@ -0,0 +1,3 @@ +# Moon Orchestrator +Internal orchestrator used for the Moon framework + diff --git a/moon_orchestrator/conf/dockers/template.dockerfile b/moon_orchestrator/conf/dockers/template.dockerfile new file mode 100644 index 00000000..6bb8a0c6 --- /dev/null +++ b/moon_orchestrator/conf/dockers/template.dockerfile @@ -0,0 +1,25 @@ +# Pull base image. +FROM ubuntu:latest + +{{ proxy }} + +RUN apt-get update && apt-get install python3.5 python3-pip -y + +ADD dist/moon_utilities-0.1.0.tar.gz /root +WORKDIR /root/moon_utilities-0.1.0 +RUN pip3 install pip --upgrade +RUN pip3 install --upgrade -r requirements.txt +RUN pip3 install --upgrade . + +ADD dist/moon_db-0.1.0.tar.gz /root +WORKDIR /root/moon_db-0.1.0 +RUN pip3 install --upgrade -r requirements.txt +RUN pip3 install --upgrade . + +{{ run }} + +{% for port in ports %} +EXPOSE {{ port }} +{% endfor %} + +CMD {{ cmd }} diff --git a/moon_orchestrator/conf/moon.conf b/moon_orchestrator/conf/moon.conf new file mode 100644 index 00000000..49086d48 --- /dev/null +++ b/moon_orchestrator/conf/moon.conf @@ -0,0 +1,84 @@ +database: + url: mysql+pymysql://moon:p4sswOrd1@db/moon + driver: sql + +messenger: + url: rabbit://moon:p4sswOrd1@messenger:5672/moon + +docker: + url: tcp://172.88.88.1:2376 + network: moon + +slave: + name: + master: + url: + login: + password: + +openstack: + keystone: + url: http://keystone:5000/v3 + user: admin + password: p4ssw0rd + domain: default + project: admin + check_token: false + certificate: false + +plugins: + authz: + container: wukongsun/moon_authz:v4.1 + session: + container: asteroide/session:latest + +components: + interface: + port: 8081 + hostname: interface + bind: 0.0.0.0 + container: wukongsun/moon_interface:v4.1 + router: + container: wukongsun/moon_router:v4.1 + hostname: router + manager: + container: wukongsun/moon_manager:v4.1 + hostname: manager + orchestrator: + container: wukongsun/moon_orchestrator:v4.1 + hostname: orchestrator + port_start: 38001 + +logging: + version: 1 + + formatters: + brief: + format: "%(levelname)s %(name)s %(message)-30s" + custom: + format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" + + handlers: + console: + class : logging.StreamHandler + formatter: brief + level : INFO + stream : ext://sys.stdout + file: + class : logging.handlers.RotatingFileHandler + formatter: custom + level : DEBUG + filename: /tmp/moon.log + maxBytes: 1048576 + backupCount: 3 + + loggers: + moon: + level: DEBUG + handlers: [console, file] + propagate: no + + root: + level: ERROR + handlers: [console] + diff --git a/moon_orchestrator/conf/plugins/authz.py b/moon_orchestrator/conf/plugins/authz.py new file mode 100644 index 00000000..4a1441c9 --- /dev/null +++ b/moon_orchestrator/conf/plugins/authz.py @@ -0,0 +1,67 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import time +import hashlib +from oslo_config import cfg +from oslo_log import log as logging +import oslo_messaging +from moon_orchestrator.dockers import DockerBase + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +# TODO (asteroide): select the right template folder +TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") +# TODO (asteroide): add specific configuration options for that plugin + + +class AuthzFunction(DockerBase): + + id = "moon_authz_function" + __build = """RUN mkdir -p /etc/moon/ +COPY conf /etc/moon/ +ADD dist/{py_pkg}.tar.gz /root +WORKDIR /root/{py_pkg} +RUN pip3 install -r requirements.txt +RUN pip3 install . +""" + + def __init__(self, uuid, conf_file="", docker=None, network_config=None): + self.id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest() + super(AuthzFunction, self).__init__( + name="moon_authz", + run_cmd=["python3", "-m", "moon_authz", uuid], + conf_file=conf_file, + docker=docker, + network_config=network_config, + build_cmd=self.__build, + id=self.id, + tag="" + # tag=CONF.security_function.container + ) + # note(asteroide): time to let the new docker boot + time.sleep(3) + # self.get_status() + + def get_status(self): + return True + # transport = oslo_messaging.get_transport(CONF) + # target = oslo_messaging.Target(topic=self.id, version='1.0') + # client = oslo_messaging.RPCClient(transport, target) + # LOG.info("Calling Status on {}".format(self.id)) + # ret = client.call({"component_id": self.id}, 'get_status', args=None) + # LOG.info(ret) + # return ret + + +def run(uuid, conf_file="", docker=None, network_config=None): + return AuthzFunction(uuid, + conf_file=conf_file, + docker=docker, + network_config=network_config) diff --git a/moon_orchestrator/conf/plugins/session.py b/moon_orchestrator/conf/plugins/session.py new file mode 100644 index 00000000..6fa2cfe2 --- /dev/null +++ b/moon_orchestrator/conf/plugins/session.py @@ -0,0 +1,67 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import time +import hashlib +from oslo_config import cfg +from oslo_log import log as logging +import oslo_messaging +from moon_orchestrator.dockers import DockerBase + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +# TODO (asteroide): select the right template folder +TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") +# TODO (asteroide): add specific configuration options for that plugin + + +class AuthzFunction(DockerBase): + + id = "moon_session_function" + __build = """RUN mkdir -p /etc/moon/ +COPY conf /etc/moon/ +ADD dist/{py_pkg}.tar.gz /root +WORKDIR /root/{py_pkg} +RUN pip3 install -r requirements.txt +RUN pip3 install . +""" + + def __init__(self, uuid, conf_file="", docker=None, network_config=None): + self.id = "session_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest() + super(AuthzFunction, self).__init__( + name="moon_authz", + run_cmd=["python3", "-m", "moon_authz", uuid], + conf_file=conf_file, + docker=docker, + network_config=network_config, + build_cmd=self.__build, + id=self.id, + tag="" + # tag=CONF.security_function.container + ) + # note(asteroide): time to let the new docker boot + time.sleep(3) + # self.get_status() + + def get_status(self): + return True + # transport = oslo_messaging.get_transport(CONF) + # target = oslo_messaging.Target(topic=self.id, version='1.0') + # client = oslo_messaging.RPCClient(transport, target) + # LOG.info("Calling Status on {}".format(self.id)) + # ret = client.call({"component_id": self.id}, 'get_status', args=None) + # LOG.info(ret) + # return ret + + +def run(uuid, conf_file="", docker=None, network_config=None): + return AuthzFunction(uuid, + conf_file=conf_file, + docker=docker, + network_config=network_config) diff --git a/moon_orchestrator/conf/policies/policy_authz/assignment.json b/moon_orchestrator/conf/policies/policy_authz/assignment.json new file mode 100644 index 00000000..7a6c722e --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/assignment.json @@ -0,0 +1,55 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + }, + "domain":{ + "admin": ["ft"], + "demo": ["xx"] + }, + "role": { + "admin": ["admin"], + "demo": ["dev"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + }, + "access": { + "pause": ["write"], + "unpause": ["write"], + "start": ["write"], + "stop": ["write"], + "list": ["read"], + "create": ["write"], + "storage_list": ["read"], + "download": ["read"], + "post": ["write"], + "upload": ["write"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + }, + "type": { + "servers": ["computing"] + }, + "object_id": { + "servers": ["servers"] + } + } +} diff --git a/moon_orchestrator/conf/policies/policy_authz/metadata.json b/moon_orchestrator/conf/policies/policy_authz/metadata.json new file mode 100644 index 00000000..21a99eb2 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/metadata.json @@ -0,0 +1,23 @@ +{ + "name": "Simple_Policy", + "genre": "authz", + "description": "Simple Security Policy", + "pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"], + + "subject_categories": [ + "subject_security_level", + "domain", + "role" + ], + + "action_categories": [ + "resource_action", + "access" + ], + + "object_categories": [ + "object_security_level", + "type", + "object_id" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_authz/metarule.json b/moon_orchestrator/conf/policies/policy_authz/metarule.json new file mode 100644 index 00000000..c9afd6c2 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/metarule.json @@ -0,0 +1,24 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + }, + "dte_rule": { + "subject_categories": ["domain"], + "action_categories": ["access"], + "object_categories": ["type"], + "algorithm": "inclusion" + }, + "rbac_rule": { + "subject_categories": ["role", "domain"], + "action_categories": ["access"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moon_orchestrator/conf/policies/policy_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_authz/rule.json b/moon_orchestrator/conf/policies/policy_authz/rule.json new file mode 100644 index 00000000..25f9d93a --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/rule.json @@ -0,0 +1,25 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "high"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "medium"], + ["medium", "vm_access", "low"], + ["low", "vm_access", "low"] + ], + "dte_rule":[ + ["ft", "read", "computing"], + ["ft", "write", "computing"], + ["ft", "read", "storage"], + ["ft", "write", "storage"], + ["xx", "read", "storage"] + ], + "rbac_rule":[ + ["dev", "xx", "read", "servers"], + ["admin", "xx", "read", "servers"], + ["admin", "ft", "read", "servers"] + ] +} diff --git a/moon_orchestrator/conf/policies/policy_authz/scope.json b/moon_orchestrator/conf/policies/policy_authz/scope.json new file mode 100644 index 00000000..9b313daf --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_authz/scope.json @@ -0,0 +1,49 @@ +{ + "subject_scopes": { + "role": [ + "admin", + "dev" + ], + "subject_security_level": [ + "high", + "medium", + "low" + ], + "domain": [ + "ft", + "xx" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ], + "access": [ + "write", + "read" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ], + "type": [ + "computing", + "storage" + ], + "object_id": [ + "servers", + "vm1", + "vm2", + "file1", + "file2" + ] + } +} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json b/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json b/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json new file mode 100644 index 00000000..3c9be2e5 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "Empty_Policy", + "model": "", + "genre": "admin", + "description": "Empty Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json b/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json new file mode 100644 index 00000000..54dbfc31 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json @@ -0,0 +1,39 @@ +{ + "subjects": [], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/rule.json b/moon_orchestrator/conf/policies/policy_empty_admin/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/scope.json b/moon_orchestrator/conf/policies/policy_empty_admin/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_admin/scope.json @@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json b/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json b/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json new file mode 100644 index 00000000..4f300d78 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json b/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json new file mode 100644 index 00000000..9da8a8c0 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json @@ -0,0 +1,5 @@ +{ + "subjects": [], + "actions": [], + "objects": [] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/rule.json b/moon_orchestrator/conf/policies/policy_empty_authz/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/scope.json b/moon_orchestrator/conf/policies/policy_empty_authz/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_empty_authz/scope.json @@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json new file mode 100644 index 00000000..0712dfbc --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json @@ -0,0 +1,29 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + } + } +} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json new file mode 100644 index 00000000..c419c815 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [ + "subject_security_level" + ], + + "action_categories": [ + "resource_action" + ], + + "object_categories": [ + "object_security_level" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json new file mode 100644 index 00000000..e068927c --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moon_orchestrator/conf/policies/policy_mls_authz/rule.json new file mode 100644 index 00000000..b17dc822 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/rule.json @@ -0,0 +1,16 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "low"], + ["high", "storage_admin", "medium"], + ["high", "storage_admin", "low"], + ["medium", "storage_admin", "low"], + ["high", "storage_access", "medium"], + ["high", "storage_access", "low"], + ["medium", "storage_access", "low"] + ] +} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moon_orchestrator/conf/policies/policy_mls_authz/scope.json new file mode 100644 index 00000000..6cc1c28e --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_mls_authz/scope.json @@ -0,0 +1,26 @@ +{ + "subject_scopes": { + "subject_security_level": [ + "high", + "medium", + "low" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ] + } +} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json new file mode 100644 index 00000000..f2378333 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json @@ -0,0 +1,48 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"], + "demo": ["dev_role"] + } + }, + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + "object_assignments": { + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_scopes": ["authz.subject_scopes"], + "authz.object_scopes": ["authz.object_scopes"], + "authz.action_scopes": ["authz.action_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_scopes": ["admin.subject_scopes"], + "admin.object_scopes": ["admin.object_scopes"], + "admin.action_scopes": ["admin.action_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json new file mode 100644 index 00000000..9ee8a11d --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "RBAC Admin Policy", + "model": "RBAC", + "genre": "admin", + "description": "", + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json new file mode 100644 index 00000000..1155533e --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json @@ -0,0 +1,42 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json new file mode 100644 index 00000000..c89ceff3 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json @@ -0,0 +1,94 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_scopes"], + ["root_role" , "read", "authz.object_scopes"], + ["root_role" , "read", "authz.action_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_scopes"], + ["root_role" , "write", "authz.object_scopes"], + ["root_role" , "write", "authz.action_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_scopes"], + ["root_role" , "read", "admin.object_scopes"], + ["root_role" , "read", "admin.action_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_scopes"], + ["root_role" , "write", "admin.object_scopes"], + ["root_role" , "write", "admin.action_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"], + ["dev_role" , "read", "authz.subjects"], + ["dev_role" , "read", "authz.objects"], + ["dev_role" , "read", "authz.actions"], + ["dev_role" , "read", "authz.subject_categories"], + ["dev_role" , "read", "authz.object_categories"], + ["dev_role" , "read", "authz.action_categories"], + ["dev_role" , "read", "authz.subject_scopes"], + ["dev_role" , "read", "authz.object_scopes"], + ["dev_role" , "read", "authz.action_scopes"], + ["dev_role" , "read", "authz.subject_assignments"], + ["dev_role" , "read", "authz.object_assignments"], + ["dev_role" , "read", "authz.action_assignments"], + ["dev_role" , "read", "authz.aggregation_algorithm"], + ["dev_role" , "read", "authz.sub_meta_rules"], + ["dev_role" , "read", "authz.rules"], + ["dev_role" , "read", "admin.subjects"], + ["dev_role" , "read", "admin.objects"], + ["dev_role" , "read", "admin.actions"], + ["dev_role" , "read", "admin.subject_categories"], + ["dev_role" , "read", "admin.object_categories"], + ["dev_role" , "read", "admin.action_categories"], + ["dev_role" , "read", "admin.subject_scopes"], + ["dev_role" , "read", "admin.object_scopes"], + ["dev_role" , "read", "admin.action_scopes"], + ["dev_role" , "read", "admin.subject_assignments"], + ["dev_role" , "read", "admin.object_assignments"], + ["dev_role" , "read", "admin.action_assignments"], + ["dev_role" , "read", "admin.aggregation_algorithm"], + ["dev_role" , "read", "admin.sub_meta_rules"], + ["dev_role" , "read", "admin.rules"] + ] +} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json new file mode 100644 index 00000000..149056a6 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json @@ -0,0 +1,48 @@ +{ + "subject_scopes": { + "role": [ + "root_role", + "dev_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "object_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/moon_orchestrator/conf/policies/policy_root/assignment.json b/moon_orchestrator/conf/policies/policy_root/assignment.json new file mode 100644 index 00000000..e849ae13 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/assignment.json @@ -0,0 +1,39 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"] + } + }, + + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + + "object_assignments": { + "object_id": { + "templates": ["templates"], + "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"], + "aggregation_algorithms": ["aggregation_algorithms"], + "tenants": ["tenants"], + "intra_extensions": ["intra_extensions"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/moon_orchestrator/conf/policies/policy_root/metadata.json b/moon_orchestrator/conf/policies/policy_root/metadata.json new file mode 100644 index 00000000..9dd7a928 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/metadata.json @@ -0,0 +1,19 @@ +{ + "name": "Root Policy", + "model": "RBAC", + "genre": "admin", + "description": "root extension", + "pdp_pipeline": ["authz:rbac_rule"], + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_root/metarule.json b/moon_orchestrator/conf/policies/policy_root/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moon_orchestrator/conf/policies/policy_root/perimeter.json b/moon_orchestrator/conf/policies/policy_root/perimeter.json new file mode 100644 index 00000000..788a27f2 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/perimeter.json @@ -0,0 +1,31 @@ +{ + "subjects": [ + "admin" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moon_orchestrator/conf/policies/policy_root/rule.json b/moon_orchestrator/conf/policies/policy_root/rule.json new file mode 100644 index 00000000..9bbd5e4c --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/rule.json @@ -0,0 +1,44 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "templates"], + ["root_role" , "read", "aggregation_algorithms"], + ["root_role" , "read", "sub_meta_rule_algorithms"], + ["root_role" , "read", "tenants"], + ["root_role" , "read", "intra_extensions"], + ["root_role" , "write", "templates"], + ["root_role" , "write", "aggregation_algorithms"], + ["root_role" , "write", "sub_meta_rule_algorithms"], + ["root_role" , "write", "tenants"], + ["root_role" , "write", "intra_extensions"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] + ] +} diff --git a/moon_orchestrator/conf/policies/policy_root/scope.json b/moon_orchestrator/conf/policies/policy_root/scope.json new file mode 100644 index 00000000..43f9ced8 --- /dev/null +++ b/moon_orchestrator/conf/policies/policy_root/scope.json @@ -0,0 +1,39 @@ +{ + "subject_scopes": { + "role": [ + "root_role" + ] + }, + + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + + "object_scopes": { + "object_id": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/moon_orchestrator/moon_orchestrator/__init__.py b/moon_orchestrator/moon_orchestrator/__init__.py new file mode 100644 index 00000000..2302dea9 --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "1.1.0" diff --git a/moon_orchestrator/moon_orchestrator/__main__.py b/moon_orchestrator/moon_orchestrator/__main__.py new file mode 100644 index 00000000..9ebc3a7f --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/__main__.py @@ -0,0 +1,4 @@ +from moon_orchestrator.server import main + +server = main() +server.run() diff --git a/moon_orchestrator/moon_orchestrator/api/__init__.py b/moon_orchestrator/moon_orchestrator/api/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/api/__init__.py diff --git a/moon_orchestrator/moon_orchestrator/api/generic.py b/moon_orchestrator/moon_orchestrator/api/generic.py new file mode 100644 index 00000000..84de4e69 --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/api/generic.py @@ -0,0 +1,131 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. +""" +Those API are helping API used to manage the Moon platform. +""" + +from flask_restful import Resource, request +import logging +import moon_orchestrator.api +from python_moonutilities.security_functions import check_auth + +__version__ = "0.1.0" + +LOG = logging.getLogger("moon.orchestrator.api." + __name__) + + +class Status(Resource): + """ + Endpoint for status requests + """ + + __urls__ = ("/status", "/status/", "/status/<string:component_id>") + + def get(self, component_id=None): + """Retrieve status of all components + + :return: { + "orchestrator": { + "status": "Running" + }, + "security_router": { + "status": "Running" + } + } + """ + raise NotImplemented + + +class Logs(Resource): + """ + Endpoint for logs requests + """ + + __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>") + + def get(self, component_id=None): + """Get logs from the Moon platform + + :param component_id: the ID of the component your are looking for (optional) + :return: [ + "2015-04-15-13:45:20 + "2015-04-15-13:45:21 + "2015-04-15-13:45:22 + "2015-04-15-13:45:23 + ] + """ + filter_str = request.args.get('filter', '') + from_str = request.args.get('from', '') + to_str = request.args.get('to', '') + event_number = request.args.get('event_number', '') + try: + event_number = int(event_number) + except ValueError: + event_number = None + args = dict() + args["filter"] = filter_str + args["from"] = from_str + args["to"] = to_str + args["event_number"] = event_number + + raise NotImplemented + + +class API(Resource): + """ + Endpoint for API requests + """ + + __urls__ = ( + "/api", + "/api/", + "/api/<string:group_id>", + "/api/<string:group_id>/", + "/api/<string:group_id>/<string:endpoint_id>") + + @check_auth + def get(self, group_id="", endpoint_id="", user_id=""): + """Retrieve all API endpoints or a specific endpoint if endpoint_id is given + + :param group_id: the name of one existing group (ie generic, ...) + :param endpoint_id: the name of one existing component (ie Logs, Status, ...) + :return: { + "group_name": { + "endpoint_name": { + "description": "a description", + "methods": { + "get": "description of the HTTP method" + }, + "urls": ('/api', '/api/', '/api/<string:endpoint_id>') + } + } + """ + __methods = ("get", "post", "put", "delete", "options", "patch") + api_list = filter(lambda x: "__" not in x, dir(moon_orchestrator.api)) + api_desc = dict() + for api_name in api_list: + api_desc[api_name] = {} + group_api_obj = eval("moon_interface.api.{}".format(api_name)) + api_desc[api_name]["description"] = group_api_obj.__doc__ + if "__version__" in dir(group_api_obj): + api_desc[api_name]["version"] = group_api_obj.__version__ + object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj))) + for obj in map(lambda x: eval("moon_interface.api.{}.{}".format(api_name, x)), object_list): + if "__urls__" in dir(obj): + api_desc[api_name][obj.__name__] = dict() + api_desc[api_name][obj.__name__]["urls"] = obj.__urls__ + api_desc[api_name][obj.__name__]["methods"] = dict() + for _method in filter(lambda x: x in __methods, dir(obj)): + docstring = eval("moon_interface.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method)) + api_desc[api_name][obj.__name__]["methods"][_method] = docstring + api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__) + if group_id in api_desc: + if endpoint_id in api_desc[group_id]: + return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}} + elif len(endpoint_id) > 0: + LOG.error("Unknown endpoint_id {}".format(endpoint_id)) + return {"error": "Unknown endpoint_id {}".format(endpoint_id)} + return {group_id: api_desc[group_id]} + return api_desc diff --git a/moon_orchestrator/moon_orchestrator/api/pods.py b/moon_orchestrator/moon_orchestrator/api/pods.py new file mode 100644 index 00000000..9bca4d93 --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/api/pods.py @@ -0,0 +1,127 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from flask import request +from flask_restful import Resource +from python_moonutilities.security_functions import check_auth +import logging + +LOG = logging.getLogger("moon.orchestrator.api.pods") + + +class Pods(Resource): + """ + Endpoint for pdp requests + """ + + __urls__ = ( + "/pods", + "/pods/", + "/pods/<string:uuid>", + "/pods/<string:uuid>/", + ) + + def __init__(self, **kwargs): + self.driver = kwargs.get("driver") + self.create_security_function = kwargs.get("create_security_function_hook") + + @check_auth + def get(self, uuid=None, user_id=None): + """Retrieve all pods + + :param uuid: uuid of the pod + :param user_id: user ID who do the request + :return: { + "pod_id1": { + "name": "...", + "replicas": "...", + "description": "...", + } + } + :internal_api: get_pdp + """ + pods = {} + # LOG.info("pods={}".format(self.driver.get_pods())) + if uuid: + return {"pods": self.driver.get_pods(uuid)} + for _pod_key, _pod_values in self.driver.get_pods().items(): + pods[_pod_key] = [] + for _pod_value in _pod_values: + if _pod_value['namespace'] != "moon": + continue + pods[_pod_key].append(_pod_value) + return {"pods": pods} + + @check_auth + def post(self, uuid=None, user_id=None): + """Create a new pod. + + :param uuid: uuid of the pod (not used here) + :param user_id: user ID who do the request + :request body: { + "name": "...", + "description": "...", + "type": "plugin_name" + } + :return: { + "pdp_id1": { + "name": "...", + "replicas": "...", + "description": "...", + } + } + """ + LOG.info("POST param={}".format(request.json)) + self.create_security_function( + request.json.get("keystone_project_id"), + request.json.get("pdp_id"), + request.json.get("security_pipeline"), + manager_data=request.json, + active_context=None, + active_context_name=None) + pods = {} + for _pod_key, _pod_values in self.driver.get_pods().items(): + pods[_pod_key] = [] + for _pod_value in _pod_values: + if _pod_value['namespace'] != "moon": + continue + pods[_pod_key].append(_pod_value) + return {"pods": pods} + + @check_auth + def delete(self, uuid=None, user_id=None): + """Delete a pod + + :param uuid: uuid of the pod to delete + :param user_id: user ID who do the request + :return: { + "result": "True or False", + "message": "optional message" + } + """ + return {"result": True} + + @check_auth + def patch(self, uuid=None, user_id=None): + """Update a pod + + :param uuid: uuid of the pdp to update + :param user_id: user ID who do the request + :request body: { + "name": "...", + "replicas": "...", + "description": "...", + } + :return: { + "pod_id1": { + "name": "...", + "replicas": "...", + "description": "...", + } + } + :internal_api: update_pdp + """ + return {"pods": None} + diff --git a/moon_orchestrator/moon_orchestrator/drivers.py b/moon_orchestrator/moon_orchestrator/drivers.py new file mode 100644 index 00000000..08c53be3 --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/drivers.py @@ -0,0 +1,175 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from kubernetes import client, config +import logging +import urllib3.exceptions +from python_moonutilities import configuration + +LOG = logging.getLogger("moon.orchestrator.drivers") + + +def get_driver(): + try: + return K8S() + except urllib3.exceptions.MaxRetryError as e: + LOG.exception(e) + return Docker() + + +class Driver: + + def __init__(self): + self.cache = {} + # example of cache: + # { + # "uuid_of_pod": { + # "ip": "", + # "hostname": "", + # "port": 30001, + # "pdp": "", + # "keystone_project_id": "", + # "plugin_name": "", + # "namespace": "" + # } + # } + + def get_pods(self, namespace=None): + raise NotImplementedError + + def load_pod(self, data, api_client=None, ext_client=None): + raise NotImplementedError + + def delete_pod(self, uuid=None, name=None): + raise NotImplementedError + + def get_slaves(self): + raise NotImplementedError + + +class K8S(Driver): + + def __init__(self): + super(K8S, self).__init__() + config.load_kube_config() + self.client = client.CoreV1Api() + + def get_pods(self, name=None): + if name: + pods = self.client.list_pod_for_all_namespaces(watch=False) + for pod in pods.items: + LOG.info("get_pods {}".format(pod.metadata.name)) + if name in pod.metadata.name: + return pod + else: + return None + LOG.info("get_pods cache={}".format(self.cache)) + return self.cache + + @staticmethod + def __create_pod(client, data): + pod_manifest = { + 'apiVersion': 'extensions/v1beta1', + 'kind': 'Deployment', + 'metadata': { + 'name': data[0].get('name') + }, + 'spec': { + 'replicas': 1, + 'template': { + 'metadata': {'labels': {'app': data[0].get('name')}}, + 'hostname': data[0].get('name'), + 'spec': { + 'containers': [] + } + }, + } + } + for _data in data: + pod_manifest['spec']['template']['spec']['containers'].append( + { + 'image': _data.get('container', "busybox"), + 'name': _data.get('name'), + 'hostname': _data.get('name'), + 'ports': [ + {"containerPort": _data.get('port', 80)}, + ], + 'env': [ + {'name': "UUID", "value": _data.get('name', "None")}, + {'name': "TYPE", "value": _data.get('genre', "None")}, + {'name': "PORT", "value": str(_data.get('port', 80))}, + {'name': "PDP_ID", "value": _data.get('pdp_id', "None")}, + {'name': "META_RULE_ID", "value": _data.get('meta_rule_id', "None")}, + {'name': "KEYSTONE_PROJECT_ID", + "value": _data.get('keystone_project_id', "None")}, + ] + } + ) + resp = client.create_namespaced_deployment(body=pod_manifest, + namespace='moon') + LOG.info("Pod {} created!".format(data[0].get('name'))) + # logger.info(yaml.dump(pod_manifest, sys.stdout)) + # logger.info(resp) + return resp + + @staticmethod + def __create_service(client, data, expose=False): + service_manifest = { + 'apiVersion': 'v1', + 'kind': 'Service', + 'metadata': { + 'name': data.get('name'), + 'namespace': 'moon' + }, + 'spec': { + 'ports': [{ + 'port': data.get('port', 80), + 'targetPort': data.get('port', 80) + }], + 'selector': { + 'app': data.get('name') + }, + # 'type': 'NodePort', + 'endpoints': [{ + 'port': data.get('port', 80), + 'protocol': 'TCP', + }], + } + } + if expose: + service_manifest['spec']['ports'][0]['nodePort'] = \ + configuration.increment_port() + service_manifest['spec']['type'] = "NodePort" + resp = client.create_namespaced_service(namespace="moon", + body=service_manifest) + LOG.info("Service {} created!".format(data.get('name'))) + return resp + + def load_pod(self, data, api_client=None, ext_client=None, expose=False): + _client = api_client if api_client else self.client + pod = self.__create_pod(client=ext_client, data=data) + service = self.__create_service(client=_client, data=data[0], + expose=expose) + self.cache[pod.metadata.uid] = data + + def delete_pod(self, uuid=None, name=None): + LOG.info("Deleting pod {}".format(uuid)) + # TODO: delete_namespaced_deployment + # https://github.com/kubernetes-incubator/client-python/blob/master/kubernetes/client/apis/extensions_v1beta1_api.py + + def get_slaves(self): + contexts, active_context = config.list_kube_config_contexts() + return contexts, active_context + + +class Docker(Driver): + + def load_pod(self, data, api_client=None, ext_client=None): + LOG.info("Creating pod {}".format(data[0].get('name'))) + raise NotImplementedError + + def delete_pod(self, uuid=None, name=None): + LOG.info("Deleting pod {}".format(uuid)) + raise NotImplementedError diff --git a/moon_orchestrator/moon_orchestrator/http_server.py b/moon_orchestrator/moon_orchestrator/http_server.py new file mode 100644 index 00000000..e6a5ee57 --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/http_server.py @@ -0,0 +1,292 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from flask import Flask, jsonify +from flask_cors import CORS, cross_origin +from flask_restful import Resource, Api +import logging +from kubernetes import client, config +import random +import requests +import time +from moon_orchestrator import __version__ +from moon_orchestrator.api.pods import Pods +from moon_orchestrator.api.generic import Logs, Status +from python_moonutilities import configuration, exceptions +from python_moonutilities.misc import get_random_name +from moon_orchestrator.drivers import get_driver + +LOG = logging.getLogger("moon.orchestrator.http") + + +class Server: + """Base class for HTTP server""" + + def __init__(self, host="localhost", port=80, api=None, **kwargs): + """Run a server + + :param host: hostname of the server + :param port: port for the running server + :param kwargs: optional parameters + :return: a running server + """ + self._host = host + self._port = port + self._api = api + self._extra = kwargs + + @property + def host(self): + return self._host + + @host.setter + def host(self, name): + self._host = name + + @host.deleter + def host(self): + self._host = "" + + @property + def port(self): + return self._port + + @port.setter + def port(self, number): + self._port = number + + @port.deleter + def port(self): + self._port = 80 + + def run(self): + raise NotImplementedError() + +__API__ = ( + Status, Logs + ) + + +class Root(Resource): + """ + The root of the web service + """ + __urls__ = ("/", ) + __methods = ("get", "post", "put", "delete", "options") + + def get(self): + tree = {"/": {"methods": ("get",), "description": "List all methods for that service."}} + for item in __API__: + tree[item.__name__] = {"urls": item.__urls__} + _methods = [] + for _method in self.__methods: + if _method in dir(item): + _methods.append(_method) + tree[item.__name__]["methods"] = _methods + tree[item.__name__]["description"] = item.__doc__.strip() + return { + "version": __version__, + "tree": tree + } + + +class HTTPServer(Server): + + def __init__(self, host="localhost", port=80, **kwargs): + super(HTTPServer, self).__init__(host=host, port=port, **kwargs) + self.app = Flask(__name__) + conf = configuration.get_configuration("components/orchestrator") + self.orchestrator_hostname = conf["components/orchestrator"].get("hostname", "orchestrator") + self.orchestrator_port = conf["components/orchestrator"].get("port", 80) + conf = configuration.get_configuration("components/manager") + self.manager_hostname = conf["components/manager"].get("hostname", "manager") + self.manager_port = conf["components/manager"].get("port", 80) + # TODO : specify only few urls instead of * + # CORS(self.app) + self.api = Api(self.app) + self.driver = get_driver() + LOG.info("Driver = {}".format(self.driver.__class__)) + self.__set_route() + self.__hook_errors() + pdp = None + while True: + try: + pdp = requests.get( + "http://{}:{}/pdp".format(self.manager_hostname, + self.manager_port)) + except requests.exceptions.ConnectionError: + LOG.warning("Manager is not ready, standby...") + time.sleep(1) + except KeyError: + LOG.warning("Manager is not ready, standby...") + time.sleep(1) + else: + if "pdps" in pdp.json(): + break + LOG.debug("pdp={}".format(pdp)) + self.create_wrappers() + for _pdp_key, _pdp_value in pdp.json()['pdps'].items(): + if _pdp_value.get('keystone_project_id'): + # TODO: select context to add security function + self.create_security_function( + keystone_project_id=_pdp_value.get('keystone_project_id'), + pdp_id=_pdp_key, + policy_ids=_pdp_value.get('security_pipeline', [])) + + def __hook_errors(self): + + def get_404_json(e): + return jsonify({"result": False, "code": 404, "description": str(e)}), 404 + self.app.register_error_handler(404, get_404_json) + + def get_400_json(e): + return jsonify({"result": False, "code": 400, "description": str(e)}), 400 + self.app.register_error_handler(400, lambda e: get_400_json) + self.app.register_error_handler(403, exceptions.AuthException) + + def __set_route(self): + self.api.add_resource(Root, '/') + + for api in __API__: + self.api.add_resource(api, *api.__urls__) + self.api.add_resource(Pods, *Pods.__urls__, + resource_class_kwargs={ + "driver": self.driver, + "create_security_function_hook": + self.create_security_function, + }) + + def run(self): + self.app.run(host=self._host, port=self._port) # nosec + + @staticmethod + def __filter_str(data): + return data.replace("@", "-") + + def create_wrappers(self): + contexts, active_context = self.driver.get_slaves() + LOG.debug("contexts: {}".format(contexts)) + LOG.debug("active_context: {}".format(active_context)) + conf = configuration.get_configuration("components/wrapper") + hostname = conf["components/wrapper"].get( + "hostname", "wrapper") + port = conf["components/wrapper"].get("port", 80) + container = conf["components/wrapper"].get( + "container", + "wukongsun/moon_wrapper:v4.3") + for _ctx in contexts: + _config = config.new_client_from_config(context=_ctx['name']) + LOG.debug("_config={}".format(_config)) + api_client = client.CoreV1Api(_config) + ext_client = client.ExtensionsV1beta1Api(_config) + # TODO: get data from consul + data = [{ + "name": hostname + "-" + get_random_name(), + "container": container, + "port": port, + "namespace": "moon" + }, ] + pod = self.driver.load_pod(data, api_client, ext_client, expose=True) + LOG.debug('wrapper pod={}'.format(pod)) + + def create_security_function(self, keystone_project_id, + pdp_id, policy_ids, manager_data={}, + active_context=None, + active_context_name=None): + """ Create security functions + + :param policy_id: the policy ID mapped to this security function + :param active_context: if present, add the security function in this + context + :param active_context_name: if present, add the security function in + this context name + if active_context_name and active_context are not present, add the + security function in all context (ie, in all slaves) + :return: None + """ + for key, value in self.driver.get_pods().items(): + for _pod in value: + if _pod.get('keystone_project_id') == keystone_project_id: + LOG.warning("A pod for this Keystone project {} " + "already exists.".format(keystone_project_id)) + return + + plugins = configuration.get_plugins() + conf = configuration.get_configuration("components/interface") + i_hostname = conf["components/interface"].get("hostname", "interface") + i_port = conf["components/interface"].get("port", 80) + i_container = conf["components/interface"].get( + "container", + "wukongsun/moon_interface:v4.3") + data = [ + { + "name": i_hostname + "-" + get_random_name(), + "container": i_container, + "port": i_port, + 'pdp_id': pdp_id, + 'genre': "interface", + 'keystone_project_id': keystone_project_id, + "namespace": "moon" + }, + ] + LOG.info("data={}".format(data)) + policies = manager_data.get('policies') + if not policies: + LOG.info("No policy data from Manager, trying to get them") + policies = requests.get("http://{}:{}/policies".format( + self.manager_hostname, self.manager_port)).json().get( + "policies", dict()) + LOG.info("policies={}".format(policies)) + models = manager_data.get('models') + if not models: + LOG.info("No models data from Manager, trying to get them") + models = requests.get("http://{}:{}/models".format( + self.manager_hostname, self.manager_port)).json().get( + "models", dict()) + LOG.info("models={}".format(models)) + + for policy_id in policy_ids: + if policy_id in policies: + genre = policies[policy_id].get("genre", "authz") + if genre in plugins: + for meta_rule in models[policies[policy_id]['model_id']]['meta_rules']: + data.append({ + "name": genre + "-" + get_random_name(), + "container": plugins[genre]['container'], + 'pdp_id': pdp_id, + "port": plugins[genre].get('port', 8080), + 'genre': genre, + 'policy_id': policy_id, + 'meta_rule_id': meta_rule, + 'keystone_project_id': keystone_project_id, + "namespace": "moon" + }) + LOG.info("data={}".format(data)) + contexts, _active_context = self.driver.get_slaves() + LOG.info("active_context_name={}".format(active_context_name)) + LOG.info("active_context={}".format(active_context)) + if active_context_name: + for _context in contexts: + if _context["name"] == active_context_name: + active_context = _context + break + if active_context: + active_context = _active_context + _config = config.new_client_from_config( + context=active_context['name']) + LOG.debug("_config={}".format(_config)) + api_client = client.CoreV1Api(_config) + ext_client = client.ExtensionsV1beta1Api(_config) + self.driver.load_pod(data, api_client, ext_client, expose=False) + return + LOG.info("contexts={}".format(contexts)) + for _ctx in contexts: + _config = config.new_client_from_config(context=_ctx['name']) + LOG.debug("_config={}".format(_config)) + api_client = client.CoreV1Api(_config) + ext_client = client.ExtensionsV1beta1Api(_config) + self.driver.load_pod(data, api_client, ext_client, expose=False) + + diff --git a/moon_orchestrator/moon_orchestrator/server.py b/moon_orchestrator/moon_orchestrator/server.py new file mode 100644 index 00000000..0cbd535a --- /dev/null +++ b/moon_orchestrator/moon_orchestrator/server.py @@ -0,0 +1,36 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import logging +from python_moonutilities import configuration, exceptions +from moon_orchestrator.http_server import HTTPServer + +LOG = logging.getLogger("moon.orchestrator") +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) + + +def main(): + configuration.init_logging() + try: + conf = configuration.get_configuration("components/orchestrator") + hostname = conf["components/orchestrator"].get("hostname", "orchestrator") + port = conf["components/orchestrator"].get("port", 80) + bind = conf["components/orchestrator"].get("bind", "127.0.0.1") + except exceptions.ConsulComponentNotFound: + hostname = "orchestrator" + bind = "127.0.0.1" + port = 80 + configuration.add_component(uuid="orchestrator", name=hostname, port=port, bind=bind) + LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) + server = HTTPServer(host=bind, port=port) + return server + + +if __name__ == '__main__': + server = main() + server.run() diff --git a/moon_orchestrator/requirements.txt b/moon_orchestrator/requirements.txt new file mode 100644 index 00000000..0d952e6c --- /dev/null +++ b/moon_orchestrator/requirements.txt @@ -0,0 +1,8 @@ +flask +flask_restful +flask_cors +werkzeug +python_moonutilities +python_moondb +kubernetes +pyaml
\ No newline at end of file diff --git a/moon_orchestrator/setup.py b/moon_orchestrator/setup.py new file mode 100644 index 00000000..624dba94 --- /dev/null +++ b/moon_orchestrator/setup.py @@ -0,0 +1,50 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from setuptools import setup, find_packages +import moon_orchestrator + + +with open('requirements.txt') as f: + required = f.read().splitlines() + +setup( + + name='moon_orchestrator', + + version=moon_orchestrator.__version__, + + packages=find_packages(), + + author="Thomas Duval", + + author_email="thomas.duval@orange.com", + + description="", + + long_description=open('README.md').read(), + + install_requires=required, + + include_package_data=True, + + url='https://git.opnfv.org/cgit/moon/', + + classifiers=[ + "Programming Language :: Python", + "Development Status :: 1 - Planning", + "License :: OSI Approved", + "Natural Language :: French", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3", + ], + + entry_points={ + 'console_scripts': [ + 'moon_orchestrator = moon_orchestrator.server:main', + ], + } + +) diff --git a/moon_orchestrator/tests/unit_python/conftest.py b/moon_orchestrator/tests/unit_python/conftest.py new file mode 100644 index 00000000..044489e6 --- /dev/null +++ b/moon_orchestrator/tests/unit_python/conftest.py @@ -0,0 +1,18 @@ +import pytest +import requests_mock +import mock_pods +from utilities import CONTEXT + + +@pytest.fixture +def context(): + return CONTEXT + + +@pytest.fixture(autouse=True) +def no_requests(monkeypatch): + """ Modify the response from Requests module + """ + with requests_mock.Mocker(real_http=True) as m: + mock_pods.register_pods(m) + yield m
\ No newline at end of file diff --git a/moon_orchestrator/tests/unit_python/mock_pods.py b/moon_orchestrator/tests/unit_python/mock_pods.py new file mode 100644 index 00000000..c5633152 --- /dev/null +++ b/moon_orchestrator/tests/unit_python/mock_pods.py @@ -0,0 +1,404 @@ +from kubernetes import client, config +from utilities import CONF, get_b64_conf, COMPONENTS + +pdp_mock = { + "pdp_id1": { + "name": "...", + "security_pipeline": ["policy_id_1", "policy_id_2"], + "keystone_project_id": "keystone_project_id1", + "description": "...", + }, + "pdp_id12": { + "name": "...", + "security_pipeline": ["policy_id_1", "policy_id_2"], + "keystone_project_id": "keystone_project_id1", + "description": "...", + } +} + +meta_rules_mock = { + "meta_rule_id1": { + "name": "meta_rule1", + "algorithm": "name of the meta rule algorithm", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + }, + "meta_rule_id2": { + "name": "name of the meta rules2", + "algorithm": "name of the meta rule algorithm", + "subject_categories": ["subject_category_id1", + "subject_category_id2"], + "object_categories": ["object_category_id1"], + "action_categories": ["action_category_id1"] + } +} + +policies_mock = { + "policy_id_1": { + "name": "test_policy1", + "model_id": "model_id_1", + "genre": "authz", + "description": "test", + }, + "policy_id_2": { + "name": "test_policy2", + "model_id": "model_id_2", + "genre": "authz", + "description": "test", + } +} + +subject_mock = { + "policy_id_1": { + "subject_id": { + "name": "subject_name", + "keystone_id": "keystone_project_id1", + "description": "a description" + } + }, + "policy_id_2": { + "subject_id": { + "name": "subject_name", + "keystone_id": "keystone_project_id1", + "description": "a description" + } + } +} + +subject_assignment_mock = { + "subject_id": { + "policy_id": "ID of the policy", + "subject_id": "ID of the subject", + "category_id": "ID of the category", + "assignments": [], + } +} + +object_mock = { + "policy_id_1": { + "object_id": { + "name": "object_name", + "description": "a description" + } + }, + "policy_id_2": { + "object_id": { + "name": "object_name", + "description": "a description" + } + } +} + +object_assignment_mock = { + "object_id": { + "policy_id": "ID of the policy", + "object_id": "ID of the object", + "category_id": "ID of the category", + "assignments": [], + } +} + +action_mock = { + "policy_id_1": { + "action_id": { + "name": "action_name", + "description": "a description" + } + }, + "policy_id_2": { + "action_id": { + "name": "action_name", + "description": "a description" + } + } +} + +action_assignment_mock = { + "action_id": { + "policy_id": "ID of the policy", + "action_id": "ID of the action", + "category_id": "ID of the category", + "assignments": [], + } +} + +models_mock = { + "model_id_1": { + "name": "test_model", + "description": "test", + "meta_rules": ["meta_rule_id1"] + }, + "model_id_2": { + "name": "test_model", + "description": "test", + "meta_rules": ["meta_rule_id2"] + }, +} + +rules_mock = { + "rules": { + "meta_rule_id": "meta_rule_id1", + "rule_id1": { + "rule": ["subject_data_id1", + "object_data_id1", + "action_data_id1"], + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + # "deny" to deny the request + ) + }, + "rule_id2": { + "rule": ["subject_data_id2", + "object_data_id2", + "action_data_id2"], + "instructions": ( + { + "update": { + "operation": "add", + # operations may be "add" or "delete" + "target": "rbac:role:admin" + # add the role admin to the current user + } + }, + {"chain": {"name": "rbac"}} + # chain with the policy named rbac + ) + } + } +} + + +def patch_k8s(monkeypatch): + def _load_kube_config_mockreturn(*args, **kwargs): + return + monkeypatch.setattr(config, 'load_kube_config', + _load_kube_config_mockreturn) + + def list_kube_config_contexts_mockreturn(*args, **kwargs): + return [{"name": "active_context"}], {"name": "active_context"} + monkeypatch.setattr(config, 'list_kube_config_contexts', + list_kube_config_contexts_mockreturn) + + def new_client_from_config_mockreturn(*args, **kwargs): + return {"client": True} + monkeypatch.setattr(config, 'new_client_from_config', + new_client_from_config_mockreturn) + + def list_pod_for_all_namespaces_mockreturn(*args, **kwargs): + class pods: + items = [] + return pods + monkeypatch.setattr(client.CoreV1Api, 'list_pod_for_all_namespaces', + list_pod_for_all_namespaces_mockreturn) + + def create_namespaced_deployment_mockreturn(*args, **kwargs): + + class metadata: + uid = "123456789" + + class pod: + def __init__(self): + self.metadata = metadata() + return pod() + monkeypatch.setattr(client.ExtensionsV1beta1Api, + 'create_namespaced_deployment', + create_namespaced_deployment_mockreturn) + + def create_namespaced_service_mockreturn(*args, **kwargs): + return {} + monkeypatch.setattr(client.CoreV1Api, + 'create_namespaced_service', + create_namespaced_service_mockreturn) + + +def register_pods(m): + """ Modify the response from Requests module + """ + register_consul(m) + register_pdp(m) + # register_meta_rules(m) + register_policies(m) + register_models(m) + # register_policy_subject(m, "policy_id_1") + # register_policy_subject(m, "policy_id_2") + # register_policy_object(m, "policy_id_1") + # register_policy_object(m, "policy_id_2") + # register_policy_action(m, "policy_id_1") + # register_policy_action(m, "policy_id_2") + # register_policy_subject_assignment(m, "policy_id_1", "subject_id") + # register_policy_subject_assignment_list(m1, "policy_id_1") + # register_policy_subject_assignment(m, "policy_id_2", "subject_id") + # register_policy_subject_assignment_list(m1, "policy_id_2") + # register_policy_object_assignment(m, "policy_id_1", "object_id") + # register_policy_object_assignment_list(m1, "policy_id_1") + # register_policy_object_assignment(m, "policy_id_2", "object_id") + # register_policy_object_assignment_list(m1, "policy_id_2") + # register_policy_action_assignment(m, "policy_id_1", "action_id") + # register_policy_action_assignment_list(m1, "policy_id_1") + # register_policy_action_assignment(m, "policy_id_2", "action_id") + # register_policy_action_assignment_list(m1, "policy_id_2") + # register_rules(m, "policy_id1") + + +def register_consul(m): + for component in COMPONENTS: + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/{}'.format(component), + json=[{'Key': component, 'Value': get_b64_conf(component)}] + ) + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/components_port_start', + json=[ + { + "LockIndex": 0, + "Key": "components_port_start", + "Flags": 0, + "Value": "MzEwMDE=", + "CreateIndex": 9, + "ModifyIndex": 9 + } + ], + ) + m.register_uri( + 'PUT', 'http://consul:8500/v1/kv/components_port_start', + json=[], + ) + m.register_uri( + 'GET', 'http://consul:8500/v1/kv/plugins?recurse=true', + json=[ + { + "LockIndex": 0, + "Key": "plugins/authz", + "Flags": 0, + "Value": "eyJjb250YWluZXIiOiAid3Vrb25nc3VuL21vb25fYXV0aHo6djQuMyIsICJwb3J0IjogODA4MX0=", + "CreateIndex": 14, + "ModifyIndex": 656 + } + ], + ) + + +def register_pdp(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'pdp'), + json={'pdps': pdp_mock} + ) + + +def register_meta_rules(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'meta_rules'), + json={'meta_rules': meta_rules_mock} + ) + + +def register_policies(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies'), + json={'policies': policies_mock} + ) + + +def register_models(m): + m.register_uri( + 'GET', 'http://{}:{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'models'), + json={'models': models_mock} + ) + + +def register_policy_subject(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subjects'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'subjects': subject_mock[policy_id]} + ) + + +def register_policy_object(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/objects'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'objects': object_mock[policy_id]} + ) + + +def register_policy_action(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/actions'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', policy_id), + json={'actions': action_mock[policy_id]} + ) + + +def register_policy_subject_assignment(m, policy_id, subj_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subject_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + subj_id), + json={'subject_assignments': subject_assignment_mock} + ) + + +def register_policy_subject_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/subject_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'subject_assignments': subject_assignment_mock} + ) + + +def register_policy_object_assignment(m, policy_id, obj_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/object_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + obj_id), + json={'object_assignments': object_assignment_mock} + ) + + +def register_policy_object_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/object_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'object_assignments': object_assignment_mock} + ) + + +def register_policy_action_assignment(m, policy_id, action_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/action_assignments/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, + action_id), + json={'action_assignments': action_assignment_mock} + ) + + +def register_policy_action_assignment_list(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/action_assignments'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id), + json={'action_assignments': action_assignment_mock} + ) + + +def register_rules(m, policy_id): + m.register_uri( + 'GET', 'http://{}:{}/{}/{}/{}'.format(CONF['components']['manager']['hostname'], + CONF['components']['manager']['port'], 'policies', + policy_id, 'rules'), + json={'rules': rules_mock} + )
\ No newline at end of file diff --git a/moon_orchestrator/tests/unit_python/requirements.txt b/moon_orchestrator/tests/unit_python/requirements.txt new file mode 100644 index 00000000..21975ce3 --- /dev/null +++ b/moon_orchestrator/tests/unit_python/requirements.txt @@ -0,0 +1,5 @@ +flask +flask_cors +flask_restful +python_moondb +python_moonutilities
\ No newline at end of file diff --git a/moon_orchestrator/tests/unit_python/test_pods.py b/moon_orchestrator/tests/unit_python/test_pods.py new file mode 100644 index 00000000..42c8404b --- /dev/null +++ b/moon_orchestrator/tests/unit_python/test_pods.py @@ -0,0 +1,43 @@ +import json +from mock_pods import patch_k8s +from utilities import get_json + + +def test_get_pods(context, monkeypatch): + patch_k8s(monkeypatch) + + import moon_orchestrator.server + server = moon_orchestrator.server.main() + _client = server.app.test_client() + req = _client.get("/pods") + assert req.status_code == 200 + assert req.data + data = get_json(req.data) + assert isinstance(data, dict) + assert "pods" in data + + +def test_add_pods(context, monkeypatch): + patch_k8s(monkeypatch) + + import moon_orchestrator.server + server = moon_orchestrator.server.main() + _client = server.app.test_client() + data = { + "keystone_project_id": context.get('project_id'), + "pdp_id": context.get('pdp_id'), + "security_pipeline": context.get('security_pipeline'), + } + req = _client.post("/pods", data=json.dumps(data), + headers={'Content-Type': 'application/json'}) + assert req.status_code == 200 + assert req.data + data = get_json(req.data) + assert isinstance(data, dict) + assert "pods" in data + assert data["pods"] + + +def test_delete_pods(context, monkeypatch): + # TODO + pass diff --git a/moon_orchestrator/tests/unit_python/utilities.py b/moon_orchestrator/tests/unit_python/utilities.py new file mode 100644 index 00000000..aec03d9d --- /dev/null +++ b/moon_orchestrator/tests/unit_python/utilities.py @@ -0,0 +1,173 @@ +import base64 +import json +import pytest +from uuid import uuid4 + + +CONF = { + "openstack": { + "keystone": { + "url": "http://keystone:5000/v3", + "user": "admin", + "check_token": False, + "password": "p4ssw0rd", + "domain": "default", + "certificate": False, + "project": "admin" + } + }, + "components": { + "wrapper": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_wrapper:v4.3", + "timeout": 5, + "hostname": "wrapper" + }, + "manager": { + "bind": "0.0.0.0", + "port": 8082, + "container": "wukongsun/moon_manager:v4.3", + "hostname": "manager" + }, + "port_start": 31001, + "orchestrator": { + "bind": "0.0.0.0", + "port": 8083, + "container": "wukongsun/moon_orchestrator:v4.3", + "hostname": "interface" + }, + "interface": { + "bind": "0.0.0.0", + "port": 8080, + "container": "wukongsun/moon_interface:v4.3", + "hostname": "interface" + } + }, + "plugins": { + "session": { + "port": 8082, + "container": "asteroide/session:latest" + }, + "authz": { + "port": 8081, + "container": "wukongsun/moon_authz:v4.3" + } + }, + "logging": { + "handlers": { + "file": { + "filename": "/tmp/moon.log", + "class": "logging.handlers.RotatingFileHandler", + "level": "DEBUG", + "formatter": "custom", + "backupCount": 3, + "maxBytes": 1048576 + }, + "console": { + "class": "logging.StreamHandler", + "formatter": "brief", + "level": "INFO", + "stream": "ext://sys.stdout" + } + }, + "formatters": { + "brief": { + "format": "%(levelname)s %(name)s %(message)-30s" + }, + "custom": { + "format": "%(asctime)-15s %(levelname)s %(name)s %(message)s" + } + }, + "root": { + "handlers": [ + "console" + ], + "level": "ERROR" + }, + "version": 1, + "loggers": { + "moon": { + "handlers": [ + "console", + "file" + ], + "propagate": False, + "level": "DEBUG" + } + } + }, + "slave": { + "name": None, + "master": { + "url": None, + "login": None, + "password": None + } + }, + "docker": { + "url": "tcp://172.88.88.1:2376", + "network": "moon" + }, + "database": { + "url": "sqlite:///database.db", + # "url": "mysql+pymysql://moon:p4sswOrd1@db/moon", + "driver": "sql" + }, + "messenger": { + "url": "rabbit://moon:p4sswOrd1@messenger:5672/moon" + } +} + + +CONTEXT = { + "project_id": "a64beb1cc224474fb4badd43173e7101", + "subject_name": "testuser", + "object_name": "vm1", + "action_name": "boot", + "request_id": uuid4().hex, + "interface_name": "interface", + "manager_url": "http://{}:{}".format( + CONF["components"]["manager"]["hostname"], + CONF["components"]["manager"]["port"] + ), + "cookie": uuid4().hex, + "pdp_id": "b3d3e18abf3340e8b635fd49e6634ccd", + "security_pipeline": ["f8f49a779ceb47b3ac810f01ef71b4e0"] + } + + +COMPONENTS = ( + "logging", + "openstack/keystone", + "database", + "slave", + "components/manager", + "components/orchestrator", + "components/interface", + "components/wrapper", +) + + +def get_b64_conf(component=None): + if component == "components": + return base64.b64encode( + json.dumps(CONF["components"]).encode('utf-8')+b"\n").decode('utf-8') + elif component in CONF: + return base64.b64encode( + json.dumps( + CONF[component]).encode('utf-8')+b"\n").decode('utf-8') + elif not component: + return base64.b64encode( + json.dumps(CONF).encode('utf-8')+b"\n").decode('utf-8') + elif "/" in component: + key1, _, key2 = component.partition("/") + return base64.b64encode( + json.dumps( + CONF[key1][key2]).encode('utf-8')+b"\n").decode('utf-8') + + +def get_json(data): + return json.loads(data.decode("utf-8")) + + |