author | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
---|---|---|
committer | Thomas Duval <thomas.duval@orange.com> | 2020-06-03 10:06:52 +0200 |
commit | 7bb53c64da2dcf88894bfd31503accdd81498f3d (patch) | |
tree | 4310e12366818af27947b5e2c80cb162da93a4b5 /tools | |
parent | cbea4e360e9bfaa9698cf7c61c83c96a1ba89b8c (diff) |
Update to new version 5.4 (HEAD, stable/jerma, master)
Signed-off-by: Thomas Duval <thomas.duval@orange.com>
Change-Id: Idcd868133d75928a1ffd74d749ce98503e0555ea
Diffstat (limited to 'tools')
45 files changed, 0 insertions, 3894 deletions
diff --git a/tools/bin/README.md b/tools/bin/README.md
deleted file mode 100644
index 71ff4a44..00000000
--- a/tools/bin/README.md
+++ /dev/null
@@ -1,8 +0,0 @@
-# Automated Tools/Scripts
-
-## api2pdf
-```bash
-python3 $MOON_HOME/tools/bin/api2rst.py
-pandoc api.rst --toc -o api.pdf
-evince api.pdf
-```
diff --git a/tools/bin/api2rst.py b/tools/bin/api2rst.py
deleted file mode 100644
index 6d407bdf..00000000
--- a/tools/bin/api2rst.py
+++ /dev/null
@@ -1,145 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import sys -import requests -import logging -import time -import json - -os.unsetenv("http_proxy") -logging.basicConfig(level=logging.INFO) -logger = logging.getLogger(__name__) - -HOST = "172.18.0.11" -PORT = 38001 -COMPONENT = sys.argv[2] if len(sys.argv) > 1 else "Interface" -FILENAME = sys.argv[2] if len(sys.argv) > 2 else "api.rst" -CURRENT_TIME = time.strftime("%Y/%m/%d %H:%M:%S %Z") -REVISION = time.strftime("%Y%m%d_%H%M%S_%Z") -AUTHOR = "Thomas Duval <thomas.duval@orange.com>" - -logger.info("Writing to {}".format(FILENAME)) - -toc = ( - "generic", - "models", - "policies", - "pdp", - "meta_rules", - "meta_data", - "perimeter", - "data", - "assignments", - "rules", - "authz", -) - - -def get_api_list(): - url = "http://{}:{}/api".format(HOST, PORT) - cnx = requests.get(url) - try: - return cnx.json() - except json.decoder.JSONDecodeError: - logger.error("Error decoding JSON on {}\n{}".format(url, cnx.content)) - sys.exit(1) - - -def analyse_description(desc): - result = "" - if not desc: - return "No description" - for line in desc.splitlines(): - if line.strip().startswith(":"): - if ":request body:" in line: - result += ":request body:\n\n.. code-block:: json\n\n" - result += line.replace(":request body: ", "") + "\n\n" - elif ":return:" in line: - result += ":return:\n\n.. 
code-block:: json\n\n" - result += line.replace(":return: ", "") + "\n" - else: - result += line.strip() + "\n\n" - else: - result += line + "\n" - return result - - -def filter_and_sort(list_group_api): - results = list() - keys = list_group_api.keys() - for element in toc: - if element in keys: - results.append(element) - for element in keys: - if element not in results: - results.append(element) - return results - - -def main(): - list_group_api = get_api_list() - - _toc = filter_and_sort(list_group_api) - - file_desc = open(FILENAME, "w") - length_of_title = len("Moon {component} API".format(component=COMPONENT)) - file_desc.write(HEADERS.format( - component=COMPONENT, - date=CURRENT_TIME, - revision=REVISION, - title_headers="="*length_of_title, - author=AUTHOR - )) - - for key in _toc: - logger.info(key) - file_desc.write("{}\n".format(key)) - file_desc.write("{}\n\n".format("="*len(key))) - if "description" in list_group_api[key]: - file_desc.write("{}\n\n".format(list_group_api[key]["description"])) - version = "unknown" - logger.debug(list_group_api.keys()) - if "version" in list_group_api[key]: - version = list_group_api[key]["version"] - file_desc.write("Version: {}\n\n".format(version)) - for api in list_group_api[key]: - logger.info("\t{}".format(api)) - if api in ("description", "version"): - continue - file_desc.write("{}\n".format(api)) - file_desc.write("{}\n\n".format("-" * len(api))) - - file_desc.write("{}\n\n".format(list_group_api[key][api]["description"])) - - file_desc.write("URLs are:\n\n") - for _url in list_group_api[key][api]["urls"]: - file_desc.write("* {}\n".format(_url)) - - file_desc.write("\nMethods are:\n\n") - for _method in list_group_api[key][api]["methods"]: - file_desc.write("→ {}\n".format(_method)) - file_desc.write("{}\n\n".format("~"*(len(_method) + 2))) - file_desc.write("{}\n\n".format(analyse_description(list_group_api[key][api]["methods"][_method]))) - -HEADERS = """{title_headers} -Moon {component} API 
-{title_headers}
-
-:Info: See <https://git.opnfv.org/cgit/moon/> for code.
-:Author: {author}
-:Date: {date}
-:Revision: $Revision: {revision} $
-:Description: List of the API served by the Moon {component} component
-
-This document list all of the API connectors served by the Moon {component} component
-Here are Moon API with some examples of posted data and returned data.
-All requests must be prefixed with the host and port, for example: http://localhost:38001/authz/123456789/123456789/servers/list
-
-"""
-
-if __name__ == "__main__":
- main()
diff --git a/tools/bin/bootstrap.py b/tools/bin/bootstrap.py
deleted file mode 100644
index 6f2a5e03..00000000
--- a/tools/bin/bootstrap.py
+++ /dev/null
@@ -1,235 +0,0 @@ -import os -import sys -import time -import requests -import yaml -import logging -import json -import base64 -import mysql.connector -import re -import subprocess - -logging.basicConfig(level=logging.INFO) -log = logging.getLogger("moon.bootstrap") -requests_log = logging.getLogger("requests.packages.urllib3") -requests_log.setLevel(logging.WARNING) -requests_log.propagate = True - -if len(sys.argv) == 2: - if os.path.isfile(sys.argv[1]): - CONF_FILENAME = sys.argv[1] - CONSUL_HOST = "consul" - else: - CONF_FILENAME = "moon.conf" - CONSUL_HOST = sys.argv[1] - CONSUL_PORT = 8500 -else: - CONSUL_HOST = sys.argv[1] if len(sys.argv) > 1 else "consul" - CONSUL_PORT = sys.argv[2] if len(sys.argv) > 2 else 8500 - CONF_FILENAME = sys.argv[3] if len(sys.argv) > 3 else "moon.conf" -HEADERS = {"content-type": "application/json"} - - -def search_config_file(): - data_config = None - for _file in ( - CONF_FILENAME, - "conf/moon.conf", - "../moon.conf", - "../conf/moon.conf", - "/etc/moon/moon.conf", - ): - try: - data_config = yaml.safe_load(open(_file)) - except FileNotFoundError: - data_config = None - continue - else: - break - if not data_config: - raise Exception("Configuration file not found...") - return data_config - - -def put(key, value): - url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) - log.info(url) - req = requests.put( - url, - headers=HEADERS, - json=value - ) - if req.status_code != 200: - raise Exception("Error connecting to Consul ({}, {})".format(req.status_code, req.text)) - - -def get(key): - url = "http://{host}:{port}/v1/kv/{key}".format(host=CONSUL_HOST, port=CONSUL_PORT, key=key) - req = requests.get(url) - data = req.json() - for item in data: - log.info("{} {} -> {}".format( - req.status_code, - item["Key"], - json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - )) - yield json.loads(base64.b64decode(item["Value"]).decode("utf-8")) - - -def start_consul(data_config): - cmd = 
["docker", "run", "-d", "--net=moon", "--name=consul", "--hostname=consul", "-p", "8500:8500", "consul"] - output = subprocess.run(cmd, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - if output.returncode != 0: - log.info(" ".join(cmd)) - log.info(output.returncode) - log.error(output.stderr) - log.error(output.stdout) - raise Exception("Error starting Consul container!") - while True: - try: - req = requests.get("http://{}:{}/ui".format(CONSUL_HOST, CONSUL_PORT)) - except requests.exceptions.ConnectionError: - log.info("Waiting for Consul ({}:{})".format(CONSUL_HOST, CONSUL_PORT)) - time.sleep(1) - continue - else: - break - # if req.status_code in (302, 200): - # break - # log.info("Waiting for Consul ({}:{})".format(CONSUL_HOST, CONSUL_PORT)) - # time.sleep(1) - log.info("Consul is up") - - req = requests.get("http://{}:{}/v1/kv/database".format(CONSUL_HOST, CONSUL_PORT)) - if req.status_code == 200: - log.info("Consul is already populated") - return - - put("database", data_config["database"]) - put("messenger", data_config["messenger"]) - put("slave", data_config["slave"]) - put("docker", data_config["docker"]) - put("logging", data_config["logging"]) - put("components_port_start", data_config["components"]["port_start"]) - - for _key, _value in data_config["components"].items(): - if type(_value) is dict: - put("components/{}".format(_key), data_config["components"][_key]) - - for _key, _value in data_config["plugins"].items(): - put("plugins/{}".format(_key), data_config["plugins"][_key]) - - for _key, _value in data_config["openstack"].items(): - put("openstack/{}".format(_key), data_config["openstack"][_key]) - - -def start_database(): - cmd = ["docker", "run", "-dti", "--net=moon", "--hostname=db", "--name=db", - "-e", "MYSQL_ROOT_PASSWORD=p4sswOrd1", "-e", "MYSQL_DATABASE=moon", "-e", "MYSQL_USER=moon", - "-e", "MYSQL_PASSWORD=p4sswOrd1", "-p", "3306:3306", "mysql:latest"] - output = subprocess.run(cmd, - stdout=subprocess.PIPE, - 
stderr=subprocess.PIPE) - if output.returncode != 0: - log.info(cmd) - log.error(output.stderr) - log.error(output.stdout) - raise Exception("Error starting DB container!") - for database in get("database"): - database_url = database['url'] - match = re.search("(?P<proto>^[\\w+]+):\/\/(?P<user>\\w+):(?P<password>.+)@(?P<host>\\w+):*(?P<port>\\d*)", - database_url) - config = match.groupdict() - while True: - try: - conn = mysql.connector.connect( - host=config["host"], - user=config["user"], - password=config["password"], - database="moon" - ) - conn.close() - except mysql.connector.errors.InterfaceError: - log.info("Waiting for Database ({})".format(config["host"])) - time.sleep(1) - continue - else: - log.info("Database is up, populating it...") - output = subprocess.run(["moon_db_manager", "upgrade"], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - if output.returncode != 0: - raise Exception("Error populating the database!") - break - - -def start_keystone(): - output = subprocess.run(["docker", "run", "-dti", "--net=moon", "--hostname=keystone", "--name=keystone", - "-e", "DB_HOST=db", "-e", "DB_PASSWORD_ROOT=p4sswOrd1", "-p", "35357:35357", - "-p", "5000:5000", "keystone:mitaka"], - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - if output.returncode != 0: - raise Exception("Error starting Keystone container!") - # TODO: Keystone answers request too quickly - # even if it is not fully loaded - # we must test if a token retrieval is possible or not - # to see if Keystone is truly up and running - for config in get("openstack/keystone"): - while True: - try: - time.sleep(1) - req = requests.get(config["url"]) - except requests.exceptions.ConnectionError: - log.info("Waiting for Keystone ({})".format(config["url"])) - time.sleep(1) - continue - else: - log.info("Keystone is up") - break - - -def start_moon(data_config): - cmds = [ - # ["docker", "run", "-dti", "--net=moon", "--name=wrapper", "--hostname=wrapper", "-p", - # 
"{0}:{0}".format(data_config['components']['wrapper']['port']), - # data_config['components']['wrapper']['container']], - ["docker", "run", "-dti", "--net=moon", "--name=manager", - "--hostname=manager", "-p", - "{0}:{0}".format(data_config['components']['manager']['port']), - data_config['components']['manager']['container']], - ["docker", "run", "-dti", "--net=moon", "--name=interface", - "--hostname=interface", "-p", - "{0}:{0}".format(data_config['components']['interface']['port']), - data_config['components']['interface']['container']], - ] - for cmd in cmds: - log.warning("Start {}".format(cmd[-1])) - # answer = input() - # if answer.lower() in ("y", "yes", "o", "oui"): - output = subprocess.run(cmd, - stdout=subprocess.PIPE, - stderr=subprocess.PIPE) - time.sleep(3) - if output.returncode != 0: - log.info(" ".join(cmd)) - log.info(output.returncode) - log.error(output.stderr) - log.error(output.stdout) - raise Exception("Error starting {} container!".format(cmd[-1])) - subprocess.run(["docker", "ps"]) - - -def main(): - data_config = search_config_file() - subprocess.run(["docker", "rm", "-f", "consul", "db", "manager", "wrapper", "interface", "authz*", "keystone"]) - start_consul(data_config) - start_database() - start_keystone() - start_moon(data_config) - -main() - diff --git a/tools/bin/build_all.sh b/tools/bin/build_all.sh deleted file mode 100644 index 5bbf6a19..00000000 --- a/tools/bin/build_all.sh +++ /dev/null 
@@ -1,36 +0,0 @@
-#!/usr/bin/env bash
-
-VERSION=v4.1
-export DOCKER_HOST=tcp://172.88.88.1:2376
-
-
-mkdir $MOON_HOME/moon_orchestrator/dist 2>/dev/null
-
-echo Building Moon_Orchestrator
-cd $MOON_HOME/moon_orchestrator
-docker build -t wukongsun/moon_orchestrator:${VERSION} .
-
-echo Building Moon_Interface
-cd $MOON_HOME/moon_interface
-docker build -t wukongsun/moon_interface:${VERSION} .
-
-echo Building Moon_Security_Router
-cd $MOON_HOME/moon_secrouter
-docker build -t wukongsun/moon_router:${VERSION} .
-
-echo Building Moon_Manager
-cd $MOON_HOME/moon_manager
-docker build -t wukongsun/moon_manager:${VERSION} .
-
-echo Building Moon_Authz
-cd $MOON_HOME/moon_authz
-docker build -t wukongsun/moon_authz:${VERSION} .
-
-
-echo Building Moon_DB
-cd $MOON_HOME/moon_db
-python3 setup.py sdist bdist_wheel > /tmp/moon_db.log
-
-echo Building Moon_Utilities
-cd $MOON_HOME/moon_utilities
-python3 setup.py sdist bdist_wheel > /tmp/moon_utilities.log
diff --git a/tools/bin/build_all_pip.sh b/tools/bin/build_all_pip.sh
deleted file mode 100644
index 2b415bf0..00000000
--- a/tools/bin/build_all_pip.sh
+++ /dev/null
@@ -1,16 +0,0 @@
-#!/usr/bin/env bash
-
-
-echo Building Moon_DB
-cd $MOON_HOME/moon_db
-python3 setup.py sdist bdist_wheel> /tmp/moon_db.log
-
-
-echo Building Moon_Utilities
-cd $MOON_HOME/moon_utilities
-python3 setup.py sdist bdist_wheel> /tmp/moon_utilities.log
-
-
-echo Building Moon_Orchestrator
-cd $MOON_HOME/moon_orchestrator
-python3 setup.py sdist bdist_wheel> /tmp/moon_orchestrator.log
\ No newline at end of file
diff --git a/tools/bin/delete_orchestrator.sh b/tools/bin/delete_orchestrator.sh
deleted file mode 100644
index 4d9d7c98..00000000
--- a/tools/bin/delete_orchestrator.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/usr/bin/env bash
-
-set +x
-
-kubectl delete -n moon -f tools/moon_kubernetes/templates/moon_orchestrator.yaml
-for i in $(kubectl get deployments -n moon | grep wrapper | cut -d " " -f 1 | xargs); do
- echo deleting $i
- kubectl delete deployments/$i -n moon;
-done
-for i in $(kubectl get deployments -n moon | grep pipeline | cut -d " " -f 1 | xargs); do
- echo deleting $i
- kubectl delete deployments/$i -n moon;
-done
-for i in $(kubectl get services -n moon | grep wrapper | cut -d " " -f 1 | xargs); do
- echo deleting $i
- kubectl delete services/$i -n moon;
-done
-for i in $(kubectl get services -n moon | grep pipeline | cut -d " " -f 1 | xargs); do
- echo deleting $i
- kubectl delete services/$i -n moon;
-done
-
-if [ "$1" = "build" ]; then
-
- DOCKER_ARGS=""
-
- cd moon_manager
- docker build -t wukongsun/moon_manager:v4.3.1 . ${DOCKER_ARGS}
- if [ "$2" = "push" ]; then
- docker push wukongsun/moon_manager:v4.3.1
- fi
- cd -
-
- cd moon_orchestrator
- docker build -t wukongsun/moon_orchestrator:v4.3 . ${DOCKER_ARGS}
- if [ "$2" = "push" ]; then
- docker push wukongsun/moon_orchestrator:v4.3
- fi
- cd -
-
- cd moon_interface
- docker build -t wukongsun/moon_interface:v4.3 . ${DOCKER_ARGS}
- if [ "$2" = "push" ]; then
- docker push wukongsun/moon_interface:v4.3
- fi
- cd -
-
- cd moon_authz
- docker build -t wukongsun/moon_authz:v4.3 . ${DOCKER_ARGS}
- if [ "$2" = "push" ]; then
- docker push wukongsun/moon_authz:v4.3
- fi
- cd -
-
- cd moon_wrapper
- docker build -t wukongsun/moon_wrapper:v4.3 . ${DOCKER_ARGS}
- if [ "$2" = "push" ]; then
- docker push wukongsun/moon_wrapper:v4.3
- fi
- cd -
-fi
diff --git a/tools/bin/get_keystone_token.py b/tools/bin/get_keystone_token.py
deleted file mode 100644
index 1856aab8..00000000
--- a/tools/bin/get_keystone_token.py
+++ /dev/null
@@ -1,71 +0,0 @@
-import requests
-from oslo_config import cfg
-from oslo_log import log as logging
-from python_moonutilities import exceptions
-
-CONF = cfg.CONF
-LOG = logging.getLogger(__name__)
-
-
-def login(user=None, password=None, domain=None, project=None, url=None):
- print("""Configuration:
- user: {user}
- domain: {domain}
- project: {project}
- url: {url}""".format(
- user=CONF.keystone.user,
- domain=CONF.keystone.domain,
- project=CONF.keystone.project,
- url=CONF.keystone.url,
- ))
- if not user:
- user = CONF.keystone.user
- if not password:
- password = CONF.keystone.password
- if not domain:
- domain = CONF.keystone.domain
- if not project:
- project = CONF.keystone.project
- if not url:
- url = CONF.keystone.url
- headers = {
- "Content-Type": "application/json"
- }
- data_auth = {
- "auth": {
- "identity": {
- "methods": [
- "password"
- ],
- "password": {
- "user": {
- "domain": {
- "id": domain
- },
- "name": user,
- "password": password
- }
- }
- },
- "scope": {
- "project": {
- "domain": {
- "id": domain
- },
- "name": project
- }
- }
- }
- }
-
- req = requests.post("{}/auth/tokens".format(url),
- json=data_auth, headers=headers,
- verify=False)
-
- if req.status_code not in (200, 201):
- LOG.error(req.text)
- raise exceptions.KeystoneError
- headers['X-Auth-Token'] = req.headers['X-Subject-Token']
- return headers
-
-print(login()['X-Auth-Token'])
diff --git a/tools/bin/moon_lib_upload.sh b/tools/bin/moon_lib_upload.sh
deleted file mode 100644
index d2dc2a3f..00000000
--- a/tools/bin/moon_lib_upload.sh
+++ /dev/null
@@ -1,27 +0,0 @@
-#!/usr/bin/env bash
-
-# usage: moon_update.sh <GPG_ID>
-
-COMPONENT=$(basename $(pwd))
-GPG_ID=$1
-
-if [ -f setup.py ]; then
- echo
-else
- echo "Not a python package"
- exit 1
-fi
-
-VERSION=${COMPONENT}-$(grep __version__ ${COMPONENT}/__init__.py | cut -d "\"" -f 2)
-
-python3 setup.py sdist bdist_wheel
-
-echo $COMPONENT
-echo $VERSION
-
-# Instead of "A0A96E75", use your own GPG ID
-rm dist/*.asc 2>/dev/null
-gpg --detach-sign -u "${GPG_ID}" -a dist/${VERSION}-py3-none-any.whl
-gpg --detach-sign -u "${GPG_ID}" -a dist/${VERSION/_/-}.tar.gz
-twine upload dist/${VERSION}-py3-none-any.whl dist/${VERSION}-py3-none-any.whl.asc
-twine upload dist/${VERSION/_/-}.tar.gz dist/${VERSION/_/-}.tar.gz.asc
diff --git a/tools/bin/set_auth.src b/tools/bin/set_auth.src
deleted file mode 100644
index d955e30b..00000000
--- a/tools/bin/set_auth.src
+++ /dev/null
@@ -1,7 +0,0 @@
-export OS_USERNAME=admin
-export OS_PASSWORD=p4ssw0rd
-export OS_REGION_NAME=Orange
-export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://keystone:5000/v3
-export OS_DOMAIN_NAME=Default
-export MOON_URL=http://172.18.0.11:38001
diff --git a/tools/bin/start.sh b/tools/bin/start.sh
deleted file mode 100755
index e95ac393..00000000
--- a/tools/bin/start.sh
+++ /dev/null
@@ -1,39 +0,0 @@
-#!/usr/bin/env bash
-
-VERSION=4.1
-export DOCKER_HOST=tcp://172.88.88.1:2376
-
-echo -e "\033[31mDeleting previous dockers\033[m"
-docker rm -f $(docker ps -a | grep moon | cut -d " " -f 1) 2>/dev/null
-docker rm -f messenger db keystone consul 2>/dev/null
-
-echo -e "\033[32mStarting Messenger\033[m"
-docker run -dti --net=moon --hostname messenger --name messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=p4sswOrd1 -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -e RABBITMQ_HIPE_COMPILE=1 -p 5671:5671 -p 5672:5672 -p 8080:15672 rabbitmq:3-management
-
-echo -e "\033[32mStarting DB manager\033[m"
-docker run -dti --net=moon --hostname db --name db -e MYSQL_ROOT_PASSWORD=p4sswOrd1 -e MYSQL_DATABASE=moon -e MYSQL_USER=moon -e MYSQL_PASSWORD=p4sswOrd1 -p 3306:3306 mysql:latest
-
-docker run -d --net=moon --name=consul --hostname=consul -p 8500:8500 consul
-
-echo "waiting for Database (it may takes time)..."
-echo -e "\033[35m"
-sed '/ready for connections/q' <(docker logs db -f)
-echo -e "\033[m"
-
-echo "waiting for Messenger (it may takes time)..."
-echo -e "\033[35m"
-sed '/Server startup complete;/q' <(docker logs messenger -f)
-echo -e "\033[m"
-
-docker run -dti --net moon --hostname keystone --name keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 keystone:mitaka
-
-echo -e "\033[32mConfiguring Moon platform\033[m"
-sudo pip install moon_db
-moon_db_manager upgrade
-
-cd ${MOON_HOME}/moon_orchestrator
-python3 populate_consul.py
-
-echo -e "\033[32mStarting Moon platform\033[m"
-
-docker container run -dti --net moon --hostname orchestrator --name orchestrator wukongsun/moon_orchestrator:${VERSION}
diff --git a/tools/moon_jenkins/Dockerfile b/tools/moon_jenkins/Dockerfile
deleted file mode 100644
index 058f388c..00000000
--- a/tools/moon_jenkins/Dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM jenkinsci/blueocean
-
-ENV JAVA_OPTS="-Djenkins.install.runSetupWizard=false"
-
-COPY security.groovy /usr/share/jenkins/ref/init.groovy.d/security.groovy
-
-COPY plugins.txt /usr/share/jenkins/ref/plugins.txt
-RUN /usr/local/bin/install-plugins.sh < /usr/share/jenkins/ref/plugins.txt
\ No newline at end of file
diff --git a/tools/moon_jenkins/README.md b/tools/moon_jenkins/README.md
deleted file mode 100644
index 684b351c..00000000
--- a/tools/moon_jenkins/README.md
+++ /dev/null
@@ -1,37 +0,0 @@
-# Moon Jenkins
-The aim of this repo is to give a quick way to start with jenkins in containers.
-These were the aims of the automation:
-- minimal interaction with Jenkins GUI - the plugins in plugins.txt are installed automatically, the admin user is setup based on environment variables, proxy variables are inherited from environment
-- the build of the custom image is integrated in the same workflow
-
-## Prerequisites
-- one host running a newer version of the docker-engine
-- docker-compose 1.18.0
-
-## Usage
-- Setup secrets:
-```bash
-export JENKINS_USER=admin
-export JENKINS_PASSWORD=admin
-```
-- Deploy jenkins:
-```bash
-docker-compose up -d
- ```
-- Test: Jenkins GUI can be available on `http://<docker host IP>:8080`
-
-
-## Pipeline Creation
-You may find bellow an example of pipeline creation using BlueOcean interface.
-As example I used a clone (https://github.com/brutus333/moon.git) of the moon project (https://git.opnfv.org/moon/)
-
-Click on "Create a new job" in the classical Jenkins UI and follow the steps highlighted bellow:
-
-![Create Multibranch Pipeline](images/Create%20Multibranch%20Pipeline.png)
-![Select Source](images/Select%20Source%20Multibranch%20Pipeline.png)
-![Configure Source](images/Git%20Source%20Multibranch%20Pipeline.png)
-![Multibranch Pipeline Log](images/Multibranch%20Pipeline%20Log.png)
-
-Clicking on BlueOcean shows the pipeline in the blueocean interface:
-
-![Blue Ocean Pipeline success](images/blue%20ocean%20success%20pipeline.png)
diff --git a/tools/moon_jenkins/docker-compose.yml b/tools/moon_jenkins/docker-compose.yml
deleted file mode 100644
index eb9354ce..00000000
--- a/tools/moon_jenkins/docker-compose.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-version: '3.1'
-
-services:
- jenkins:
- build:
- context: .
- image: blueocean:v0.4
- ports:
- - 8080:8080
- - 50000:50000
- environment:
- - jenkins_user=${JENKINS_USER}
- - jenkins_password=${JENKINS_PASSWORD}
- volumes:
- - jenkins-data:/var/jenkins_home
- - /var/run/docker.sock:/var/run/docker.sock
- user: root
-
-volumes:
- jenkins-data:
\ No newline at end of file
diff --git a/tools/moon_jenkins/images/Create Multibranch Pipeline.png b/tools/moon_jenkins/images/Create Multibranch Pipeline.png
Binary files differ
deleted file mode 100644
index c71415c0..00000000
--- a/tools/moon_jenkins/images/Create Multibranch Pipeline.png
+++ /dev/null
diff --git a/tools/moon_jenkins/images/Git Source Multibranch Pipeline.png b/tools/moon_jenkins/images/Git Source Multibranch Pipeline.png
Binary files differ
deleted file mode 100644
index dd37f217..00000000
--- a/tools/moon_jenkins/images/Git Source Multibranch Pipeline.png
+++ /dev/null
diff --git a/tools/moon_jenkins/images/Multibranch Pipeline Log.png b/tools/moon_jenkins/images/Multibranch Pipeline Log.png
Binary files differ
deleted file mode 100644
index a1905934..00000000
--- a/tools/moon_jenkins/images/Multibranch Pipeline Log.png
+++ /dev/null
diff --git a/tools/moon_jenkins/images/Select Source Multibranch Pipeline.png b/tools/moon_jenkins/images/Select Source Multibranch Pipeline.png
Binary files differ
deleted file mode 100644
index eadbe916..00000000
--- a/tools/moon_jenkins/images/Select Source Multibranch Pipeline.png
+++ /dev/null
diff --git a/tools/moon_jenkins/plugins.txt b/tools/moon_jenkins/plugins.txt
deleted file mode 100644
index 65bae872..00000000
--- a/tools/moon_jenkins/plugins.txt
+++ /dev/null
@@ -1,100 +0,0 @@
-ssh-credentials
-git
-blueocean-dashboard
-pipeline-model-api
-pipeline-graph-analysis
-workflow-support
-display-url-api
-blueocean-config
-workflow-cps
-branch-api
-blueocean-i18n
-workflow-job
-blueocean-bitbucket-pipeline
-favorite
-docker-commons
-pipeline-input-step
-blueocean-pipeline-api-impl
-workflow-api
-jackson2-api
-git-client
-blueocean-pipeline-scm-api
-blueocean
-pipeline-build-step
-jquery-detached
-matrix-project
-antisamy-markup-formatter
-pipeline-model-extensions
-docker-workflow
-github
-git-server
-authentication-tokens
-workflow-cps-global-lib
-pipeline-model-definition
-workflow-scm-step
-pipeline-model-declarative-agent
-cloudbees-bitbucket-branch-source
-script-security
-scm-api
-blueocean-rest
-variant
-sse-gateway
-htmlpublisher
-matrix-auth
-pubsub-light
-blueocean-github-pipeline
-token-macro
-credentials
-mercurial
-plain-credentials
-blueocean-events
-github-api
-blueocean-git-pipeline
-structs
-durable-task
-pipeline-milestone-step
-blueocean-pipeline-editor
-blueocean-web
-pipeline-stage-tags-metadata
-ace-editor
-blueocean-commons
-blueocean-jira
-blueocean-rest-impl
-workflow-step-api
-blueocean-personalization
-workflow-basic-steps
-blueocean-display-url
-jira
-pipeline-stage-step
-jsch
-blueocean-jwt
-cloudbees-folder
-credentials-binding
-github-branch-source
-apache-httpcomponents-client-4-api
-blueocean-autofavorite
-workflow-multibranch
-mailer
-workflow-durable-task-step
-junit
-command-launcher
-bouncycastle-api
-build-timeout
-timestamper
-resource-disposer
-ws-cleanup
-ant
-gradle
-pipeline-rest-api
-handlebars
-momentjs
-pipeline-stage-view
-workflow-aggregator
-pipeline-github-lib
-mapdb-api
-subversion
-ssh-slaves
-pam-auth
-ldap
-email-ext
-locale
\ No newline at end of file
diff --git a/tools/moon_jenkins/security.groovy b/tools/moon_jenkins/security.groovy
deleted file mode 100644
index 0fb5ff6e..00000000
--- a/tools/moon_jenkins/security.groovy
+++ /dev/null
@@ -1,20 +0,0 @@
-#!groovy
-
-import jenkins.model.*
-import hudson.security.*
-
-def instance = Jenkins.getInstance()
-
-def user = System.getenv()['jenkins_user']
-def pass = System.getenv()['jenkins_password']
-// Create user account
-def hudsonRealm = new HudsonPrivateSecurityRealm(false)
-hudsonRealm.createAccount(user,pass)
-instance.setSecurityRealm(hudsonRealm)
-
-// Enable matrix auth strategy and set my_user as admin
-def strategy = new GlobalMatrixAuthorizationStrategy()
-strategy.add(Jenkins.ADMINISTER, user)
-instance.setAuthorizationStrategy(strategy)
-
-instance.save()
diff --git a/tools/moon_keystone/Dockerfile b/tools/moon_keystone/Dockerfile
deleted file mode 100644
index 2a43bd92..00000000
--- a/tools/moon_keystone/Dockerfile
+++ /dev/null
@@ -1,25 +0,0 @@
-FROM ubuntu:zesty
-
-ENV ADMIN_TOKEN=p4ssw0rd
-ENV ADMIN_PASSWORD=p4ssw0rd
-ENV DB_CONNECTION="mysql+pymysql"
-ENV DB_DRIVER=sql
-ENV DB_HOST=localhost
-ENV DB_DATABASE=keystonedb
-ENV DB_USER=keystone
-ENV DB_PASSWORD=p4ssw0rd
-ENV DB_USER_ROOT=root
-ENV DB_PASSWORD_ROOT=p4sswOrd1
-ENV RABBIT_NODE=server
-ENV INTERFACE_HOST="http://localhost:3001"
-
-RUN apt update && apt install apache2 rabbitmq-server keystone python-openstackclient libapache2-mod-wsgi mysql-client -y
-
-# RUN apt update && apt install iputils-ping net-tools -y
-
-ADD run.sh /root
-
-EXPOSE 35357
-EXPOSE 5000
-
-CMD ["/bin/bash", "/root/run.sh"]
\ No newline at end of file
diff --git a/tools/moon_keystone/README.md b/tools/moon_keystone/README.md
deleted file mode 100644
index 7027324e..00000000
--- a/tools/moon_keystone/README.md
+++ /dev/null
@@ -1,26 +0,0 @@
-# Keystone container
-
-## build keystone image
-
-without proxy:
-```bash
-docker build -t keystone:mitaka .
-```
-
-with a proxy:
-```bash
-docker build --build-arg https_proxy=http://proxy:3128 --build-arg http_proxy=http://proxy:3128 -t keystone:mitaka .
-```
-
-
-### access to the container
-```bash
-docker container exec -ti keystone /bin/bash
-export OS_USERNAME=admin
-export OS_PASSWORD=p4ssw0rd
-export OS_REGION_NAME=Orange
-export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://localhost:5000/v3
-export OS_DOMAIN_NAME=Default
-openstack project list
-```
\ No newline at end of file
diff --git a/tools/moon_keystone/run.sh b/tools/moon_keystone/run.sh
deleted file mode 100644
index 2a61901e..00000000
--- a/tools/moon_keystone/run.sh
+++ /dev/null
@@ -1,81 +0,0 @@ -#!/usr/bin/env bash - -MY_HOSTNAME=localhost - -echo DB_HOST=$DB_HOST -echo DB_DATABASE=$DB_DATABASE -echo RABBIT_NODE=$RABBIT_NODE -echo RABBIT_NODE=$[RABBIT_NODE] -echo INTERFACE_HOST=$INTERFACE_HOST - -sed "s/#admin_token = <None>/admin_token=$ADMIN_TOKEN/g" -i /etc/keystone/keystone.conf -sed "s/#connection = <None>/connection = $DB_CONNECTION:\/\/$DB_USER:$DB_PASSWORD@$DB_HOST\/$DB_DATABASE/g" -i /etc/keystone/keystone.conf - -cat << EOF | tee -a /etc/keystone/keystone.conf -[cors] -allowed_origin = $INTERFACE_HOST -max_age = 3600 -allow_methods = POST,GET,DELETE -EOF - -until echo status | mysql -h${DB_HOST} -u${DB_USER_ROOT} -p${DB_PASSWORD_ROOT}; do - >&2 echo "MySQL is unavailable - sleeping" - sleep 1 -done - ->&2 echo "Mysql is up - executing command" - -mysql -h $DB_HOST -u$DB_USER_ROOT -p$DB_PASSWORD_ROOT <<EOF -CREATE DATABASE $DB_DATABASE DEFAULT CHARACTER SET utf8 DEFAULT COLLATE utf8_general_ci; -GRANT ALL ON $DB_DATABASE.* TO '$DB_USER'@'%' IDENTIFIED BY '$DB_PASSWORD'; -GRANT ALL ON $DB_DATABASE.* TO '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASSWORD'; -EOF - -keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone -keystone-manage credential_setup --keystone-user keystone --keystone-group keystone - -su -s /bin/sh -c "keystone-manage db_sync" keystone - -keystone-manage bootstrap \ - --bootstrap-password ${ADMIN_PASSWORD} \ - --bootstrap-username admin \ - --bootstrap-project-name admin \ - --bootstrap-role-name admin \ - --bootstrap-service-name keystone \ - --bootstrap-region-id Orange \ - --bootstrap-admin-url http://localhost:35357 \ - --bootstrap-public-url http://localhost:5000 \ - --bootstrap-internal-url http://localhost:5000 - - -service apache2 start - -export OS_USERNAME=admin -export OS_PASSWORD=${ADMIN_PASSWORD} -export OS_REGION_NAME=Orange -export OS_TENANT_NAME=admin -export OS_AUTH_URL=http://localhost:5000/v3 -export OS_DOMAIN_NAME=Default -export OS_IDENTITY_API_VERSION=3 - -openstack 
project create --description "Service Project" demo -openstack role create user -openstack role add --project demo --user demo user - -echo -e "\n Project list:" -openstack project list - -echo -e "\n Users list:" -openstack user list - -echo -e "\n Roles list:" -openstack role list - -echo -e "\n Service list:" -openstack service list - -echo -e "\n Endpoint list:" -openstack endpoint list - - -tail -f /var/log/apache2/keystone.log
\ No newline at end of file
diff --git a/tools/moon_kubernetes/README.md b/tools/moon_kubernetes/README.md
deleted file mode 100644
index e75fe086..00000000
--- a/tools/moon_kubernetes/README.md
+++ /dev/null
@@ -1,141 +0,0 @@ -# Moon Platform Setup -## Docker Installation -```bash -apt update -apt install -y docker.io -``` - -## K8S Installation -Choose the right K8S platform -### Minikube -```bash -curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl -chmod +x ./kubectl -sudo mv ./kubectl /usr/local/bin/kubectl -curl -Lo minikube https://storage.googleapis.com/minikube/releases/v0.21.0/minikube-linux-amd64 && chmod +x minikube && sudo mv minikube /usr/local/bin/ -``` - -### Kubeadm -see: https://kubernetes.io/docs/setup/independent/install-kubeadm/ -```bash -apt-get update && apt-get install -y apt-transport-https -curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - -cat <<EOF >/etc/apt/sources.list.d/kubernetes.list -deb http://apt.kubernetes.io/ kubernetes-xenial main -EOF -apt-get update -apt-get install -y kubelet kubeadm kubectl -``` - -## Moon Deployment -### Deploy kubernete and moon -```bash -cd $MOON_HOME -bash tools/moon_kubernetes/init_k8s_moon.sh -``` -This will wait for kubernetes and then moon to be up - -To check that the platform is running correctely, -```bash -watch kubectl get po --namespace=kube-system -``` -You must see something like this: - - $ kubectl get po --namespace=kube-system - NAME READY STATUS RESTARTS AGE - calico-etcd-7qgjb 1/1 Running 0 1h - calico-node-f8zvm 2/2 Running 1 1h - calico-policy-controller-59fc4f7888-ns9kv 1/1 Running 0 1h - etcd-varuna 1/1 Running 0 1h - kube-apiserver-varuna 1/1 Running 0 1h - kube-controller-manager-varuna 1/1 Running 0 1h - kube-dns-bfbb49cd7-rgqxn 3/3 Running 0 1h - kube-proxy-x88wg 1/1 Running 0 1h - kube-scheduler-varuna 1/1 Running 0 1h - -```bash -watch kubectl get po --namespace=moon -``` - -You must see something like this: - - $ kubectl get po --namespace=moon - NAME READY STATUS RESTARTS AGE - consul-57b6d66975-9qnfx 1/1 Running 0 52m - 
db-867f9c6666-bq8cf 1/1 Running 0 52m - gui-bc9878b58-q288x 1/1 Running 0 51m - keystone-7d9cdbb69f-bl6ln 1/1 Running 0 52m - manager-5bfbb96988-2nvhd 1/1 Running 0 51m - manager-5bfbb96988-fg8vj 1/1 Running 0 51m - manager-5bfbb96988-w9wnk 1/1 Running 0 51m - orchestrator-65d8fb4574-tnfx2 1/1 Running 0 51m - wrapper-astonishing-748b7dcc4f-ngsvp 1/1 Running 0 51m - - -### Deploy or redeploy Moon only - -Kubernete shall be running. - -```bash -cd $MOON_HOME -sudo bash tools/moon_kubernetes/init_k8s_moon.sh moon -``` - - -### Troubleshoot -check *Consul* for: -- *Components/Manager*, e.g. -```json -{ - "port": 8082, - "bind": "0.0.0.0", - "hostname": "manager", - "container": "wukongsun/moon_manager:v4.3.1", - "external": { - "port": 30001, - "hostname": "$MOON_HOST" - } -} -``` -- *OpenStack/Keystone*: e.g. -```json -{ - "url": "http://keystone:5000/v3", - "user": "admin", - "password": "p4ssw0rd", - "domain": "default", - "project": "admin", - "check_token": false, - "certificate": false, - "external": { - "url": "http://$MOON_HOST:30006/v3" - } -} -``` - - -### Docker-K8S Port Mapping -```yamlex -manager: - port: 8082 - kport: 30001 -gui: - port: 3000 - kport: 30002 -orchestrator: - port: 8083 - kport: 30003 -consul: - port: 8500 - kport: 30005 -keystone: - port: 5000 - kport: 30006 -wrapper: - port: 8080 - kport: 30010 -interface: - port: 8080 -authz: - port: 8081 -``` diff --git a/tools/moon_kubernetes/conf/moon.conf b/tools/moon_kubernetes/conf/moon.conf deleted file mode 100644 index 5fc94edd..00000000 --- a/tools/moon_kubernetes/conf/moon.conf +++ /dev/null 
@@ -1,90 +0,0 @@
-database:
- url: mysql+pymysql://moon:p4sswOrd1@db/moon
- driver: sql
-
-openstack:
- keystone:
- url: http://keystone:5000/v3
- user: admin
- password: p4ssw0rd
- domain: default
- project: admin
- check_token: false
- certificate: false
- external:
- url: http://keystone:30006/v3
-
-components:
- port_start:
- 31001
- pipeline:
- interface:
- port: 8080
- bind: 0.0.0.0
- hostname: interface
- container: moonplatform/moon_interface:latest
- authz:
- port: 8081
- bind: 0.0.0.0
- hostname: interface
- container: moonplatform/moon_authz:latest
- session:
- container: asteroide/session:latest
- port: 8082
- orchestrator:
- port: 8083
- bind: 0.0.0.0
- hostname: orchestrator
- container: moonplatform/moon_orchestrator:latest
- external:
- port: 30003
- hostname: orchestrator
- wrapper:
- port: 8080
- bind: 0.0.0.0
- hostname: wrapper
- container: moonplatform/moon_wrapper:latest
- timeout: 5
- manager:
- port: 8082
- bind: 0.0.0.0
- hostname: manager
- container: moonplatform/moon_manager:latest
- external:
- port: 30001
- hostname: manager
- port_start: 31001
-
-logging:
- version: 1
-
- formatters:
- brief:
- format: "%(levelname)s %(name)s %(message)-30s"
- custom:
- format: "%(asctime)-15s %(levelname)s %(name)s %(message)s"
-
- handlers:
- console:
- class : logging.StreamHandler
- formatter: custom
- level : INFO
- stream : ext://sys.stdout
- file:
- class : logging.handlers.RotatingFileHandler
- formatter: custom
- level : DEBUG
- filename: /tmp/moon.log
- maxBytes: 1048576
- backupCount: 3
-
- loggers:
- moon:
- level: DEBUG
- handlers: [console, file]
- propagate: no
-
- root:
- level: ERROR
- handlers: [console]
-
diff --git a/tools/moon_kubernetes/conf/password_moon.txt b/tools/moon_kubernetes/conf/password_moon.txt
deleted file mode 100644
index bb9bcf7d..00000000
--- a/tools/moon_kubernetes/conf/password_moon.txt
+++ /dev/null
@@ -1 +0,0 @@
-p4sswOrd1
\ No newline at end of file
diff --git a/tools/moon_kubernetes/conf/password_root.txt b/tools/moon_kubernetes/conf/password_root.txt
deleted file mode 100644
index bb9bcf7d..00000000
--- a/tools/moon_kubernetes/conf/password_root.txt
+++ /dev/null
@@ -1 +0,0 @@
-p4sswOrd1
\ No newline at end of file
diff --git a/tools/moon_kubernetes/init_k8s_moon.sh b/tools/moon_kubernetes/init_k8s_moon.sh
deleted file mode 100644
index 0617de86..00000000
--- a/tools/moon_kubernetes/init_k8s_moon.sh
+++ /dev/null
@@ -1,280 +0,0 @@ -#!/bin/bash -#number of pods type that should be running or be stopped -declare -i pods_to_check=0 - #global variable on current namespace to check -current_namespace="" -#if set to 1 we check that the pods are running, otherwise we chack that the pods are stopped -declare -i check_running=1 -#name of the pod to check -match_pattern="" -#postfix used to recognize pods name -OS="unknown_os" - -#this function checks if a pod with name starting with $1 is in the Running / Stopped state depending on $heck_running -# $1 : the name the pods starts with (without the random string added by kubernate to the pod name) -# $2 : either the number of identical pods that shall be run or # -# $3 : if $2 is #, the number of lines of the pods name appear on which the pod appears -function check_pod() { - declare -i nb_arguments=$# - match_pattern="$1"; shift - if [ $nb_arguments -gt 2 ]; then - shift; declare -i nb_pods_pattern="$1" - if [ $check_running -eq 1 ]; then #check if pods are running - declare -i result=$(sudo kubectl get po --namespace=${current_namespace} | grep $match_pattern | grep "1/1" | grep -c "Running") - if [ $result -eq $nb_pods_pattern ]; then - pods_to_check=$pods_to_check+1 - fi - else #check if pods are stopped - declare -i result=$(sudo kubectl get po --namespace=${current_namespace} | grep $match_pattern | grep -c "Running\|Terminating") - if [ $result -eq 0 ]; then - pods_to_check=$pods_to_check+1 - fi - fi - else - declare -i nb=$1 - if [ $check_running -eq 1 ]; then #check if pods are running - declare -i result=$(sudo kubectl get po --namespace=${current_namespace} | grep $match_pattern | grep "$nb/$nb" | grep -c "Running") - if [ $result -eq 1 ]; then - pods_to_check=$pods_to_check+1 - fi - else #check if pods are stopped - declare -i result=$(sudo kubectl get po --namespace=${current_namespace} | grep $match_pattern | grep -c "Running\|Terminating") - if [ $result -eq 0 ]; then - pods_to_check=$pods_to_check+1 - fi - fi - fi -} - 
-#this function tests a list of pods -function check_pods() { - current_namespace="${1}"; shift - pods=("${@}") - declare -i pods_nb=${#pods[@]} - sleep 2 - while [ $pods_to_check -lt $pods_nb ] - do - pods_to_check=0 - for node in "${pods[@]}" - do - check_pod $node - done - - if [ $check_running -eq 1 ]; then - echo -ne "$pods_to_check node types on $pods_nb are running...\033[0K\r" - else - declare -i running_pods=$pods_nb-$pods_to_check - echo -ne "$running_pods node types on $pods_nb are still running...\033[0K\r" - fi - sleep 2 - done -} - -#this function checks if a list of pods ($2) in a specific namspace ($1) are in the Running state -function check_pods_running() { - check_running=1 - check_pods "${@}" - pods_to_check=0 -} - -#this function checks if a list of pods ($2) are not in a specific namspace ($1) -function check_pods_not_running() { - check_running=0 - check_pods "${@}" - pods_to_check=0 -} - -function wait_for_kubernate_calico() { - echo -ne "Waiting for kubernate... " - kube_namespace="kube-system" - declare -a kube_pods=("calico-etcd 1" "calico-node 2" "calico-policy-controller 1" "etcd-${OS} 1" "kube-apiserver-${OS} 1" "kube-controller-manager-${OS} 1" "kube-dns 3" "kube-proxy 1" "kube-scheduler-${OS} 1") - check_pods_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_init() { - echo "Waiting for moon (consul, db, keystone) ..." - kube_namespace="moon" - declare -a kube_pods=("consul 1" "db 1" "keystone 1") - check_pods_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_forming() { - echo "Waiting for moon (forming) ..." - kube_namespace="moon" - declare -a kube_pods=("forming 1") - check_pods_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_manager() { - echo "Waiting for moon (manager) ..." 
- kube_namespace="moon" - declare -a kube_pods=("manager # 1") - check_pods_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_end() { - echo "Waiting for moon (orchestrator, gui) ..." - kube_namespace="moon" - declare -a kube_pods=("gui 1" "orchestrator 1") - check_pods_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_forming_to_end() { - echo "Waiting for moon forming to finish initialization. This can take few minutes..." - kube_namespace="moon" - declare -a kube_pods=("forming 1") - check_pods_not_running "$kube_namespace" "${kube_pods[@]}" -} - -function wait_for_moon_delete_to_end(){ - echo "Waiting for moon to terminate..." - kube_namespace="moon" - declare -a kube_pods=("consul 1" "db 1" "keystone 1" "manager # 3" "gui 1" "orchestrator 1") - check_pods_not_running "$kube_namespace" "${kube_pods[@]}" -} - -function check_os(){ - if [ -f /etc/os-release ]; then - # freedesktop.org and systemd - . /etc/os-release - OS=${ID} - elif type lsb_release >/dev/null 2>&1; then - # linuxbase.org - OS=$(lsb_release -si) - declare -i result=$(grep -i "debian" $OS) - if [ $result -eq 1 ]; then - OS="debian" - fi - declare -i result=$(grep -i "ubuntu" $OS) - if [ $result -eq 1 ]; then - OS="ubuntu" - fi - elif [ -f /etc/lsb-release ]; then - # For some versions of Debian/Ubuntu without lsb_release command - . /etc/lsb-release - OS=$DISTRIB_ID - declare -i result=$(grep -i "debian" $OS) - if [ $result -eq 1 ]; then - OS="debian" - fi - declare -i result=$(grep -i "ubuntu" $OS) - if [ $result -eq 1 ]; then - OS="ubuntu" - fi - elif [ -f /etc/debian_version ]; then - # Older Debian/Ubuntu/etc. - declare -i result=$(grep -i "debian" $OS) - if [ $result -eq 1 ]; then - OS="debian" - fi - declare -i result=$(grep -i "ubuntu" $OS) - if [ $result -eq 1 ]; then - OS="ubuntu" - fi - elif [ -f /etc/SuSe-release ]; then - # Older SuSE/etc. 
- echo "TO DO : get the name of the OS at the end of the pods name" - elif [ -f /etc/redhat-release ]; then - # Older Red Hat, CentOS, etc. - echo "TO DO : get the name of the OS at the end of the pods name" - else - # Fall back to uname, e.g. "Linux <version>", also works for BSD, etc. - OS=$(uname -s) - echo "TO DO : get the name of the OS at the end of the pods name" - fi - echo "postfix used to detect pods name : ${OS}" -} - -declare -i nb_arguments=$# -declare -i init_kubernate=1 - -if [ $# -eq 1 ]; then - if [ $1 == "moon" ]; then - init_kubernate=0 - fi - - if [ $1 == "-h" ]; then - echo "Usage : " - echo " - 'bash tools/moon_kubernetes/init_k8s_moon.sh' launches the kubernates platform and the moon platform." - echo " - 'bash tools/moon_kubernetes/init_k8s_moon.sh moon' launches the moon platform only. If the moon platform is already launched, it deletes and recreates it." - echo " " - fi -fi - -if [ $init_kubernate -eq 1 ]; then - check_os - echo "==============================" - echo "Launching kubernate " - echo "==============================" - sudo kubeadm reset - sudo swapoff -a - sudo kubeadm init --pod-network-cidr=192.168.0.0/16 # network for Calico - #sudo kubeadm init --pod-network-cidr=10.244.0.0/16 # network for Canal - - mkdir -p $HOME/.kube - sudo cp -f /etc/kubernetes/admin.conf $HOME/.kube/config - sudo chown $(id -u):$(id -g) $HOME/.kube/config - - kubectl apply -f http://docs.projectcalico.org/v2.4/getting-started/kubernetes/installation/hosted/kubeadm/1.6/calico.yaml - #kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.6/rbac.yaml - #kubectl apply -f https://raw.githubusercontent.com/projectcalico/canal/master/k8s-install/1.6/canal.yaml - #kubectl create -f https://raw.githubusercontent.com/kubernetes/dashboard/master/src/deploy/recommended/kubernetes-dashboard.yaml - - kubectl delete deployment kube-dns --namespace=kube-system - kubectl apply -f tools/moon_kubernetes/templates/kube-dns.yaml - 
kubectl taint nodes --all node-role.kubernetes.io/master- # malke the master also as a node - - kubectl proxy& - - wait_for_kubernate_calico - - echo "==============================" - echo "Kubernate platform is ready ! " - echo "==============================" -fi - -echo "============================" -echo "Launching moon " -echo "============================" -#check if the moon platform is running, if so we terminate it -declare -i moon_is_running=$(sudo kubectl get namespace | grep -c moon) -if [ $moon_is_running -eq 1 ]; then - sudo kubectl delete namespace moon - wait_for_moon_delete_to_end - sleep 2 -fi - -#launching moon -kubectl create namespace moon -kubectl create configmap moon-config --from-file tools/moon_kubernetes/conf/moon.conf -n moon -kubectl create configmap config --from-file ~/.kube/config -n moon -kubectl create configmap moon-policy-templates --from-file tests/functional/scenario_tests -n moon -kubectl create secret generic mysql-root-pass --from-file=tools/moon_kubernetes/conf/password_root.txt -n moon -kubectl create secret generic mysql-pass --from-file=tools/moon_kubernetes/conf/password_moon.txt -n moon - -kubectl create -n moon -f tools/moon_kubernetes/templates/consul.yaml -kubectl create -n moon -f tools/moon_kubernetes/templates/db.yaml -kubectl create -n moon -f tools/moon_kubernetes/templates/keystone.yaml -wait_for_moon_init - - -kubectl create -n moon -f tools/moon_kubernetes/templates/moon_forming.yaml -wait_for_moon_forming - - -kubectl create -n moon -f tools/moon_kubernetes/templates/moon_manager.yaml -wait_for_moon_manager - - -kubectl create -n moon -f tools/moon_kubernetes/templates/moon_orchestrator.yaml -kubectl create -n moon -f tools/moon_kubernetes/templates/moon_gui.yaml -wait_for_moon_end - -#wait the end of pods initialization performed by moon forming -wait_for_moon_forming_to_end - -echo "========================== " -echo "Moon platform is ready !" -echo "==========================" - - 
diff --git a/tools/moon_kubernetes/templates/consul.yaml b/tools/moon_kubernetes/templates/consul.yaml
deleted file mode 100644
index f0fb764e..00000000
--- a/tools/moon_kubernetes/templates/consul.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- namespace: moon
- name: consul
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: consul
- spec:
- hostname: consul
- containers:
- - name: consul
- image: consul:latest
- ports:
- - containerPort: 8500
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: consul
- namespace: moon
-spec:
- ports:
- - port: 8500
- targetPort: 8500
- nodePort: 30005
- selector:
- app: consul
- type: NodePort
diff --git a/tools/moon_kubernetes/templates/db.yaml b/tools/moon_kubernetes/templates/db.yaml
deleted file mode 100644
index 5a0e5e98..00000000
--- a/tools/moon_kubernetes/templates/db.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- namespace: moon
- name: db
-spec:
- replicas: 1
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: db
- spec:
- containers:
- - name: db
- image: mysql:5.7
- env:
- - name: MYSQL_DATABASE
- value: "moon"
- - name: MYSQL_USER
- value: "moon"
- - name: MYSQL_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysql-pass
- key: password_moon.txt
- - name: MYSQL_ROOT_PASSWORD
- valueFrom:
- secretKeyRef:
- name: mysql-root-pass
- key: password_root.txt
- ports:
- - containerPort: 3306
- name: mysql
-# volumeMounts:
-# - name: mysql-persistent-storage
-# mountPath: /var/lib/mysql
-# volumes:
-# - name: mysql-persistent-storage
-# persistentVolumeClaim:
-# claimName: mysql-pv-claim
----
-
-apiVersion: v1
-kind: Service
-metadata:
- namespace: moon
- name: db
-spec:
- ports:
- - port: 3306
- selector:
- app: db
----
\ No newline at end of file
diff --git a/tools/moon_kubernetes/templates/keystone.yaml b/tools/moon_kubernetes/templates/keystone.yaml
deleted file mode 100644
index e4218e4c..00000000
--- a/tools/moon_kubernetes/templates/keystone.yaml
+++ /dev/null
@@ -1,39 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- namespace: moon
- name: keystone
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: keystone
- spec:
- hostname: keystone
- containers:
- - name: keystone
- image: asteroide/keystone:pike-cors
- env:
- - name: KEYSTONE_HOSTNAME
- value: "127.0.0.1"
- - name: KEYSTONE_PORT
- value: "30006"
- ports:
- - containerPort: 35357
- containerPort: 5000
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: keystone
- namespace: moon
-spec:
- ports:
- - port: 5000
- targetPort: 5000
- nodePort: 30006
- selector:
- app: keystone
- type: NodePort
diff --git a/tools/moon_kubernetes/templates/kube-dns.yaml b/tools/moon_kubernetes/templates/kube-dns.yaml
deleted file mode 100644
index c8f18fd8..00000000
--- a/tools/moon_kubernetes/templates/kube-dns.yaml
+++ /dev/null
@@ -1,183 +0,0 @@ -apiVersion: extensions/v1beta1 -kind: Deployment -metadata: - annotations: - deployment.kubernetes.io/revision: "2" - kubectl.kubernetes.io/last-applied-configuration: | - {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{"deployment.kubernetes.io/revision":"1"},"creationTimestamp":"2017-10-30T09:03:59Z","generation":1,"labels":{"k8s-app":"kube-dns"},"name":"kube-dns","namespace":"kube-system","resourceVersion":"556","selfLink":"/apis/extensions/v1beta1/namespaces/kube-system/deployments/kube-dns","uid":"4433b709-bd51-11e7-a055-80fa5b15034a"},"spec":{"replicas":1,"selector":{"matchLabels":{"k8s-app":"kube-dns"}},"strategy":{"rollingUpdate":{"maxSurge":"10%","maxUnavailable":0},"type":"RollingUpdate"},"template":{"metadata":{"creationTimestamp":null,"labels":{"k8s-app":"kube-dns"}},"spec":{"affinity":{"nodeAffinity":{"requiredDuringSchedulingIgnoredDuringExecution":{"nodeSelectorTerms":[{"matchExpressions":[{"key":"beta.kubernetes.io/arch","operator":"In","values":["amd64"]}]}]}}},"containers":[{"args":["--domain=cluster.local.","--dns-port=10053","--config-dir=/kube-dns-config","--v=2"],"env":[{"name":"PROMETHEUS_PORT","value":"10055"}],"image":"gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold":5,"httpGet":{"path":"/healthcheck/kubedns","port":10054,"scheme":"HTTP"},"initialDelaySeconds":60,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"name":"kubedns","ports":[{"containerPort":10053,"name":"dns-local","protocol":"UDP"},{"containerPort":10053,"name":"dns-tcp-local","protocol":"TCP"},{"containerPort":10055,"name":"metrics","protocol":"TCP"}],"readinessProbe":{"failureThreshold":3,"httpGet":{"path":"/readiness","port":8081,"scheme":"HTTP"},"initialDelaySeconds":3,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"resources":{"limits":{"memory":"170Mi"},"requests":{"cpu":"100m","memory":"70Mi"}},"terminationMessagePath":"
/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/kube-dns-config","name":"kube-dns-config"}]},{"args":["-v=2","-logtostderr","-configDir=/etc/k8s/dns/dnsmasq-nanny","-restartDnsmasq=true","--","-k","--cache-size=1000","--log-facility=-","--server=/cluster.local/127.0.0.1#10053","--server=/in-addr.arpa/127.0.0.1#10053","--server=/ip6.arpa/127.0.0.1#10053","--server=8.8.8.8"],"image":"gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold":5,"httpGet":{"path":"/healthcheck/dnsmasq","port":10054,"scheme":"HTTP"},"initialDelaySeconds":60,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"name":"dnsmasq","ports":[{"containerPort":53,"name":"dns","protocol":"UDP"},{"containerPort":53,"name":"dns-tcp","protocol":"TCP"}],"resources":{"requests":{"cpu":"150m","memory":"20Mi"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File","volumeMounts":[{"mountPath":"/etc/k8s/dns/dnsmasq-nanny","name":"kube-dns-config"}]},{"args":["--v=2","--logtostderr","--probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,A","--probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,A"],"image":"gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5","imagePullPolicy":"IfNotPresent","livenessProbe":{"failureThreshold":5,"httpGet":{"path":"/metrics","port":10054,"scheme":"HTTP"},"initialDelaySeconds":60,"periodSeconds":10,"successThreshold":1,"timeoutSeconds":5},"name":"sidecar","ports":[{"containerPort":10054,"name":"metrics","protocol":"TCP"}],"resources":{"requests":{"cpu":"10m","memory":"20Mi"}},"terminationMessagePath":"/dev/termination-log","terminationMessagePolicy":"File"}],"dnsPolicy":"Default","restartPolicy":"Always","schedulerName":"default-scheduler","securityContext":{},"serviceAccount":"kube-dns","serviceAccountName":"kube-dns","terminationGracePeriodSeconds":30,"tolerations":[{"key":"CriticalAddonsOnly","oper
ator":"Exists"},{"effect":"NoSchedule","key":"node-role.kubernetes.io/master"}],"volumes":[{"configMap":{"defaultMode":420,"name":"kube-dns","optional":true},"name":"kube-dns-config"}]}}},"status":{"availableReplicas":1,"conditions":[{"lastTransitionTime":"2017-10-30T09:05:11Z","lastUpdateTime":"2017-10-30T09:05:11Z","message":"Deployment has minimum availability.","reason":"MinimumReplicasAvailable","status":"True","type":"Available"}],"observedGeneration":1,"readyReplicas":1,"replicas":1,"updatedReplicas":1}} - creationTimestamp: 2017-10-30T09:03:59Z - generation: 2 - labels: - k8s-app: kube-dns - name: kube-dns - namespace: kube-system - resourceVersion: "300076" - selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/kube-dns - uid: 4433b709-bd51-11e7-a055-80fa5b15034a -spec: - replicas: 1 - selector: - matchLabels: - k8s-app: kube-dns - strategy: - rollingUpdate: - maxSurge: 10% - maxUnavailable: 0 - type: RollingUpdate - template: - metadata: - creationTimestamp: null - labels: - k8s-app: kube-dns - spec: - affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: beta.kubernetes.io/arch - operator: In - values: - - amd64 - containers: - - args: - - --domain=cluster.local. 
- - --dns-port=10053 - - --config-dir=/kube-dns-config - - --v=2 - env: - - name: PROMETHEUS_PORT - value: "10055" - image: gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.5 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthcheck/kubedns - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: kubedns - ports: - - containerPort: 10053 - name: dns-local - protocol: UDP - - containerPort: 10053 - name: dns-tcp-local - protocol: TCP - - containerPort: 10055 - name: metrics - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /readiness - port: 8081 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - resources: - limits: - memory: 340Mi - requests: - cpu: 200m - memory: 140Mi - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /kube-dns-config - name: kube-dns-config - - args: - - -v=2 - - -logtostderr - - -configDir=/etc/k8s/dns/dnsmasq-nanny - - -restartDnsmasq=true - - -- - - -k - - --dns-forward-max=300 - - --cache-size=1000 - - --log-facility=- - - --server=/cluster.local/127.0.0.1#10053 - - --server=/in-addr.arpa/127.0.0.1#10053 - - --server=/ip6.arpa/127.0.0.1#10053 - - --server=8.8.8.8 - image: gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.5 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /healthcheck/dnsmasq - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: dnsmasq - ports: - - containerPort: 53 - name: dns - protocol: UDP - - containerPort: 53 - name: dns-tcp - protocol: TCP - resources: - requests: - cpu: 150m - memory: 20Mi - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /etc/k8s/dns/dnsmasq-nanny - name: kube-dns-config 
- - args: - - --v=2 - - --logtostderr - - --probe=kubedns,127.0.0.1:10053,kubernetes.default.svc.cluster.local,5,A - - --probe=dnsmasq,127.0.0.1:53,kubernetes.default.svc.cluster.local,5,A - image: gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.5 - imagePullPolicy: IfNotPresent - livenessProbe: - failureThreshold: 5 - httpGet: - path: /metrics - port: 10054 - scheme: HTTP - initialDelaySeconds: 60 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 5 - name: sidecar - ports: - - containerPort: 10054 - name: metrics - protocol: TCP - resources: - requests: - cpu: 10m - memory: 20Mi - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - dnsPolicy: Default - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: kube-dns - serviceAccountName: kube-dns - terminationGracePeriodSeconds: 30 - tolerations: - - key: CriticalAddonsOnly - operator: Exists - - effect: NoSchedule - key: node-role.kubernetes.io/master - volumes: - - configMap: - defaultMode: 420 - name: kube-dns - optional: true - name: kube-dns-config diff --git a/tools/moon_kubernetes/templates/moon_forming.yaml b/tools/moon_kubernetes/templates/moon_forming.yaml deleted file mode 100644 index 1214a41a..00000000 --- a/tools/moon_kubernetes/templates/moon_forming.yaml +++ /dev/null @@ -1,30 +0,0 @@ -apiVersion: batch/v1 -kind: Job -metadata: - name: forming - namespace: moon -spec: - template: - metadata: - name: forming - spec: - containers: - - name: forming - image: moonplatform/moon_forming:latest - env: - - name: POPULATE_ARGS - value: "--verbose" # debug mode: --debug - volumeMounts: - - name: config-volume - mountPath: /etc/moon - - name: templates-volume - mountPath: /data - volumes: - - name: config-volume - configMap: - name: moon-config - - name: templates-volume - configMap: - name: moon-policy-templates - restartPolicy: Never - #backoffLimit: 4
\ No newline at end of file
diff --git a/tools/moon_kubernetes/templates/moon_functest.yaml b/tools/moon_kubernetes/templates/moon_functest.yaml
deleted file mode 100644
index e876849e..00000000
--- a/tools/moon_kubernetes/templates/moon_functest.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: batch/v1
-kind: Job
-metadata:
- name: functest
- namespace: moon
-spec:
- template:
- metadata:
- name: functest
- spec:
- containers:
- - name: functest
- image: moonplatform/moon_python_func_test:latest
- volumeMounts:
- - name: config-volume
- mountPath: /etc/moon
- - name: tests-volume
- mountPath: /data
- volumes:
- - name: config-volume
- configMap:
- name: moon-config
- - name: tests-volume
- hostPath:
- path: "{{PATH}}"
- restartPolicy: Never
- #backoffLimit: 4
diff --git a/tools/moon_kubernetes/templates/moon_gui.yaml b/tools/moon_kubernetes/templates/moon_gui.yaml
deleted file mode 100644
index eca4267d..00000000
--- a/tools/moon_kubernetes/templates/moon_gui.yaml
+++ /dev/null
@@ -1,42 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- namespace: moon
- name: gui
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: gui
- spec:
- hostname: gui
- containers:
- - name: gui
- image: moonplatform/moon_gui:latest
- env:
- - name: MANAGER_HOST
- value: "127.0.0.1"
- - name: MANAGER_PORT
- value: "30001"
- - name: KEYSTONE_HOST
- value: "127.0.0.1"
- - name: KEYSTONE_PORT
- value: "30006"
- ports:
- - containerPort: 80
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: gui
- namespace: moon
-spec:
- ports:
- - port: 80
- targetPort: 80
- nodePort: 30002
- selector:
- app: gui
- type: NodePort
diff --git a/tools/moon_kubernetes/templates/moon_manager.yaml b/tools/moon_kubernetes/templates/moon_manager.yaml
deleted file mode 100644
index 8eb59482..00000000
--- a/tools/moon_kubernetes/templates/moon_manager.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- name: manager
- namespace: moon
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: manager
- spec:
- hostname: manager
- containers:
- - name: manager
- image: moonplatform/moon_manager:latest
- ports:
- - containerPort: 8082
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: manager
- namespace: moon
-spec:
- ports:
- - port: 8082
- targetPort: 8082
- nodePort: 30001
- selector:
- app: manager
- type: NodePort
diff --git a/tools/moon_kubernetes/templates/moon_orchestrator.yaml b/tools/moon_kubernetes/templates/moon_orchestrator.yaml
deleted file mode 100644
index a4ae2bd9..00000000
--- a/tools/moon_kubernetes/templates/moon_orchestrator.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
-apiVersion: apps/v1beta1
-kind: Deployment
-metadata:
- namespace: moon
- name: orchestrator
-spec:
- replicas: 1
- template:
- metadata:
- labels:
- app: orchestrator
- spec:
- hostname: orchestrator
- containers:
- - name: orchestrator
- image: moonplatform/moon_orchestrator:latest
- ports:
- - containerPort: 8083
- volumeMounts:
- - name: config-volume
- mountPath: /root/.kube
- volumes:
- - name: config-volume
- configMap:
- name: config
----
-
-apiVersion: v1
-kind: Service
-metadata:
- name: orchestrator
- namespace: moon
-spec:
- ports:
- - port: 8083
- targetPort: 8083
- nodePort: 30003
- selector:
- app: orchestrator
- type: NodePort
diff --git a/tools/openstack/README.md b/tools/openstack/README.md
deleted file mode 100644
index 8b5d06e5..00000000
--- a/tools/openstack/README.md
+++ /dev/null
@@ -1,73 +0,0 @@
-# OpenStack
-## Installation
-For the *Moon* platform, you must have the following OpenStack components installed somewhere:
-- *Nova*, see [Nova install](https://docs.openstack.org/mitaka/install-guide-ubuntu/nova-controller-install.html)
-- *Glance*, see [Glance install](https://docs.openstack.org/glance/pike/install/)
-- *Keystone* is automatically installed and configured in the Moon platform.
-After the Moon platform installation, the Keystone server will be available
-at: `http://localhost:30005 or http://\<servername\>:30005`
-
-You can also use your own Keystone server if you want.
-
-## Configuration
-Before updating the configuration of the OpenStack platform, check that the platform
-is working without Moon, use the following commands:
-```bash
-# set authentication
-openstack endpoint list
-openstack user list
-openstack server list
-```
-
-In order to connect the OpenStack platform with the Moon platform, you must update some
-configuration files in Nova and Glance:
-- `/etc/nova/policy.json`
-- `/etc/glance/policy.json`
-
-In some installed platform, the `/etc/nova/policy.json` can be absent so you have
-to create one. You can find example files in those directory:
-- `${MOON}/tools/openstack/nova/policy.json`
-- `${MOON}/tools/openstack/glance/policy.json`
-
-Each line is mapped to an OpenStack API interface, for example, the following line
-allows the user to get details for every virtual machines in the cloud
-(the corresponding shell command is `openstack server list`):
-
- "os_compute_api:servers:detail": "",
-
-This lines indicates that there is no special authorisation to use this API,
-every users can use it. If you want that the Moon platform handles that authorisation,
-update this line with:
-
- "os_compute_api:servers:detail": "http://my_hostname:31001/authz"
-
-1) by replacing `my_hostname` with the hostname (or the IP address) of the Moon platform.
-2) by updating the TCP port (default: 31001) with the good one.
-
-To find this TCP port, use the following command:
-
- $ kubectl get services -n moon | grep wrapper | cut -d ":" -f 2 | cut -d " " -f 1
- 31002/TCP
-
-## Tests
-Here is a shell script to authenticate to the OpenStack platform as `admin`:
-```bash
-export OS_USERNAME=admin
-export OS_PASSWORD=p4ssw0rd
-export OS_REGION_NAME=Orange
-export OS_TENANT_NAME=admin
-export OS_AUTH_URL=http://moon_hostname:30006/v3
-export OS_DOMAIN_NAME=Default
-export OS_IDENTITY_API_VERSION=3
-```
-
-For the `demo_user`, use:
-```bash
-export OS_USERNAME=demo_user
-export OS_PASSWORD=your_secret_password
-export OS_REGION_NAME=Orange
-export OS_TENANT_NAME=demo
-export OS_AUTH_URL=http://moon_hostname:30006/v3
-export OS_DOMAIN_NAME=Default
-export OS_IDENTITY_API_VERSION=3
-```
diff --git a/tools/openstack/glance/policy.json b/tools/openstack/glance/policy.json
deleted file mode 100644
index 5505f67f..00000000
--- a/tools/openstack/glance/policy.json
+++ /dev/null
@@ -1,62 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "http://my_hostname:31001/authz",
- "delete_image": "http://my_hostname:31001/authz",
- "get_image": "http://my_hostname:31001/authz",
- "get_images": "http://my_hostname:31001/authz",
- "modify_image": "http://my_hostname:31001/authz",
- "publicize_image": "role:admin",
- "communitize_image": "",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "role:admin",
- "get_tasks": "role:admin",
- "add_task": "role:admin",
- "modify_task": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/tools/openstack/nova/policy.json b/tools/openstack/nova/policy.json
deleted file mode 100644
index 29763ce3..00000000
--- a/tools/openstack/nova/policy.json
+++ /dev/null
@@ -1,488 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
-
- "compute:create": "http://my_hostname:31001/authz",
- "compute:create:attach_network": "",
- "compute:create:attach_volume": "",
- "compute:create:forced_host": "is_admin:True",
-
- "compute:get": "http://my_hostname:31001/authz",
- "compute:get_all": "http://my_hostname:31001/authz",
- "compute:get_all_tenants": "is_admin:True",
-
- "compute:update": "",
-
- "compute:get_instance_metadata": "",
- "compute:get_all_instance_metadata": "",
- "compute:get_all_instance_system_metadata": "",
- "compute:update_instance_metadata": "",
- "compute:delete_instance_metadata": "",
-
- "compute:get_instance_faults": "",
- "compute:get_diagnostics": "",
- "compute:get_instance_diagnostics": "",
-
- "compute:start": "rule:admin_or_owner",
- "compute:stop": "rule:admin_or_owner",
-
- "compute:get_lock": "",
- "compute:lock": "rule:admin_or_owner",
- "compute:unlock": "rule:admin_or_owner",
- "compute:unlock_override": "rule:admin_api",
-
- "compute:get_vnc_console": "",
- "compute:get_spice_console": "",
- "compute:get_rdp_console": "",
- "compute:get_serial_console": "",
- "compute:get_mks_console": "",
- "compute:get_console_output": "",
-
- "compute:reset_network": "",
- "compute:inject_network_info": "",
- "compute:add_fixed_ip": "",
- "compute:remove_fixed_ip": "",
-
- "compute:attach_volume": "",
- "compute:detach_volume": "",
- "compute:swap_volume": "",
-
- "compute:attach_interface": "",
- "compute:detach_interface": "",
-
- "compute:set_admin_password": "",
-
- "compute:rescue": "",
- "compute:unrescue": "",
-
- "compute:suspend": "",
- "compute:resume": "",
-
- "compute:pause": "",
- "compute:unpause": "",
-
- "compute:shelve": "",
- "compute:shelve_offload": "",
- "compute:unshelve": "",
-
- "compute:snapshot": "",
- "compute:snapshot_volume_backed": "",
- "compute:backup": "",
-
- "compute:resize": "",
- "compute:confirm_resize": "",
- "compute:revert_resize": "",
-
- "compute:rebuild": "",
- "compute:reboot": "",
- "compute:delete": "rule:admin_or_owner",
- "compute:soft_delete": "rule:admin_or_owner",
- "compute:force_delete": "rule:admin_or_owner",
-
- "compute:security_groups:add_to_instance": "",
- "compute:security_groups:remove_from_instance": "",
-
- "compute:delete": "",
- "compute:soft_delete": "",
- "compute:force_delete": "",
- "compute:restore": "",
-
- "compute:volume_snapshot_create": "",
- "compute:volume_snapshot_delete": "",
-
- "admin_api": "is_admin:True",
- "compute_extension:accounts": "rule:admin_api",
- "compute_extension:admin_actions": "rule:admin_api",
- "compute_extension:admin_actions:pause": "rule:admin_or_owner",
- "compute_extension:admin_actions:unpause": "rule:admin_or_owner",
- "compute_extension:admin_actions:suspend": "rule:admin_or_owner",
- "compute_extension:admin_actions:resume": "rule:admin_or_owner",
- "compute_extension:admin_actions:lock": "rule:admin_or_owner",
- "compute_extension:admin_actions:unlock": "rule:admin_or_owner",
- "compute_extension:admin_actions:resetNetwork": "rule:admin_api",
- "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
- "compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
- "compute_extension:admin_actions:migrateLive": "rule:admin_api",
- "compute_extension:admin_actions:resetState": "rule:admin_api",
- "compute_extension:admin_actions:migrate": "rule:admin_api",
- "compute_extension:aggregates": "rule:admin_api",
- "compute_extension:agents": "rule:admin_api",
- "compute_extension:attach_interfaces": "",
- "compute_extension:baremetal_nodes": "rule:admin_api",
- "compute_extension:cells": "rule:admin_api",
- "compute_extension:cells:create": "rule:admin_api",
- "compute_extension:cells:delete": "rule:admin_api",
- "compute_extension:cells:update": "rule:admin_api",
- "compute_extension:cells:sync_instances": "rule:admin_api",
- "compute_extension:certificates": "",
- "compute_extension:cloudpipe": "rule:admin_api",
- "compute_extension:cloudpipe_update": "rule:admin_api",
- "compute_extension:config_drive": "",
- "compute_extension:console_output": "",
- "compute_extension:consoles": "",
- "compute_extension:createserverext": "",
- "compute_extension:deferred_delete": "",
- "compute_extension:disk_config": "",
- "compute_extension:evacuate": "rule:admin_api",
- "compute_extension:extended_server_attributes": "rule:admin_api",
- "compute_extension:extended_status": "",
- "compute_extension:extended_availability_zone": "",
- "compute_extension:extended_ips": "",
- "compute_extension:extended_ips_mac": "",
- "compute_extension:extended_vif_net": "",
- "compute_extension:extended_volumes": "",
- "compute_extension:fixed_ips": "rule:admin_api",
- "compute_extension:flavor_access": "",
- "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
- "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
- "compute_extension:flavor_disabled": "",
- "compute_extension:flavor_rxtx": "",
- "compute_extension:flavor_swap": "",
- "compute_extension:flavorextradata": "",
- "compute_extension:flavorextraspecs:index": "",
- "compute_extension:flavorextraspecs:show": "",
- "compute_extension:flavorextraspecs:create": "rule:admin_api",
- "compute_extension:flavorextraspecs:update": "rule:admin_api",
- "compute_extension:flavorextraspecs:delete": "rule:admin_api",
- "compute_extension:flavormanage": "rule:admin_api",
- "compute_extension:floating_ip_dns": "",
- "compute_extension:floating_ip_pools": "",
- "compute_extension:floating_ips": "",
- "compute_extension:floating_ips_bulk": "rule:admin_api",
- "compute_extension:fping": "",
- "compute_extension:fping:all_tenants": "rule:admin_api",
- "compute_extension:hide_server_addresses": "is_admin:False",
- "compute_extension:hosts": "rule:admin_api",
- "compute_extension:hypervisors": "rule:admin_api",
- "compute_extension:image_size": "",
- "compute_extension:instance_actions": "",
- "compute_extension:instance_actions:events": "rule:admin_api",
- "compute_extension:instance_usage_audit_log": "rule:admin_api",
- "compute_extension:keypairs": "",
- "compute_extension:keypairs:index": "",
- "compute_extension:keypairs:show": "",
- "compute_extension:keypairs:create": "",
- "compute_extension:keypairs:delete": "",
- "compute_extension:multinic": "",
- "compute_extension:networks": "rule:admin_api",
- "compute_extension:networks:view": "",
- "compute_extension:networks_associate": "rule:admin_api",
- "compute_extension:os-tenant-networks": "",
- "compute_extension:quotas:show": "",
- "compute_extension:quotas:update": "rule:admin_api",
- "compute_extension:quotas:delete": "rule:admin_api",
- "compute_extension:quota_classes": "",
- "compute_extension:rescue": "",
- "compute_extension:security_group_default_rules": "rule:admin_api",
- "compute_extension:security_groups": "",
- "compute_extension:server_diagnostics": "rule:admin_api",
- "compute_extension:server_groups": "",
- "compute_extension:server_password": "",
- "compute_extension:server_usage": "",
- "compute_extension:services": "rule:admin_api",
- "compute_extension:shelve": "",
- "compute_extension:shelveOffload": "rule:admin_api",
- "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
- "compute_extension:simple_tenant_usage:list": "rule:admin_api",
- "compute_extension:unshelve": "",
- "compute_extension:users": "rule:admin_api",
- "compute_extension:virtual_interfaces": "",
- "compute_extension:virtual_storage_arrays": "",
- "compute_extension:volumes": "",
- "compute_extension:volume_attachments:index": "",
- "compute_extension:volume_attachments:show": "",
- "compute_extension:volume_attachments:create": "",
- "compute_extension:volume_attachments:update": "",
- "compute_extension:volume_attachments:delete": "",
- "compute_extension:volumetypes": "",
- "compute_extension:availability_zone:list": "",
- "compute_extension:availability_zone:detail": "rule:admin_api",
- "compute_extension:used_limits_for_admin": "rule:admin_api",
- "compute_extension:migrations:index": "rule:admin_api",
- "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
- "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "compute_extension:console_auth_tokens": "rule:admin_api",
- "compute_extension:os-server-external-events:create": "rule:admin_api",
-
- "network:get_all": "",
- "network:get": "",
- "network:create": "",
- "network:delete": "",
- "network:associate": "",
- "network:disassociate": "",
- "network:get_vifs_by_instance": "",
- "network:allocate_for_instance": "",
- "network:deallocate_for_instance": "",
- "network:validate_networks": "",
- "network:get_instance_uuids_by_ip_filter": "",
- "network:get_instance_id_by_floating_address": "",
- "network:setup_networks_on_host": "",
- "network:get_backdoor_port": "",
-
- "network:get_floating_ip": "",
- "network:get_floating_ip_pools": "",
- "network:get_floating_ip_by_address": "",
- "network:get_floating_ips_by_project": "",
- "network:get_floating_ips_by_fixed_address": "",
- "network:allocate_floating_ip": "",
- "network:associate_floating_ip": "",
- "network:disassociate_floating_ip": "",
- "network:release_floating_ip": "",
- "network:migrate_instance_start": "",
- "network:migrate_instance_finish": "",
-
- "network:get_fixed_ip": "",
- "network:get_fixed_ip_by_address": "",
- "network:add_fixed_ip_to_instance": "",
- "network:remove_fixed_ip_from_instance": "",
- "network:add_network_to_project": "",
- "network:get_instance_nw_info": "",
-
- "network:get_dns_domains": "",
- "network:add_dns_entry": "",
- "network:modify_dns_entry": "",
- "network:delete_dns_entry": "",
- "network:get_dns_entries_by_address": "",
- "network:get_dns_entries_by_name": "",
- "network:create_private_dns_domain": "",
- "network:create_public_dns_domain": "",
- "network:delete_dns_domain": "",
- "network:attach_external_network": "rule:admin_api",
- "network:get_vif_by_mac_address": "",
-
- "os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
- "os_compute_api:servers:index:get_all_tenants": "is_admin:True",
- "os_compute_api:servers:confirm_resize": "",
- "os_compute_api:servers:create": "http://my_hostname:31001/authz",
- "os_compute_api:servers:create:attach_network": "",
- "os_compute_api:servers:create:attach_volume": "",
- "os_compute_api:servers:create:forced_host": "rule:admin_api",
- "os_compute_api:servers:delete": "http://my_hostname:31001/authz",
- "os_compute_api:servers:update": "http://my_hostname:31001/authz",
- "os_compute_api:servers:detail": "http://my_hostname:31001/authz",
- "os_compute_api:servers:index": "http://my_hostname:31001/authz",
- "os_compute_api:servers:reboot": "http://my_hostname:31001/authz",
- "os_compute_api:servers:rebuild": "http://my_hostname:31001/authz",
- "os_compute_api:servers:resize": "http://my_hostname:31001/authz",
- "os_compute_api:servers:revert_resize": "http://my_hostname:31001/authz",
- "os_compute_api:servers:show": "http://my_hostname:31001/authz",
- "os_compute_api:servers:create_image": "",
- "os_compute_api:servers:create_image:allow_volume_backed": "",
- "os_compute_api:servers:start": "rule:admin_or_owner",
- "os_compute_api:servers:stop": "rule:admin_or_owner",
- "os_compute_api:os-access-ips:discoverable": "",
- "os_compute_api:os-access-ips": "",
- "os_compute_api:os-admin-actions": "rule:admin_api",
- "os_compute_api:os-admin-actions:discoverable": "",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
- "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
- "os_compute_api:os-admin-password": "",
- "os_compute_api:os-admin-password:discoverable": "",
- "os_compute_api:os-aggregates:discoverable": "",
- "os_compute_api:os-aggregates:index": "rule:admin_api",
- "os_compute_api:os-aggregates:create": "rule:admin_api",
- "os_compute_api:os-aggregates:show": "rule:admin_api",
- "os_compute_api:os-aggregates:update": "rule:admin_api",
- "os_compute_api:os-aggregates:delete": "rule:admin_api",
- "os_compute_api:os-aggregates:add_host": "rule:admin_api",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
- "os_compute_api:os-agents": "rule:admin_api",
- "os_compute_api:os-agents:discoverable": "",
- "os_compute_api:os-attach-interfaces": "",
- "os_compute_api:os-attach-interfaces:discoverable": "",
- "os_compute_api:os-baremetal-nodes": "rule:admin_api",
- "os_compute_api:os-baremetal-nodes:discoverable": "",
- "os_compute_api:os-block-device-mapping-v1:discoverable": "",
- "os_compute_api:os-cells": "rule:admin_api",
- "os_compute_api:os-cells:create": "rule:admin_api",
- "os_compute_api:os-cells:delete": "rule:admin_api",
- "os_compute_api:os-cells:update": "rule:admin_api",
- "os_compute_api:os-cells:sync_instances": "rule:admin_api",
- "os_compute_api:os-cells:discoverable": "",
- "os_compute_api:os-certificates:create": "",
- "os_compute_api:os-certificates:show": "",
- "os_compute_api:os-certificates:discoverable": "",
- "os_compute_api:os-cloudpipe": "rule:admin_api",
- "os_compute_api:os-cloudpipe:discoverable": "",
- "os_compute_api:os-config-drive": "",
- "os_compute_api:os-consoles:discoverable": "",
- "os_compute_api:os-consoles:create": "",
- "os_compute_api:os-consoles:delete": "",
- "os_compute_api:os-consoles:index": "",
- "os_compute_api:os-consoles:show": "",
- "os_compute_api:os-console-output:discoverable": "",
- "os_compute_api:os-console-output": "",
- "os_compute_api:os-remote-consoles": "",
- "os_compute_api:os-remote-consoles:discoverable": "",
- "os_compute_api:os-create-backup:discoverable": "",
- "os_compute_api:os-create-backup": "rule:admin_or_owner",
- "os_compute_api:os-deferred-delete": "",
- "os_compute_api:os-deferred-delete:discoverable": "",
- "os_compute_api:os-disk-config": "",
- "os_compute_api:os-disk-config:discoverable": "",
- "os_compute_api:os-evacuate": "rule:admin_api",
- "os_compute_api:os-evacuate:discoverable": "",
- "os_compute_api:os-extended-server-attributes": "rule:admin_api",
- "os_compute_api:os-extended-server-attributes:discoverable": "",
- "os_compute_api:os-extended-status": "",
- "os_compute_api:os-extended-status:discoverable": "",
- "os_compute_api:os-extended-availability-zone": "",
- "os_compute_api:os-extended-availability-zone:discoverable": "",
- "os_compute_api:extensions": "",
- "os_compute_api:extension_info:discoverable": "",
- "os_compute_api:os-extended-volumes": "",
- "os_compute_api:os-extended-volumes:discoverable": "",
- "os_compute_api:os-fixed-ips": "rule:admin_api",
- "os_compute_api:os-fixed-ips:discoverable": "",
- "os_compute_api:os-flavor-access": "",
- "os_compute_api:os-flavor-access:discoverable": "",
- "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-rxtx": "",
- "os_compute_api:os-flavor-rxtx:discoverable": "",
- "os_compute_api:flavors:discoverable": "",
- "os_compute_api:os-flavor-extra-specs:discoverable": "",
- "os_compute_api:os-flavor-extra-specs:index": "",
- "os_compute_api:os-flavor-extra-specs:show": "",
- "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
- "os_compute_api:os-flavor-manage:discoverable": "",
- "os_compute_api:os-flavor-manage": "rule:admin_api",
- "os_compute_api:os-floating-ip-dns": "",
- "os_compute_api:os-floating-ip-dns:discoverable": "",
- "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
- "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
- "os_compute_api:os-floating-ip-pools": "",
- "os_compute_api:os-floating-ip-pools:discoverable": "",
- "os_compute_api:os-floating-ips": "",
- "os_compute_api:os-floating-ips:discoverable": "",
- "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
- "os_compute_api:os-floating-ips-bulk:discoverable": "",
- "os_compute_api:os-fping": "",
- "os_compute_api:os-fping:discoverable": "",
- "os_compute_api:os-fping:all_tenants": "rule:admin_api",
- "os_compute_api:os-hide-server-addresses": "is_admin:False",
- "os_compute_api:os-hide-server-addresses:discoverable": "",
- "os_compute_api:os-hosts": "rule:admin_api",
- "os_compute_api:os-hosts:discoverable": "",
- "os_compute_api:os-hypervisors": "rule:admin_api",
- "os_compute_api:os-hypervisors:discoverable": "",
- "os_compute_api:images:discoverable": "",
- "os_compute_api:image-size": "",
- "os_compute_api:image-size:discoverable": "",
- "os_compute_api:os-instance-actions": "",
- "os_compute_api:os-instance-actions:discoverable": "",
- "os_compute_api:os-instance-actions:events": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log:discoverable": "",
- "os_compute_api:ips:discoverable": "",
- "os_compute_api:ips:index": "rule:admin_or_owner",
- "os_compute_api:ips:show": "rule:admin_or_owner",
- "os_compute_api:os-keypairs:discoverable": "",
- "os_compute_api:os-keypairs": "",
- "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:limits:discoverable": "",
- "os_compute_api:limits": "",
- "os_compute_api:os-lock-server:discoverable": "",
- "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
- "os_compute_api:os-migrate-server:discoverable": "",
- "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
- "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
- "os_compute_api:os-multinic": "",
- "os_compute_api:os-multinic:discoverable": "",
- "os_compute_api:os-networks": "rule:admin_api",
- "os_compute_api:os-networks:view": "",
- "os_compute_api:os-networks:discoverable": "",
- "os_compute_api:os-networks-associate": "rule:admin_api",
- "os_compute_api:os-networks-associate:discoverable": "",
- "os_compute_api:os-pause-server:discoverable": "",
- "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
- "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
- "os_compute_api:os-pci:pci_servers": "",
- "os_compute_api:os-pci:discoverable": "",
- "os_compute_api:os-pci:index": "rule:admin_api",
- "os_compute_api:os-pci:detail": "rule:admin_api",
- "os_compute_api:os-pci:show": "rule:admin_api",
- "os_compute_api:os-personality:discoverable": "",
- "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
- "os_compute_api:os-quota-sets:discoverable": "",
- "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:defaults": "",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-sets:delete": "rule:admin_api",
- "os_compute_api:os-quota-sets:detail": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
- "os_compute_api:os-quota-class-sets:discoverable": "",
- "os_compute_api:os-rescue": "",
- "os_compute_api:os-rescue:discoverable": "",
- "os_compute_api:os-scheduler-hints:discoverable": "",
- "os_compute_api:os-security-group-default-rules:discoverable": "",
- "os_compute_api:os-security-group-default-rules": "rule:admin_api",
- "os_compute_api:os-security-groups": "",
- "os_compute_api:os-security-groups:discoverable": "",
- "os_compute_api:os-server-diagnostics": "rule:admin_api",
- "os_compute_api:os-server-diagnostics:discoverable": "",
- "os_compute_api:os-server-password": "",
- "os_compute_api:os-server-password:discoverable": "",
- "os_compute_api:os-server-usage": "",
- "os_compute_api:os-server-usage:discoverable": "",
- "os_compute_api:os-server-groups": "",
- "os_compute_api:os-server-groups:discoverable": "",
- "os_compute_api:os-services": "rule:admin_api",
- "os_compute_api:os-services:discoverable": "",
- "os_compute_api:server-metadata:discoverable": "",
- "os_compute_api:server-metadata:index": "rule:admin_or_owner",
- "os_compute_api:server-metadata:show": "rule:admin_or_owner",
- "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
- "os_compute_api:server-metadata:create": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
- "os_compute_api:servers:discoverable": "",
- "os_compute_api:os-shelve:shelve": "",
- "os_compute_api:os-shelve:shelve:discoverable": "",
- "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
- "os_compute_api:os-simple-tenant-usage:discoverable": "",
- "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
- "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
- "os_compute_api:os-suspend-server:discoverable": "",
- "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
- "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks:discoverable": "",
- "os_compute_api:os-shelve:unshelve": "",
- "os_compute_api:os-user-data:discoverable": "",
- "os_compute_api:os-virtual-interfaces": "",
- "os_compute_api:os-virtual-interfaces:discoverable": "",
- "os_compute_api:os-volumes": "",
- "os_compute_api:os-volumes:discoverable": "",
- "os_compute_api:os-volumes-attachments:index": "",
- "os_compute_api:os-volumes-attachments:show": "",
- "os_compute_api:os-volumes-attachments:create": "",
- "os_compute_api:os-volumes-attachments:update": "",
- "os_compute_api:os-volumes-attachments:delete": "",
- "os_compute_api:os-volumes-attachments:discoverable": "",
- "os_compute_api:os-availability-zone:list": "",
- "os_compute_api:os-availability-zone:discoverable": "",
- "os_compute_api:os-availability-zone:detail": "rule:admin_api",
- "os_compute_api:os-used-limits": "rule:admin_api",
- "os_compute_api:os-used-limits:discoverable": "",
- "os_compute_api:os-migrations:index": "rule:admin_api",
- "os_compute_api:os-migrations:discoverable": "",
- "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:discoverable": "",
- "os_compute_api:os-console-auth-tokens": "rule:admin_api",
- "os_compute_api:os-server-external-events:create": "rule:admin_api"
-}
diff --git a/tools/policies/generate_opst_policy.py b/tools/policies/generate_opst_policy.py
deleted file mode 100644
index dd01d1c1..00000000
--- a/tools/policies/generate_opst_policy.py
+++ /dev/null
@@ -1,167 +0,0 @@
-import json
-import os
-import logging
-import argparse
-
-
-FILES = [
- "cinder.policy.json",
- "glance.policy.json",
- "keystone.policy.json",
- "neutron.policy.json",
- "nova.policy.json",
-]
-policy = {
- "pdps": [{
- "name": "external_pdp",
- "keystone_project_id": "",
- "description": "",
- "policies": [{"name": "OpenStack RBAC Policy"}]}
- ],
-
- "policies": [{
- "name": "OpenStack RBAC Policy",
- "genre": "authz",
- "description": "A RBAC policy similar of what you can find through policy.json files",
- "model": {"name": "OPST_RBAC"}, "mandatory": True, "override": True}
- ],
-
- "models": [{"name": "OPST_RBAC", "description": "", "meta_rules": [{"name": "rbac"}], "override": True}],
-
- "subjects": [
- {"name": "admin", "description": "", "extra": {}, "policies": [{"name": "OpenStack RBAC Policy"}]},
- {"name": "demo", "description": "", "extra": {}, "policies": [{"name": "OpenStack RBAC Policy"}]}
- ],
-
- "subject_categories": [{"name": "role", "description": "a role in OpenStack"}],
-
- "subject_data": [
- {"name": "admin", "description": "the admin role", "policies": [], "category": {"name": "role"}},
- {"name": "member", "description": "the member role", "policies": [], "category": {"name": "role"}}
- ],
-
- "subject_assignments": [
- {"subject": {"name": "admin"}, "category": {"name": "role"}, "assignments": [{"name": "admin"}, {"name": "member"}]},
- {"subject": {"name": "demo"}, "category": {"name": "role"}, "assignments": [{"name": "member"}]}
- ],
-
- "objects": [],
-
- "object_categories": [{"name": "id", "description": "the UID of each virtual machine"}],
-
- "object_data": [
- {
- "name": "all_vm",
- "description": "represents all virtual machines in this project",
- "policies": [],
- "category": {"name": "id"}},
- ],
-
- "object_assignments": [],
-
- "actions": [],
-
- "action_categories": [{"name": "action_id", "description": ""}],
-
- "action_data": [],
-
- "action_assignments": [],
-
- "meta_rules": [
- {
- "name": "rbac", "description": "",
- "subject_categories": [{"name": "role"}],
- "object_categories": [{"name": "id"}],
- "action_categories": [{"name": "action_id"}]
- }
- ],
-
- "rules": [],
-
-}
-logger = logging.getLogger(__name__)
-
-
-def init():
- parser = argparse.ArgumentParser()
- parser.add_argument("--verbose", '-v', action='store_true', help='verbose mode')
- parser.add_argument("--debug", '-d', action='store_true', help='debug mode')
- parser.add_argument("--dir", help='directory containing policy files', default="./policy.json.d")
- parser.add_argument("--indent", '-i', help='indent the output (default:None)', type=int, default=None)
- parser.add_argument("--output", '-o', help='output name', type=str, default="opst_default_policy.json")
- args = parser.parse_args()
- logging_format = "%(levelname)s: %(message)s"
- if args.verbose:
- logging.basicConfig(level=logging.INFO, format=logging_format)
- if args.debug:
- logging.basicConfig(level=logging.DEBUG, format=logging_format)
- else:
- logging.basicConfig(format=logging_format)
- return args
-
-
-def get_rules(args):
- results = {}
- for f in FILES:
- _json_file = json.loads(open(os.path.join(args.dir, f)).read())
- keys = list(_json_file.keys())
- values = list(_json_file.values())
- for value in values:
- if value in keys:
- keys.remove(value)
- component = os.path.basename(f).split(".")[0]
- results[component] = keys
- return results
-
-
-def build_dict(results):
- for key in results:
- for rule in results[key]:
- _output = {
- "name": rule,
- "description": "{} action for {}".format(rule, key),
- "extra": {"component": key},
- "policies": []
- }
- policy['actions'].append(_output)
- _output = {
- "name": rule,
- "description": "{} action for {}".format(rule, key),
- "policies": [],
- "category": {"name": "action_id"}
- }
- policy['action_data'].append(_output)
- _output = {
- "action": {"name": rule},
- "category": {"name": "action_id"},
- "assignments": [{"name": rule}, ]}
- policy['action_assignments'].append(_output)
- _output = {
- "meta_rule": {"name": "rbac"},
- "rule": {
- "subject_data": [{"name": "admin"}],
- "object_data": [{"name": "all_vm"}],
- "action_data": [{"name": rule}]
- },
- "policy": {"name": "OpenStack RBAC Policy"},
- "instructions": {"decision": "grant"},
- "enabled": True
- }
- policy['rules'].append(_output)
- # TODO: add rules for member only
- # TODO: add rules for everyone
-
-
-def write_dict(args):
- json.dump(policy, open(args.output, "w"), indent=args.indent)
-
-
-def main():
- args = init()
- rules = get_rules(args)
- build_dict(rules)
- write_dict(args)
-
-
-if __name__ == "__main__":
- main()
\ No newline at end of file
diff --git a/tools/policies/policy.json.d/cinder.policy.json b/tools/policies/policy.json.d/cinder.policy.json
deleted file mode 100644
index 02af88bd..00000000
--- a/tools/policies/policy.json.d/cinder.policy.json
+++ /dev/null
@@ -1,104 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "admin_api": "is_admin:True",
-
- "volume:create": "",
- "volume:delete": "rule:admin_or_owner",
- "volume:get": "rule:admin_or_owner",
- "volume:get_all": "rule:admin_or_owner",
- "volume:get_volume_metadata": "rule:admin_or_owner",
- "volume:delete_volume_metadata": "rule:admin_or_owner",
- "volume:update_volume_metadata": "rule:admin_or_owner",
- "volume:get_volume_admin_metadata": "rule:admin_api",
- "volume:update_volume_admin_metadata": "rule:admin_api",
- "volume:get_snapshot": "rule:admin_or_owner",
- "volume:get_all_snapshots": "rule:admin_or_owner",
- "volume:create_snapshot": "rule:admin_or_owner",
- "volume:delete_snapshot": "rule:admin_or_owner",
- "volume:update_snapshot": "rule:admin_or_owner",
- "volume:extend": "rule:admin_or_owner",
- "volume:update_readonly_flag": "rule:admin_or_owner",
- "volume:retype": "rule:admin_or_owner",
- "volume:update": "rule:admin_or_owner",
-
- "volume_extension:types_manage": "rule:admin_api",
- "volume_extension:types_extra_specs": "rule:admin_api",
- "volume_extension:access_types_qos_specs_id": "rule:admin_api",
- "volume_extension:access_types_extra_specs": "rule:admin_api",
- "volume_extension:volume_type_access": "rule:admin_or_owner",
- "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api",
- "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api",
- "volume_extension:volume_type_encryption": "rule:admin_api",
- "volume_extension:volume_encryption_metadata": "rule:admin_or_owner",
- "volume_extension:extended_snapshot_attributes": "rule:admin_or_owner",
- "volume_extension:volume_image_metadata": "rule:admin_or_owner",
-
- "volume_extension:quotas:show": "",
- "volume_extension:quotas:update": "rule:admin_api",
- "volume_extension:quotas:delete": "rule:admin_api",
- "volume_extension:quota_classes": "rule:admin_api",
- "volume_extension:quota_classes:validate_setup_for_nested_quota_use": "rule:admin_api",
-
- "volume_extension:volume_admin_actions:reset_status": "rule:admin_api",
- "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api",
- "volume_extension:backup_admin_actions:reset_status": "rule:admin_api",
- "volume_extension:volume_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:volume_admin_actions:force_detach": "rule:admin_api",
- "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:backup_admin_actions:force_delete": "rule:admin_api",
- "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api",
- "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api",
-
- "volume_extension:volume_host_attribute": "rule:admin_api",
- "volume_extension:volume_tenant_attribute": "rule:admin_or_owner",
- "volume_extension:volume_mig_status_attribute": "rule:admin_api",
- "volume_extension:hosts": "rule:admin_api",
- "volume_extension:services:index": "rule:admin_api",
- "volume_extension:services:update" : "rule:admin_api",
-
- "volume_extension:volume_manage": "rule:admin_api",
- "volume_extension:volume_unmanage": "rule:admin_api",
-
- "volume_extension:capabilities": "rule:admin_api",
-
- "volume:create_transfer": "rule:admin_or_owner",
- "volume:accept_transfer": "",
- "volume:delete_transfer": "rule:admin_or_owner",
- "volume:get_all_transfers": "rule:admin_or_owner",
-
- "volume_extension:replication:promote": "rule:admin_api",
- "volume_extension:replication:reenable": "rule:admin_api",
-
- "volume:enable_replication": "rule:admin_api",
- "volume:disable_replication": "rule:admin_api",
- "volume:failover_replication": "rule:admin_api",
- "volume:list_replication_targets": "rule:admin_api",
-
- "backup:create" : "",
- "backup:delete": "rule:admin_or_owner",
- "backup:get": "rule:admin_or_owner",
- "backup:get_all": "rule:admin_or_owner",
- "backup:restore": "rule:admin_or_owner",
- "backup:backup-import": "rule:admin_api",
- "backup:backup-export": "rule:admin_api",
-
- "snapshot_extension:snapshot_actions:update_snapshot_status": "",
- "snapshot_extension:snapshot_manage": "rule:admin_api",
- "snapshot_extension:snapshot_unmanage": "rule:admin_api",
-
- "consistencygroup:create" : "group:nobody",
- "consistencygroup:delete": "group:nobody",
- "consistencygroup:update": "group:nobody",
- "consistencygroup:get": "group:nobody",
- "consistencygroup:get_all": "group:nobody",
-
- "consistencygroup:create_cgsnapshot" : "group:nobody",
- "consistencygroup:delete_cgsnapshot": "group:nobody",
- "consistencygroup:get_cgsnapshot": "group:nobody",
- "consistencygroup:get_all_cgsnapshots": "group:nobody",
-
- "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api"
-}
diff --git a/tools/policies/policy.json.d/glance.policy.json b/tools/policies/policy.json.d/glance.policy.json
deleted file mode 100644
index 5b1f6be7..00000000
--- a/tools/policies/policy.json.d/glance.policy.json
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "default": "role:admin",
-
- "add_image": "",
- "delete_image": "",
- "get_image": "",
- "get_images": "",
- "modify_image": "",
- "publicize_image": "role:admin",
- "communitize_image": "",
- "copy_from": "",
-
- "download_image": "",
- "upload_image": "",
-
- "delete_image_location": "",
- "get_image_location": "",
- "set_image_location": "",
-
- "add_member": "",
- "delete_member": "",
- "get_member": "",
- "get_members": "",
- "modify_member": "",
-
- "manage_image_cache": "role:admin",
-
- "get_task": "",
- "get_tasks": "",
- "add_task": "",
- "modify_task": "",
- "tasks_api_access": "role:admin",
-
- "deactivate": "",
- "reactivate": "",
-
- "get_metadef_namespace": "",
- "get_metadef_namespaces":"",
- "modify_metadef_namespace":"",
- "add_metadef_namespace":"",
-
- "get_metadef_object":"",
- "get_metadef_objects":"",
- "modify_metadef_object":"",
- "add_metadef_object":"",
-
- "list_metadef_resource_types":"",
- "get_metadef_resource_type":"",
- "add_metadef_resource_type_association":"",
-
- "get_metadef_property":"",
- "get_metadef_properties":"",
- "modify_metadef_property":"",
- "add_metadef_property":"",
-
- "get_metadef_tag":"",
- "get_metadef_tags":"",
- "modify_metadef_tag":"",
- "add_metadef_tag":"",
- "add_metadef_tags":""
-
-}
diff --git a/tools/policies/policy.json.d/keystone.policy.json b/tools/policies/policy.json.d/keystone.policy.json
deleted file mode 100644
index 263912bf..00000000
--- a/tools/policies/policy.json.d/keystone.policy.json
+++ /dev/null
@@ -1,260 +0,0 @@
-{
- "admin_required": "role:admin",
- "cloud_admin": "role:admin and (is_admin_project:True or domain_id:admin_domain_id)",
- "service_role": "role:service",
- "service_or_admin": "rule:admin_required or rule:service_role",
- "owner": "user_id:%(user_id)s or user_id:%(target.token.user_id)s",
- "admin_or_owner": "(rule:admin_required and domain_id:%(target.token.user.domain.id)s) or rule:owner",
- "admin_and_matching_domain_id": "rule:admin_required and domain_id:%(domain_id)s",
- "service_admin_or_owner": "rule:service_or_admin or rule:owner",
-
- "default": "rule:admin_required",
-
- "identity:get_region": "",
- "identity:list_regions": "",
- "identity:create_region": "rule:cloud_admin",
- "identity:update_region": "rule:cloud_admin",
- "identity:delete_region": "rule:cloud_admin",
-
- "identity:get_service": "rule:admin_required",
- "identity:list_services": "rule:admin_required",
- "identity:create_service": "rule:cloud_admin",
- "identity:update_service": "rule:cloud_admin",
- "identity:delete_service": "rule:cloud_admin",
-
- "identity:get_endpoint": "rule:admin_required",
- "identity:list_endpoints": "rule:admin_required",
- "identity:create_endpoint": "rule:cloud_admin",
- "identity:update_endpoint": "rule:cloud_admin",
- "identity:delete_endpoint": "rule:cloud_admin",
-
- "identity:get_registered_limit": "",
- "identity:list_registered_limits": "",
- "identity:create_registered_limits": "rule:admin_required",
- "identity:update_registered_limits": "rule:admin_required",
- "identity:delete_registered_limit": "rule:admin_required",
-
- "identity:get_limit": "",
- "identity:list_limits": "",
- "identity:create_limits": "rule:admin_required",
- "identity:update_limits": "rule:admin_required",
- "identity:delete_limit": "rule:admin_required",
-
- "identity:get_domain": "rule:cloud_admin or rule:admin_and_matching_domain_id or token.project.domain.id:%(target.domain.id)s",
- "identity:list_domains": "rule:cloud_admin",
- "identity:create_domain": "rule:cloud_admin",
- "identity:update_domain": "rule:cloud_admin",
- "identity:delete_domain": "rule:cloud_admin",
-
- "admin_and_matching_target_project_domain_id": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "admin_and_matching_project_domain_id": "rule:admin_required and domain_id:%(project.domain_id)s",
- "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s",
- "identity:list_projects": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_user_projects": "rule:owner or rule:admin_and_matching_domain_id",
- "identity:create_project": "rule:cloud_admin or rule:admin_and_matching_project_domain_id",
- "identity:update_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:delete_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id",
- "identity:create_project_tag": "rule:admin_required",
- "identity:delete_project_tag": "rule:admin_required",
- "identity:get_project_tag": "rule:admin_required",
- "identity:list_project_tags": "rule:admin_required",
- "identity:delete_project_tags": "rule:admin_required",
- "identity:update_project_tags": "rule:admin_required",
-
- "admin_and_matching_target_user_domain_id": "rule:admin_required and domain_id:%(target.user.domain_id)s",
- "admin_and_matching_user_domain_id": "rule:admin_required and domain_id:%(user.domain_id)s",
- "identity:get_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id or rule:owner",
- "identity:list_users": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:create_user": "rule:cloud_admin or rule:admin_and_matching_user_domain_id",
- "identity:update_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
- "identity:delete_user": "rule:cloud_admin or rule:admin_and_matching_target_user_domain_id",
-
- "admin_and_matching_target_group_domain_id": "rule:admin_required and domain_id:%(target.group.domain_id)s",
- "admin_and_matching_group_domain_id": "rule:admin_required and domain_id:%(group.domain_id)s",
- "identity:get_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_groups": "rule:cloud_admin or rule:admin_and_matching_domain_id",
- "identity:list_groups_for_user": "rule:owner or rule:admin_and_matching_target_user_domain_id",
- "identity:create_group": "rule:cloud_admin or rule:admin_and_matching_group_domain_id",
- "identity:update_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:delete_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:list_users_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:remove_user_from_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:check_user_in_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
- "identity:add_user_to_group": "rule:cloud_admin or rule:admin_and_matching_target_group_domain_id",
-
- "identity:get_credential": "rule:admin_required",
- "identity:list_credentials": "rule:admin_required or user_id:%(user_id)s",
- "identity:create_credential": "rule:admin_required",
- "identity:update_credential": "rule:admin_required",
- "identity:delete_credential": "rule:admin_required",
-
- "identity:ec2_get_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
- "identity:ec2_list_credentials": "rule:admin_required or rule:owner",
- "identity:ec2_create_credential": "rule:admin_required or rule:owner",
- "identity:ec2_delete_credential": "rule:admin_required or (rule:owner and user_id:%(target.credential.user_id)s)",
-
- "identity:get_role": "rule:admin_required",
- "identity:list_roles": "rule:admin_required",
- "identity:create_role": "rule:cloud_admin",
- "identity:update_role": "rule:cloud_admin",
- "identity:delete_role": "rule:cloud_admin",
-
- "identity:get_domain_role": "rule:cloud_admin or rule:get_domain_roles",
- "identity:list_domain_roles": "rule:cloud_admin or rule:list_domain_roles",
- "identity:create_domain_role": "rule:cloud_admin or rule:domain_admin_matches_domain_role",
- "identity:update_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
- "identity:delete_domain_role": "rule:cloud_admin or rule:domain_admin_matches_target_domain_role",
- "domain_admin_matches_domain_role": "rule:admin_required and domain_id:%(role.domain_id)s",
- "get_domain_roles": "rule:domain_admin_matches_target_domain_role or rule:project_admin_matches_target_domain_role",
- "domain_admin_matches_target_domain_role": "rule:admin_required and domain_id:%(target.role.domain_id)s",
- "project_admin_matches_target_domain_role": "rule:admin_required and project_domain_id:%(target.role.domain_id)s",
- "list_domain_roles": "rule:domain_admin_matches_filter_on_list_domain_roles or rule:project_admin_matches_filter_on_list_domain_roles",
- "domain_admin_matches_filter_on_list_domain_roles": "rule:admin_required and domain_id:%(domain_id)s",
- "project_admin_matches_filter_on_list_domain_roles": "rule:admin_required and project_domain_id:%(domain_id)s",
- "admin_and_matching_prior_role_domain_id": "rule:admin_required and domain_id:%(target.prior_role.domain_id)s",
- "implied_role_matches_prior_role_domain_or_global": "(domain_id:%(target.implied_role.domain_id)s or None:%(target.implied_role.domain_id)s)",
-
- "identity:get_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:list_implied_roles": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:create_implied_role": "rule:cloud_admin or (rule:admin_and_matching_prior_role_domain_id and rule:implied_role_matches_prior_role_domain_or_global)",
- "identity:delete_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
- "identity:list_role_inference_rules": "rule:cloud_admin",
- "identity:check_implied_role": "rule:cloud_admin or rule:admin_and_matching_prior_role_domain_id",
-
- "identity:list_system_grants_for_user": "rule:admin_required",
- "identity:check_system_grant_for_user": "rule:admin_required",
- "identity:create_system_grant_for_user": "rule:admin_required",
- "identity:revoke_system_grant_for_user": "rule:admin_required",
-
- "identity:list_system_grants_for_group": "rule:admin_required",
- "identity:check_system_grant_for_group": "rule:admin_required",
- "identity:create_system_grant_for_group": "rule:admin_required",
- "identity:revoke_system_grant_for_group": "rule:admin_required",
-
- "identity:check_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:list_grants": "rule:cloud_admin or rule:domain_admin_for_list_grants or rule:project_admin_for_list_grants",
- "identity:create_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "identity:revoke_grant": "rule:cloud_admin or rule:domain_admin_for_grants or rule:project_admin_for_grants",
- "domain_admin_for_grants": "rule:domain_admin_for_global_role_grants or rule:domain_admin_for_domain_role_grants",
- "domain_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and rule:domain_admin_grant_match",
- "domain_admin_for_domain_role_grants": "rule:admin_required and domain_id:%(target.role.domain_id)s and rule:domain_admin_grant_match",
- "domain_admin_grant_match": "domain_id:%(domain_id)s or domain_id:%(target.project.domain_id)s",
- "project_admin_for_grants": "rule:project_admin_for_global_role_grants or rule:project_admin_for_domain_role_grants",
- "project_admin_for_global_role_grants": "rule:admin_required and None:%(target.role.domain_id)s and project_id:%(project_id)s",
- "project_admin_for_domain_role_grants": "rule:admin_required and project_domain_id:%(target.role.domain_id)s and project_id:%(project_id)s",
- "domain_admin_for_list_grants": "rule:admin_required and rule:domain_admin_grant_match",
- "project_admin_for_list_grants": "rule:admin_required and project_id:%(project_id)s",
-
- "admin_on_domain_filter": "rule:admin_required and domain_id:%(scope.domain.id)s",
- "admin_on_project_filter": "rule:admin_required and project_id:%(scope.project.id)s",
- "admin_on_domain_of_project_filter": "rule:admin_required and domain_id:%(target.project.domain_id)s",
- "identity:list_role_assignments": "rule:cloud_admin or rule:admin_on_domain_filter or rule:admin_on_project_filter",
- "identity:list_role_assignments_for_tree": "rule:cloud_admin or rule:admin_on_domain_of_project_filter",
- "identity:get_policy": "rule:cloud_admin",
- "identity:list_policies": "rule:cloud_admin",
- "identity:create_policy": "rule:cloud_admin",
- "identity:update_policy": "rule:cloud_admin",
- "identity:delete_policy": "rule:cloud_admin",
-
- "identity:check_token": "rule:admin_or_owner",
- "identity:validate_token": "rule:service_admin_or_owner",
- "identity:validate_token_head": "rule:service_or_admin",
- "identity:revocation_list": "rule:service_or_admin",
- "identity:revoke_token": "rule:admin_or_owner",
-
- "identity:create_trust": "user_id:%(trust.trustor_user_id)s",
- "identity:list_trusts": "",
- "identity:list_roles_for_trust": "",
- "identity:get_role_for_trust": "",
- "identity:delete_trust": "",
- "identity:get_trust": "",
-
- "identity:create_consumer": "rule:admin_required",
- "identity:get_consumer": "rule:admin_required",
- "identity:list_consumers": "rule:admin_required",
- "identity:delete_consumer": "rule:admin_required",
- "identity:update_consumer": "rule:admin_required",
-
- "identity:authorize_request_token": "rule:admin_required",
- "identity:list_access_token_roles": "rule:admin_required",
- "identity:get_access_token_role": "rule:admin_required",
- "identity:list_access_tokens": "rule:admin_required",
- "identity:get_access_token": "rule:admin_required",
- "identity:delete_access_token": "rule:admin_required",
-
- "identity:list_projects_for_endpoint": "rule:admin_required",
- "identity:add_endpoint_to_project": "rule:admin_required",
- "identity:check_endpoint_in_project": "rule:admin_required",
- "identity:list_endpoints_for_project": "rule:admin_required",
- "identity:remove_endpoint_from_project": "rule:admin_required",
-
- "identity:create_endpoint_group": "rule:admin_required",
- "identity:list_endpoint_groups": "rule:admin_required",
- "identity:get_endpoint_group": "rule:admin_required",
- "identity:update_endpoint_group": "rule:admin_required",
- "identity:delete_endpoint_group": "rule:admin_required",
- "identity:list_projects_associated_with_endpoint_group": "rule:admin_required",
- "identity:list_endpoints_associated_with_endpoint_group": "rule:admin_required",
- "identity:get_endpoint_group_in_project": "rule:admin_required",
- "identity:list_endpoint_groups_for_project": "rule:admin_required",
- "identity:add_endpoint_group_to_project": "rule:admin_required",
- "identity:remove_endpoint_group_from_project": "rule:admin_required",
-
- "identity:create_identity_provider": "rule:cloud_admin",
- "identity:list_identity_providers": "rule:cloud_admin",
- "identity:get_identity_provider": "rule:cloud_admin",
- "identity:update_identity_provider": "rule:cloud_admin",
- "identity:delete_identity_provider": "rule:cloud_admin",
-
- "identity:create_protocol": "rule:cloud_admin",
- "identity:update_protocol": "rule:cloud_admin",
- "identity:get_protocol": "rule:cloud_admin",
- "identity:list_protocols": "rule:cloud_admin",
- "identity:delete_protocol": "rule:cloud_admin",
-
- "identity:create_mapping": "rule:cloud_admin",
- "identity:get_mapping": "rule:cloud_admin",
- "identity:list_mappings": "rule:cloud_admin",
- "identity:delete_mapping": "rule:cloud_admin",
- "identity:update_mapping": "rule:cloud_admin",
-
- "identity:create_service_provider": "rule:cloud_admin",
- "identity:list_service_providers": "rule:cloud_admin",
- "identity:get_service_provider": "rule:cloud_admin",
- "identity:update_service_provider": "rule:cloud_admin",
- "identity:delete_service_provider": "rule:cloud_admin",
-
- "identity:get_auth_catalog": "",
- "identity:get_auth_projects": "",
- "identity:get_auth_domains": "",
- "identity:get_auth_system": "",
-
- "identity:list_projects_for_user": "",
- "identity:list_domains_for_user": "",
-
- "identity:list_revoke_events": "rule:service_or_admin",
-
- "identity:create_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:check_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:delete_policy_association_for_endpoint": "rule:cloud_admin",
- "identity:create_policy_association_for_service": "rule:cloud_admin",
- "identity:check_policy_association_for_service": "rule:cloud_admin",
- "identity:delete_policy_association_for_service": "rule:cloud_admin",
- "identity:create_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:check_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:delete_policy_association_for_region_and_service": "rule:cloud_admin",
- "identity:get_policy_for_endpoint": "rule:cloud_admin",
- "identity:list_endpoints_for_policy": "rule:cloud_admin",
-
- "identity:create_domain_config": "rule:cloud_admin",
- "identity:get_domain_config": "rule:cloud_admin",
- "identity:get_security_compliance_domain_config": "",
- "identity:update_domain_config": "rule:cloud_admin",
- "identity:delete_domain_config": "rule:cloud_admin",
- "identity:get_domain_config_default": "rule:cloud_admin",
-
- "identity:get_application_credential": "rule:admin_or_owner",
- "identity:list_application_credentials": "rule:admin_or_owner",
- "identity:create_application_credential": "rule:admin_or_owner",
- "identity:delete_application_credential": "rule:admin_or_owner"
-}
diff --git a/tools/policies/policy.json.d/neutron.policy.json b/tools/policies/policy.json.d/neutron.policy.json
deleted file mode 100644
index 15f17203..00000000
--- a/tools/policies/policy.json.d/neutron.policy.json
+++ /dev/null
@@ -1,235 +0,0 @@
-{
- "context_is_admin": "role:admin or user_name:neutron",
- "owner": "tenant_id:%(tenant_id)s",
- "admin_or_owner": "rule:context_is_admin or rule:owner",
- "context_is_advsvc": "role:advsvc",
- "admin_or_network_owner": "rule:context_is_admin or tenant_id:%(network:tenant_id)s",
- "admin_owner_or_network_owner": "rule:owner or rule:admin_or_network_owner",
- "admin_only": "rule:context_is_admin",
- "regular_user": "",
- "admin_or_data_plane_int": "rule:context_is_admin or role:data_plane_integrator",
- "shared": "field:networks:shared=True",
- "shared_subnetpools": "field:subnetpools:shared=True",
- "shared_address_scopes": "field:address_scopes:shared=True",
- "external": "field:networks:router:external=True",
- "default": "rule:admin_or_owner",
-
- "create_subnet": "rule:admin_or_network_owner",
- "create_subnet:segment_id": "rule:admin_only",
- "create_subnet:service_types": "rule:admin_only",
- "get_subnet": "rule:admin_or_owner or rule:shared",
- "get_subnet:segment_id": "rule:admin_only",
- "update_subnet": "rule:admin_or_network_owner",
- "update_subnet:service_types": "rule:admin_only",
- "delete_subnet": "rule:admin_or_network_owner",
-
- "create_subnetpool": "",
- "create_subnetpool:shared": "rule:admin_only",
- "create_subnetpool:is_default": "rule:admin_only",
- "get_subnetpool": "rule:admin_or_owner or rule:shared_subnetpools",
- "update_subnetpool": "rule:admin_or_owner",
- "update_subnetpool:is_default": "rule:admin_only",
- "delete_subnetpool": "rule:admin_or_owner",
-
- "create_address_scope": "",
- "create_address_scope:shared": "rule:admin_only",
- "get_address_scope": "rule:admin_or_owner or rule:shared_address_scopes",
- "update_address_scope": "rule:admin_or_owner",
- "update_address_scope:shared": "rule:admin_only",
- "delete_address_scope": "rule:admin_or_owner",
-
- "create_network": "",
- "get_network": "rule:admin_or_owner or rule:shared or rule:external or rule:context_is_advsvc",
- "get_network:router:external": "rule:regular_user",
- "get_network:segments": "rule:admin_only",
- "get_network:provider:network_type": "rule:admin_only",
- "get_network:provider:physical_network": "rule:admin_only",
- "get_network:provider:segmentation_id": "rule:admin_only",
- "get_network:queue_id": "rule:admin_only",
- "get_network_ip_availabilities": "rule:admin_only",
- "get_network_ip_availability": "rule:admin_only",
- "create_network:shared": "rule:admin_only",
- "create_network:router:external": "rule:admin_only",
- "create_network:is_default": "rule:admin_only",
- "create_network:segments": "rule:admin_only",
- "create_network:provider:network_type": "rule:admin_only",
- "create_network:provider:physical_network": "rule:admin_only",
- "create_network:provider:segmentation_id": "rule:admin_only",
- "update_network": "rule:admin_or_owner",
- "update_network:segments": "rule:admin_only",
- "update_network:shared": "rule:admin_only",
- "update_network:provider:network_type": "rule:admin_only",
- "update_network:provider:physical_network": "rule:admin_only",
- "update_network:provider:segmentation_id": "rule:admin_only",
- "update_network:router:external": "rule:admin_only",
- "delete_network": "rule:admin_or_owner",
-
- "create_segment": "rule:admin_only",
- "get_segment": "rule:admin_only",
- "update_segment": "rule:admin_only",
- "delete_segment": "rule:admin_only",
-
- "network_device": "field:port:device_owner=~^network:",
- "create_port": "",
- "create_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:mac_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
- "create_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:binding:host_id": "rule:admin_only",
- "create_port:binding:profile": "rule:admin_only",
- "create_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "create_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "get_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
- "get_port:queue_id": "rule:admin_only",
- "get_port:binding:vif_type": "rule:admin_only",
- "get_port:binding:vif_details": "rule:admin_only",
- "get_port:binding:host_id": "rule:admin_only",
- "get_port:binding:profile": "rule:admin_only",
- "update_port": "rule:admin_or_owner or rule:context_is_advsvc",
- "update_port:device_owner": "not rule:network_device or rule:context_is_advsvc or rule:admin_or_network_owner",
- "update_port:mac_address": "rule:admin_only or rule:context_is_advsvc",
- "update_port:fixed_ips:ip_address": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "update_port:fixed_ips:subnet_id": "rule:context_is_advsvc or rule:admin_or_network_owner or rule:shared",
- "update_port:port_security_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "update_port:binding:host_id": "rule:admin_only",
- "update_port:binding:profile": "rule:admin_only",
- "update_port:mac_learning_enabled": "rule:context_is_advsvc or rule:admin_or_network_owner",
- "update_port:allowed_address_pairs": "rule:admin_or_network_owner",
- "update_port:data_plane_status": "rule:admin_or_data_plane_int",
- "delete_port": "rule:context_is_advsvc or rule:admin_owner_or_network_owner",
-
- "get_router:ha": "rule:admin_only",
- "create_router": "rule:regular_user",
- "create_router:external_gateway_info:enable_snat": "rule:admin_only",
- "create_router:distributed": "rule:admin_only",
- "create_router:ha": "rule:admin_only",
- "get_router": "http://192.168.1.50:31002/wrapper/authz/grant",
- "get_router:distributed": "rule:admin_only",
- "update_router": "rule:admin_or_owner",
- "update_router:external_gateway_info": "rule:admin_or_owner",
- "update_router:external_gateway_info:network_id": "rule:admin_or_owner",
- "update_router:external_gateway_info:enable_snat": "rule:admin_only",
- "update_router:distributed": "rule:admin_only",
- "update_router:ha": "rule:admin_only",
- "delete_router": "rule:admin_or_owner",
-
- "add_router_interface": "rule:admin_or_owner",
- "remove_router_interface": "rule:admin_or_owner",
-
- "create_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
- "update_router:external_gateway_info:external_fixed_ips": "rule:admin_only",
-
- "create_qos_queue": "rule:admin_only",
- "get_qos_queue": "rule:admin_only",
-
- "update_agent": "rule:admin_only",
- "delete_agent": "rule:admin_only",
- "get_agent": "rule:admin_only",
-
- "create_dhcp-network": "rule:admin_only",
- "delete_dhcp-network": "rule:admin_only",
- "get_dhcp-networks": "rule:admin_only",
- "create_l3-router": "rule:admin_only",
- "delete_l3-router": "rule:admin_only",
- "get_l3-routers": "rule:admin_only",
- "get_dhcp-agents": "rule:admin_only",
- "get_l3-agents": "rule:admin_only",
- "get_loadbalancer-agent": "rule:admin_only",
- "get_loadbalancer-pools": "rule:admin_only",
- "get_agent-loadbalancers": "rule:admin_only",
- "get_loadbalancer-hosting-agent": "rule:admin_only",
-
- "create_floatingip": "rule:regular_user",
- "create_floatingip:floating_ip_address": "rule:admin_only",
- "update_floatingip": "rule:admin_or_owner",
- "delete_floatingip": "rule:admin_or_owner",
- "get_floatingip": "rule:admin_or_owner",
-
- "create_network_profile": "rule:admin_only",
- "update_network_profile": "rule:admin_only",
- "delete_network_profile": "rule:admin_only",
- "get_network_profiles": "",
- "get_network_profile": "",
- "update_policy_profiles": "rule:admin_only",
- "get_policy_profiles": "",
- "get_policy_profile": "",
-
- "create_metering_label": "rule:admin_only",
- "delete_metering_label": "rule:admin_only",
- "get_metering_label": "rule:admin_only",
-
- "create_metering_label_rule": "rule:admin_only",
- "delete_metering_label_rule": "rule:admin_only",
- "get_metering_label_rule": "rule:admin_only",
-
- "get_service_provider": "rule:regular_user",
- "get_lsn": "rule:admin_only",
- "create_lsn": "rule:admin_only",
-
- "create_flavor": "rule:admin_only",
- "update_flavor": "rule:admin_only",
- "delete_flavor": "rule:admin_only",
- "get_flavors": "rule:regular_user",
- "get_flavor": "rule:regular_user",
- "create_service_profile": "rule:admin_only",
- "update_service_profile": "rule:admin_only",
- "delete_service_profile": "rule:admin_only",
- "get_service_profiles": "rule:admin_only",
- "get_service_profile": "rule:admin_only",
-
- "get_policy": "rule:regular_user",
- "create_policy": "rule:admin_only",
- "update_policy": "rule:admin_only",
- "delete_policy": "rule:admin_only",
- "get_policy_bandwidth_limit_rule": "rule:regular_user",
- "create_policy_bandwidth_limit_rule": "rule:admin_only",
- "delete_policy_bandwidth_limit_rule": "rule:admin_only",
- "update_policy_bandwidth_limit_rule": "rule:admin_only",
- "get_policy_dscp_marking_rule": "rule:regular_user",
- "create_policy_dscp_marking_rule": "rule:admin_only",
- "delete_policy_dscp_marking_rule": "rule:admin_only",
- "update_policy_dscp_marking_rule": "rule:admin_only",
- "get_rule_type": "rule:regular_user",
- "get_policy_minimum_bandwidth_rule": "rule:regular_user",
- "create_policy_minimum_bandwidth_rule": "rule:admin_only",
- "delete_policy_minimum_bandwidth_rule": "rule:admin_only",
- "update_policy_minimum_bandwidth_rule": "rule:admin_only",
-
- "restrict_wildcard": "(not field:rbac_policy:target_tenant=*) or rule:admin_only",
- "create_rbac_policy": "",
- "create_rbac_policy:target_tenant": "rule:restrict_wildcard",
- "update_rbac_policy": "rule:admin_or_owner",
- "update_rbac_policy:target_tenant": "rule:restrict_wildcard and rule:admin_or_owner",
- "get_rbac_policy": "rule:admin_or_owner",
- "delete_rbac_policy": "rule:admin_or_owner",
-
- "create_flavor_service_profile": "rule:admin_only",
- "delete_flavor_service_profile": "rule:admin_only",
- "get_flavor_service_profile": "rule:regular_user",
- "get_auto_allocated_topology": "rule:admin_or_owner",
-
- "create_trunk": "rule:regular_user",
- "get_trunk": "rule:admin_or_owner",
- "delete_trunk": "rule:admin_or_owner",
- "get_subports": "",
- "add_subports": "rule:admin_or_owner",
- "remove_subports": "rule:admin_or_owner",
-
- "get_security_groups": "rule:admin_or_owner",
- "get_security_group": "rule:admin_or_owner",
- "create_security_group": "rule:admin_or_owner",
- "update_security_group": "rule:admin_or_owner",
- "delete_security_group": "rule:admin_or_owner",
- "get_security_group_rules": "rule:admin_or_owner",
- "get_security_group_rule": "rule:admin_or_owner",
- "create_security_group_rule": "rule:admin_or_owner",
- "delete_security_group_rule": "rule:admin_or_owner",
-
- "get_loggable_resources": "rule:admin_only",
- "create_log": "rule:admin_only",
- "update_log": "rule:admin_only",
- "delete_log": "rule:admin_only",
- "get_logs": "rule:admin_only",
- "get_log": "rule:admin_only"
-}
diff --git a/tools/policies/policy.json.d/nova.policy.json b/tools/policies/policy.json.d/nova.policy.json
deleted file mode 100644
index da8f5740..00000000
--- a/tools/policies/policy.json.d/nova.policy.json
+++ /dev/null
@@ -1,485 +0,0 @@
-{
- "context_is_admin": "role:admin",
- "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
- "default": "rule:admin_or_owner",
-
- "cells_scheduler_filter:TargetCellFilter": "is_admin:True",
-
- "compute:create": "",
- "compute:create:attach_network": "",
- "compute:create:attach_volume": "",
- "compute:create:forced_host": "is_admin:True",
-
- "compute:get": "",
- "compute:get_all": "",
- "compute:get_all_tenants": "is_admin:True",
-
- "compute:update": "",
-
- "compute:get_instance_metadata": "",
- "compute:get_all_instance_metadata": "",
- "compute:get_all_instance_system_metadata": "",
- "compute:update_instance_metadata": "",
- "compute:delete_instance_metadata": "",
-
- "compute:get_instance_faults": "",
- "compute:get_diagnostics": "",
- "compute:get_instance_diagnostics": "",
-
- "compute:start": "rule:admin_or_owner",
- "compute:stop": "rule:admin_or_owner",
-
- "compute:get_lock": "",
- "compute:lock": "rule:admin_or_owner",
- "compute:unlock": "rule:admin_or_owner",
- "compute:unlock_override": "rule:admin_api",
-
- "compute:get_vnc_console": "",
- "compute:get_spice_console": "",
- "compute:get_rdp_console": "",
- "compute:get_serial_console": "",
- "compute:get_mks_console": "",
- "compute:get_console_output": "",
-
- "compute:reset_network": "",
- "compute:inject_network_info": "",
- "compute:add_fixed_ip": "",
- "compute:remove_fixed_ip": "",
-
- "compute:attach_volume": "",
- "compute:detach_volume": "",
- "compute:swap_volume": "",
-
- "compute:attach_interface": "",
- "compute:detach_interface": "",
-
- "compute:set_admin_password": "",
-
- "compute:rescue": "",
- "compute:unrescue": "",
-
- "compute:suspend": "",
- "compute:resume": "",
-
- "compute:pause": "",
- "compute:unpause": "",
-
- "compute:shelve": "",
- "compute:shelve_offload": "",
- "compute:unshelve": "",
-
- "compute:snapshot": "",
- "compute:snapshot_volume_backed": "",
- "compute:backup": "",
-
- "compute:resize": "",
- "compute:confirm_resize": "",
- "compute:revert_resize": "",
-
- "compute:rebuild": "",
- "compute:reboot": "",
- "compute:delete": "rule:admin_or_owner",
- "compute:soft_delete": "rule:admin_or_owner",
- "compute:force_delete": "rule:admin_or_owner",
-
- "compute:security_groups:add_to_instance": "",
- "compute:security_groups:remove_from_instance": "",
-
- "compute:restore": "",
-
- "compute:volume_snapshot_create": "",
- "compute:volume_snapshot_delete": "",
-
- "admin_api": "is_admin:True",
- "compute_extension:accounts": "rule:admin_api",
- "compute_extension:admin_actions": "rule:admin_api",
- "compute_extension:admin_actions:pause": "rule:admin_or_owner",
- "compute_extension:admin_actions:unpause": "rule:admin_or_owner",
- "compute_extension:admin_actions:suspend": "rule:admin_or_owner",
- "compute_extension:admin_actions:resume": "rule:admin_or_owner",
- "compute_extension:admin_actions:lock": "rule:admin_or_owner",
- "compute_extension:admin_actions:unlock": "rule:admin_or_owner",
- "compute_extension:admin_actions:resetNetwork": "rule:admin_api",
- "compute_extension:admin_actions:injectNetworkInfo": "rule:admin_api",
- "compute_extension:admin_actions:createBackup": "rule:admin_or_owner",
- "compute_extension:admin_actions:migrateLive": "rule:admin_api",
- "compute_extension:admin_actions:resetState": "rule:admin_api",
- "compute_extension:admin_actions:migrate": "rule:admin_api",
- "compute_extension:aggregates": "rule:admin_api",
- "compute_extension:agents": "rule:admin_api",
- "compute_extension:attach_interfaces": "",
- "compute_extension:baremetal_nodes": "rule:admin_api",
- "compute_extension:cells": "rule:admin_api",
- "compute_extension:cells:create": "rule:admin_api",
- "compute_extension:cells:delete": "rule:admin_api",
- "compute_extension:cells:update": "rule:admin_api",
- "compute_extension:cells:sync_instances": "rule:admin_api",
- "compute_extension:certificates": "",
- "compute_extension:cloudpipe": "rule:admin_api",
- "compute_extension:cloudpipe_update": "rule:admin_api",
- "compute_extension:config_drive": "",
- "compute_extension:console_output": "",
- "compute_extension:consoles": "",
- "compute_extension:createserverext": "",
- "compute_extension:deferred_delete": "",
- "compute_extension:disk_config": "",
- "compute_extension:evacuate": "rule:admin_api",
- "compute_extension:extended_server_attributes": "rule:admin_api",
- "compute_extension:extended_status": "",
- "compute_extension:extended_availability_zone": "",
- "compute_extension:extended_ips": "",
- "compute_extension:extended_ips_mac": "",
- "compute_extension:extended_vif_net": "",
- "compute_extension:extended_volumes": "",
- "compute_extension:fixed_ips": "rule:admin_api",
- "compute_extension:flavor_access": "",
- "compute_extension:flavor_access:addTenantAccess": "rule:admin_api",
- "compute_extension:flavor_access:removeTenantAccess": "rule:admin_api",
- "compute_extension:flavor_disabled": "",
- "compute_extension:flavor_rxtx": "",
- "compute_extension:flavor_swap": "",
- "compute_extension:flavorextradata": "",
- "compute_extension:flavorextraspecs:index": "",
- "compute_extension:flavorextraspecs:show": "",
- "compute_extension:flavorextraspecs:create": "rule:admin_api",
- "compute_extension:flavorextraspecs:update": "rule:admin_api",
- "compute_extension:flavorextraspecs:delete": "rule:admin_api",
- "compute_extension:flavormanage": "rule:admin_api",
- "compute_extension:floating_ip_dns": "",
- "compute_extension:floating_ip_pools": "",
- "compute_extension:floating_ips": "",
- "compute_extension:floating_ips_bulk": "rule:admin_api",
- "compute_extension:fping": "",
- "compute_extension:fping:all_tenants": "rule:admin_api",
- "compute_extension:hide_server_addresses": "is_admin:False",
- "compute_extension:hosts": "rule:admin_api",
- "compute_extension:hypervisors": "rule:admin_api",
- "compute_extension:image_size": "",
- "compute_extension:instance_actions": "",
- "compute_extension:instance_actions:events": "rule:admin_api",
- "compute_extension:instance_usage_audit_log": "rule:admin_api",
- "compute_extension:keypairs": "",
- "compute_extension:keypairs:index": "",
- "compute_extension:keypairs:show": "",
- "compute_extension:keypairs:create": "",
- "compute_extension:keypairs:delete": "",
- "compute_extension:multinic": "",
- "compute_extension:networks": "rule:admin_api",
- "compute_extension:networks:view": "",
- "compute_extension:networks_associate": "rule:admin_api",
- "compute_extension:os-tenant-networks": "",
- "compute_extension:quotas:show": "",
- "compute_extension:quotas:update": "rule:admin_api",
- "compute_extension:quotas:delete": "rule:admin_api",
- "compute_extension:quota_classes": "",
- "compute_extension:rescue": "",
- "compute_extension:security_group_default_rules": "rule:admin_api",
- "compute_extension:security_groups": "",
- "compute_extension:server_diagnostics": "rule:admin_api",
- "compute_extension:server_groups": "",
- "compute_extension:server_password": "",
- "compute_extension:server_usage": "",
- "compute_extension:services": "rule:admin_api",
- "compute_extension:shelve": "",
- "compute_extension:shelveOffload": "rule:admin_api",
- "compute_extension:simple_tenant_usage:show": "rule:admin_or_owner",
- "compute_extension:simple_tenant_usage:list": "rule:admin_api",
- "compute_extension:unshelve": "",
- "compute_extension:users": "rule:admin_api",
- "compute_extension:virtual_interfaces": "",
- "compute_extension:virtual_storage_arrays": "",
- "compute_extension:volumes": "",
- "compute_extension:volume_attachments:index": "",
- "compute_extension:volume_attachments:show": "",
- "compute_extension:volume_attachments:create": "",
- "compute_extension:volume_attachments:update": "",
- "compute_extension:volume_attachments:delete": "",
- "compute_extension:volumetypes": "",
- "compute_extension:availability_zone:list": "",
- "compute_extension:availability_zone:detail": "rule:admin_api",
- "compute_extension:used_limits_for_admin": "rule:admin_api",
- "compute_extension:migrations:index": "rule:admin_api",
- "compute_extension:os-assisted-volume-snapshots:create": "rule:admin_api",
- "compute_extension:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "compute_extension:console_auth_tokens": "rule:admin_api",
- "compute_extension:os-server-external-events:create": "rule:admin_api",
-
- "network:get_all": "",
- "network:get": "",
- "network:create": "",
- "network:delete": "",
- "network:associate": "",
- "network:disassociate": "",
- "network:get_vifs_by_instance": "",
- "network:allocate_for_instance": "",
- "network:deallocate_for_instance": "",
- "network:validate_networks": "",
- "network:get_instance_uuids_by_ip_filter": "",
- "network:get_instance_id_by_floating_address": "",
- "network:setup_networks_on_host": "",
- "network:get_backdoor_port": "",
-
- "network:get_floating_ip": "",
- "network:get_floating_ip_pools": "",
- "network:get_floating_ip_by_address": "",
- "network:get_floating_ips_by_project": "",
- "network:get_floating_ips_by_fixed_address": "",
- "network:allocate_floating_ip": "",
- "network:associate_floating_ip": "",
- "network:disassociate_floating_ip": "",
- "network:release_floating_ip": "",
- "network:migrate_instance_start": "",
- "network:migrate_instance_finish": "",
-
- "network:get_fixed_ip": "",
- "network:get_fixed_ip_by_address": "",
- "network:add_fixed_ip_to_instance": "",
- "network:remove_fixed_ip_from_instance": "",
- "network:add_network_to_project": "",
- "network:get_instance_nw_info": "",
-
- "network:get_dns_domains": "",
- "network:add_dns_entry": "",
- "network:modify_dns_entry": "",
- "network:delete_dns_entry": "",
- "network:get_dns_entries_by_address": "",
- "network:get_dns_entries_by_name": "",
- "network:create_private_dns_domain": "",
- "network:create_public_dns_domain": "",
- "network:delete_dns_domain": "",
- "network:attach_external_network": "rule:admin_api",
- "network:get_vif_by_mac_address": "",
-
- "os_compute_api:servers:detail:get_all_tenants": "is_admin:True",
- "os_compute_api:servers:index:get_all_tenants": "is_admin:True",
- "os_compute_api:servers:confirm_resize": "",
- "os_compute_api:servers:create": "",
- "os_compute_api:servers:create:attach_network": "",
- "os_compute_api:servers:create:attach_volume": "",
- "os_compute_api:servers:create:forced_host": "rule:admin_api",
- "os_compute_api:servers:delete": "",
- "os_compute_api:servers:update": "",
- "os_compute_api:servers:detail": "",
- "os_compute_api:servers:index": "",
- "os_compute_api:servers:reboot": "",
- "os_compute_api:servers:rebuild": "",
- "os_compute_api:servers:resize": "",
- "os_compute_api:servers:revert_resize": "",
- "os_compute_api:servers:show": "",
- "os_compute_api:servers:create_image": "",
- "os_compute_api:servers:create_image:allow_volume_backed": "",
- "os_compute_api:servers:start": "rule:admin_or_owner",
- "os_compute_api:servers:stop": "rule:admin_or_owner",
- "os_compute_api:os-access-ips:discoverable": "",
- "os_compute_api:os-access-ips": "",
- "os_compute_api:os-admin-actions": "rule:admin_api",
- "os_compute_api:os-admin-actions:discoverable": "",
- "os_compute_api:os-admin-actions:reset_network": "rule:admin_api",
- "os_compute_api:os-admin-actions:inject_network_info": "rule:admin_api",
- "os_compute_api:os-admin-actions:reset_state": "rule:admin_api",
- "os_compute_api:os-admin-password": "",
- "os_compute_api:os-admin-password:discoverable": "",
- "os_compute_api:os-aggregates:discoverable": "",
- "os_compute_api:os-aggregates:index": "rule:admin_api",
- "os_compute_api:os-aggregates:create": "rule:admin_api",
- "os_compute_api:os-aggregates:show": "rule:admin_api",
- "os_compute_api:os-aggregates:update": "rule:admin_api",
- "os_compute_api:os-aggregates:delete": "rule:admin_api",
- "os_compute_api:os-aggregates:add_host": "rule:admin_api",
- "os_compute_api:os-aggregates:remove_host": "rule:admin_api",
- "os_compute_api:os-aggregates:set_metadata": "rule:admin_api",
- "os_compute_api:os-agents": "rule:admin_api",
- "os_compute_api:os-agents:discoverable": "",
- "os_compute_api:os-attach-interfaces": "",
- "os_compute_api:os-attach-interfaces:discoverable": "",
- "os_compute_api:os-baremetal-nodes": "rule:admin_api",
- "os_compute_api:os-baremetal-nodes:discoverable": "",
- "os_compute_api:os-block-device-mapping-v1:discoverable": "",
- "os_compute_api:os-cells": "rule:admin_api",
- "os_compute_api:os-cells:create": "rule:admin_api",
- "os_compute_api:os-cells:delete": "rule:admin_api",
- "os_compute_api:os-cells:update": "rule:admin_api",
- "os_compute_api:os-cells:sync_instances": "rule:admin_api",
- "os_compute_api:os-cells:discoverable": "",
- "os_compute_api:os-certificates:create": "",
- "os_compute_api:os-certificates:show": "",
- "os_compute_api:os-certificates:discoverable": "",
- "os_compute_api:os-cloudpipe": "rule:admin_api",
- "os_compute_api:os-cloudpipe:discoverable": "",
- "os_compute_api:os-config-drive": "",
- "os_compute_api:os-consoles:discoverable": "",
- "os_compute_api:os-consoles:create": "",
- "os_compute_api:os-consoles:delete": "",
- "os_compute_api:os-consoles:index": "",
- "os_compute_api:os-consoles:show": "",
- "os_compute_api:os-console-output:discoverable": "",
- "os_compute_api:os-console-output": "",
- "os_compute_api:os-remote-consoles": "",
- "os_compute_api:os-remote-consoles:discoverable": "",
- "os_compute_api:os-create-backup:discoverable": "",
- "os_compute_api:os-create-backup": "rule:admin_or_owner",
- "os_compute_api:os-deferred-delete": "",
- "os_compute_api:os-deferred-delete:discoverable": "",
- "os_compute_api:os-disk-config": "",
- "os_compute_api:os-disk-config:discoverable": "",
- "os_compute_api:os-evacuate": "rule:admin_api",
- "os_compute_api:os-evacuate:discoverable": "",
- "os_compute_api:os-extended-server-attributes": "rule:admin_api",
- "os_compute_api:os-extended-server-attributes:discoverable": "",
- "os_compute_api:os-extended-status": "",
- "os_compute_api:os-extended-status:discoverable": "",
- "os_compute_api:os-extended-availability-zone": "",
- "os_compute_api:os-extended-availability-zone:discoverable": "",
- "os_compute_api:extensions": "",
- "os_compute_api:extension_info:discoverable": "",
- "os_compute_api:os-extended-volumes": "",
- "os_compute_api:os-extended-volumes:discoverable": "",
- "os_compute_api:os-fixed-ips": "rule:admin_api",
- "os_compute_api:os-fixed-ips:discoverable": "",
- "os_compute_api:os-flavor-access": "",
- "os_compute_api:os-flavor-access:discoverable": "",
- "os_compute_api:os-flavor-access:remove_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-access:add_tenant_access": "rule:admin_api",
- "os_compute_api:os-flavor-rxtx": "",
- "os_compute_api:os-flavor-rxtx:discoverable": "",
- "os_compute_api:flavors:discoverable": "",
- "os_compute_api:os-flavor-extra-specs:discoverable": "",
- "os_compute_api:os-flavor-extra-specs:index": "",
- "os_compute_api:os-flavor-extra-specs:show": "",
- "os_compute_api:os-flavor-extra-specs:create": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:update": "rule:admin_api",
- "os_compute_api:os-flavor-extra-specs:delete": "rule:admin_api",
- "os_compute_api:os-flavor-manage:discoverable": "",
- "os_compute_api:os-flavor-manage": "rule:admin_api",
- "os_compute_api:os-floating-ip-dns": "",
- "os_compute_api:os-floating-ip-dns:discoverable": "",
- "os_compute_api:os-floating-ip-dns:domain:update": "rule:admin_api",
- "os_compute_api:os-floating-ip-dns:domain:delete": "rule:admin_api",
- "os_compute_api:os-floating-ip-pools": "",
- "os_compute_api:os-floating-ip-pools:discoverable": "",
- "os_compute_api:os-floating-ips": "",
- "os_compute_api:os-floating-ips:discoverable": "",
- "os_compute_api:os-floating-ips-bulk": "rule:admin_api",
- "os_compute_api:os-floating-ips-bulk:discoverable": "",
- "os_compute_api:os-fping": "",
- "os_compute_api:os-fping:discoverable": "",
- "os_compute_api:os-fping:all_tenants": "rule:admin_api",
- "os_compute_api:os-hide-server-addresses": "is_admin:False",
- "os_compute_api:os-hide-server-addresses:discoverable": "",
- "os_compute_api:os-hosts": "rule:admin_api",
- "os_compute_api:os-hosts:discoverable": "",
- "os_compute_api:os-hypervisors": "rule:admin_api",
- "os_compute_api:os-hypervisors:discoverable": "",
- "os_compute_api:images:discoverable": "",
- "os_compute_api:image-size": "",
- "os_compute_api:image-size:discoverable": "",
- "os_compute_api:os-instance-actions": "",
- "os_compute_api:os-instance-actions:discoverable": "",
- "os_compute_api:os-instance-actions:events": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log": "rule:admin_api",
- "os_compute_api:os-instance-usage-audit-log:discoverable": "",
- "os_compute_api:ips:discoverable": "",
- "os_compute_api:ips:index": "rule:admin_or_owner",
- "os_compute_api:ips:show": "rule:admin_or_owner",
- "os_compute_api:os-keypairs:discoverable": "",
- "os_compute_api:os-keypairs": "",
- "os_compute_api:os-keypairs:index": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:show": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:create": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:os-keypairs:delete": "rule:admin_api or user_id:%(user_id)s",
- "os_compute_api:limits:discoverable": "",
- "os_compute_api:limits": "",
- "os_compute_api:os-lock-server:discoverable": "",
- "os_compute_api:os-lock-server:lock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock": "rule:admin_or_owner",
- "os_compute_api:os-lock-server:unlock:unlock_override": "rule:admin_api",
- "os_compute_api:os-migrate-server:discoverable": "",
- "os_compute_api:os-migrate-server:migrate": "rule:admin_api",
- "os_compute_api:os-migrate-server:migrate_live": "rule:admin_api",
- "os_compute_api:os-multinic": "",
- "os_compute_api:os-multinic:discoverable": "",
- "os_compute_api:os-networks": "rule:admin_api",
- "os_compute_api:os-networks:view": "",
- "os_compute_api:os-networks:discoverable": "",
- "os_compute_api:os-networks-associate": "rule:admin_api",
- "os_compute_api:os-networks-associate:discoverable": "",
- "os_compute_api:os-pause-server:discoverable": "",
- "os_compute_api:os-pause-server:pause": "rule:admin_or_owner",
- "os_compute_api:os-pause-server:unpause": "rule:admin_or_owner",
- "os_compute_api:os-pci:pci_servers": "",
- "os_compute_api:os-pci:discoverable": "",
- "os_compute_api:os-pci:index": "rule:admin_api",
- "os_compute_api:os-pci:detail": "rule:admin_api",
- "os_compute_api:os-pci:show": "rule:admin_api",
- "os_compute_api:os-personality:discoverable": "",
- "os_compute_api:os-preserve-ephemeral-rebuild:discoverable": "",
- "os_compute_api:os-quota-sets:discoverable": "",
- "os_compute_api:os-quota-sets:show": "rule:admin_or_owner",
- "os_compute_api:os-quota-sets:defaults": "",
- "os_compute_api:os-quota-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-sets:delete": "rule:admin_api",
- "os_compute_api:os-quota-sets:detail": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:update": "rule:admin_api",
- "os_compute_api:os-quota-class-sets:show": "is_admin:True or quota_class:%(quota_class)s",
- "os_compute_api:os-quota-class-sets:discoverable": "",
- "os_compute_api:os-rescue": "",
- "os_compute_api:os-rescue:discoverable": "",
- "os_compute_api:os-scheduler-hints:discoverable": "",
- "os_compute_api:os-security-group-default-rules:discoverable": "",
- "os_compute_api:os-security-group-default-rules": "rule:admin_api",
- "os_compute_api:os-security-groups": "",
- "os_compute_api:os-security-groups:discoverable": "",
- "os_compute_api:os-server-diagnostics": "rule:admin_api",
- "os_compute_api:os-server-diagnostics:discoverable": "",
- "os_compute_api:os-server-password": "",
- "os_compute_api:os-server-password:discoverable": "",
- "os_compute_api:os-server-usage": "",
- "os_compute_api:os-server-usage:discoverable": "",
- "os_compute_api:os-server-groups": "",
- "os_compute_api:os-server-groups:discoverable": "",
- "os_compute_api:os-services": "rule:admin_api",
- "os_compute_api:os-services:discoverable": "",
- "os_compute_api:server-metadata:discoverable": "",
- "os_compute_api:server-metadata:index": "rule:admin_or_owner",
- "os_compute_api:server-metadata:show": "rule:admin_or_owner",
- "os_compute_api:server-metadata:delete": "rule:admin_or_owner",
- "os_compute_api:server-metadata:create": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update": "rule:admin_or_owner",
- "os_compute_api:server-metadata:update_all": "rule:admin_or_owner",
- "os_compute_api:servers:discoverable": "",
- "os_compute_api:os-shelve:shelve": "",
- "os_compute_api:os-shelve:shelve:discoverable": "",
- "os_compute_api:os-shelve:shelve_offload": "rule:admin_api",
- "os_compute_api:os-simple-tenant-usage:discoverable": "",
- "os_compute_api:os-simple-tenant-usage:show": "rule:admin_or_owner",
- "os_compute_api:os-simple-tenant-usage:list": "rule:admin_api",
- "os_compute_api:os-suspend-server:discoverable": "",
- "os_compute_api:os-suspend-server:suspend": "rule:admin_or_owner",
- "os_compute_api:os-suspend-server:resume": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks": "rule:admin_or_owner",
- "os_compute_api:os-tenant-networks:discoverable": "",
- "os_compute_api:os-shelve:unshelve": "",
- "os_compute_api:os-user-data:discoverable": "",
- "os_compute_api:os-virtual-interfaces": "",
- "os_compute_api:os-virtual-interfaces:discoverable": "",
- "os_compute_api:os-volumes": "",
- "os_compute_api:os-volumes:discoverable": "",
- "os_compute_api:os-volumes-attachments:index": "",
- "os_compute_api:os-volumes-attachments:show": "",
- "os_compute_api:os-volumes-attachments:create": "",
- "os_compute_api:os-volumes-attachments:update": "",
- "os_compute_api:os-volumes-attachments:delete": "",
- "os_compute_api:os-volumes-attachments:discoverable": "",
- "os_compute_api:os-availability-zone:list": "",
- "os_compute_api:os-availability-zone:discoverable": "",
- "os_compute_api:os-availability-zone:detail": "rule:admin_api",
- "os_compute_api:os-used-limits": "rule:admin_api",
- "os_compute_api:os-used-limits:discoverable": "",
- "os_compute_api:os-migrations:index": "rule:admin_api",
- "os_compute_api:os-migrations:discoverable": "",
- "os_compute_api:os-assisted-volume-snapshots:create": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:delete": "rule:admin_api",
- "os_compute_api:os-assisted-volume-snapshots:discoverable": "",
- "os_compute_api:os-console-auth-tokens": "rule:admin_api",
- "os_compute_api:os-server-external-events:create": "rule:admin_api"
-} |