-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json29
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json18
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json21
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/rule.json16
-rw-r--r--keystone-moon/examples/moon/policies/policy_mls_authz/scope.json26
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json (renamed from keystone-moon/examples/moon/policies/policy_admin/assignment.json)3
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json (renamed from keystone-moon/examples/moon/policies/policy_admin/metadata.json)0
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json (renamed from keystone-moon/examples/moon/policies/policy_admin/metarule.json)0
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json (renamed from keystone-moon/examples/moon/policies/policy_admin/perimeter.json)3
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json (renamed from keystone-moon/examples/moon/policies/policy_admin/rule.json)32
-rw-r--r--keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json (renamed from keystone-moon/examples/moon/policies/policy_admin/scope.json)3
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh33
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh39
-rw-r--r--keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh37
15 files changed, 268 insertions, 4 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..0712dfbc
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,29 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "admin": ["high"],
+ "demo": ["medium"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"],
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"],
+ "upload": ["storage_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..c419c815
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "MLS_Policy",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Level Security Policy",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "resource_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..e068927c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
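Review bot: The file ends with an extra empty line after the closing brace (the blank added line following `}`), which none of the other policy files introduced by this change have; drop it so the six policy_mls_authz files are formatted the same way. The JSON content itself is unaffected.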
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..47a8ee45
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,21 @@
+{
+ "subjects": [
+ "admin",
+ "demo"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list",
+ "upload",
+ "download",
+ "post",
+ "storage_list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
new file mode 100644
index 00000000..b17dc822
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
@@ -0,0 +1,16 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "low"],
+ ["high", "storage_admin", "medium"],
+ ["high", "storage_admin", "low"],
+ ["medium", "storage_admin", "low"],
+ ["high", "storage_access", "medium"],
+ ["high", "storage_access", "low"],
+ ["medium", "storage_access", "low"]
+ ]
+}
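Review bot: The rule table encodes a strict-dominance relation — every row pairs a higher subject level with a strictly lower object level (high/medium, high/low, medium/low) and there is no equal-level row — and it repeats the same three level pairs for all four `resource_action` values, so the action category never discriminates: any subject whose level dominates the object's gets every action on it, `vm_admin` and `storage_admin` included (with the assignments shipped alongside, `demo` at `medium` gets all of them on `servers` at `low`). Neither property can be read from `"description": "Multi Level Security Policy"` in metadata.json. If this is intended (test_nova_a.sh relies on `admin` at `high` being denied once `servers` is moved to `high`), say so there, e.g. `"description": "Multi Level Security Policy: the subject level must strictly dominate the object level; all resource actions are then permitted"`; if equal-level access or a narrower action set for lower levels is wanted, the rows need adjusting instead.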
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..6cc1c28e
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
@@ -0,0 +1,26 @@
+{
+ "subject_scopes": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_scopes": {
+ "resource_action": [
+ "vm_admin",
+ "vm_access",
+ "storage_admin",
+ "storage_access"
+ ]
+ },
+
+ "object_scopes": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
index 2c339a39..ed1950b0 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
@@ -1,7 +1,8 @@
{
"subject_assignments": {
"role": {
- "admin": ["root_role"]
+ "admin": ["root_role"],
+ "demo": ["dev"]
}
},
"action_assignments": {
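Review bot: The new subject assignment `"demo": ["dev"]` does not match the scope value added in the renamed scope.json (`"dev_role"`) or the subject used by every new row in the renamed rule.json (`"dev_role"`); following the convention the MLS example uses (assignment values equal scope values, e.g. `"high"`), `demo` would be assigned a role that has no scope entry and no rules, and the `dev_role` read rules would never apply to it. Change the line to `"demo": ["dev_role"]`. The enclosing object continues outside the hunk.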
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
index 9ee8a11d..9ee8a11d 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
index 86dbfad2..86dbfad2 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
index 3fe71bb5..1155533e 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
@@ -1,6 +1,7 @@
{
"subjects": [
- "admin"
+ "admin",
+ "demo"
],
"actions": [
"read",
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json
index 020dac41..c89ceff3 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json
@@ -59,6 +59,36 @@
["root_role" , "write", "admin.action_assignments"],
["root_role" , "write", "admin.aggregation_algorithm"],
["root_role" , "write", "admin.sub_meta_rules"],
- ["root_role" , "write", "admin.rules"]
+ ["root_role" , "write", "admin.rules"],
+ ["dev_role" , "read", "authz.subjects"],
+ ["dev_role" , "read", "authz.objects"],
+ ["dev_role" , "read", "authz.actions"],
+ ["dev_role" , "read", "authz.subject_categories"],
+ ["dev_role" , "read", "authz.object_categories"],
+ ["dev_role" , "read", "authz.action_categories"],
+ ["dev_role" , "read", "authz.subject_scopes"],
+ ["dev_role" , "read", "authz.object_scopes"],
+ ["dev_role" , "read", "authz.action_scopes"],
+ ["dev_role" , "read", "authz.subject_assignments"],
+ ["dev_role" , "read", "authz.object_assignments"],
+ ["dev_role" , "read", "authz.action_assignments"],
+ ["dev_role" , "read", "authz.aggregation_algorithm"],
+ ["dev_role" , "read", "authz.sub_meta_rules"],
+ ["dev_role" , "read", "authz.rules"],
+ ["dev_role" , "read", "admin.subjects"],
+ ["dev_role" , "read", "admin.objects"],
+ ["dev_role" , "read", "admin.actions"],
+ ["dev_role" , "read", "admin.subject_categories"],
+ ["dev_role" , "read", "admin.object_categories"],
+ ["dev_role" , "read", "admin.action_categories"],
+ ["dev_role" , "read", "admin.subject_scopes"],
+ ["dev_role" , "read", "admin.object_scopes"],
+ ["dev_role" , "read", "admin.action_scopes"],
+ ["dev_role" , "read", "admin.subject_assignments"],
+ ["dev_role" , "read", "admin.object_assignments"],
+ ["dev_role" , "read", "admin.action_assignments"],
+ ["dev_role" , "read", "admin.aggregation_algorithm"],
+ ["dev_role" , "read", "admin.sub_meta_rules"],
+ ["dev_role" , "read", "admin.rules"]
]
}
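Review bot: The new `dev_role` rows grant `read` on every `admin.*` table, including `admin.rules`, `admin.subject_assignments` and `admin.aggregation_algorithm`, so a subject holding `dev_role` can read the complete administration policy and not only the `authz.*` policy it works with; if the intent (as test_nova_c.sh suggests, where demo inspects and later modifies the authz intraextension) is to let developers see the authz policy, the fifteen `admin.*` rows are broader than needed and should be dropped or reduced to the tables actually required. Whether objects named `authz.*`/`admin.*` are declared in the renamed perimeter.json is not visible in this hunk. The enclosing array starts before the hunk.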
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
index c8b4908a..149056a6 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
@@ -1,7 +1,8 @@
{
"subject_scopes": {
"role": [
- "root_role"
+ "root_role",
+ "dev_role"
]
},
"action_scopes": {
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
new file mode 100644
index 00000000..36afd5a1
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx `demo`
+
+# check that now moon authorizes the manipulation list_servers
+nova list
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation list_servers
+nova list
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid` \ No newline at end of file
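Review bot: Under the `#!/usr/bin/env bash` shebang, the back-quoted tokens on the `moon tenant add` line (demo) and on the select/assignment lines (test_authz_uuid, servers_uuid, object_security_level_uuid, low_uuid, high_uuid) are command substitutions, not placeholders: bash tries to execute a command of that name and substitutes its (empty) output, so the tenant gets no name and the UUID arguments are empty. test_nova_b.sh passes `demo` bare on the same line, which suggests the back-quotes are unintended. Either make the placeholders shell variables (`moon tenant add --authz "$AUTHZ_UUID" --admin "$ADMIN_UUID" demo`, `moon intraextension select "$TEST_AUTHZ_UUID"`) or state at the top of the file that it is a manual scenario to be read rather than executed. The two `nova list` "check" steps also verify nothing — without looking at the exit status the script cannot distinguish the allowed call from the denied one, e.g. `nova list && { echo "expected denial"; exit 1; }` for the denied case. The file is also missing its trailing newline.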
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
new file mode 100644
index 00000000..f2c0e4fc
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# create a VM (vm1) in OpenStack
+nova create vm1.....
+
+# add corresponding object in moon
+moon object add vm1
+
+# check that moon blocks the vm1 manipulatin
+nova vm1 suspend ....
+
+# add object assignment for vm1
+moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation of vm1
+nova vm1 suspend ....
+
+# del object assignment for servers
+moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid`
+
+# check now moon unblock the manipulation of vm1
+nova vm1 suspend .... \ No newline at end of file
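Review bot: The first assignment command after `moon object add vm1` is missing the `add` subcommand — it reads `moon object assignment` followed directly by the three ids, while the later line uses `moon object assignment add …` — so the step meant to put vm1 at `high` does not do what its comment says, and the following "check now moon block" step exercises the unassigned state instead. Change it to `moon object assignment add` with the same arguments. The back-quoted placeholders are command substitutions under bash, as noted for test_nova_a.sh, and "manipulatin" in the comment before the first `nova vm1 suspend` is a typo.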
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
new file mode 100644
index 00000000..bf4bd3c8
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# as user demo
+. openrc demo
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# check that moon blocks modification of object assignments
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# as user admin
+. openrc admin
+
+# select the admin intraextension
+moon intraextension select `test_admin_uuid`
+
+# add write permission to the dev_role user for assignment table
+moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
+
+# as user demo
+. openrc demo
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# check that moon authorizes modification of rule table by demo
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
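Review bot: The rule added as admin names the object `authz.assignment`, but the object names used by the renamed policy_rbac_admin/rule.json are `authz.subject_assignments`, `authz.object_assignments` and `authz.action_assignments`, and the step this rule is meant to unblock is an object-assignment write, so the row should presumably be `dev_role_uuid`, `write_uuid`, `authz.object_assignments`. The final comment says "modification of rule table by demo" while the command modifies an object assignment; reword it to `# check that moon now authorizes demo to modify the object assignment table`. The setup steps (`moon intraextension add`, `moon tenant add`) are run as demo although the new `dev_role` rows grant only `read`; if those operations are governed by the admin policy they would fail before the check is reached — confirm, or run them as admin as test_nova_a.sh and test_nova_b.sh do. The back-quoted placeholders are command substitutions under bash, as noted for test_nova_a.sh.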