diff options
88 files changed, 157 insertions, 1911 deletions
diff --git a/moon_authz/Dockerfile b/moon_authz/Dockerfile index 7ab172b0..fea9555d 100644 --- a/moon_authz/Dockerfile +++ b/moon_authz/Dockerfile @@ -1,12 +1,8 @@ -FROM ubuntu:latest - -RUN apt update && apt install python3.5 python3-pip -y -RUN pip3 install pip --upgrade +FROM python:3 ADD . /root WORKDIR /root/ -RUN pip3 install -r requirements.txt --upgrade -RUN pip3 install /root/dist/* --upgrade +RUN pip3 install -r requirements.txt RUN pip3 install . CMD ["python3", "-m", "moon_authz"]
\ No newline at end of file diff --git a/moon_authz/README.rst b/moon_authz/README.md index ded4e99a..696c29a1 100644 --- a/moon_authz/README.rst +++ b/moon_authz/README.md @@ -1,5 +1,4 @@ -Core module for the Moon project -================================ +# moon_authz This package contains the core module for the Moon project It is designed to provide authorization features to all OpenStack components. diff --git a/moon_authz/moon_authz/api/authorization.py b/moon_authz/moon_authz/api/authorization.py index 4cd8de06..d7832ef0 100644 --- a/moon_authz/moon_authz/api/authorization.py +++ b/moon_authz/moon_authz/api/authorization.py @@ -19,20 +19,20 @@ from flask_restful import Resource # - call the next security function # - call the master if an element is absent -LOG = logging.getLogger("moon.api." + __name__) +LOG = logging.getLogger("moon.authz.api." + __name__) class Authz(Resource): """ Endpoint for authz requests """ + __version__ = "0.1.0" __urls__ = ( "/authz", "/authz/", - "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>", ) - __version__ = "0.1.0" + pdp_id = None meta_rule_id = None keystone_project_id = None @@ -47,13 +47,11 @@ class Authz(Resource): self.cache = kwargs.get("cache") self.context = None - def post(self, uuid=None, subject_name=None, object_name=None, action_name=None): + def post(self): """Get a response on an authorization request - :param uuid: uuid of a tenant or an intra_extension - :param subject_name: name of the subject or the request - :param object_name: name of the object - :param action_name: name of the action + :request: + :return: { "args": {}, "ctx": { @@ -255,47 +253,47 @@ class Authz(Resource): self.context.current_state = "passed" LOG.info("__exec_instructions False {}".format(self.context.current_state)) - def __update_current_request(self): - index = self.payload["authz_context"]["index"] - current_header_id = self.payload["authz_context"]['headers'][index] - previous_header_id = self.payload["authz_context"]['headers'][index - 1] - current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id) - previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id) - # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy - if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session": - subject = self.payload["authz_context"]['current_request'].get("subject") - subject_category_id = None - role_names = [] - for category_id, category_value in ModelManager.get_subject_categories("admin").items(): - if category_value["name"] == "role": - subject_category_id = category_id - break - for assignment_id, assignment_value in PolicyManager.get_subject_assignments( - "admin", previous_policy_id, subject, subject_category_id).items(): - for data_id in assignment_value["assignments"]: - data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id) - for _data in data: - for key, value in _data["data"].items(): - role_names.append(value["name"]) - new_role_ids = [] - for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items(): - if perimeter_value["name"] in role_names: - new_role_ids.append(perimeter_id) - break - perimeter_id = None - for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items(): - if perimeter_value["name"] == "*": - break - - self.payload["authz_context"]['current_request']['object'] = new_role_ids[0] - self.payload["authz_context"]['current_request']['action'] = perimeter_id - elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac": - self.payload["authz_context"]['current_request']['subject'] = \ - self.payload["authz_context"]['initial_request']['subject'] - self.payload["authz_context"]['current_request']['object'] = \ - self.payload["authz_context"]['initial_request']['object'] - self.payload["authz_context"]['current_request']['action'] = \ - self.payload["authz_context"]['initial_request']['action'] + # def __update_current_request(self): + # index = self.payload["authz_context"]["index"] + # current_header_id = self.payload["authz_context"]['headers'][index] + # previous_header_id = self.payload["authz_context"]['headers'][index - 1] + # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id) + # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id) + # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy + # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session": + # subject = self.payload["authz_context"]['current_request'].get("subject") + # subject_category_id = None + # role_names = [] + # for category_id, category_value in ModelManager.get_subject_categories("admin").items(): + # if category_value["name"] == "role": + # subject_category_id = category_id + # break + # for assignment_id, assignment_value in PolicyManager.get_subject_assignments( + # "admin", previous_policy_id, subject, subject_category_id).items(): + # for data_id in assignment_value["assignments"]: + # data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id) + # for _data in data: + # for key, value in _data["data"].items(): + # role_names.append(value["name"]) + # new_role_ids = [] + # for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items(): + # if perimeter_value["name"] in role_names: + # new_role_ids.append(perimeter_id) + # break + # perimeter_id = None + # for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items(): + # if perimeter_value["name"] == "*": + # break + # + # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0] + # self.payload["authz_context"]['current_request']['action'] = perimeter_id + # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac": + # self.payload["authz_context"]['current_request']['subject'] = \ + # self.payload["authz_context"]['initial_request']['subject'] + # self.payload["authz_context"]['current_request']['object'] = \ + # self.payload["authz_context"]['initial_request']['object'] + # self.payload["authz_context"]['current_request']['action'] = \ + # self.payload["authz_context"]['initial_request']['action'] def get_authz(self): # self.keystone_project_id = payload["id"] diff --git a/moon_authz/moon_authz/api/generic.py b/moon_authz/moon_authz/api/generic.py deleted file mode 100644 index f4e13e42..00000000 --- a/moon_authz/moon_authz/api/generic.py +++ /dev/null @@ -1,131 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -Those API are helping API used to manage the Moon platform. -""" - -from flask_restful import Resource, request -from oslo_log import log as logging -import moon_authz.api -from python_moonutilities.security_functions import check_auth - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.authz.api." + __name__) - - -class Status(Resource): - """ - Endpoint for status requests - """ - - __urls__ = ("/status", "/status/", "/status/<string:component_id>") - - def get(self, component_id=None): - """Retrieve status of all components - - :return: { - "orchestrator": { - "status": "Running" - }, - "security_router": { - "status": "Running" - } - } - """ - raise NotImplemented - - -class Logs(Resource): - """ - Endpoint for logs requests - """ - - __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>") - - def get(self, component_id=None): - """Get logs from the Moon platform - - :param component_id: the ID of the component your are looking for (optional) - :return: [ - "2015-04-15-13:45:20 - "2015-04-15-13:45:21 - "2015-04-15-13:45:22 - "2015-04-15-13:45:23 - ] - """ - filter_str = request.args.get('filter', '') - from_str = request.args.get('from', '') - to_str = request.args.get('to', '') - event_number = request.args.get('event_number', '') - try: - event_number = int(event_number) - except ValueError: - event_number = None - args = dict() - args["filter"] = filter_str - args["from"] = from_str - args["to"] = to_str - args["event_number"] = event_number - - raise NotImplemented - - -class API(Resource): - """ - Endpoint for API requests - """ - - __urls__ = ( - "/api", - "/api/", - "/api/<string:group_id>", - "/api/<string:group_id>/", - "/api/<string:group_id>/<string:endpoint_id>") - - @check_auth - def get(self, group_id="", endpoint_id="", user_id=""): - """Retrieve all API endpoints or a specific endpoint if endpoint_id is given - - :param group_id: the name of one existing group (ie generic, ...) - :param endpoint_id: the name of one existing component (ie Logs, Status, ...) - :return: { - "group_name": { - "endpoint_name": { - "description": "a description", - "methods": { - "get": "description of the HTTP method" - }, - "urls": ('/api', '/api/', '/api/<string:endpoint_id>') - } - } - """ - __methods = ("get", "post", "put", "delete", "options", "patch") - api_list = filter(lambda x: "__" not in x, dir(moon_authz.api)) - api_desc = dict() - for api_name in api_list: - api_desc[api_name] = {} - group_api_obj = eval("moon_interface.api.{}".format(api_name)) - api_desc[api_name]["description"] = group_api_obj.__doc__ - if "__version__" in dir(group_api_obj): - api_desc[api_name]["version"] = group_api_obj.__version__ - object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj))) - for obj in map(lambda x: eval("moon_interface.api.{}.{}".format(api_name, x)), object_list): - if "__urls__" in dir(obj): - api_desc[api_name][obj.__name__] = dict() - api_desc[api_name][obj.__name__]["urls"] = obj.__urls__ - api_desc[api_name][obj.__name__]["methods"] = dict() - for _method in filter(lambda x: x in __methods, dir(obj)): - docstring = eval("moon_interface.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method)) - api_desc[api_name][obj.__name__]["methods"][_method] = docstring - api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__) - if group_id in api_desc: - if endpoint_id in api_desc[group_id]: - return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}} - elif len(endpoint_id) > 0: - LOG.error("Unknown endpoint_id {}".format(endpoint_id)) - return {"error": "Unknown endpoint_id {}".format(endpoint_id)} - return {group_id: api_desc[group_id]} - return api_desc diff --git a/moon_authz/moon_authz/http_server.py b/moon_authz/moon_authz/http_server.py index 50e878d3..d24a02ca 100644 --- a/moon_authz/moon_authz/http_server.py +++ b/moon_authz/moon_authz/http_server.py @@ -12,7 +12,7 @@ from moon_authz.api.authorization import Authz from python_moonutilities.cache import Cache from python_moonutilities import exceptions -logger = logging.getLogger("moon." + __name__) +logger = logging.getLogger("moon.authz.http_server") CACHE = Cache() CACHE.update() diff --git a/moon_authz/moon_authz/server.py b/moon_authz/moon_authz/server.py index 974012dc..1919ebe5 100644 --- a/moon_authz/moon_authz/server.py +++ b/moon_authz/moon_authz/server.py @@ -8,20 +8,19 @@ from oslo_log import log as logging from moon_authz.http_server import HTTPServer as Server from python_moonutilities import configuration -LOG = logging.getLogger("moon.server") +LOG = logging.getLogger("moon.authz.server") DOMAIN = "moon_authz" -__CWD__ = os.path.dirname(os.path.abspath(__file__)) - def main(): + configuration.init_logging() + component_id = os.getenv("UUID") component_type = os.getenv("TYPE") tcp_port = os.getenv("PORT") pdp_id = os.getenv("PDP_ID") meta_rule_id = os.getenv("META_RULE_ID") keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID") - configuration.init_logging() LOG.info("component_type={}".format(component_type)) conf = configuration.get_configuration("plugins/{}".format(component_type)) conf["plugins/{}".format(component_type)]['id'] = component_id diff --git a/moon_authz/setup.py b/moon_authz/setup.py index a8dcd0c4..c3ac33c7 100644 --- a/moon_authz/setup.py +++ b/moon_authz/setup.py @@ -21,7 +21,7 @@ setup( description="", - long_description=open('README.rst').read(), + long_description=open('README.md').read(), # install_requires= , diff --git a/moon_forming/Dockerfile b/moon_forming/Dockerfile index bc6b699e..ca0eba76 100644 --- a/moon_forming/Dockerfile +++ b/moon_forming/Dockerfile @@ -1,4 +1,5 @@ FROM python:3 + WORKDIR /usr/src/app RUN pip install --no-cache-dir --upgrade requests pyyaml python_moonutilities python_moondb python_moonclient diff --git a/moon_interface/Dockerfile b/moon_interface/Dockerfile index 82160cc9..f4de15eb 100644 --- a/moon_interface/Dockerfile +++ b/moon_interface/Dockerfile @@ -1,12 +1,8 @@ -FROM ubuntu:latest - -RUN apt update && apt install python3.5 python3-pip -y -RUN pip3 install python_moonutilities python_moondb pip --upgrade +FROM python:3 ADD . /root WORKDIR /root/ -RUN pip3 install -r requirements.txt --upgrade -#RUN pip3 install /root/dist/* --upgrade +RUN pip3 install -r requirements.txt RUN pip3 install . CMD ["python3", "-m", "moon_interface"]
\ No newline at end of file diff --git a/moon_interface/Makefile b/moon_interface/Makefile deleted file mode 100644 index af91b904..00000000 --- a/moon_interface/Makefile +++ /dev/null @@ -1,12 +0,0 @@ -all: built run - -built: - docker build -t moon_policy:16.04 . - -run: - docker run -p 8000:8000 moon_policy:16.04 - -.PHONY: clean - -clean: - find . -name "*.py" -exec echo rm {}\; diff --git a/moon_manager/README.rst b/moon_interface/README.md index ded4e99a..4c0e483d 100644 --- a/moon_manager/README.rst +++ b/moon_interface/README.md @@ -1,5 +1,5 @@ -Core module for the Moon project -================================ +# moon_interface + This package contains the core module for the Moon project It is designed to provide authorization features to all OpenStack components. diff --git a/moon_interface/moon_interface/api/authz.py b/moon_interface/moon_interface/api/authz.py index c9f4697f..a284ff3a 100644 --- a/moon_interface/moon_interface/api/authz.py +++ b/moon_interface/moon_interface/api/authz.py @@ -18,7 +18,7 @@ from moon_interface.authz_requests import AuthzRequest __version__ = "0.1.0" -LOG = logging.getLogger("moon.interface.api." + __name__) +LOG = logging.getLogger("moon.interface.api.authz." + __name__) def pdp_in_cache(cache, uuid): @@ -45,39 +45,6 @@ def pdp_in_manager(cache, uuid): return pdp_in_cache(cache, uuid) -def container_exist(cache, uuid): - """Check if a PDP exist with this Keystone Project ID in the Manager component - - :param cache: Cache to use - :param uuid: Keystone Project ID - :return: True or False - """ - for key, value in cache.containers.items(): - if "keystone_project_id" not in value: - continue - if value["keystone_project_id"] == uuid: - try: - req = requests.head("http://{}:{}/".format( - value.get("hostname"), - value.get("port")[0].get("PublicPort"))) - LOG.info("container_exist {}".format(req.status_code)) - if req.status_code in (200, 201): - return value - return - except requests.exceptions.ConnectionError: - pass - # maybe hostname is not working so trying with IP address - try: - req = requests.head("http://{}:{}/".format( - value.get("ip"), - value.get("port")[0].get("PublicPort"))) - if req.status_code in (200, 201): - return value - return - except requests.exceptions.ConnectionError: - return - - def create_authz_request(cache, interface_name, manager_url, uuid, subject_name, object_name, action_name): """Create the authorization request and make the first call to the Authz function diff --git a/moon_interface/moon_interface/containers.py b/moon_interface/moon_interface/containers.py deleted file mode 100644 index 4f93d742..00000000 --- a/moon_interface/moon_interface/containers.py +++ /dev/null @@ -1,102 +0,0 @@ -# Copyright 2017 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import docker -import logging -import re -import requests -import time -from python_moonutilities import configuration, exceptions - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.interface.container") - - -class DockerManager: - - def __init__(self): - docker_conf = configuration.get_configuration("docker")['docker'] - self.docker = docker.DockerClient(base_url=docker_conf['url']) - - def create_container(self, data): - """Create the container through the docker client - - :param data: { - "name": "authz", - "hostname": "authz123456789", - "port": { - "PrivatePort": 8090, - "Type": "tcp", - "IP": "0.0.0.0", - "PublicPort": 8090 - }, - "keystone_project_id": "keystone_project_id1", - "pdp_id": "123456789", - "container_name": "wukongsun/moon_authz:v4.1" - } - :return: container output - """ - output = self.docker.containers.run( - image=data.get("container_name"), - hostname=data.get("hostname", data.get("name"))[:63], - name=data.get("name"), - network='moon', - ports={'{}/{}'.format( - data.get("port").get("PrivatePort"), - data.get("port").get("Type") - ): int(data.get("port").get("PrivatePort"))}, - environment={ - "UUID": data.get("hostname"), - "BIND": data.get("port").get("IP"), - "TYPE": data.get("plugin_name"), - "PORT": data.get("port").get("PrivatePort"), - "PDP_ID": data.get("pdp_id"), - "META_RULE_ID": data.get("meta_rule_id"), - "KEYSTONE_PROJECT_ID": data.get("keystone_project_id"), - }, - detach=True - ) - try: - req = requests.head("http://{}:{}/".format(data.get("hostname"), data.get("port").get("PublicPort"))) - except requests.exceptions.ConnectionError: - pass - else: - if req.status_code != 200: - raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname"))) - output.ip = "0.0.0.0" - return output - - # Note: host is not reachable through hostname so trying to find th IP address - res = output.exec_run("ip addr") - find = re.findall("inet (\d+\.\d+\.\d+\.\d+)", res.decode("utf-8")) - ip = "127.0.0.1" - for ip in find: - if ip.startswith("127"): - continue - break - cpt = 0 - while True: - try: - req = requests.head("http://{}:{}/".format(ip, data.get("port").get("PublicPort"))) - except requests.exceptions.ConnectionError: - pass - else: - if req.status_code not in (200, 201): - LOG.error("url={}".format("http://{}:{}/".format(ip, data.get("port").get("PublicPort")))) - LOG.error("req={}".format(req)) - raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname"))) - output.ip = ip - return output - finally: - cpt += 1 - time.sleep(0.1) - if cpt > 20: - break - output.ip = ip - return output - - def delete_container(self, uuid): - raise NotImplementedError diff --git a/moon_interface/moon_interface/http_server.py b/moon_interface/moon_interface/http_server.py index 890bb82f..72576f6c 100644 --- a/moon_interface/moon_interface/http_server.py +++ b/moon_interface/moon_interface/http_server.py @@ -15,6 +15,10 @@ from python_moonutilities import configuration, exceptions logger = logging.getLogger("moon.interface.http") +__API__ = ( + Status, Logs, API + ) + class Server: """Base class for HTTP server""" @@ -59,10 +63,6 @@ class Server: def run(self): raise NotImplementedError() -__API__ = ( - Status, Logs, API - ) - class Root(Resource): """ @@ -132,5 +132,3 @@ class HTTPServer(Server): def run(self): self.app.run(host=self._host, port=self._port) # nosec - # self.app.run(debug=True, host=self._host, port=self._port) # nosec - diff --git a/moon_interface/moon_interface/server.py b/moon_interface/moon_interface/server.py index e53b4504..8b53d7f3 100644 --- a/moon_interface/moon_interface/server.py +++ b/moon_interface/moon_interface/server.py @@ -7,7 +7,7 @@ import logging from python_moonutilities import configuration, exceptions from moon_interface.http_server import HTTPServer -LOG = logging.getLogger("moon.interface") +LOG = logging.getLogger("moon.interface.server") def main(): @@ -23,10 +23,7 @@ def main(): port = 80 configuration.add_component(uuid="interface", name=hostname, port=port, bind=bind) LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) - server = HTTPServer(host=bind, port=port) - # LOG.info("Starting server") - # server = HTTPServer(host="0.0.0.0", port=8081) - return server + return HTTPServer(host=bind, port=port) if __name__ == '__main__': diff --git a/moon_interface/setup.py b/moon_interface/setup.py index 3460c991..db15ff54 100644 --- a/moon_interface/setup.py +++ b/moon_interface/setup.py @@ -21,7 +21,7 @@ setup( description="", - long_description=open('README.rst').read(), + long_description=open('README.md').read(), # install_requires= , diff --git a/moon_interface/tools/run.sh b/moon_interface/tools/run.sh deleted file mode 100644 index d1db1f00..00000000 --- a/moon_interface/tools/run.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/usr/bin/env bash - -http_proxy= /usr/bin/python3 /home/vdsq3226/projets/opnfv/opnfv-moon/moon_interface/tools/api2rst.py -pandoc api.rst --toc -o api.pdf -evince api.pdf diff --git a/moon_manager/Dockerfile b/moon_manager/Dockerfile index 873e3aa2..b5eb4e02 100644 --- a/moon_manager/Dockerfile +++ b/moon_manager/Dockerfile @@ -1,12 +1,8 @@ -FROM ubuntu:latest - -RUN apt update && apt install python3.5 python3-pip -y -RUN pip3 install pip --upgrade +FROM python:3 ADD . /root WORKDIR /root/ RUN pip3 install -r requirements.txt -#RUN pip3 install /root/dist/* --upgrade RUN pip3 install . CMD ["python3", "-m", "moon_manager"]
\ No newline at end of file diff --git a/moon_interface/README.rst b/moon_manager/README.md index ded4e99a..c74ccc28 100644 --- a/moon_interface/README.rst +++ b/moon_manager/README.md @@ -1,5 +1,4 @@ -Core module for the Moon project -================================ +# moon_manager This package contains the core module for the Moon project It is designed to provide authorization features to all OpenStack components. diff --git a/moon_manager/moon_manager/api/containers.py b/moon_manager/moon_manager/api/containers.py deleted file mode 100644 index 6dc50ea5..00000000 --- a/moon_manager/moon_manager/api/containers.py +++ /dev/null @@ -1,178 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. -""" -PDP are Policy Decision Point. - -""" - -import copy -from docker import Client -from flask import request -from flask_restful import Resource -from oslo_log import log as logging -from python_moonutilities.security_functions import check_auth -from python_moonutilities import configuration - -docker_conf = configuration.get_configuration("docker")['docker'] -docker = Client(base_url=docker_conf['url']) - -__version__ = "0.1.0" - -LOG = logging.getLogger("moon.manager.api." + __name__) - - -class Container(Resource): - """ - Endpoint for container requests - """ - - __urls__ = ( - "/containers", - "/containers/", - "/containers/<string:uuid>", - "/containers/<string:uuid>/", - ) - - def __init__(self): - self.containers = {} - self.update() - - def update(self): - for _container in docker.containers(): - if _container['Id'] not in self.containers: - self.containers[_container['Id']] = { - "name": _container["Names"], - "port": _container["Ports"], - } - - @check_auth - def get(self, uuid=None, user_id=None): - """Retrieve all containers - - :param uuid: uuid of the container - :param user_id: user ID who do the request - :return: { - "containers": { - "da0fd80fc1dc146e1b...a2e07d240cde09f0a": { - "name": [ - "/wrapper" - ], - "port": [ - { - "PrivatePort": 8080, - "Type": "tcp", - "IP": "0.0.0.0", - "PublicPort": 8080 - } - ] - }, - } - } - :internal_api: get_containers - """ - # try: - # data = [{"name": item["Names"], "port": item["Ports"], } for item in docker.containers()] - # except Exception as e: - # LOG.error(e, exc_info=True) - # return {"result": False, - # "error": str(e)} - return {"containers": self.containers} - - @check_auth - def post(self, uuid=None, user_id=None): - """Add a new container. - - :param uuid: uuid of the pdp (not used here) - :param user_id: user ID who do the request - :request body: { - "id": "id of the new container", - "name": "name of the new container", - "hostname": "hostname of the new container", - "port": { - "PrivatePort": 8080, - "Type": "tcp", - "IP": "0.0.0.0", - "PublicPort": 8080 - }, - "keystone_project_id": "keystone_project_id1", - "pdp_id": "PDP UUID", - "container_name": "wukongsun/moon_authz:v4.1" - } - :return: { - "containers": { - "da0fd80fc1dc146e1b...a2e07d240cde09f0a": { - "name": [ - "/wrapper" - ], - "port": [ - { - "PrivatePort": 8080, - "Type": "tcp", - "IP": "0.0.0.0", - "PublicPort": 8080 - } - ] - }, - } - } - :internal_api: add_container - """ - try: - self.update() - self.containers[request.json.get('id')] = copy.deepcopy(request.json) - LOG.info("Added a new container {}".format(request.json.get('name'))) - except Exception as e: - LOG.error(e, exc_info=True) - return {"result": False, - "error": str(e)}, 500 - return {"containers": self.containers} - - @check_auth - def delete(self, uuid=None, user_id=None): - """Delete a pdp - - :param uuid: uuid of the pdp to delete - :param user_id: user ID who do the request - :return: { - "result": "True or False", - "message": "optional message" - } - :internal_api: delete_pdp - """ - # try: - # data = PDPManager.delete_pdp(user_id=user_id, pdp_id=uuid) - # except Exception as e: - # LOG.error(e, exc_info=True) - # return {"result": False, - # "error": str(e)} - # return {"result": True} - raise NotImplementedError - - @check_auth - def patch(self, uuid=None, user_id=None): - """Update a pdp - - :param uuid: uuid of the pdp to update - :param user_id: user ID who do the request - :return: { - "pdp_id1": { - "name": "...", - "security_pipeline": [...], - "keystone_project_id": "keystone_project_id1", - "description": "...", - } - } - :internal_api: update_pdp - """ - # try: - # data = PDPManager.update_pdp(user_id=user_id, pdp_id=uuid, value=request.json) - # add_container(uuid=uuid, pipeline=data[uuid]['security_pipeline']) - # except Exception as e: - # LOG.error(e, exc_info=True) - # return {"result": False, - # "error": str(e)} - # return {"pdps": data} - raise NotImplementedError - diff --git a/moon_manager/moon_manager/api/generic.py b/moon_manager/moon_manager/api/generic.py index bd7dcdac..f46bfd35 100644 --- a/moon_manager/moon_manager/api/generic.py +++ b/moon_manager/moon_manager/api/generic.py @@ -21,7 +21,11 @@ class Status(Resource): Endpoint for status requests """ - __urls__ = ("/status", "/status/", "/status/<string:component_id>") + __urls__ = ( + "/status", + "/status/", + "/status/<string:component_id>" + ) def get(self, component_id=None): """Retrieve status of all components @@ -43,7 +47,11 @@ class Logs(Resource): Endpoint for logs requests """ - __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>") + __urls__ = ( + "/logs", + "/logs/", + "/logs/<string:component_id>" + ) def get(self, component_id=None): """Get logs from the Moon platform @@ -83,7 +91,8 @@ class API(Resource): "/api/", "/api/<string:group_id>", "/api/<string:group_id>/", - "/api/<string:group_id>/<string:endpoint_id>") + "/api/<string:group_id>/<string:endpoint_id>" + ) @check_auth def get(self, group_id="", endpoint_id="", user_id=""): diff --git a/moon_manager/moon_manager/api/meta_rules.py b/moon_manager/moon_manager/api/meta_rules.py index ceba0ffb..21552dd7 100644 --- a/moon_manager/moon_manager/api/meta_rules.py +++ b/moon_manager/moon_manager/api/meta_rules.py @@ -23,10 +23,12 @@ class MetaRules(Resource): Endpoint for meta rules requests """ - __urls__ = ("/meta_rules", - "/meta_rules/", - "/meta_rules/<string:meta_rule_id>", - "/meta_rules/<string:meta_rule_id>/") + __urls__ = ( + "/meta_rules", + "/meta_rules/", + "/meta_rules/<string:meta_rule_id>", + "/meta_rules/<string:meta_rule_id>/" + ) @check_auth def get(self, meta_rule_id=None, user_id=None): diff --git a/moon_manager/moon_manager/http_server.py b/moon_manager/moon_manager/http_server.py index 584e71a2..6aa2cd44 100644 --- a/moon_manager/moon_manager/http_server.py +++ b/moon_manager/moon_manager/http_server.py @@ -20,12 +20,20 @@ from moon_manager.api.perimeter import Subjects, Objects, Actions from moon_manager.api.data import SubjectData, ObjectData, ActionData from moon_manager.api.assignments import SubjectAssignments, ObjectAssignments, ActionAssignments from moon_manager.api.rules import Rules -# from moon_manager.api.containers import Container from python_moonutilities import configuration, exceptions from python_moondb.core import PDPManager -LOG = logging.getLogger("moon.manager.http") +LOG = logging.getLogger("moon.manager.http_server") + +__API__ = ( + Status, Logs, API, + MetaRules, SubjectCategories, ObjectCategories, ActionCategories, + Subjects, Objects, Actions, Rules, + SubjectAssignments, ObjectAssignments, ActionAssignments, + SubjectData, ObjectData, ActionData, + Models, Policies, PDP + ) class Server: @@ -71,16 +79,6 @@ class Server: def run(self): raise NotImplementedError() -__API__ = ( - Status, Logs, API, - MetaRules, SubjectCategories, ObjectCategories, ActionCategories, - Subjects, Objects, Actions, - SubjectAssignments, ObjectAssignments, ActionAssignments, - SubjectData, ObjectData, ActionData, - Rules, #Container, - Models, Policies, PDP - ) - class Root(Resource): """ @@ -113,7 +111,7 @@ class HTTPServer(Server): conf = configuration.get_configuration("components/manager") self.manager_hostname = conf["components/manager"].get("hostname", "manager") self.manager_port = conf["components/manager"].get("port", 80) - #Todo : specify only few urls instead of * + # TODO : specify only few urls instead of * CORS(self.app) self.api = Api(self.app) self.__set_route() @@ -133,8 +131,8 @@ class HTTPServer(Server): def __set_route(self): self.api.add_resource(Root, '/') - for api in __API__: - self.api.add_resource(api, *api.__urls__) + for _api in __API__: + self.api.add_resource(_api, *_api.__urls__) @staticmethod def __check_if_db_is_up(): @@ -154,4 +152,3 @@ class HTTPServer(Server): def run(self): self.__check_if_db_is_up() self.app.run(debug=True, host=self._host, port=self._port) # nosec - diff --git a/moon_manager/moon_manager/server.py b/moon_manager/moon_manager/server.py index bcc52cb3..f4c01611 100644 --- a/moon_manager/moon_manager/server.py +++ b/moon_manager/moon_manager/server.py @@ -3,18 +3,15 @@ # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. -import os from oslo_config import cfg from oslo_log import log as logging from python_moonutilities import configuration, exceptions from moon_manager.http_server import HTTPServer -LOG = logging.getLogger("moon.manager") +LOG = logging.getLogger("moon.manager.server") CONF = cfg.CONF DOMAIN = "moon_manager" -__CWD__ = os.path.dirname(os.path.abspath(__file__)) - def main(): configuration.init_logging() @@ -29,8 +26,7 @@ def main(): port = 80 configuration.add_component(uuid="manager", name=hostname, port=port, bind=bind) LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) - server = HTTPServer(host=bind, port=port) - return server + return HTTPServer(host=bind, port=port) if __name__ == '__main__': diff --git a/moon_manager/requirements.txt b/moon_manager/requirements.txt index 15ba715b..e2dd5c96 100644 --- a/moon_manager/requirements.txt +++ b/moon_manager/requirements.txt @@ -3,4 +3,3 @@ flask_restful flask_cors python_moonutilities python_moondb -docker-py diff --git a/moon_manager/setup.py b/moon_manager/setup.py index a6fc5fc7..bd8a70f0 100644 --- a/moon_manager/setup.py +++ b/moon_manager/setup.py @@ -21,7 +21,7 @@ setup( description="", - long_description=open('README.rst').read(), + long_description=open('README.md').read(), # install_requires= , diff --git a/moon_orchestrator/Dockerfile b/moon_orchestrator/Dockerfile index aafe1784..e9f83094 100644 --- a/moon_orchestrator/Dockerfile +++ b/moon_orchestrator/Dockerfile @@ -1,15 +1,8 @@ -FROM ubuntu:latest - -ENV CONSUL_HOST=consul -ENV CONSUL_PORT=8500 - -RUN apt update && apt install python3.5 python3-pip python3-mysql.connector -y -RUN pip3 install pip --upgrade +FROM python:3 ADD . /root WORKDIR /root/ -RUN pip3 install -r requirements.txt --upgrade -#RUN pip3 install /root/dist/* --upgrade -RUN pip3 install . --upgrade +RUN pip3 install -r requirements.txt +RUN pip3 install . CMD ["python3", "-m", "moon_orchestrator"]
\ No newline at end of file diff --git a/moon_orchestrator/README.md b/moon_orchestrator/README.md index d4cdc4fb..aec5cda2 100644 --- a/moon_orchestrator/README.md +++ b/moon_orchestrator/README.md @@ -1,3 +1,4 @@ -# Moon Orchestrator +# moon_orchestrator + Internal orchestrator used for the Moon framework diff --git a/moon_orchestrator/conf/dockers/template.dockerfile b/moon_orchestrator/conf/dockers/template.dockerfile deleted file mode 100644 index 6bb8a0c6..00000000 --- a/moon_orchestrator/conf/dockers/template.dockerfile +++ /dev/null @@ -1,25 +0,0 @@ -# Pull base image. -FROM ubuntu:latest - -{{ proxy }} - -RUN apt-get update && apt-get install python3.5 python3-pip -y - -ADD dist/moon_utilities-0.1.0.tar.gz /root -WORKDIR /root/moon_utilities-0.1.0 -RUN pip3 install pip --upgrade -RUN pip3 install --upgrade -r requirements.txt -RUN pip3 install --upgrade . - -ADD dist/moon_db-0.1.0.tar.gz /root -WORKDIR /root/moon_db-0.1.0 -RUN pip3 install --upgrade -r requirements.txt -RUN pip3 install --upgrade . - -{{ run }} - -{% for port in ports %} -EXPOSE {{ port }} -{% endfor %} - -CMD {{ cmd }} diff --git a/moon_orchestrator/conf/moon.conf b/moon_orchestrator/conf/moon.conf deleted file mode 100644 index 49086d48..00000000 --- a/moon_orchestrator/conf/moon.conf +++ /dev/null @@ -1,84 +0,0 @@ -database: - url: mysql+pymysql://moon:p4sswOrd1@db/moon - driver: sql - -messenger: - url: rabbit://moon:p4sswOrd1@messenger:5672/moon - -docker: - url: tcp://172.88.88.1:2376 - network: moon - -slave: - name: - master: - url: - login: - password: - -openstack: - keystone: - url: http://keystone:5000/v3 - user: admin - password: p4ssw0rd - domain: default - project: admin - check_token: false - certificate: false - -plugins: - authz: - container: wukongsun/moon_authz:v4.1 - session: - container: asteroide/session:latest - -components: - interface: - port: 8081 - hostname: interface - bind: 0.0.0.0 - container: wukongsun/moon_interface:v4.1 - router: - container: wukongsun/moon_router:v4.1 - hostname: router - manager: - container: wukongsun/moon_manager:v4.1 - hostname: manager - orchestrator: - container: wukongsun/moon_orchestrator:v4.1 - hostname: orchestrator - port_start: 38001 - -logging: - version: 1 - - formatters: - brief: - format: "%(levelname)s %(name)s %(message)-30s" - custom: - format: "%(asctime)-15s %(levelname)s %(name)s %(message)s" - - handlers: - console: - class : logging.StreamHandler - formatter: brief - level : INFO - stream : ext://sys.stdout - file: - class : logging.handlers.RotatingFileHandler - formatter: custom - level : DEBUG - filename: /tmp/moon.log - maxBytes: 1048576 - backupCount: 3 - - loggers: - moon: - level: DEBUG - handlers: [console, file] - propagate: no - - root: - level: ERROR - handlers: [console] - diff --git a/moon_orchestrator/conf/plugins/authz.py b/moon_orchestrator/conf/plugins/authz.py deleted file mode 100644 index 4a1441c9..00000000 --- a/moon_orchestrator/conf/plugins/authz.py +++ /dev/null @@ -1,67 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import time -import hashlib -from oslo_config import cfg -from oslo_log import log as logging -import oslo_messaging -from moon_orchestrator.dockers import DockerBase - -LOG = logging.getLogger(__name__) -CONF = cfg.CONF -DOMAIN = "moon_orchestrator" - -__CWD__ = os.path.dirname(os.path.abspath(__file__)) -# TODO (asteroide): select the right template folder -TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") -# TODO (asteroide): add specific configuration options for that plugin - - -class AuthzFunction(DockerBase): - - id = "moon_authz_function" - __build = """RUN mkdir -p /etc/moon/ -COPY conf /etc/moon/ -ADD dist/{py_pkg}.tar.gz /root -WORKDIR /root/{py_pkg} -RUN pip3 install -r requirements.txt -RUN pip3 install . -""" - - def __init__(self, uuid, conf_file="", docker=None, network_config=None): - self.id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest() - super(AuthzFunction, self).__init__( - name="moon_authz", - run_cmd=["python3", "-m", "moon_authz", uuid], - conf_file=conf_file, - docker=docker, - network_config=network_config, - build_cmd=self.__build, - id=self.id, - tag="" - # tag=CONF.security_function.container - ) - # note(asteroide): time to let the new docker boot - time.sleep(3) - # self.get_status() - - def get_status(self): - return True - # transport = oslo_messaging.get_transport(CONF) - # target = oslo_messaging.Target(topic=self.id, version='1.0') - # client = oslo_messaging.RPCClient(transport, target) - # LOG.info("Calling Status on {}".format(self.id)) - # ret = client.call({"component_id": self.id}, 'get_status', args=None) - # LOG.info(ret) - # return ret - - -def run(uuid, conf_file="", docker=None, network_config=None): - return AuthzFunction(uuid, - conf_file=conf_file, - docker=docker, - network_config=network_config) diff --git a/moon_orchestrator/conf/plugins/session.py b/moon_orchestrator/conf/plugins/session.py deleted file mode 100644 index 6fa2cfe2..00000000 --- a/moon_orchestrator/conf/plugins/session.py +++ /dev/null @@ -1,67 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. - -import os -import time -import hashlib -from oslo_config import cfg -from oslo_log import log as logging -import oslo_messaging -from moon_orchestrator.dockers import DockerBase - -LOG = logging.getLogger(__name__) -CONF = cfg.CONF -DOMAIN = "moon_orchestrator" - -__CWD__ = os.path.dirname(os.path.abspath(__file__)) -# TODO (asteroide): select the right template folder -TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") -# TODO (asteroide): add specific configuration options for that plugin - - -class AuthzFunction(DockerBase): - - id = "moon_session_function" - __build = """RUN mkdir -p /etc/moon/ -COPY conf /etc/moon/ -ADD dist/{py_pkg}.tar.gz /root -WORKDIR /root/{py_pkg} -RUN pip3 install -r requirements.txt -RUN pip3 install . -""" - - def __init__(self, uuid, conf_file="", docker=None, network_config=None): - self.id = "session_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest() - super(AuthzFunction, self).__init__( - name="moon_authz", - run_cmd=["python3", "-m", "moon_authz", uuid], - conf_file=conf_file, - docker=docker, - network_config=network_config, - build_cmd=self.__build, - id=self.id, - tag="" - # tag=CONF.security_function.container - ) - # note(asteroide): time to let the new docker boot - time.sleep(3) - # self.get_status() - - def get_status(self): - return True - # transport = oslo_messaging.get_transport(CONF) - # target = oslo_messaging.Target(topic=self.id, version='1.0') - # client = oslo_messaging.RPCClient(transport, target) - # LOG.info("Calling Status on {}".format(self.id)) - # ret = client.call({"component_id": self.id}, 'get_status', args=None) - # LOG.info(ret) - # return ret - - -def run(uuid, conf_file="", docker=None, network_config=None): - return AuthzFunction(uuid, - conf_file=conf_file, - docker=docker, - network_config=network_config) diff --git a/moon_orchestrator/conf/policies/policy_authz/assignment.json b/moon_orchestrator/conf/policies/policy_authz/assignment.json deleted file mode 100644 index 7a6c722e..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/assignment.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "subject_assignments": { - "subject_security_level":{ - "admin": ["high"], - "demo": ["medium"] - }, - "domain":{ - "admin": ["ft"], - "demo": ["xx"] - }, - "role": { - "admin": ["admin"], - "demo": ["dev"] - } - }, - - "action_assignments": { - "resource_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"], - "list": ["vm_access", "vm_admin"], - "create": ["vm_admin"], - "storage_list": ["storage_access"], - "download": ["storage_access"], - "post": ["storage_admin"], - "upload": ["storage_admin"] - }, - "access": { - "pause": ["write"], - "unpause": ["write"], - "start": ["write"], - "stop": ["write"], - "list": ["read"], - "create": ["write"], - "storage_list": ["read"], - "download": ["read"], - "post": ["write"], - "upload": ["write"] - } - }, - - "object_assignments": { - "object_security_level": { - "servers": ["low"] - }, - "type": { - "servers": ["computing"] - }, - "object_id": { - "servers": ["servers"] - } - } -} diff --git a/moon_orchestrator/conf/policies/policy_authz/metadata.json b/moon_orchestrator/conf/policies/policy_authz/metadata.json deleted file mode 100644 index 21a99eb2..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/metadata.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "name": "Simple_Policy", - "genre": "authz", - "description": "Simple Security Policy", - "pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"], - - "subject_categories": [ - "subject_security_level", - "domain", - "role" - ], - - "action_categories": [ - "resource_action", - "access" - ], - - "object_categories": [ - "object_security_level", - "type", - "object_id" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_authz/metarule.json b/moon_orchestrator/conf/policies/policy_authz/metarule.json deleted file mode 100644 index c9afd6c2..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/metarule.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": ["subject_security_level"], - "action_categories": ["resource_action"], - "object_categories": ["object_security_level"], - "algorithm": "inclusion" - }, - "dte_rule": { - "subject_categories": ["domain"], - "action_categories": ["access"], - "object_categories": ["type"], - "algorithm": "inclusion" - }, - "rbac_rule": { - "subject_categories": ["role", "domain"], - "action_categories": ["access"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/moon_orchestrator/conf/policies/policy_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_authz/perimeter.json deleted file mode 100644 index 47a8ee45..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/perimeter.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "pause", - "unpause", - "start", - "stop", - "create", - "list", - "upload", - "download", - "post", - "storage_list" - ], - "objects": [ - "servers" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_authz/rule.json b/moon_orchestrator/conf/policies/policy_authz/rule.json deleted file mode 100644 index 25f9d93a..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/rule.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "mls_rule":[ - ["high", "vm_admin", "medium"], - ["high", "vm_admin", "low"], - ["medium", "vm_admin", "low"], - ["high", "vm_access", "high"], - ["high", "vm_access", "medium"], - ["high", "vm_access", "low"], - ["medium", "vm_access", "medium"], - ["medium", "vm_access", "low"], - ["low", "vm_access", "low"] - ], - "dte_rule":[ - ["ft", "read", "computing"], - ["ft", "write", "computing"], - ["ft", "read", "storage"], - ["ft", "write", "storage"], - ["xx", "read", "storage"] - ], - "rbac_rule":[ - ["dev", "xx", "read", "servers"], - ["admin", "xx", "read", "servers"], - ["admin", "ft", "read", "servers"] - ] -} diff --git a/moon_orchestrator/conf/policies/policy_authz/scope.json b/moon_orchestrator/conf/policies/policy_authz/scope.json deleted file mode 100644 index 9b313daf..00000000 --- a/moon_orchestrator/conf/policies/policy_authz/scope.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "admin", - "dev" - ], - "subject_security_level": [ - "high", - "medium", - "low" - ], - "domain": [ - "ft", - "xx" - ] - }, - - "action_scopes": { - "resource_action": [ - "vm_admin", - "vm_access", - "storage_admin", - "storage_access" - ], - "access": [ - "write", - "read" - ] - }, - - "object_scopes": { - "object_security_level": [ - "high", - "medium", - "low" - ], - "type": [ - "computing", - "storage" - ], - "object_id": [ - "servers", - "vm1", - "vm2", - "file1", - "file2" - ] - } -} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json b/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json deleted file mode 100644 index 24018a09..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_assignments": {}, - - "action_assignments": {}, - - "object_assignments": {} -} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json b/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json deleted file mode 100644 index 3c9be2e5..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "Empty_Policy", - "model": "", - "genre": "admin", - "description": "Empty Policy", - - "subject_categories": [], - - "action_categories": [], - - "object_categories": [] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json b/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json deleted file mode 100644 index 7acd8848..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": [], - "action_categories": [], - "object_categories": [], - "algorithm": "" - } - }, - "aggregation": "" -} - diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json deleted file mode 100644 index 54dbfc31..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subjects": [], - "actions": [ - "read", - "write" - ], - "objects": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/rule.json b/moon_orchestrator/conf/policies/policy_empty_admin/rule.json deleted file mode 100644 index fe4fae5a..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/rule.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mls_rule":[] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_admin/scope.json b/moon_orchestrator/conf/policies/policy_empty_admin/scope.json deleted file mode 100644 index 1efebe6f..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_admin/scope.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_scopes": {}, - - "action_scopes": {}, - - "object_scopes": {} -} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json b/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json deleted file mode 100644 index 24018a09..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_assignments": {}, - - "action_assignments": {}, - - "object_assignments": {} -} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json b/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json deleted file mode 100644 index 4f300d78..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "MLS_Policy", - "model": "MLS", - "genre": "authz", - "description": "Multi Level Security Policy", - - "subject_categories": [], - - "action_categories": [], - - "object_categories": [] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json b/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json deleted file mode 100644 index 7acd8848..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": [], - "action_categories": [], - "object_categories": [], - "algorithm": "" - } - }, - "aggregation": "" -} - diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json deleted file mode 100644 index 9da8a8c0..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "subjects": [], - "actions": [], - "objects": [] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/rule.json b/moon_orchestrator/conf/policies/policy_empty_authz/rule.json deleted file mode 100644 index fe4fae5a..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/rule.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mls_rule":[] -} diff --git a/moon_orchestrator/conf/policies/policy_empty_authz/scope.json b/moon_orchestrator/conf/policies/policy_empty_authz/scope.json deleted file mode 100644 index 1efebe6f..00000000 --- a/moon_orchestrator/conf/policies/policy_empty_authz/scope.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_scopes": {}, - - "action_scopes": {}, - - "object_scopes": {} -} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json deleted file mode 100644 index 0712dfbc..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "subject_assignments": { - "subject_security_level":{ - "admin": ["high"], - "demo": ["medium"] - } - }, - - "action_assignments": { - "resource_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"], - "list": ["vm_access", "vm_admin"], - "create": ["vm_admin"], - "storage_list": ["storage_access"], - "download": ["storage_access"], - "post": ["storage_admin"], - "upload": ["storage_admin"] - } - }, - - "object_assignments": { - "object_security_level": { - "servers": ["low"] - } - } -} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json deleted file mode 100644 index c419c815..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "MLS_Policy", - "model": "MLS", - "genre": "authz", - "description": "Multi Level Security Policy", - - "subject_categories": [ - "subject_security_level" - ], - - "action_categories": [ - "resource_action" - ], - - "object_categories": [ - "object_security_level" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json deleted file mode 100644 index e068927c..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": ["subject_security_level"], - "action_categories": ["resource_action"], - "object_categories": ["object_security_level"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json deleted file mode 100644 index 47a8ee45..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "pause", - "unpause", - "start", - "stop", - "create", - "list", - "upload", - "download", - "post", - "storage_list" - ], - "objects": [ - "servers" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moon_orchestrator/conf/policies/policy_mls_authz/rule.json deleted file mode 100644 index b17dc822..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/rule.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "mls_rule":[ - ["high", "vm_admin", "medium"], - ["high", "vm_admin", "low"], - ["medium", "vm_admin", "low"], - ["high", "vm_access", "medium"], - ["high", "vm_access", "low"], - ["medium", "vm_access", "low"], - ["high", "storage_admin", "medium"], - ["high", "storage_admin", "low"], - ["medium", "storage_admin", "low"], - ["high", "storage_access", "medium"], - ["high", "storage_access", "low"], - ["medium", "storage_access", "low"] - ] -} diff --git a/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moon_orchestrator/conf/policies/policy_mls_authz/scope.json deleted file mode 100644 index 6cc1c28e..00000000 --- a/moon_orchestrator/conf/policies/policy_mls_authz/scope.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "subject_scopes": { - "subject_security_level": [ - "high", - "medium", - "low" - ] - }, - - "action_scopes": { - "resource_action": [ - "vm_admin", - "vm_access", - "storage_admin", - "storage_access" - ] - }, - - "object_scopes": { - "object_security_level": [ - "high", - "medium", - "low" - ] - } -} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json deleted file mode 100644 index f2378333..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "subject_assignments": { - "role": { - "admin": ["root_role"], - "demo": ["dev_role"] - } - }, - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - "object_assignments": { - "object_id": { - "authz.subjects": ["authz.subjects"], - "authz.objects": ["authz.objects"], - "authz.actions": ["authz.actions"], - "authz.subject_categories": ["authz.subject_categories"], - "authz.object_categories": ["authz.object_categories"], - "authz.action_categories": ["authz.action_categories"], - "authz.subject_scopes": ["authz.subject_scopes"], - "authz.object_scopes": ["authz.object_scopes"], - "authz.action_scopes": ["authz.action_scopes"], - "authz.subject_assignments": ["authz.subject_assignments"], - "authz.object_assignments": ["authz.object_assignments"], - "authz.action_assignments": ["authz.action_assignments"], - "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], - "authz.sub_meta_rules": ["authz.sub_meta_rules"], - "authz.rules": ["authz.rules"], - "admin.subjects": ["admin.subjects"], - "admin.objects": ["admin.objects"], - "admin.actions": ["admin.actions"], - "admin.subject_categories": ["admin.subject_categories"], - "admin.object_categories": ["admin.object_categories"], - "admin.action_categories": ["admin.action_categories"], - "admin.subject_scopes": ["admin.subject_scopes"], - "admin.object_scopes": ["admin.object_scopes"], - "admin.action_scopes": ["admin.action_scopes"], - "admin.subject_assignments": ["admin.subject_assignments"], - "admin.object_assignments": ["admin.object_assignments"], - "admin.action_assignments": ["admin.action_assignments"], - "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], - "admin.sub_meta_rules": ["admin.sub_meta_rules"], - "admin.rules": ["admin.rules"] - } - } -} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json deleted file mode 100644 index 9ee8a11d..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "RBAC Admin Policy", - "model": "RBAC", - "genre": "admin", - "description": "", - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json deleted file mode 100644 index 1155533e..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json deleted file mode 100644 index c89ceff3..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "rbac_rule":[ - ["root_role" , "read", "authz.subjects"], - ["root_role" , "read", "authz.objects"], - ["root_role" , "read", "authz.actions"], - ["root_role" , "read", "authz.subject_categories"], - ["root_role" , "read", "authz.object_categories"], - ["root_role" , "read", "authz.action_categories"], - ["root_role" , "read", "authz.subject_scopes"], - ["root_role" , "read", "authz.object_scopes"], - ["root_role" , "read", "authz.action_scopes"], - ["root_role" , "read", "authz.subject_assignments"], - ["root_role" , "read", "authz.object_assignments"], - ["root_role" , "read", "authz.action_assignments"], - ["root_role" , "read", "authz.aggregation_algorithm"], - ["root_role" , "read", "authz.sub_meta_rules"], - ["root_role" , "read", "authz.rules"], - ["root_role" , "write", "authz.subjects"], - ["root_role" , "write", "authz.objects"], - ["root_role" , "write", "authz.actions"], - ["root_role" , "write", "authz.subject_categories"], - ["root_role" , "write", "authz.object_categories"], - ["root_role" , "write", "authz.action_categories"], - ["root_role" , "write", "authz.subject_scopes"], - ["root_role" , "write", "authz.object_scopes"], - ["root_role" , "write", "authz.action_scopes"], - ["root_role" , "write", "authz.subject_assignments"], - ["root_role" , "write", "authz.object_assignments"], - ["root_role" , "write", "authz.action_assignments"], - ["root_role" , "write", "authz.aggregation_algorithm"], - ["root_role" , "write", "authz.sub_meta_rules"], - ["root_role" , "write", "authz.rules"], - ["root_role" , "read", "admin.subjects"], - ["root_role" , "read", "admin.objects"], - ["root_role" , "read", "admin.actions"], - ["root_role" , "read", "admin.subject_categories"], - ["root_role" , "read", "admin.object_categories"], - ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_scopes"], - ["root_role" , "read", "admin.object_scopes"], - ["root_role" , "read", "admin.action_scopes"], - ["root_role" , "read", "admin.subject_assignments"], - ["root_role" , "read", "admin.object_assignments"], - ["root_role" , "read", "admin.action_assignments"], - ["root_role" , "read", "admin.aggregation_algorithm"], - ["root_role" , "read", "admin.sub_meta_rules"], - ["root_role" , "read", "admin.rules"], - ["root_role" , "write", "admin.subjects"], - ["root_role" , "write", "admin.objects"], - ["root_role" , "write", "admin.actions"], - ["root_role" , "write", "admin.subject_categories"], - ["root_role" , "write", "admin.object_categories"], - ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_scopes"], - ["root_role" , "write", "admin.object_scopes"], - ["root_role" , "write", "admin.action_scopes"], - ["root_role" , "write", "admin.subject_assignments"], - ["root_role" , "write", "admin.object_assignments"], - ["root_role" , "write", "admin.action_assignments"], - ["root_role" , "write", "admin.aggregation_algorithm"], - ["root_role" , "write", "admin.sub_meta_rules"], - ["root_role" , "write", "admin.rules"], - ["dev_role" , "read", "authz.subjects"], - ["dev_role" , "read", "authz.objects"], - ["dev_role" , "read", "authz.actions"], - ["dev_role" , "read", "authz.subject_categories"], - ["dev_role" , "read", "authz.object_categories"], - ["dev_role" , "read", "authz.action_categories"], - ["dev_role" , "read", "authz.subject_scopes"], - ["dev_role" , "read", "authz.object_scopes"], - ["dev_role" , "read", "authz.action_scopes"], - ["dev_role" , "read", "authz.subject_assignments"], - ["dev_role" , "read", "authz.object_assignments"], - ["dev_role" , "read", "authz.action_assignments"], - ["dev_role" , "read", "authz.aggregation_algorithm"], - ["dev_role" , "read", "authz.sub_meta_rules"], - ["dev_role" , "read", "authz.rules"], - ["dev_role" , "read", "admin.subjects"], - ["dev_role" , "read", "admin.objects"], - ["dev_role" , "read", "admin.actions"], - ["dev_role" , "read", "admin.subject_categories"], - ["dev_role" , "read", "admin.object_categories"], - ["dev_role" , "read", "admin.action_categories"], - ["dev_role" , "read", "admin.subject_scopes"], - ["dev_role" , "read", "admin.object_scopes"], - ["dev_role" , "read", "admin.action_scopes"], - ["dev_role" , "read", "admin.subject_assignments"], - ["dev_role" , "read", "admin.object_assignments"], - ["dev_role" , "read", "admin.action_assignments"], - ["dev_role" , "read", "admin.aggregation_algorithm"], - ["dev_role" , "read", "admin.sub_meta_rules"], - ["dev_role" , "read", "admin.rules"] - ] -} diff --git a/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json deleted file mode 100644 index 149056a6..00000000 --- a/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "root_role", - "dev_role" - ] - }, - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - "object_scopes": { - "object_id": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] - } -} diff --git a/moon_orchestrator/conf/policies/policy_root/assignment.json b/moon_orchestrator/conf/policies/policy_root/assignment.json deleted file mode 100644 index e849ae13..00000000 --- a/moon_orchestrator/conf/policies/policy_root/assignment.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subject_assignments": { - "role": { - "admin": ["root_role"] - } - }, - - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - - "object_assignments": { - "object_id": { - "templates": ["templates"], - "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"], - "aggregation_algorithms": ["aggregation_algorithms"], - "tenants": ["tenants"], - "intra_extensions": ["intra_extensions"], - "admin.subjects": ["admin.subjects"], - "admin.objects": ["admin.objects"], - "admin.actions": ["admin.actions"], - "admin.subject_categories": ["admin.subject_categories"], - "admin.object_categories": ["admin.object_categories"], - "admin.action_categories": ["admin.action_categories"], - "admin.subject_category_scopes": ["admin.subject_category_scopes"], - "admin.object_category_scopes": ["admin.object_category_scopes"], - "admin.action_category_scopes": ["admin.action_category_scopes"], - "admin.subject_assignments": ["admin.subject_assignments"], - "admin.object_assignments": ["admin.object_assignments"], - "admin.action_assignments": ["admin.action_assignments"], - "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], - "admin.sub_meta_rules": ["admin.sub_meta_rules"], - "admin.rules": ["admin.rules"] - } - } -} diff --git a/moon_orchestrator/conf/policies/policy_root/metadata.json b/moon_orchestrator/conf/policies/policy_root/metadata.json deleted file mode 100644 index 9dd7a928..00000000 --- a/moon_orchestrator/conf/policies/policy_root/metadata.json +++ /dev/null @@ -1,19 +0,0 @@ -{ - "name": "Root Policy", - "model": "RBAC", - "genre": "admin", - "description": "root extension", - "pdp_pipeline": ["authz:rbac_rule"], - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_root/metarule.json b/moon_orchestrator/conf/policies/policy_root/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/moon_orchestrator/conf/policies/policy_root/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/moon_orchestrator/conf/policies/policy_root/perimeter.json b/moon_orchestrator/conf/policies/policy_root/perimeter.json deleted file mode 100644 index 788a27f2..00000000 --- a/moon_orchestrator/conf/policies/policy_root/perimeter.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "subjects": [ - "admin" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/moon_orchestrator/conf/policies/policy_root/rule.json b/moon_orchestrator/conf/policies/policy_root/rule.json deleted file mode 100644 index 9bbd5e4c..00000000 --- a/moon_orchestrator/conf/policies/policy_root/rule.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "rbac_rule":[ - ["root_role" , "read", "templates"], - ["root_role" , "read", "aggregation_algorithms"], - ["root_role" , "read", "sub_meta_rule_algorithms"], - ["root_role" , "read", "tenants"], - ["root_role" , "read", "intra_extensions"], - ["root_role" , "write", "templates"], - ["root_role" , "write", "aggregation_algorithms"], - ["root_role" , "write", "sub_meta_rule_algorithms"], - ["root_role" , "write", "tenants"], - ["root_role" , "write", "intra_extensions"], - ["root_role" , "read", "admin.subjects"], - ["root_role" , "read", "admin.objects"], - ["root_role" , "read", "admin.actions"], - ["root_role" , "read", "admin.subject_categories"], - ["root_role" , "read", "admin.object_categories"], - ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_category_scopes"], - ["root_role" , "read", "admin.object_category_scopes"], - ["root_role" , "read", "admin.action_category_scopes"], - ["root_role" , "read", "admin.subject_assignments"], - ["root_role" , "read", "admin.object_assignments"], - ["root_role" , "read", "admin.action_assignments"], - ["root_role" , "read", "admin.aggregation_algorithm"], - ["root_role" , "read", "admin.sub_meta_rules"], - ["root_role" , "read", "admin.rules"], - ["root_role" , "write", "admin.subjects"], - ["root_role" , "write", "admin.objects"], - ["root_role" , "write", "admin.actions"], - ["root_role" , "write", "admin.subject_categories"], - ["root_role" , "write", "admin.object_categories"], - ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_category_scopes"], - ["root_role" , "write", "admin.object_category_scopes"], - ["root_role" , "write", "admin.action_category_scopes"], - ["root_role" , "write", "admin.subject_assignments"], - ["root_role" , "write", "admin.object_assignments"], - ["root_role" , "write", "admin.action_assignments"], - ["root_role" , "write", "admin.aggregation_algorithm"], - ["root_role" , "write", "admin.sub_meta_rules"], - ["root_role" , "write", "admin.rules"] - ] -} diff --git a/moon_orchestrator/conf/policies/policy_root/scope.json b/moon_orchestrator/conf/policies/policy_root/scope.json deleted file mode 100644 index 43f9ced8..00000000 --- a/moon_orchestrator/conf/policies/policy_root/scope.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "root_role" - ] - }, - - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - - "object_scopes": { - "object_id": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] - } -} diff --git a/moon_orchestrator/moon_orchestrator/http_server.py b/moon_orchestrator/moon_orchestrator/http_server.py index e6a5ee57..62d785a2 100644 --- a/moon_orchestrator/moon_orchestrator/http_server.py +++ b/moon_orchestrator/moon_orchestrator/http_server.py @@ -18,7 +18,11 @@ from python_moonutilities import configuration, exceptions from python_moonutilities.misc import get_random_name from moon_orchestrator.drivers import get_driver -LOG = logging.getLogger("moon.orchestrator.http") +LOG = logging.getLogger("moon.orchestrator.http_server") + +__API__ = ( + Status, Logs + ) class Server: @@ -64,10 +68,6 @@ class Server: def run(self): raise NotImplementedError() -__API__ = ( - Status, Logs - ) - class Root(Resource): """ diff --git a/moon_orchestrator/moon_orchestrator/server.py b/moon_orchestrator/moon_orchestrator/server.py index 0cbd535a..ea1a0fbc 100644 --- a/moon_orchestrator/moon_orchestrator/server.py +++ b/moon_orchestrator/moon_orchestrator/server.py @@ -8,11 +8,9 @@ import logging from python_moonutilities import configuration, exceptions from moon_orchestrator.http_server import HTTPServer -LOG = logging.getLogger("moon.orchestrator") +LOG = logging.getLogger("moon.orchestrator.server") DOMAIN = "moon_orchestrator" -__CWD__ = os.path.dirname(os.path.abspath(__file__)) - def main(): configuration.init_logging() @@ -27,8 +25,7 @@ def main(): port = 80 configuration.add_component(uuid="orchestrator", name=hostname, port=port, bind=bind) LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) - server = HTTPServer(host=bind, port=port) - return server + return HTTPServer(host=bind, port=port) if __name__ == '__main__': diff --git a/moon_wrapper/Dockerfile b/moon_wrapper/Dockerfile index 55e7208d..77ffaee9 100644 --- a/moon_wrapper/Dockerfile +++ b/moon_wrapper/Dockerfile @@ -1,12 +1,8 @@ -FROM ubuntu:latest - -RUN apt update && apt install python3.5 python3-pip -y -RUN pip3 install pip --upgrade +FROM python:3 ADD . /root WORKDIR /root/ -RUN pip3 install -r requirements.txt --upgrade -RUN pip3 install /root/dist/* --upgrade +RUN pip3 install -r requirements.txt RUN pip3 install . CMD ["python3", "-m", "moon_wrapper"] diff --git a/moon_wrapper/README.md b/moon_wrapper/README.md index 4e8fd05c..cdd043a9 100644 --- a/moon_wrapper/README.md +++ b/moon_wrapper/README.md @@ -1,5 +1,4 @@ -Wrapper module for the Moon project -=================================== +# moon_wrapper This package contains the core module for the Moon project It is designed to provide authorization features to all OpenStack components. diff --git a/moon_wrapper/moon_wrapper/api/wrapper.py b/moon_wrapper/moon_wrapper/api/oslowrapper.py index e1ce783a..a422ee42 100644 --- a/moon_wrapper/moon_wrapper/api/wrapper.py +++ b/moon_wrapper/moon_wrapper/api/oslowrapper.py @@ -19,14 +19,14 @@ __version__ = "0.1.0" LOG = logging.getLogger("moon.wrapper.api." + __name__) -class Wrapper(Resource): +class OsloWrapper(Resource): """ Endpoint for authz requests """ __urls__ = ( - "/authz", - "/authz/", + "/authz/oslo", + "/authz/oslo/", ) def __init__(self, **kwargs): @@ -34,10 +34,6 @@ class Wrapper(Resource): self.CACHE = kwargs.get("cache", {}) self.TIMEOUT = 5 - # def get(self): - # LOG.info("GET") - # return self.manage_data() - def post(self): LOG.debug("POST {}".format(request.form)) response = flask.make_response("False") @@ -101,6 +97,7 @@ class Wrapper(Resource): rule = data.get('rule', "") _subject = self.__get_subject(target, credentials) _object = self.__get_object(target, credentials) + _action = rule _project_id = self.__get_project_id(target, credentials) LOG.debug("POST with args project={} / " "subject={} - object={} - action={}".format( @@ -112,7 +109,7 @@ class Wrapper(Resource): _project_id, _subject, _object, - rule + _action )) LOG.debug("Get interface {}".format(req.text)) if req.status_code == 200: diff --git a/moon_wrapper/moon_wrapper/http_server.py b/moon_wrapper/moon_wrapper/http_server.py index 1b429bc5..8027a0d3 100644 --- a/moon_wrapper/moon_wrapper/http_server.py +++ b/moon_wrapper/moon_wrapper/http_server.py @@ -8,15 +8,19 @@ from flask_restful import Resource, Api import logging from moon_wrapper import __version__ from moon_wrapper.api.generic import Status, Logs, API -from moon_wrapper.api.wrapper import Wrapper +from moon_wrapper.api.oslowrapper import OsloWrapper from python_moonutilities.cache import Cache from python_moonutilities import configuration, exceptions -logger = logging.getLogger("moon.wrapper.http") +logger = logging.getLogger("moon.wrapper.http_server") CACHE = Cache() +__API__ = ( + Status, Logs, API + ) + class Server: """Base class for HTTP server""" @@ -61,10 +65,6 @@ class Server: def run(self): raise NotImplementedError() -__API__ = ( - Status, Logs, API - ) - class Root(Resource): """ @@ -127,7 +127,7 @@ class HTTPServer(Server): for api in __API__: self.api.add_resource(api, *api.__urls__) - self.api.add_resource(Wrapper, *Wrapper.__urls__, + self.api.add_resource(OsloWrapper, *OsloWrapper.__urls__, resource_class_kwargs={ "orchestrator_url": self.orchestrator_url, "cache": CACHE, @@ -136,5 +136,4 @@ class HTTPServer(Server): def run(self): self.app.run(host=self._host, port=self._port) # nosec - # self.app.run(debug=True, host=self._host, port=self._port) # nosec diff --git a/moon_wrapper/moon_wrapper/server.py b/moon_wrapper/moon_wrapper/server.py index 2f236c4f..280fdb68 100644 --- a/moon_wrapper/moon_wrapper/server.py +++ b/moon_wrapper/moon_wrapper/server.py @@ -7,7 +7,7 @@ import logging from python_moonutilities import configuration, exceptions from moon_wrapper.http_server import HTTPServer -LOG = logging.getLogger("moon.wrapper") +LOG = logging.getLogger("moon.wrapper.server") def main(): @@ -24,8 +24,7 @@ def main(): port = 80 configuration.add_component(uuid="wrapper", name=hostname, port=port, bind=bind) LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind)) - server = HTTPServer(host=bind, port=port) - return server + return HTTPServer(host=bind, port=port) if __name__ == '__main__': diff --git a/python_moonclient/README.md b/python_moonclient/README.md index d1ebc786..1a9731e7 100644 --- a/python_moonclient/README.md +++ b/python_moonclient/README.md @@ -1,4 +1,4 @@ -# python-moonclient Package +# python-moonclient This package contains the core module for the Moon project. It is designed to provide authorization feature to all OpenStack components. @@ -11,13 +11,13 @@ python_moonutilities is a common Python lib for other Moon Python packages ## Build ### Build Python Package ```bash -cd ${MOON_HOME}/moonv4/python_moonclient +cd ${MOON_HOME}/python_moonclient python3 setup.py sdist bdist_wheel ``` ### Push Python Package to PIP ```bash -cd ${MOON_HOME}/moonv4/python_moonclient +cd ${MOON_HOME}/python_moonclient gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonclient-X.Y.Z-py3-none-any.whl gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonclient-X.Y.Z.tar.gz twine upload dist/python_moonclient-X.Y.Z-py3-none-any.whl dist/python_moonclient-X.Y.Z-py3-none-any.whl.asc @@ -28,6 +28,6 @@ twine upload dist/python_moonclient-X.Y.Z.tar.gz dist/python_moonclient-X.Y.Z.ta ### Python Unit Test launch Docker for Python unit tests ```bash -cd ${MOON_HOME}/moonv4/python_moonclient +cd ${MOON_HOME}/python_moonclient docker run --rm --volume $(pwd):/data wukongsun/moon_python_unit_test:latest ``` diff --git a/python_moonclient/python_moonclient/authz.py b/python_moonclient/python_moonclient/authz.py index 9458767e..b90bf00f 100644 --- a/python_moonclient/python_moonclient/authz.py +++ b/python_moonclient/python_moonclient/authz.py @@ -13,7 +13,7 @@ HOST_KEYSTONE = None PORT_KEYSTONE = None lock = threading.Lock() -logger = logging.getLogger(__name__) +logger = logging.getLogger("moonclient.authz") def _construct_payload(creds, current_rule, enforcer, target): @@ -122,7 +122,7 @@ def send_requests(scenario, authz_host, authz_port, keystone_project_id, request while request_cpt < limit: rule = (random.choice(SUBJECTS), random.choice(OBJECTS), random.choice(ACTIONS)) if destination.lower() == "wrapper": - url = "http://{}:{}/authz".format(authz_host, authz_port) + url = "http://{}:{}/authz/oslo".format(authz_host, authz_port) data = { 'target': { "user_id": random.choice(SUBJECTS), diff --git a/python_moonclient/python_moonclient/parse.py b/python_moonclient/python_moonclient/parse.py index 8960c41c..d31b3ebd 100644 --- a/python_moonclient/python_moonclient/parse.py +++ b/python_moonclient/python_moonclient/parse.py @@ -2,7 +2,7 @@ import logging import argparse -logger = logging.getLogger("python_moonclient.utils.parse") +logger = logging.getLogger("python_moonclient.parse") def parse(): diff --git a/python_moonclient/python_moonclient/pdp.py b/python_moonclient/python_moonclient/pdp.py index e628fe17..6841a276 100644 --- a/python_moonclient/python_moonclient/pdp.py +++ b/python_moonclient/python_moonclient/pdp.py @@ -3,7 +3,8 @@ import logging import requests from python_moonclient import config -logger = logging.getLogger("python_moonclient.utils.pdp") +logger = logging.getLogger("python_moonclient.pdp") + URL = None HEADERS = None KEYSTONE_USER = None @@ -11,8 +12,6 @@ KEYSTONE_PASSWORD = None KEYSTONE_PROJECT = None KEYSTONE_SERVER = None -# config = utils.config.get_config_data() - pdp_template = { "name": "test_pdp", diff --git a/python_moonclient/python_moonclient/policies.py b/python_moonclient/python_moonclient/policies.py index 80210811..0fae63c2 100644 --- a/python_moonclient/python_moonclient/policies.py +++ b/python_moonclient/python_moonclient/policies.py @@ -2,12 +2,10 @@ import logging import requests from . import config, models -logger = logging.getLogger("moonclient.models") +logger = logging.getLogger("moonclient.policies") URL = None HEADERS = None -FILE = open("/tmp/test.log", "w") -logger = logging.getLogger("utils.policies") policy_template = { "name": "test_policy", diff --git a/python_moonclient/python_moonclient/scripts.py b/python_moonclient/python_moonclient/scripts.py index 30759743..c880e497 100644 --- a/python_moonclient/python_moonclient/scripts.py +++ b/python_moonclient/python_moonclient/scripts.py @@ -3,7 +3,7 @@ from importlib.machinery import SourceFileLoader from . import parse, models, policies, pdp, authz -logger = logging.getLogger("python_moonclient.scripts") +logger = logging.getLogger("moonclient.scripts") def get_keystone_projects(): diff --git a/python_moonclient/setup.py b/python_moonclient/setup.py index 1c3ddb80..709e3ffa 100644 --- a/python_moonclient/setup.py +++ b/python_moonclient/setup.py @@ -9,6 +9,7 @@ import python_moonclient with open('requirements.txt') as f: required = f.read().splitlines() + setup( name='python-moonclient', @@ -42,12 +43,12 @@ setup( entry_points={ 'console_scripts': [ 'moon_get_keystone_projects = python_moonclient.scripts:get_keystone_projects', - 'moon_create_pdp = python_moonclient.scripts:create_pdp', 'moon_get_pdp = python_moonclient.scripts:get_pdp', - 'moon_send_authz_to_wrapper = python_moonclient.scripts:send_authz_to_wrapper', + 'moon_create_pdp = python_moonclient.scripts:create_pdp', 'moon_delete_pdp = python_moonclient.scripts:delete_pdp', 'moon_delete_policy = python_moonclient.scripts:delete_policy', - 'moon_map_pdp_to_project = python_moonclient.scripts:map_pdp_to_project' + 'moon_map_pdp_to_project = python_moonclient.scripts:map_pdp_to_project', + 'moon_send_authz_to_wrapper = python_moonclient.scripts:send_authz_to_wrapper' ], } diff --git a/python_moondb/python_moondb/backends/sql.py b/python_moondb/python_moondb/backends/sql.py index 5dba8eb2..b4a8531f 100644 --- a/python_moondb/python_moondb/backends/sql.py +++ b/python_moondb/python_moondb/backends/sql.py @@ -1815,61 +1815,3 @@ class ModelConnector(BaseConnector, ModelDriver): class SQLConnector(PDPConnector, PolicyConnector, ModelConnector): pass - -# class InterExtension(Base): -# __tablename__ = 'inter_extension' -# attributes = [ -# 'id', -# 'requesting_intra_extension_id', -# 'requested_intra_extension_id', -# 'virtual_entity_uuid', -# 'genre', -# 'description', -# ] -# id = sql.Column(sql.String(64), primary_key=True) -# requesting_intra_extension_id = sql.Column(sql.String(64)) -# requested_intra_extension_id = sql.Column(sql.String(64)) -# virtual_entity_uuid = sql.Column(sql.String(64)) -# genre = sql.Column(sql.String(64)) -# description = sql.Column(sql.Text()) -# -# @classmethod -# def from_dict(cls, d): -# """Override parent from_dict() method with a simpler implementation. -# """ -# new_d = d.copy() -# return cls(**new_d) -# -# def to_dict(self): -# """Override parent to_dict() method with a simpler implementation. -# """ -# return dict(six.iteritems(self)) -# -# -# class InterExtensionBaseConnector(InterExtensionDriver): -# -# def get_inter_extensions(self): -# with self.get_session_for_read() as session: -# query = session.query(InterExtension.id) -# interextensions = query.all() -# return [interextension.id for interextension in interextensions] -# -# def create_inter_extensions(self, inter_id, inter_extension): -# with self.get_session_for_read() as session: -# ie_ref = InterExtension.from_dict(inter_extension) -# session.add(ie_ref) -# return InterExtension.to_dict(ie_ref) -# -# def get_inter_extension(self, uuid): -# with self.get_session_for_read() as session: -# query = session.query(InterExtension) -# query = query.filter_by(id=uuid) -# ref = query.first() -# if not ref: -# raise exception.NotFound -# return ref.to_dict() -# -# def delete_inter_extensions(self, inter_extension_id): -# with self.get_session_for_read() as session: -# ref = session.query(InterExtension).get(inter_extension_id) -# session.delete(ref) diff --git a/python_moondb/python_moondb/core.py b/python_moondb/python_moondb/core.py index 49e9f711..49b3c7dd 100644 --- a/python_moondb/python_moondb/core.py +++ b/python_moondb/python_moondb/core.py @@ -212,6 +212,7 @@ class KeystoneDriver(Driver): conf = configuration.get_configuration("database")['database'] + KeystoneManager = keystone.KeystoneManager( KeystoneDriver(conf['driver'], conf['url']) ) @@ -227,71 +228,3 @@ PolicyManager = policy.PolicyManager( PDPManager = pdp.PDPManager( PDPDriver(conf['driver'], conf['url']) ) - - -# class LogDriver(object): -# -# def authz(self, message): -# """Log authorization message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def debug(self, message): -# """Log debug message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def info(self, message): -# """Log informational message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def warning(self, message): -# """Log warning message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def error(self, message): -# """Log error message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def critical(self, message): -# """Log critical message -# -# :param message: the message to log -# :type message: string -# :return: None -# """ -# raise NotImplementedError() # pragma: no cover -# -# def get_logs(self, options): -# """Get logs -# -# :param options: options to filter log events -# :type options: string eg: "event_number=10,from=2014-01-01-10:10:10,to=2014-01-01-12:10:10,filter=expression" -# :return: a list of log events -# -# TIME_FORMAT is '%Y-%m-%d-%H:%M:%S' -# """ -# raise NotImplementedError() # pragma: no cover diff --git a/tools/bin/README.md b/tools/bin/README.md index 3125c468..71ff4a44 100644 --- a/tools/bin/README.md +++ b/tools/bin/README.md @@ -1,5 +1,8 @@ # Automated Tools/Scripts -## moon_utilities_update -- update moon_utilities to PIP: `./moon_utilities_update.sh upload` -- locally update moon_utilities for each moon Python package: `./moon_utilities_update.sh copy`
\ No newline at end of file +## api2pdf +```bash +python3 $MOON_HOME/tools/bin/api2rst.py +pandoc api.rst --toc -o api.pdf +evince api.pdf +``` diff --git a/moon_interface/tools/api2rst.py b/tools/bin/api2rst.py index 6d407bdf..6d407bdf 100644 --- a/moon_interface/tools/api2rst.py +++ b/tools/bin/api2rst.py diff --git a/moon_interface/tools/get_keystone_token.py b/tools/bin/get_keystone_token.py index 1856aab8..1856aab8 100644 --- a/moon_interface/tools/get_keystone_token.py +++ b/tools/bin/get_keystone_token.py diff --git a/tools/moon_kubernetes/start_moon.sh b/tools/moon_kubernetes/start_moon.sh index 47d6998b..32d9740d 100644 --- a/tools/moon_kubernetes/start_moon.sh +++ b/tools/moon_kubernetes/start_moon.sh @@ -33,4 +33,6 @@ kubectl create -n moon -f tools/moon_kubernetes/templates/moon_orchestrator.yaml kubectl create -n moon -f tools/moon_kubernetes/templates/moon_gui.yaml +# load moon_wrapper on both master and slaves +# moon_create_wrapper |