31 files changed, 640 insertions, 567 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
index 9b183a3c..b77bd810 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
@@ -1,41 +1,47 @@ { "subject_assignments": { - "domain":{ - "admin": ["ft"], - "demo": ["xx"] - }, - "role": { - "admin": ["admin"] + "role": { + "admin": ["root_role"] } }, - "action_assignments": { - "access": { - "read": ["admin", "user"], - "write": ["admin"], - "create": ["admin"], - "delete": ["admin"] + "action_id": { + "read": ["read"], + "write": ["write"] } }, - "object_assignments": { - "id": { - "subjects": ["subjects"], - "objects": ["objects"], - "actions": ["actions"], - "subject_categories": ["subject_categories"], - "object_categories": ["object_categories"], - "action_categories": ["action_categories"], - "subject_category_scope": ["subject_category_scope"], - "object_category_scope": ["object_category_scope"], - "action_category_scope": ["action_category_scope"], - "sub_rules": ["sub_rules"], - "sub_meta_rule": ["sub_meta_rule"], - "subject_assignments": ["subject_assignments"], - "object_assignments": ["object_assignments"], - "action_assignments": ["action_assignments"], - "sub_meta_rule_relations": ["sub_meta_rule_relations"], - "aggregation_algorithms": ["aggregation_algorithms"] + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_category_scopes": ["authz.subject_category_scopes"], + "authz.object_category_scopes": ["authz.object_category_scopes"], + "authz.action_category_scopes": ["authz.action_category_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": 
["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] } } } diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_admin/metadata.json index 29770673..9ee8a11d 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json +++ b/keystone-moon/examples/moon/policies/policy_admin/metadata.json @@ -1,19 +1,18 @@ { - "name": "MLS_metadata", + "name": "RBAC Admin Policy", "model": "RBAC", "genre": "admin", "description": "", "subject_categories": [ - "domain", - "role" + "role" ], "action_categories": [ - "access" + "action_id" ], "object_categories": [ - "id" + "object_id" ] } diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_admin/metarule.json index 1cb06eb5..86dbfad2 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json +++ b/keystone-moon/examples/moon/policies/policy_admin/metarule.json 
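Review bot: `"description": ""` is left empty in the new policy_admin/metadata.json even though the policy's meaning changed in this commit (the `domain` subject category is dropped, the name becomes "RBAC Admin Policy", and the categories are now `role`/`action_id`/`object_id`); JSON has no comments, so this field is the only place a reader of the example learns what the policy grants. Suggest `"description": "Administration policy: subjects assigned root_role may read and write every authz.* and admin.* object of the intra-extension"`, which is what the accompanying rule.json grants.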
@@ -1,9 +1,9 @@
 {
 "sub_meta_rules": {
 "rbac_rule": {
- "subject_categories": ["role", "domain"],
- "action_categories": ["access"],
- "object_categories": ["id"],
+ "subject_categories": ["role"],
+ "action_categories": ["action_id"],
+ "object_categories": ["object_id"],
 "algorithm": "inclusion"
 }
 },
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
index 7716986d..a796dae9 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
@@ -1,30 +1,41 @@
 {
 "subjects": [
- "admin",
- "demo"
+ "admin"
 ],
 "actions": [
 "read",
- "write",
- "create",
- "delete"
+ "write"
 ],
 "objects": [
- "subjects",
- "objects",
- "actions",
- "subject_categories",
- "object_categories",
- "action_categories",
- "subject_category_scope",
- "object_category_scope",
- "action_category_scope",
- "rules",
- "subject_assignments",
- "object_assignments",
- "action_assignments",
- "sub_meta_rule_algorithm",
- "aggregation_algorithm",
- "sub_meta_rules"
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_category_scopes",
+ "authz.object_category_scopes",
+ "authz.action_category_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_category_scopes",
+ "admin.object_category_scopes",
+ "admin.action_category_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
 ]
 }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json
index 650405a9..e80c61c1 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json
@@ -1,22 +1,64 @@ { - "rbac_rule":[ - - ["admin" , "ft", "admin", "subjects"], - ["admin" , "ft", "admin", "objects"], - ["admin" , "ft", "admin", "actions"], - ["admin" , "ft", "admin", "subject_categories"], - ["admin" , "ft", "admin", "object_categories"], - ["admin" , "ft", "admin", "action_categories"], - ["admin" , "ft", "admin", "subject_category_scope"], - ["admin" , "ft", "admin", "object_category_scope"], - ["admin" , "ft", "admin", "action_category_scope"], - ["admin" , "ft", "admin", "sub_rules"], - ["admin" , "ft", "admin", "sub_meta_rule"], - ["admin" , "ft", "admin", "subject_assignments"], - ["admin" , "ft", "admin", "object_assignments"], - ["admin" , "ft", "admin", "action_assignments"], - ["admin" , "ft", "admin", "sub_meta_rule_relations"], - ["admin" , "ft", "admin", "aggregation_algorithms"] - + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_category_scopes"], + ["root_role" , "read", "authz.object_category_scopes"], + ["root_role" , "read", "authz.action_category_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_category_scopes"], + ["root_role" , 
"write", "authz.object_category_scopes"], + ["root_role" , "write", "authz.action_category_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] ] } 
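Review bot: Every new rbac_rule tuple grants `root_role` both `read` and `write` on all 30 objects, including `admin.rules` and `admin.subject_assignments`, so a subject holding root_role can rewrite the rules and assignments that decide its own rights; the admin policy offers no separation between operating the authz policy and changing who is an administrator. If that is intended for a bootstrap root role, say so in metadata.json's `"description"`; otherwise a second role limited to the `authz.*` objects would keep day-to-day administration away from the self-modifying `admin.*` entries. Note also that the tuples went from four elements to three (`[role, action, object]`), which matches the metarule dropping `domain` in this commit and must be kept in step if a category is ever added back.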
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json index 3742a5e4..74b1d019 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/scope.json +++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json @@ -1,39 +1,47 @@ { - "subject_scopes": { - "role": [ - "admin" - ], - "domain": [ - "ft", - "xx" - ] - }, - - "action_scopes": { - "access": [ - "admin", - "user" - ] - }, - - "object_scopes": { - "id": [ - "subjects", - "objects", - "actions", - "subject_categories", - "object_categories", - "action_categories", - "subject_category_scope", - "object_category_scope", - "action_category_scope", - "sub_rules", - "sub_meta_rule", - "subject_assignments", - "object_assignments", - "action_assignments", - "sub_meta_rule_relations", - "aggregation_algorithms" - ] + "subject_scopes": { + "role": [ + "root_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "action_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_category_scopes", + "authz.object_category_scopes", + "authz.action_category_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] } } 
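Review bot: `"object_scopes"` in the new policy_admin/scope.json is keyed `"action_id"`, but the object category this policy declares is `"object_id"` (metadata.json `"object_categories": ["object_id"]`, metarule.json `"object_categories": ["object_id"]`, and assignment.json `"object_assignments"` → `"object_id"` in this same commit), so the 30 object scopes are filed under an action category and the `object_id` category ends up with no scopes. Depending on how the loader resolves assignments, the `authz.*`/`admin.*` object assignments then point at undeclared scopes and every rbac_rule tuple fails to match (deny), or the load errors out. Change the line to `"object_id": [`; policy_root/scope.json added by this commit already uses `"object_id"` there.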
diff --git a/keystone-moon/examples/moon/policies/policy_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_authz/assignment.json index ebab0ec6..6482830c 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/assignment.json +++ b/keystone-moon/examples/moon/policies/policy_authz/assignment.json @@ -56,7 +56,7 @@ "file1": ["storage"], "file2": ["storage"] }, - "id": { + "object_id": { "servers": ["servers"], "vm1": ["vm1"], "vm2": ["vm2"], diff --git a/keystone-moon/examples/moon/policies/policy_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_authz/metadata.json index 4a5a5a1a..d0db90db 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/metadata.json +++ b/keystone-moon/examples/moon/policies/policy_authz/metadata.json @@ -1,8 +1,8 @@ { - "name": "MLS_metadata", - "model": "MLS", + "name": "Multiple_Policy", + "model": "Multiple", "genre": "authz", - "description": "Multi Layer Security authorization policy", + "description": "Multiple Security Policies", "subject_categories": [ "subject_security_level", @@ -18,6 +18,6 @@ "object_categories": [ "object_security_level", "type", - "id" + "object_id" ] } diff --git a/keystone-moon/examples/moon/policies/policy_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_authz/metarule.json index df683ca9..c9afd6c2 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/metarule.json +++ b/keystone-moon/examples/moon/policies/policy_authz/metarule.json @@ -15,7 +15,7 @@ "rbac_rule": { "subject_categories": ["role", "domain"], "action_categories": ["access"], - "object_categories": ["id"], + "object_categories": ["object_id"], "algorithm": "inclusion" } }, diff --git a/keystone-moon/examples/moon/policies/policy_authz/scope.json b/keystone-moon/examples/moon/policies/policy_authz/scope.json index 4b69e469..9b313daf 100644 --- a/keystone-moon/examples/moon/policies/policy_authz/scope.json +++ b/keystone-moon/examples/moon/policies/policy_authz/scope.json 
@@ -38,7 +38,7 @@
 "computing",
 "storage"
 ],
- "id": [
+ "object_id": [
 "servers",
 "vm1",
 "vm2",
diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json
new file mode 100644
index 00000000..2852de0c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/assignment.json
@@ -0,0 +1,39 @@
+{
+ "subject_assignments": {
+ "role": {
+ "admin": ["root_role"]
+ }
+ },
+
+ "action_assignments": {
+ "action_id": {
+ "read": ["read"],
+ "write": ["write"]
+ }
+ },
+
+ "object_assignments": {
+ "object_id": {
+ "templates": ["templates"],
+ "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"],
+ "tenants": ["tenants"],
+ "intra_extensions": ["intra_extensions"],
+ "admin.subjects": ["admin.subjects"],
+ "admin.objects": ["admin.objects"],
+ "admin.actions": ["admin.actions"],
+ "admin.subject_categories": ["admin.subject_categories"],
+ "admin.object_categories": ["admin.object_categories"],
+ "admin.action_categories": ["admin.action_categories"],
+ "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+ "admin.object_category_scopes": ["admin.object_category_scopes"],
+ "admin.action_category_scopes": ["admin.action_category_scopes"],
+ "admin.subject_assignments": ["admin.subject_assignments"],
+ "admin.object_assignments": ["admin.object_assignments"],
+ "admin.action_assignments": ["admin.action_assignments"],
+ "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+ "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+ "admin.rules": ["admin.rules"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_super/metadata.json b/keystone-moon/examples/moon/policies/policy_root/metadata.json
index a67670e9..3e4b0f28 100644
--- a/keystone-moon/examples/moon/policies/policy_super/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_root/metadata.json
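Review bot: `"sub_meta_rule_algorithm": ["sub_meta_rule_relations"]` in the new policy_root/assignment.json does not line up with the rest of the policy: perimeter.json declares the object as `"sub_meta_rule_algorithms"` (plural), and neither scope.json nor rule.json knows a `sub_meta_rule_relations` scope — both use `"sub_meta_rule_algorithms"`. If assignments resolve by name as the neighbouring entries do, the rbac_rule tuples `["root_role", "read"/"write", "sub_meta_rule_algorithms"]` never match because no perimeter object is assigned to that scope, and the assignment itself names an object the perimeter does not list. The line was carried over verbatim from the deleted policy_super/assignment.json; it should read `"sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"]` to agree with the other three files.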
@@ -1,8 +1,8 @@ { - "name": "Super_Extension", + "name": "Root Policy", "model": "RBAC", - "genre": "authz", - "description": "", + "genre": "admin", + "description": "root extension", "subject_categories": [ "role" diff --git a/keystone-moon/examples/moon/policies/policy_super/metarule.json b/keystone-moon/examples/moon/policies/policy_root/metarule.json index 86dbfad2..86dbfad2 100644 --- a/keystone-moon/examples/moon/policies/policy_super/metarule.json +++ b/keystone-moon/examples/moon/policies/policy_root/metarule.json diff --git a/keystone-moon/examples/moon/policies/policy_root/perimeter.json b/keystone-moon/examples/moon/policies/policy_root/perimeter.json new file mode 100644 index 00000000..788a27f2 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/perimeter.json @@ -0,0 +1,31 @@ +{ + "subjects": [ + "admin" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_root/rule.json b/keystone-moon/examples/moon/policies/policy_root/rule.json new file mode 100644 index 00000000..9bbd5e4c --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/rule.json 
@@ -0,0 +1,44 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "templates"], + ["root_role" , "read", "aggregation_algorithms"], + ["root_role" , "read", "sub_meta_rule_algorithms"], + ["root_role" , "read", "tenants"], + ["root_role" , "read", "intra_extensions"], + ["root_role" , "write", "templates"], + ["root_role" , "write", "aggregation_algorithms"], + ["root_role" , "write", "sub_meta_rule_algorithms"], + ["root_role" , "write", "tenants"], + ["root_role" , "write", "intra_extensions"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", 
"admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_root/scope.json b/keystone-moon/examples/moon/policies/policy_root/scope.json new file mode 100644 index 00000000..43f9ced8 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_root/scope.json @@ -0,0 +1,39 @@ +{ + "subject_scopes": { + "role": [ + "root_role" + ] + }, + + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + + "object_scopes": { + "object_id": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/keystone-moon/examples/moon/policies/policy_super/assignment.json b/keystone-moon/examples/moon/policies/policy_super/assignment.json deleted file mode 100644 index 352575aa..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/assignment.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "subject_assignments": { - "role": { - "super_admin": ["admin"] - } - }, - - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - - "object_assignments": { - "object_id": { - "templates": ["templates"], - "sub_meta_rule_algorithm": ["sub_meta_rule_relations"], - "aggregation_algorithms": ["aggregation_algorithms"], - "tenants": ["tenants"], - "intra_extensions": ["intra_extensions"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_super/perimeter.json b/keystone-moon/examples/moon/policies/policy_super/perimeter.json deleted file mode 100644 index 3a7364bc..00000000 
--- a/keystone-moon/examples/moon/policies/policy_super/perimeter.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "subjects": [ - "super_admin" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_super/rule.json b/keystone-moon/examples/moon/policies/policy_super/rule.json deleted file mode 100644 index b3115a90..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/rule.json +++ /dev/null @@ -1,14 +0,0 @@ -{ - "rbac_rule":[ - ["admin" , "read", "templates"], - ["admin" , "read", "aggregation_algorithms"], - ["admin" , "read", "sub_meta_rule_algorithms"], - ["admin" , "read", "tenants"], - ["admin" , "read", "intra_extensions"], - ["admin" , "write", "templates"], - ["admin" , "write", "aggregation_algorithms"], - ["admin" , "write", "sub_meta_rule_algorithms"], - ["admin" , "write", "tenants"], - ["admin" , "write", "intra_extensions"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_super/scope.json b/keystone-moon/examples/moon/policies/policy_super/scope.json deleted file mode 100644 index d581c747..00000000 --- a/keystone-moon/examples/moon/policies/policy_super/scope.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "admin" - ] - }, - - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - - "object_scopes": { - "object_id": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions" - ] - } -} diff --git a/keystone-moon/examples/moon/super_extension/policy/assignment.json b/keystone-moon/examples/moon/super_extension/policy/assignment.json deleted file mode 100644 index 352d3928..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/assignment.json +++ /dev/null 
@@ -1,26 +0,0 @@ -{ - "subject_category_assignments": { - "role":{ - "admin": [ - "super_user", - "super_admin", - "super_root", - "inter_extension_user", - "inter_extension_admin", - "inter_extension_root" - ] - } - }, - "object_category_assignments": { - "action": { - "intra_extension": [], - "mapping": [], - "inter_extension": [] - }, - "object_id": { - "intra_extension": ["intra_extension"], - "mapping": ["mapping"], - "inter_extension": ["inter_extension"] - } - } -} diff --git a/keystone-moon/examples/moon/super_extension/policy/configuration.json b/keystone-moon/examples/moon/super_extension/policy/configuration.json deleted file mode 100644 index 18918e7f..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/configuration.json +++ /dev/null @@ -1,43 +0,0 @@ -{ - "subject_category_values": { - "role": [ - "super_user", - "super_admin", - "super_root", - "inter_extension_user", - "inter_extension_admin", - "inter_extension_root" - ] - }, - - "object_category_values": { - "action": [ - "list", - "create", - "destroy", - "delegate" - ], - "object_id": [ - "intra_extension", - "mapping", - "inter_extension" - ] - }, - - "rules":{ - "permission": [ - ["super_user", "intra_extension", "list"], - ["super_admin", "intra_extension", "create"], - ["super_admin", "intra_extension", "destroy"], - ["super_root", "intra_extension", "delegate"], - ["super_user", "mapping", "list"], - ["super_admin", "mapping", "create"], - ["super_admin", "mapping", "destroy"], - ["super_root", "mapping", "delegate"], - ["inter_extension_user", "inter_extension", "list"], - ["inter_extension_admin", "inter_extension", "create"], - ["inter_extension_admin", "inter_extension", "destroy"], - ["inter_extension_root", "inter_extension", "delegate"] - ] - } -}
\ No newline at end of file diff --git a/keystone-moon/examples/moon/super_extension/policy/metadata.json b/keystone-moon/examples/moon/super_extension/policy/metadata.json deleted file mode 100644 index 316bfcb7..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/metadata.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "name": "RBAC_metadata", - "model": "RBAC", - "genre": "super", - "description": "", - - "subject_categories": [ - "role" - ], - - "object_categories": [ - "object_id", - "action" - ], - - "meta_rule": { - "sub_meta_rules": { - "permission": { - "subject_categories": ["role"], - "object_categories": ["object_id", "action"], - "relation": "permission" - } - }, - "aggregation": "and_true_aggregation" - } -} diff --git a/keystone-moon/examples/moon/super_extension/policy/perimeter.json b/keystone-moon/examples/moon/super_extension/policy/perimeter.json deleted file mode 100644 index 5d511654..00000000 --- a/keystone-moon/examples/moon/super_extension/policy/perimeter.json +++ /dev/null @@ -1,10 +0,0 @@ -{ - "subjects": [ - "admin" - ], - "objects": [ - "intra_extension", - "mapping", - "inter_extension" - ] -}
\ No newline at end of file diff --git a/keystone-moon/keystone/contrib/moon/backends/__init__.py b/keystone-moon/keystone/contrib/moon/backends/__init__.py index 28b42dd4..237bdc3e 100644 --- a/keystone-moon/keystone/contrib/moon/backends/__init__.py +++ b/keystone-moon/keystone/contrib/moon/backends/__init__.py @@ -90,6 +90,7 @@ rules = { sub_meta_rule_id1: { rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ], rule_id2: [subject_scope3, subject_scope4, ..., action_scope3, ..., object_scope3, ... ], + rule_id3: [thomas, write, admin.subjects] ...}, sub_meta_rule_id2: { }, ...} diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py index ddc06831..b2efb723 100644 --- a/keystone-moon/keystone/contrib/moon/backends/memory.py +++ b/keystone-moon/keystone/contrib/moon/backends/memory.py @@ -36,21 +36,4 @@ class ConfigurationConnector(ConfigurationDriver): return self.aggregation_algorithm_dict def get_sub_meta_rule_algorithm_dict(self): - return self.sub_meta_rule_algorithm_dict - -# class SuperExtensionConnector(SuperExtensionDriver): -# -# def __init__(self): -# super(SuperExtensionConnector, self).__init__() -# # Super_Extension is loaded every time the server is started -# self.__uuid = uuid4().hex -# # self.__super_extension = Extension() -# _policy_abs_dir = os.path.join(CONF.moon.super_extension_directory, 'policy') -# # self.__super_extension.load_from_json(_policy_abs_dir) -# -# def get_super_extensions(self): -# return None -# -# def admin(self, sub, obj, act): -# # return self.__super_extension.authz(sub, obj, act) -# return True + return self.sub_meta_rule_algorithm_dict
\ No newline at end of file diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index 3b331dda..b2e91db0 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -310,7 +310,6 @@ class Rule(sql.ModelBase, sql.DictBase): __all_objects__ = ( - IntraExtensionUnknown, Tenant, Subject, Object, @@ -362,10 +361,7 @@ class TenantConnector(TenantDriver): ref = query.first() tenant_ref = ref.to_dict() tenant_ref.update(tenant_dict) - new_tenant = Tenant( - id=tenant_id, - tenant=tenant_ref - ) + new_tenant = Tenant(id=tenant_id, tenant=tenant_ref) for attr in Tenant.attributes: if attr != 'id': setattr(ref, attr, getattr(new_tenant, attr)) @@ -382,8 +378,6 @@ class IntraExtensionConnector(IntraExtensionDriver): ref_list = query.all() return {_ref.id: _ref.intraextension for _ref in ref_list} - # TODO (dthom): load_intra_extension(self): - def del_intra_extension(self, intra_extension_id): with sql.transaction() as session: ref = session.query(IntraExtension).get(intra_extension_id) diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py index d8737dd9..fadc2731 100644 --- a/keystone-moon/keystone/contrib/moon/controllers.py +++ b/keystone-moon/keystone/contrib/moon/controllers.py @@ -94,6 +94,7 @@ class Tenants(controller.V3Controller): tenant_id = kw.get("tenant_id", None) return self.tenant_api.del_tenant(user_id, tenant_id) + @controller.protected() def set_tenant(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) tenant_id = kw.get('id', None) 
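Review bot: Adding `@controller.protected()` to `set_tenant` closes a gap where this mutator ran without Keystone's policy enforcement; the sibling Tenants handlers outside this hunk (`del_tenant` is visible above, its decorator is not) deserve the same check, since one unprotected mutator bypasses the whole policy. `protected()` derives the policy action from the decorated method's name, so the deployed policy file needs a matching rule for `set_tenant` or the default rule decides — confirm one ships with this change, and that the result is not a silent allow. The body of set_tenant continues outside the hunk.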
@@ -142,22 +143,25 @@ class IntraExtensions(controller.V3Controller): def add_intra_extension(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) intra_extension_dict = dict() - intra_extension_dict["intra_extension_name"] = kw.get("intra_extension_name", dict()) - intra_extension_dict["subject_categories"] = kw.get("subject_categories", dict()) - intra_extension_dict["object_categories"] = kw.get("object_categories", dict()) - intra_extension_dict["action_categories"] = kw.get("action_categories", dict()) - intra_extension_dict["subjects"] = kw.get("subjects", dict()) - intra_extension_dict["objects"] = kw.get("objects", dict()) - intra_extension_dict["actions"] = kw.get("actions", dict()) - intra_extension_dict["subject_category_scopes"] = kw.get("subject_category_scopes", dict()) - intra_extension_dict["object_category_scopes"] = kw.get("object_category_scopes", dict()) - intra_extension_dict["action_category_scopes"] = kw.get("action_category_scopes", dict()) - intra_extension_dict["subject_assignments"] = kw.get("subject_assignments", dict()) - intra_extension_dict["object_assignments"] = kw.get("object_assignments", dict()) - intra_extension_dict["action_assignments"] = kw.get("action_assignments", dict()) - intra_extension_dict["aggregation_algorithm"] = kw.get("aggregation_algorithm", dict()) - intra_extension_dict["sub_meta_rules"] = kw.get("sub_meta_rules", dict()) - intra_extension_dict["rules"] = kw.get("rules", dict()) + intra_extension_dict["name"] = kw.get("intra_extension_name", None) + intra_extension_dict["model"] = kw.get("intra_extension_model", None) + intra_extension_dict["genre"] = kw.get("intra_extension_genre", None) + intra_extension_dict["description"] = kw.get("intra_extension_description", None) + intra_extension_dict["subject_categories"] = kw.get("intra_extension_subject_categories", dict()) + intra_extension_dict["object_categories"] = kw.get("intra_extension_object_categories", dict()) + 
intra_extension_dict["action_categories"] = kw.get("intra_extension_action_categories", dict()) + intra_extension_dict["subjects"] = kw.get("intra_extension_subjects", dict()) + intra_extension_dict["objects"] = kw.get("intra_extension_objects", dict()) + intra_extension_dict["actions"] = kw.get("intra_extension_actions", dict()) + intra_extension_dict["subject_category_scopes"] = kw.get("intra_extension_subject_category_scopes", dict()) + intra_extension_dict["object_category_scopes"] = kw.get("intra_extension_object_category_scopes", dict()) + intra_extension_dict["action_category_scopes"] = kw.get("intra_extension_action_category_scopes", dict()) + intra_extension_dict["subject_assignments"] = kw.get("intra_extension_subject_assignments", dict()) + intra_extension_dict["object_assignments"] = kw.get("intra_extension_object_assignments", dict()) + intra_extension_dict["action_assignments"] = kw.get("intra_extension_action_assignments", dict()) + intra_extension_dict["aggregation_algorithm"] = kw.get("intra_extension_aggregation_algorithm", dict()) + intra_extension_dict["sub_meta_rules"] = kw.get("intra_extension_sub_meta_rules", dict()) + intra_extension_dict["rules"] = kw.get("intra_extension_rules", dict()) return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict) @controller.protected() @@ -179,6 +183,7 @@ class IntraExtensions(controller.V3Controller): intra_extension_dict = dict() intra_extension_dict["name"] = kw.get("intra_extension_name", None) intra_extension_dict["model"] = kw.get("intra_extension_model", None) + intra_extension_dict["genre"] = kw.get("intra_extension_genre", None) intra_extension_dict["description"] = kw.get("intra_extension_description", None) return self.admin_api.set_intra_extension_dict(user_id, ie_id, intra_extension_dict) 
@@ -781,13 +786,6 @@ class InterExtensions(controller.V3Controller): # return self.interextension_api.delete_inter_extension(kw["inter_extension_id"]) -@dependency.requires('authz_api') -class SuperExtensions(controller.V3Controller): - - def __init__(self): - super(SuperExtensions, self).__init__() - - @dependency.requires('moonlog_api', 'authz_api') class Logs(controller.V3Controller): @@ -803,7 +801,5 @@ class Logs(controller.V3Controller): def get_logs(self, context, **kw): user_id = self._get_user_id_from_token(context.get('token_id')) options = kw.get("options", "") - # FIXME (dthom): the authorization for get_logs must be done with an intra_extension - #if self.authz_api.admin(user["name"], "logs", "read"): return self.moonlog_api.get_logs(user_id, options) diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index fcb8ebfa..7761130e 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import * CONF = config.CONF LOG = log.getLogger(__name__) -DEFAULT_USER_ID = uuid4().hex # default user_id for internal invocation -SUPER_TENANT_ID = uuid4().hex -SUPER_EXTENSION_ID = uuid4().hex +# TODO: call functions to get these 2 variables +ADMIN_ID = uuid4().hex # default user_id for internal invocation +ROOT_EXTENSION_ID = uuid4().hex _OPTS = [ 
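Review bot: Deleting the FIXME and the commented `authz_api.admin(...)` line leaves `get_logs` with no authorization step in the hunk: `options`, taken verbatim from the request, goes straight to `self.moonlog_api.get_logs(user_id, options)`. Unless `LogManager.get_logs` (outside this diff) carries an `@enforce` decorator, any authenticated caller can read the audit log. Either keep the FIXME until that check exists or add it on the manager side, e.g. `@enforce("read", "logs")` on `LogManager.get_logs`, and note it in the controller with `# authorization is enforced by LogManager.get_logs`. Whether the controller method itself is wrapped by `@controller.protected()` is not visible here.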
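Review bot: `ADMIN_ID` and `ROOT_EXTENSION_ID` remain fresh `uuid4().hex` values computed at import, so every worker process and every restart gets different identifiers that match nothing persisted, yet `enforce` in this diff now passes `ADMIN_ID` as the user id for all its internal lookups and falls back to `ROOT_EXTENSION_ID` as the admin extension. The `TODO: call functions to get these 2 variables` acknowledges the gap, but nothing in the diff resolves it (the migration ends on `# TODO: load root_extension`), so the authorization bootstrap is non-deterministic across workers. Until they are read from persisted state or `CONF.moon`, mark them clearly: `# FIXME: placeholder ids, regenerated per process and never persisted; resolve from the root IntraExtension once it is loaded`.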
@@ -104,35 +104,54 @@ def filter_input(func_or_str): def enforce(action_names, object_name, **extra): _action_name_list = action_names + _object_name = object_name def wrap(func): def wrapped(*args): # global actions self = args[0] - user_name = args[1] - intra_extension_id = args[2] - if intra_extension_id not in self.admin_api.get_intra_extensions(DEFAULT_USER_ID): - raise IntraExtensionUnknown() - - tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID) + user_id = args[1] intra_admin_extension_id = None - tenant_name = None - for tenant_id in tenants_dict: - if tenants_dict[tenant_id]['intra_authz_extension_id'] is intra_extension_id: - intra_admin_extension_id = tenants_dict[tenant_id]['intra_admin_extension_id'] - tenant_name = tenants_dict[tenant_id]['name'] + try: + intra_extension_id = args[2] + except: + intra_admin_extension_id = ROOT_EXTENSION_ID + + intra_extensions_dict = self.admin_api.get_intra_extensions(ADMIN_ID) + if intra_extension_id not in intra_extensions_dict: + raise IntraExtensionUnknown() + tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) + for _tenant_id in tenants_dict: + if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \ + tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id: + intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id'] if not intra_admin_extension_id: - args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.") + args[0].moonlog_api.warning("No Intra_Admin_Extension found, authorization granted by default.") return func(*args) else: - authz_result = False + objects_dict = self.admin_api.get_objects_dict(ADMIN_ID, intra_admin_extension_id) + object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' 
+ _object_name + object_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] is object_name: + object_id = _object_id + break if type(_action_name_list) in (str, unicode): action_name_list = (_action_name_list, ) else: action_name_list = _action_name_list - for action_name in action_name_list: - if self.authz_api.authz(tenant_name, user_name, object_name, action_name, 'admin'): + actions_dict = self.admin_api.get_actions_dict(ADMIN_ID, intra_admin_extension_id) + action_id_list = list() + for _action_name in action_name_list: + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] is _action_name: + action_id_list.append(_action_id) + break + + authz_result = False + for action_id in action_id_list: + if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id): authz_result = True else: authz_result = False 
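Review bot: The tenant, object and action lookups in `wrapped` compare strings with `is` (`...['intra_authz_extension_id'] is intra_extension_id`, `objects_dict[_object_id]['name'] is object_name`, `actions_dict[_action_id]['name'] is _action_name`); identity is not equality for values read from a driver or built by concatenation, so no tenant matches, `intra_admin_extension_id` stays `None`, and the `if not intra_admin_extension_id:` branch logs a warning and calls `func` — the decorator fails open. Use `==` and deny when no admin IntraExtension is found rather than granting. Two further defects on the new side: when `args[2]` is absent the bare `except:` only sets `intra_admin_extension_id`, so the next line `if intra_extension_id not in intra_extensions_dict` raises `UnboundLocalError` for every two-argument manager method this commit decorates with `@enforce`; and the lookups go through `self.tenant_api.get_tenants_dict(ADMIN_ID)` (and `self.admin_api.get_intra_extensions(ADMIN_ID)`, whose name does not match the `get_intra_extensions_dict` defined later in this diff), which are themselves `@enforce`-wrapped, so the check re-enters itself instead of reading the driver. `enforce` continues past the end of the hunk.

```python
            # … unchanged: self / user_id / args[2] handling …
            for _tenant_id in tenants_dict:
                if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \
                        tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id:
                    intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
            if not intra_admin_extension_id:
                # fail closed: without an admin IntraExtension nothing can be authorized
                self.moonlog_api.warning("No Intra_Admin_Extension found, authorization denied.")
                raise IntraExtensionUnknown()  # or a dedicated authz exception — confirm
            # … unchanged: objects_dict / actions_dict lookups, with `is` replaced by `==` …
```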
@@ -143,42 +162,6 @@ def enforce(action_names, object_name, **extra): return wrap -def super_enforce(action_names, object_name, **extra): - _action_name_list = action_names - - def wrap(func): - def wrapped(*args): - # global actions - return func(*args) - # self = args[0] - # user_name = args[1] - # intra_extension_id = SUPER_EXTENSION_ID - # if intra_extension_id not in self.admin_api.get_intra_extensions_dict(DEFAULT_USER_ID): - # raise IntraExtensionUnknown() - # - # super_tenant_id = SUPER_TENANT_ID - # super_tenant_dict = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, super_tenant_id) - # - # if not super_tenant_dict: - # raise SuperExtensionUnknown() - # else: - # authz_result = False - # if type(_action_name_list) in (str, unicode): - # action_name_list = (_action_name_list, ) - # else: - # action_name_list = _action_name_list - # for action_name in action_name_list: - # if self.authz_api.authz(super_tenant_dict['name'], user_name, object_name, action_name, 'authz'): - # authz_result = True - # else: - # authz_result = False - # break - # if authz_result: - # return func(*args) - return wrapped - return wrap - - @dependency.provider('configuration_api') @dependency.requires('moonlog_api') class ConfigurationManager(manager.Manager): @@ -186,7 +169,7 @@ class ConfigurationManager(manager.Manager): def __init__(self): super(ConfigurationManager, self).__init__(CONF.moon.configuration_driver) - @super_enforce("read", "templates") + @enforce("read", "templates") def get_policy_templates_dict(self, user_id): """ Return a dictionary of all policy templates @@ -194,7 +177,7 @@ class ConfigurationManager(manager.Manager): """ return self.driver.get_policy_templates_dict() - @super_enforce("read", "templates") + @enforce("read", "templates") def get_policy_template_id_from_name(self, user_id, policy_template_name): policy_template_dict = self.driver.get_policy_templates_dict() for policy_template_id in policy_template_dict: 
@@ -202,7 +185,7 @@ class ConfigurationManager(manager.Manager): return policy_template_id return None - @super_enforce("read", "aggregation_algorithms") + @enforce("read", "aggregation_algorithms") def get_aggregation_algorithms_dict(self, user_id): """ Return a dictionary of all aggregation algorithm @@ -210,7 +193,7 @@ class ConfigurationManager(manager.Manager): """ return self.driver.get_aggregation_algorithms_dict() - @super_enforce("read", "aggregation_algorithms") + @enforce("read", "aggregation_algorithms") def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name): aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict() for aggregation_algorithm_id in aggregation_algorithm_dict: @@ -218,7 +201,7 @@ class ConfigurationManager(manager.Manager): return aggregation_algorithm_id return None - @super_enforce("read", "sub_meta_rule_algorithms") + @enforce("read", "sub_meta_rule_algorithms") def get_sub_meta_rule_algorithms_dict(self, user_id): """ Return a dictionary of sub_meta_rule algorithm @@ -226,7 +209,7 @@ class ConfigurationManager(manager.Manager): """ return self.driver.get_sub_meta_rule_algorithms_dict() - @super_enforce("read", "sub_meta_rule_algorithms") + @enforce("read", "sub_meta_rule_algorithms") def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name): sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict() for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict: @@ -242,7 +225,7 @@ class TenantManager(manager.Manager): def __init__(self): super(TenantManager, self).__init__(CONF.moon.tenant_driver) - @super_enforce("read", "tenants") + @enforce("read", "tenants") def get_tenants_dict(self, user_id): """ Return a dictionary with all tenants 
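Review bot: `get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name)` is now wrapped by `@enforce`, which reads `args[1]` as the user id, so the algorithm name will be authorized as if it were a user; every sibling in `ConfigurationManager` takes `(self, user_id, ...)`. Change the signature to `def get_sub_meta_rule_algorithm_id_from_name(self, user_id, sub_meta_rule_algorithm_name):` and update its callers. Note that the removed `super_enforce` was an unconditional `return func(*args)`, so these methods go from no check at all to a real one in this commit; every internal caller must now pass a user id the admin policy recognises, which the random per-process `ADMIN_ID` passed by `enforce` itself is not.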
@@ -259,31 +242,60 @@ class TenantManager(manager.Manager): """ return self.driver.get_tenants_dict() - @super_enforce(("read", "write"), "tenants") + @enforce(("read", "write"), "tenants") def add_tenant_dict(self, user_id, tenant_dict): tenants_dict = self.driver.get_tenants_dict() for tenant_id in tenants_dict: if tenants_dict[tenant_id]['name'] is tenant_dict['name']: raise TenantAddedNameExisting() + + # Sync users between intra_authz_extension and intra_admin_extension + if tenant_dict['intra_admin_extension']: + if not tenant_dict['intra_authz_extension']: + raise TenantNoIntraAuthzExtension + else: + authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension']) + admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension']) + for _subject_id in authz_subjects_dict: + if _subject_id not in admin_subjects_dict: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id]) + for _subject_id in admin_subjects_dict: + if _subject_id not in authz_subjects_dict: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id]) return self.driver.add_tenant_dict(uuid4().hex, tenant_dict) - @super_enforce("read", "tenants") + @enforce("read", "tenants") def get_tenant_dict(self, user_id, tenant_id): tenants_dict = self.driver.get_tenants_dict() if tenant_id not in tenants_dict: raise TenantUnknown() return tenants_dict[tenant_id] - @super_enforce(("read", "write"), "tenants") + @enforce(("read", "write"), "tenants") def del_tenant(self, user_id, tenant_id): if tenant_id not in self.driver.get_tenants_dict(): raise TenantUnknown() self.driver.del_tenant(tenant_id) - @super_enforce(("read", "write"), "tenants") + @enforce(("read", "write"), "tenants") def set_tenant_dict(self, user_id, tenant_id, tenant_dict): - if tenant_id not in self.driver.get_tenants_dict(): + tenants_dict = 
self.driver.get_tenants_dict() + if tenant_id not in tenants_dict: raise TenantUnknown() + + # Sync users between intra_authz_extension and intra_admin_extension + if tenant_dict['intra_admin_extension']: + if not tenant_dict['intra_authz_extension']: + raise TenantNoIntraAuthzExtension + else: + authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension']) + admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension']) + for _subject_id in authz_subjects_dict: + if _subject_id not in admin_subjects_dict: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id]) + for _subject_id in admin_subjects_dict: + if _subject_id not in authz_subjects_dict: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id]) return self.driver.set_tenant_dict(tenant_id, tenant_dict) @@ -291,7 +303,6 @@ class TenantManager(manager.Manager): class IntraExtensionManager(manager.Manager): def __init__(self): - self.__genre__ = None driver = CONF.moon.intraextension_driver super(IntraExtensionManager, self).__init__(driver) @@ -335,9 +346,9 @@ class IntraExtensionManager(manager.Manager): for category in meta_data_dict["action_categories"]: action_assignment_dict[category] = self.driver.get_action_assignment_list( intra_extension_id, action_id)[category] - authz_buffer['subject_attributes'] = dict() - authz_buffer['object_attributes'] = dict() - authz_buffer['action_attributes'] = dict() + authz_buffer['subject_assignments'] = dict() + authz_buffer['object_assignments'] = dict() + authz_buffer['action_assignments'] = dict() for _subject_category in meta_data_dict['subject_categories']: authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category] for _object_category in meta_data_dict['object_categories']: 
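Review bot: The subject-sync block added to `add_tenant_dict` and repeated in `set_tenant_dict` reads `tenant_dict['intra_admin_extension']` / `['intra_authz_extension']`, while `enforce` in this same diff reads tenant records as `['intra_authz_extension_id']` / `['intra_admin_extension_id']`; one key set is wrong, and the direct subscript raises `KeyError` when a caller omits the field. The sync calls `self.admin_api.add_subject_dict(ADMIN_ID, ...)`, which this commit overrides in `IntraExtensionAdminManager` with a bare `return`, so no subject is actually copied and the failure is silent. The block is duplicated verbatim; pull it into one helper, use `.get`, and raise the exception as an instance (`raise TenantNoIntraAuthzExtension()`). The context line `tenants_dict[tenant_id]['name'] is tenant_dict['name']` also compares strings by identity and should use `==`.

```python
    def _sync_subjects(self, tenant_dict):
        """Mirror subjects both ways between a tenant's authz and admin IntraExtensions."""
        admin_ie = tenant_dict.get('intra_admin_extension')
        authz_ie = tenant_dict.get('intra_authz_extension')
        if not admin_ie:
            return
        if not authz_ie:
            raise TenantNoIntraAuthzExtension()
        authz_subjects = self.admin_api.get_subjects_dict(ADMIN_ID, authz_ie)
        admin_subjects = self.admin_api.get_subjects_dict(ADMIN_ID, admin_ie)
        for _id, _subject in authz_subjects.items():
            if _id not in admin_subjects:
                self.admin_api.add_subject_dict(ADMIN_ID, admin_ie, _subject)
        for _id, _subject in admin_subjects.items():
            if _id not in authz_subjects:
                self.admin_api.add_subject_dict(ADMIN_ID, authz_ie, _subject)
    # … unchanged: add_tenant_dict / set_tenant_dict call self._sync_subjects(tenant_dict) before the driver write …
```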
@@ -385,7 +396,7 @@ class IntraExtensionManager(manager.Manager): return False - @super_enforce("read", "intra_extensions") + @enforce("read", "intra_extensions") def get_intra_extensions_dict(self, user_id): """ :param user_id: @@ -647,13 +658,13 @@ class IntraExtensionManager(manager.Manager): rules[sub_rule_id].append(subrule) self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, rules) - @super_enforce(("read", "write"), "intra_extensions") + @enforce(("read", "write"), "intra_extensions") def load_intra_extension_dict(self, user_id, intra_extension_dict): ie_dict = dict() - # TODO: clean some values ie_dict['id'] = uuid4().hex ie_dict["name"] = filter_input(intra_extension_dict["name"]) - ie_dict["model"] = filter_input(intra_extension_dict["policymodel"]) + ie_dict["model"] = filter_input(intra_extension_dict["model"]) + ie_dict["genre"] = filter_input(intra_extension_dict["genre"]) ie_dict["description"] = filter_input(intra_extension_dict["description"]) ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict) self.moonlog_api.debug("Creation of IE: {}".format(ref)) @@ -667,7 +678,7 @@ class IntraExtensionManager(manager.Manager): self.__load_rule_file(ie_dict, policy_dir) return ref - @super_enforce("read", "intra_extensions") + @enforce("read", "intra_extensions") def get_intra_extension_dict(self, user_id, intra_extension_id): """ :param user_id: 
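Review bot: `ie_dict["genre"] = filter_input(intra_extension_dict["genre"])` stores whatever the controller passed, including the `None` default from `add_intra_extension`, and `enforce` later builds the admin object name as `genre + '.' + object_name`; a `None` genre raises `TypeError` inside the authorization path and an arbitrary one targets an object that does not exist in the policy, which only defines `authz.*` and `admin.*` objects. Validate it here, where every caller converges: `if intra_extension_dict.get("genre") not in ("authz", "admin"):` followed by the module's 400-class IntraExtension exception, with a comment `# genre selects the admin-policy object namespace used by enforce()`. What `filter_input` does with `None` is not visible in this diff; `load_intra_extension_dict` continues past the end of the hunk.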
@@ -677,13 +688,13 @@ class IntraExtensionManager(manager.Manager): raise IntraExtensionUnknown() return self.driver.get_intra_extensions_dict()[intra_extension_id] - @super_enforce(("read", "write"), "intra_extensions") + @enforce(("read", "write"), "intra_extensions") def del_intra_extension(self, user_id, intra_extension_id): if intra_extension_id not in self.driver.get_intra_extensions_dict(): raise IntraExtensionUnknown() return self.driver.del_intra_extension(intra_extension_id) - @super_enforce(("read", "write"), "intra_extensions") + @enforce(("read", "write"), "intra_extensions") def set_intra_extension_dict(self, user_id, intra_extension_id, intra_extension_dict): if intra_extension_id not in self.driver.get_intra_extensions_dict(): raise IntraExtensionUnknown() @@ -1306,7 +1317,7 @@ class IntraExtensionManager(manager.Manager): @enforce(("read", "write"), "aggregation_algorithm") def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): if aggregation_algorithm_id: - if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(DEFAULT_USER_ID): + if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ROOT_ID): raise AggregationAlgorithmUnknown() else: aggregation_algorithm_id = uuid4().hex @@ -1455,11 +1466,9 @@ class IntraExtensionManager(manager.Manager): @dependency.provider('authz_api') -@dependency.requires('identity_api', 'tenant_api', 'moonlog_api') class IntraExtensionAuthzManager(IntraExtensionManager): def __init__(self): - self.__genre__ = "authz" super(IntraExtensionAuthzManager, self).__init__() def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"): 
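Review bot: `ROOT_ID` in `self.configuration_api.get_aggregation_algorithms(ROOT_ID)` is not defined anywhere in this diff (the module defines `ADMIN_ID` and `ROOT_EXTENSION_ID`), so the branch taken when an `aggregation_algorithm_id` is supplied raises `NameError`. The method name also does not match `ConfigurationManager`, which defines `get_aggregation_algorithms_dict(self, user_id)`; unless an alias exists outside the diff the call fails before the membership test. Suggested line: `if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict(ADMIN_ID):`. `set_aggregation_algorithm_dict` continues past the end of the hunk.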
@@ -1467,14 +1476,14 @@ class IntraExtensionAuthzManager(IntraExtensionManager): """Check authorization for a particular action. :return: True or False or raise an exception """ - tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID) + tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) tenant_id = None for _tenant_id in tenants_dict: if tenants_dict[_tenant_id] is tenant_name: tenant_id = _tenant_id break - intra_extension_id = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, tenant_id)[genre] + intra_extension_id = self.tenant_api.get_tenant_dict(ADMIN_ID, tenant_id)[genre] if not intra_extension_id: raise TenantNoIntraExtension() 
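Review bot: `if tenants_dict[_tenant_id] is tenant_name:` compares a tenant dict to a name string by identity, so `tenant_id` is never set and the next line calls `get_tenant_dict(ADMIN_ID, None)`, which raises `TenantUnknown` for every authorization request; the commit edits the surrounding lines but leaves this, it should read `if tenants_dict[_tenant_id]['name'] == tenant_name:`. The tenant record is then indexed with `[genre]` (`"authz"`/`"admin"`) whereas `enforce` indexes the same records with `'intra_authz_extension_id'` / `'intra_admin_extension_id'`; both cannot be right. This method still uses `self.tenant_api` after the previous hunk removed `@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')` from `IntraExtensionAuthzManager`, which is only safe if the parent class declares the same requirement — not visible here. `authz` continues past the end of the hunk.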
@@ -1501,15 +1510,57 @@ class IntraExtensionAuthzManager(IntraExtensionManager): raise ActionUnknown() return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id) + def add_subject_dict(self, user_id, intra_extension_id, subject_dict): + # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin + return + + def del_subject(self, user_id, intra_extension_id, subject_id): + # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin + pass + + def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): + # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin + return + + # TODO: for other no heritaged functions, add raise AuthzException() + @dependency.provider('admin_api') -@dependency.requires('identity_api', 'tenant_api', 'moonlog_api') class IntraExtensionAdminManager(IntraExtensionManager): def __init__(self): - self.__genre__ = "admin" super(IntraExtensionAdminManager, self).__init__() + def add_subject_dict(self, user_id, intra_extension_id, subject_dict): + # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin + return + + def del_subject(self, user_id, intra_extension_id, subject_id): + # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin + pass + + def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): + # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin + return + + def add_object_dict(self, user_id, intra_extension_id, object_name): + raise ObjectsWriteNoAuthorized() + + def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): + raise ObjectsWriteNoAuthorized() + + def del_object(self, user_id, intra_extension_id, object_id): + raise ObjectsWriteNoAuthorized() + + def 
add_action_dict(self, user_id, intra_extension_id, action_name): + raise ActionsWriteNoAuthorized() + + def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): + raise ActionsWriteNoAuthorized() + + def del_action(self, user_id, intra_extension_id, action_id): + raise ActionsWriteNoAuthorized() + @dependency.provider('moonlog_api') class LogManager(manager.Manager): @@ -1741,10 +1792,6 @@ class IntraExtensionDriver(object): def get_intra_extensions_dict(self): raise exception.NotImplemented() # pragma: no cover - # TODO: check with load - # def add_intra_extensions_dict(self): - # raise exception.NotImplemented() # pragma: no cover - def del_intra_extension(self, intra_extension_id): raise exception.NotImplemented() # pragma: no cover @@ -1979,18 +2026,6 @@ class LogDriver(object): raise exception.NotImplemented() # pragma: no cover -# @dependency.provider('superextension_api') -# class SuperExtensionManager(manager.Manager): -# -# def __init__(self): -# driver = CONF.moon.superextension_driver -# super(SuperExtensionManager, self).__init__(driver) -# -# def authz(self, sub, obj, act): -# #return self.driver.admin(sub, obj, act) -# return True - - # @dependency.provider('interextension_api') # @dependency.requires('identity_api') # class InterExtensionManager(manager.Manager): 
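Review bot: The `add_subject_dict`, `del_subject` and `set_subject_dict` overrides added to both `IntraExtensionAuthzManager` and `IntraExtensionAdminManager` are bare `return`/`pass` stubs, so callers (including the tenant subject-sync added in this commit) receive `None` and no subject is ever written, while the parent implementation and its `@enforce` check are bypassed without a log line. Until the sync exists, delegate to the parent so behaviour is unchanged, e.g. `return super(IntraExtensionAdminManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict)`, and keep the TODO. The object/action overrides that raise `ObjectsWriteNoAuthorized` / `ActionsWriteNoAuthorized` are a sound deny-by-default, but they should carry a docstring stating why an admin extension's perimeter is immutable (presumably because it is the policy that governs itself) — the rationale is recorded nowhere in the diff.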
@@ -2028,26 +2063,6 @@ class LogDriver(object): # return ref # # -# class SuperExtensionDriver(object): -# -# def __init__(self): -# self.__super_extension = None -# -# def admin(self, sub, obj, act): -# return self.__super_extension.authz(sub, obj, act) -# -# def delegate(self, delegating_uuid, delegated_uuid, privilege): # TODO later -# pass -# -# # Getter and Setter for SuperExtensions -# -# def get_super_extensions(self): -# raise exception.NotImplemented() # pragma: no cover -# -# def create_super_extensions(self, super_id, super_extension): -# raise exception.NotImplemented() # pragma: no cover -# -# # class InterExtensionDriver(object): # # # Getter and Setter for InterExtensions diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index 37116d68..d2e67030 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py @@ -69,6 +69,12 @@ class TenantNoIntraExtension(TenantException): logger = "ERROR" +class TenantNoIntraAuthzExtension(TenantNoIntraExtension): + message_format = _("The tenant has not intra_admin_extension.") + code = 400 + title = 'Tenant No Intra_Admin_Extension' + logger = "ERROR" + # Exceptions for IntraExtension @@ -230,6 +236,20 @@ class ActionNameExisting(AdminPerimeter): logger = "ERROR" +class ObjectsWriteNoAuthorized(AdminPerimeter): + message_format = _("The modification on Objects is not authorized.") + code = 400 + title = 'Objects Write No Authorized' + logger = "AUTHZ" + + +class ActionsWriteNoAuthorized(AdminPerimeter): + message_format = _("The modification on Actions is not authorized.") + code = 400 + title = 'Actions Write No Authorized' + logger = "AUTHZ" + + class SubjectScopeUnknown(AdminScope): message_format = _("The given subject scope is unknown.") code = 400 
diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py index a49ca206..352b69ac 100644 --- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py +++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py 
@@ -12,156 +12,183 @@ def upgrade(migrate_engine): meta.bind = migrate_engine intra_extension_table = sql.Table( - 'intra_extension', + 'intra_extensions', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('name', sql.String(64), nullable=False), - sql.Column('model', sql.String(64), nullable=True), - sql.Column('description', sql.Text(), nullable=True), + sql.Column('intra_extension', k_sql.JsonBlob(), nullable=True), mysql_engine='InnoDB', mysql_charset='utf8') intra_extension_table.create(migrate_engine, checkfirst=True) - subjects_table = sql.Table( - 'subject', + tenant_table = sql.Table( + 'tenants', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('subjects', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False), + sql.Column('tenant', k_sql.JsonBlob(), nullable=True), mysql_engine='InnoDB', mysql_charset='utf8') - subjects_table.create(migrate_engine, checkfirst=True) + tenant_table.create(migrate_engine, checkfirst=True) - objects_table = sql.Table( - 'object', + subject_categories_table = sql.Table( + 'subject_categories', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('objects', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False), + sql.Column('subject_category', k_sql.JsonBlob(), nullable=True), + sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False), mysql_engine='InnoDB', mysql_charset='utf8') - objects_table.create(migrate_engine, checkfirst=True) + subject_categories_table.create(migrate_engine, checkfirst=True) - actions_table = sql.Table( - 'action', + object_categories_table = sql.Table( + 'object_categories', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('actions', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), 
nullable=False), + sql.Column('object_category', k_sql.JsonBlob(), nullable=True), + sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False), mysql_engine='InnoDB', mysql_charset='utf8') - actions_table.create(migrate_engine, checkfirst=True) + object_categories_table.create(migrate_engine, checkfirst=True) - subject_categories_table = sql.Table( - 'subject_category', + action_categories_table = sql.Table( + 'action_categories', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('subject_categories', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False), + sql.Column('action_category', k_sql.JsonBlob(), nullable=True), + sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False), mysql_engine='InnoDB', mysql_charset='utf8') - subject_categories_table.create(migrate_engine, checkfirst=True) + action_categories_table.create(migrate_engine, checkfirst=True) - object_categories_table = sql.Table( - 'object_category', + subjects_table = sql.Table( + 'subjects', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('object_categories', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False), + sql.Column('subject', k_sql.JsonBlob(), nullable=True), + sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False), mysql_engine='InnoDB', mysql_charset='utf8') - object_categories_table.create(migrate_engine, checkfirst=True) + subjects_table.create(migrate_engine, checkfirst=True) - action_categories_table = sql.Table( - 'action_category', + objects_table = sql.Table( + 'objects', meta, sql.Column('id', sql.String(64), primary_key=True), - sql.Column('action_categories', k_sql.JsonBlob(), nullable=True), - sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False), + 
sql.Column('object', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- action_categories_table.create(migrate_engine, checkfirst=True)
+ objects_table.create(migrate_engine, checkfirst=True)
- subject_category_values_table = sql.Table(
- 'subject_category_scope',
+ actions_table = sql.Table(
+ 'actions',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- subject_category_values_table.create(migrate_engine, checkfirst=True)
+ actions_table.create(migrate_engine, checkfirst=True)
- object_category_values_table = sql.Table(
- 'object_category_scope',
+ subject_scopes_table = sql.Table(
+ 'subject_scopes',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- object_category_values_table.create(migrate_engine, checkfirst=True)
+ subject_scopes_table.create(migrate_engine, checkfirst=True)
- action_category_values_table = sql.Table(
- 'action_category_scope',
+ object_scopes_table = sql.Table(
+ 'object_scopes',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_scope', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- action_category_values_table.create(migrate_engine, checkfirst=True)
+ object_scopes_table.create(migrate_engine, checkfirst=True)
- subject_category_assignments_table = sql.Table(
- 'subject_category_assignment',
+ action_scopes_table = sql.Table(
+ 'action_category_scopes',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('subject_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_scope', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- subject_category_assignments_table.create(migrate_engine, checkfirst=True)
+ action_scopes_table.create(migrate_engine, checkfirst=True)
- object_category_assignments_table = sql.Table(
- 'object_category_assignment',
+ subject_assignments_table = sql.Table(
+ 'subject_assignments',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('object_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('subject_category_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False),
+ sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- object_category_assignments_table.create(migrate_engine, checkfirst=True)
+ subject_assignments_table.create(migrate_engine, checkfirst=True)
- action_category_assignments_table = sql.Table(
- 'action_category_assignment',
+ object_assignments_table = sql.Table(
+ 'object_assignments',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('action_category_assignments', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('object_assignments', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False),
+ sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- action_category_assignments_table.create(migrate_engine, checkfirst=True)
+ object_assignments_table.create(migrate_engine, checkfirst=True)
- meta_rule_table = sql.Table(
- 'metarule',
+ action_assignments_table = sql.Table(
+ 'action_assignments',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('sub_meta_rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('aggregation', sql.Text(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('action_assignment', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False),
+ sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- meta_rule_table.create(migrate_engine, checkfirst=True)
+ action_assignments_table.create(migrate_engine, checkfirst=True)
- rule_table = sql.Table(
- 'rule',
+ aggregation_algorithm_table = sql.Table(
+ 'aggregation_algorithm',
 meta,
 sql.Column('id', sql.String(64), primary_key=True),
- sql.Column('rules', k_sql.JsonBlob(), nullable=True),
- sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+ sql.Column('aggregation_algorithm', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
 mysql_engine='InnoDB',
 mysql_charset='utf8')
- rule_table.create(migrate_engine, checkfirst=True)
+ aggregation_algorithm_table.create(migrate_engine, checkfirst=True)
+
+ sub_meta_rules_table = sql.Table(
+ 'sub_meta_rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('sub_meta_rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ sub_meta_rules_table.create(migrate_engine, checkfirst=True)
+
+ rules_table = sql.Table(
+ 'rules',
+ meta,
+ sql.Column('id', sql.String(64), primary_key=True),
+ sql.Column('rule', k_sql.JsonBlob(), nullable=True),
+ sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+ mysql_engine='InnoDB',
+ mysql_charset='utf8')
+ rules_table.create(migrate_engine, checkfirst=True)
+
+ # TODO: load root_extension
 def downgrade(migrate_engine):
@@ -169,21 +196,22 @@ def downgrade(migrate_engine):
 meta.bind = migrate_engine
 for _table in (
- 'subject',
- 'object',
- 'action',
- 'subject_category',
- 'object_category',
- 'action_category',
- 'subject_category_scope',
- 'object_category_scope',
- 'action_category_scope',
- 'subject_category_assignment',
- 'object_category_assignment',
- 'action_category_assignment',
- 'metarule',
- 'rule',
- 'intra_extension',
+ 'rules',
+ 'sub_meta_rules',
+ 'action_category_assignments',
+ 'object_category_assignments',
+ 'subject_category_assignments',
+ 'action_category_scopes',
+ 'object_category_scopes',
+ 'subject_category_scopes',
+ 'actions',
+ 'objects',
+ 'subjects',
+ 'action_categories',
+ 'object_categories',
+ 'subject_categories',
+ 'tenants',
+ 'intra_extensions'
 ):
 try:
 table = sql.Table(_table, meta, autoload=True) |
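Review bot: The table names in the new downgrade tuple do not match what upgrade() now creates: this hunk drops 'subject_category_scopes', 'object_category_scopes', 'action_category_assignments', 'object_category_assignments' and 'subject_category_assignments', while the upgrade hunk above creates 'subject_scopes', 'object_scopes', 'action_assignments', 'object_assignments' and 'subject_assignments', and the new 'aggregation_algorithm' table is not dropped at all. The loop body continues past the hunk and appears to wrap the autoload in try/except, so the wrong names presumably fail silently, leaving those authorization tables and the policy assignments stored in them in place after a rollback; on InnoDB the later drops of 'subjects', 'objects', 'actions' and the *_categories tables would then be blocked by the foreign keys the leftover assignment and scope tables hold on them. Only 'action_category_scopes' lines up, and that is because upgrade() itself names that table inconsistently with its 'subject_scopes'/'object_scopes' siblings; whichever name is intended, both functions must agree. Suggested head of the tuple below, with the entries from 'actions' down unchanged.
```python
    for _table in (
        # … unchanged: 'rules', 'sub_meta_rules' …
        'aggregation_algorithm',
        'action_assignments',
        'object_assignments',
        'subject_assignments',
        'action_category_scopes',
        'object_scopes',
        'subject_scopes',
        # … unchanged: 'actions' through 'intra_extensions' …
    ):
```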