aboutsummaryrefslogtreecommitdiffstats
path: root/keystone-moon/etc/policies/policy_authz
diff options
context:
space:
mode:
Diffstat (limited to 'keystone-moon/etc/policies/policy_authz')
-rw-r--r--keystone-moon/etc/policies/policy_authz/assignment.json55
-rw-r--r--keystone-moon/etc/policies/policy_authz/metadata.json23
-rw-r--r--keystone-moon/etc/policies/policy_authz/metarule.json24
-rw-r--r--keystone-moon/etc/policies/policy_authz/perimeter.json21
-rw-r--r--keystone-moon/etc/policies/policy_authz/rule.json25
-rw-r--r--keystone-moon/etc/policies/policy_authz/scope.json49
6 files changed, 197 insertions, 0 deletions
diff --git a/keystone-moon/etc/policies/policy_authz/assignment.json b/keystone-moon/etc/policies/policy_authz/assignment.json
new file mode 100644
index 00000000..7a6c722e
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/assignment.json
@@ -0,0 +1,55 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "admin": ["high"],
+ "demo": ["medium"]
+ },
+ "domain":{
+ "admin": ["ft"],
+ "demo": ["xx"]
+ },
+ "role": {
+ "admin": ["admin"],
+ "demo": ["dev"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"],
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"],
+ "upload": ["storage_admin"]
+ },
+ "access": {
+ "pause": ["write"],
+ "unpause": ["write"],
+ "start": ["write"],
+ "stop": ["write"],
+ "list": ["read"],
+ "create": ["write"],
+ "storage_list": ["read"],
+ "download": ["read"],
+ "post": ["write"],
+ "upload": ["write"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ },
+ "type": {
+ "servers": ["computing"]
+ },
+ "object_id": {
+ "servers": ["servers"]
+ }
+ }
+}
diff --git a/keystone-moon/etc/policies/policy_authz/metadata.json b/keystone-moon/etc/policies/policy_authz/metadata.json
new file mode 100644
index 00000000..d0db90db
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/metadata.json
@@ -0,0 +1,23 @@
+{
+ "name": "Multiple_Policy",
+ "model": "Multiple",
+ "genre": "authz",
+ "description": "Multiple Security Policies",
+
+ "subject_categories": [
+ "subject_security_level",
+ "domain",
+ "role"
+ ],
+
+ "action_categories": [
+ "resource_action",
+ "access"
+ ],
+
+ "object_categories": [
+ "object_security_level",
+ "type",
+ "object_id"
+ ]
+}
diff --git a/keystone-moon/etc/policies/policy_authz/metarule.json b/keystone-moon/etc/policies/policy_authz/metarule.json
new file mode 100644
index 00000000..c9afd6c2
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/metarule.json
@@ -0,0 +1,24 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ },
+ "dte_rule": {
+ "subject_categories": ["domain"],
+ "action_categories": ["access"],
+ "object_categories": ["type"],
+ "algorithm": "inclusion"
+ },
+ "rbac_rule": {
+ "subject_categories": ["role", "domain"],
+ "action_categories": ["access"],
+ "object_categories": ["object_id"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/etc/policies/policy_authz/perimeter.json b/keystone-moon/etc/policies/policy_authz/perimeter.json
new file mode 100644
index 00000000..47a8ee45
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/perimeter.json
@@ -0,0 +1,21 @@
+{
+ "subjects": [
+ "admin",
+ "demo"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list",
+ "upload",
+ "download",
+ "post",
+ "storage_list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/etc/policies/policy_authz/rule.json b/keystone-moon/etc/policies/policy_authz/rule.json
new file mode 100644
index 00000000..25f9d93a
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/rule.json
@@ -0,0 +1,25 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ],
+ "dte_rule":[
+ ["ft", "read", "computing"],
+ ["ft", "write", "computing"],
+ ["ft", "read", "storage"],
+ ["ft", "write", "storage"],
+ ["xx", "read", "storage"]
+ ],
+ "rbac_rule":[
+ ["dev", "xx", "read", "servers"],
+ ["admin", "xx", "read", "servers"],
+ ["admin", "ft", "read", "servers"]
+ ]
+}
diff --git a/keystone-moon/etc/policies/policy_authz/scope.json b/keystone-moon/etc/policies/policy_authz/scope.json
new file mode 100644
index 00000000..9b313daf
--- /dev/null
+++ b/keystone-moon/etc/policies/policy_authz/scope.json
@@ -0,0 +1,49 @@
+{
+ "subject_scopes": {
+ "role": [
+ "admin",
+ "dev"
+ ],
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ],
+ "domain": [
+ "ft",
+ "xx"
+ ]
+ },
+
+ "action_scopes": {
+ "resource_action": [
+ "vm_admin",
+ "vm_access",
+ "storage_admin",
+ "storage_access"
+ ],
+ "access": [
+ "write",
+ "read"
+ ]
+ },
+
+ "object_scopes": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ],
+ "type": [
+ "computing",
+ "storage"
+ ],
+ "object_id": [
+ "servers",
+ "vm1",
+ "vm2",
+ "file1",
+ "file2"
+ ]
+ }
+}