Diffstat (limited to 'keystone-moon/examples/moon/policies')
29 files changed, 606 insertions, 0 deletions
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json b/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json
new file mode 100644
index 00000000..c917638c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/assignment.json
@@ -0,0 +1,25 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "user1": ["low"],
+ "user2": ["medium"],
+ "user3": ["high"]
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "vm1": ["low"],
+ "vm2": ["medium"]
+ }
+ }
+}
\ No newline at end of file
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json b/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json
new file mode 100644
index 00000000..0c21f178
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "computing_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json b/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json
new file mode 100644
index 00000000..0f717458
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["computing_action"],
+ "object_categories": ["object_security_level"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json b/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json
new file mode 100644
index 00000000..7badb6f5
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/rules.json
@@ -0,0 +1,13 @@
+{
+ "relation_super":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ]
+}
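Review bot: This assignment file names subjects `user1`–`user3` and objects `vm1`/`vm2`, but `mls_conf/authz` is the only one of the five policy directories in this commit that ships no perimeter.json (the diffstat's 29 files are 4×6 plus these 5), so those names are assigned attributes without being declared anywhere. If the loader validates assignments against a perimeter, as the other directories' layout suggests, this policy will fail to load or silently drop the assignments; either add a perimeter.json listing them or document that mls_conf is a template that is not loaded directly. The file also lacks a trailing newline, as does mls_conf/authz/rules.json.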
\ No newline at end of file
diff --git a/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json b/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json
new file mode 100644
index 00000000..f07b0071
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/mls_conf/authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_admin",
+ "vm_access"
+ ]
+ },
+
+ "object_category_scope": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json
new file mode 100644
index 00000000..e1c208df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/assignment.json
@@ -0,0 +1,37 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "ie_action":{
+ "read": ["ie_admin", "ie_access"],
+ "write": ["ie_admin"],
+ "create": ["ie_admin"],
+ "delete": ["ie_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "subjects": ["subjects"],
+ "objects": ["objects"],
+ "actions": ["actions"],
+ "subject_categories": ["subject_categories"],
+ "object_categories": ["object_categories"],
+ "action_categories": ["action_categories"],
+ "subject_category_scope": ["subject_category_scope"],
+ "object_category_scope": ["object_category_scope"],
+ "action_category_scope": ["action_category_scope"],
+ "sub_rules": ["sub_rules"],
+ "sub_meta_rule": ["sub_meta_rule"],
+ "subject_assignments": ["subject_assignments"],
+ "object_assignments": ["object_assignments"],
+ "action_assignments": ["action_assignments"],
+ "sub_meta_rule_relations": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"]
+ }
+ }
+} 
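Review bot: In mls_conf/authz/rules.json the `vm_admin` rows only permit a subject to administer objects at a strictly lower level — there is no `["high", "vm_admin", "high"]`, `["medium", "vm_admin", "medium"]` or `["low", "vm_admin", "low"]` — whereas every `vm_access` row includes the same-level case, so a high-level subject can access a high-level VM but never pause, stop or start it. If that strict-dominance rule for administrative actions is intended, say so in the policy's `description` (currently `""` in mls_conf/authz/metadata.json); if not, the three same-level tuples are missing. The identical table is committed again as policy_mls_authz/rules.json, so whichever way this is resolved should be applied to both.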
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json
new file mode 100644
index 00000000..f65cb271
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC_metadata",
+ "model": "RBAC",
+ "genre": "authz",
+ "description": "Role Based access Control authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "ie_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json
new file mode 100644
index 00000000..3a2c7b75
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["ie_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json
new file mode 100644
index 00000000..e570aae1
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/perimeter.json
@@ -0,0 +1,29 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "read",
+ "write",
+ "create",
+ "delete"
+ ],
+ "objects": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms",
+ "sub_meta_rule"
+ ]
+} 
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json b/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json
new file mode 100644
index 00000000..e17ba8f3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/rules.json
@@ -0,0 +1,20 @@
+{
+ "relation_super":[
+ ["admin", "ie_admin", "subjects"],
+ ["admin", "ie_admin", "objects"],
+ ["admin", "ie_admin", "actions"],
+ ["admin", "ie_admin", "subject_categories"],
+ ["admin", "ie_admin", "object_categories"],
+ ["admin", "ie_admin", "action_categories"],
+ ["admin", "ie_admin", "subject_category_scope"],
+ ["admin", "ie_admin", "object_category_scope"],
+ ["admin", "ie_admin", "action_category_scope"],
+ ["admin", "ie_admin", "sub_rules"],
+ ["admin", "ie_admin", "sub_meta_rule"],
+ ["admin", "ie_admin", "subject_assignments"],
+ ["admin", "ie_admin", "object_assignments"],
+ ["admin", "ie_admin", "action_assignments"],
+ ["admin", "ie_admin", "sub_meta_rule_relations"],
+ ["admin", "ie_admin", "aggregation_algorithms"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json b/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json
new file mode 100644
index 00000000..faf06d2c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_admin/scope.json
@@ -0,0 +1,35 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "ie_action": [
+ "ie_access",
+ "ie_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "sub_meta_rule",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms"
+ ]
+ }
+} 
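Review bot: Every row of policy_mls_admin/rules.json grants `ie_admin` and nothing grants `ie_access`, yet scope.json declares `ie_access` and assignment.json attaches it to `read` (`"read": ["ie_admin", "ie_access"]`); with `and_true_aggregation` this is presumably fail-closed, so the practical effect is that `read` is admin-only and the `ie_access` attribute is dead configuration rather than an over-grant. Either add the `ie_access` rows that a read-only role is meant to get or remove the attribute from scope and assignment so the policy says what it enforces. Note also that policy_mls_admin and policy_rbac_admin are byte-identical (same blob ids for all six files), so either the MLS variant was meant to differ or the two copies will drift; a note in `description` saying which is canonical would help.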
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..e2a244b3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,23 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..56dc57df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,19 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "computing_action",
+ "storage_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..0f717458
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["computing_action"],
+ "object_categories": ["object_security_level"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
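Review bot: `subject_security_level` in policy_mls_authz/assignment.json is an empty object, so the only subject this policy's perimeter declares, `admin`, carries no security level, and every row of rules.json keys on the subject level; unless a level is assigned to `admin` elsewhere, no rule can ever match and (presumably fail-closed under `and_true_aggregation`) every request under this policy is denied. The mls_conf/authz/assignment.json in the same commit shows the expected shape, e.g. `"admin": ["high"]`. If an empty assignment is deliberate — the policy is meant to be completed per deployment — that should be stated in the policy's `description`.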
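Review bot: policy_mls_authz/metadata.json declares `storage_action` under `action_categories`, but nothing else in the directory references it: scope.json has no `storage_action` entry, assignment.json assigns nothing under it and metarule.json lists only `computing_action`. Either drop the entry or add the corresponding scope, assignment and meta-rule pieces — policy_rbac_authz shows the complete form. The value `"name": "MLS_metadata"` is also used by mls_conf/authz/metadata.json and policy_rbac_authz/metadata.json; if names must be unique among loaded policies, these will collide, so consider giving each a distinct name such as `"MLS_authz"` (a constructed example).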
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..4bf88de7
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,16 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json
new file mode 100644
index 00000000..f018a6fc
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/rules.json
@@ -0,0 +1,13 @@
+{
+ "relation_super":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "high"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "medium"],
+ ["medium", "vm_access", "low"],
+ ["low", "vm_access", "low"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..d3146acb
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_access",
+ "vm_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
new file mode 100644
index 00000000..e1c208df
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
@@ -0,0 +1,37 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "ie_action":{
+ "read": ["ie_admin", "ie_access"],
+ "write": ["ie_admin"],
+ "create": ["ie_admin"],
+ "delete": ["ie_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "subjects": ["subjects"],
+ "objects": ["objects"],
+ "actions": ["actions"],
+ "subject_categories": ["subject_categories"],
+ "object_categories": ["object_categories"],
+ "action_categories": ["action_categories"],
+ "subject_category_scope": ["subject_category_scope"],
+ "object_category_scope": ["object_category_scope"],
+ "action_category_scope": ["action_category_scope"],
+ "sub_rules": ["sub_rules"],
+ "sub_meta_rule": ["sub_meta_rule"],
+ "subject_assignments": ["subject_assignments"],
+ "object_assignments": ["object_assignments"],
+ "action_assignments": ["action_assignments"],
+ "sub_meta_rule_relations": ["sub_meta_rule_relations"],
+ "aggregation_algorithms": ["aggregation_algorithms"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
new file mode 100644
index 00000000..f65cb271
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC_metadata",
+ "model": "RBAC",
+ "genre": "authz",
+ "description": "Role Based access Control authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "ie_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
new file mode 100644
index 00000000..3a2c7b75
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["ie_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
new file mode 100644
index 00000000..e570aae1
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
@@ -0,0 +1,29 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "read",
+ "write",
+ "create",
+ "delete"
+ ],
+ "objects": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms",
+ "sub_meta_rule"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json
new file mode 100644
index 00000000..e17ba8f3
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/rules.json
@@ -0,0 +1,20 @@
+{
+ "relation_super":[
+ ["admin", "ie_admin", "subjects"],
+ ["admin", "ie_admin", "objects"],
+ ["admin", "ie_admin", "actions"],
+ ["admin", "ie_admin", "subject_categories"],
+ ["admin", "ie_admin", "object_categories"],
+ ["admin", "ie_admin", "action_categories"],
+ ["admin", "ie_admin", "subject_category_scope"],
+ ["admin", "ie_admin", "object_category_scope"],
+ ["admin", "ie_admin", "action_category_scope"],
+ ["admin", "ie_admin", "sub_rules"],
+ ["admin", "ie_admin", "sub_meta_rule"],
+ ["admin", "ie_admin", "subject_assignments"],
+ ["admin", "ie_admin", "object_assignments"],
+ ["admin", "ie_admin", "action_assignments"],
+ ["admin", "ie_admin", "sub_meta_rule_relations"],
+ ["admin", "ie_admin", "aggregation_algorithms"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
new file mode 100644
index 00000000..faf06d2c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json
@@ -0,0 +1,35 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "ie_action": [
+ "ie_access",
+ "ie_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "subjects",
+ "objects",
+ "actions",
+ "subject_categories",
+ "object_categories",
+ "action_categories",
+ "subject_category_scope",
+ "object_category_scope",
+ "action_category_scope",
+ "sub_rules",
+ "sub_meta_rule",
+ "subject_assignments",
+ "object_assignments",
+ "action_assignments",
+ "sub_meta_rule_relations",
+ "aggregation_algorithms"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json
new file mode 100644
index 00000000..e804b56a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/assignment.json
@@ -0,0 +1,28 @@
+{
+ "subject_assignments": {
+ "role":{
+ "admin": ["admin" ]
+ }
+ },
+
+ "action_assignments": {
+ "computing_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"]
+ },
+ "storage_action":{
+ "get": ["vm_access"],
+ "set": ["vm_access", "vm_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "id": {
+ "servers": ["servers"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json
new file mode 100644
index 00000000..7f34ed7a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/metadata.json
@@ -0,0 +1,19 @@
+{
+ "name": "MLS_metadata",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Layer Security authorization policy",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "computing_action",
+ "storage_action"
+ ],
+
+ "object_categories": [
+ "id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json
new file mode 100644
index 00000000..ce828339
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "relation_super": {
+ "subject_categories": ["role"],
+ "action_categories": ["computing_action", "storage_action"],
+ "object_categories": ["id"],
+ "relation": "relation_super"
+ }
+ },
+ "aggregation": "and_true_aggregation"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json
new file mode 100644
index 00000000..4bf88de7
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/perimeter.json
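Review bot: policy_rbac_authz/assignment.json assigns attributes to `get` and `set` under `storage_action`, but this policy's perimeter.json lists only `pause`, `unpause`, `start`, `stop`, `create` and `list`, so the two storage actions are attributed without being declared. If the loader validates assignments against the perimeter they will be rejected; if it does not, the rows in rules.json that require a `storage_action` value are presumably unreachable for the six declared actions, which carry only a `computing_action` attribute. Either add `"get"` and `"set"` to the perimeter's `actions` or drop the `storage_action` block here, and in either case check that the four-element rule rows match the action shape the engine will actually see.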
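Review bot: policy_rbac_authz/metadata.json carries `"name": "MLS_metadata"`, `"model": "MLS"` and `"description": "Multi Layer Security authorization policy"` while its categories (`role`, `id`) and every other file in the directory are RBAC, which reads as a copy of policy_mls_authz/metadata.json with only the category lists edited. Suggest `"name": "RBAC_metadata"`, `"model": "RBAC"` and `"description": "Role Based access Control authorization policy"`, matching policy_rbac_admin/metadata.json; if `model` is what selects the evaluation engine, the current value may also make the loader treat this policy as MLS. If policy names must be unique among loaded policies, also pick a name that does not collide with the admin policies' `RBAC_metadata`.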
@@ -0,0 +1,16 @@
+{
+ "subjects": [
+ "admin"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json
new file mode 100644
index 00000000..7f9dc3bb
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/rules.json
@@ -0,0 +1,6 @@
+{
+ "relation_super":[
+ ["admin", "vm_admin", "vm_admin", "servers"],
+ ["admin", "vm_access", "vm_access", "servers"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json
new file mode 100644
index 00000000..34c5350a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_authz/scope.json
@@ -0,0 +1,24 @@
+{
+ "subject_category_scope": {
+ "role": [
+ "admin"
+ ]
+ },
+
+ "action_category_scope": {
+ "computing_action": [
+ "vm_access",
+ "vm_admin"
+ ],
+ "storage_action": [
+ "vm_access",
+ "vm_admin"
+ ]
+ },
+
+ "object_category_scope": {
+ "id": [
+ "servers"
+ ]
+ }
+} |
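Review bot: The two rows in policy_rbac_authz/rules.json are four-element tuples (subject role, `computing_action` value, `storage_action` value, object), consistent with the meta-rule listing two action categories, but the shape is not self-describing: nothing in the file says which position belongs to which category, and the matching rule depends on the order of `action_categories` in metarule.json. Since there is no comment syntax in JSON, the policy's `description` in metadata.json should state the column order, e.g. "rule rows are [role, computing_action, storage_action, id]". Note also that an action with only a `computing_action` attribute (every action in this policy's perimeter) may or may not satisfy a row that also names a `storage_action` value, depending on how the engine treats a missing category — worth a test case either way.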