Diffstat (limited to 'keystone-moon')
14 files changed, 144 insertions, 13 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json
new file mode 100644
index 00000000..24018a09
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json
@@ -0,0 +1,7 @@
+{
+ "subject_assignments": {},
+
+ "action_assignments": {},
+
+ "object_assignments": {}
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json
new file mode 100644
index 00000000..3c9be2e5
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json
@@ -0,0 +1,12 @@
+{
+ "name": "Empty_Policy",
+ "model": "",
+ "genre": "admin",
+ "description": "Empty Policy",
+
+ "subject_categories": [],
+
+ "action_categories": [],
+
+ "object_categories": []
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json
new file mode 100644
index 00000000..7acd8848
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": [],
+ "action_categories": [],
+ "object_categories": [],
+ "algorithm": ""
+ }
+ },
+ "aggregation": ""
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json
new file mode 100644
index 00000000..54dbfc31
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json
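Review bot: policy_empty_admin/metarule.json ships `"algorithm": ""` and `"aggregation": ""`, and nothing on the page says how the loader treats an empty algorithm name, so whether importing this "empty" admin policy leaves the tenant with everything denied or with nothing constrained is not stated anywhere an operator would see it. The sibling metadata.json also has `"model": ""`, which gives no further hint. A one-line statement of the intended effect in the metadata description would make that explicit, e.g. `"description": "Empty Policy: no categories, scopes or rules; populate before use"`. The same metarule.json and metadata layout are added unchanged under policy_empty_authz, so the point applies there too.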
@@ -0,0 +1,39 @@
+{
+ "subjects": [],
+ "actions": [
+ "read",
+ "write"
+ ],
+ "objects": [
+ "authz.subjects",
+ "authz.objects",
+ "authz.actions",
+ "authz.subject_categories",
+ "authz.object_categories",
+ "authz.action_categories",
+ "authz.subject_scopes",
+ "authz.object_scopes",
+ "authz.action_scopes",
+ "authz.subject_assignments",
+ "authz.object_assignments",
+ "authz.action_assignments",
+ "authz.aggregation_algorithm",
+ "authz.sub_meta_rules",
+ "authz.rules",
+ "admin.subjects",
+ "admin.objects",
+ "admin.actions",
+ "admin.subject_categories",
+ "admin.object_categories",
+ "admin.action_categories",
+ "admin.subject_scopes",
+ "admin.object_scopes",
+ "admin.action_scopes",
+ "admin.subject_assignments",
+ "admin.object_assignments",
+ "admin.action_assignments",
+ "admin.aggregation_algorithm",
+ "admin.sub_meta_rules",
+ "admin.rules"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json b/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json
new file mode 100644
index 00000000..fe4fae5a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json
@@ -0,0 +1,3 @@
+{
+ "mls_rule":[]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json b/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json
new file mode 100644
index 00000000..1efebe6f
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json
@@ -0,0 +1,7 @@
+{
+ "subject_scopes": {},
+
+ "action_scopes": {},
+
+ "object_scopes": {}
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json
new file mode 100644
index 00000000..24018a09
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json
@@ -0,0 +1,7 @@
+{
+ "subject_assignments": {},
+
+ "action_assignments": {},
+
+ "object_assignments": {}
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json
new file mode 100644
index 00000000..4f300d78
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json
@@ -0,0 +1,12 @@
+{
+ "name": "MLS_Policy",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Level Security Policy",
+
+ "subject_categories": [],
+
+ "action_categories": [],
+
+ "object_categories": []
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json
new file mode 100644
index 00000000..7acd8848
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": [],
+ "action_categories": [],
+ "object_categories": [],
+ "algorithm": ""
+ }
+ },
+ "aggregation": ""
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json
new file mode 100644
index 00000000..9da8a8c0
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json
@@ -0,0 +1,5 @@
+{
+ "subjects": [],
+ "actions": [],
+ "objects": []
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json b/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json
new file mode 100644
index 00000000..fe4fae5a
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json
@@ -0,0 +1,3 @@
+{
+ "mls_rule":[]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json b/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json
new file mode 100644
index 00000000..1efebe6f
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json
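Review bot: policy_empty_authz/metadata.json names and describes itself as a Multi Level Security policy (`"name": "MLS_Policy"`, `"model": "MLS"`, `"description": "Multi Level Security Policy"`) although every category, scope, assignment and rule in the directory is empty and the admin twin added in the same commit calls itself `Empty_Policy`. Anyone selecting a policy by name would pick this up expecting MLS semantics and get an unconstrained template instead. Suggest aligning it with the admin variant: `"name": "Empty_Policy"`, `"model": ""`, `"description": "Empty Policy"`.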
@@ -0,0 +1,7 @@
+{
+ "subject_scopes": {},
+
+ "action_scopes": {},
+
+ "object_scopes": {}
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
index ed1950b0..f2378333 100644
--- a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
@@ -2,7 +2,7 @@
 "subject_assignments": {
 "role": {
 "admin": ["root_role"],
- "demo": ["dev"]
+ "demo": ["dev_role"]
 }
 },
 "action_assignments": {
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index 4f8074f7..6f9832e9 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -411,10 +411,13 @@ class TenantManager(manager.Manager):
 if 'id' not in tenant_dict:
 tenant_dict['id'] = None
 keystone_tenant = self.__get_keystone_tenant_dict(tenant_dict['id'], tenant_dict['name'])
- tenant_dict.update(keystone_tenant)
+ for att in keystone_tenant:
+ if keystone_tenant[att]:
+ tenant_dict[att] = keystone_tenant[att]
 # Sync users between intra_authz_extension and intra_admin_extension
- if 'intra_admin_extension_id' in tenant_dict:
- if 'intra_authz_extension_id' in tenant_dict:
+ self.moonlog_api.debug("add_tenant_dict {}".format(tenant_dict))
+ if 'intra_admin_extension_id' in tenant_dict and tenant_dict['intra_admin_extension_id']:
+ if 'intra_authz_extension_id' in tenant_dict and tenant_dict['intra_authz_extension_id']:
 # authz_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_authz_extension_id'])
 # admin_subjects_dict = self.admin_api.get_subjects_dict(self.root_api.get_root_admin_id(), tenant_dict['intra_admin_extension_id'])
 # for _subject_id in authz_subjects_dict:
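Review bot: The loop that replaces `tenant_dict.update(keystone_tenant)` copies an attribute only when its value is truthy, so a Keystone field that is legitimately `False` or `0` (an `enabled` flag, if the Keystone tenant dict carries one — it is not visible here) is silently left at whatever the caller supplied. If the goal is only to avoid clobbering good values with missing ones, `if keystone_tenant[att] is not None:` says that without discarding falsy data. The new `self.moonlog_api.debug("add_tenant_dict {}".format(tenant_dict))` writes the whole merged tenant dict to the log; worth confirming that nothing from the Keystone side that should stay out of logs can land in it. The enclosing add_tenant_dict body starts and continues outside the hunk.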
@@ -1239,14 +1242,14 @@ class IntraExtensionManager(manager.Manager):
 def get_object_dict(self, user_id, intra_extension_id, object_id):
 objects_dict = self.driver.get_objects_dict(intra_extension_id)
 if object_id not in objects_dict:
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object id: {}".format(object_id))
 return objects_dict[object_id]
 
 @filter_input
 @enforce(("read", "write"), "objects")
 def del_object(self, user_id, intra_extension_id, object_id):
 if object_id not in self.driver.get_objects_dict(intra_extension_id):
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object id: {}".format(object_id))
 # Destroy assignments related to this category
 for object_category_id in self.driver.get_object_categories_dict(intra_extension_id):
 for _object_id in self.driver.get_objects_dict(intra_extension_id):
@@ -1570,7 +1573,7 @@ class IntraExtensionManager(manager.Manager):
 @enforce("read", "object_categories")
 def get_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id):
 if object_id not in self.driver.get_objects_dict(intra_extension_id):
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object id: {}".format(object_id))
 if object_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
 raise ObjectCategoryUnknown()
 return self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id)
@@ -1581,7 +1584,7 @@ class IntraExtensionManager(manager.Manager):
 @enforce("read", "object_categories")
 def add_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id):
 if object_id not in self.driver.get_objects_dict(intra_extension_id):
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object id: {}".format(object_id))
 if object_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
 raise ObjectCategoryUnknown()
 if object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id):
@@ -1597,7 +1600,7 @@ class IntraExtensionManager(manager.Manager):
 @enforce("read", "object_scopes")
 def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id):
 if object_id not in self.driver.get_objects_dict(intra_extension_id):
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object id: {}".format(object_id))
 if object_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
 raise ObjectCategoryUnknown()
 if object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id):
@@ -1820,7 +1823,9 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
 tenants_dict = self.tenant_api.get_tenants_dict(self.root_api.get_root_admin_id())
 if tenant_id not in tenants_dict:
- raise TenantUnknown()
+ # raise TenantUnknown("Cannot authz because Tenant is unknown {}".format(tenant_id))
+ LOG.warning("Cannot authz because Tenant is not managed by Moon {}".format(tenant_id))
+ return {'authz': True, 'comment': "Cannot authz because Tenant is not managed by Moon {}".format(tenant_id)}
 intra_extension_id = tenants_dict[tenant_id][genre]
 if not intra_extension_id:
 raise TenantNoIntraExtension()
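Review bot: The new branch in authz turns an unknown tenant from a hard failure into an allow: `return {'authz': True, ...}` is reached for every tenant_id Moon does not know, so a mistyped or not-yet-registered tenant now passes the authorization check with nothing but a warning line to show for it. If the intent is that tenants outside Moon fall back to Keystone's own policy, that pass-through should be deliberate and distinguishable from a genuine Moon decision rather than implied by a commented-out raise; replace the dead `# raise TenantUnknown(...)` line with a comment such as `# Tenant not registered in Moon: deliberately bypass Moon authz (fail-open); Keystone policy still applies` and consider making the bypass an explicit configuration choice that defaults to the previous raise. The enclosing authz method starts outside the hunk.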
@@ -1831,7 +1836,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
 subject_id = _subject_id
 break
 if not subject_id:
- raise SubjectUnknown()
+ raise SubjectUnknown("Unknown subject id: {}".format(subject_k_id))
 objects_dict = self.driver.get_objects_dict(intra_extension_id)
 object_id = None
 for _object_id in objects_dict:
@@ -1839,7 +1844,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
 object_id = _object_id
 break
 if not object_id:
- raise ObjectUnknown("Unknown object name: {}".format(object_id))
+ raise ObjectUnknown("Unknown object name: {}".format(object_name))
 actions_dict = self.driver.get_actions_dict(intra_extension_id)
 action_id = None
@@ -1848,7 +1853,7 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
 action_id = _action_id
 break
 if not action_id:
- raise ActionUnknown()
+ raise ActionUnknown("Unknown action name: {}".format(action_name))
 return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
 
 def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
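Review bot: The new SubjectUnknown message formats `subject_k_id`, a name that does not appear anywhere in the hunk; the object and action branches below format the `object_name` and `action_name` they search for, so presumably `subject_k_id` is the authz parameter matched in the loop above this hunk — if it is not, the raise itself fails with a NameError instead of the intended SubjectUnknown. Worth confirming against the signature of authz, which starts outside the hunk.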