Diffstat (limited to 'moon_engine/conf')
-rw-r--r--moon_engine/conf/config.cfg12
-rw-r--r--moon_engine/conf/moon.yaml58
-rw-r--r--moon_engine/conf/moon_engine_users.json1
-rw-r--r--moon_engine/conf/policy_mls.json495
-rw-r--r--moon_engine/conf/policy_rbac.json393
-rw-r--r--moon_engine/conf/policy_rbac_mls.json525
6 files changed, 1484 insertions, 0 deletions
diff --git a/moon_engine/conf/config.cfg b/moon_engine/conf/config.cfg
new file mode 100644
index 00000000..4a7ea99c
--- /dev/null
+++ b/moon_engine/conf/config.cfg
@@ -0,0 +1,12 @@
+# Copyright 2018 Orange and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+# configuration for Gunicorn
+bind = "127.0.0.1:8081"
+workers = 2
+pid_file_dir = "/tmp/"
+
+# configuration for moon_engine
+moon = "conf/moon.yaml"
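Review bot: `pid_file_dir = "/tmp/"` places the daemon's PID file in a world-writable directory, where any local user can pre-create or symlink the expected file name before the service starts and either block startup or redirect a later signal or cleanup to a file they control; `pid_file_dir = "/run/moon_engine/"` (or another directory owned by the service user, mode 0750) avoids that. `pid_file_dir` is not a Gunicorn setting (Gunicorn's own is `pidfile`), so presumably moon_engine consumes it itself — a comment naming the consumer would help, e.g. `# read by moon_engine, not by Gunicorn`. `moon = "conf/moon.yaml"` is relative to the working directory, so `# relative to the directory gunicorn is started from` would spare a misconfiguration.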
diff --git a/moon_engine/conf/moon.yaml b/moon_engine/conf/moon.yaml
new file mode 100644
index 00000000..b46c219e
--- /dev/null
+++ b/moon_engine/conf/moon.yaml
@@ -0,0 +1,58 @@
+type: "pipeline"
+uuid:
+manager_url: ""
+incremental_updates: false
+api_token:
+data: conf/policy_rbac.json
+debug: true
+
+management:
+ password: admin
+ url:
+ user: admin
+ token_file: moon_engine_users.json
+
+orchestration:
+ driver: moon_engine.plugins.pyorchestrator
+ connection: local
+ port: 20000...20100
+ config_dir: /tmp
+
+authorization:
+ driver: moon_engine.plugins.authz
+
+plugins:
+ directory: /tmp
+
+logging:
+ version: 1
+
+ formatters:
+ brief:
+ format: "%(levelname)s %(name)s %(message)-30s"
+ custom:
+ format: "%(asctime)-15s %(levelname)s %(name)s %(message)s"
+
+ handlers:
+ console:
+ class : logging.StreamHandler
+ formatter: custom
+ level : INFO
+ stream : ext://sys.stdout
+ file:
+ class : logging.handlers.RotatingFileHandler
+ formatter: custom
+ level : DEBUG
+ filename: /tmp/moon_engine.log
+ maxBytes: 1048576
+ backupCount: 3
+
+ loggers:
+ moon:
+ level: DEBUG
+ handlers: [console, file]
+ propagate: no
+
+ root:
+ level: ERROR
+ handlers: [console]
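Review bot: The `management` block commits default credentials `user: admin` / `password: admin` alongside `debug: true`, an empty `api_token` and plugin/config directories under `/tmp`. A default password in a tracked config tends to survive into deployments; leave `password:` empty here with the comment `# set at deployment time; the engine should refuse to start with an empty or default password` (and, if the loader does not enforce that, it should). `plugins: directory: /tmp` and `orchestration: config_dir: /tmp` let any local user drop a module or config file into a world-writable directory that the engine then imports or reads; point both at a directory owned by the service user, e.g. `/var/lib/moon_engine/plugins`. `debug: true` and the DEBUG-level file handler writing to `/tmp/moon_engine.log` should also be off by default, since debug output from an authorization engine is likely to include the subjects and decisions it evaluates.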
diff --git a/moon_engine/conf/moon_engine_users.json b/moon_engine/conf/moon_engine_users.json
new file mode 100644
index 00000000..e9b18176
--- /dev/null
+++ b/moon_engine/conf/moon_engine_users.json
@@ -0,0 +1 @@
+{"_default": {}} \ No newline at end of file
diff --git a/moon_engine/conf/policy_mls.json b/moon_engine/conf/policy_mls.json
new file mode 100644
index 00000000..eac3220a
--- /dev/null
+++ b/moon_engine/conf/policy_mls.json
@@ -0,0 +1,495 @@
+{
+ "policies": [
+ {
+ "name": "MLS Policy",
+ "genre": "authz",
+ "description": "MLS policy",
+ "model": {
+ "name": "MLS"
+ },
+ "mandatory": true,
+ "override": true
+ }
+ ],
+ "models": [
+ {
+ "name": "MLS",
+ "description": "",
+ "meta_rules": [
+ {
+ "name": "mls"
+ }
+ ],
+ "override": true
+ }
+ ],
+ "subjects": [
+ {
+ "name": "admin",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "demo",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "MLS Policy"
+ }
+ ]
+ }
+ ],
+ "subject_categories": [
+ {
+ "name": "level",
+ "description": "subject level"
+ }
+ ],
+ "subject_data": [
+ {
+ "name": "high",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "medium",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "low",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ }
+ ],
+ "subject_assignments": [
+ {
+ "subject": {"name": "admin"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "high"}]
+ },
+ {
+ "subject": {"name": "demo"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "low"}]
+ }
+ ],
+ "objects": [
+ {
+ "name": "vm1",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm2",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm3",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "MLS Policy"
+ }
+ ]
+ }
+ ],
+ "object_categories": [
+ {
+ "name": "level",
+ "description": "object level"
+ }
+ ],
+ "object_data": [
+ {
+ "name": "high",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "medium",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "low",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ }
+ ],
+ "object_assignments": [
+ {
+ "object": {"name": "vm1"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "high"}]
+ },
+ {
+ "object": {"name": "vm2"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "medium"}]
+ },
+ {
+ "object": {"name": "vm3"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "low"}]
+ }
+ ],
+ "actions": [
+ {
+ "name": "use_image",
+ "description": "use_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "get_images",
+ "description": "get_images action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "update_image",
+ "description": "update_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "set_image",
+ "description": "set_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ }
+ ],
+ "action_categories": [
+ {
+ "name": "type",
+ "description": ""
+ }
+ ],
+ "action_data": [
+ {
+ "name": "read",
+ "description": "read action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "write",
+ "description": "write action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "execute",
+ "description": "execute action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ }
+ ],
+ "action_assignments": [
+ {
+ "action": {"name": "use_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "execute"}]
+ },
+ {
+ "action": {"name": "update_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "write"}]
+ },
+ {
+ "action": {"name": "set_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "write"}]
+ },
+ {
+ "action": {"name": "get_images"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}]
+ }
+ ],
+ "meta_rules": [
+ {
+ "name": "mls",
+ "description": "",
+ "subject_categories": [{"name": "level"}],
+ "object_categories": [{"name": "level"}],
+ "action_categories": [{"name": "type"}]
+ }
+ ],
+ "rules": [
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "mls"},
+ "rule": {
+ "subject_data": [{"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ }
+ ],
+ "checks": {
+ "granted": [
+ ["admin", "vm1", "get_images"],
+ ["admin", "vm1", "set_image"],
+ ["admin", "vm1", "use_image"],
+ ["admin", "vm2", "get_images"],
+ ["admin", "vm2", "set_image"],
+ ["admin", "vm3", "get_images"],
+ ["demo", "vm1", "get_images"],
+ ["demo", "vm1", "set_image"],
+ ["demo", "vm2", "get_images"],
+ ["demo", "vm1", "get_images"]
+ ],
+ "denied": [
+ ["admin", "vm2", "update_image"],
+ ["admin", "vm3", "set_image"],
+ ["admin", "vm3", "update_image"],
+ ["demo", "vm1", "update_image"],
+ ["demo", "vm2", "set_image"],
+ ["demo", "vm2", "update_image"],
+ ["demo", "vm3", "get_images"],
+ ["demo", "vm3", "set_image"],
+ ["demo", "vm3", "update_image"]
+ ]
+ }
+} \ No newline at end of file
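Review bot: The `checks` block contradicts the rules in this file: `["demo", "vm1", "get_images"]` and `["demo", "vm1", "set_image"]` are listed as granted, yet `demo` is assigned level `low`, `vm1` level `high`, and the only rules for a `low` subject are `low`→`low`; conversely `["admin", "vm3", "set_image"]` and `["admin", "vm2", "update_image"]` are listed as denied although the `high`→`low` write and `high`→`medium` read/write rules grant them. The block is byte-identical to the one in policy_rbac.json, so it looks copied rather than derived from the MLS rules, and any test that consumes it will encode the wrong expectation. `["demo", "vm1", "get_images"]` also appears twice in `granted`. Separately, the rule set grants a `high` subject write on `medium` and `low` objects (write-down), so this is a plain dominance lattice rather than Bell-LaPadula confidentiality; either drop the write-down rules or state in `description` that the policy is dominance-based, e.g. `"description": "MLS policy: subject level must dominate object level for read, write and execute"`.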
diff --git a/moon_engine/conf/policy_rbac.json b/moon_engine/conf/policy_rbac.json
new file mode 100644
index 00000000..a4bc959c
--- /dev/null
+++ b/moon_engine/conf/policy_rbac.json
@@ -0,0 +1,393 @@
+{
+ "policies": [
+ {
+ "name": "RBAC Policy",
+ "genre": "authz",
+ "description": "RBAC policy",
+ "model": {
+ "name": "RBAC"
+ },
+ "mandatory": true,
+ "override": true
+ }
+ ],
+ "models": [
+ {
+ "name": "RBAC",
+ "description": "",
+ "meta_rules": [
+ {
+ "name": "rbac"
+ }
+ ],
+ "override": true
+ }
+ ],
+ "subjects": [
+ {
+ "name": "admin",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC Policy"
+ }
+ ]
+ },
+ {
+ "name": "demo",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC Policy"
+ }
+ ]
+ }
+ ],
+ "subject_categories": [
+ {
+ "name": "role",
+ "description": "role of a user"
+ }
+ ],
+ "subject_data": [
+ {
+ "name": "admin",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "role"
+ }
+ },
+ {
+ "name": "user",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "role"
+ }
+ }
+ ],
+ "subject_assignments": [
+ {
+ "subject": {"name": "admin"},
+ "category": {"name": "role"},
+ "assignments": [{"name": "admin"}]
+ },
+ {
+ "subject": {"name": "admin"},
+ "category": {"name": "role"},
+ "assignments": [{"name": "user"}]
+ },
+ {
+ "subject": {"name": "demo"},
+ "category": {"name": "role"},
+ "assignments": [{"name": "user"}]
+ }
+ ],
+ "objects": [
+ {
+ "name": "vm1",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm2",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm3",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC Policy"
+ }
+ ]
+ }
+ ],
+ "object_categories": [
+ {
+ "name": "id",
+ "description": "identification of the object"
+ }
+ ],
+ "object_data": [
+ {
+ "name": "vm1",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "id"
+ }
+ },
+ {
+ "name": "vm2",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "id"
+ }
+ },
+ {
+ "name": "vm3",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "id"
+ }
+ }
+ ],
+ "object_assignments": [
+ {
+ "object": {"name": "vm1"},
+ "category": {"name": "id"},
+ "assignments": [{"name": "vm1"}]
+ },
+ {
+ "object": {"name": "vm2"},
+ "category": {"name": "id"},
+ "assignments": [{"name": "vm2"}]
+ },
+ {
+ "object": {"name": "vm3"},
+ "category": {"name": "id"},
+ "assignments": [{"name": "vm3"}]
+ }
+ ],
+ "actions": [
+ {
+ "name": "use_image",
+ "description": "use_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "get_images",
+ "description": "get_images action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "update_image",
+ "description": "update_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "set_image",
+ "description": "set_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ }
+ ],
+ "action_categories": [
+ {
+ "name": "type",
+ "description": ""
+ }
+ ],
+ "action_data": [
+ {
+ "name": "read",
+ "description": "read action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "write",
+ "description": "write action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "execute",
+ "description": "execute action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ }
+ ],
+ "action_assignments": [
+ {
+ "action": {"name": "use_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "execute"}]
+ },
+ {
+ "action": {"name": "update_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "write"}]
+ },
+ {
+ "action": {"name": "set_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "write"}]
+ },
+ {
+ "action": {"name": "get_images"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}]
+ }
+ ],
+ "meta_rules": [
+ {
+ "name": "rbac",
+ "description": "",
+ "subject_categories": [{"name": "role"}],
+ "object_categories": [{"name": "id"}],
+ "action_categories": [{"name": "type"}]
+ }
+ ],
+ "rules": [
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm1"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm1"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm1"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm2"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm2"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "admin"}],
+ "object_data": [{"name": "vm3"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "user"}],
+ "object_data": [{"name": "vm1"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "user"}],
+ "object_data": [{"name": "vm1"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac"},
+ "rule": {
+ "subject_data": [{"name": "user"}],
+ "object_data": [{"name": "vm2"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ }
+ ],
+ "checks": {
+ "granted": [
+ ["admin", "vm1", "get_images"],
+ ["admin", "vm1", "set_image"],
+ ["admin", "vm1", "use_image"],
+ ["admin", "vm2", "get_images"],
+ ["admin", "vm2", "set_image"],
+ ["admin", "vm3", "get_images"],
+ ["demo", "vm1", "get_images"],
+ ["demo", "vm1", "set_image"],
+ ["demo", "vm2", "get_images"],
+ ["demo", "vm1", "get_images"]
+ ],
+ "denied": [
+ ["admin", "vm2", "update_image"],
+ ["admin", "vm3", "set_image"],
+ ["admin", "vm3", "update_image"],
+ ["demo", "vm1", "update_image"],
+ ["demo", "vm2", "set_image"],
+ ["demo", "vm2", "update_image"],
+ ["demo", "vm3", "get_images"],
+ ["demo", "vm3", "set_image"],
+ ["demo", "vm3", "update_image"]
+ ]
+ }
+} \ No newline at end of file
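Review bot: `subject_assignments` gives subject `admin` two separate entries for the same `role` category (`admin` and `user`) where a single entry with `"assignments": [{"name": "admin"}, {"name": "user"}]` would express it and match the shape the other assignment lists use; whether the engine merges or overwrites duplicate (subject, category) pairs is not visible here, so it is worth confirming before relying on the second entry. `["demo", "vm1", "get_images"]` appears twice in `checks.granted`. `["admin", "vm2", "update_image"]` is expected to be denied although `admin` holds both a `vm2`/`read` and a `vm2`/`write` rule and `update_image` maps to `read` + `write`, while `["admin", "vm1", "use_image"]` (`read` + `execute`, with matching rules) is expected to be granted; if that asymmetry is the intended semantics for multi-valued action data, a `description` on the `update_image` action should say so, because on its face the expectation looks inconsistent.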
diff --git a/moon_engine/conf/policy_rbac_mls.json b/moon_engine/conf/policy_rbac_mls.json
new file mode 100644
index 00000000..beb4e3ec
--- /dev/null
+++ b/moon_engine/conf/policy_rbac_mls.json
@@ -0,0 +1,525 @@
+{
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy",
+ "genre": "authz",
+ "description": "RBAC+MLS policy",
+ "model": {
+ "name": "RBACMLS"
+ },
+ "mandatory": true,
+ "override": true
+ }
+ ],
+ "models": [
+ {
+ "name": "RBACMLS",
+ "description": "",
+ "meta_rules": [
+ {
+ "name": "rbac_mls"
+ }
+ ],
+ "override": true
+ }
+ ],
+ "subjects": [
+ {
+ "name": "admin",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "demo",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy"
+ }
+ ]
+ }
+ ],
+ "subject_categories": [
+ {
+ "name": "role",
+ "description": "role of a user"
+ },
+ {
+ "name": "level",
+ "description": "subject level"
+ }
+ ],
+ "subject_data": [
+ {
+ "name": "high",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "admin",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "role"
+ }
+ },
+ {
+ "name": "member",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "role"
+ }
+ },
+ {
+ "name": "medium",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "low",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ }
+ ],
+ "subject_assignments": [
+ {
+ "subject": {"name": "admin"},
+ "category": {"name": "role"},
+ "assignments": [{"name": "admin"}]
+ },
+ {
+ "subject": {"name": "demo"},
+ "category": {"name": "role"},
+ "assignments": [{"name": "member"}]
+ },
+ {
+ "subject": {"name": "admin"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "high"}]
+ },
+ {
+ "subject": {"name": "demo"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "low"}]
+ }
+ ],
+ "objects": [
+ {
+ "name": "vm1",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm2",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy"
+ }
+ ]
+ },
+ {
+ "name": "vm3",
+ "description": "",
+ "extra": {},
+ "policies": [
+ {
+ "name": "RBAC+MLS Policy"
+ }
+ ]
+ }
+ ],
+ "object_categories": [
+ {
+ "name": "level",
+ "description": "object level"
+ }
+ ],
+ "object_data": [
+ {
+ "name": "high",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "medium",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ },
+ {
+ "name": "low",
+ "description": "",
+ "policies": [],
+ "category": {
+ "name": "level"
+ }
+ }
+ ],
+ "object_assignments": [
+ {
+ "object": {"name": "vm1"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "high"}]
+ },
+ {
+ "object": {"name": "vm2"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "medium"}]
+ },
+ {
+ "object": {"name": "vm3"},
+ "category": {"name": "level"},
+ "assignments": [{"name": "low"}]
+ }
+ ],
+ "actions": [
+ {
+ "name": "use_image",
+ "description": "use_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "get_images",
+ "description": "get_images action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "update_image",
+ "description": "update_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ },
+ {
+ "name": "set_image",
+ "description": "set_image action for glance",
+ "extra": {
+ "component": "glance"
+ },
+ "policies": []
+ }
+ ],
+ "action_categories": [
+ {
+ "name": "type",
+ "description": ""
+ }
+ ],
+ "action_data": [
+ {
+ "name": "read",
+ "description": "read action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "write",
+ "description": "write action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ },
+ {
+ "name": "execute",
+ "description": "execute action",
+ "policies": [],
+ "category": {
+ "name": "type"
+ }
+ }
+ ],
+ "action_assignments": [
+ {
+ "action": {"name": "use_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "execute"}]
+ },
+ {
+ "action": {"name": "update_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}, {"name": "write"}]
+ },
+ {
+ "action": {"name": "set_image"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "write"}]
+ },
+ {
+ "action": {"name": "get_images"},
+ "category": {"name": "type"},
+ "assignments": [{"name": "read"}]
+ }
+ ],
+ "meta_rules": [
+ {
+ "name": "rbac_mls",
+ "description": "",
+ "subject_categories": [{"name": "role"}, {"name": "level"}],
+ "object_categories": [{"name": "level"}],
+ "action_categories": [{"name": "type"}]
+ }
+ ],
+ "rules": [
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "read"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "write"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "high"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "high"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "medium"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "medium"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ },
+ {
+ "meta_rule": {"name": "rbac_mls"},
+ "rule": {
+ "subject_data": [{"name": "admin"}, {"name": "low"}],
+ "object_data": [{"name": "low"}],
+ "action_data": [{"name": "execute"}]
+ },
+ "policy": {"name": "RBAC+MLS Policy"},
+ "instructions": [{"decision": "grant"}],
+ "enabled": true
+ }
+ ],
+ "checks": {
+ "granted": [
+ ["admin", "vm1", "get_images"],
+ ["admin", "vm1", "set_image"],
+ ["admin", "vm1", "use_image"],
+ ["admin", "vm2", "get_images"],
+ ["admin", "vm2", "set_image"],
+ ["admin", "vm3", "get_images"],
+ ["demo", "vm1", "get_images"],
+ ["demo", "vm1", "set_image"],
+ ["demo", "vm2", "get_images"],
+ ["demo", "vm1", "get_images"]
+ ],
+ "denied": [
+ ["admin", "vm2", "update_image"],
+ ["admin", "vm3", "set_image"],
+ ["admin", "vm3", "update_image"],
+ ["demo", "vm1", "update_image"],
+ ["demo", "vm2", "set_image"],
+ ["demo", "vm2", "update_image"],
+ ["demo", "vm3", "get_images"],
+ ["demo", "vm3", "set_image"],
+ ["demo", "vm3", "update_image"]
+ ]
+ }
+} \ No newline at end of file
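Review bot: Every rule in this file carries `subject_data` `admin` for the `role` category, and `demo` is assigned role `member`, so no rule can match `demo`; `checks.granted` nevertheless expects `["demo", "vm1", "get_images"]`, `["demo", "vm1", "set_image"]` and `["demo", "vm2", "get_images"]` to succeed, and `demo` at level `low` could in any case not read `vm1` at level `high`. The `checks` block is identical to the one in policy_rbac.json and does not appear to have been re-derived for the combined meta rule (`["demo", "vm1", "get_images"]` is also listed twice). Either add the `member` rules the checks rely on or rewrite `checks` from the rules above. As in policy_mls.json, the `admin`/`high` rules include write on `medium` and `low` objects, so the level component is dominance rather than confidentiality MLS; a `description` such as `"RBAC+MLS policy: role admin plus subject level dominating object level"` would stop readers from assuming Bell-LaPadula semantics.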