Diffstat (limited to 'moonv4/moon_manager')
-rw-r--r--moonv4/moon_manager/moon_manager/api/master.py345
-rw-r--r--moonv4/moon_manager/moon_manager/api/policies.py48
-rw-r--r--moonv4/moon_manager/moon_manager/messenger.py4
-rw-r--r--moonv4/moon_manager/requirements.txt3
4 files changed, 396 insertions, 4 deletions
diff --git a/moonv4/moon_manager/moon_manager/api/master.py b/moonv4/moon_manager/moon_manager/api/master.py
new file mode 100644
index 00000000..e63406c5
--- /dev/null
+++ b/moonv4/moon_manager/moon_manager/api/master.py
@@ -0,0 +1,345 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_log import log as logging
+from moon_utilities.security_functions import call, notify
+from moon_db.core import PDPManager, PolicyManager, ModelManager
+
+LOG = logging.getLogger(__name__)
+
+
+class Master(object):
+ """
+ Retrieve the current status of all components.
+ """
+
+ __version__ = "0.1.0"
+ __policies = None
+ __policy_ids = []
+ __models = None
+ __model_ids = []
+ __meta_rules = None
+ __meta_rule_ids = []
+
+ @property
+ def policies(self):
+ if not self.__policies:
+ self.__policies = {}
+ if self.__policy_ids:
+ for policy_id in self.__policy_ids:
+ self.__policies.update(call("moon_manager",
+ method="get_policies",
+ ctx={
+ "id": policy_id,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["policies"])
+ else:
+ self.__policies = call("moon_manager",
+ method="get_policies",
+ ctx={
+ "id": None,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["policies"]
+ LOG.info("__get_policies={}".format(self.__policies))
+ return self.__policies
+
+ @property
+ def models(self):
+ if not self.__models:
+ self.__models = {}
+ if self.__model_ids:
+ for model_id in self.__model_ids:
+ self.__models.update(call("moon_manager",
+ method="get_models",
+ ctx={
+ "id": model_id,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["models"])
+ else:
+ self.__models = call("moon_manager",
+ method="get_models",
+ ctx={
+ "id": None,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["models"]
+ LOG.info("__get_models={}".format(self.__models))
+ return self.__models
+
+ @property
+ def meta_rules(self):
+ if not self.__meta_rules:
+ self.__meta_rules = {}
+ if self.__meta_rule_ids:
+ for meta_rule_id in self.__meta_rule_ids:
+ self.__meta_rules.update(call("moon_manager",
+ method="get_meta_rules",
+ ctx={
+ "meta_rule_id": meta_rule_id,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["meta_rules"])
+ else:
+ self.__meta_rules = call("moon_manager",
+ method="get_meta_rules",
+ ctx={
+ "meta_rule_id": None,
+ "call_master": True,
+ "user_id": "admin"
+ },
+ args={})["meta_rules"]
+ LOG.info("__get_meta_rules={}".format(self.__meta_rules))
+ return self.__meta_rules
+
+ def __add_meta_data(self):
+ subject_categories = ModelManager.get_subject_categories("admin")
+ object_categories = ModelManager.get_object_categories("admin")
+ action_categories = ModelManager.get_action_categories("admin")
+ for meta_rule_id, meta_rule_value in self.meta_rules.items():
+ for _scat in meta_rule_value['subject_categories']:
+ if _scat not in subject_categories:
+ master_category = call("moon_manager", method="get_subject_categories",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": None,
+ },
+ args={"category_id": _scat})["subject_categories"]
+ ModelManager.add_subject_category("admin", _scat, master_category[_scat])
+ for _ocat in meta_rule_value['object_categories']:
+ if _ocat not in object_categories:
+ master_category = call("moon_manager", method="get_object_categories",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": None,
+ },
+ args={"category_id": _ocat})["object_categories"]
+ LOG.info("Add scat {} {}".format(_ocat, master_category[_ocat]))
+ ModelManager.add_object_category("admin", _ocat, master_category[_ocat])
+ for _acat in meta_rule_value['action_categories']:
+ if _acat not in action_categories:
+ master_category = call("moon_manager", method="get_action_categories",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": None,
+ },
+ args={"category_id": _acat})["action_categories"]
+ LOG.info("Add scat {} {}".format(_acat, master_category[_acat]))
+ ModelManager.add_action_category("admin", _acat, master_category[_acat])
+
+ def __add_meta_rule(self):
+ meta_rules = ModelManager.get_meta_rules("admin")
+ LOG.info("meta_rules={}".format(meta_rules))
+ for uuid, value in self.meta_rules.items():
+ if uuid not in meta_rules:
+ ModelManager.add_meta_rule("admin", uuid, value=value)
+
+ def __add_perimeter(self, subject_name=None, object_name=None):
+ for policy_id in self.policies:
+ subjects = call("moon_manager", method="get_subjects",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ },
+ args={"perimeter_id": None, "perimeter_name": subject_name})["subjects"]
+ for subject_id, subject_value in subjects.items():
+ # FIXME (asteroide): if a subject with the same name had been already created before
+ # it will not have the same ID as the subject in master
+ PolicyManager.add_subject("admin", policy_id=policy_id, perimeter_id=subject_id, value=subject_value)
+ for policy_id in self.policies:
+ objects = call("moon_manager", method="get_objects",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ },
+ args={"perimeter_id": None, "perimeter_name": object_name})["objects"]
+ for object_id, object_value in objects.items():
+ # FIXME (asteroide): if a object with the same name had been already created before
+ # it will not have the same ID as the object in master
+ PolicyManager.add_object("admin", policy_id=policy_id, perimeter_id=object_id, value=object_value)
+ for policy_id in self.policies:
+ actions = call("moon_manager", method="get_actions",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ },
+ args={"perimeter_id": None})["actions"]
+ for action_id, action_value in actions.items():
+ # FIXME (asteroide): if a action with the same name had been already created before
+ # it will not have the same ID as the action in master
+ PolicyManager.add_action("admin", policy_id=policy_id, perimeter_id=action_id, value=action_value)
+
+ def __add_data(self):
+ subject_categories = ModelManager.get_subject_categories("admin")
+ object_categories = ModelManager.get_object_categories("admin")
+ action_categories = ModelManager.get_action_categories("admin")
+ for policy_id in self.policies:
+ for category in subject_categories.keys():
+ subject_data = call("moon_manager", method="get_subject_data",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "category_id": category
+ },
+ args={"data_id": None})["subject_data"]
+ if not subject_data:
+ continue
+ for data in subject_data:
+ PolicyManager.set_subject_data("admin", policy_id=policy_id,
+ category_id=data['category_id'], value=data)
+ for category in object_categories:
+ object_data = call("moon_manager", method="get_object_data",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "category_id": category
+ },
+ args={"data_id": None})["object_data"]
+ if not object_data:
+ continue
+ for data in object_data:
+ PolicyManager.add_object_data("admin", policy_id=policy_id,
+ category_id=data['category_id'], value=data)
+ for category in action_categories:
+ action_data = call("moon_manager", method="get_action_data",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "category_id": category
+ },
+ args={"data_id": None})["action_data"]
+ if not action_data:
+ continue
+ for data in action_data:
+ PolicyManager.add_action_data("admin", policy_id=policy_id,
+ category_id=data['category_id'], value=data)
+
+ def __add_assignments(self, subject_name=None, object_name=None):
+ for policy_id in self.policies:
+ assignments = call("moon_manager", method="get_subject_assignments",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "perimeter_id": None,
+ "perimeter_name": subject_name,
+ "category_id": None,
+ },
+ args={})["subject_assignments"]
+ for assignment_id, assignment_value in assignments.items():
+ _subject_id = assignment_value['subject_id']
+ _category_id = assignment_value['category_id']
+ for _data_id in assignment_value['assignments']:
+ PolicyManager.add_subject_assignment("admin", policy_id=policy_id,
+ subject_id=_subject_id, category_id=_category_id,
+ data_id=_data_id)
+ assignments = call("moon_manager", method="get_object_assignments",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "perimeter_id": None,
+ "perimeter_name": object_name,
+ "category_id": None,
+ },
+ args={})["object_assignments"]
+ for assignment_id, assignment_value in assignments.items():
+ _object_id = assignment_value['object_id']
+ _category_id = assignment_value['category_id']
+ for _data_id in assignment_value['assignments']:
+ PolicyManager.add_object_assignment("admin", policy_id=policy_id,
+ object_id=_object_id, category_id=_category_id,
+ data_id=_data_id)
+ assignments = call("moon_manager", method="get_action_assignments",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "perimeter_id": None,
+ "category_id": None,
+ },
+ args={})["action_assignments"]
+ for assignment_id, assignment_value in assignments.items():
+ _action_id = assignment_value['action_id']
+ _category_id = assignment_value['category_id']
+ for _data_id in assignment_value['assignments']:
+ PolicyManager.add_action_assignment("admin", policy_id=policy_id,
+ action_id=_action_id, category_id=_category_id,
+ data_id=_data_id)
+
+ def __add_rules(self):
+ for policy_id in self.policies:
+ _rules = call("moon_manager", method="get_rules",
+ ctx={
+ "user_id": "admin",
+ "call_master": True,
+ "id": policy_id,
+ "rule_id": None
+ },
+ args={})["rules"]
+ for rule in _rules["rules"]:
+ LOG.info("__add_rules {}".format(rule))
+ if rule["meta_rule_id"] in self.__meta_rule_ids:
+ PolicyManager.add_rule("admin",
+ policy_id=policy_id,
+ meta_rule_id=rule["meta_rule_id"],
+ value=rule)
+
+ def update_from_master(self, ctx, args):
+ LOG.info("update_from_master {}".format(ctx))
+ self.__policy_ids = ctx["security_pipeline"]
+
+ for policy_id, policy_value in self.policies.items():
+ self.__model_ids.append(policy_value["model_id"])
+
+ for model_id, model_value in self.models.items():
+ self.__meta_rule_ids.extend(model_value['meta_rules'])
+
+ self.__add_meta_data()
+
+ self.__add_meta_rule()
+
+ for policy_id in ctx["security_pipeline"]:
+ if policy_id in self.policies:
+ PolicyManager.add_policy("admin", policy_id, self.__policies[policy_id])
+
+ self.__add_perimeter(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name"))
+
+ self.__add_data()
+
+ self.__add_assignments(subject_name=ctx.get("subject_name"), object_name=ctx.get("object_name"))
+
+ self.__add_rules()
+
+ models = ModelManager.get_models("admin")
+ for model_id, model_value in self.models.items():
+ if model_id not in models:
+ ModelManager.add_model("admin", model_id, model_value)
+
+ pdp = PDPManager.add_pdp(user_id="admin", pdp_id=ctx["pdp_id"], value=args)
+ if "error" in pdp:
+ LOG.error("Error when adding PDP from master {}".format(pdp))
+ return False
+ LOG.info("pdp={}".format(pdp))
+ call("orchestrator", method="add_container",
+ ctx={"id": ctx.get("id"), "pipeline": ctx['security_pipeline']})
+ return True
+
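Review bot: The per-call state of `Master` is never reset, so the second `update_from_master` call on the long-lived endpoint registered in messenger.py works on stale data: `__model_ids` and `__meta_rule_ids` are class-level lists that `self.__model_ids.append(...)` and `self.__meta_rule_ids.extend(...)` mutate in place, so ids accumulate across calls, and the `policies`/`models`/`meta_rules` properties cache their first result behind `if not self.__policies` and never refetch even though `__policy_ids` changes on each call. Resetting the caches and the id lists at the top of `update_from_master` (below) fixes both; rebinding `__policy_ids` through `list(...)` also stops the method from aliasing the caller's `ctx["security_pipeline"]`. Separately, every manager and `call(...)` operation here runs as the hard-coded `"admin"` identity, unlike `Perimeter.get_subjects` in policies.py which uses `ctx["user_id"]`; if that is intentional for master synchronization it deserves a comment on the class, e.g. `# All operations run as "admin": this endpoint replicates master state and does not act on behalf of the RPC caller.`, because `ctx["user_id"]`, `ctx["security_pipeline"]` and `ctx["pdp_id"]` are otherwise taken from the request without validation.
```python
def update_from_master(self, ctx, args):
    LOG.info("update_from_master {}".format(ctx))
    # Reset per-call state: the class-level lists and the cached
    # policies/models/meta_rules would otherwise persist across RPC
    # calls on the single Master() instance registered in messenger.py.
    self.__policies = None
    self.__models = None
    self.__meta_rules = None
    self.__policy_ids = list(ctx["security_pipeline"])
    self.__model_ids = []
    self.__meta_rule_ids = []
    # … unchanged: model/meta-rule id collection and the add_* sequence …
```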
diff --git a/moonv4/moon_manager/moon_manager/api/policies.py b/moonv4/moon_manager/moon_manager/api/policies.py
index 3c876fae..27e28a6c 100644
--- a/moonv4/moon_manager/moon_manager/api/policies.py
+++ b/moonv4/moon_manager/moon_manager/api/policies.py
@@ -64,7 +64,17 @@ class Perimeter(object):
def get_subjects(self, ctx, args):
try:
- data = self.manager.get_subjects(user_id=ctx["user_id"], policy_id=ctx["id"], perimeter_id=args['perimeter_id'])
+ data = self.manager.get_subjects(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=args['perimeter_id']
+ )
+ if not args['perimeter_id']:
+ if "perimeter_name" in args:
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == args['perimeter_name']:
+ data = {_data_id: _data_value}
+ break
except Exception as e:
LOG.error(e, exc_info=True)
return {"result": False,
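Review bot: When `perimeter_name` is supplied but no subject carries that name, the added loop falls through without assigning and `data` keeps the full unfiltered result of `get_subjects`, so a lookup by an unknown name returns every subject instead of none. A `for ... else:` arm closes that gap with two lines after the loop: `else:` / `data = {}`. The `get_objects` hunk below has the same fall-through and should get the same arm. The rest of `get_subjects`, including the error dict, continues outside the hunk.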
@@ -102,7 +112,17 @@ class Perimeter(object):
def get_objects(self, ctx, args):
try:
- data = self.manager.get_objects(user_id=ctx["user_id"], policy_id=ctx["id"], perimeter_id=args['perimeter_id'])
+ data = self.manager.get_objects(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=args['perimeter_id']
+ )
+ if not args['perimeter_id']:
+ if "perimeter_name" in args:
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == args['perimeter_name']:
+ data = {_data_id: _data_value}
+ break
except Exception as e:
LOG.error(e, exc_info=True)
return {"result": False,
@@ -285,8 +305,30 @@ class Assignments(object):
def __init__(self):
self.manager = PolicyManager
+ def __get_subject_id(self, ctx, subject_name):
+ data = self.manager.get_subjects(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=None
+ )
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == subject_name:
+ return _data_id
+
+ def __get_object_id(self, ctx, object_name):
+ data = self.manager.get_objects(
+ user_id=ctx["user_id"],
+ policy_id=ctx["id"],
+ perimeter_id=None
+ )
+ for _data_id, _data_value in data.items():
+ if _data_value['name'] == object_name:
+ return _data_id
+
def get_subject_assignments(self, ctx, args):
try:
+ if "perimeter_name" in args:
+ ctx["perimeter_id"] = self.__get_subject_id(ctx, args['perimeter_name'])
data = self.manager.get_subject_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
subject_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
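Review bot: `__get_subject_id` returns `None` implicitly when no subject matches `subject_name`, and `get_subject_assignments` then stores that `None` in `ctx["perimeter_id"]` and queries with `subject_id=None`; given that the helper itself passes `perimeter_id=None` to fetch all subjects, a `None` subject id presumably selects all assignments rather than none, so an unknown name widens the result. Guard the lookup with `if ctx["perimeter_id"] is None:` and return the same `{"result": False, ...}` error dict the except branch builds, or raise so that branch handles it. `get_object_assignments` in the next hunk has the same issue, and `__get_object_id` duplicates `__get_subject_id` apart from the manager method name. Note also that assigning `ctx["perimeter_id"]` mutates the caller's `ctx` in place; the body of `get_subject_assignments` continues outside the hunk.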
@@ -322,6 +364,8 @@ class Assignments(object):
def get_object_assignments(self, ctx, args):
try:
+ if "perimeter_name" in args:
+ ctx["perimeter_id"] = self.__get_object_id(ctx, args['perimeter_name'])
data = self.manager.get_object_assignments(user_id=ctx["user_id"], policy_id=ctx["id"],
object_id=ctx["perimeter_id"], category_id=ctx["category_id"])
except Exception as e:
diff --git a/moonv4/moon_manager/moon_manager/messenger.py b/moonv4/moon_manager/moon_manager/messenger.py
index 784b9eab..3c44b6f6 100644
--- a/moonv4/moon_manager/moon_manager/messenger.py
+++ b/moonv4/moon_manager/moon_manager/messenger.py
@@ -12,6 +12,7 @@ from moon_utilities.api import APIList
from moon_manager.api.models import Models, MetaRules, MetaData
from moon_manager.api.policies import Policies, Perimeter, Data, Assignments, Rules
from moon_manager.api.pdp import PDP
+from moon_manager.api.master import Master
from moon_utilities.security_functions import call
from moon_utilities.exceptions import IntraExtensionUnknown
@@ -52,7 +53,8 @@ class Server:
Data(),
Assignments(),
Rules(),
- PDP()
+ PDP(),
+ Master()
]
self.server = oslo_messaging.get_rpc_server(self.transport, self.target, self.endpoints,
executor='threading',
diff --git a/moonv4/moon_manager/requirements.txt b/moonv4/moon_manager/requirements.txt
index 3b684f8d..a919c625 100644
--- a/moonv4/moon_manager/requirements.txt
+++ b/moonv4/moon_manager/requirements.txt
@@ -2,4 +2,5 @@ kombu !=4.0.1,!=4.0.0
oslo.messaging
oslo.config
vine
-oslo.log \ No newline at end of file
+oslo.log
+babel \ No newline at end of file
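Review bot: `babel` is added with no version constraint, while the `kombu` entry on this hunk's header line shows the file does constrain versions, and nothing in this commit imports `babel`, so neither the reason for the dependency nor the tested version is recorded. Pin it to the version the change was tested against, e.g. `babel==<tested-version>` (placeholder), and add a short comment naming which module needs it.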