Diffstat (limited to 'moonv4')
61 files changed, 2526 insertions, 0 deletions
diff --git a/moonv4/moon_orchestrator/LICENSE b/moonv4/moon_orchestrator/LICENSE new file mode 100644 index 00000000..4143aac2 --- /dev/null +++ b/moonv4/moon_orchestrator/LICENSE 
@@ -0,0 +1,204 @@ + + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ +--- License for python-keystoneclient versions prior to 2.1 --- + +All rights reserved. + +Redistribution and use in source and binary forms, with or without +modification, are permitted provided that the following conditions are met: + + 1. Redistributions of source code must retain the above copyright notice, + this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. Neither the name of this project nor the names of its contributors may + be used to endorse or promote products derived from this software without + specific prior written permission. + +THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" +AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE +DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE +FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, +OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. diff --git a/moonv4/moon_orchestrator/MANIFEST.in b/moonv4/moon_orchestrator/MANIFEST.in new file mode 100644 index 00000000..1f674d50 --- /dev/null +++ b/moonv4/moon_orchestrator/MANIFEST.in 
@@ -0,0 +1,9 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +include README.rst +include LICENSE +include setup.py +include requirements.txt diff --git a/moonv4/moon_orchestrator/README.rst b/moonv4/moon_orchestrator/README.rst new file mode 100644 index 00000000..77fbe4c5 --- /dev/null +++ b/moonv4/moon_orchestrator/README.rst 
@@ -0,0 +1,130 @@ +================================ +Core module for the Moon project +================================ + +This package contains the main module for the Moon project +It is designed to provide the main entry point for the Moon platform. + +For any other information, refer to the parent project: + + https://git.opnfv.org/moon + + +Usage +===== + +Get the code +------------ + + git clone https://git.opnfv.org/moon + cd moon + MOON_HOME=$(pwd) + +Create an initial docker +------------------------ + + cd /tmp + git clone https://github.com/rebirthmonkey/vmspace.git + cd docker/ubuntu_python + # Check the proxy settings in Dockerfile + docker build ubuntu:python . + +Configure the network +--------------------- + + docker network create -d bridge --subnet=172.18.0.0/16 --gateway=172.18.0.1 moon + echo "127.0.0.1 messenger db" | sudo tee -a /etc/hosts + +Start Rabbitmq +-------------- + + docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management + +Start MySQL server +------------------ + + docker run -dti --net=moon --hostname db --name db -e MYSQL_ROOT_PASSWORD=password -p 3306:3306 mysql:8 + cd $(MOON_HOME)/moon_orchestrator + mysql -h db -uroot -ppassword < bin/init_db.sql + +Get python packages for all components +-------------------------------------- + + cd $(MOON_HOME)/moon_orchestrator + bash bin/build_all.sh + mysql -h db -uroot -ppassword < bin/init_db.sql + +Start Orchestrator +------------------ + + cd $(MOON_HOME)/moon_orchestrator + pyvenv tests/venv + . tests/venv/bin/activate + pip install -r ../moon_db/requirements.txt + pip install -r ../moon_utilities/requirements.txt + pip install -r requirements.txt + pip install dist/moon_db-0.1.0.tar.gz + pip install dist/moon_utilities-0.1.0.tar.gz + pip install . 
+ # Check the proxy settings in $(MOON_HOME)/moon_orchestrator/conf/moon.conf + moon_orchestrator + +Get some logs +------------- + + docker logs messenger + docker logs router + docker logs interface + +Get the API in PDF +------------------ + + cd $(MOON_HOME)/moon_interface/tools + sudo pip install requests + sudo apt-get install pandoc + /usr/bin/python3 api2rst.py + pandoc api.rst -o api.pdf + evince api.pdf + +How to hack the Moon platform +============================= + +Update the moon_interface +------------------------- + +Go to the directory $(MOON_HOME)/moon_interface and update the code accordingly to your needs, +then update the python package. + + python setup.py sdist + cp dist/moon_interface_* ../moon_orchestrator/dist + # kill moon_orchestrator if needed and restart it + +Update the moon_secrouter +------------------------- + +Go to the directory $(MOON_HOME)/moon_secrouter and update the code accordingly to your needs, +then update the python package. + + python setup.py sdist + cp dist/moon_secrouter* ../moon_orchestrator/dist + # kill moon_orchestrator if needed and restart it + +Problems that may arise +======================= + +If the moon_orchestrator doesn't want to start +(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`), +check if the router and interface containers still exist and kill and delete them: + + docker kill interface + docker kill router + docker rm interface + docker rm router + +If the moon_orchestrator complains that it cannot request the RabbitMQ server, +check if the messenger server is up and running: + + docker ps + # you must see the messenger running here + # if not, restart it + docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management 
diff --git a/moonv4/moon_orchestrator/conf/dockers/template.dockerfile b/moonv4/moon_orchestrator/conf/dockers/template.dockerfile
new file mode 100644
index 00000000..6bb8a0c6
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/dockers/template.dockerfile
@@ -0,0 +1,25 @@
+# Pull base image.
+FROM ubuntu:latest
+
+{{ proxy }}
+
+RUN apt-get update && apt-get install python3.5 python3-pip -y
+
+ADD dist/moon_utilities-0.1.0.tar.gz /root
+WORKDIR /root/moon_utilities-0.1.0
+RUN pip3 install pip --upgrade
+RUN pip3 install --upgrade -r requirements.txt
+RUN pip3 install --upgrade .
+
+ADD dist/moon_db-0.1.0.tar.gz /root
+WORKDIR /root/moon_db-0.1.0
+RUN pip3 install --upgrade -r requirements.txt
+RUN pip3 install --upgrade .
+
+{{ run }}
+
+{% for port in ports %}
+EXPOSE {{ port }}
+{% endfor %}
+
+CMD {{ cmd }}
diff --git a/moonv4/moon_orchestrator/conf/moon.conf b/moonv4/moon_orchestrator/conf/moon.conf
new file mode 100644
index 00000000..c0d1d14c
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/moon.conf
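Review bot: `FROM ubuntu:latest` makes every build pull whatever Ubuntu is current, so the image is not reproducible and the `apt-get install python3.5 python3-pip -y` line will stop matching once the base moves past a release that ships Python 3.5; pin a specific release tag (for example `FROM ubuntu:16.04`, or a digest) and note in a comment which release the template was validated against. The `RUN apt-get update && apt-get install ...` layer also leaves the apt package lists in the image; the usual form is `RUN apt-get update && apt-get install -y --no-install-recommends python3.5 python3-pip && rm -rf /var/lib/apt/lists/*`. The `{{ proxy }}`, `{{ run }} ` and `{{ cmd }}` placeholders are substituted verbatim into the Dockerfile, so whatever renders this template is the only place those values can be validated; a header comment naming the renderer and the expected shape of each placeholder would make that contract visible here.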
@@ -0,0 +1,87 @@
+[DEFAULT]
+# proxy URL
+#proxy=http://172.28.16.30:3128
+proxy=
+transport_url=rabbit://moon:p4sswOrd1@messenger:5672/moon
+#transport_url=rabbit://moon:p4sswOrd@localhost:5672/moon
+
+debug=True
+
+# directory where the python packages can be found
+dist_dir=/home/vdsq3226/projets/opnfv/moonv4/moon_orchestrator/dist
+plugin_dir=/etc/moon/plugins
+
+docker_url=unix://var/run/docker.sock
+
+root_policy_directory=policy_root
+policy_directory=/etc/moon/policies
+
+[slave]
+
+# name of the slave
+# example slave_name=slave1
+slave_name=
+
+# URL of the RabbitMQ bus of the Master
+# example: master_url=rabbit://moon:p4sswOrd1@master_messenger:5672/moon
+master_url=
+
+# login name of the master administrator
+# example: master_login=admin
+master_login=
+
+# password of the master administrator
+# example: master_password=p4ssw0rd
+master_password=
+
+[database]
+
+# Database for that server (may be different from master to slave)
+url=mysql+pymysql://moon:p4sswOrd1@db/moon
+driver=sql
+
+[database_configuration]
+
+# Database for configuration elements (may be different from master to slave)
+driver=memory
+url=
+
+[orchestrator]
+host=127.0.0.1
+port=38002
+container=
+
+[security_router]
+host=172.18.0.10
+
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_secrouter:latest
+container=
+
+[security_manager]
+host=172.18.0.10
+
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_manager:latest
+container=
+
+[interface]
+host=172.18.0.11
+port=38001
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_interface:latest
+container=
+
+[security_function]
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_secfunction:latest
+container=
+
+[keystone]
+url=http://keystone:5000/v3
+user=admin
+password=p4ssw0rd
+domain=default
+project=admin
+check_token=False
+server_crt=False
diff --git a/moonv4/moon_orchestrator/conf/plugins/authz.py b/moonv4/moon_orchestrator/conf/plugins/authz.py
new file mode 100644
index 00000000..c472b36a
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/plugins/authz.py
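Review bot: The `[DEFAULT]`, `[database]` and `[keystone]` sections commit live credentials (`transport_url=rabbit://moon:p4sswOrd1@messenger:5672/moon`, `url=mysql+pymysql://moon:p4sswOrd1@db/moon`, `password=p4ssw0rd`), and the authz plugin's build snippet `COPY conf /etc/moon/` in this same commit bakes this directory into every container image built from it. Ship the file with empty values and a comment pointing at the deployment step that supplies them, e.g. `# set at deploy time; never commit a real password` above `password=`, the way the `[slave]` section already leaves `master_password=` blank. `check_token=False` and `debug=True` are also unsafe as checked-in defaults; if they are meant for local development only, say so in a comment beside each, since the file is copied verbatim to `/etc/moon/`. `dist_dir=/home/vdsq3226/projets/opnfv/moonv4/moon_orchestrator/dist` is one developer's home directory and will not exist on any other host.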
@@ -0,0 +1,66 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+import hashlib
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (asteroide): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+# TODO (asteroide): add specific configuration options for that plugin
+
+
+class AuthzFunction(DockerBase):
+
+ id = "moon_authz_function"
+ __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+ def __init__(self, uuid, conf_file="", docker=None, network_config=None):
+ self.id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest()
+ super(AuthzFunction, self).__init__(
+ name="moon_authz",
+ run_cmd=["python3", "-m", "moon_authz", uuid],
+ conf_file=conf_file,
+ docker=docker,
+ network_config=network_config,
+ build_cmd=self.__build,
+ id=self.id,
+ tag=""
+ # tag=CONF.security_function.container
+ )
+ # note(asteroide): time to let the new docker boot
+ time.sleep(3)
+ self.get_status()
+
+ def get_status(self):
+ transport = oslo_messaging.get_transport(CONF)
+ target = oslo_messaging.Target(topic=self.id, version='1.0')
+ client = oslo_messaging.RPCClient(transport, target)
+ LOG.info("Calling Status on {}".format(self.id))
+ ret = client.call({"component_id": self.id}, 'get_status', args=None)
+ LOG.info(ret)
+ return ret
+
+
+def run(uuid, conf_file="", docker=None, network_config=None):
+ return AuthzFunction(uuid,
+ conf_file=conf_file,
+ docker=docker,
+ network_config=network_config)
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json
new file mode 100644
index 00000000..7a6c722e
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json
@@ -0,0 +1,55 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + }, + "domain":{ + "admin": ["ft"], + "demo": ["xx"] + }, + "role": { + "admin": ["admin"], + "demo": ["dev"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + }, + "access": { + "pause": ["write"], + "unpause": ["write"], + "start": ["write"], + "stop": ["write"], + "list": ["read"], + "create": ["write"], + "storage_list": ["read"], + "download": ["read"], + "post": ["write"], + "upload": ["write"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + }, + "type": { + "servers": ["computing"] + }, + "object_id": { + "servers": ["servers"] + } + } +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json new file mode 100644 index 00000000..21a99eb2 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json @@ -0,0 +1,23 @@ +{ + "name": "Simple_Policy", + "genre": "authz", + "description": "Simple Security Policy", + "pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"], + + "subject_categories": [ + "subject_security_level", + "domain", + "role" + ], + + "action_categories": [ + "resource_action", + "access" + ], + + "object_categories": [ + "object_security_level", + "type", + "object_id" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json new file mode 100644 index 00000000..c9afd6c2 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json 
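Review bot: `policy_authz/metadata.json` declares `"pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"]`, but `policy_authz/metarule.json` (same commit, next hunk) defines three sub meta rules, `mls_rule`, `dte_rule` and `rbac_rule`, with `"aggregation": "all_true"`, and `rule.json` carries five `dte_rule` entries. If `pdp_pipeline` is what the PDP evaluates, the `dte_rule` data is never applied and the "all_true" aggregation silently covers only two of the three rules; if `dte_rule` is meant to be enforced, add `"authz:dte_rule"` to the pipeline. Either way the intended relationship between `pdp_pipeline` and `sub_meta_rules` is not documented anywhere in the policy directory, and a short README or a `"description"` sentence in metadata.json stating which list is authoritative would prevent the next policy author from repeating the mismatch. Note also that `policy_empty_admin/metadata.json` in this commit has a `"model"` key that this file lacks, so the metadata schema differs between the shipped policies.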
@@ -0,0 +1,24 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + }, + "dte_rule": { + "subject_categories": ["domain"], + "action_categories": ["access"], + "object_categories": ["type"], + "algorithm": "inclusion" + }, + "rbac_rule": { + "subject_categories": ["role", "domain"], + "action_categories": ["access"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json new file mode 100644 index 00000000..25f9d93a --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json 
@@ -0,0 +1,25 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "high"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "medium"], + ["medium", "vm_access", "low"], + ["low", "vm_access", "low"] + ], + "dte_rule":[ + ["ft", "read", "computing"], + ["ft", "write", "computing"], + ["ft", "read", "storage"], + ["ft", "write", "storage"], + ["xx", "read", "storage"] + ], + "rbac_rule":[ + ["dev", "xx", "read", "servers"], + ["admin", "xx", "read", "servers"], + ["admin", "ft", "read", "servers"] + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json new file mode 100644 index 00000000..9b313daf --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json @@ -0,0 +1,49 @@ +{ + "subject_scopes": { + "role": [ + "admin", + "dev" + ], + "subject_security_level": [ + "high", + "medium", + "low" + ], + "domain": [ + "ft", + "xx" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ], + "access": [ + "write", + "read" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ], + "type": [ + "computing", + "storage" + ], + "object_id": [ + "servers", + "vm1", + "vm2", + "file1", + "file2" + ] + } +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} 
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json new file mode 100644 index 00000000..3c9be2e5 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "Empty_Policy", + "model": "", + "genre": "admin", + "description": "Empty Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json new file mode 100644 index 00000000..54dbfc31 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json 
@@ -0,0 +1,39 @@ +{ + "subjects": [], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json @@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} 
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json new file mode 100644 index 00000000..4f300d78 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json new file mode 100644 index 00000000..9da8a8c0 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json @@ -0,0 +1,5 @@ +{ + "subjects": [], + "actions": [], + "objects": [] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json 
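Review bot: `policy_empty_authz/metadata.json` names itself `"MLS_Policy"` with `"model": "MLS"` and description `"Multi Level Security Policy"`, which is byte-for-byte the identity of `policy_mls_authz/metadata.json` in the next hunk, while all of its category lists are empty; the file reads as a copy-paste leftover and, if policies are looked up by name, the two directories will collide. Rename it in line with its sibling `policy_empty_admin` (`"name": "Empty_Policy"`, `"description": "Empty Policy"`). The same empty-template residue appears in `policy_empty_authz/metarule.json` and `policy_empty_admin/metarule.json`, where an `mls_rule` entry with `"algorithm": ""` and `"aggregation": ""` is kept instead of an empty `sub_meta_rules` object; if the loader requires at least one entry, a comment-equivalent `"description"` field saying so would explain the shape.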
@@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json new file mode 100644 index 00000000..0712dfbc --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json @@ -0,0 +1,29 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + } + } +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json new file mode 100644 index 00000000..c419c815 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [ + "subject_security_level" + ], + + "action_categories": [ + "resource_action" + ], + + "object_categories": [ + "object_security_level" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json new file mode 100644 index 00000000..e068927c --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json 
@@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json new file mode 100644 index 00000000..b17dc822 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json @@ -0,0 +1,16 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "low"], + ["high", "storage_admin", "medium"], + ["high", "storage_admin", "low"], + ["medium", "storage_admin", "low"], + ["high", "storage_access", "medium"], + ["high", "storage_access", "low"], + ["medium", "storage_access", "low"] + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json new file mode 100644 index 00000000..6cc1c28e --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json 
@@ -0,0 +1,26 @@ +{ + "subject_scopes": { + "subject_security_level": [ + "high", + "medium", + "low" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ] + } +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json new file mode 100644 index 00000000..f2378333 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json 
@@ -0,0 +1,48 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"], + "demo": ["dev_role"] + } + }, + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + "object_assignments": { + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_scopes": ["authz.subject_scopes"], + "authz.object_scopes": ["authz.object_scopes"], + "authz.action_scopes": ["authz.action_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_scopes": ["admin.subject_scopes"], + "admin.object_scopes": ["admin.object_scopes"], + "admin.action_scopes": ["admin.action_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} 
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json new file mode 100644 index 00000000..9ee8a11d --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "RBAC Admin Policy", + "model": "RBAC", + "genre": "admin", + "description": "", + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json new file mode 100644 index 00000000..1155533e --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json 
@@ -0,0 +1,42 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json new file mode 100644 index 00000000..c89ceff3 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json 
@@ -0,0 +1,94 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_scopes"], + ["root_role" , "read", "authz.object_scopes"], + ["root_role" , "read", "authz.action_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_scopes"], + ["root_role" , "write", "authz.object_scopes"], + ["root_role" , "write", "authz.action_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_scopes"], + ["root_role" , "read", "admin.object_scopes"], + ["root_role" , "read", "admin.action_scopes"], + 
["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_scopes"], + ["root_role" , "write", "admin.object_scopes"], + ["root_role" , "write", "admin.action_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"], + ["dev_role" , "read", "authz.subjects"], + ["dev_role" , "read", "authz.objects"], + ["dev_role" , "read", "authz.actions"], + ["dev_role" , "read", "authz.subject_categories"], + ["dev_role" , "read", "authz.object_categories"], + ["dev_role" , "read", "authz.action_categories"], + ["dev_role" , "read", "authz.subject_scopes"], + ["dev_role" , "read", "authz.object_scopes"], + ["dev_role" , "read", "authz.action_scopes"], + ["dev_role" , "read", "authz.subject_assignments"], + ["dev_role" , "read", "authz.object_assignments"], + ["dev_role" , "read", "authz.action_assignments"], + ["dev_role" , "read", "authz.aggregation_algorithm"], + ["dev_role" , "read", "authz.sub_meta_rules"], + ["dev_role" , "read", "authz.rules"], + ["dev_role" , "read", "admin.subjects"], + ["dev_role" , "read", "admin.objects"], + ["dev_role" , "read", "admin.actions"], + ["dev_role" , "read", "admin.subject_categories"], + 
["dev_role" , "read", "admin.object_categories"], + ["dev_role" , "read", "admin.action_categories"], + ["dev_role" , "read", "admin.subject_scopes"], + ["dev_role" , "read", "admin.object_scopes"], + ["dev_role" , "read", "admin.action_scopes"], + ["dev_role" , "read", "admin.subject_assignments"], + ["dev_role" , "read", "admin.object_assignments"], + ["dev_role" , "read", "admin.action_assignments"], + ["dev_role" , "read", "admin.aggregation_algorithm"], + ["dev_role" , "read", "admin.sub_meta_rules"], + ["dev_role" , "read", "admin.rules"] + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json new file mode 100644 index 00000000..149056a6 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json @@ -0,0 +1,48 @@ +{ + "subject_scopes": { + "role": [ + "root_role", + "dev_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "object_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} 
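Review bot: `dev_role` (assigned to the `demo` subject in this policy's `assignment.json`) is granted `read` on every `authz.*` and `admin.*` object, including `admin.rules`, `admin.subject_assignments` and `authz.rules`, so a demo user can enumerate the complete policy of both the authz and the admin extension. If this is the admin policy the orchestrator ships by default rather than a test fixture, least privilege argues for dropping the `["dev_role" , "read", "admin.…"]` entries at the end of the list, or at least filling the empty `"description": ""` in `metadata.json` with a warning that it is a permissive demo policy.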
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json new file mode 100644 index 00000000..e849ae13 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json @@ -0,0 +1,39 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"] + } + }, + + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + + "object_assignments": { + "object_id": { + "templates": ["templates"], + "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"], + "aggregation_algorithms": ["aggregation_algorithms"], + "tenants": ["tenants"], + "intra_extensions": ["intra_extensions"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json new file mode 100644 index 00000000..9dd7a928 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json 
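Review bot: The object identifiers in this root policy do not line up with the admin policy added earlier in the same patch: here the scope objects are `admin.subject_category_scopes`, `admin.object_category_scopes` and `admin.action_category_scopes`, while `policy_rbac_admin` uses `admin.subject_scopes`, `admin.object_scopes` and `admin.action_scopes` (and the same `_scopes` form in its `perimeter.json`, `scope.json` and `rule.json`). If these object ids are what the PDP matches incoming requests against, one of the two spellings will never match and those operations will be silently denied for `root_role`; the two policies should agree on one naming, and the same change is needed in this directory's `perimeter.json`, `rule.json` and `scope.json`. I cannot tell from this hunk which spelling the API actually emits.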
@@ -0,0 +1,19 @@ +{ + "name": "Root Policy", + "model": "RBAC", + "genre": "admin", + "description": "root extension", + "pdp_pipeline": ["authz:rbac_rule"], + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json new file mode 100644 index 00000000..788a27f2 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json @@ -0,0 +1,31 @@ +{ + "subjects": [ + "admin" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json new file mode 100644 index 00000000..9bbd5e4c --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json 
@@ -0,0 +1,44 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "templates"], + ["root_role" , "read", "aggregation_algorithms"], + ["root_role" , "read", "sub_meta_rule_algorithms"], + ["root_role" , "read", "tenants"], + ["root_role" , "read", "intra_extensions"], + ["root_role" , "write", "templates"], + ["root_role" , "write", "aggregation_algorithms"], + ["root_role" , "write", "sub_meta_rule_algorithms"], + ["root_role" , "write", "tenants"], + ["root_role" , "write", "intra_extensions"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", 
"admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] + ] +} diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json new file mode 100644 index 00000000..43f9ced8 --- /dev/null +++ b/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json @@ -0,0 +1,39 @@ +{ + "subject_scopes": { + "role": [ + "root_role" + ] + }, + + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + + "object_scopes": { + "object_id": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__init__.py b/moonv4/moon_orchestrator/moon_orchestrator/__init__.py new file mode 100644 index 00000000..903c6518 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/__init__.py @@ -0,0 +1,6 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +__version__ = "0.1.0" diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__main__.py b/moonv4/moon_orchestrator/moon_orchestrator/__main__.py new file mode 100644 index 00000000..b1feff49 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/__main__.py @@ -0,0 +1,3 @@ +from moon_orchestrator.server import main + +main() 
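Review bot: `__main__.py` calls `main()` unconditionally at module level, so any import of `moon_orchestrator.__main__` (test discovery, tooling, a stray `import`) starts the server. The conventional guard keeps `python -m moon_orchestrator` working while making the import side-effect free: `if __name__ == "__main__":` followed by `    main()`.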
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py b/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py b/moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py new file mode 100644 index 00000000..36c1f60d --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py 
@@ -0,0 +1,63 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import json +from oslo_config import cfg +from oslo_log import log as logging +from moon_db.core import IntraExtensionRootManager +from moon_db.core import ConfigurationManager + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +class Configuration(object): + """ + Retrieve the global configuration. + """ + + __version__ = "0.1.0" + + def get_policy_templates(self, ctx, args): + """List all policy templates + + :param ctx: {"id": "intra_extension_id"} + :param args: {} + :return: { + "template_id": { + "name": "name of the template", + "description": "description of the template", + } + """ + templates = ConfigurationManager.get_policy_templates_dict(ctx["user_id"]) + return {"policy_templates": templates} + + def get_aggregation_algorithms(self, ctx, args): + """List all aggregation algorithms + + :param ctx: {"id": "intra_extension_id"} + :param args: {} + :return: { + "algorithm_id": { + "name": "name of the algorithm", + "description": "description of the algorithm", + } + } + """ + return {'aggregation_algorithms': ConfigurationManager.get_aggregation_algorithms_dict(ctx["user_id"])} + + def get_sub_meta_rule_algorithms(self, ctx, args): + """List all sub meta rule algorithms + + :param ctx: {"id": "intra_extension_id"} + :param args: {} + :return: { + "algorithm_id": { + "name": "name of the algorithm", + "description": "description of the algorithm", + } + } + """ + return {'sub_meta_rule_algorithms': ConfigurationManager.get_sub_meta_rule_algorithms_dict(ctx["user_id"])} 
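Review bot: All three methods read `ctx["user_id"]`, but every docstring documents `ctx` as `{"id": "intra_extension_id"}`, so a caller following the docs gets a KeyError on the first line of `get_policy_templates`; the docstrings should read `:param ctx: {"user_id": "uuid of the calling user"}` and a missing key is better reported than raised, e.g. `user_id = ctx.get("user_id")` followed by an explicit error return when it is None. The `get_policy_templates` docstring is also missing the closing brace of its `:return:` example. `json` and `IntraExtensionRootManager` are imported but unused in this file.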
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/containers.py b/moonv4/moon_orchestrator/moon_orchestrator/api/containers.py new file mode 100644 index 00000000..3572d615 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/api/containers.py 
@@ -0,0 +1,152 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import hashlib +from oslo_config import cfg +from oslo_log import log as logging +# from moon_db.core import IntraExtensionRootManager +# from moon_db.core import ConfigurationManager +from moon_utilities.security_functions import call + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +class Containers(object): + """ + Manage containers. + """ + + __version__ = "0.1.0" + + def __init__(self, docker_manager): + self.docker_manager = docker_manager + self.components = dict() + for pdp_key, pdp_value in call("moon_manager", method="get_pdp", + ctx={"user_id": "admin", "id": None})["pdps"].items(): + self.add_container(ctx={"id": pdp_key, "pipeline": pdp_value["security_pipeline"]}) + + # for _ext_id, _ext_value in self.__get_pdp({"user_id": "admin"}, None)["intra_extensions"].items(): + # self.docker_manager.load(component="policy", uuid=_ext_id) + # # FIXME (asteroide): there may be other security_function here (delegation, ...) + # LOG.info("ADDING Containers {}".format(_ext_value)) + # self.docker_manager.load(component="function", uuid="{}_{}_{}".format("authz", "rbac_rule", _ext_id)) + + # def __get_pdp(self, ctx, args=None): + # """Get information about all pdp + # + # :param ctx: { + # "user_id": "uuid of a user", + # "id": "uuid of a tenant or an intra_extension" + # } + # :param args: {} + # :return: { + # "intra_extension_id": { + # "name": "name of the intra extension", + # "model": "model of the intra extension", + # "genre": "genre of the intra extension", + # "description": "description of the intra-extension" + # } + # } + # """ + # # TODO (asteroide): check if ctx["id"] is a tenant UUID or an intra_extension UUID. 
+ # _ext = IntraExtensionRootManager.get_intra_extensions_dict(ctx["user_id"]) + # if ctx and "id" in ctx and ctx["id"]: + # if ctx["id"] in _ext: + # return {"pdp": {ctx["id"]: _ext[ctx["id"]]}} + # return {"error": "No pdp with id {}".format(ctx["id"])} + # return {"pdp": _ext} + + def get_container(self, ctx, args=None): + uuid = ctx.get("id") + keystone_project_id = ctx.get("keystone_project_id") + # _containers = self.docker_manager.get_component(uuid=uuid) + # LOG.info("containers={}".format(_containers)) + if uuid: + return self.components[uuid] + elif keystone_project_id: + for container_id, container_value in self.components.items(): + if container_value['keystone_project_id'] == keystone_project_id: + return {container_id: container_value} + else: + return {} + return {"containers": self.components} + + def add_container(self, ctx, args=None): + """Add containers linked to an intra-extension + + :param ctx: {"id": "intra_extension_uuid"} + :param args: {} + :return: { + "container_id1": {"status": True}, + "container_id2": {"status": True}, + } + """ + LOG.info("add_container {}".format(ctx)) + pdp = call("moon_manager", method="get_pdp", + ctx={"user_id": "admin", "id": ctx["id"]}, + args={})["pdps"] + pdp_id = list(pdp.keys())[0] + if not pdp[pdp_id]["keystone_project_id"]: + return {"result": "False", "message": "Cannot find keystone_project_id in pdp"} + keystone_project_id = pdp[pdp_id]["keystone_project_id"] + self.components[ctx["id"]] = [] + for policy_key, policy_value in call("moon_manager", method="get_policies", + ctx={"user_id": "admin", "id": None}, + args={})["policies"].items(): + if policy_key in ctx["pipeline"]: + models = call("moon_manager", method="get_models", + ctx={"user_id": "admin", "id": None}, + args={})["models"] + for meta_rule in models[policy_value['model_id']]['meta_rules']: + genre = policy_value['genre'] + pre_container_id = "pdp:{}_metarule:{}_project:{}".format(ctx["id"], meta_rule, keystone_project_id) + 
policy_component = self.docker_manager.load(component=genre, + uuid=pre_container_id) + self.components[ctx["id"]].append({ + "meta_rule_id": meta_rule, + "genre": policy_value['genre'], + "keystone_project_id": keystone_project_id, + "container_id": "authz_"+hashlib.sha224(pre_container_id.encode("utf-8")).hexdigest() + }) + return {"containers": self.components[ctx["id"]]} + # function_components = [] + # for pdp in ctx['pdp_pipeline']: + # key, value = pdp.split(":") + # LOG.info("add_container {}:{}".format(key, value)) + # function_components.append(self.docker_manager.load(component="function", + # uuid="{}_{}_{}".format(key, value, ctx["id"]))) + # containers = dict() + # containers[policy_component.id] = policy_component.get_status() + # for component in function_components: + # containers[component.id] = component.get_status() + # return {"containers": containers} + + def delete_container(self, ctx, args=None): + """Delete a container + + :param ctx: {"id": "intra_extension_uuid"} + :param args: {} + :return: {} + """ + try: + self.docker_manager.kill(component_id="moon_secpolicy_"+ctx["id"]) + try: + # FIXME (asteroide): need to select other security_function here + self.docker_manager.kill(component_id="moon_secfunction_authz_"+ctx["id"]) + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": True, + "error": {'code': 200, 'title': 'Moon Warning', 'description': str(e)}, + "intra_extension_id": ctx["id"], + "ctx": ctx, "args": args} + except Exception as e: + LOG.error(e, exc_info=True) + return {"result": False, + "error": {'code': 500, 'title': 'Moon Error', 'description': str(e)}, + "intra_extension_id": ctx["id"], + "ctx": ctx, "args": args} + return {"result": True} + diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py b/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py new file mode 100644 index 00000000..cadd98d3 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py 
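Review bot: The `keystone_project_id` branch of `get_container` cannot work: `add_container` stores `self.components[ctx["id"]]` as a list of dicts, so `container_value['keystone_project_id']` indexes a list with a string and raises TypeError, and the `else: return {}` inside the loop means only the first pdp is ever examined anyway; an unknown `id` likewise raises KeyError instead of returning an empty result. The rewrite below searches every entry of every pdp and uses `.get` for the id case. Separately, `pdp_id = list(pdp.keys())[0]` in `add_container` raises IndexError when the manager returns no pdp for `ctx["id"]`, the stored `container_id` is prefixed with the literal `"authz_"` even though `genre` varies per policy, and `delete_container` kills `"moon_secpolicy_"+ctx["id"]`, which does not appear to match the `authz_`+sha224 names created here unless `docker_manager` maps them (not visible in this hunk).
```python
    def get_container(self, ctx, args=None):
        uuid = ctx.get("id")
        keystone_project_id = ctx.get("keystone_project_id")
        if uuid:
            return self.components.get(uuid, {})
        if keystone_project_id:
            for container_id, entries in self.components.items():
                if any(entry.get("keystone_project_id") == keystone_project_id
                       for entry in entries):
                    return {container_id: entries}
            return {}
        return {"containers": self.components}
```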
@@ -0,0 +1,29 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + + +class Status(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def get_status(self, ctx, args): + """Retrieve the current status of all components.""" + return {"status": "Running"} + + +class Logs(object): + """ + Retrieve the current status of all components. + """ + + __version__ = "0.1.0" + + def get_logs(self, ctx, args): + return {"error": "NotImplemented", "ctx": ctx, "args": args} + + diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py b/moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py new file mode 100644 index 00000000..66ddf256 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py 
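Review bot: The `Logs` class docstring is a copy of `Status`'s ("Retrieve the current status of all components."), and `get_logs` echoes the caller's `ctx` and `args` back verbatim in its error payload, which returns whatever the caller sent (including any credentials placed in `ctx`) for no benefit. Suggested docstring: `"""Retrieve component logs (not implemented yet)."""` and a reply of just `{"error": "NotImplemented"}`. `get_status` also returns the constant `"Running"` without consulting any component, so its docstring overstates what it does; either say so (`"""Liveness stub: always reports Running."""`) or wire it to the docker manager.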
@@ -0,0 +1,76 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_config import cfg
+from oslo_log import log as logging
+from uuid import uuid4
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+
+class Slaves(object):
+ """
+ Manage containers.
+ """
+
+ __version__ = "0.1.0"
+
+ def __init__(self, slaves):
+ self.slaves = slaves
+
+ def add_slave(self, ctx, args=None):
+ """Add a new slave in the global list
+
+ :param ctx: {
+ "name": "name of the slave",
+ "description": "description"
+ }
+ :param args: {}
+ :return: {
+ "uuid_of_the_slave": {
+ "name": "name of the slave",
+ "description": "description"
+ }
+ }
+ """
+ if "name" in ctx:
+ for _id, _dict in self.slaves.items():
+ if _dict['name'] == ctx['name']:
+ LOG.warning("A slave named {} already exists!".format(ctx['name']))
+ return {"slaves": {_id: _dict}}
+ uuid = uuid4().hex
+ ctx.pop("method")
+ ctx.pop("call_master")
+ self.slaves[uuid] = ctx
+ return {"slaves": {uuid: ctx}}
+
+ def get_slaves(self, ctx, args=None):
+ """Get all the known slaves
+
+ :param ctx: {}
+ :param args: {}
+ :return: {
+ "uuid_of_the_slave": {
+ "name": "name of the slave",
+ "description": "description"
+ }
+ }
+ """
+ return {"slaves": self.slaves}
+
+ def delete_slave(self, ctx, args=None):
+ """Delete a previous slave in the global list
+
+ :param ctx: {
+ "id": "ID of the slave"
+ }
+ :param args: {}
+ :return: None
+ """
+ if "id" in ctx:
+ if ctx['id'] in self.slaves:
+ self.slaves.pop(ctx['id'])
+ return {"slaves": self.slaves}
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/dockers.py b/moonv4/moon_orchestrator/moon_orchestrator/dockers.py
new file mode 100644
index 00000000..2eecdc0e
--- /dev/null
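Review bot: `add_slave` calls `ctx.pop("method")` and `ctx.pop("call_master")` unconditionally, so a request missing either key raises `KeyError` and the endpoint fails instead of returning an error; use `ctx.pop("method", None)` and `ctx.pop("call_master", None)`. The whole remaining `ctx` dict is then stored as the slave record and returned by `get_slaves`, so any extra keys a caller sends are persisted and later echoed to every reader; building the record from the documented fields only (`{"name": ctx["name"], "description": ctx.get("description", "")}`) keeps the stored shape to what the docstring promises. The `"name" in ctx` guard also falls through to the registration when no name is given, producing a nameless record that the duplicate check cannot match and that makes `_dict['name']` raise `KeyError` on the next named request.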
+++ b/moonv4/moon_orchestrator/moon_orchestrator/dockers.py 
@@ -0,0 +1,191 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import json +import glob +import uuid +import shutil +import errno +from uuid import uuid4 +from oslo_config import cfg +from oslo_log import log as logging +from jinja2 import FileSystemLoader, Environment +from moon_utilities.options import get_docker_template_dir + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +TEMPLATES_FOLDER = get_docker_template_dir() + + +class DockerBase: + + docker = None + image_id = None + tag = 'moon/component' + tmp_dir = os.path.join("/tmp", uuid.uuid4().hex) + name = "" + __build = """RUN mkdir -p /etc/moon/ +COPY conf /etc/moon/ +ADD dist/{py_pkg}.tar.gz /root +WORKDIR /root/{py_pkg} +RUN pip3 install --upgrade -r requirements.txt +RUN pip3 install --upgrade . 
+""" + + def __init__(self, + name, + run_cmd, + host=None, + build_cmd=None, + conf_file="", + id=None, + docker=None, + network_config=None, + tag="", + port=None + ): + self.conf_file = conf_file + self.docker = docker + self.network_config = network_config + self.name = name + self.id = id if id else name + "_" + uuid4().hex + self.tag = "moon/{}".format(name) + self.build_cmd = build_cmd if build_cmd else self.__build + self.run_cmd = run_cmd + self.host = host + self.docker_id = id + self.port = port + containers = self.docker.containers() + if self.id not in map(lambda x: x['Id'], containers): + self.create_container(tag) + self.run_docker() + else: + LOG.info("Component {} already running...".format(name)) + + def create_container(self, container=None): + if not container: + proxy = CONF.proxy + if CONF.proxy: + proxy = "ENV http_proxy {0}\nENV https_proxy {0}\n".format(CONF.proxy) + run = self.build_cmd.format( + py_pkg=self.__get_last_version_of_pkg(self.name).replace(".tar.gz", "").replace("dist/", ""), + port=self.port + ) + docker_str = self.__get_template().render(run=run, cmd=self.run_cmd, proxy=proxy) + self.__create_tmp_dir(docker_str) + self.create_docker(docker_str) + else: + self.tag = container + + def __create_tmp_dir(self, docker_str): + try: + os.mkdir(self.tmp_dir) + except OSError as e: + LOG.warning("Problem when creating temporary directory ({})".format(e)) + + try: + os.mkdir(os.path.join(self.tmp_dir, "dist")) + except OSError as e: + LOG.warning("Problem when creating temporary directory ({})".format(e)) + for _file in glob.glob("{}/*".format(CONF.dist_dir)): + LOG.info("Copying {}".format(_file)) + shutil.copy(_file, os.path.join(self.tmp_dir, "dist")) + + try: + shutil.copytree(os.path.dirname(self.conf_file), os.path.join(self.tmp_dir, "conf")) + except OSError as exc: + if exc.errno == errno.ENOTDIR: + shutil.copy(os.path.dirname(self.conf_file), os.path.join(self.tmp_dir, "conf")) + elif exc.errno == errno.EEXIST: + pass + else: 
+ LOG.info("exc.errno = {}".format(exc.errno)) + raise + + open("{}/Dockerfile".format(self.tmp_dir), "w").write(docker_str) + + def __get_docker_network(self, name="moon"): + if self.host: + return self.docker.create_networking_config({ + name: self.docker.create_endpoint_config( + aliases=[self.id, ], + ipv4_address=self.host, + ) + }) + else: + return self.docker.create_networking_config({ + name: self.docker.create_endpoint_config( + aliases=[self.id, ] + ) + }) + + @staticmethod + def __get_last_version_of_pkg(name): + files = [] + for filename in glob.glob("{}/{}*".format(CONF.dist_dir, name)): + files.append(filename) + files.sort() + try: + return os.path.basename(files[-1]) + except Exception as e: + LOG.error("__get_last_version_of_pkg {}/{}*".format(CONF.dist_dir, name)) + raise e + + def run_docker(self): + LOG.info("run_docker hostname={}".format(self.id.replace("_", "-"))) + if self.port: + host_config = self.docker.create_host_config(port_bindings={ + self.port: self.port + }) + else: + host_config = self.docker.create_host_config() + + output = self.docker.create_container(image=self.tag, + command=list(self.run_cmd), + hostname=str(self.id.replace("_", "-")), + name=str(self.id), + networking_config=self.__get_docker_network(), + host_config=host_config + ) + container_data = self.docker.inspect_container(output['Id']) + name = container_data["Name"] + LOG.info("Running container {} with ID {}".format(self.tag, output)) + LOG.info("output id = {}".format(output['Id'])) + self.docker.start(container=output['Id']) + LOG.info("Running container output {}".format(self.docker.logs( + container=name, + # stdout=True, + # stderr=True + ).decode("utf-8"))) + self.name = name + self.docker_id = output['Id'] + + def create_docker(self, docker_str): + # f = BytesIO(docker_str.encode('utf-8')) + LOG.info("Building {}".format(self.tmp_dir)) + # TODO (dthom): halt on built errors (or emit a log) + _output = self.docker.build(path=self.tmp_dir, rm=True, 
tag=self.tag) + # _output = self.cli.build(fileobj=f, rm=True, tag=self.tag, stream=True) + for line in _output: + jline = json.loads(line.decode("utf-8")) + if "stream" in jline: + LOG.info("\033[33m" + jline["stream"].strip() + "\033[m") + else: + LOG.info("\033[33m" + str(jline).strip() + "\033[m") + else: + LOG.debug(_output) + LOG.info("tag = {}".format(self.tag)) + LOG.info("images = {}".format(self.docker.images(name=self.tag))) + self.image_id = self.docker.images(name=self.tag)[0]['Id'] + + @staticmethod + def __get_template(filename="template.dockerfile"): + simple_loader = FileSystemLoader(TEMPLATES_FOLDER) + env = Environment(loader=simple_loader) + return env.get_template(filename) diff --git a/moonv4/moon_orchestrator/moon_orchestrator/messenger.py b/moonv4/moon_orchestrator/moon_orchestrator/messenger.py new file mode 100644 index 00000000..6b54255f --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/messenger.py 
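Review bot: `tmp_dir` is a class attribute computed once at import (`os.path.join("/tmp", uuid.uuid4().hex)`), so every `DockerBase` instance in the process builds in the same directory; `__create_tmp_dir` swallows `EEXIST` on the `conf` copy, so the second component built in a process gets the first component's `conf` tree baked into its image via `COPY conf /etc/moon/`, and the `dist` directory accumulates packages across builds. Create a fresh private directory per instance in `__init__`, e.g. `self.tmp_dir = tempfile.mkdtemp(prefix="moon_")` (add `import tempfile`; the directory is created with mode 0700 and cannot collide with a pre-existing path under world-writable /tmp), and remove it once `create_docker` returns. The Dockerfile write `open("{}/Dockerfile".format(self.tmp_dir), "w").write(docker_str)` never closes the handle; use `with open("{}/Dockerfile".format(self.tmp_dir), "w") as f: f.write(docker_str)`. Separately, `run_docker` passes `port_bindings={self.port: self.port}`, which docker-py publishes on all host interfaces; if the port is only meant for local clients, bind it as `('127.0.0.1', self.port)` or make the bind address a config option.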
@@ -0,0 +1,84 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from oslo_config import cfg +import oslo_messaging +from oslo_log import log as logging +import time +from moon_utilities.api import APIList +from moon_utilities.security_functions import call +from moon_utilities.exceptions import RootPDPNotInitialized + +from oslo_config import cfg +from moon_orchestrator.api.generic import Status, Logs +# from moon_orchestrator.api.configuration import Configuration +from moon_orchestrator.api.containers import Containers +from moon_orchestrator.api.slaves import Slaves + +TOPIC = "orchestrator" +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + + +class Server: + + def __init__(self, containers, docker_manager, slaves): + self.CONTAINERS = containers + self.transport = oslo_messaging.get_transport(cfg.CONF) + self.target = oslo_messaging.Target(topic=TOPIC, server='server1') + LOG.info("Starting MQ server with topic: {}".format(TOPIC)) + self.docker_manager = docker_manager + for _container in containers: + Status._container = containers[_container] + self.endpoints = [ + APIList((Status, Logs, Containers)), + Status(), + Logs(), + Containers(self.docker_manager), + # Configuration(), + Slaves(slaves) + ] + self.server = oslo_messaging.get_rpc_server(self.transport, self.target, self.endpoints, + executor='threading', + access_policy=oslo_messaging.DefaultRPCAccessPolicy) + + # @staticmethod + # def __check_root_pdp(): + # root_exist = False + # for key, value in call("manager", ctx={"user_id": "admin"}, + # method="get_pdp", args={})["pdp"].items(): + # if value["name"] == CONF.root_policy_directory: + # root_exist = True + # if not root_exist: + # ie = call("manager", ctx={"user_id": "admin"}, method="add_pdp", + # 
args={ + # "name": "policy_root", + # "model": CONF.root_policy_directory, + # "genre": "admin", + # "description": "policy_root" + # }) + # if "result" in ie and not ie["result"]: + # raise RootPDPNotInitialized + + def run(self): + try: + self.server.start() + # try: + # raise NotImplementedError + # # self.__check_root_pdp() + # except Exception as e: + # LOG.error("Exception occurred when creating Root PDP: {}".format(e)) + while True: + time.sleep(1) + except KeyboardInterrupt: + LOG.warning("Stopping server by crtl+c (please be patient, closing connections...)") + except SystemExit: + LOG.warning("Stopping server (please be patient, closing connections...)") + except Exception as e: + LOG.error("Exception occurred: {}".format(e)) + + self.server.stop() + self.server.wait() + diff --git a/moonv4/moon_orchestrator/moon_orchestrator/scoper.py b/moonv4/moon_orchestrator/moon_orchestrator/scoper.py new file mode 100644 index 00000000..ebfb12f8 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/scoper.py 
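Review bot: The loop `for _container in containers: Status._container = containers[_container]` rebinds the same class attribute on every iteration, so only the last container survives, and nothing in `Status` reads `_container`; either drop the loop or pass the mapping to `Status()` explicitly. `from oslo_config import cfg` is imported twice, and `call` and `RootPDPNotInitialized` are only referenced by the commented-out `__check_root_pdp`. In `run`, the final `except Exception` only logs and then falls through to `stop()`/`wait()`, so a failure to start the RPC server ends the process with status 0; log with `LOG.exception(...)` and re-raise so a supervisor sees the failure. `DefaultRPCAccessPolicy` makes every public method of each endpoint remotely callable, so any helper later added to `Slaves` or `Containers` becomes an RPC method; `oslo_messaging.ExplicitRPCAccessPolicy` with `@oslo_messaging.expose` on the intended handlers keeps the exposed surface explicit.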
@@ -0,0 +1,40 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+
+class Scoper(DockerBase):
+
+ id = "moon_scoper"
+
+ def __init__(self, conf_file="", docker=None, network_config=None):
+ super(Scoper, self).__init__(
+ name="moon_scoper",
+ id=self.id,
+ run_cmd=["python3", "-m", "moon_scoper"],
+ host=CONF.scoper.host,
+ conf_file=conf_file,
+ docker=docker,
+ network_config=network_config,
+ tag=CONF.scoper.container
+ )
+
+ @staticmethod
+ def get_status():
+ transport = oslo_messaging.get_transport(CONF)
+ target = oslo_messaging.Target(topic='scoper', version='1.0')
+ client = oslo_messaging.RPCClient(transport, target)
+ LOG.info("Calling Status on scoper component...")
+ ret = client.call({"component_id": "scoper"}, 'get_status', args=None)
+ LOG.info(ret)
+ return ret
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_function.py b/moonv4/moon_orchestrator/moon_orchestrator/security_function.py
new file mode 100644
index 00000000..1b33ef60
--- /dev/null
+++ b/moonv4/moon_orchestrator/moon_orchestrator/security_function.py
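Review bot: `get_status` calls `oslo_messaging.get_transport(CONF)` on every invocation and never calls `transport.cleanup()`, so each status probe leaks a transport and its broker connection; create the transport once at module or class level and reuse it, or call `transport.cleanup()` in a `finally`. The same pattern is repeated in `SecurityFunction.get_status`, `SecurityManager.get_status`, `SecurityPolicy.get_status` and `SecurityRouter.get_status` in this commit. `client.call(...)` relies on the default RPC timeout, so an unresponsive scoper container blocks the caller for the full default; bounding it with `client.prepare(timeout=...)` keeps the orchestrator responsive.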
@@ -0,0 +1,56 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityFunction(DockerBase):
+
+ id = "moon_function"
+ __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+ def __init__(self, intra_extension_id, conf_file="", docker=None, network_config=None):
+ self.id = "moon_pdp_{}".format(intra_extension_id)
+ super(SecurityFunction, self).__init__(
+ name="moon_secfunction",
+ run_cmd=["python3", "-m", "moon_secfunction", intra_extension_id],
+ conf_file=conf_file,
+ docker=docker,
+ network_config=network_config,
+ build_cmd=self.__build,
+ id=self.id,
+ tag=CONF.security_function.container
+ )
+ # note(asteroide): time to let the new docker boot
+ time.sleep(3)
+ self.get_status()
+
+ def get_status(self):
+ transport = oslo_messaging.get_transport(CONF)
+ target = oslo_messaging.Target(topic=self.id, version='1.0')
+ client = oslo_messaging.RPCClient(transport, target)
+ LOG.info("Calling Status on {}".format(self.id))
+ ret = client.call({"component_id": self.id}, 'get_status', args=None)
+ LOG.info(ret)
+ return ret
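Review bot: `self.id` is set to `"moon_pdp_{}".format(intra_extension_id)` while the component is named `"moon_secfunction"`, and `delete_container` in `api/containers.py` kills `"moon_secfunction_authz_" + ctx["id"]`, so the id registered here does not appear to be the one used for deletion; if this class is what the `function` plugin instantiates, derive both from one prefix, e.g. `self.id = "moon_secfunction_{}".format(intra_extension_id)`. The constructor also sleeps a fixed `time.sleep(3)` and then calls `get_status()`, whose RPC failure propagates out of `__init__` after the container has already been created and started, leaving a running container that nothing tears down; catch the failure, kill/remove the container, then re-raise. The class-level `id = "moon_function"` is overwritten on every instantiation and is never the value a caller sees.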
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_interface.py b/moonv4/moon_orchestrator/moon_orchestrator/security_interface.py new file mode 100644 index 00000000..656c4340 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/security_interface.py @@ -0,0 +1,45 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +from oslo_config import cfg +from oslo_log import log as logging +from moon_orchestrator.dockers import DockerBase + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +# TODO (dthom): select the right template folder +TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") + + +class SecurityInterface(DockerBase): + + id = "moon_interface" + __build = """RUN mkdir -p /etc/moon/ + COPY conf /etc/moon/ + ADD dist/{py_pkg}.tar.gz /root + WORKDIR /root/{py_pkg} + RUN pip3 install -r requirements.txt + RUN pip3 install . + EXPOSE {port} + """ + + def __init__(self, conf_file="", docker=None, network_config=None): + super(SecurityInterface, self).__init__( + name="moon_interface", + id=self.id, + run_cmd=["python3", "-m", "moon_interface"], + host=CONF.interface.host, + conf_file=conf_file, + docker=docker, + network_config=network_config, + tag=CONF.interface.container, + build_cmd=self.__build, + port=CONF.interface.port + ) + diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_manager.py b/moonv4/moon_orchestrator/moon_orchestrator/security_manager.py new file mode 100644 index 00000000..c7dc4c63 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/security_manager.py 
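Review bot: The `__build` template here indents every Dockerfile line by four spaces, unlike the otherwise identical templates in `SecurityFunction`, `SecurityManager` and `SecurityPolicy`; the Dockerfile parser appears to tolerate leading whitespace, but the four copies differ only in the `EXPOSE {port}` line, so one template in `DockerBase` with an optional `EXPOSE` line would remove the duplication and the inconsistency. `os`, `__CWD__` and `TEMPLATES_FOLDER` are defined but never read in this module (the `TODO (dthom)` notes the template folder is still unresolved); `DockerBase` already resolves the template folder via `get_docker_template_dir()`, so these can be dropped.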
@@ -0,0 +1,56 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityManager(DockerBase):
+
+ id = "moon_manager"
+ __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+ def __init__(self, conf_file="", docker=None, network_config=None):
+ self.id = "moon_manager"
+ super(SecurityManager, self).__init__(
+ name="moon_manager",
+ run_cmd=["python3", "-m", "moon_manager"],
+ conf_file=conf_file,
+ docker=docker,
+ network_config=network_config,
+ build_cmd=self.__build,
+ id=self.id,
+ tag=CONF.security_manager.container
+ )
+ # note(asteroide): time to let the new docker boot
+ time.sleep(3)
+ self.get_status()
+
+ def get_status(self):
+ transport = oslo_messaging.get_transport(CONF)
+ target = oslo_messaging.Target(topic=self.id, version='1.0')
+ client = oslo_messaging.RPCClient(transport, target)
+ LOG.info("Calling Status on {}".format(self.id))
+ ret = client.call({"component_id": self.id}, 'get_status', args=None)
+ LOG.info(ret)
+ return ret
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_policy.py b/moonv4/moon_orchestrator/moon_orchestrator/security_policy.py
new file mode 100644
index 00000000..5cb1d51c
--- /dev/null
+++ b/moonv4/moon_orchestrator/moon_orchestrator/security_policy.py @@ -0,0 +1,56 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import time +from oslo_config import cfg +from oslo_log import log as logging +import oslo_messaging +from moon_orchestrator.dockers import DockerBase + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +# TODO (dthom): select the right template folder +TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") + + +class SecurityPolicy(DockerBase): + + id = "moon_secpolicy" + __build = """RUN mkdir -p /etc/moon/ +COPY conf /etc/moon/ +ADD dist/{py_pkg}.tar.gz /root +WORKDIR /root/{py_pkg} +RUN pip3 install -r requirements.txt +RUN pip3 install . +""" + + def __init__(self, intra_extension_id, conf_file="", docker=None, network_config=None): + self.id = "moon_secpolicy" + intra_extension_id + super(SecurityPolicy, self).__init__( + name="moon_secpolicy", + run_cmd=["python3", "-m", "moon_secpolicy", intra_extension_id], + conf_file=conf_file, + docker=docker, + network_config=network_config, + build_cmd=self.__build, + id="moon_secpolicy_{}".format(intra_extension_id), + tag=CONF.security_policy.container + ) + # note(asteroide): time to let the new docker boot + time.sleep(3) + self.get_status() + + def get_status(self): + transport = oslo_messaging.get_transport(CONF) + target = oslo_messaging.Target(topic=self.id, version='1.0') + client = oslo_messaging.RPCClient(transport, target) + LOG.info("Calling Status on {}".format(self.id)) + ret = client.call({"component_id": self.id}, 'get_status', args=None) + LOG.info(ret) + return ret 
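Review bot: `self.id = "moon_secpolicy" + intra_extension_id` (no separator) is immediately overwritten by `DockerBase.__init__`, which receives `id="moon_secpolicy_{}".format(intra_extension_id)` and assigns it to `self.id`; the first assignment is dead and spells the id differently, so keep one form, `self.id = "moon_secpolicy_{}".format(intra_extension_id)`, and pass `id=self.id` as the sibling classes do. Because `get_status` derives the RPC topic from `self.id`, any future divergence between the two spellings would silently probe the wrong topic.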
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_router.py b/moonv4/moon_orchestrator/moon_orchestrator/security_router.py new file mode 100644 index 00000000..290ab111 --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/security_router.py @@ -0,0 +1,52 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import os +import json +import glob +import uuid +import shutil +from oslo_config import cfg +from oslo_log import log as logging +import oslo_messaging +from io import BytesIO +from docker import Client +from jinja2 import FileSystemLoader, Environment +from moon_orchestrator.dockers import DockerBase + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF +DOMAIN = "moon_orchestrator" + +__CWD__ = os.path.dirname(os.path.abspath(__file__)) +# TODO (dthom): select the right template folder +TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers") + + +class SecurityRouter(DockerBase): + + id = "moon_router" + + def __init__(self, conf_file="", docker=None, network_config=None): + super(SecurityRouter, self).__init__( + name="moon_secrouter", + id=self.id, + run_cmd=["python3", "-m", "moon_secrouter"], + host=CONF.security_router.host, + conf_file=conf_file, + docker=docker, + network_config=network_config, + tag=CONF.security_router.container + ) + + @staticmethod + def get_status(): + transport = oslo_messaging.get_transport(CONF) + target = oslo_messaging.Target(topic='security_router', version='1.0') + client = oslo_messaging.RPCClient(transport, target) + LOG.info("Calling Status on security_server...") + ret = client.call({"component_id": "security_router"}, 'get_status', args=None) + LOG.info(ret) + return ret 
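Review bot: `json`, `glob`, `uuid`, `shutil`, `BytesIO`, `Client`, `FileSystemLoader` and `Environment` are imported but unused in this module, and `__CWD__`/`TEMPLATES_FOLDER` are defined but never read; drop them, the `docker.Client` import in particular pulls in the client library for nothing. The log line in `get_status` reads "Calling Status on security_server..." while the target topic is `security_router`; aligning the message with the topic makes the log searchable by component name.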
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/server.py b/moonv4/moon_orchestrator/moon_orchestrator/server.py new file mode 100644 index 00000000..4fc9d5fd --- /dev/null +++ b/moonv4/moon_orchestrator/moon_orchestrator/server.py 
@@ -0,0 +1,140 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +import sys +import os +import hashlib +from oslo_config import cfg +from oslo_log import log as logging +import oslo_messaging +from docker import Client +import docker.errors as docker_errors +from importlib.machinery import SourceFileLoader +from moon_utilities import options +from moon_orchestrator.security_router import SecurityRouter +from moon_orchestrator.security_interface import SecurityInterface +from moon_orchestrator.security_manager import SecurityManager +from moon_orchestrator.security_function import SecurityFunction +# from moon_orchestrator.security_policy import SecurityPolicy +# from moon_orchestrator.security_function import SecurityFunction +from moon_orchestrator import messenger + +LOG = logging.getLogger(__name__) +CONF = cfg.CONF + +CONTAINERS = {} +SLAVES = {} +docker = Client(base_url=CONF.docker_url) + + +# def get_template(filename="template.dockerfile"): +# simple_loader = FileSystemLoader(TEMPLATES_FOLDER) +# env = Environment(loader=simple_loader) +# return env.get_template(filename) + + +def create_docker_network(name="moon"): + + return docker.create_networking_config({ + name: docker.create_endpoint_config(), + 'aliases': ['orchestrator', ] + }) + + +def load_plugin(plugname): + try: + m = SourceFileLoader("scenario", os.path.join(CONF.plugin_dir, plugname+".py")) + return m.load_module() + except ImportError as e: + LOG.error("Error in importing plugin {}".format(plugname)) + LOG.error("{}".format(e)) + + +class DockerManager: + + @staticmethod + def load(component, uuid): + """Load a new docker mapping the component given + + :param component: the name of the component (policy or function) + :param uuid: the uuid of 
the intra_extension linked to that component + :return: the created component + """ + component_id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest() + if component_id not in CONTAINERS: + plug = load_plugin(component) + LOG.info("Creating {} with id {}".format(component, uuid)) + component = plug.run(uuid, options.filename, docker=docker, network_config=create_docker_network()) + CONTAINERS[component_id] = component + return component + + @staticmethod + def get_component(uuid=None): + if uuid: + return CONTAINERS.get(uuid, None) + return CONTAINERS + + @staticmethod + def kill(component_id, delete=True): + LOG.info("Killing container {}".format(component_id)) + docker.kill(container=component_id) + if delete: + docker.remove_container(container=component_id) + + +def _exit(exit_number=0, docker=None, error=None): + for _container in CONTAINERS: + LOG.warning("Deleting containers named {}...".format(_container)) + # print(40 * "-" + _container) + try: + # print(docker.logs(container=_container).decode("utf-8")) + docker.kill(container=_container) + except docker_errors.NotFound: + LOG.error("The container {} was not found".format(_container)) + except docker_errors.APIError as e: + LOG.error(e) + else: + docker.remove_container(container=_container) + + # TODO (dthom): put in the debug log + if error: + LOG.info(str(error)) + sys.exit(exit_number) + + +def main(): + # conf_file = options.configure(DOMAIN) + LOG.info("Starting server with IP {}".format(CONF.orchestrator.host)) + + docker_manager = DockerManager() + + network_config = create_docker_network() + + LOG.info("Creating Security Router") + router = SecurityRouter(options.filename, docker=docker, network_config=network_config) + CONTAINERS[router.id] = router + + LOG.info("Creating Manager") + manager = SecurityManager(options.filename, docker=docker, network_config=network_config) + CONTAINERS[manager.id] = manager + + LOG.info("Creating Security Interface") + interface = 
SecurityInterface(options.filename, docker=docker, network_config=network_config) + CONTAINERS[interface.id] = interface + + try: + router.get_status() + except oslo_messaging.rpc.client.RemoteError as e: + LOG.error("Cannot check status of remote container!") + _exit(1, docker, e) + serv = messenger.Server(containers=CONTAINERS, docker_manager=docker_manager, slaves=SLAVES) + try: + serv.run() + finally: + _exit(0, docker) + + +if __name__ == '__main__': + main() diff --git a/moonv4/moon_orchestrator/reinstall.sh b/moonv4/moon_orchestrator/reinstall.sh new file mode 100644 index 00000000..0649a378 --- /dev/null +++ b/moonv4/moon_orchestrator/reinstall.sh @@ -0,0 +1,8 @@ +pip install -r requirements.txt +pip install dist/moon_utilities-0.1.0.tar.gz +pip install dist/moon_db-0.1.0.tar.gz +pip install -r ../moon_utilities/requirements.txt +pip install -r ../moon_db/requirements.txt +python setup.py develop +docker rm -f moon_interface moon_router +docker ps diff --git a/moonv4/moon_orchestrator/requirements.txt b/moonv4/moon_orchestrator/requirements.txt new file mode 100644 index 00000000..ef41155c --- /dev/null +++ b/moonv4/moon_orchestrator/requirements.txt @@ -0,0 +1,10 @@ +docker-py +kombu !=4.0.1,!=4.0.0 +oslo.messaging !=5.14.0,!=5.13.0 +oslo.config +oslo.log +vine +jinja2 +sqlalchemy +pymysql +werkzeug
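Review bot: `load_plugin` joins `plugname + ".py"` onto `CONF.plugin_dir` and executes the result through `SourceFileLoader(...).load_module()`, and the name reaches it from `DockerManager.load(component, ...)`, which the `Containers` RPC endpoint calls with a `genre` value originating outside this module; a name containing path separators or `..` would resolve outside `plugin_dir`, so reject anything that is not a plain identifier before building the path: `if not plugname.isidentifier(): raise ValueError("invalid plugin name: {}".format(plugname))`. The `except ImportError` also appears to miss the `FileNotFoundError` raised for a missing plugin file and, on the errors it does catch, returns `None`, which `DockerManager.load` then dereferences as `plug.run(...)`; catch `(ImportError, OSError)` and re-raise after logging. `create_docker_network` passes `'aliases': ['orchestrator', ]` as a second key of the dict given to `create_networking_config`, where docker-py expects network-name to endpoint-config pairs, so the alias presumably ends up treated as a network name rather than applied to the `moon` endpoint; `aliases=` belongs inside `create_endpoint_config(...)`, as `DockerBase.__get_docker_network` already does. In `_exit` the `docker` parameter shadows the module-level client of the same name, which is harmless today but worth renaming.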
\ No newline at end of file diff --git a/moonv4/moon_orchestrator/setup.py b/moonv4/moon_orchestrator/setup.py new file mode 100644 index 00000000..b4983e93 --- /dev/null +++ b/moonv4/moon_orchestrator/setup.py @@ -0,0 +1,47 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +from setuptools import setup, find_packages +import moon_orchestrator + + +setup( + + name='moon_orchestrator', + + version=moon_orchestrator.__version__, + + packages=find_packages(), + + author="Thomas Duval", + + author_email="thomas.duval@orange.com", + + description="", + + long_description=open('README.rst').read(), + + # install_requires= , + + include_package_data=True, + + url='https://git.opnfv.org/cgit/moon/', + + classifiers=[ + "Programming Language :: Python", + "Development Status :: 1 - Planning", + "License :: OSI Approved", + "Natural Language :: French", + "Operating System :: OS Independent", + "Programming Language :: Python :: 3", + ], + + entry_points={ + 'console_scripts': [ + 'moon_orchestrator = moon_orchestrator.server:main', + ], + } + +) |
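Review bot: None of the ten requirements carries a version pin, and `kombu` and `oslo.messaging` only exclude specific releases, so each component image build (`RUN pip3 install --upgrade -r requirements.txt` in `DockerBase.__build`) resolves to whatever is newest on the index at build time and two builds of the same commit can differ. Pin the versions (`==` or a constraints file) and consider `--require-hashes` so the images are reproducible and the resolved dependency set can be audited.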