diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/README.md | 77 | ||||
-rw-r--r-- | tests/functional/scenario_tests/mls.py | 59 | ||||
-rw-r--r-- | tests/functional/scenario_tests/rbac.py | 61 | ||||
-rw-r--r-- | tests/performance/README.md | 121 |
4 files changed, 263 insertions, 55 deletions
diff --git a/tests/README.md b/tests/README.md new file mode 100644 index 00000000..c1437a2d --- /dev/null +++ b/tests/README.md @@ -0,0 +1,77 @@ +# Moon Tests +## Functional Tests +### Test Platform Setup +#### Docker Installation +```bash +apt update +apt install -y docker.io +``` + +#### Kubeadm Installation +see: https://kubernetes.io/docs/setup/independent/install-kubeadm/ +```bash +apt-get update && apt-get install -y apt-transport-https +curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - +cat <<EOF >/etc/apt/sources.list.d/kubernetes.list +deb http://apt.kubernetes.io/ kubernetes-xenial main +EOF +apt-get update +apt-get install -y kubelet kubeadm kubectl +``` + +#### K8S Initialisation +```bash +cd $MOON_HOME +bash tools/moon_kubernetes/init_k8s.sh +``` + +Wait until all the kubeadm containers are in the `running` state: +```bash +watch kubectl get po --namespace=kube-system +``` + +You must see something like this: + + $ kubectl get po --namespace=kube-system + NAME READY STATUS RESTARTS AGE + calico-etcd-7qgjb 1/1 Running 0 1h + calico-node-f8zvm 2/2 Running 1 1h + calico-policy-controller-59fc4f7888-ns9kv 1/1 Running 0 1h + etcd-varuna 1/1 Running 0 1h + kube-apiserver-varuna 1/1 Running 0 1h + kube-controller-manager-varuna 1/1 Running 0 1h + kube-dns-bfbb49cd7-rgqxn 3/3 Running 0 1h + kube-proxy-x88wg 1/1 Running 0 1h + kube-scheduler-varuna 1/1 Running 0 1h + + +#### Deploy Moon +```bash +cd $MOON_HOME +sudo bash tools/moon_kubernetes/start_moon.sh +``` + +Wait until all the Moon containers are in the `running` state: +```bash +watch kubectl get po --namespace=moon +``` + +You must see something like this: + + $ kubectl get po --namespace=moon + NAME READY STATUS RESTARTS AGE + consul-57b6d66975-9qnfx 1/1 Running 0 52m + db-867f9c6666-bq8cf 1/1 Running 0 52m + gui-bc9878b58-q288x 1/1 Running 0 51m + keystone-7d9cdbb69f-bl6ln 1/1 Running 0 52m + manager-5bfbb96988-2nvhd 1/1 Running 0 51m + manager-5bfbb96988-fg8vj 1/1 Running 0 51m + manager-5bfbb96988-w9wnk 1/1 Running 0 51m + orchestrator-65d8fb4574-tnfx2 1/1 Running 0 51m + wrapper-astonishing-748b7dcc4f-ngsvp 1/1 Running 0 51m + +### Launch Functional for Target Module +```bash +cd $MOON_HOME +sudo bash $TARGET_MODULE/tests/functional_pod/run_functional_tests.sh +``` diff --git a/tests/functional/scenario_tests/mls.py b/tests/functional/scenario_tests/mls.py new file mode 100644 index 00000000..0e6285c9 --- /dev/null +++ b/tests/functional/scenario_tests/mls.py @@ -0,0 +1,59 @@ + +pdp_name = "pdp_mls" +policy_name = "MLS Policy example" +model_name = "MLS" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", "user2": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"subject-security-level": "", } +object_categories = {"object-security-level": "", } +action_categories = {"action-type": "", } + +subject_data = { + "subject-security-level": {"low": "", "medium": "", "high": ""}, +} +object_data = { + "object-security-level": {"low": "", "medium": "", "high": ""}, +} +action_data = {"action-type": {"vm-action": "", "storage-action": "", }} + +subject_assignments = { + "adminuser": {"subject-security-level": "high"}, + "user1": {"subject-security-level": "medium"}, +} +object_assignments = { + "vm0": {"object-security-level": "medium"}, + "vm1": {"object-security-level": "low"}, +} +action_assignments = { + "start": {"action-type": "vm-action"}, + "stop": {"action-type": "vm-action"} +} + +meta_rule = { + "mls": { + "id": "", + "value": ("subject-security-level", + "object-security-level", + "action-type")}, +} + +rules = { + "mls": ( + { + "rule": ("high", "medium", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("high", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + { + "rule": ("medium", "low", "vm-action"), + "instructions": ({"decision": "grant"}) + }, + ) +} diff --git a/tests/functional/scenario_tests/rbac.py b/tests/functional/scenario_tests/rbac.py new file mode 100644 index 00000000..1d2cabee --- /dev/null +++ b/tests/functional/scenario_tests/rbac.py @@ -0,0 +1,61 @@ + +pdp_name = "pdp_rbac1" +policy_name = "RBAC policy example" +model_name = "RBAC" +policy_genre = "authz" + +subjects = {"adminuser": "", "user1": "", } +objects = {"vm0": "", "vm1": "", } +actions = {"start": "", "stop": ""} + +subject_categories = {"role": "", } +object_categories = {"id": "", } +action_categories = {"action-type": "", } + +subject_data = {"role": {"admin": "", "employee": "", "*": ""}} +object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} +action_data = {"action-type": {"vm-action": "", "*": ""}} + +subject_assignments = { + "adminuser": + ({"role": "admin"}, {"role": "employee"}, {"role": "*"}), + "user1": + ({"role": "employee"}, {"role": "*"}), +} +object_assignments = { + "vm0": + ({"id": "vm0"}, {"id": "*"}), + "vm1": + ({"id": "vm1"}, {"id": "*"}) +} +action_assignments = { + "start": + ({"action-type": "vm-action"}, {"action-type": "*"}), + "stop": + ({"action-type": "vm-action"}, {"action-type": "*"}) +} + +meta_rule = { + "rbac": {"id": "", "value": ("role", "id", "action-type")}, +} + +rules = { + "rbac": ( + { + "rule": ("admin", "vm0", "vm-action"), + "instructions": ( + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy + ) + }, + { + "rule": ("employee", "vm1", "vm-action"), + "instructions": ( + {"decision": "grant"}, + ) + }, + ) +} + + diff --git a/tests/performance/README.md b/tests/performance/README.md index 52613d2c..fcb80589 100644 --- a/tests/performance/README.md +++ b/tests/performance/README.md @@ -1,69 +1,80 @@ -# Moon Yardstick and Bottlenecks Performance Tests +# Moon Yardstick/Bottlenecks Performance Tests The main objective of this document is to describe the performance tests for the Moon project/module. -Moon is a security managment platform which provides a set of security functions to project the underlying OPNFV infrastructure and/or VNFs. -Moon is consisted of 2 parts: a master and a set of slaves. The master holds all security-related information and each slave only fetches and holds -related informations for its local usage from master. +Moon is a security management platform which provides a set of security functions to project the underlying OPNFV infrastructure and/or VNFs. +It is consisted of 2 parts: a master and a set of slaves. The master holds all security-related information and each slave only fetches and holds +related information for its local usage from master. -## Moon Master Performance Tests -In this test, we should: +## Master Performance Tests +### Pre-requisite - setup a Moon master service on a physical server -- create a tenant/scope through the Moon master service -- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant +- create a project in OpenStack/Keystone +- create a MSL PDP with a model of 4 subject security levels and 4 object security levels, the MLS policy will be defined later -- increase N to find the limit of the security policy (implemented in format of a Docker) - - create N users and N resources (VMs in our case) in this tenant - - simulate 2 operation requests per user per second to Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, determine the capacity limit for one Docker +### Policy Size Test +Increase the number of users and resources N to find the limit of the security policy +- create N users and N resources (VMs in our case) in this MLS security policy +- sends 5 authz requests/second +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal number of N to support 5 requests/second -- setup 20 user and 20 resources (VMs in our case) for one tenant - - increase the number of tenants to test the maximal number of tenants on the server +### PDP Number Test +- setup 20 user and 20 resources (VMs in our case) for each MLS PDP +- sends 5 authz requests/second for each MLS PDP +- increase the number of PDP to test the maximal number of PDP on the master -- setup 5 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server +### Policy Size Test for 5 PDPs +- setup 5 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 5 PDPs -- setup 10 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server +### Policy Size Test for 10 PDPs +- setup 10 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 10 PDPs -- setup 20 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server - -## Moon Slave Performace Tests -In this test, we should: -- setup a Moon master service on a physical server -- setup a Moon slave service on a physical server -- create a tenant/scope through the Moon master service -- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant through the Moon master service +### Policy Size Test for 20 PDPs +- setup 20 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 20 PDPs -- increase N to find the limit of the security policy (implemented in format of a Docker) - - create N users and N resources (VMs in our case) in this tenant - - simulate 2 operation requests per user per second to Moon slave's authorizatoin endpoint - - gather performance metrics like CPU, memory, network usages of Moon slave - - throught the iteration, dermine the capacity limit for one Docker of Moon slave - -- setup 20 user and 20 resources (VMs in our case) for one tenant through the Moon slave service - - increate the number of tenants to test the maximal number of tenants on the server of the Moon slave - -- setup 5 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and Moon slave - - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server of Moon slave -- setup 10 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and slave - - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server of the Moon slave +## Master-Slave Performance Tests +### Pre-requisite +- setup a Moon master on a physical server +- setup a Moon slave on a physical server +- create a project in OpenStack/Keystone +- create a MSL PDP with a model of 4 subject security levels and 4 object security levels, the MLS policy will be defined later on the master + +### Slave Policy Size Test +Increase the number of users and resources N to find the limit of the security policy +- create N users and N resources (VMs in our case) in this MLS security policy on the master +- sends 5 authz requests/second to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal number of N to support 5 requests/second of the slave + +### Slave PDP Number Test +- setup 20 user and 20 resources (VMs in our case) for each MLS PDP on the master +- sends 5 authz requests/second for each MLS PDP to the slave +Through the iteration, determine the maximal number of PDP to support 5 requests/second of the slave -- setup 20 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and slave - - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server of the Moon slave +### Slave Policy Size Test for 5 PDPs +- setup 5 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 5 PDPs +### Slave Policy Size Test for 10 PDPs +- setup 10 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 10 PDPs +### Slave Policy Size Test for 20 PDPs +- setup 20 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 20 PDPs |