Diffstat (limited to 'tests')
18 files changed, 223 insertions, 153 deletions
diff --git a/tests/scenario/delegation.py b/tests/functional/scenario_available/delegation.py index 839e74ce..839e74ce 100644 --- a/tests/scenario/delegation.py +++ b/tests/functional/scenario_available/delegation.py diff --git a/tests/scenario/mls.py b/tests/functional/scenario_available/mls.py index 3a3ded43..0e6285c9 100644 --- a/tests/scenario/mls.py +++ b/tests/functional/scenario_available/mls.py @@ -1,9 +1,10 @@ -pdp_name = "pdp1" +pdp_name = "pdp_mls" policy_name = "MLS Policy example" model_name = "MLS" +policy_genre = "authz" -subjects = {"user0": "", "user1": "", "user2": "", } +subjects = {"adminuser": "", "user1": "", "user2": "", } objects = {"vm0": "", "vm1": "", } actions = {"start": "", "stop": ""} @@ -20,7 +21,7 @@ object_data = { action_data = {"action-type": {"vm-action": "", "storage-action": "", }} subject_assignments = { - "user0": {"subject-security-level": "high"}, + "adminuser": {"subject-security-level": "high"}, "user1": {"subject-security-level": "medium"}, } object_assignments = { @@ -33,21 +34,25 @@ action_assignments = { } meta_rule = { - "mls": {"id": "", "value": ("subject-security-level", "object-security-level", "action-type")}, + "mls": { + "id": "", + "value": ("subject-security-level", + "object-security-level", + "action-type")}, } rules = { "mls": ( { - "rules": ("high", "medium", "vm-action"), + "rule": ("high", "medium", "vm-action"), "instructions": ({"decision": "grant"}) }, { - "rules": ("high", "low", "vm-action"), + "rule": ("high", "low", "vm-action"), "instructions": ({"decision": "grant"}) }, { - "rules": ("medium", "low", "vm-action"), + "rule": ("medium", "low", "vm-action"), "instructions": ({"decision": "grant"}) }, ) diff --git a/tests/scenario/rbac.py b/tests/functional/scenario_available/rbac.py index 89fd7de8..25c010fd 100644 --- a/tests/scenario/rbac.py +++ b/tests/functional/scenario_available/rbac.py 
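Review bot: `user2` is still declared in `subjects` (first mls.py hunk), but `subject_assignments` in the second hunk lists only `adminuser` and `user1`, so this scenario never gives `user2` a `subject-security-level`. How the engine treats a subject with no assignment is not visible in this diff. If `user2` is the intended negative case, say so next to the dict, e.g. `# user2 deliberately has no security level: requests from it are expected to be refused`; if it is an oversight, add `"user2": {"subject-security-level": "low"},`. The same lines are added again in tests/functional/scenario_tests/mls.py.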
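Review bot: In the `rules` hunk the key is corrected to `"rule"`, but each `"instructions": ({"decision": "grant"})` beside it is still a parenthesised dict rather than a one-element tuple, because the trailing comma is missing. rbac.py in this same commit writes `{"decision": "grant"},` inside the parentheses, so the two scenarios hand the loader different types. The consumer is not shown here, but if it iterates over `instructions` it would walk the dict's keys instead of instruction objects. Suggest `"instructions": ({"decision": "grant"},)` for all three rules, and likewise in the copy added as tests/functional/scenario_tests/mls.py.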
@@ -1,10 +1,10 @@ -pdp_name = "pdp1" +pdp_name = "pdp_rbac" policy_name = "RBAC policy example" model_name = "RBAC" policy_genre = "authz" -subjects = {"user0": "", "user1": "", } +subjects = {"adminuser": "", "user1": "", } objects = {"vm0": "", "vm1": "", } actions = {"start": "", "stop": ""} @@ -16,9 +16,24 @@ subject_data = {"role": {"admin": "", "employee": "", "*": ""}} object_data = {"id": {"vm0": "", "vm1": "", "*": ""}} action_data = {"action-type": {"vm-action": "", "*": ""}} -subject_assignments = {"user0": ({"role": "employee"}, {"role": "*"}), "user1": ({"role": "employee"}, {"role": "*"}), } -object_assignments = {"vm0": ({"id": "vm0"}, {"id": "*"}), "vm1": ({"id": "vm1"}, {"id": "*"})} -action_assignments = {"start": ({"action-type": "vm-action"}, {"action-type": "*"}), "stop": ({"action-type": "vm-action"}, {"action-type": "*"})} +subject_assignments = { + "adminuser": + ({"role": "admin"}, {"role": "employee"}, {"role": "*"}), + "user1": + ({"role": "employee"}, {"role": "*"}), +} +object_assignments = { + "vm0": + ({"id": "vm0"}, {"id": "*"}), + "vm1": + ({"id": "vm1"}, {"id": "*"}) +} +action_assignments = { + "start": + ({"action-type": "vm-action"}, {"action-type": "*"}), + "stop": + ({"action-type": "vm-action"}, {"action-type": "*"}) +} meta_rule = { "rbac": {"id": "", "value": ("role", "id", "action-type")}, @@ -29,7 +44,9 @@ rules = { { "rule": ("admin", "vm0", "vm-action"), "instructions": ( - {"decision": "grant"}, # "grant" to immediately exit, "continue" to wait for the result of next policy + {"decision": "grant"}, + # "grant" to immediately exit, + # "continue" to wait for the result of next policy ) }, { diff --git a/tests/scenario/rbac_custom_100.py b/tests/functional/scenario_available/rbac_custom_100.py index 9ee55dbd..9ee55dbd 100644 --- a/tests/scenario/rbac_custom_100.py +++ b/tests/functional/scenario_available/rbac_custom_100.py 
diff --git a/tests/scenario/rbac_custom_1000.py b/tests/functional/scenario_available/rbac_custom_1000.py
index d6850485..d6850485 100644
--- a/tests/scenario/rbac_custom_1000.py
+++ b/tests/functional/scenario_available/rbac_custom_1000.py
diff --git a/tests/scenario/rbac_custom_50.py b/tests/functional/scenario_available/rbac_custom_50.py
index e1437cf4..e1437cf4 100644
--- a/tests/scenario/rbac_custom_50.py
+++ b/tests/functional/scenario_available/rbac_custom_50.py
diff --git a/tests/scenario/rbac_large.py b/tests/functional/scenario_available/rbac_large.py
index ef5dd9b2..ef5dd9b2 100644
--- a/tests/scenario/rbac_large.py
+++ b/tests/functional/scenario_available/rbac_large.py
diff --git a/tests/scenario/rbac_mls.py b/tests/functional/scenario_available/rbac_mls.py
index 8a5362ea..8a5362ea 100644
--- a/tests/scenario/rbac_mls.py
+++ b/tests/functional/scenario_available/rbac_mls.py
diff --git a/tests/scenario/session.py b/tests/functional/scenario_available/session.py
index 97d7aec3..97d7aec3 100644
--- a/tests/scenario/session.py
+++ b/tests/functional/scenario_available/session.py
diff --git a/tests/scenario/session_large.py b/tests/functional/scenario_available/session_large.py
index 5b4a64b6..5b4a64b6 100644
--- a/tests/scenario/session_large.py
+++ b/tests/functional/scenario_available/session_large.py
diff --git a/tests/functional/scenario_enabled/mls.py b/tests/functional/scenario_enabled/mls.py
new file mode 120000
index 00000000..6acd75ce
--- /dev/null
+++ b/tests/functional/scenario_enabled/mls.py
@@ -0,0 +1 @@
+../scenario_available/mls.py
\ No newline at end of file
diff --git a/tests/functional/scenario_enabled/rbac.py b/tests/functional/scenario_enabled/rbac.py
new file mode 120000
index 00000000..0edc905a
--- /dev/null
+++ b/tests/functional/scenario_enabled/rbac.py
@@ -0,0 +1 @@
+../scenario_available/rbac.py
\ No newline at end of file
diff --git a/tests/functional/scenario_tests/mls.py b/tests/functional/scenario_tests/mls.py
new file mode 100644
index 00000000..0e6285c9
--- /dev/null
+++ b/tests/functional/scenario_tests/mls.py
@@ -0,0 +1,59 @@
+
+pdp_name = "pdp_mls"
+policy_name = "MLS Policy example"
+model_name = "MLS"
+policy_genre = "authz"
+
+subjects = {"adminuser": "", "user1": "", "user2": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"subject-security-level": "", }
+object_categories = {"object-security-level": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {
+ "subject-security-level": {"low": "", "medium": "", "high": ""},
+}
+object_data = {
+ "object-security-level": {"low": "", "medium": "", "high": ""},
+}
+action_data = {"action-type": {"vm-action": "", "storage-action": "", }}
+
+subject_assignments = {
+ "adminuser": {"subject-security-level": "high"},
+ "user1": {"subject-security-level": "medium"},
+}
+object_assignments = {
+ "vm0": {"object-security-level": "medium"},
+ "vm1": {"object-security-level": "low"},
+}
+action_assignments = {
+ "start": {"action-type": "vm-action"},
+ "stop": {"action-type": "vm-action"}
+}
+
+meta_rule = {
+ "mls": {
+ "id": "",
+ "value": ("subject-security-level",
+ "object-security-level",
+ "action-type")},
+}
+
+rules = {
+ "mls": (
+ {
+ "rule": ("high", "medium", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rule": ("high", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ {
+ "rule": ("medium", "low", "vm-action"),
+ "instructions": ({"decision": "grant"})
+ },
+ )
+}
diff --git a/tests/functional/scenario_tests/rbac.py b/tests/functional/scenario_tests/rbac.py
new file mode 100644
index 00000000..1d2cabee
--- /dev/null
+++ b/tests/functional/scenario_tests/rbac.py
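Review bot: tests/functional/scenario_tests/mls.py is added as a regular file (mode 100644) whose blob id `0e6285c9` is the same as tests/functional/scenario_available/mls.py, while scenario_enabled/ in this commit uses symlinks (mode 120000) into scenario_available/. Two independent copies of an authorization scenario can drift, so a later correction to one policy file would leave the tests exercising the old rules. Consider making this file a symlink as well, or open it with a comment such as `# copy of scenario_available/mls.py, keep in sync` that says why a separate copy is needed.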
@@ -0,0 +1,61 @@
+
+pdp_name = "pdp_rbac1"
+policy_name = "RBAC policy example"
+model_name = "RBAC"
+policy_genre = "authz"
+
+subjects = {"adminuser": "", "user1": "", }
+objects = {"vm0": "", "vm1": "", }
+actions = {"start": "", "stop": ""}
+
+subject_categories = {"role": "", }
+object_categories = {"id": "", }
+action_categories = {"action-type": "", }
+
+subject_data = {"role": {"admin": "", "employee": "", "*": ""}}
+object_data = {"id": {"vm0": "", "vm1": "", "*": ""}}
+action_data = {"action-type": {"vm-action": "", "*": ""}}
+
+subject_assignments = {
+ "adminuser":
+ ({"role": "admin"}, {"role": "employee"}, {"role": "*"}),
+ "user1":
+ ({"role": "employee"}, {"role": "*"}),
+}
+object_assignments = {
+ "vm0":
+ ({"id": "vm0"}, {"id": "*"}),
+ "vm1":
+ ({"id": "vm1"}, {"id": "*"})
+}
+action_assignments = {
+ "start":
+ ({"action-type": "vm-action"}, {"action-type": "*"}),
+ "stop":
+ ({"action-type": "vm-action"}, {"action-type": "*"})
+}
+
+meta_rule = {
+ "rbac": {"id": "", "value": ("role", "id", "action-type")},
+}
+
+rules = {
+ "rbac": (
+ {
+ "rule": ("admin", "vm0", "vm-action"),
+ "instructions": (
+ {"decision": "grant"},
+ # "grant" to immediately exit,
+ # "continue" to wait for the result of next policy
+ )
+ },
+ {
+ "rule": ("employee", "vm1", "vm-action"),
+ "instructions": (
+ {"decision": "grant"},
+ )
+ },
+ )
+}
+
+
diff --git a/tests/get_keystone_projects.py b/tests/get_keystone_projects.py
deleted file mode 100644
index 9b5d87cd..00000000
--- a/tests/get_keystone_projects.py
+++ /dev/null
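Review bot: `pdp_name = "pdp_rbac1"` at the top of this new file differs from `"pdp_rbac"` in tests/functional/scenario_available/rbac.py, whereas both mls.py files in this commit use `"pdp_mls"`. Nothing in the diff explains the suffix. If PDP names have to be unique, the two mls scenarios would clash; if they do not, the `1` looks accidental. Either align it with `pdp_name = "pdp_rbac"`, or add a comment like `# distinct name so this scenario can coexist with scenario_available/rbac.py`.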
@@ -1,16 +0,0 @@
-from python_moonclient import parse, models, policies, pdp
-
-
-if __name__ == "__main__":
- args = parse.parse()
- consul_host = args.consul_host
- consul_port = args.consul_port
-
- models.init(consul_host, consul_port)
- policies.init(consul_host, consul_port)
- pdp.init(consul_host, consul_port)
-
- projects = pdp.get_keystone_projects()
-
- for _project in projects['projects']:
- print("{} {}".format(_project['id'], _project['name']))
diff --git a/tests/performance/README.md b/tests/performance/README.md
index 52613d2c..fcb80589 100644
--- a/tests/performance/README.md
+++ b/tests/performance/README.md
@@ -1,69 +1,80 @@ -# Moon Yardstick and Bottlenecks Performance Tests +# Moon Yardstick/Bottlenecks Performance Tests The main objective of this document is to describe the performance tests for the Moon project/module. -Moon is a security managment platform which provides a set of security functions to project the underlying OPNFV infrastructure and/or VNFs. -Moon is consisted of 2 parts: a master and a set of slaves. The master holds all security-related information and each slave only fetches and holds -related informations for its local usage from master. +Moon is a security management platform which provides a set of security functions to project the underlying OPNFV infrastructure and/or VNFs. +It is consisted of 2 parts: a master and a set of slaves. The master holds all security-related information and each slave only fetches and holds +related information for its local usage from master. -## Moon Master Performance Tests -In this test, we should: +## Master Performance Tests +### Pre-requisite - setup a Moon master service on a physical server -- create a tenant/scope through the Moon master service -- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant +- create a project in OpenStack/Keystone +- create a MSL PDP with a model of 4 subject security levels and 4 object security levels, the MLS policy will be defined later -- increase N to find the limit of the security policy (implemented in format of a Docker) - - create N users and N resources (VMs in our case) in this tenant - - simulate 2 operation requests per user per second to Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, determine the capacity limit for one Docker +### Policy Size Test +Increase the number of users and resources N to find the limit of the security policy +- create N users and N resources (VMs in our case) in this MLS security policy +- sends 5 authz 
requests/second +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal number of N to support 5 requests/second -- setup 20 user and 20 resources (VMs in our case) for one tenant - - increase the number of tenants to test the maximal number of tenants on the server +### PDP Number Test +- setup 20 user and 20 resources (VMs in our case) for each MLS PDP +- sends 5 authz requests/second for each MLS PDP +- increase the number of PDP to test the maximal number of PDP on the master -- setup 5 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server +### Policy Size Test for 5 PDPs +- setup 5 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 5 PDPs -- setup 10 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server +### Policy Size Test for 10 PDPs +- setup 10 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 10 PDPs -- setup 20 tenants of N users and N resources (VMs in our case) in each tenant - - increase N by simulating 2 operation requests per user per second to the 
Moon's authorization endpoint - - gather performance metrics like CPU, memory, network usages - - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server - -## Moon Slave Performace Tests -In this test, we should: -- setup a Moon master service on a physical server -- setup a Moon slave service on a physical server -- create a tenant/scope through the Moon master service -- create a MSL security policy with 4 subject security levels and 4 object security levels for this tenant through the Moon master service +### Policy Size Test for 20 PDPs +- setup 20 PDPs of N users and N resources (VMs in our case) +- sends 5 authz requests/second for each MLS PDP +- gather performance metrics like CPU, memory, network usages +Through the iteration, determine the maximal user/resource number of these 20 PDPs -- increase N to find the limit of the security policy (implemented in format of a Docker) - - create N users and N resources (VMs in our case) in this tenant - - simulate 2 operation requests per user per second to Moon slave's authorizatoin endpoint - - gather performance metrics like CPU, memory, network usages of Moon slave - - throught the iteration, dermine the capacity limit for one Docker of Moon slave - -- setup 20 user and 20 resources (VMs in our case) for one tenant through the Moon slave service - - increate the number of tenants to test the maximal number of tenants on the server of the Moon slave - -- setup 5 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and Moon slave - - throught the iteration, dermine the maximal user/resource number of these 5 tenants/Dockers on the server of Moon slave -- setup 10 tenants of N users and N resources (VMs in our case) in each 
tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and slave - - throught the iteration, dermine the maximal user/resource number of these 10 tenants/Dockers on the server of the Moon slave +## Master-Slave Performance Tests +### Pre-requisite +- setup a Moon master on a physical server +- setup a Moon slave on a physical server +- create a project in OpenStack/Keystone +- create a MSL PDP with a model of 4 subject security levels and 4 object security levels, the MLS policy will be defined later on the master + +### Slave Policy Size Test +Increase the number of users and resources N to find the limit of the security policy +- create N users and N resources (VMs in our case) in this MLS security policy on the master +- sends 5 authz requests/second to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal number of N to support 5 requests/second of the slave + +### Slave PDP Number Test +- setup 20 user and 20 resources (VMs in our case) for each MLS PDP on the master +- sends 5 authz requests/second for each MLS PDP to the slave +Through the iteration, determine the maximal number of PDP to support 5 requests/second of the slave -- setup 20 tenants of N users and N resources (VMs in our case) in each tenant through the Moon master service - - increate N by simulating 2 operation requests per user per second to the Moon slave's authorization endpoint - - gather performance metrics like CPU, memory, network usages of both Moon master and slave - - throught the iteration, dermine the maximal user/resource number of these 20 tenants/Dockers on the server of the Moon slave +### Slave Policy Size Test for 5 PDPs +- setup 5 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz 
requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 5 PDPs +### Slave Policy Size Test for 10 PDPs +- setup 10 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 10 PDPs +### Slave Policy Size Test for 20 PDPs +- setup 20 PDPs of N users and N resources (VMs in our case) on the master +- sends 5 authz requests/second for each MLS PDP to the slave +- gather performance metrics like CPU, memory, network usages of the slave +Through the iteration, determine the maximal user/resource number of these 20 PDPs diff --git a/tests/populate_default_values.py b/tests/populate_default_values.py deleted file mode 100644 index d5a5769b..00000000 --- a/tests/populate_default_values.py +++ /dev/null 
@@ -1,37 +0,0 @@
-import logging
-from importlib.machinery import SourceFileLoader
-from python_moonclient import parse, models, policies, pdp
-
-logger = logging.getLogger("moonforming")
-
-
-if __name__ == "__main__":
- requests_log = logging.getLogger("requests.packages.urllib3")
- requests_log.setLevel(logging.WARNING)
- requests_log.propagate = True
-
- args = parse.parse()
- consul_host = args.consul_host
- consul_port = args.consul_port
- project_id = args.keystone_pid
-
- models.init(consul_host, consul_port)
- policies.init(consul_host, consul_port)
- pdp.init(consul_host, consul_port)
-
- if args.filename:
- print("Loading: {}".format(args.filename[0]))
- m = SourceFileLoader("scenario", args.filename[0])
- scenario = m.load_module()
-
- _models = models.check_model()
- for _model_id, _model_value in _models['models'].items():
- if _model_value['name'] == scenario.model_name:
- model_id = _model_id
- meta_rule_list = _model_value['meta_rules']
- models.create_model(scenario, model_id)
- break
- else:
- model_id, meta_rule_list = models.create_model(scenario)
- policy_id = policies.create_policy(scenario, model_id, meta_rule_list)
- pdp_id = pdp.create_pdp(scenario, policy_id=policy_id, project_id=project_id)
diff --git a/tests/send_authz.py b/tests/send_authz.py
deleted file mode 100644
index b4ed1d2f..00000000
--- a/tests/send_authz.py
+++ /dev/null
@@ -1,32 +0,0 @@
-from importlib.machinery import SourceFileLoader
-from python_moonclient import config, parse, models, policies, pdp, authz
-
-
-if __name__ == "__main__":
- args = parse.parse()
- consul_host = args.consul_host
- consul_port = args.consul_port
-
- models.init(consul_host, consul_port)
- policies.init(consul_host, consul_port)
- pdp.init(consul_host, consul_port)
-
- if args.filename:
- print("Loading: {}".format(args.filename[0]))
- m = SourceFileLoader("scenario", args.filename[0])
- scenario = m.load_module()
-
- keystone_project_id = pdp.get_keystone_id(args.pdp)
- time_data = authz.send_requests(
- scenario,
- args.authz_host,
- args.authz_port,
- keystone_project_id,
- request_second=args.request_second,
- limit=args.limit,
- dry_run=args.dry_run,
- stress_test=args.stress_test,
- destination=args.destination
- )
- if not args.dry_run:
- authz.save_data(args.write, time_data) |