From 29cdab640fea67115032a34ce9a5a109ee44b6ee Mon Sep 17 00:00:00 2001
From: Sofia Wallin
Date: Wed, 18 Oct 2017 12:43:47 +0200
Subject: Various corrections

Adjusted structure and enabled referencing.

Change-Id: I23a8afd08ebb013d772314b450497c17bfdfc4fc
Signed-off-by: Sofia Wallin
(cherry picked from commit e493f6692072574d339972f0db3adb8270bdeccd)
---
 docs/2015-11-03-meeting-repport.rst | 3 +-
 docs/2015-11-03.txt | 384 +++++++++++----------
 docs/platformoverview/index.rst | 3 +-
 docs/release/configguide/index.rst | 22 ++
 docs/release/configguide/installation.rst | 156 +++++++++
 docs/release/installation/index.rst | 20 --
 docs/release/installation/installation.md | 160 ---------
 docs/release/release-notes/index.rst | 8 +-
 docs/release/release-notes/release-notes.rst | 3 +-
 docs/release/scenarios/os-odl_l2-moon-ha/index.rst | 16 +
 .../os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst | 101 ++++++
 docs/release/userguide/index.rst | 2 +
 docs/release/userguide/userguide.md | 114 ------
 docs/release/userguide/userguide.rst | 124 +++++++
 docs/scenarios/os-odl_l2-moon-ha/index.rst | 14 -
 .../os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst | 101 ------
 16 files changed, 628 insertions(+), 603 deletions(-)
 create mode 100644 docs/release/configguide/index.rst
 create mode 100644 docs/release/configguide/installation.rst
 delete mode 100644 docs/release/installation/index.rst
 delete mode 100644 docs/release/installation/installation.md
 create mode 100644 docs/release/scenarios/os-odl_l2-moon-ha/index.rst
 create mode 100644 docs/release/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst
 delete mode 100644 docs/release/userguide/userguide.md
 create mode 100644 docs/release/userguide/userguide.rst
 delete mode 100644 docs/scenarios/os-odl_l2-moon-ha/index.rst
 delete mode 100644 docs/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst
diff --git a/docs/2015-11-03-meeting-repport.rst b/docs/2015-11-03-meeting-repport.rst index b915f785..cf4c46d6 100644 --- a/docs/2015-11-03-meeting-repport.rst 
+++ b/docs/2015-11-03-meeting-repport.rst @@ -50,4 +50,5 @@ attendees * Ashutosh Dutta -* Alioune BA \ No newline at end of file +* Alioune BA + diff --git a/docs/2015-11-03.txt b/docs/2015-11-03.txt index ea18a022..e7d31677 100644 --- a/docs/2015-11-03.txt +++ b/docs/2015-11-03.txt 
@@ -1,190 +1,194 @@ -(13:00:03) MaximeC left the room (quit: Client Quit). -(13:00:22) MaximeC [c1f83226@gateway/web/freenode/ip.193.248.50.38] entered the room. -(13:01:07) heruan: let's wait 5 mins before starting the meeting -(13:01:36) asteroide: ok -(13:01:54) Nir [c074be92@gateway/web/freenode/ip.192.116.190.146] entered the room. -(13:03:13) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. -(13:03:27) heruan: Hi all -(13:03:45) heruan: Jamil will join the meeting later -(13:04:24) heruan: in the chat room, there all the moon team from Orange, except Jamil -(13:04:34) heruan: and Nir from Huawei -(13:04:50) heruan: the ordre of today's meeting is: -(13:05:16) heruan: - present opnfv-moon-core release2 and its main feature -(13:05:16) heruan: - present opnfv-moonclient, a cmd line tool to administrate security -(13:05:16) heruan: - present the DevOps environment for code continue integration -(13:05:16) heruan: - present the progress moon-webview, a graphic interface for security management -(13:05:16) heruan: - discussion about the roadmap: provide a demo next year? integration release C or D? which main features to be integrated? -(13:05:16) heruan: - fix a monthly review meeting to follow its dev and establish an acting plan -(13:05:30) heruan: do all of you agree on the schedule? -(13:05:39) asteroide: yes -(13:06:06) MaximeC: That's ok for me -(13:06:17) Nir: me too -(13:06:59) heruan: #present opnfv-moon-cre release2 -(13:07:08) Jamil [a16a0005@gateway/web/freenode/ip.161.106.0.5] entered the room. -(13:07:33) heruan: we started the second release since the beginning of this year -(13:08:16) heruan: the main idea is to refactor the code in order to conform OpenStack's criteria and build a stable policy engine -(13:08:45) heruan: now the core part has almost finished, we on now on the test stage -(13:09:12) heruan: @asteroide, can you talk a little about the ongoing test? 
-(13:09:18) asteroide: yep -(13:09:36) asteroide: all functionnal tests are OK -(13:09:56) Jamil: What are the main features of this Rel ? -(13:09:59) asteroide: those tests are located in the code of Keystone-moon -(13:10:26) asteroide: and I am testing Moon with moonclient -(13:10:41) asteroide: by adding a test feature inside moonclient -(13:11:19) asteroide: the main feature is the policy engine written in pue python -(13:11:26) asteroide: pure python -(13:11:29) Jamil: waht do you mean by moonclient ? -(13:11:57) heruan: @Jamil, the main features can be found in Jira: https://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESChttps://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESC -(13:12:07) asteroide: moonclient is a console based client used to configure keystone-moon -(13:12:18) asteroide: through moon API -(13:12:29) alioune left the room (quit: Quit: Page closed). -(13:12:44) heruan: yes, moon has 2 interfaces: moonclient (CLI) and moonwebview (GUI) -(13:12:57) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. -(13:13:14) asteroide: here is an example of moonclient usage : "moon tenant list" "moon subject add admin --password nomoresecrete", ... -(13:13:37) asteroide: you can add subject object, action, categories rules and so on -(13:13:48) asteroide: on a particular intraextension -(13:14:03) asteroide: on a "selected" intraextension -(13:14:30) heruan: PI: extension in moon is a security manager to protect one tenant -(13:15:09) heruan: in conclusion, now to moon-core, it only lacks tests? -(13:15:39) heruan: @asteroide? -(13:16:06) asteroide: for me, tests in keystone moon are OK in core -(13:16:14) asteroide: but not through moonclient -(13:16:35) heruan: how much time it needs to finish all the tests? 
-(13:16:45) asteroide: I need to add more test on nova -(13:16:49) asteroide: on swift -(13:17:06) asteroide: and tests with different users (not admin) -(13:17:21) asteroide: all through moonclient -(13:17:34) heruan: yes, the 3 sub-tasks we have listed in Jira -(13:17:39) asteroide: nova tests will be OK at the end of this week -(13:18:17) asteroide: I think that swift and users tests can be done at the end of the next week -(13:18:25) heruan: ok -(13:18:51) heruan: moon core release 2 will be finished in 2 weeks! -(13:19:03) heruan: thank asteroide -(13:19:09) asteroide: :) -(13:19:26) heruan: next topic is about #moonclient -(13:19:37) heruan: since we have already discussed about it -(13:19:56) heruan: my understanding is that moonclient will be finished with moon-core? -(13:20:17) asteroide: yes -(13:20:35) heruan: ok, moonclient will also be finished in 2 weeks!! -(13:20:54) heruan: the 3rd topic is about moonwebview (GUI) -(13:21:01) heruan: @MaximeC? -(13:21:06) MaximeC: Ok, -(13:21:19) Jamil: what are next steps to integrate moon in OPNFV Rel x ? 
-(13:21:41) heruan: this is the 5th topic -(13:21:41) MaximeC: So, basically, MoonWebUI aims at providing a WebUI for Moon -(13:21:58) Jamil: ok -(13:22:06) MaximeC: to manage tenants, intra-extension & inter-etension -(13:22:19) MaximeC: with an Authc based on Keystone -(13:23:04) MaximeC: This interface is still in development as we refactore the code to be client-side, and independant from Horizon -(13:23:24) MaximeC: This is the actual state of the code: -(13:23:43) MaximeC: * Tenants Management is implemented -(13:24:17) MaximeC: * Intra-etension management is in progress (70% of functionality are working) -(13:24:39) MaximeC: * Inter-extension is not yet developped -(13:24:51) MaximeC: * AuthC dev has just begun -(13:24:51) heruan: inter-extension is not included in release 2 -(13:25:18) heruan: i think maxime needs asteroide's help for a server-side django module -(13:25:34) asteroide: ok no problem -(13:25:45) MaximeC: The WebUI is bound to MoonServer through REST API, so -(13:26:21) MaximeC: even if there are major changes in moon server code, as logn as API will remain the same -(13:26:44) MaximeC: no changes will be due in MoonWebview code -(13:27:00) heruan: Maxime, do you have an idea about the delay? -(13:27:35) MaximeC: To my mind, i think dev will last 1 month -(13:27:58) heruan: ok, 4 weeks for the monwebview -(13:28:00) asteroide: is there a plan to add a link to the log API inside the web client ? -(13:28:14) heruan: not in release 2 -(13:28:28) asteroide: ok -(13:28:50) heruan: the 4th topic is about the dev environment -(13:29:57) heruan: @Nir, it's not so easy to install the whole dev env, so if someone in your team wants, ask him to directly contact us -(13:30:22) heruan: we will try to remotely install all modules for him -(13:31:13) heruan: we switch to the 5th topic -(13:31:28) heruan: moon's roadmap -(13:31:41) Nir: ok, i will inform them -(13:31:46) heruan: @Jamil @Nir, what's your opinion? 
-(13:32:19) Jamil: its good to have moon in Rel C -(13:32:56) heruan: this depends on @alioune's work on OpenDaylight integration -(13:33:22) Nir: agree, what are we missing to put it into Rel C? -(13:33:56) heruan: we'd like to implement the identity federation use case through moon -(13:34:15) Jamil: my undestanding integration with ODL ID -(13:34:33) heruan: this means that moon at the same time, synchronizes and manages OpenStack's users and OpenDaylight's users -(13:34:54) heruan: to demonstrate that moon is a unified security manager -(13:35:05) Jamil: yes -(13:35:09) heruan: @alioune works on the ODL integration -(13:35:20) heruan: @aliounce, what's your progress? -(13:35:57) heruan: he's maybe offlne -(13:36:34) heruan: my understanding is that the integration will be difficulte to finished for the beginning of 2016 -(13:36:44) Jamil: do we need any support from ODL project ? -(13:36:57) heruan: yes, of cause -(13:37:11) heruan: if we can get some supplementary helps -(13:37:17) Jamil: Rel C will be in Sept 2016 -(13:37:41) heruan: but we should provide a demo at the begining of 2016 -(13:37:46) Jamil: yes I can ask a support -(13:37:51) Nir: I can check if we have someone in Huawei that can help -(13:38:04) heruan: that's great!! -(13:38:07) Nir: Do we have a target date for the demo -(13:38:08) Nir: ? -(13:38:44) heruan: let's fix the date to 15th Jan 2016 -(13:39:36) Nir: OK, I will check internally and update. -(13:39:41) alioune: hi all, currently I am analysing ODL architecture and main used frameworks in the controller -(13:39:43) heruan: thanks -(13:40:28) heruan: so, the roadmap of moon is to push its code to Release C -(13:40:38) Jamil: Jan 2016 will be one month before Rel B -(13:40:52) heruan: we prepare the demo for Jan 2016 -(13:41:15) Jamil: I think Rel c will be discussed in March 2016 -(13:41:33) asteroide: the demo will be on release 2 of Moon or release 3 ? 
-(13:41:52) heruan: ok, in this case we will have more time -(13:42:04) heruan: the demo will be based on Moon release 2 -(13:42:13) Jamil: for OPNFV, the first integrated code for moon will be the Rel1 for moon -(13:42:13) asteroide: ok -(13:42:45) heruan: release 2 will be ready, son we can directly contribute with release 2 -(13:43:20) heruan: the second sub-topic is about next week's OPNFV summit -(13:43:37) heruan: Jamil will chair a dedicated session on Moon -(13:43:58) heruan: Nir, maybe you can help Jamil for the session? -(13:44:07) Jamil: ODL will be integrated in moon Rel 3 ? -(13:44:13) Nir: I will participate in a security panel presenting Moon in the first day -(13:44:34) Nir: and i have a session about the moon in the theater at teh second day as well -(13:44:41) Nir: :-) -(13:44:46) heruan: great!! -(13:45:11) heruan: @Jamil, ODL doesn't touch Moon-core -(13:45:20) Nir: Unless you think otherwise i recommend to keep all of them so we can reach as many people and increase the community -(13:45:39) Nir: altough we may have some overlap -(13:45:54) heruan: the ecosystem for moon will be important -(13:46:14) heruan: all contributors and commiters will be welcome -(13:46:27) Nir: I am also planning to present moon to TI and Telefonica hoping to get them on board -(13:46:34) asteroide: and all beta-testers also ;) -(13:46:40) Nir: agree :-) -(13:47:11) heruan: we will provide a public testbed of Moon by Descember 2015 -(13:47:35) heruan: based on moon-core release 2 -(13:47:42) Nir: as for our suggestions for Rel 3 I asked my team to analyze Rel 2 and update the offer we have presented on our last meeting -(13:48:10) Jamil: moon session will be Thursday November 12, 2015 12:10pm - 12:30pm -(13:48:25) heruan: yes, some of the issues you mentioned have been already implemented -(13:49:00) heruan: @Jamil, can you annonce Moon's roadmap of OPNFV releaseC integration during your session? 
-(13:49:29) Jamil: yes It will do -(13:49:58) heruan: ok, i think we finished the fifth topic -(13:49:58) Jamil: I will do -(13:50:19) heruan: last one, I propose to have a monthly moon meeting -(13:50:38) heruan: the last wensday of each month -(13:50:51) heruan: it's ok for everyone? -(13:50:52) Nir: agree -(13:50:56) Jamil: ok -(13:51:01) asteroide: agree -(13:51:02) Jamil: same time ? -(13:51:13) MaximeC: Ok for me -(13:51:32) heruan: at 14h CEST? on hour later -(13:51:38) alioune: ok -(13:52:12) asteroide: ok for 14h CEST -(13:52:30) heruan: @Nir? -(13:52:37) Nir: ok with me -(13:52:41) heruan: ok -(13:52:50) heruan: we finished all the topics -(13:53:03) heruan: do you have anything else to discuss? -(13:53:47) asteroide: nothing to add -(13:54:00) Nir: not on my side. -(13:54:03) heruan: if you don't have anything else, we close today's meeting -(13:54:26) Jamil: have a nice day -(13:54:28) Nir: thanks, and gooddbye everyone -(13:54:34) asteroide: bye! -(13:54:39) heruan: I'll update the meeting report to moon's workspace -(13:54:41) Nir left the room (quit: Quit: Page closed). -(13:54:50) Jamil left the room (quit: Quit: Page closed). -(13:55:03) MaximeC left the room. -(13:55:09) asteroide left the room (quit: Quit: Page closed). \ No newline at end of file +2015-11-03 +========== + + (13:00:03) MaximeC left the room (quit: Client Quit). + (13:00:22) MaximeC [c1f83226@gateway/web/freenode/ip.193.248.50.38] entered the room. + (13:01:07) heruan: let's wait 5 mins before starting the meeting + (13:01:36) asteroide: ok + (13:01:54) Nir [c074be92@gateway/web/freenode/ip.192.116.190.146] entered the room. + (13:03:13) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. 
+ (13:03:27) heruan: Hi all + (13:03:45) heruan: Jamil will join the meeting later + (13:04:24) heruan: in the chat room, there all the moon team from Orange, except Jamil + (13:04:34) heruan: and Nir from Huawei + (13:04:50) heruan: the ordre of today's meeting is: + (13:05:16) heruan: - present opnfv-moon-core release2 and its main feature + (13:05:16) heruan: - present opnfv-moonclient, a cmd line tool to administrate security + (13:05:16) heruan: - present the DevOps environment for code continue integration + (13:05:16) heruan: - present the progress moon-webview, a graphic interface for security management + (13:05:16) heruan: - discussion about the roadmap: provide a demo next year? integration release C or D? which main features to be integrated? + (13:05:16) heruan: - fix a monthly review meeting to follow its dev and establish an acting plan + (13:05:30) heruan: do all of you agree on the schedule? + (13:05:39) asteroide: yes + (13:06:06) MaximeC: That's ok for me + (13:06:17) Nir: me too + (13:06:59) heruan: #present opnfv-moon-cre release2 + (13:07:08) Jamil [a16a0005@gateway/web/freenode/ip.161.106.0.5] entered the room. + (13:07:33) heruan: we started the second release since the beginning of this year + (13:08:16) heruan: the main idea is to refactor the code in order to conform OpenStack's criteria and build a stable policy engine + (13:08:45) heruan: now the core part has almost finished, we on now on the test stage + (13:09:12) heruan: @asteroide, can you talk a little about the ongoing test? + (13:09:18) asteroide: yep + (13:09:36) asteroide: all functionnal tests are OK + (13:09:56) Jamil: What are the main features of this Rel ? 
+ (13:09:59) asteroide: those tests are located in the code of Keystone-moon + (13:10:26) asteroide: and I am testing Moon with moonclient + (13:10:41) asteroide: by adding a test feature inside moonclient + (13:11:19) asteroide: the main feature is the policy engine written in pue python + (13:11:26) asteroide: pure python + (13:11:29) Jamil: waht do you mean by moonclient ? + (13:11:57) heruan: @Jamil, the main features can be found in Jira: https://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESChttps://jira.opnfv.org/browse/MOON-2?jql=project%20%3D%20MOON%20AND%20resolution%20%3D%20Unresolved%20AND%20issuetype%20%3D%20Task%20ORDER%20BY%20priority%20DESC + (13:12:07) asteroide: moonclient is a console based client used to configure keystone-moon + (13:12:18) asteroide: through moon API + (13:12:29) alioune left the room (quit: Quit: Page closed). + (13:12:44) heruan: yes, moon has 2 interfaces: moonclient (CLI) and moonwebview (GUI) + (13:12:57) alioune [c202ca51@gateway/web/freenode/ip.194.2.202.81] entered the room. + (13:13:14) asteroide: here is an example of moonclient usage : "moon tenant list" "moon subject add admin --password nomoresecrete", ... + (13:13:37) asteroide: you can add subject object, action, categories rules and so on + (13:13:48) asteroide: on a particular intraextension + (13:14:03) asteroide: on a "selected" intraextension + (13:14:30) heruan: PI: extension in moon is a security manager to protect one tenant + (13:15:09) heruan: in conclusion, now to moon-core, it only lacks tests? + (13:15:39) heruan: @asteroide? + (13:16:06) asteroide: for me, tests in keystone moon are OK in core + (13:16:14) asteroide: but not through moonclient + (13:16:35) heruan: how much time it needs to finish all the tests? 
+ (13:16:45) asteroide: I need to add more test on nova + (13:16:49) asteroide: on swift + (13:17:06) asteroide: and tests with different users (not admin) + (13:17:21) asteroide: all through moonclient + (13:17:34) heruan: yes, the 3 sub-tasks we have listed in Jira + (13:17:39) asteroide: nova tests will be OK at the end of this week + (13:18:17) asteroide: I think that swift and users tests can be done at the end of the next week + (13:18:25) heruan: ok + (13:18:51) heruan: moon core release 2 will be finished in 2 weeks! + (13:19:03) heruan: thank asteroide + (13:19:09) asteroide: :) + (13:19:26) heruan: next topic is about #moonclient + (13:19:37) heruan: since we have already discussed about it + (13:19:56) heruan: my understanding is that moonclient will be finished with moon-core? + (13:20:17) asteroide: yes + (13:20:35) heruan: ok, moonclient will also be finished in 2 weeks!! + (13:20:54) heruan: the 3rd topic is about moonwebview (GUI) + (13:21:01) heruan: @MaximeC? + (13:21:06) MaximeC: Ok, + (13:21:19) Jamil: what are next steps to integrate moon in OPNFV Rel x ? 
+ (13:21:41) heruan: this is the 5th topic + (13:21:41) MaximeC: So, basically, MoonWebUI aims at providing a WebUI for Moon + (13:21:58) Jamil: ok + (13:22:06) MaximeC: to manage tenants, intra-extension & inter-etension + (13:22:19) MaximeC: with an Authc based on Keystone + (13:23:04) MaximeC: This interface is still in development as we refactore the code to be client-side, and independant from Horizon + (13:23:24) MaximeC: This is the actual state of the code: + (13:23:43) MaximeC: * Tenants Management is implemented + (13:24:17) MaximeC: * Intra-etension management is in progress (70% of functionality are working) + (13:24:39) MaximeC: * Inter-extension is not yet developped + (13:24:51) MaximeC: * AuthC dev has just begun + (13:24:51) heruan: inter-extension is not included in release 2 + (13:25:18) heruan: i think maxime needs asteroide's help for a server-side django module + (13:25:34) asteroide: ok no problem + (13:25:45) MaximeC: The WebUI is bound to MoonServer through REST API, so + (13:26:21) MaximeC: even if there are major changes in moon server code, as logn as API will remain the same + (13:26:44) MaximeC: no changes will be due in MoonWebview code + (13:27:00) heruan: Maxime, do you have an idea about the delay? + (13:27:35) MaximeC: To my mind, i think dev will last 1 month + (13:27:58) heruan: ok, 4 weeks for the monwebview + (13:28:00) asteroide: is there a plan to add a link to the log API inside the web client ? + (13:28:14) heruan: not in release 2 + (13:28:28) asteroide: ok + (13:28:50) heruan: the 4th topic is about the dev environment + (13:29:57) heruan: @Nir, it's not so easy to install the whole dev env, so if someone in your team wants, ask him to directly contact us + (13:30:22) heruan: we will try to remotely install all modules for him + (13:31:13) heruan: we switch to the 5th topic + (13:31:28) heruan: moon's roadmap + (13:31:41) Nir: ok, i will inform them + (13:31:46) heruan: @Jamil @Nir, what's your opinion? 
+ (13:32:19) Jamil: its good to have moon in Rel C + (13:32:56) heruan: this depends on @alioune's work on OpenDaylight integration + (13:33:22) Nir: agree, what are we missing to put it into Rel C? + (13:33:56) heruan: we'd like to implement the identity federation use case through moon + (13:34:15) Jamil: my undestanding integration with ODL ID + (13:34:33) heruan: this means that moon at the same time, synchronizes and manages OpenStack's users and OpenDaylight's users + (13:34:54) heruan: to demonstrate that moon is a unified security manager + (13:35:05) Jamil: yes + (13:35:09) heruan: @alioune works on the ODL integration + (13:35:20) heruan: @aliounce, what's your progress? + (13:35:57) heruan: he's maybe offlne + (13:36:34) heruan: my understanding is that the integration will be difficulte to finished for the beginning of 2016 + (13:36:44) Jamil: do we need any support from ODL project ? + (13:36:57) heruan: yes, of cause + (13:37:11) heruan: if we can get some supplementary helps + (13:37:17) Jamil: Rel C will be in Sept 2016 + (13:37:41) heruan: but we should provide a demo at the begining of 2016 + (13:37:46) Jamil: yes I can ask a support + (13:37:51) Nir: I can check if we have someone in Huawei that can help + (13:38:04) heruan: that's great!! + (13:38:07) Nir: Do we have a target date for the demo + (13:38:08) Nir: ? + (13:38:44) heruan: let's fix the date to 15th Jan 2016 + (13:39:36) Nir: OK, I will check internally and update. + (13:39:41) alioune: hi all, currently I am analysing ODL architecture and main used frameworks in the controller + (13:39:43) heruan: thanks + (13:40:28) heruan: so, the roadmap of moon is to push its code to Release C + (13:40:38) Jamil: Jan 2016 will be one month before Rel B + (13:40:52) heruan: we prepare the demo for Jan 2016 + (13:41:15) Jamil: I think Rel c will be discussed in March 2016 + (13:41:33) asteroide: the demo will be on release 2 of Moon or release 3 ? 
+ (13:41:52) heruan: ok, in this case we will have more time + (13:42:04) heruan: the demo will be based on Moon release 2 + (13:42:13) Jamil: for OPNFV, the first integrated code for moon will be the Rel1 for moon + (13:42:13) asteroide: ok + (13:42:45) heruan: release 2 will be ready, son we can directly contribute with release 2 + (13:43:20) heruan: the second sub-topic is about next week's OPNFV summit + (13:43:37) heruan: Jamil will chair a dedicated session on Moon + (13:43:58) heruan: Nir, maybe you can help Jamil for the session? + (13:44:07) Jamil: ODL will be integrated in moon Rel 3 ? + (13:44:13) Nir: I will participate in a security panel presenting Moon in the first day + (13:44:34) Nir: and i have a session about the moon in the theater at teh second day as well + (13:44:41) Nir: :-) + (13:44:46) heruan: great!! + (13:45:11) heruan: @Jamil, ODL doesn't touch Moon-core + (13:45:20) Nir: Unless you think otherwise i recommend to keep all of them so we can reach as many people and increase the community + (13:45:39) Nir: altough we may have some overlap + (13:45:54) heruan: the ecosystem for moon will be important + (13:46:14) heruan: all contributors and commiters will be welcome + (13:46:27) Nir: I am also planning to present moon to TI and Telefonica hoping to get them on board + (13:46:34) asteroide: and all beta-testers also ;) + (13:46:40) Nir: agree :-) + (13:47:11) heruan: we will provide a public testbed of Moon by Descember 2015 + (13:47:35) heruan: based on moon-core release 2 + (13:47:42) Nir: as for our suggestions for Rel 3 I asked my team to analyze Rel 2 and update the offer we have presented on our last meeting + (13:48:10) Jamil: moon session will be Thursday November 12, 2015 12:10pm - 12:30pm + (13:48:25) heruan: yes, some of the issues you mentioned have been already implemented + (13:49:00) heruan: @Jamil, can you annonce Moon's roadmap of OPNFV releaseC integration during your session? 
+ (13:49:29) Jamil: yes It will do + (13:49:58) heruan: ok, i think we finished the fifth topic + (13:49:58) Jamil: I will do + (13:50:19) heruan: last one, I propose to have a monthly moon meeting + (13:50:38) heruan: the last wensday of each month + (13:50:51) heruan: it's ok for everyone? + (13:50:52) Nir: agree + (13:50:56) Jamil: ok + (13:51:01) asteroide: agree + (13:51:02) Jamil: same time ? + (13:51:13) MaximeC: Ok for me + (13:51:32) heruan: at 14h CEST? on hour later + (13:51:38) alioune: ok + (13:52:12) asteroide: ok for 14h CEST + (13:52:30) heruan: @Nir? + (13:52:37) Nir: ok with me + (13:52:41) heruan: ok + (13:52:50) heruan: we finished all the topics + (13:53:03) heruan: do you have anything else to discuss? + (13:53:47) asteroide: nothing to add + (13:54:00) Nir: not on my side. + (13:54:03) heruan: if you don't have anything else, we close today's meeting + (13:54:26) Jamil: have a nice day + (13:54:28) Nir: thanks, and gooddbye everyone + (13:54:34) asteroide: bye! + (13:54:39) heruan: I'll update the meeting report to moon's workspace + (13:54:41) Nir left the room (quit: Quit: Page closed). + (13:54:50) Jamil left the room (quit: Quit: Page closed). + (13:55:03) MaximeC left the room. + (13:55:09) asteroide left the room (quit: Quit: Page closed). + diff --git a/docs/platformoverview/index.rst b/docs/platformoverview/index.rst index 4c942e0b..7ea5d483 100644 --- a/docs/platformoverview/index.rst +++ b/docs/platformoverview/index.rst @@ -149,4 +149,5 @@ See: [OPNFV-MOON] Revision: _sha1_ -Build date: |today| \ No newline at end of file +Build date: |today| + diff --git a/docs/release/configguide/index.rst b/docs/release/configguide/index.rst new file mode 100644 index 00000000..329a7231 --- /dev/null +++ b/docs/release/configguide/index.rst 
@@ -0,0 +1,22 @@ +.. _moon-configguide: + +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ruan.he@orange.com & thomas.duval@orange.com + + +*********************************************** +Moon installation and configuration instruction +*********************************************** + +.. toctree:: + :numbered: + :maxdepth: 2 + + feature.configuration.rst + + + + + + diff --git a/docs/release/configguide/installation.rst b/docs/release/configguide/installation.rst new file mode 100644 index 00000000..e37193b3 --- /dev/null +++ b/docs/release/configguide/installation.rst 
@@ -0,0 +1,156 @@ +Build Python Packages and Docker Images +======================================= + +Python Package +-------------- + +pre-requist +~~~~~~~~~~~ + +Get the code + + git clone https://git.opnfv.org/moon + cd moon/moonv4 + export MOON_HOME=$(pwd) + sudo ln -s $(pwd)/conf /etc/moon + + +Install python wheel + + sudo apt install python3-wheel + +Install pip twine + + sudo pip install twine + +Package code, wheel is a new format instead of `tar.gz` + + python setup.py sdist bdist_wheel + +Upload to PyPi + + twine upload dist/moon_xxx-y.y.y.whl + twine upload dist/moon_xxx-y.y.y.tar.gz + +Install a package from PyPi + + sudo pypi install moon_xxx --upgrade + +moon_db +~~~~~~~ + +- change version in `moon_db/__init__.py` +- add `Changelog` + +moon_utilities +~~~~~~~~~~~~~~ + +- change version in `moon_utilities/__init__.py` +- add `Changelog` + +moon_orchestrator +~~~~~~~~~~~~~~~~~ + +- change version in `moon_orchestrator/__init__.py` +- add `Changelog` + + +Build All Pip +~~~~~~~~~~~~~ + + sudo pip3 install pip --upgrade + cd ${MOON_HOME}/bin + source build_all_pip.sh + +Container +--------- + +keystone_mitaka +~~~~~~~~~~~~~~~ + +see `templates/docker/keystone/README.md` to build the `keystone_mitaka` container + + +How to hack the Moon platform +----------------------------- + +Force the build of components +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +If you want to rebuild one or more component, you have to modify the configuration file `moon.conf`. + +For example, if you want to rebuild the moon_interface, got to the `[interface]` section and delete the +value of the container key like this: + + [interface] + host=172.18.0.11 + port=38001 + # Name of the container to download (if empty build from scratch) + # example: container=moon/moon_interface:latest + container= + +You can configure the interface, the router and both the security_function and security_policy. 
+You can also force the version of the component like this: `container=moon/moon_interface:4.0.0` + +Update the moon_interface +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to the directory `${MOON_HOME}/moon_interface` and update the code accordingly to your needs, +then update the python package. + + cd ${MOON_HOME}/moon_interface + python setup.py sdist + cp dist/moon_interface_* ../moon_orchestrator/dist + # kill moon_orchestrator if needed and restart it + +Update the moon_secrouter +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Go to the directory `${MOON_HOME}/moon_secrouter` and update the code accordingly to your needs, +then update the python package. + + cd ${MOON_HOME}/moon_secrouter + python setup.py sdist + cp dist/moon_secrouter* ../moon_orchestrator/dist + # kill moon_orchestrator if needed and restart it + +Problems that may arise +----------------------- + +If the moon_orchestrator doesn't want to start +(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`), +check if the router and interface containers still exist and kill and delete them: + + docker kill moon_interface + docker kill moon_router + docker rm moon_interface + docker rm moon_router + +If the moon_orchestrator complains that it cannot request the RabbitMQ server, +check if the messenger server is up and running: + + docker ps + # you must see the messenger running here + # if not, restart it + docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger \ + -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger \ + -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management + +Configure DB +------------ + +Relaunch Keystone docker +~~~~~~~~~~~~~~~~~~~~~~~~ + +If error of `get_keystone_projects()`, then relaunch the Keystone docker, and wait 40 seconds!!! 
+ + docker rm -f keystone + docker run -dti --net moon --name keystone --hostname=keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 keystone:mitaka + +Add default data in DB +~~~~~~~~~~~~~~~~~~~~~~ + +Pre-fill the DB with a RBAC policy + + cd ${MOON_HOME}/moon_interface/tests/apitests + python3 populate_default_values.py scenario/ rbac.py diff --git a/docs/release/installation/index.rst b/docs/release/installation/index.rst deleted file mode 100644 index 1311b248..00000000 --- a/docs/release/installation/index.rst +++ /dev/null @@ -1,20 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ruan.he@orange.com & thomas.duval@orange.com - - -*********************************************** -Moon installation and configuration instruction -*********************************************** - -.. toctree:: - :numbered: - :maxdepth: 2 - - feature.configuration.rst - - - - - - diff --git a/docs/release/installation/installation.md b/docs/release/installation/installation.md deleted file mode 100644 index 70bcc4fc..00000000 --- a/docs/release/installation/installation.md +++ /dev/null 
@@ -1,160 +0,0 @@ -# Build Python Packages and Docker Images - -## Python Package -### pre-requist -Get the code -```bash -git clone https://git.opnfv.org/moon -cd moon/moonv4 -export MOON_HOME=$(pwd) -sudo ln -s $(pwd)/conf /etc/moon -``` - -Install python wheel -```bash -sudo apt install python3-wheel -``` - -Install pip twine -```bash -sudo pip install twine -``` - -Package code, wheel is a new format instead of `tar.gz` -```bash -python setup.py sdist bdist_wheel -``` - -Upload to PyPi -```bash -twine upload dist/moon_xxx-y.y.y.whl -twine upload dist/moon_xxx-y.y.y.tar.gz -``` - -Install a package from PyPi -```bash -sudo pypi install moon_xxx --upgrade -``` - -### moon_db -- change version in `moon_db/__init__.py` -- add `Changelog` - -### moon_utilities -- change version in `moon_utilities/__init__.py` -- add `Changelog` - -### moon_orchestrator -- change version in `moon_orchestrator/__init__.py` -- add `Changelog` - - -### Build All Pip -```bash -sudo pip3 install pip --upgrade -cd ${MOON_HOME}/bin -source build_all_pip.sh -``` - - -## Container -## keystone_mitaka -see `templates/docker/keystone/README.md` to build the `keystone_mitaka` container - - -### moon_router - - -### moon_interface - - -### moon_manager - - -### moon_authz - - -### moon_gui - - -## How to hack the Moon platform -### Force the build of components - -If you want to rebuild one or more component, you have to modify the configuration file `moon.conf`. - -For example, if you want to rebuild the moon_interface, got to the `[interface]` section and delete the -value of the container key like this: - -``` -[interface] -host=172.18.0.11 -port=38001 -# Name of the container to download (if empty build from scratch) -# example: container=moon/moon_interface:latest -container= -``` - -You can configure the interface, the router and both the security_function and security_policy. 
-You can also force the version of the component like this: `container=moon/moon_interface:4.0.0` - -### Update the moon_interface - -Go to the directory `${MOON_HOME}/moon_interface` and update the code accordingly to your needs, -then update the python package. - -```bash -cd ${MOON_HOME}/moon_interface -python setup.py sdist -cp dist/moon_interface_* ../moon_orchestrator/dist -# kill moon_orchestrator if needed and restart it -``` - -### Update the moon_secrouter - -Go to the directory `${MOON_HOME}/moon_secrouter` and update the code accordingly to your needs, -then update the python package. - -```bash -cd ${MOON_HOME}/moon_secrouter -python setup.py sdist -cp dist/moon_secrouter* ../moon_orchestrator/dist -# kill moon_orchestrator if needed and restart it -``` - -## Problems that may arise - -If the moon_orchestrator doesn't want to start -(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`), -check if the router and interface containers still exist and kill and delete them: - -```bash -docker kill moon_interface -docker kill moon_router -docker rm moon_interface -docker rm moon_router -``` - -If the moon_orchestrator complains that it cannot request the RabbitMQ server, -check if the messenger server is up and running: - -```bash -docker ps -# you must see the messenger running here -# if not, restart it -docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management -``` - -## Configure DB -### Relaunch Keystone docker -If error of `get_keystone_projects()`, then relaunch the Keystone docker, and wait 40 seconds!!! 
-```bash -docker rm -f keystone -docker run -dti --net moon --name keystone --hostname=keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 keystone:mitaka -``` - -### Add default data in DB -Pre-fill the DB with a RBAC policy -```bash -cd ${MOON_HOME}/moon_interface/tests/apitests -python3 populate_default_values.py scenario/ rbac.py -``` diff --git a/docs/release/release-notes/index.rst b/docs/release/release-notes/index.rst index 83291051..4d5e869a 100644 --- a/docs/release/release-notes/index.rst +++ b/docs/release/release-notes/index.rst @@ -1,3 +1,9 @@ +.. _moon-releasenotes: + +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ruan.he@orange.com & thomas.duval@orange.com + ****************** Moon Release Notes ****************** @@ -12,4 +18,4 @@ Revision: _sha1_ :Author: Ruan He (ruan.he@orange.com) -Build date: |today| \ No newline at end of file +Build date: |today| diff --git a/docs/release/release-notes/release-notes.rst b/docs/release/release-notes/release-notes.rst index a14a6ed7..4823c8a4 100644 --- a/docs/release/release-notes/release-notes.rst +++ b/docs/release/release-notes/release-notes.rst @@ -86,4 +86,5 @@ References For more information on the Moon Colorado release, please see: -https://wiki.opnfv.org/display/moon/ \ No newline at end of file +https://wiki.opnfv.org/display/moon/ + diff --git a/docs/release/scenarios/os-odl_l2-moon-ha/index.rst b/docs/release/scenarios/os-odl_l2-moon-ha/index.rst new file mode 100644 index 00000000..ba990850 --- /dev/null +++ b/docs/release/scenarios/os-odl_l2-moon-ha/index.rst 
@@ -0,0 +1,16 @@ +.. _os-odl_l2-moon-ha: + +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ruan.he@orange.com & thomas.duval@orange.com + + +****************************************** +os-odl_l2-moon-ha Overview and Description +****************************************** + +.. toctree:: + :numbered: + :maxdepth: 2 + + os-odl_l2-moon-ha.rst diff --git a/docs/release/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst b/docs/release/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst new file mode 100644 index 00000000..11c0eee7 --- /dev/null +++ b/docs/release/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst 
@@ -0,0 +1,101 @@ +.. This work is licensed under a Creative Commons Attribution 4.0 International License. +.. http://creativecommons.org/licenses/by/4.0 +.. (c) ruan.he@orange.com & thomas.duval@orange.com + + +Introduction +============ + +This guide presents the use of the Moon platform. +The MoonClient script allows the administrator/user to drive the Moon platform and +some parts of the Keystone server itself. + +Scenario components and composition +=================================== + +###Functional architecture +Moon can be considered as a management layer over OpenStack. +We can dynamically create security modules in Moon and assign these modules to protect different +tenants in OpenStack. +![](../img/moon_infra.png) + +###Policy engine +The core part of the security management layer is its policy engine. +The policy engine should be at same time generic to support a large set of security models +used by consumers and robust so that all the manipulations on the policy engine need to be proved correct. +For all these purposes, we designed EMTAC (Extensible Multi-tenancy Access Control) meta-model, +which defines policy specification, policy administration, inter-policy collaboration and administration +over this collaboration. +![](../img/policy_engine.png) + +###User-centric +At the same time, Moon enables administrators or a third-party application to define, configure and manage +its policies. Such a user-centric aspect helps users to define their own manner in using +OpenStack’s resources. + +###Authorization enforcement in OpenStack +As the first step, the security policy in Moon is enforced by authorization mechanism in Keystone and Nova +and Swift. +All the operations in Keystone and Nova and Swift are controlled and validated by Moon. +In OpenStack, we implemented 3 hooks respectively for Keystone and Nova and Swift, the hooks will +redirect all authorization requests to Moon and return decision from Moon. 
+ +###Log System +Traceability and accountability are also handled in Moon, all the operations and interactions +are logged and can be consulted for any purpose. + +###Separation of management layer from OpenStack +The separation of management layer from OpenStack makes the management system totally +independent from OpenStack. We can install Moon in client’s local so that Moon can be +locally administrated by clients and remotely project their data which are hosted in +Cloud Service Provider’s datacenter. + +Scenario usage overview +======================= + +The Moon platform is built on the OpenStack Keystone component. While Keystone manages the identification +and the authentication process, Moon manages the authorisation process for all actions that comes through it. +The current version of Moon can only manage a subset of actions: actions from Nova and Swift. +For example, when a user wanted to stop a virtual machine with Nova, the authorisation for that action of stopping +is delegated through KeystoneMiddleware to the Moon platform. + +The MoonClient script helps administrators to configure the Moon platform and the authorisation rules. +It can be used like the OpenStack client with the same environment variables. + +Each OpenStack project (or tenant) car be mapped to an intra-extension. +That intra-extension will contain the configuration for the authorisation process for that tenant. +Each intra-extension is configured with subjects, objects and actions. A subject makes an action on an object. +Those elements can be placed into categories, for example a subject can have a value on the role category. +Those values are saved into the scope element. +For example, the subject (which is also called user) "admin" can have the role "admin" and "dev" on the project "admin". +The same mapping applies to the object and the action element. +For example, the action "stop a VM" can be place in a particular category "access" with the scope "write". 
+The action "stop a VM" is considered as the user has a write access to the VM. + +In order to grant or not an action in the system, Moon uses rules built with the scope values. +If we consider that a rule is constituted with a role for the subject category, +an ID and a security level for the object category and an access value for the action category, we can built rules +with values like the following ones: + +- admin, id1, level_high, write +- admin, id1, level_low, read +- dev, id2, level_high, read + +All configuration can be done with the MoonClient script. +If a project is not mapped to a intra-extension, it can be used as if the Moon platform doesn't exist. + +Limitations, Issues and Workarounds +=================================== + +The Moon platform can only be used to authorize Nova and Swift actions. In future releases, it could manage +more OpenStack components like Neutron, Glance, ... + +References +========== + +For more information on the OPNFV Colorado release, please visit +http://www.opnfv.org/colorado + +Revision: _sha1_ + +Build date: |today| diff --git a/docs/release/userguide/index.rst b/docs/release/userguide/index.rst index 501a5ef5..aa568017 100644 --- a/docs/release/userguide/index.rst +++ b/docs/release/userguide/index.rst @@ -1,3 +1,5 @@ +.. _moon-userguide: + .. This work is licensed under a Creative Commons Attribution 4.0 International License. .. http://creativecommons.org/licenses/by/4.0 .. (c) ruan.he@orange.com & thomas.duval@orange.com diff --git a/docs/release/userguide/userguide.md b/docs/release/userguide/userguide.md deleted file mode 100644 index 6c65320c..00000000 --- a/docs/release/userguide/userguide.md +++ /dev/null 
@@ -1,114 +0,0 @@ -# Moon Version 4 - -This directory contains all the modules for MoonV4 - - -## Installation -### Prerequisite -```bash -sudo apt install python3-dev python3-pip -sudo pip3 install pip --upgrade -sudo apt -y install docker-engine # ([Get Docker](https://docs.docker.com/engine/installation/)) -echo 127.0.0.1 messenger db keystone interface manager | sudo tee -a /etc/hosts -``` - - -### Docker Engine Configuration -```bash -cat </dev/null -docker container rm -f messenger db keystone consul 2>/dev/null -``` - - -### Internal Network Creation -Create an internal Docker network called `moon` -```bash -docker network create -d bridge --subnet=172.88.88.0/16 --gateway=172.88.88.1 moon -``` - -### Install Moon_DB -Install the moon_db library -```bash -sudo pip3 install moon_db -``` - -## Starting containers manually - -### MySql -Run the standard `MySql` container in the `moon` network and configure it -```bash -docker container run -dti --net=moon --hostname db --name db -e MYSQL_ROOT_PASSWORD=p4sswOrd1 -e MYSQL_DATABASE=moon -e MYSQL_USER=moon -e MYSQL_PASSWORD=p4sswOrd1 -p 3306:3306 mysql:latest -moon_db_manager upgrade -``` - -### moon_keystone -Run the `keystone` container (created by the `Moon` project) in the `moon` network -```bash -docker container run -dti --net moon --hostname keystone --name keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 wukongsun/moon_keystone:ocata -``` - -### Consul -Run the standard `Consul` container in the `moon` network -```bash -docker run -d --net=moon --name=consul --hostname=consul -p 8500:8500 consul -``` - -### Moon platform - -```bash -docker container run -dti --net moon --hostname manager --name manager wukongsun/moon_manager:v4.1 -docker container run -dti --net moon --hostname interface --name interface wukongsun/moon_interface:v4.1 -``` - -## Starting containers automatically - -To start the `Moon` framework, you only have to run the `bootstrap` script -```bash -python3 
bin/bootstrap.py -``` -The script will ask you to start one or more Moon containers - -### Tests -```bash -sudo pip3 install pytest -cd tests -pytest -``` - -### Run scenario -```bash -sudo pip3 install requests -cd tests -python3 populate_default_values.py -v scenario/rbac.py -python3 send_authz.py -v scenario/rbac.py -``` - - - -## Log -### Get some logs -```bash -docker container ps -docker logs db -docker logs messenger -docker logs keystone -docker logs router -docker logs manager -docker logs interface -``` diff --git a/docs/release/userguide/userguide.rst b/docs/release/userguide/userguide.rst new file mode 100644 index 00000000..dee626c8 --- /dev/null +++ b/docs/release/userguide/userguide.rst 
@@ -0,0 +1,124 @@ +Moon Version 4 +============== + +This directory contains all the modules for MoonV4 + +Installation +------------ + +Prerequisite +~~~~~~~~~~~~ + + sudo apt install python3-dev python3-pip + sudo pip3 install pip --upgrade + sudo apt -y install docker-engine # ([Get Docker](https://docs.docker.com/engine/installation/)) + echo 127.0.0.1 messenger db keystone interface manager | sudo tee -a /etc/hosts + +Docker Engine Configuration +~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + cat </dev/null + docker container rm -f messenger db keystone consul 2>/dev/null + + +Internal Network Creation +~~~~~~~~~~~~~~~~~~~~~~~~~ + +Create an internal Docker network called `moon` + + docker network create -d bridge --subnet=172.88.88.0/16 --gateway=172.88.88.1 moon + +Install Moon_DB +--------------- + +Install the moon_db library + + sudo pip3 install moon_db + +Starting containers manually +---------------------------- + +MySql +~~~~~ + +Run the standard `MySql` container in the `moon` network and configure it + + docker container run -dti --net=moon --hostname db --name db -e MYSQL_ROOT_PASSWORD=p4sswOrd1 -e MYSQL_DATABASE=moon -e MYSQL_USER=moon -e MYSQL_PASSWORD=p4sswOrd1 -p 3306:3306 mysql:latest + moon_db_manager upgrade + +moon_keystone +~~~~~~~~~~~~~ + +Run the `keystone` container (created by the `Moon` project) in the `moon` network + + docker container run -dti --net moon --hostname keystone --name keystone -e DB_HOST=db -e DB_PASSWORD_ROOT=p4sswOrd1 -p 35357:35357 -p 5000:5000 wukongsun/moon_keystone:ocata + +Consul +~~~~~~ + +Run the standard `Consul` container in the `moon` network + + docker run -d --net=moon --name=consul --hostname=consul -p 8500:8500 consul + +Moon platform +~~~~~~~~~~~~~ + + docker container run -dti --net moon --hostname manager --name manager wukongsun/moon_manager:v4.1 + docker container run -dti --net moon --hostname interface --name interface wukongsun/moon_interface:v4.1 + +Starting containers automatically 
+--------------------------------- + +To start the `Moon` framework, you only have to run the `bootstrap` script + + python3 bin/bootstrap.py + +The script will ask you to start one or more Moon containers + +Tests +~~~~~ + + sudo pip3 install pytest + cd tests + pytest + +Run scenario +~~~~~~~~~~~~ + + sudo pip3 install requests + cd tests + python3 populate_default_values.py -v scenario/rbac.py + python3 send_authz.py -v scenario/rbac.py + +Log +--- + +Get some logs +~~~~~~~~~~~~~ + + docker container ps + docker logs db + docker logs messenger + docker logs keystone + docker logs router + docker logs manager + docker logs interface diff --git a/docs/scenarios/os-odl_l2-moon-ha/index.rst b/docs/scenarios/os-odl_l2-moon-ha/index.rst deleted file mode 100644 index 1b9a4bc0..00000000 --- a/docs/scenarios/os-odl_l2-moon-ha/index.rst +++ /dev/null @@ -1,14 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ruan.he@orange.com & thomas.duval@orange.com - - -****************************************** -os-odl_l2-moon-ha Overview and Description -****************************************** - -.. toctree:: - :numbered: - :maxdepth: 2 - - os-odl_l2-moon-ha.rst diff --git a/docs/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst b/docs/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst deleted file mode 100644 index 11c0eee7..00000000 --- a/docs/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst +++ /dev/null 
@@ -1,101 +0,0 @@ -.. This work is licensed under a Creative Commons Attribution 4.0 International License. -.. http://creativecommons.org/licenses/by/4.0 -.. (c) ruan.he@orange.com & thomas.duval@orange.com - - -Introduction -============ - -This guide presents the use of the Moon platform. -The MoonClient script allows the administrator/user to drive the Moon platform and -some parts of the Keystone server itself. - -Scenario components and composition -=================================== - -###Functional architecture -Moon can be considered as a management layer over OpenStack. -We can dynamically create security modules in Moon and assign these modules to protect different -tenants in OpenStack. -![](../img/moon_infra.png) - -###Policy engine -The core part of the security management layer is its policy engine. -The policy engine should be at same time generic to support a large set of security models -used by consumers and robust so that all the manipulations on the policy engine need to be proved correct. -For all these purposes, we designed EMTAC (Extensible Multi-tenancy Access Control) meta-model, -which defines policy specification, policy administration, inter-policy collaboration and administration -over this collaboration. -![](../img/policy_engine.png) - -###User-centric -At the same time, Moon enables administrators or a third-party application to define, configure and manage -its policies. Such a user-centric aspect helps users to define their own manner in using -OpenStack’s resources. - -###Authorization enforcement in OpenStack -As the first step, the security policy in Moon is enforced by authorization mechanism in Keystone and Nova -and Swift. -All the operations in Keystone and Nova and Swift are controlled and validated by Moon. -In OpenStack, we implemented 3 hooks respectively for Keystone and Nova and Swift, the hooks will -redirect all authorization requests to Moon and return decision from Moon. 
- -###Log System -Traceability and accountability are also handled in Moon, all the operations and interactions -are logged and can be consulted for any purpose. - -###Separation of management layer from OpenStack -The separation of management layer from OpenStack makes the management system totally -independent from OpenStack. We can install Moon in client’s local so that Moon can be -locally administrated by clients and remotely project their data which are hosted in -Cloud Service Provider’s datacenter. - -Scenario usage overview -======================= - -The Moon platform is built on the OpenStack Keystone component. While Keystone manages the identification -and the authentication process, Moon manages the authorisation process for all actions that comes through it. -The current version of Moon can only manage a subset of actions: actions from Nova and Swift. -For example, when a user wanted to stop a virtual machine with Nova, the authorisation for that action of stopping -is delegated through KeystoneMiddleware to the Moon platform. - -The MoonClient script helps administrators to configure the Moon platform and the authorisation rules. -It can be used like the OpenStack client with the same environment variables. - -Each OpenStack project (or tenant) car be mapped to an intra-extension. -That intra-extension will contain the configuration for the authorisation process for that tenant. -Each intra-extension is configured with subjects, objects and actions. A subject makes an action on an object. -Those elements can be placed into categories, for example a subject can have a value on the role category. -Those values are saved into the scope element. -For example, the subject (which is also called user) "admin" can have the role "admin" and "dev" on the project "admin". -The same mapping applies to the object and the action element. -For example, the action "stop a VM" can be place in a particular category "access" with the scope "write". 
-The action "stop a VM" is considered as the user has a write access to the VM. - -In order to grant or not an action in the system, Moon uses rules built with the scope values. -If we consider that a rule is constituted with a role for the subject category, -an ID and a security level for the object category and an access value for the action category, we can built rules -with values like the following ones: - -- admin, id1, level_high, write -- admin, id1, level_low, read -- dev, id2, level_high, read - -All configuration can be done with the MoonClient script. -If a project is not mapped to a intra-extension, it can be used as if the Moon platform doesn't exist. - -Limitations, Issues and Workarounds -=================================== - -The Moon platform can only be used to authorize Nova and Swift actions. In future releases, it could manage -more OpenStack components like Neutron, Glance, ... - -References -========== - -For more information on the OPNFV Colorado release, please visit -http://www.opnfv.org/colorado - -Revision: _sha1_ - -Build date: |today| -- cgit 1.2.3-korg
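Review bot: In docs/release/configguide/installation.rst the two `docker run` commands print literal passwords (`RABBITMQ_DEFAULT_PASS=password`, `DB_PASSWORD_ROOT=p4sswOrd1`) and publish the broker and Keystone ports on every host interface (`-p 5671:5671 -p 5672:5672`, `-p 35357:35357 -p 5000:5000`), so a reader who pastes them ends up with a network-reachable service protected by a password that is in the public docs. Suggest a placeholder such as `<choose-a-password>` and binding the published ports to loopback, e.g. `-p 127.0.0.1:5672:5672`, unless remote access is intended. In the same file, `python3 populate_default_values.py scenario/ rbac.py` has a space inside the path; the user guide added by this patch uses `scenario/rbac.py`.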
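Review bot: docs/release/scenarios/os-odl_l2-moon-ha/os-odl_l2-moon-ha.rst still carries Markdown inside an .rst file: the `###Functional architecture` style subsection titles and the `![](../img/moon_infra.png)` and `![](../img/policy_engine.png)` image lines will come out as literal text in the Sphinx build. Since this commit is about structure, convert the titles to underlined RST sections and the images to `.. image::` directives, and check that `../img/` still resolves now that the file sits one directory deeper under docs/release/. While the text is being touched, "car be mapped", "can be place" and "we can built" are typos.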
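Review bot: In docs/release/userguide/userguide.rst, `docker network create -d bridge --subnet=172.88.88.0/16 --gateway=172.88.88.1 moon` places the internal network outside private address space (RFC 1918 covers 172.16.0.0/12, which ends at 172.31.255.255) and writes a /16 with host bits set. Suggest a private range, for instance one consistent with the `host=172.18.0.11` shown in the `[interface]` example, and adjusting any addresses that depend on it. Two smaller points in the same file: none of the command blocks is introduced by `::` or a `.. code-block::` directive, so they will not render as literal blocks, and `mysql:latest` and `consul` are unpinned while the Moon images are pinned to `v4.1`; pinning all of them keeps the documented setup reproducible.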