From a363067a1bdf411c28032b926b451fc9d0964dc6 Mon Sep 17 00:00:00 2001 From: WuKong Date: Mon, 12 Oct 2015 14:29:11 +0200 Subject: create scenario test Change-Id: Id392d900583a31fb53a9da5bcb0c47746f34491a 
Signed-off-by: WuKong --- .../moon/policies/policy_admin/assignment.json | 47 ----------- .../moon/policies/policy_admin/metadata.json | 18 ----- .../moon/policies/policy_admin/metarule.json | 12 --- .../moon/policies/policy_admin/perimeter.json | 41 ---------- .../examples/moon/policies/policy_admin/rule.json | 64 --------------- .../examples/moon/policies/policy_admin/scope.json | 47 ----------- .../moon/policies/policy_mls_authz/assignment.json | 29 +++++++ .../moon/policies/policy_mls_authz/metadata.json | 18 +++++ .../moon/policies/policy_mls_authz/metarule.json | 12 +++ .../moon/policies/policy_mls_authz/perimeter.json | 21 +++++ .../moon/policies/policy_mls_authz/rule.json | 16 ++++ .../moon/policies/policy_mls_authz/scope.json | 26 ++++++ .../policies/policy_rbac_admin/assignment.json | 48 +++++++++++ .../moon/policies/policy_rbac_admin/metadata.json | 18 +++++ .../moon/policies/policy_rbac_admin/metarule.json | 12 +++ .../moon/policies/policy_rbac_admin/perimeter.json | 42 ++++++++++ .../moon/policies/policy_rbac_admin/rule.json | 94 ++++++++++++++++++++++ .../moon/policies/policy_rbac_admin/scope.json | 48 +++++++++++ .../keystone/tests/moon/scenario/test_nova_a.sh | 33 ++++++++ .../keystone/tests/moon/scenario/test_nova_b.sh | 39 +++++++++ .../keystone/tests/moon/scenario/test_nova_c.sh | 37 +++++++++ 21 files changed, 493 insertions(+), 229 deletions(-) delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_admin/scope.json create mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json create mode 100644 
keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json create mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json create mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json create mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/rule.json create mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/scope.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json create mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json create mode 100644 keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh create mode 100644 keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh create mode 100644 keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json deleted file mode 100644 index 2c339a39..00000000 --- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json +++ /dev/null 
@@ -1,47 +0,0 @@ -{ - "subject_assignments": { - "role": { - "admin": ["root_role"] - } - }, - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - "object_assignments": { - "object_id": { - "authz.subjects": ["authz.subjects"], - "authz.objects": ["authz.objects"], - "authz.actions": ["authz.actions"], - "authz.subject_categories": ["authz.subject_categories"], - "authz.object_categories": ["authz.object_categories"], - "authz.action_categories": ["authz.action_categories"], - "authz.subject_scopes": ["authz.subject_scopes"], - "authz.object_scopes": ["authz.object_scopes"], - "authz.action_scopes": ["authz.action_scopes"], - "authz.subject_assignments": ["authz.subject_assignments"], - "authz.object_assignments": ["authz.object_assignments"], - "authz.action_assignments": ["authz.action_assignments"], - "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], - "authz.sub_meta_rules": ["authz.sub_meta_rules"], - "authz.rules": ["authz.rules"], - "admin.subjects": ["admin.subjects"], - "admin.objects": ["admin.objects"], - "admin.actions": ["admin.actions"], - "admin.subject_categories": ["admin.subject_categories"], - "admin.object_categories": ["admin.object_categories"], - "admin.action_categories": ["admin.action_categories"], - "admin.subject_scopes": ["admin.subject_scopes"], - "admin.object_scopes": ["admin.object_scopes"], - "admin.action_scopes": ["admin.action_scopes"], - "admin.subject_assignments": ["admin.subject_assignments"], - "admin.object_assignments": ["admin.object_assignments"], - "admin.action_assignments": ["admin.action_assignments"], - "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], - "admin.sub_meta_rules": ["admin.sub_meta_rules"], - "admin.rules": ["admin.rules"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_admin/metadata.json deleted file mode 100644 index 9ee8a11d..00000000 
--- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "RBAC Admin Policy", - "model": "RBAC", - "genre": "admin", - "description": "", - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_admin/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json deleted file mode 100644 index 3fe71bb5..00000000 --- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json +++ /dev/null 
@@ -1,41 +0,0 @@ -{ - "subjects": [ - "admin" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json deleted file mode 100644 index 020dac41..00000000 --- a/keystone-moon/examples/moon/policies/policy_admin/rule.json +++ /dev/null 
@@ -1,64 +0,0 @@ -{ - "rbac_rule":[ - ["root_role" , "read", "authz.subjects"], - ["root_role" , "read", "authz.objects"], - ["root_role" , "read", "authz.actions"], - ["root_role" , "read", "authz.subject_categories"], - ["root_role" , "read", "authz.object_categories"], - ["root_role" , "read", "authz.action_categories"], - ["root_role" , "read", "authz.subject_scopes"], - ["root_role" , "read", "authz.object_scopes"], - ["root_role" , "read", "authz.action_scopes"], - ["root_role" , "read", "authz.subject_assignments"], - ["root_role" , "read", "authz.object_assignments"], - ["root_role" , "read", "authz.action_assignments"], - ["root_role" , "read", "authz.aggregation_algorithm"], - ["root_role" , "read", "authz.sub_meta_rules"], - ["root_role" , "read", "authz.rules"], - ["root_role" , "write", "authz.subjects"], - ["root_role" , "write", "authz.objects"], - ["root_role" , "write", "authz.actions"], - ["root_role" , "write", "authz.subject_categories"], - ["root_role" , "write", "authz.object_categories"], - ["root_role" , "write", "authz.action_categories"], - ["root_role" , "write", "authz.subject_scopes"], - ["root_role" , "write", "authz.object_scopes"], - ["root_role" , "write", "authz.action_scopes"], - ["root_role" , "write", "authz.subject_assignments"], - ["root_role" , "write", "authz.object_assignments"], - ["root_role" , "write", "authz.action_assignments"], - ["root_role" , "write", "authz.aggregation_algorithm"], - ["root_role" , "write", "authz.sub_meta_rules"], - ["root_role" , "write", "authz.rules"], - ["root_role" , "read", "admin.subjects"], - ["root_role" , "read", "admin.objects"], - ["root_role" , "read", "admin.actions"], - ["root_role" , "read", "admin.subject_categories"], - ["root_role" , "read", "admin.object_categories"], - ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_scopes"], - ["root_role" , "read", "admin.object_scopes"], - ["root_role" , "read", "admin.action_scopes"], - 
["root_role" , "read", "admin.subject_assignments"], - ["root_role" , "read", "admin.object_assignments"], - ["root_role" , "read", "admin.action_assignments"], - ["root_role" , "read", "admin.aggregation_algorithm"], - ["root_role" , "read", "admin.sub_meta_rules"], - ["root_role" , "read", "admin.rules"], - ["root_role" , "write", "admin.subjects"], - ["root_role" , "write", "admin.objects"], - ["root_role" , "write", "admin.actions"], - ["root_role" , "write", "admin.subject_categories"], - ["root_role" , "write", "admin.object_categories"], - ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_scopes"], - ["root_role" , "write", "admin.object_scopes"], - ["root_role" , "write", "admin.action_scopes"], - ["root_role" , "write", "admin.subject_assignments"], - ["root_role" , "write", "admin.object_assignments"], - ["root_role" , "write", "admin.action_assignments"], - ["root_role" , "write", "admin.aggregation_algorithm"], - ["root_role" , "write", "admin.sub_meta_rules"], - ["root_role" , "write", "admin.rules"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json deleted file mode 100644 index c8b4908a..00000000 --- a/keystone-moon/examples/moon/policies/policy_admin/scope.json +++ /dev/null 
@@ -1,47 +0,0 @@
-{
- "subject_scopes": {
- "role": [
- "root_role"
- ]
- },
- "action_scopes": {
- "action_id": [
- "read",
- "write"
- ]
- },
- "object_scopes": {
- "object_id": [
- "authz.subjects",
- "authz.objects",
- "authz.actions",
- "authz.subject_categories",
- "authz.object_categories",
- "authz.action_categories",
- "authz.subject_scopes",
- "authz.object_scopes",
- "authz.action_scopes",
- "authz.subject_assignments",
- "authz.object_assignments",
- "authz.action_assignments",
- "authz.aggregation_algorithm",
- "authz.sub_meta_rules",
- "authz.rules",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_scopes",
- "admin.object_scopes",
- "admin.action_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
- }
-}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..0712dfbc
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,29 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "admin": ["high"],
+ "demo": ["medium"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"],
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"],
+ "upload": ["storage_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ }
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..c419c815
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "MLS_Policy",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Level Security Policy",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "resource_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..e068927c
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..47a8ee45
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,21 @@
+{
+ "subjects": [
+ "admin",
+ "demo"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list",
+ "upload",
+ "download",
+ "post",
+ "storage_list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
new file mode 100644
index 00000000..b17dc822
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
@@ -0,0 +1,16 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "low"],
+ ["high", "storage_admin", "medium"],
+ ["high", "storage_admin", "low"],
+ ["medium", "storage_admin", "low"],
+ ["high", "storage_access", "medium"],
+ ["high", "storage_access", "low"],
+ ["medium", "storage_access", "low"]
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..6cc1c28e
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
@@ -0,0 +1,26 @@
+{
+ "subject_scopes": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_scopes": {
+ "resource_action": [
+ "vm_admin",
+ "vm_access",
+ "storage_admin",
+ "storage_access"
+ ]
+ },
+
+ "object_scopes": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
new file mode 100644
index 00000000..ed1950b0
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json
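Review bot: The `mls_rule` table contains no same-level tuple (no `["high", ..., "high"]`, no `["medium", ..., "medium"]`), so a subject may only act on objects at a strictly lower security level; test_nova_a.sh depends on exactly that when it moves `servers` to `high` to get `nova list` denied for the `high` admin. That is an unusual reading of an MLS lattice (dominance normally includes equality), and with `["medium", "vm_admin", "low"]` the `demo` subject gets every `vm_admin` action (stop, pause, create) on the `low` `servers` object. If both are intended, state it in metadata.json, e.g. `"description": "Multi Level Security Policy: a subject may act only on objects at a strictly lower security level"`, so the next reader does not "fix" the lattice.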
@@ -0,0 +1,48 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"], + "demo": ["dev"] + } + }, + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + "object_assignments": { + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_scopes": ["authz.subject_scopes"], + "authz.object_scopes": ["authz.object_scopes"], + "authz.action_scopes": ["authz.action_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_scopes": ["admin.subject_scopes"], + "admin.object_scopes": ["admin.object_scopes"], + "admin.action_scopes": ["admin.action_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} 
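Review bot: `"demo": ["dev"]` assigns the `demo` subject to a role value that is declared nowhere else in this policy: scope.json lists the `role` scope as `root_role` and `dev_role`, rule.json grants the read tuples to `dev_role`, and test_nova_c.sh refers to the dev_role user. As written demo's role lies outside the declared scope and none of the `dev_role` rules can ever match it, so every admin-policy check for demo fails closed regardless of what test_nova_c.sh later adds. Change the line to `"demo": ["dev_role"]`.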
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
new file mode 100644
index 00000000..9ee8a11d
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "RBAC Admin Policy",
+ "model": "RBAC",
+ "genre": "admin",
+ "description": "",
+
+ "subject_categories": [
+ "role"
+ ],
+
+ "action_categories": [
+ "action_id"
+ ],
+
+ "object_categories": [
+ "object_id"
+ ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
new file mode 100644
index 00000000..86dbfad2
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "rbac_rule": {
+ "subject_categories": ["role"],
+ "action_categories": ["action_id"],
+ "object_categories": ["object_id"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
new file mode 100644
index 00000000..1155533e
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json
@@ -0,0 +1,42 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json new file mode 100644 index 00000000..c89ceff3 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json 
@@ -0,0 +1,94 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_scopes"], + ["root_role" , "read", "authz.object_scopes"], + ["root_role" , "read", "authz.action_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_scopes"], + ["root_role" , "write", "authz.object_scopes"], + ["root_role" , "write", "authz.action_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_scopes"], + ["root_role" , "read", "admin.object_scopes"], + ["root_role" , "read", "admin.action_scopes"], + 
["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_scopes"], + ["root_role" , "write", "admin.object_scopes"], + ["root_role" , "write", "admin.action_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"], + ["dev_role" , "read", "authz.subjects"], + ["dev_role" , "read", "authz.objects"], + ["dev_role" , "read", "authz.actions"], + ["dev_role" , "read", "authz.subject_categories"], + ["dev_role" , "read", "authz.object_categories"], + ["dev_role" , "read", "authz.action_categories"], + ["dev_role" , "read", "authz.subject_scopes"], + ["dev_role" , "read", "authz.object_scopes"], + ["dev_role" , "read", "authz.action_scopes"], + ["dev_role" , "read", "authz.subject_assignments"], + ["dev_role" , "read", "authz.object_assignments"], + ["dev_role" , "read", "authz.action_assignments"], + ["dev_role" , "read", "authz.aggregation_algorithm"], + ["dev_role" , "read", "authz.sub_meta_rules"], + ["dev_role" , "read", "authz.rules"], + ["dev_role" , "read", "admin.subjects"], + ["dev_role" , "read", "admin.objects"], + ["dev_role" , "read", "admin.actions"], + ["dev_role" , "read", "admin.subject_categories"], + 
["dev_role" , "read", "admin.object_categories"], + ["dev_role" , "read", "admin.action_categories"], + ["dev_role" , "read", "admin.subject_scopes"], + ["dev_role" , "read", "admin.object_scopes"], + ["dev_role" , "read", "admin.action_scopes"], + ["dev_role" , "read", "admin.subject_assignments"], + ["dev_role" , "read", "admin.object_assignments"], + ["dev_role" , "read", "admin.action_assignments"], + ["dev_role" , "read", "admin.aggregation_algorithm"], + ["dev_role" , "read", "admin.sub_meta_rules"], + ["dev_role" , "read", "admin.rules"] + ] +} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json new file mode 100644 index 00000000..149056a6 --- /dev/null +++ b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json @@ -0,0 +1,48 @@ +{ + "subject_scopes": { + "role": [ + "root_role", + "dev_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "object_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh new file mode 100644 index 00000000..36afd5a1 
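Review bot: The new `dev_role` tuples at the end of the `rbac_rule` array grant `read` on every `admin.*` object, including `admin.rules`, `admin.subject_assignments` and `admin.sub_meta_rules`, which lets a non-admin tenant user enumerate the admin policy itself (who holds `root_role`, which rules exist). That is more than the scenario in test_nova_c.sh exercises — it only reads and, after the admin grants write, modifies object assignments in the authz policy. If the example is meant to show least privilege, drop the `["dev_role", "read", "admin.*"]` tuples and keep the `authz.*` ones; otherwise record the intent in metadata.json, whose `"description": ""` is currently empty, e.g. `"description": "root_role: full read/write; dev_role: read-only, including the admin tables"`.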
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx `demo`
+
+# check that now moon authorizes the manipulation list_servers
+nova list
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation list_servers
+nova list
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid`
\ No newline at end of file
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
new file mode 100644
index 00000000..f2c0e4fc
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
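Review bot: The backtick placeholders (`` `demo` ``, `` `test_authz_uuid` ``, `` `servers_uuid` ``, `` `object_security_level_uuid` ``, `` `low_uuid` ``, `` `high_uuid` ``) are command substitutions in bash, so running this file as-is tries to execute commands by those names and hands empty strings to `moon` — `moon object assignment del` then runs with no arguments at all; the same applies throughout test_nova_b.sh and test_nova_c.sh. Either turn them into variables the caller must set (`moon intraextension select "$TEST_AUTHZ_UUID"`) or state at the top that the file is a scenario description, not a runnable test; `--authz xxx --admin xxx` should likewise be the ids returned by the two `moon intraextension add` calls above it. Each "check" step is a bare `nova list` with no `set -e` and no test of its exit status, so the script cannot distinguish the allowed case from the denied one; at minimum encode the expected outcome, `nova list || echo "FAIL: list_servers should be allowed"` for the first check and `nova list && echo "FAIL: list_servers should be denied"` for the second, or say in the comment that the result is inspected by hand. Since `moon object assignment del/add` are run in order, a failure midway leaves `servers` at `high` for the next run; a `trap` that restores the `low` assignment on exit would keep the scenarios independent.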
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# create a VM (vm1) in OpenStack
+nova create vm1.....
+
+# add corresponding object in moon
+moon object add vm1
+
+# check that moon blocks the vm1 manipulatin
+nova vm1 suspend ....
+
+# add object assignment for vm1
+moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation of vm1
+nova vm1 suspend ....
+
+# del object assignment for servers
+moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid`
+
+# check now moon unblock the manipulation of vm1
+nova vm1 suspend ....
\ No newline at end of file
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
new file mode 100644
index 00000000..bf4bd3c8
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
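Review bot: The line under "add object assignment for vm1" is missing the `add` subcommand that every other assignment line in these scripts uses, so the step that is supposed to place vm1 at `high` does nothing and the following "check now moon block" observation is never exercised; it should read `moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid``. The nova lines are placeholders rather than commands — `nova create vm1.....` and `nova vm1 suspend ....` would be `nova boot ... vm1` and `nova suspend vm1` if this is meant to run — and the comment typo "manipulatin" should be "manipulation". The two comments "del/add object assignment for servers" were copied from test_nova_a.sh and here operate on vm1. Backtick placeholders and unchecked results are the same issue raised on test_nova_a.sh.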
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# as user demo
+. openrc demo
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# check that moon blocks modification of object assignments
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# as user admin
+. openrc admin
+
+# select the admin intraextension
+moon intraextension select `test_admin_uuid`
+
+# add write permission to the dev_role user for assignment table
+moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
+
+# as user demo
+. openrc demo
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# check that moon authorizes modification of rule table by demo
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
-- cgit 1.2.3-korg
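Review bot: The rule granted to dev_role names an object `authz.assignment` that does not exist in policy_rbac_admin — perimeter.json and scope.json in this commit only define `authz.subject_assignments`, `authz.object_assignments` and `authz.action_assignments`. Since the step being unblocked is `moon object assignment add`, the line should be `moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.object_assignments`]`, and the last comment should say "modification of object assignments", not "rule table", to match the command beneath it. The first steps (creating both intraextensions and the tenant) run after `. openrc demo`, which presumably requires admin rights; if so they belong under the `. openrc admin` block, with demo only performing the two denied/allowed assignment attempts. Note that with assignment.json mapping `demo` to `dev` instead of `dev_role`, the write rule would still not match demo even after this fix.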