From 8c6291c915bd9f806600642b188f2bbb5fc716bc Mon Sep 17 00:00:00 2001 From: asteroide Date: Fri, 22 Apr 2016 16:06:08 +0200 Subject: Move policy files to a better location for the installation process. Change-Id: If74a878058983df8e432927e87b3da69214d9888 --- keystone-moon/MANIFEST.in | 2 +- .../etc/policies/policy_authz/assignment.json | 55 +++++++++++++ .../etc/policies/policy_authz/metadata.json | 23 ++++++ .../etc/policies/policy_authz/metarule.json | 24 ++++++ .../etc/policies/policy_authz/perimeter.json | 21 +++++ keystone-moon/etc/policies/policy_authz/rule.json | 25 ++++++ keystone-moon/etc/policies/policy_authz/scope.json | 49 +++++++++++ .../policies/policy_empty_admin/assignment.json | 7 ++ .../etc/policies/policy_empty_admin/metadata.json | 12 +++ .../etc/policies/policy_empty_admin/metarule.json | 12 +++ .../etc/policies/policy_empty_admin/perimeter.json | 39 +++++++++ .../etc/policies/policy_empty_admin/rule.json | 3 + .../etc/policies/policy_empty_admin/scope.json | 7 ++ .../policies/policy_empty_authz/assignment.json | 7 ++ .../etc/policies/policy_empty_authz/metadata.json | 12 +++ .../etc/policies/policy_empty_authz/metarule.json | 12 +++ .../etc/policies/policy_empty_authz/perimeter.json | 5 ++ .../etc/policies/policy_empty_authz/rule.json | 3 + .../etc/policies/policy_empty_authz/scope.json | 7 ++ .../etc/policies/policy_mls_authz/assignment.json | 29 +++++++ .../etc/policies/policy_mls_authz/metadata.json | 18 +++++ .../etc/policies/policy_mls_authz/metarule.json | 12 +++ .../etc/policies/policy_mls_authz/perimeter.json | 21 +++++ .../etc/policies/policy_mls_authz/rule.json | 16 ++++ .../etc/policies/policy_mls_authz/scope.json | 26 ++++++ .../etc/policies/policy_rbac_admin/assignment.json | 48 +++++++++++ .../etc/policies/policy_rbac_admin/metadata.json | 18 +++++ .../etc/policies/policy_rbac_admin/metarule.json | 12 +++ .../etc/policies/policy_rbac_admin/perimeter.json | 42 ++++++++++ .../etc/policies/policy_rbac_admin/rule.json | 94 ++++++++++++++++++++++ .../etc/policies/policy_rbac_admin/scope.json | 48 +++++++++++ .../etc/policies/policy_root/assignment.json | 39 +++++++++ .../etc/policies/policy_root/metadata.json | 18 +++++ .../etc/policies/policy_root/metarule.json | 12 +++ .../etc/policies/policy_root/perimeter.json | 31 +++++++ keystone-moon/etc/policies/policy_root/rule.json | 44 ++++++++++ keystone-moon/etc/policies/policy_root/scope.json | 39 +++++++++ keystone-moon/examples/moon/__init__.py | 4 - .../moon/policies/policy_authz/assignment.json | 55 ------------- .../moon/policies/policy_authz/metadata.json | 23 ------ .../moon/policies/policy_authz/metarule.json | 24 ------ .../moon/policies/policy_authz/perimeter.json | 21 ----- .../examples/moon/policies/policy_authz/rule.json | 25 ------ .../examples/moon/policies/policy_authz/scope.json | 49 ----------- .../policies/policy_empty_admin/assignment.json | 7 -- .../moon/policies/policy_empty_admin/metadata.json | 12 --- .../moon/policies/policy_empty_admin/metarule.json | 12 --- .../policies/policy_empty_admin/perimeter.json | 39 --------- .../moon/policies/policy_empty_admin/rule.json | 3 - .../moon/policies/policy_empty_admin/scope.json | 7 -- .../policies/policy_empty_authz/assignment.json | 7 -- .../moon/policies/policy_empty_authz/metadata.json | 12 --- .../moon/policies/policy_empty_authz/metarule.json | 12 --- .../policies/policy_empty_authz/perimeter.json | 5 -- .../moon/policies/policy_empty_authz/rule.json | 3 - .../moon/policies/policy_empty_authz/scope.json | 7 -- .../moon/policies/policy_mls_authz/assignment.json | 29 ------- .../moon/policies/policy_mls_authz/metadata.json | 18 ----- .../moon/policies/policy_mls_authz/metarule.json | 12 --- .../moon/policies/policy_mls_authz/perimeter.json | 21 ----- .../moon/policies/policy_mls_authz/rule.json | 16 ---- .../moon/policies/policy_mls_authz/scope.json | 26 ------ .../policies/policy_rbac_admin/assignment.json | 48 ----------- .../moon/policies/policy_rbac_admin/metadata.json | 18 ----- .../moon/policies/policy_rbac_admin/metarule.json | 12 --- .../moon/policies/policy_rbac_admin/perimeter.json | 42 ---------- .../moon/policies/policy_rbac_admin/rule.json | 94 ---------------------- .../moon/policies/policy_rbac_admin/scope.json | 48 ----------- .../moon/policies/policy_root/assignment.json | 39 --------- .../moon/policies/policy_root/metadata.json | 18 ----- .../moon/policies/policy_root/metarule.json | 12 --- .../moon/policies/policy_root/perimeter.json | 31 ------- .../examples/moon/policies/policy_root/rule.json | 44 ---------- .../examples/moon/policies/policy_root/scope.json | 39 --------- 74 files changed, 891 insertions(+), 895 deletions(-) create mode 100644 keystone-moon/etc/policies/policy_authz/assignment.json create mode 100644 keystone-moon/etc/policies/policy_authz/metadata.json create mode 100644 keystone-moon/etc/policies/policy_authz/metarule.json create mode 100644 keystone-moon/etc/policies/policy_authz/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_authz/rule.json create mode 100644 keystone-moon/etc/policies/policy_authz/scope.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/assignment.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/metadata.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/metarule.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/rule.json create mode 100644 keystone-moon/etc/policies/policy_empty_admin/scope.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/assignment.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/metadata.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/metarule.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/rule.json create mode 100644 keystone-moon/etc/policies/policy_empty_authz/scope.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/assignment.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/metadata.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/metarule.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/rule.json create mode 100644 keystone-moon/etc/policies/policy_mls_authz/scope.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/assignment.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/metadata.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/metarule.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/rule.json create mode 100644 keystone-moon/etc/policies/policy_rbac_admin/scope.json create mode 100644 keystone-moon/etc/policies/policy_root/assignment.json create mode 100644 keystone-moon/etc/policies/policy_root/metadata.json create mode 100644 keystone-moon/etc/policies/policy_root/metarule.json create mode 100644 keystone-moon/etc/policies/policy_root/perimeter.json create mode 100644 keystone-moon/etc/policies/policy_root/rule.json create mode 100644 keystone-moon/etc/policies/policy_root/scope.json delete mode 100644 keystone-moon/examples/moon/__init__.py delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_authz/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_admin/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_empty_authz/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_mls_authz/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/assignment.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/metadata.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/metarule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/perimeter.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/rule.json delete mode 100644 keystone-moon/examples/moon/policies/policy_root/scope.json (limited to 'keystone-moon') diff --git a/keystone-moon/MANIFEST.in b/keystone-moon/MANIFEST.in index 39db99e6..c810f913 100644 --- a/keystone-moon/MANIFEST.in +++ b/keystone-moon/MANIFEST.in @@ -10,7 +10,7 @@ include run_tests.sh include setup.cfg include setup.py include tox.ini -include etc/* +graft etc include httpd/* graft bin graft doc diff --git a/keystone-moon/etc/policies/policy_authz/assignment.json b/keystone-moon/etc/policies/policy_authz/assignment.json new file mode 100644 index 00000000..7a6c722e --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/assignment.json @@ -0,0 +1,55 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + }, + "domain":{ + "admin": ["ft"], + "demo": ["xx"] + }, + "role": { + "admin": ["admin"], + "demo": ["dev"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + }, + "access": { + "pause": ["write"], + "unpause": ["write"], + "start": ["write"], + "stop": ["write"], + "list": ["read"], + "create": ["write"], + "storage_list": ["read"], + "download": ["read"], + "post": ["write"], + "upload": ["write"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + }, + "type": { + "servers": ["computing"] + }, + "object_id": { + "servers": ["servers"] + } + } +} diff --git a/keystone-moon/etc/policies/policy_authz/metadata.json b/keystone-moon/etc/policies/policy_authz/metadata.json new file mode 100644 index 00000000..d0db90db --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/metadata.json @@ -0,0 +1,23 @@ +{ + "name": "Multiple_Policy", + "model": "Multiple", + "genre": "authz", + "description": "Multiple Security Policies", + + "subject_categories": [ + "subject_security_level", + "domain", + "role" + ], + + "action_categories": [ + "resource_action", + "access" + ], + + "object_categories": [ + "object_security_level", + "type", + "object_id" + ] +} diff --git a/keystone-moon/etc/policies/policy_authz/metarule.json b/keystone-moon/etc/policies/policy_authz/metarule.json new file mode 100644 index 00000000..c9afd6c2 --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/metarule.json @@ -0,0 +1,24 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + }, + "dte_rule": { + "subject_categories": ["domain"], + "action_categories": ["access"], + "object_categories": ["type"], + "algorithm": "inclusion" + }, + "rbac_rule": { + "subject_categories": ["role", "domain"], + "action_categories": ["access"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/keystone-moon/etc/policies/policy_authz/perimeter.json b/keystone-moon/etc/policies/policy_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/keystone-moon/etc/policies/policy_authz/rule.json b/keystone-moon/etc/policies/policy_authz/rule.json new file mode 100644 index 00000000..25f9d93a --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/rule.json @@ -0,0 +1,25 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "high"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "medium"], + ["medium", "vm_access", "low"], + ["low", "vm_access", "low"] + ], + "dte_rule":[ + ["ft", "read", "computing"], + ["ft", "write", "computing"], + ["ft", "read", "storage"], + ["ft", "write", "storage"], + ["xx", "read", "storage"] + ], + "rbac_rule":[ + ["dev", "xx", "read", "servers"], + ["admin", "xx", "read", "servers"], + ["admin", "ft", "read", "servers"] + ] +} diff --git a/keystone-moon/etc/policies/policy_authz/scope.json b/keystone-moon/etc/policies/policy_authz/scope.json new file mode 100644 index 00000000..9b313daf --- /dev/null +++ b/keystone-moon/etc/policies/policy_authz/scope.json @@ -0,0 +1,49 @@ +{ + "subject_scopes": { + "role": [ + "admin", + "dev" + ], + "subject_security_level": [ + "high", + "medium", + "low" + ], + "domain": [ + "ft", + "xx" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ], + "access": [ + "write", + "read" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ], + "type": [ + "computing", + "storage" + ], + "object_id": [ + "servers", + "vm1", + "vm2", + "file1", + "file2" + ] + } +} diff --git a/keystone-moon/etc/policies/policy_empty_admin/assignment.json b/keystone-moon/etc/policies/policy_empty_admin/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} diff --git a/keystone-moon/etc/policies/policy_empty_admin/metadata.json b/keystone-moon/etc/policies/policy_empty_admin/metadata.json new file mode 100644 index 00000000..3c9be2e5 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "Empty_Policy", + "model": "", + "genre": "admin", + "description": "Empty Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/keystone-moon/etc/policies/policy_empty_admin/metarule.json b/keystone-moon/etc/policies/policy_empty_admin/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/keystone-moon/etc/policies/policy_empty_admin/perimeter.json b/keystone-moon/etc/policies/policy_empty_admin/perimeter.json new file mode 100644 index 00000000..54dbfc31 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/perimeter.json @@ -0,0 +1,39 @@ +{ + "subjects": [], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/etc/policies/policy_empty_admin/rule.json b/keystone-moon/etc/policies/policy_empty_admin/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/keystone-moon/etc/policies/policy_empty_admin/scope.json b/keystone-moon/etc/policies/policy_empty_admin/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_admin/scope.json @@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/keystone-moon/etc/policies/policy_empty_authz/assignment.json b/keystone-moon/etc/policies/policy_empty_authz/assignment.json new file mode 100644 index 00000000..24018a09 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/assignment.json @@ -0,0 +1,7 @@ +{ + "subject_assignments": {}, + + "action_assignments": {}, + + "object_assignments": {} +} diff --git a/keystone-moon/etc/policies/policy_empty_authz/metadata.json b/keystone-moon/etc/policies/policy_empty_authz/metadata.json new file mode 100644 index 00000000..4f300d78 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/metadata.json @@ -0,0 +1,12 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [], + + "action_categories": [], + + "object_categories": [] +} diff --git a/keystone-moon/etc/policies/policy_empty_authz/metarule.json b/keystone-moon/etc/policies/policy_empty_authz/metarule.json new file mode 100644 index 00000000..7acd8848 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": [], + "action_categories": [], + "object_categories": [], + "algorithm": "" + } + }, + "aggregation": "" +} + diff --git a/keystone-moon/etc/policies/policy_empty_authz/perimeter.json b/keystone-moon/etc/policies/policy_empty_authz/perimeter.json new file mode 100644 index 00000000..9da8a8c0 --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/perimeter.json @@ -0,0 +1,5 @@ +{ + "subjects": [], + "actions": [], + "objects": [] +} diff --git a/keystone-moon/etc/policies/policy_empty_authz/rule.json b/keystone-moon/etc/policies/policy_empty_authz/rule.json new file mode 100644 index 00000000..fe4fae5a --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/rule.json @@ -0,0 +1,3 @@ +{ + "mls_rule":[] +} diff --git a/keystone-moon/etc/policies/policy_empty_authz/scope.json b/keystone-moon/etc/policies/policy_empty_authz/scope.json new file mode 100644 index 00000000..1efebe6f --- /dev/null +++ b/keystone-moon/etc/policies/policy_empty_authz/scope.json @@ -0,0 +1,7 @@ +{ + "subject_scopes": {}, + + "action_scopes": {}, + + "object_scopes": {} +} diff --git a/keystone-moon/etc/policies/policy_mls_authz/assignment.json b/keystone-moon/etc/policies/policy_mls_authz/assignment.json new file mode 100644 index 00000000..0712dfbc --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/assignment.json @@ -0,0 +1,29 @@ +{ + "subject_assignments": { + "subject_security_level":{ + "admin": ["high"], + "demo": ["medium"] + } + }, + + "action_assignments": { + "resource_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"], + "list": ["vm_access", "vm_admin"], + "create": ["vm_admin"], + "storage_list": ["storage_access"], + "download": ["storage_access"], + "post": ["storage_admin"], + "upload": ["storage_admin"] + } + }, + + "object_assignments": { + "object_security_level": { + "servers": ["low"] + } + } +} diff --git a/keystone-moon/etc/policies/policy_mls_authz/metadata.json b/keystone-moon/etc/policies/policy_mls_authz/metadata.json new file mode 100644 index 00000000..c419c815 --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "MLS_Policy", + "model": "MLS", + "genre": "authz", + "description": "Multi Level Security Policy", + + "subject_categories": [ + "subject_security_level" + ], + + "action_categories": [ + "resource_action" + ], + + "object_categories": [ + "object_security_level" + ] +} diff --git a/keystone-moon/etc/policies/policy_mls_authz/metarule.json b/keystone-moon/etc/policies/policy_mls_authz/metarule.json new file mode 100644 index 00000000..e068927c --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "mls_rule": { + "subject_categories": ["subject_security_level"], + "action_categories": ["resource_action"], + "object_categories": ["object_security_level"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/keystone-moon/etc/policies/policy_mls_authz/perimeter.json b/keystone-moon/etc/policies/policy_mls_authz/perimeter.json new file mode 100644 index 00000000..47a8ee45 --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/perimeter.json @@ -0,0 +1,21 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "pause", + "unpause", + "start", + "stop", + "create", + "list", + "upload", + "download", + "post", + "storage_list" + ], + "objects": [ + "servers" + ] +} diff --git a/keystone-moon/etc/policies/policy_mls_authz/rule.json b/keystone-moon/etc/policies/policy_mls_authz/rule.json new file mode 100644 index 00000000..b17dc822 --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/rule.json @@ -0,0 +1,16 @@ +{ + "mls_rule":[ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "low"], + ["high", "storage_admin", "medium"], + ["high", "storage_admin", "low"], + ["medium", "storage_admin", "low"], + ["high", "storage_access", "medium"], + ["high", "storage_access", "low"], + ["medium", "storage_access", "low"] + ] +} diff --git a/keystone-moon/etc/policies/policy_mls_authz/scope.json b/keystone-moon/etc/policies/policy_mls_authz/scope.json new file mode 100644 index 00000000..6cc1c28e --- /dev/null +++ b/keystone-moon/etc/policies/policy_mls_authz/scope.json @@ -0,0 +1,26 @@ +{ + "subject_scopes": { + "subject_security_level": [ + "high", + "medium", + "low" + ] + }, + + "action_scopes": { + "resource_action": [ + "vm_admin", + "vm_access", + "storage_admin", + "storage_access" + ] + }, + + "object_scopes": { + "object_security_level": [ + "high", + "medium", + "low" + ] + } +} diff --git a/keystone-moon/etc/policies/policy_rbac_admin/assignment.json b/keystone-moon/etc/policies/policy_rbac_admin/assignment.json new file mode 100644 index 00000000..f2378333 --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/assignment.json @@ -0,0 +1,48 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"], + "demo": ["dev_role"] + } + }, + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + "object_assignments": { + "object_id": { + "authz.subjects": ["authz.subjects"], + "authz.objects": ["authz.objects"], + "authz.actions": ["authz.actions"], + "authz.subject_categories": ["authz.subject_categories"], + "authz.object_categories": ["authz.object_categories"], + "authz.action_categories": ["authz.action_categories"], + "authz.subject_scopes": ["authz.subject_scopes"], + "authz.object_scopes": ["authz.object_scopes"], + "authz.action_scopes": ["authz.action_scopes"], + "authz.subject_assignments": ["authz.subject_assignments"], + "authz.object_assignments": ["authz.object_assignments"], + "authz.action_assignments": ["authz.action_assignments"], + "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], + "authz.sub_meta_rules": ["authz.sub_meta_rules"], + "authz.rules": ["authz.rules"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_scopes": ["admin.subject_scopes"], + "admin.object_scopes": ["admin.object_scopes"], + "admin.action_scopes": ["admin.action_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/keystone-moon/etc/policies/policy_rbac_admin/metadata.json b/keystone-moon/etc/policies/policy_rbac_admin/metadata.json new file mode 100644 index 00000000..9ee8a11d --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "RBAC Admin Policy", + "model": "RBAC", + "genre": "admin", + "description": "", + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/keystone-moon/etc/policies/policy_rbac_admin/metarule.json b/keystone-moon/etc/policies/policy_rbac_admin/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/keystone-moon/etc/policies/policy_rbac_admin/perimeter.json b/keystone-moon/etc/policies/policy_rbac_admin/perimeter.json new file mode 100644 index 00000000..1155533e --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/perimeter.json @@ -0,0 +1,42 @@ +{ + "subjects": [ + "admin", + "demo" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/etc/policies/policy_rbac_admin/rule.json b/keystone-moon/etc/policies/policy_rbac_admin/rule.json new file mode 100644 index 00000000..c89ceff3 --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/rule.json @@ -0,0 +1,94 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "authz.subjects"], + ["root_role" , "read", "authz.objects"], + ["root_role" , "read", "authz.actions"], + ["root_role" , "read", "authz.subject_categories"], + ["root_role" , "read", "authz.object_categories"], + ["root_role" , "read", "authz.action_categories"], + ["root_role" , "read", "authz.subject_scopes"], + ["root_role" , "read", "authz.object_scopes"], + ["root_role" , "read", "authz.action_scopes"], + ["root_role" , "read", "authz.subject_assignments"], + ["root_role" , "read", "authz.object_assignments"], + ["root_role" , "read", "authz.action_assignments"], + ["root_role" , "read", "authz.aggregation_algorithm"], + ["root_role" , "read", "authz.sub_meta_rules"], + ["root_role" , "read", "authz.rules"], + ["root_role" , "write", "authz.subjects"], + ["root_role" , "write", "authz.objects"], + ["root_role" , "write", "authz.actions"], + ["root_role" , "write", "authz.subject_categories"], + ["root_role" , "write", "authz.object_categories"], + ["root_role" , "write", "authz.action_categories"], + ["root_role" , "write", "authz.subject_scopes"], + ["root_role" , "write", "authz.object_scopes"], + ["root_role" , "write", "authz.action_scopes"], + ["root_role" , "write", "authz.subject_assignments"], + ["root_role" , "write", "authz.object_assignments"], + ["root_role" , "write", "authz.action_assignments"], + ["root_role" , "write", "authz.aggregation_algorithm"], + ["root_role" , "write", "authz.sub_meta_rules"], + ["root_role" , "write", "authz.rules"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_scopes"], + ["root_role" , "read", "admin.object_scopes"], + ["root_role" , "read", "admin.action_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_scopes"], + ["root_role" , "write", "admin.object_scopes"], + ["root_role" , "write", "admin.action_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"], + ["dev_role" , "read", "authz.subjects"], + ["dev_role" , "read", "authz.objects"], + ["dev_role" , "read", "authz.actions"], + ["dev_role" , "read", "authz.subject_categories"], + ["dev_role" , "read", "authz.object_categories"], + ["dev_role" , "read", "authz.action_categories"], + ["dev_role" , "read", "authz.subject_scopes"], + ["dev_role" , "read", "authz.object_scopes"], + ["dev_role" , "read", "authz.action_scopes"], + ["dev_role" , "read", "authz.subject_assignments"], + ["dev_role" , "read", "authz.object_assignments"], + ["dev_role" , "read", "authz.action_assignments"], + ["dev_role" , "read", "authz.aggregation_algorithm"], + ["dev_role" , "read", "authz.sub_meta_rules"], + ["dev_role" , "read", "authz.rules"], + ["dev_role" , "read", "admin.subjects"], + ["dev_role" , "read", "admin.objects"], + ["dev_role" , "read", "admin.actions"], + ["dev_role" , "read", "admin.subject_categories"], + ["dev_role" , "read", "admin.object_categories"], + ["dev_role" , "read", "admin.action_categories"], + ["dev_role" , "read", "admin.subject_scopes"], + ["dev_role" , "read", "admin.object_scopes"], + ["dev_role" , "read", "admin.action_scopes"], + ["dev_role" , "read", "admin.subject_assignments"], + ["dev_role" , "read", "admin.object_assignments"], + ["dev_role" , "read", "admin.action_assignments"], + ["dev_role" , "read", "admin.aggregation_algorithm"], + ["dev_role" , "read", "admin.sub_meta_rules"], + ["dev_role" , "read", "admin.rules"] + ] +} diff --git a/keystone-moon/etc/policies/policy_rbac_admin/scope.json b/keystone-moon/etc/policies/policy_rbac_admin/scope.json new file mode 100644 index 00000000..149056a6 --- /dev/null +++ b/keystone-moon/etc/policies/policy_rbac_admin/scope.json @@ -0,0 +1,48 @@ +{ + "subject_scopes": { + "role": [ + "root_role", + "dev_role" + ] + }, + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + "object_scopes": { + "object_id": [ + "authz.subjects", + "authz.objects", + "authz.actions", + "authz.subject_categories", + "authz.object_categories", + "authz.action_categories", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", + "authz.subject_assignments", + "authz.object_assignments", + "authz.action_assignments", + "authz.aggregation_algorithm", + "authz.sub_meta_rules", + "authz.rules", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/keystone-moon/etc/policies/policy_root/assignment.json b/keystone-moon/etc/policies/policy_root/assignment.json new file mode 100644 index 00000000..e849ae13 --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/assignment.json @@ -0,0 +1,39 @@ +{ + "subject_assignments": { + "role": { + "admin": ["root_role"] + } + }, + + "action_assignments": { + "action_id": { + "read": ["read"], + "write": ["write"] + } + }, + + "object_assignments": { + "object_id": { + "templates": ["templates"], + "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"], + "aggregation_algorithms": ["aggregation_algorithms"], + "tenants": ["tenants"], + "intra_extensions": ["intra_extensions"], + "admin.subjects": ["admin.subjects"], + "admin.objects": ["admin.objects"], + "admin.actions": ["admin.actions"], + "admin.subject_categories": ["admin.subject_categories"], + "admin.object_categories": ["admin.object_categories"], + "admin.action_categories": ["admin.action_categories"], + "admin.subject_category_scopes": ["admin.subject_category_scopes"], + "admin.object_category_scopes": ["admin.object_category_scopes"], + "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_assignments": ["admin.subject_assignments"], + "admin.object_assignments": ["admin.object_assignments"], + "admin.action_assignments": ["admin.action_assignments"], + "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], + "admin.sub_meta_rules": ["admin.sub_meta_rules"], + "admin.rules": ["admin.rules"] + } + } +} diff --git a/keystone-moon/etc/policies/policy_root/metadata.json b/keystone-moon/etc/policies/policy_root/metadata.json new file mode 100644 index 00000000..3e4b0f28 --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/metadata.json @@ -0,0 +1,18 @@ +{ + "name": "Root Policy", + "model": "RBAC", + "genre": "admin", + "description": "root extension", + + "subject_categories": [ + "role" + ], + + "action_categories": [ + "action_id" + ], + + "object_categories": [ + "object_id" + ] +} diff --git a/keystone-moon/etc/policies/policy_root/metarule.json b/keystone-moon/etc/policies/policy_root/metarule.json new file mode 100644 index 00000000..86dbfad2 --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/metarule.json @@ -0,0 +1,12 @@ +{ + "sub_meta_rules": { + "rbac_rule": { + "subject_categories": ["role"], + "action_categories": ["action_id"], + "object_categories": ["object_id"], + "algorithm": "inclusion" + } + }, + "aggregation": "all_true" +} + diff --git a/keystone-moon/etc/policies/policy_root/perimeter.json b/keystone-moon/etc/policies/policy_root/perimeter.json new file mode 100644 index 00000000..788a27f2 --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/perimeter.json @@ -0,0 +1,31 @@ +{ + "subjects": [ + "admin" + ], + "actions": [ + "read", + "write" + ], + "objects": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] +} diff --git a/keystone-moon/etc/policies/policy_root/rule.json b/keystone-moon/etc/policies/policy_root/rule.json new file mode 100644 index 00000000..9bbd5e4c --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/rule.json @@ -0,0 +1,44 @@ +{ + "rbac_rule":[ + ["root_role" , "read", "templates"], + ["root_role" , "read", "aggregation_algorithms"], + ["root_role" , "read", "sub_meta_rule_algorithms"], + ["root_role" , "read", "tenants"], + ["root_role" , "read", "intra_extensions"], + ["root_role" , "write", "templates"], + ["root_role" , "write", "aggregation_algorithms"], + ["root_role" , "write", "sub_meta_rule_algorithms"], + ["root_role" , "write", "tenants"], + ["root_role" , "write", "intra_extensions"], + ["root_role" , "read", "admin.subjects"], + ["root_role" , "read", "admin.objects"], + ["root_role" , "read", "admin.actions"], + ["root_role" , "read", "admin.subject_categories"], + ["root_role" , "read", "admin.object_categories"], + ["root_role" , "read", "admin.action_categories"], + ["root_role" , "read", "admin.subject_category_scopes"], + ["root_role" , "read", "admin.object_category_scopes"], + ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_assignments"], + ["root_role" , "read", "admin.object_assignments"], + ["root_role" , "read", "admin.action_assignments"], + ["root_role" , "read", "admin.aggregation_algorithm"], + ["root_role" , "read", "admin.sub_meta_rules"], + ["root_role" , "read", "admin.rules"], + ["root_role" , "write", "admin.subjects"], + ["root_role" , "write", "admin.objects"], + ["root_role" , "write", "admin.actions"], + ["root_role" , "write", "admin.subject_categories"], + ["root_role" , "write", "admin.object_categories"], + ["root_role" , "write", "admin.action_categories"], + ["root_role" , "write", "admin.subject_category_scopes"], + ["root_role" , "write", "admin.object_category_scopes"], + ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_assignments"], + ["root_role" , "write", "admin.object_assignments"], + ["root_role" , "write", "admin.action_assignments"], + ["root_role" , "write", "admin.aggregation_algorithm"], + ["root_role" , "write", "admin.sub_meta_rules"], + ["root_role" , "write", "admin.rules"] + ] +} diff --git a/keystone-moon/etc/policies/policy_root/scope.json b/keystone-moon/etc/policies/policy_root/scope.json new file mode 100644 index 00000000..43f9ced8 --- /dev/null +++ b/keystone-moon/etc/policies/policy_root/scope.json @@ -0,0 +1,39 @@ +{ + "subject_scopes": { + "role": [ + "root_role" + ] + }, + + "action_scopes": { + "action_id": [ + "read", + "write" + ] + }, + + "object_scopes": { + "object_id": [ + "templates", + "aggregation_algorithms", + "sub_meta_rule_algorithms", + "tenants", + "intra_extensions", + "admin.subjects", + "admin.objects", + "admin.actions", + "admin.subject_categories", + "admin.object_categories", + "admin.action_categories", + "admin.subject_category_scopes", + "admin.object_category_scopes", + "admin.action_category_scopes", + "admin.subject_assignments", + "admin.object_assignments", + "admin.action_assignments", + "admin.aggregation_algorithm", + "admin.sub_meta_rules", + "admin.rules" + ] + } +} diff --git a/keystone-moon/examples/moon/__init__.py b/keystone-moon/examples/moon/__init__.py deleted file mode 100644 index 1b678d53..00000000 --- a/keystone-moon/examples/moon/__init__.py +++ /dev/null @@ -1,4 +0,0 @@ -# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors -# This software is distributed under the terms and conditions of the 'Apache-2.0' -# license which can be found in the file 'LICENSE' in this package distribution -# or at 'http://www.apache.org/licenses/LICENSE-2.0'. diff --git a/keystone-moon/examples/moon/policies/policy_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_authz/assignment.json deleted file mode 100644 index 7a6c722e..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/assignment.json +++ /dev/null @@ -1,55 +0,0 @@ -{ - "subject_assignments": { - "subject_security_level":{ - "admin": ["high"], - "demo": ["medium"] - }, - "domain":{ - "admin": ["ft"], - "demo": ["xx"] - }, - "role": { - "admin": ["admin"], - "demo": ["dev"] - } - }, - - "action_assignments": { - "resource_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"], - "list": ["vm_access", "vm_admin"], - "create": ["vm_admin"], - "storage_list": ["storage_access"], - "download": ["storage_access"], - "post": ["storage_admin"], - "upload": ["storage_admin"] - }, - "access": { - "pause": ["write"], - "unpause": ["write"], - "start": ["write"], - "stop": ["write"], - "list": ["read"], - "create": ["write"], - "storage_list": ["read"], - "download": ["read"], - "post": ["write"], - "upload": ["write"] - } - }, - - "object_assignments": { - "object_security_level": { - "servers": ["low"] - }, - "type": { - "servers": ["computing"] - }, - "object_id": { - "servers": ["servers"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_authz/metadata.json deleted file mode 100644 index d0db90db..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/metadata.json +++ /dev/null @@ -1,23 +0,0 @@ -{ - "name": "Multiple_Policy", - "model": "Multiple", - "genre": "authz", - "description": "Multiple Security Policies", - - "subject_categories": [ - "subject_security_level", - "domain", - "role" - ], - - "action_categories": [ - "resource_action", - "access" - ], - - "object_categories": [ - "object_security_level", - "type", - "object_id" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_authz/metarule.json deleted file mode 100644 index c9afd6c2..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/metarule.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": ["subject_security_level"], - "action_categories": ["resource_action"], - "object_categories": ["object_security_level"], - "algorithm": "inclusion" - }, - "dte_rule": { - "subject_categories": ["domain"], - "action_categories": ["access"], - "object_categories": ["type"], - "algorithm": "inclusion" - }, - "rbac_rule": { - "subject_categories": ["role", "domain"], - "action_categories": ["access"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_authz/perimeter.json deleted file mode 100644 index 47a8ee45..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/perimeter.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "pause", - "unpause", - "start", - "stop", - "create", - "list", - "upload", - "download", - "post", - "storage_list" - ], - "objects": [ - "servers" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_authz/rule.json b/keystone-moon/examples/moon/policies/policy_authz/rule.json deleted file mode 100644 index 25f9d93a..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/rule.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "mls_rule":[ - ["high", "vm_admin", "medium"], - ["high", "vm_admin", "low"], - ["medium", "vm_admin", "low"], - ["high", "vm_access", "high"], - ["high", "vm_access", "medium"], - ["high", "vm_access", "low"], - ["medium", "vm_access", "medium"], - ["medium", "vm_access", "low"], - ["low", "vm_access", "low"] - ], - "dte_rule":[ - ["ft", "read", "computing"], - ["ft", "write", "computing"], - ["ft", "read", "storage"], - ["ft", "write", "storage"], - ["xx", "read", "storage"] - ], - "rbac_rule":[ - ["dev", "xx", "read", "servers"], - ["admin", "xx", "read", "servers"], - ["admin", "ft", "read", "servers"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_authz/scope.json b/keystone-moon/examples/moon/policies/policy_authz/scope.json deleted file mode 100644 index 9b313daf..00000000 --- a/keystone-moon/examples/moon/policies/policy_authz/scope.json +++ /dev/null @@ -1,49 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "admin", - "dev" - ], - "subject_security_level": [ - "high", - "medium", - "low" - ], - "domain": [ - "ft", - "xx" - ] - }, - - "action_scopes": { - "resource_action": [ - "vm_admin", - "vm_access", - "storage_admin", - "storage_access" - ], - "access": [ - "write", - "read" - ] - }, - - "object_scopes": { - "object_security_level": [ - "high", - "medium", - "low" - ], - "type": [ - "computing", - "storage" - ], - "object_id": [ - "servers", - "vm1", - "vm2", - "file1", - "file2" - ] - } -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json deleted file mode 100644 index 24018a09..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/assignment.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_assignments": {}, - - "action_assignments": {}, - - "object_assignments": {} -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json deleted file mode 100644 index 3c9be2e5..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/metadata.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "Empty_Policy", - "model": "", - "genre": "admin", - "description": "Empty Policy", - - "subject_categories": [], - - "action_categories": [], - - "object_categories": [] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json deleted file mode 100644 index 7acd8848..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": [], - "action_categories": [], - "object_categories": [], - "algorithm": "" - } - }, - "aggregation": "" -} - diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json deleted file mode 100644 index 54dbfc31..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/perimeter.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subjects": [], - "actions": [ - "read", - "write" - ], - "objects": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json b/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json deleted file mode 100644 index fe4fae5a..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/rule.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mls_rule":[] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json b/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json deleted file mode 100644 index 1efebe6f..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_admin/scope.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_scopes": {}, - - "action_scopes": {}, - - "object_scopes": {} -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json deleted file mode 100644 index 24018a09..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/assignment.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_assignments": {}, - - "action_assignments": {}, - - "object_assignments": {} -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json deleted file mode 100644 index 4f300d78..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/metadata.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "name": "MLS_Policy", - "model": "MLS", - "genre": "authz", - "description": "Multi Level Security Policy", - - "subject_categories": [], - - "action_categories": [], - - "object_categories": [] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json deleted file mode 100644 index 7acd8848..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": [], - "action_categories": [], - "object_categories": [], - "algorithm": "" - } - }, - "aggregation": "" -} - diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json deleted file mode 100644 index 9da8a8c0..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/perimeter.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "subjects": [], - "actions": [], - "objects": [] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json b/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json deleted file mode 100644 index fe4fae5a..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/rule.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mls_rule":[] -} diff --git a/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json b/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json deleted file mode 100644 index 1efebe6f..00000000 --- a/keystone-moon/examples/moon/policies/policy_empty_authz/scope.json +++ /dev/null @@ -1,7 +0,0 @@ -{ - "subject_scopes": {}, - - "action_scopes": {}, - - "object_scopes": {} -} diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json deleted file mode 100644 index 0712dfbc..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json +++ /dev/null @@ -1,29 +0,0 @@ -{ - "subject_assignments": { - "subject_security_level":{ - "admin": ["high"], - "demo": ["medium"] - } - }, - - "action_assignments": { - "resource_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"], - "list": ["vm_access", "vm_admin"], - "create": ["vm_admin"], - "storage_list": ["storage_access"], - "download": ["storage_access"], - "post": ["storage_admin"], - "upload": ["storage_admin"] - } - }, - - "object_assignments": { - "object_security_level": { - "servers": ["low"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json deleted file mode 100644 index c419c815..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "MLS_Policy", - "model": "MLS", - "genre": "authz", - "description": "Multi Level Security Policy", - - "subject_categories": [ - "subject_security_level" - ], - - "action_categories": [ - "resource_action" - ], - - "object_categories": [ - "object_security_level" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json deleted file mode 100644 index e068927c..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "mls_rule": { - "subject_categories": ["subject_security_level"], - "action_categories": ["resource_action"], - "object_categories": ["object_security_level"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json deleted file mode 100644 index 47a8ee45..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json +++ /dev/null @@ -1,21 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "pause", - "unpause", - "start", - "stop", - "create", - "list", - "upload", - "download", - "post", - "storage_list" - ], - "objects": [ - "servers" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json deleted file mode 100644 index b17dc822..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json +++ /dev/null @@ -1,16 +0,0 @@ -{ - "mls_rule":[ - ["high", "vm_admin", "medium"], - ["high", "vm_admin", "low"], - ["medium", "vm_admin", "low"], - ["high", "vm_access", "medium"], - ["high", "vm_access", "low"], - ["medium", "vm_access", "low"], - ["high", "storage_admin", "medium"], - ["high", "storage_admin", "low"], - ["medium", "storage_admin", "low"], - ["high", "storage_access", "medium"], - ["high", "storage_access", "low"], - ["medium", "storage_access", "low"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json deleted file mode 100644 index 6cc1c28e..00000000 --- a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json +++ /dev/null @@ -1,26 +0,0 @@ -{ - "subject_scopes": { - "subject_security_level": [ - "high", - "medium", - "low" - ] - }, - - "action_scopes": { - "resource_action": [ - "vm_admin", - "vm_access", - "storage_admin", - "storage_access" - ] - }, - - "object_scopes": { - "object_security_level": [ - "high", - "medium", - "low" - ] - } -} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json deleted file mode 100644 index f2378333..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "subject_assignments": { - "role": { - "admin": ["root_role"], - "demo": ["dev_role"] - } - }, - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - "object_assignments": { - "object_id": { - "authz.subjects": ["authz.subjects"], - "authz.objects": ["authz.objects"], - "authz.actions": ["authz.actions"], - "authz.subject_categories": ["authz.subject_categories"], - "authz.object_categories": ["authz.object_categories"], - "authz.action_categories": ["authz.action_categories"], - "authz.subject_scopes": ["authz.subject_scopes"], - "authz.object_scopes": ["authz.object_scopes"], - "authz.action_scopes": ["authz.action_scopes"], - "authz.subject_assignments": ["authz.subject_assignments"], - "authz.object_assignments": ["authz.object_assignments"], - "authz.action_assignments": ["authz.action_assignments"], - "authz.aggregation_algorithm": ["authz.aggregation_algorithm"], - "authz.sub_meta_rules": ["authz.sub_meta_rules"], - "authz.rules": ["authz.rules"], - "admin.subjects": ["admin.subjects"], - "admin.objects": ["admin.objects"], - "admin.actions": ["admin.actions"], - "admin.subject_categories": ["admin.subject_categories"], - "admin.object_categories": ["admin.object_categories"], - "admin.action_categories": ["admin.action_categories"], - "admin.subject_scopes": ["admin.subject_scopes"], - "admin.object_scopes": ["admin.object_scopes"], - "admin.action_scopes": ["admin.action_scopes"], - "admin.subject_assignments": ["admin.subject_assignments"], - "admin.object_assignments": ["admin.object_assignments"], - "admin.action_assignments": ["admin.action_assignments"], - "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], - "admin.sub_meta_rules": ["admin.sub_meta_rules"], - "admin.rules": ["admin.rules"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json deleted file mode 100644 index 9ee8a11d..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "RBAC Admin Policy", - "model": "RBAC", - "genre": "admin", - "description": "", - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json deleted file mode 100644 index 1155533e..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json +++ /dev/null @@ -1,42 +0,0 @@ -{ - "subjects": [ - "admin", - "demo" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json deleted file mode 100644 index c89ceff3..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json +++ /dev/null @@ -1,94 +0,0 @@ -{ - "rbac_rule":[ - ["root_role" , "read", "authz.subjects"], - ["root_role" , "read", "authz.objects"], - ["root_role" , "read", "authz.actions"], - ["root_role" , "read", "authz.subject_categories"], - ["root_role" , "read", "authz.object_categories"], - ["root_role" , "read", "authz.action_categories"], - ["root_role" , "read", "authz.subject_scopes"], - ["root_role" , "read", "authz.object_scopes"], - ["root_role" , "read", "authz.action_scopes"], - ["root_role" , "read", "authz.subject_assignments"], - ["root_role" , "read", "authz.object_assignments"], - ["root_role" , "read", "authz.action_assignments"], - ["root_role" , "read", "authz.aggregation_algorithm"], - ["root_role" , "read", "authz.sub_meta_rules"], - ["root_role" , "read", "authz.rules"], - ["root_role" , "write", "authz.subjects"], - ["root_role" , "write", "authz.objects"], - ["root_role" , "write", "authz.actions"], - ["root_role" , "write", "authz.subject_categories"], - ["root_role" , "write", "authz.object_categories"], - ["root_role" , "write", "authz.action_categories"], - ["root_role" , "write", "authz.subject_scopes"], - ["root_role" , "write", "authz.object_scopes"], - ["root_role" , "write", "authz.action_scopes"], - ["root_role" , "write", "authz.subject_assignments"], - ["root_role" , "write", "authz.object_assignments"], - ["root_role" , "write", "authz.action_assignments"], - ["root_role" , "write", "authz.aggregation_algorithm"], - ["root_role" , "write", "authz.sub_meta_rules"], - ["root_role" , "write", "authz.rules"], - ["root_role" , "read", "admin.subjects"], - ["root_role" , "read", "admin.objects"], - ["root_role" , "read", "admin.actions"], - ["root_role" , "read", "admin.subject_categories"], - ["root_role" , "read", "admin.object_categories"], - ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_scopes"], - ["root_role" , "read", "admin.object_scopes"], - ["root_role" , "read", "admin.action_scopes"], - ["root_role" , "read", "admin.subject_assignments"], - ["root_role" , "read", "admin.object_assignments"], - ["root_role" , "read", "admin.action_assignments"], - ["root_role" , "read", "admin.aggregation_algorithm"], - ["root_role" , "read", "admin.sub_meta_rules"], - ["root_role" , "read", "admin.rules"], - ["root_role" , "write", "admin.subjects"], - ["root_role" , "write", "admin.objects"], - ["root_role" , "write", "admin.actions"], - ["root_role" , "write", "admin.subject_categories"], - ["root_role" , "write", "admin.object_categories"], - ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_scopes"], - ["root_role" , "write", "admin.object_scopes"], - ["root_role" , "write", "admin.action_scopes"], - ["root_role" , "write", "admin.subject_assignments"], - ["root_role" , "write", "admin.object_assignments"], - ["root_role" , "write", "admin.action_assignments"], - ["root_role" , "write", "admin.aggregation_algorithm"], - ["root_role" , "write", "admin.sub_meta_rules"], - ["root_role" , "write", "admin.rules"], - ["dev_role" , "read", "authz.subjects"], - ["dev_role" , "read", "authz.objects"], - ["dev_role" , "read", "authz.actions"], - ["dev_role" , "read", "authz.subject_categories"], - ["dev_role" , "read", "authz.object_categories"], - ["dev_role" , "read", "authz.action_categories"], - ["dev_role" , "read", "authz.subject_scopes"], - ["dev_role" , "read", "authz.object_scopes"], - ["dev_role" , "read", "authz.action_scopes"], - ["dev_role" , "read", "authz.subject_assignments"], - ["dev_role" , "read", "authz.object_assignments"], - ["dev_role" , "read", "authz.action_assignments"], - ["dev_role" , "read", "authz.aggregation_algorithm"], - ["dev_role" , "read", "authz.sub_meta_rules"], - ["dev_role" , "read", "authz.rules"], - ["dev_role" , "read", "admin.subjects"], - ["dev_role" , "read", "admin.objects"], - ["dev_role" , "read", "admin.actions"], - ["dev_role" , "read", "admin.subject_categories"], - ["dev_role" , "read", "admin.object_categories"], - ["dev_role" , "read", "admin.action_categories"], - ["dev_role" , "read", "admin.subject_scopes"], - ["dev_role" , "read", "admin.object_scopes"], - ["dev_role" , "read", "admin.action_scopes"], - ["dev_role" , "read", "admin.subject_assignments"], - ["dev_role" , "read", "admin.object_assignments"], - ["dev_role" , "read", "admin.action_assignments"], - ["dev_role" , "read", "admin.aggregation_algorithm"], - ["dev_role" , "read", "admin.sub_meta_rules"], - ["dev_role" , "read", "admin.rules"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json b/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json deleted file mode 100644 index 149056a6..00000000 --- a/keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json +++ /dev/null @@ -1,48 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "root_role", - "dev_role" - ] - }, - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - "object_scopes": { - "object_id": [ - "authz.subjects", - "authz.objects", - "authz.actions", - "authz.subject_categories", - "authz.object_categories", - "authz.action_categories", - "authz.subject_scopes", - "authz.object_scopes", - "authz.action_scopes", - "authz.subject_assignments", - "authz.object_assignments", - "authz.action_assignments", - "authz.aggregation_algorithm", - "authz.sub_meta_rules", - "authz.rules", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_scopes", - "admin.object_scopes", - "admin.action_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] - } -} diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json deleted file mode 100644 index e849ae13..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/assignment.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subject_assignments": { - "role": { - "admin": ["root_role"] - } - }, - - "action_assignments": { - "action_id": { - "read": ["read"], - "write": ["write"] - } - }, - - "object_assignments": { - "object_id": { - "templates": ["templates"], - "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"], - "aggregation_algorithms": ["aggregation_algorithms"], - "tenants": ["tenants"], - "intra_extensions": ["intra_extensions"], - "admin.subjects": ["admin.subjects"], - "admin.objects": ["admin.objects"], - "admin.actions": ["admin.actions"], - "admin.subject_categories": ["admin.subject_categories"], - "admin.object_categories": ["admin.object_categories"], - "admin.action_categories": ["admin.action_categories"], - "admin.subject_category_scopes": ["admin.subject_category_scopes"], - "admin.object_category_scopes": ["admin.object_category_scopes"], - "admin.action_category_scopes": ["admin.action_category_scopes"], - "admin.subject_assignments": ["admin.subject_assignments"], - "admin.object_assignments": ["admin.object_assignments"], - "admin.action_assignments": ["admin.action_assignments"], - "admin.aggregation_algorithm": ["admin.aggregation_algorithm"], - "admin.sub_meta_rules": ["admin.sub_meta_rules"], - "admin.rules": ["admin.rules"] - } - } -} diff --git a/keystone-moon/examples/moon/policies/policy_root/metadata.json b/keystone-moon/examples/moon/policies/policy_root/metadata.json deleted file mode 100644 index 3e4b0f28..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/metadata.json +++ /dev/null @@ -1,18 +0,0 @@ -{ - "name": "Root Policy", - "model": "RBAC", - "genre": "admin", - "description": "root extension", - - "subject_categories": [ - "role" - ], - - "action_categories": [ - "action_id" - ], - - "object_categories": [ - "object_id" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_root/metarule.json b/keystone-moon/examples/moon/policies/policy_root/metarule.json deleted file mode 100644 index 86dbfad2..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/metarule.json +++ /dev/null @@ -1,12 +0,0 @@ -{ - "sub_meta_rules": { - "rbac_rule": { - "subject_categories": ["role"], - "action_categories": ["action_id"], - "object_categories": ["object_id"], - "algorithm": "inclusion" - } - }, - "aggregation": "all_true" -} - diff --git a/keystone-moon/examples/moon/policies/policy_root/perimeter.json b/keystone-moon/examples/moon/policies/policy_root/perimeter.json deleted file mode 100644 index 788a27f2..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/perimeter.json +++ /dev/null @@ -1,31 +0,0 @@ -{ - "subjects": [ - "admin" - ], - "actions": [ - "read", - "write" - ], - "objects": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_root/rule.json b/keystone-moon/examples/moon/policies/policy_root/rule.json deleted file mode 100644 index 9bbd5e4c..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/rule.json +++ /dev/null @@ -1,44 +0,0 @@ -{ - "rbac_rule":[ - ["root_role" , "read", "templates"], - ["root_role" , "read", "aggregation_algorithms"], - ["root_role" , "read", "sub_meta_rule_algorithms"], - ["root_role" , "read", "tenants"], - ["root_role" , "read", "intra_extensions"], - ["root_role" , "write", "templates"], - ["root_role" , "write", "aggregation_algorithms"], - ["root_role" , "write", "sub_meta_rule_algorithms"], - ["root_role" , "write", "tenants"], - ["root_role" , "write", "intra_extensions"], - ["root_role" , "read", "admin.subjects"], - ["root_role" , "read", "admin.objects"], - ["root_role" , "read", "admin.actions"], - ["root_role" , "read", "admin.subject_categories"], - ["root_role" , "read", "admin.object_categories"], - ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_category_scopes"], - ["root_role" , "read", "admin.object_category_scopes"], - ["root_role" , "read", "admin.action_category_scopes"], - ["root_role" , "read", "admin.subject_assignments"], - ["root_role" , "read", "admin.object_assignments"], - ["root_role" , "read", "admin.action_assignments"], - ["root_role" , "read", "admin.aggregation_algorithm"], - ["root_role" , "read", "admin.sub_meta_rules"], - ["root_role" , "read", "admin.rules"], - ["root_role" , "write", "admin.subjects"], - ["root_role" , "write", "admin.objects"], - ["root_role" , "write", "admin.actions"], - ["root_role" , "write", "admin.subject_categories"], - ["root_role" , "write", "admin.object_categories"], - ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_category_scopes"], - ["root_role" , "write", "admin.object_category_scopes"], - ["root_role" , "write", "admin.action_category_scopes"], - ["root_role" , "write", "admin.subject_assignments"], - ["root_role" , "write", "admin.object_assignments"], - ["root_role" , "write", "admin.action_assignments"], - ["root_role" , "write", "admin.aggregation_algorithm"], - ["root_role" , "write", "admin.sub_meta_rules"], - ["root_role" , "write", "admin.rules"] - ] -} diff --git a/keystone-moon/examples/moon/policies/policy_root/scope.json b/keystone-moon/examples/moon/policies/policy_root/scope.json deleted file mode 100644 index 43f9ced8..00000000 --- a/keystone-moon/examples/moon/policies/policy_root/scope.json +++ /dev/null @@ -1,39 +0,0 @@ -{ - "subject_scopes": { - "role": [ - "root_role" - ] - }, - - "action_scopes": { - "action_id": [ - "read", - "write" - ] - }, - - "object_scopes": { - "object_id": [ - "templates", - "aggregation_algorithms", - "sub_meta_rule_algorithms", - "tenants", - "intra_extensions", - "admin.subjects", - "admin.objects", - "admin.actions", - "admin.subject_categories", - "admin.object_categories", - "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", - "admin.subject_assignments", - "admin.object_assignments", - "admin.action_assignments", - "admin.aggregation_algorithm", - "admin.sub_meta_rules", - "admin.rules" - ] - } -} -- cgit 1.2.3-korg