From aa70ec0095fbfdb535c21599aec4c7f3215b3ba6 Mon Sep 17 00:00:00 2001
From: WuKong
Date: Wed, 1 Jul 2015 11:08:04 +0200
Subject: create a sub-dir for moon's doc
Change-Id: I06b66843f4bef550c6312a5f668f47d6861d6369
Signed-off-by: WuKong
---
keystone-moon/doc/source/extensions/moon.rst | 145 -----
keystone-moon/doc/source/extensions/moon/moon.rst | 145 +++++
.../doc/source/extensions/moon/moon_api.rst | 628 +++++++++++++++++++++
keystone-moon/doc/source/extensions/moon_api.rst | 628 ---------------------
4 files changed, 773 insertions(+), 773 deletions(-)
delete mode 100644 keystone-moon/doc/source/extensions/moon.rst
create mode 100644 keystone-moon/doc/source/extensions/moon/moon.rst
create mode 100644 keystone-moon/doc/source/extensions/moon/moon_api.rst
delete mode 100644 keystone-moon/doc/source/extensions/moon_api.rst
(limited to 'keystone-moon')
diff --git a/keystone-moon/doc/source/extensions/moon.rst b/keystone-moon/doc/source/extensions/moon.rst
deleted file mode 100644
index fc862675..00000000
--- a/keystone-moon/doc/source/extensions/moon.rst
+++ /dev/null
@@ -1,145 +0,0 @@ -.. - Copyright 2015 Orange - All Rights Reserved. - - Licensed under the Apache License, Version 2.0 (the "License"); you may - not use this file except in compliance with the License. You may obtain - a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -============ -Moon backend -============ - -Before doing anything, you must test your installation and check that your infrastructure is working. -For example, check that you can create new virtual machines with admin and demo login. - -Configuration -------------- - -Moon is a contribute backend so you have to enable it by modifying /etc/keystone/keystone-paste.ini, like this: - -.. code-block:: ini - - [filter:moon] - paste.filter_factory = keystone.contrib.moon.routers:Admin.factory - - ... - - [pipeline:public_api] - # The last item in this pipeline must be public_service or an equivalent - # application. It cannot be a filter. - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension moon public_service - - [pipeline:admin_api] - # The last item in this pipeline must be admin_service or an equivalent - # application. It cannot be a filter. - pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension moon admin_service - - [pipeline:api_v3] - # The last item in this pipeline must be service_v3 or an equivalent - # application. It cannot be a filter. 
- pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension moon service_v3 - - ... - -You must modify /etc/keystone/keystone.conf as you need (see at the end of the file) and copy the following directories: - -.. code-block:: sh - - cp -R /opt/stack/keystone/examples/moon/policies/ /etc/keystone/ - cp -R /opt/stack/keystone/examples/moon/super_extension/ /etc/keystone/ - -You can now update the Keystone database and create the directory for logs and restart the Keystone service: - -.. code-block:: sh - - cd /opt/stack/keystone - ./bin/keystone-manage db_sync --extension moon - sudo mkdir /var/log/moon/ - sudo chown vagrant /var/log/moon/ - sudo service apache2 restart - -You have to install our version of keystonemiddleware https://github.com/rebirthmonkey/keystonemiddleware : - -.. code-block:: sh - - cd - git clone https://github.com/rebirthmonkey/keystonemiddleware.git - cd keystonemiddleware - sudo python setup.py install - -At this time, the only method to configure Moon is to use the python-moonclient which is a console based client: - -.. code-block:: sh - - cd - git clone https://github.com/rebirthmonkey/moonclient.git - cd moonclient - sudo python setup.py install - -If afterwards, you have some problem restarting nova-api, try removing the package python-six: - -.. code-block:: sh - - sudo apt-get remove python-six - - -Nova must be configured to send request to Keystone, you have to modify /etc/nova/api-paste.ini : - -.. code-block:: ini - - ... 
- - [composite:openstack_compute_api_v2] - use = call:nova.api.auth:pipeline_factory - noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 - noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2 - keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon ratelimit osapi_compute_app_v2 - keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v2 - - [composite:openstack_compute_api_v21] - use = call:nova.api.auth:pipeline_factory_v21 - noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21 - noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21 - keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v21 - - [composite:openstack_compute_api_v3] - use = call:nova.api.auth:pipeline_factory_v21 - noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 - noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3 - keystone = request_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v3 - - ... - - [filter:moon] - paste.filter_factory = keystonemiddleware.authz:filter_factory - -If Swift is also installed, you have to configured it, in /etc/swift/proxy-server.conf : - -.. code-block:: ini - - ... - - [pipeline:main] - pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit crossdomain authtoken keystoneauth tempauth formpost staticweb container-quotas account-quotas slo dlo proxy-logging moon proxy-server - - ... - - [filter:moon] - paste.filter_factory = keystonemiddleware.authz:filter_factory - -Nova and Swift must be restarted after that, depending on your configuration, you will have to use 'screen' (if using devstack) -or 'service' on those daemons : nova-api and swift-proxy - -Usage ------ - -TODO \ No newline at end of file 
diff --git a/keystone-moon/doc/source/extensions/moon/moon.rst b/keystone-moon/doc/source/extensions/moon/moon.rst
new file mode 100644
index 00000000..fc862675
--- /dev/null
+++ b/keystone-moon/doc/source/extensions/moon/moon.rst
@@ -0,0 +1,145 @@
+..
+ Copyright 2015 Orange
+ All Rights Reserved.
+
+ Licensed under the Apache License, Version 2.0 (the "License"); you may
+ not use this file except in compliance with the License. You may obtain
+ a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ License for the specific language governing permissions and limitations
+ under the License.
+
+============
+Moon backend
+============
+
+Before doing anything, you must test your installation and check that your infrastructure is working.
+For example, check that you can create new virtual machines with admin and demo login.
+
+Configuration
+-------------
+
+Moon is a contribute backend so you have to enable it by modifying /etc/keystone/keystone-paste.ini, like this:
+
+.. code-block:: ini
+
+ [filter:moon]
+ paste.filter_factory = keystone.contrib.moon.routers:Admin.factory
+
+ ...
+
+ [pipeline:public_api]
+ # The last item in this pipeline must be public_service or an equivalent
+ # application. It cannot be a filter.
+ pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension moon public_service
+
+ [pipeline:admin_api]
+ # The last item in this pipeline must be admin_service or an equivalent
+ # application. It cannot be a filter.
+ pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension moon admin_service
+
+ [pipeline:api_v3]
+ # The last item in this pipeline must be service_v3 or an equivalent
+ # application. It cannot be a filter.
+ pipeline = sizelimit url_normalize build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension moon service_v3
+
+ ...
+
+You must modify /etc/keystone/keystone.conf as you need (see at the end of the file) and copy the following directories:
+
+.. code-block:: sh
+
+ cp -R /opt/stack/keystone/examples/moon/policies/ /etc/keystone/
+ cp -R /opt/stack/keystone/examples/moon/super_extension/ /etc/keystone/
+
+You can now update the Keystone database and create the directory for logs and restart the Keystone service:
+
+.. code-block:: sh
+
+ cd /opt/stack/keystone
+ ./bin/keystone-manage db_sync --extension moon
+ sudo mkdir /var/log/moon/
+ sudo chown vagrant /var/log/moon/
+ sudo service apache2 restart
+
+You have to install our version of keystonemiddleware https://github.com/rebirthmonkey/keystonemiddleware :
+
+.. code-block:: sh
+
+ cd
+ git clone https://github.com/rebirthmonkey/keystonemiddleware.git
+ cd keystonemiddleware
+ sudo python setup.py install
+
+At this time, the only method to configure Moon is to use the python-moonclient which is a console based client:
+
+.. code-block:: sh
+
+ cd
+ git clone https://github.com/rebirthmonkey/moonclient.git
+ cd moonclient
+ sudo python setup.py install
+
+If afterwards, you have some problem restarting nova-api, try removing the package python-six:
+
+.. code-block:: sh
+
+ sudo apt-get remove python-six
+
+
+Nova must be configured to send request to Keystone, you have to modify /etc/nova/api-paste.ini :
+
+.. code-block:: ini
+
+ ...
+
+ [composite:openstack_compute_api_v2]
+ use = call:nova.api.auth:pipeline_factory
+ noauth = compute_req_id faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
+ noauth2 = compute_req_id faultwrap sizelimit noauth2 ratelimit osapi_compute_app_v2
+ keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon ratelimit osapi_compute_app_v2
+ keystone_nolimit = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v2
+
+ [composite:openstack_compute_api_v21]
+ use = call:nova.api.auth:pipeline_factory_v21
+ noauth = compute_req_id faultwrap sizelimit noauth osapi_compute_app_v21
+ noauth2 = compute_req_id faultwrap sizelimit noauth2 osapi_compute_app_v21
+ keystone = compute_req_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v21
+
+ [composite:openstack_compute_api_v3]
+ use = call:nova.api.auth:pipeline_factory_v21
+ noauth = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
+ noauth2 = request_id faultwrap sizelimit noauth_v3 osapi_compute_app_v3
+ keystone = request_id faultwrap sizelimit authtoken keystonecontext moon osapi_compute_app_v3
+
+ ...
+
+ [filter:moon]
+ paste.filter_factory = keystonemiddleware.authz:filter_factory
+
+If Swift is also installed, you have to configured it, in /etc/swift/proxy-server.conf :
+
+.. code-block:: ini
+
+ ...
+
+ [pipeline:main]
+ pipeline = catch_errors gatekeeper healthcheck proxy-logging cache container_sync bulk tempurl ratelimit crossdomain authtoken keystoneauth tempauth formpost staticweb container-quotas account-quotas slo dlo proxy-logging moon proxy-server
+
+ ...
+
+ [filter:moon]
+ paste.filter_factory = keystonemiddleware.authz:filter_factory
+
+Nova and Swift must be restarted after that, depending on your configuration, you will have to use 'screen' (if using devstack)
+or 'service' on those daemons : nova-api and swift-proxy
+
+Usage
+-----
+
+TODO
\ No newline at end of file
diff --git a/keystone-moon/doc/source/extensions/moon/moon_api.rst b/keystone-moon/doc/source/extensions/moon/moon_api.rst
new file mode 100644
index 00000000..1f7ad10b
--- /dev/null
+++ b/keystone-moon/doc/source/extensions/moon/moon_api.rst
@@ -0,0 +1,628 @@ +Moon API +======== + +Here are Moon API with some examples of posted data and returned data. + +Intra-Extension API +------------------- + +Authz +~~~~~ + +* ``GET /OS-MOON/authz/{tenant_id}/{subject_id}/{object_id}/{action_id}`` + +.. code-block:: json + + return = { + "authz": "OK/KO/OutOfScope", + "tenant_id": "tenant_id", + "subject_id": "subject_id", + "object_id": "object_id", + "action_id": "action_id" + } + +Intra_Extension +~~~~~~~~~~~~~~~ + +* ``GET /OS-MOON/authz_policies`` + +.. code-block:: json + + return = { + "authz_policies": ["policy_name1", "policy_name2"] + } + +* ``GET /OS-MOON/intra_extensions`` + +.. code-block:: json + + return = { + "intra_extensions": ["ie_uuid1", "ie_uuid2"] + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}`` + +.. code-block:: json + + return = { + "intra_extensions": { + "id": "uuid1", + "description": "", + "tenant": "tenant_uuid", + "model": "", + "genre": "", + "authz": {}, + "admin": {} + } + } + +* ``POST /OS-MOON/intra_extensions`` + +.. code-block:: json + + post = { + "name" : "", + "policymodel": "", + "description": "" + } + return = { + "id": "uuid1", + "description": "", + "tenant": "tenant_uuid", + "model": "", + "genre": "", + "authz": {}, + "admin": {} + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` + +.. code-block:: json + + return = { + "tenant": "tenant_id" + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` + +.. code-block:: json + + post = { + "tenant_id": "tenant_id" + } + return = { + "tenant": "tenant_id" + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/tenant/{tenant_id}`` + +Perimeter +~~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` + +.. code-block:: json + + return = { + "subjects": ["sub_uuid1", "sub_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` + +.. 
code-block:: json + + post = { + "subject_id" : "" + } + return = { + "subjects": ["sub_uuid1", "sub_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject/{subject_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` + +.. code-block:: json + + return = { + "objects": ["obj_uuid1", "obj_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` + +.. code-block:: json + + post = { + "object_id" : "" + } + return = { + "objects": ["obj_uuid1", "obj_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object/{object_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` + +.. code-block:: json + + return = { + "actions": ["act_uuid1", "act_uuid2"] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` + +.. code-block:: json + + post = { + "action_id" : "" + } + return = { + "actions": ["act_uuid1", "act_uuid2"] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/actions/{action_id}`` + +Assignment +~~~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` + +.. code-block:: json + + return = { + "subject_assignments": { + "subject_security_level":{ + "user1": ["low"], + "user2": ["medium"], + "user3": ["high"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` + +.. code-block:: json + + post = { + "subject_id" : "", + "subject_category_id" : "", + "subject_category_scope_id" : "" + } + return = { + "subject_assignments": { + "subject_security_level":{ + "user1": ["low"], + "user2": ["medium"], + "user3": ["high"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments/{subject_category}/{subject_id}/{subject_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` + +.. 
code-block:: json + + return = { + "object_assignments": { + "object_security_level":{ + "vm1": ["low"], + "vm2": ["medium"], + "vm3": ["high"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` + +.. code-block:: json + + post = { + "object_id" : "", + "object_category_id" : "", + "object_category_scope_id" : "" + } + return = { + "object_assignments": { + "object_security_level":{ + "vm1": ["low"], + "vm2": ["medium"], + "vm3": ["high"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments/{object_category}/{object_id}/{object_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` + +.. code-block:: json + + return = { + "action_assignments": { + "computing_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` + +.. code-block:: json + + post = { + "action_id" : "", + "action_category_id" : "", + "action_category_scope_id" : "" + } + return = { + "action_assignments": { + "computing_action":{ + "pause": ["vm_admin"], + "unpause": ["vm_admin"], + "start": ["vm_admin"], + "stop": ["vm_admin"] + } + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments/{action_category}/{action_id}/{action_scope}`` + +Metadata +~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` + +.. code-block:: json + + return = { + "subject_categories": [ "subject_security_level" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` + +.. 
code-block:: json + + post = { + "subject_category_id" : "" + } + return = { + "subject_categories": [ "subject_security_level" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories/{subject_category_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` + +.. code-block:: json + + return = { + "object_categories": [ "object_security_level" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` + +.. code-block:: json + + post = { + "object_category_id" : "" + } + return = { + "object_categories": [ "object_security_level" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories/{object_category_id}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` + +.. code-block:: json + + return = { + "action_categories": [ "computing_action" ] + } + + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` + +.. code-block:: json + + post = { + "action_category_id" : "" + } + return = { + "action_categories": [ "computing_action" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories/{action_category_id}`` + +Scope +~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` + +.. code-block:: json + + return = { + "subject_security_level": [ "high", "medium", "low" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` + +.. code-block:: json + + post = { + "subject_category_id" : "", + "subject_category_scope_id" : "" + } + return = { + "subject_security_level": [ "high", "medium", "low" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope/{subject_category}/{subject_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope`` + +.. 
code-block:: json + + return = { + "object_security_level": [ "high", "medium", "low" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope`` + +.. code-block:: json + + post = { + "object_category_id" : "", + "object_category_scope_id" : "" + } + return = { + "object_security_level": [ "high", "medium", "low" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope/{object_category}/{object_scope}`` + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope`` + +.. code-block:: json + + return = { + "computing_action": [ "vm_admin", "vm_access" ] + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope`` + +.. code-block:: json + + post = { + "action_id" : "", + "action_category_id" : "", + "action_category_scope_id" : "" + } + return = { + "computing_action": [ "vm_admin", "vm_access" ] + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope/{action_category}/{action_scope}`` + +Metarule +~~~~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithms`` + +.. code-block:: json + + return = { + "aggregation_algorithms": [ "and_true_aggregation", "..."] + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm`` + +.. code-block:: json + + return = { + "aggregation_algorithm": "and_true_aggregation" + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm`` + +.. code-block:: json + + post = { + "aggregation": "and_true_aggregation" + } + return = { + "aggregation_algorithm": "and_true_aggregation" + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule`` + +.. 
code-block:: json + + return = { + "sub_meta_rule": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + "relation": "relation_super" + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule`` + +.. code-block:: json + + post = { + "relation_super": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + } + } + return = { + "sub_meta_rule": { + "subject_categories": ["role"], + "action_categories": ["ie_action"], + "object_categories": ["id"], + "relation": "relation_super" + } + } + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule_relations`` + +.. code-block:: json + + return = { + "sub_meta_rule_relations": ["relation_super", ] + } + +Rules +~~~~~ + +* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules`` + +.. code-block:: json + + return = { + "sub_rules": { + "relation_super": [ + ["high", "vm_admin", "medium"], + ["high", "vm_admin", "low"], + ["medium", "vm_admin", "low"], + ["high", "vm_access", "high"], + ["high", "vm_access", "medium"], + ["high", "vm_access", "low"], + ["medium", "vm_access", "medium"], + ["medium", "vm_access", "low"], + ["low", "vm_access", "low"] + ] + } + } + +* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules`` + +.. code-block:: json + + post = { + "rules": ["admin", "vm_admin", "servers"], + "relation": "relation_super" + } + +* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules/{relation_name}/{rule}`` + + +Tenant mapping API +------------------ + +* ``GET /OS-MOON/tenants`` + +.. code-block:: json + + return = { + "tenant": { + "uuid1": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + }, + "uuid2": { + "name": "tenant2", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``GET /OS-MOON/tenant/{tenant_uuid}`` + +.. 
code-block:: json + + return = { + "tenant": { + "uuid": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``POST /OS-MOON/tenant`` + +.. code-block:: json + + post = { + "id": "uuid", + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + return = { + "tenant": { + "uuid": { + "name": "tenant1", + "authz": "intra_extension_uuid1", + "admin": "intra_extension_uuid2" + } + } + } + +* ``DELETE /OS-MOON/tenant/{tenant_uuid}/{intra_extension_uuid}`` + +.. code-block:: json + + return = {} + +Logs API +-------- + +* ``GET /OS-MOON/logs`` + +InterExtension API +------------------ + +* ``GET /OS-MOON/inter_extensions`` + +.. code-block:: json + + return = { + "inter_extensions": ["ie_uuid1", "ie_uuid2"] + } + +* ``GET /OS-MOON/inter_extensions/{inter_extensions_id}`` + +.. code-block:: json + + return = { + "inter_extensions": { + "id": "uuid1", + "description": "", + "requesting_intra_extension_uuid": "uuid1", + "requested_intra_extension_uuid": "uuid2", + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + } + +* ``POST /OS-MOON/inter_extensions`` + +.. code-block:: json + + post = { + "description": "", + "requesting_intra_extension_uuid": uuid1, + "requested_intra_extension_uuid": uuid2, + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + return = { + "id": "uuid1", + "description": "", + "requesting_intra_extension_uuid": uuid1, + "requested_intra_extension_uuid": uuid2, + "genre": "trust_OR_coordinate", + "virtual_entity_uuid": "ve_uuid1" + } + +* ``DELETE /OS-MOON/inter_extensions/{inter_extensions_id}`` + diff --git a/keystone-moon/doc/source/extensions/moon_api.rst b/keystone-moon/doc/source/extensions/moon_api.rst deleted file mode 100644 index 1f7ad10b..00000000 --- a/keystone-moon/doc/source/extensions/moon_api.rst +++ /dev/null 
@@ -1,628 +0,0 @@ -Moon API -======== - -Here are Moon API with some examples of posted data and returned data. - -Intra-Extension API -------------------- - -Authz -~~~~~ - -* ``GET /OS-MOON/authz/{tenant_id}/{subject_id}/{object_id}/{action_id}`` - -.. code-block:: json - - return = { - "authz": "OK/KO/OutOfScope", - "tenant_id": "tenant_id", - "subject_id": "subject_id", - "object_id": "object_id", - "action_id": "action_id" - } - -Intra_Extension -~~~~~~~~~~~~~~~ - -* ``GET /OS-MOON/authz_policies`` - -.. code-block:: json - - return = { - "authz_policies": ["policy_name1", "policy_name2"] - } - -* ``GET /OS-MOON/intra_extensions`` - -.. code-block:: json - - return = { - "intra_extensions": ["ie_uuid1", "ie_uuid2"] - } - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}`` - -.. code-block:: json - - return = { - "intra_extensions": { - "id": "uuid1", - "description": "", - "tenant": "tenant_uuid", - "model": "", - "genre": "", - "authz": {}, - "admin": {} - } - } - -* ``POST /OS-MOON/intra_extensions`` - -.. code-block:: json - - post = { - "name" : "", - "policymodel": "", - "description": "" - } - return = { - "id": "uuid1", - "description": "", - "tenant": "tenant_uuid", - "model": "", - "genre": "", - "authz": {}, - "admin": {} - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` - -.. code-block:: json - - return = { - "tenant": "tenant_id" - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/tenant`` - -.. code-block:: json - - post = { - "tenant_id": "tenant_id" - } - return = { - "tenant": "tenant_id" - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/tenant/{tenant_id}`` - -Perimeter -~~~~~~~~~ - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` - -.. code-block:: json - - return = { - "subjects": ["sub_uuid1", "sub_uuid2"] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subjects`` - -.. 
code-block:: json - - post = { - "subject_id" : "" - } - return = { - "subjects": ["sub_uuid1", "sub_uuid2"] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject/{subject_id}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` - -.. code-block:: json - - return = { - "objects": ["obj_uuid1", "obj_uuid2"] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/objects`` - -.. code-block:: json - - post = { - "object_id" : "" - } - return = { - "objects": ["obj_uuid1", "obj_uuid2"] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object/{object_id}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` - -.. code-block:: json - - return = { - "actions": ["act_uuid1", "act_uuid2"] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/actions`` - -.. code-block:: json - - post = { - "action_id" : "" - } - return = { - "actions": ["act_uuid1", "act_uuid2"] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/actions/{action_id}`` - -Assignment -~~~~~~~~~~ - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` - -.. code-block:: json - - return = { - "subject_assignments": { - "subject_security_level":{ - "user1": ["low"], - "user2": ["medium"], - "user3": ["high"] - } - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments`` - -.. code-block:: json - - post = { - "subject_id" : "", - "subject_category_id" : "", - "subject_category_scope_id" : "" - } - return = { - "subject_assignments": { - "subject_security_level":{ - "user1": ["low"], - "user2": ["medium"], - "user3": ["high"] - } - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_assignments/{subject_category}/{subject_id}/{subject_scope}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` - -.. 
code-block:: json - - return = { - "object_assignments": { - "object_security_level":{ - "vm1": ["low"], - "vm2": ["medium"], - "vm3": ["high"] - } - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments`` - -.. code-block:: json - - post = { - "object_id" : "", - "object_category_id" : "", - "object_category_scope_id" : "" - } - return = { - "object_assignments": { - "object_security_level":{ - "vm1": ["low"], - "vm2": ["medium"], - "vm3": ["high"] - } - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_assignments/{object_category}/{object_id}/{object_scope}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` - -.. code-block:: json - - return = { - "action_assignments": { - "computing_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"] - } - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments`` - -.. code-block:: json - - post = { - "action_id" : "", - "action_category_id" : "", - "action_category_scope_id" : "" - } - return = { - "action_assignments": { - "computing_action":{ - "pause": ["vm_admin"], - "unpause": ["vm_admin"], - "start": ["vm_admin"], - "stop": ["vm_admin"] - } - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_assignments/{action_category}/{action_id}/{action_scope}`` - -Metadata -~~~~~~~~ - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` - -.. code-block:: json - - return = { - "subject_categories": [ "subject_security_level" ] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories`` - -.. 
code-block:: json - - post = { - "subject_category_id" : "" - } - return = { - "subject_categories": [ "subject_security_level" ] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_categories/{subject_category_id}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` - -.. code-block:: json - - return = { - "object_categories": [ "object_security_level" ] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories`` - -.. code-block:: json - - post = { - "object_category_id" : "" - } - return = { - "object_categories": [ "object_security_level" ] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_categories/{object_category_id}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` - -.. code-block:: json - - return = { - "action_categories": [ "computing_action" ] - } - - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories`` - -.. code-block:: json - - post = { - "action_category_id" : "" - } - return = { - "action_categories": [ "computing_action" ] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_categories/{action_category_id}`` - -Scope -~~~~~ - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` - -.. code-block:: json - - return = { - "subject_security_level": [ "high", "medium", "low" ] - } - -* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope`` - -.. code-block:: json - - post = { - "subject_category_id" : "", - "subject_category_scope_id" : "" - } - return = { - "subject_security_level": [ "high", "medium", "low" ] - } - -* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/subject_category_scope/{subject_category}/{subject_scope}`` - -* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope`` - -.. 
code-block:: json
-
- return = {
- "object_security_level": [ "high", "medium", "low" ]
- }
-
-* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope``
-
-.. code-block:: json
-
- post = {
- "object_category_id" : "",
- "object_category_scope_id" : ""
- }
- return = {
- "object_security_level": [ "high", "medium", "low" ]
- }
-
-* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/object_category_scope/{object_category}/{object_scope}``
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope``
-
-.. code-block:: json
-
- return = {
- "computing_action": [ "vm_admin", "vm_access" ]
- }
-
-* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope``
-
-.. code-block:: json
-
- post = {
- "action_id" : "",
- "action_category_id" : "",
- "action_category_scope_id" : ""
- }
- return = {
- "computing_action": [ "vm_admin", "vm_access" ]
- }
-
-* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/action_category_scope/{action_category}/{action_scope}``
-
-Metarule
-~~~~~~~~
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithms``
-
-.. code-block:: json
-
- return = {
- "aggregation_algorithms": [ "and_true_aggregation", "..."]
- }
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm``
-
-.. code-block:: json
-
- return = {
- "aggregation_algorithm": "and_true_aggregation"
- }
-
-* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/aggregation_algorithm``
-
-.. code-block:: json
-
- post = {
- "aggregation": "and_true_aggregation"
- }
- return = {
- "aggregation_algorithm": "and_true_aggregation"
- }
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule``
-
-..
code-block:: json
-
- return = {
- "sub_meta_rule": {
- "subject_categories": ["role"],
- "action_categories": ["ie_action"],
- "object_categories": ["id"],
- "relation": "relation_super"
- }
- }
-
-* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule``
-
-.. code-block:: json
-
- post = {
- "relation_super": {
- "subject_categories": ["role"],
- "action_categories": ["ie_action"],
- "object_categories": ["id"],
- }
- }
- return = {
- "sub_meta_rule": {
- "subject_categories": ["role"],
- "action_categories": ["ie_action"],
- "object_categories": ["id"],
- "relation": "relation_super"
- }
- }
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_meta_rule_relations``
-
-.. code-block:: json
-
- return = {
- "sub_meta_rule_relations": ["relation_super", ]
- }
-
-Rules
-~~~~~
-
-* ``GET /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules``
-
-.. code-block:: json
-
- return = {
- "sub_rules": {
- "relation_super": [
- ["high", "vm_admin", "medium"],
- ["high", "vm_admin", "low"],
- ["medium", "vm_admin", "low"],
- ["high", "vm_access", "high"],
- ["high", "vm_access", "medium"],
- ["high", "vm_access", "low"],
- ["medium", "vm_access", "medium"],
- ["medium", "vm_access", "low"],
- ["low", "vm_access", "low"]
- ]
- }
- }
-
-* ``POST /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules``
-
-.. code-block:: json
-
- post = {
- "rules": ["admin", "vm_admin", "servers"],
- "relation": "relation_super"
- }
-
-* ``DELETE /OS-MOON/intra_extensions/{intra_extensions_id}/sub_rules/{relation_name}/{rule}``
-
-
-Tenant mapping API
-------------------
-
-* ``GET /OS-MOON/tenants``
-
-.. code-block:: json
-
- return = {
- "tenant": {
- "uuid1": {
- "name": "tenant1",
- "authz": "intra_extension_uuid1",
- "admin": "intra_extension_uuid2"
- },
- "uuid2": {
- "name": "tenant2",
- "authz": "intra_extension_uuid1",
- "admin": "intra_extension_uuid2"
- }
- }
- }
-
-* ``GET /OS-MOON/tenant/{tenant_uuid}``
-
-..
code-block:: json
-
- return = {
- "tenant": {
- "uuid": {
- "name": "tenant1",
- "authz": "intra_extension_uuid1",
- "admin": "intra_extension_uuid2"
- }
- }
- }
-
-* ``POST /OS-MOON/tenant``
-
-.. code-block:: json
-
- post = {
- "id": "uuid",
- "name": "tenant1",
- "authz": "intra_extension_uuid1",
- "admin": "intra_extension_uuid2"
- }
- return = {
- "tenant": {
- "uuid": {
- "name": "tenant1",
- "authz": "intra_extension_uuid1",
- "admin": "intra_extension_uuid2"
- }
- }
- }
-
-* ``DELETE /OS-MOON/tenant/{tenant_uuid}/{intra_extension_uuid}``
-
-.. code-block:: json
-
- return = {}
-
-Logs API
---------
-
-* ``GET /OS-MOON/logs``
-
-InterExtension API
-------------------
-
-* ``GET /OS-MOON/inter_extensions``
-
-.. code-block:: json
-
- return = {
- "inter_extensions": ["ie_uuid1", "ie_uuid2"]
- }
-
-* ``GET /OS-MOON/inter_extensions/{inter_extensions_id}``
-
-.. code-block:: json
-
- return = {
- "inter_extensions": {
- "id": "uuid1",
- "description": "",
- "requesting_intra_extension_uuid": "uuid1",
- "requested_intra_extension_uuid": "uuid2",
- "genre": "trust_OR_coordinate",
- "virtual_entity_uuid": "ve_uuid1"
- }
- }
-
-* ``POST /OS-MOON/inter_extensions``
-
-.. code-block:: json
-
- post = {
- "description": "",
- "requesting_intra_extension_uuid": uuid1,
- "requested_intra_extension_uuid": uuid2,
- "genre": "trust_OR_coordinate",
- "virtual_entity_uuid": "ve_uuid1"
- }
- return = {
- "id": "uuid1",
- "description": "",
- "requesting_intra_extension_uuid": uuid1,
- "requested_intra_extension_uuid": uuid2,
- "genre": "trust_OR_coordinate",
- "virtual_entity_uuid": "ve_uuid1"
- }
-
-* ``DELETE /OS-MOON/inter_extensions/{inter_extensions_id}``
-
-- cgit 1.2.3-korg