From d285ffba7b9e2af55cf7765963764d2acd616a24 Mon Sep 17 00:00:00 2001
From: asteroide
Date: Mon, 24 Apr 2017 11:37:15 +0200
Subject: Add the moon_orchestrator element.
Change-Id: I09712c0b6e8e7d17a765829a981280ca5fd8af75
---
 .../conf/policies/policy_mls_authz/assignment.json | 29 ++++++++++++++++++++++
 .../conf/policies/policy_mls_authz/metadata.json | 18 ++++++++++++++
 .../conf/policies/policy_mls_authz/metarule.json | 12 +++++++++
 .../conf/policies/policy_mls_authz/perimeter.json | 21 ++++++++++++++++
 .../conf/policies/policy_mls_authz/rule.json | 16 ++++++++++++
 .../conf/policies/policy_mls_authz/scope.json | 26 +++++++++++++++++++
 6 files changed, 122 insertions(+)
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
 create mode 100644 moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
(limited to 'moonv4/moon_orchestrator/conf/policies/policy_mls_authz')
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
new file mode 100644
index 00000000..0712dfbc
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
@@ -0,0 +1,29 @@
+{
+ "subject_assignments": {
+ "subject_security_level":{
+ "admin": ["high"],
+ "demo": ["medium"]
+ }
+ },
+
+ "action_assignments": {
+ "resource_action":{
+ "pause": ["vm_admin"],
+ "unpause": ["vm_admin"],
+ "start": ["vm_admin"],
+ "stop": ["vm_admin"],
+ "list": ["vm_access", "vm_admin"],
+ "create": ["vm_admin"],
+ "storage_list": ["storage_access"],
+ "download": ["storage_access"],
+ "post": ["storage_admin"],
+ "upload": ["storage_admin"]
+ }
+ },
+
+ "object_assignments": {
+ "object_security_level": {
+ "servers": ["low"]
+ }
+ }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
new file mode 100644
index 00000000..c419c815
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
@@ -0,0 +1,18 @@
+{
+ "name": "MLS_Policy",
+ "model": "MLS",
+ "genre": "authz",
+ "description": "Multi Level Security Policy",
+
+ "subject_categories": [
+ "subject_security_level"
+ ],
+
+ "action_categories": [
+ "resource_action"
+ ],
+
+ "object_categories": [
+ "object_security_level"
+ ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
new file mode 100644
index 00000000..e068927c
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
@@ -0,0 +1,12 @@
+{
+ "sub_meta_rules": {
+ "mls_rule": {
+ "subject_categories": ["subject_security_level"],
+ "action_categories": ["resource_action"],
+ "object_categories": ["object_security_level"],
+ "algorithm": "inclusion"
+ }
+ },
+ "aggregation": "all_true"
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
new file mode 100644
index 00000000..47a8ee45
--- /dev/null
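Review bot: With `"demo": ["medium"]` under `subject_security_level` and the only object, `"servers": ["low"]`, under `object_security_level`, every `medium` tuple in rule.json ends in `low`, so `demo` obtains every action category in this file, `vm_admin` and `storage_admin` included, and can therefore `create`, `stop`, `post` and `upload` on `servers` exactly as `admin` can. If `demo` is meant to be the less privileged account, this assignment does not produce that separation; presumably either `servers` belongs at `medium` or the `medium` subject level should not carry the admin categories, to be confirmed with the policy's author. A smaller point of style: `"subject_security_level":{` and `"resource_action":{` drop the space after the colon that `"object_security_level": {` keeps, and one form should be used across the six files.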
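Review bot: The `description` value `"Multi Level Security Policy"` is the only free-text field in this six-file policy set, and since JSON carries no comments it is the one place where the conventions the other files rely on can be recorded; as written, a reader must infer from rule.json that each tuple is `[subject_security_level, resource_action, object_security_level]` and that, as the rule set currently reads, a subject level only reaches strictly lower object levels. Suggest `"description": "Multi Level Security Policy: rule tuples are [subject_security_level, resource_action, object_security_level]; a subject level grants access only to strictly lower object levels"`. The three category lists here repeat the ones in metarule.json's `mls_rule`, so unless the loader cross-checks them, editing one file later silently desynchronizes the other.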
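Review bot: The last added line of this hunk is empty, so metarule.json ends with a blank line after the closing `}` while the five sibling files end directly at `}`; drop the extra line so the set is formatted consistently. The category names in `mls_rule` match those declared in metadata.json, which is the one cross-file check this hunk passes.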
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
@@ -0,0 +1,21 @@
+{
+ "subjects": [
+ "admin",
+ "demo"
+ ],
+ "actions": [
+ "pause",
+ "unpause",
+ "start",
+ "stop",
+ "create",
+ "list",
+ "upload",
+ "download",
+ "post",
+ "storage_list"
+ ],
+ "objects": [
+ "servers"
+ ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
new file mode 100644
index 00000000..b17dc822
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
@@ -0,0 +1,16 @@
+{
+ "mls_rule":[
+ ["high", "vm_admin", "medium"],
+ ["high", "vm_admin", "low"],
+ ["medium", "vm_admin", "low"],
+ ["high", "vm_access", "medium"],
+ ["high", "vm_access", "low"],
+ ["medium", "vm_access", "low"],
+ ["high", "storage_admin", "medium"],
+ ["high", "storage_admin", "low"],
+ ["medium", "storage_admin", "low"],
+ ["high", "storage_access", "medium"],
+ ["high", "storage_access", "low"],
+ ["medium", "storage_access", "low"]
+ ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
new file mode 100644
index 00000000..6cc1c28e
--- /dev/null
+++ b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
@@ -0,0 +1,26 @@
+{
+ "subject_scopes": {
+ "subject_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ },
+
+ "action_scopes": {
+ "resource_action": [
+ "vm_admin",
+ "vm_access",
+ "storage_admin",
+ "storage_access"
+ ]
+ },
+
+ "object_scopes": {
+ "object_security_level": [
+ "high",
+ "medium",
+ "low"
+ ]
+ }
+}
-- cgit 1.2.3-korg
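Review bot: `mls_rule` holds only strict-dominance tuples (`high` over `medium` and `low`, `medium` over `low`); there is no `["high", …, "high"]`, `["medium", …, "medium"]` or `["low", …, "low"]` entry, so no subject can act on an object at its own level and a `low` subject can do nothing at all. Under the `all_true` aggregation this fails closed, which is the safe direction, but it departs from the usual MLS reading in which equal levels are permitted; if that is intended, say so in metadata.json's `description`, otherwise add the twelve same-level tuples (three per action category). The rows are also purely positional, with nothing in this file naming the columns; the order is fixed only by the category lists of `mls_rule` in metarule.json, which is worth stating in the description as well.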