create scenario test 33/2433/1
authorWuKong <rebirthmonkey@gmail.com>
Mon, 12 Oct 2015 12:29:11 +0000 (14:29 +0200)
committerWuKong <rebirthmonkey@gmail.com>
Mon, 12 Oct 2015 12:29:11 +0000 (14:29 +0200)
Change-Id: Id392d900583a31fb53a9da5bcb0c47746f34491a
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
15 files changed:
keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_mls_authz/rule.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_mls_authz/scope.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_rbac_admin/assignment.json [moved from keystone-moon/examples/moon/policies/policy_admin/assignment.json with 97% similarity]
keystone-moon/examples/moon/policies/policy_rbac_admin/metadata.json [moved from keystone-moon/examples/moon/policies/policy_admin/metadata.json with 100% similarity]
keystone-moon/examples/moon/policies/policy_rbac_admin/metarule.json [moved from keystone-moon/examples/moon/policies/policy_admin/metarule.json with 100% similarity]
keystone-moon/examples/moon/policies/policy_rbac_admin/perimeter.json [moved from keystone-moon/examples/moon/policies/policy_admin/perimeter.json with 97% similarity]
keystone-moon/examples/moon/policies/policy_rbac_admin/rule.json [moved from keystone-moon/examples/moon/policies/policy_admin/rule.json with 66% similarity]
keystone-moon/examples/moon/policies/policy_rbac_admin/scope.json [moved from keystone-moon/examples/moon/policies/policy_admin/scope.json with 96% similarity]
keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh [new file with mode: 0644]
keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh [new file with mode: 0644]
keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh [new file with mode: 0644]

diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_mls_authz/assignment.json
new file mode 100644 (file)
index 0000000..0712dfb
--- /dev/null
@@ -0,0 +1,29 @@
+{
+    "subject_assignments": {
+        "subject_security_level":{
+                       "admin": ["high"],
+                       "demo": ["medium"]
+        }
+       },
+
+    "action_assignments": {
+        "resource_action":{
+                       "pause": ["vm_admin"],
+                       "unpause": ["vm_admin"],
+                       "start": ["vm_admin"],
+                       "stop": ["vm_admin"],
+                       "list": ["vm_access", "vm_admin"],
+                       "create": ["vm_admin"],
+                       "storage_list": ["storage_access"],
+                       "download": ["storage_access"],
+                       "post": ["storage_admin"],
+                       "upload": ["storage_admin"]
+        }
+       },
+
+    "object_assignments": {
+        "object_security_level": {
+            "servers": ["low"]
+        }
+    }
+}
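Review bot: The entries under `subject_security_level` and `resource_action` are indented with tabs while the enclosing keys use four spaces, so the file renders at a different depth in every viewer depending on tab width; the metarule.json and rule.json hunks of this commit mix the two in the same way. The whitespace is harmless to a JSON parser, but a pass through `python -m json.tool` or `jq .` before committing would keep all six new policy files at one consistent indent and make later diffs of the policy readable. The stray blank lines between the three top-level sections are valid but unusual and would disappear in the same pass.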
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metadata.json
new file mode 100644 (file)
index 0000000..c419c81
--- /dev/null
@@ -0,0 +1,18 @@
+{
+    "name": "MLS_Policy",
+    "model": "MLS",
+    "genre": "authz",
+    "description": "Multi Level Security Policy",
+
+    "subject_categories": [
+        "subject_security_level"
+    ],
+
+    "action_categories": [
+        "resource_action"
+    ],
+
+    "object_categories": [
+        "object_security_level"
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/metarule.json
new file mode 100644 (file)
index 0000000..e068927
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": ["subject_security_level"],
+                       "action_categories": ["resource_action"],
+                       "object_categories": ["object_security_level"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json b/keystone-moon/examples/moon/policies/policy_mls_authz/perimeter.json
new file mode 100644 (file)
index 0000000..47a8ee4
--- /dev/null
@@ -0,0 +1,21 @@
+{
+    "subjects": [
+        "admin",
+        "demo"
+    ],
+    "actions": [
+        "pause",
+        "unpause",
+        "start",
+        "stop",
+        "create",
+        "list",
+        "upload",
+        "download",
+        "post",
+        "storage_list"
+    ],
+    "objects": [
+        "servers"
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json b/keystone-moon/examples/moon/policies/policy_mls_authz/rule.json
new file mode 100644 (file)
index 0000000..b17dc82
--- /dev/null
@@ -0,0 +1,16 @@
+{
+       "mls_rule":[
+               ["high", "vm_admin", "medium"],
+               ["high", "vm_admin", "low"],
+               ["medium", "vm_admin", "low"],
+               ["high", "vm_access", "medium"],
+               ["high", "vm_access", "low"],
+               ["medium", "vm_access", "low"],
+               ["high", "storage_admin", "medium"],
+               ["high", "storage_admin", "low"],
+               ["medium", "storage_admin", "low"],
+               ["high", "storage_access", "medium"],
+               ["high", "storage_access", "low"],
+               ["medium", "storage_access", "low"]
+       ]
+}
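Review bot: Every tuple in `mls_rule` pairs a subject level with a strictly lower object level (high→medium, high→low, medium→low); there is no equal-level tuple such as `["high", "vm_admin", "high"]` and no tuple with a `low` subject at all, so under the `inclusion` algorithm a subject can never act on an object at its own level. If the intended semantics is the usual "no read up" (subject level at or above object level), the three equal-level tuples per action are missing; if equal-level denial is deliberate, it should be stated in the `description` of metadata.json, because test_nova_a.sh in this commit appears to rely on `servers` being denied even to the `high` admin once it is relabelled `high`, and a reader of the rule file alone will otherwise take the gap for an omission.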
diff --git a/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json b/keystone-moon/examples/moon/policies/policy_mls_authz/scope.json
new file mode 100644 (file)
index 0000000..6cc1c28
--- /dev/null
@@ -0,0 +1,26 @@
+{
+  "subject_scopes": {
+    "subject_security_level": [
+      "high",
+      "medium",
+      "low"
+    ]
+  },
+
+  "action_scopes": {
+    "resource_action": [
+      "vm_admin",
+      "vm_access",
+      "storage_admin",
+      "storage_access"
+    ]
+  },
+
+  "object_scopes": {
+    "object_security_level": [
+      "high",
+      "medium",
+      "low"
+      ]
+  }
+}
@@ -1,7 +1,8 @@
 {
     "subject_assignments": {
         "role": {
-                       "admin": ["root_role"]
+                       "admin": ["root_role"],
+            "demo": ["dev"]
                }
     },
     "action_assignments": {
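Review bot: The new subject assignment maps `demo` to `"dev"`, but the value added to `subject_scopes` in the scope.json hunk of this commit and referenced by every new tuple in the rule.json hunk is `dev_role`, so `demo` is assigned to a role that exists in no scope and matches no rule. Unless a loader outside this commit maps `dev` to `dev_role`, the line should read `"demo": ["dev_role"]`. The enclosing `subject_assignments` object is complete here, but the file continues past the hunk.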
     ["root_role" , "write", "admin.action_assignments"],
     ["root_role" , "write", "admin.aggregation_algorithm"],
     ["root_role" , "write", "admin.sub_meta_rules"],    
-    ["root_role" , "write", "admin.rules"]
+    ["root_role" , "write", "admin.rules"],
+    ["dev_role" , "read", "authz.subjects"],
+    ["dev_role" , "read", "authz.objects"],
+    ["dev_role" , "read", "authz.actions"],
+    ["dev_role" , "read", "authz.subject_categories"],
+    ["dev_role" , "read", "authz.object_categories"],
+    ["dev_role" , "read", "authz.action_categories"],
+    ["dev_role" , "read", "authz.subject_scopes"],
+    ["dev_role" , "read", "authz.object_scopes"],
+    ["dev_role" , "read", "authz.action_scopes"],
+    ["dev_role" , "read", "authz.subject_assignments"],
+    ["dev_role" , "read", "authz.object_assignments"],
+    ["dev_role" , "read", "authz.action_assignments"],
+    ["dev_role" , "read", "authz.aggregation_algorithm"],
+    ["dev_role" , "read", "authz.sub_meta_rules"],
+    ["dev_role" , "read", "authz.rules"],
+    ["dev_role" , "read", "admin.subjects"],
+    ["dev_role" , "read", "admin.objects"],
+    ["dev_role" , "read", "admin.actions"],
+    ["dev_role" , "read", "admin.subject_categories"],
+    ["dev_role" , "read", "admin.object_categories"],
+    ["dev_role" , "read", "admin.action_categories"],
+    ["dev_role" , "read", "admin.subject_scopes"],
+    ["dev_role" , "read", "admin.object_scopes"],
+    ["dev_role" , "read", "admin.action_scopes"],
+    ["dev_role" , "read", "admin.subject_assignments"],
+    ["dev_role" , "read", "admin.object_assignments"],
+    ["dev_role" , "read", "admin.action_assignments"],
+    ["dev_role" , "read", "admin.aggregation_algorithm"],
+    ["dev_role" , "read", "admin.sub_meta_rules"],
+    ["dev_role" , "read", "admin.rules"]
   ]
 }
@@ -1,7 +1,8 @@
 {
     "subject_scopes": {
         "role": [
-            "root_role"
+            "root_role",
+            "dev_role"
         ]
     },
     "action_scopes": {
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_a.sh
new file mode 100644 (file)
index 0000000..36afd5a
--- /dev/null
@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx `demo`
+
+# check that now moon authorizes the manipulation list_servers
+nova list
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `low_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation list_servers
+nova list
+
+# del object assignment for servers
+moon object assignment del `servers_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `servers_uuid` `object_security_level_uuid` `low_uuid`
\ No newline at end of file
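Review bot: The placeholder arguments (demo, test_authz_uuid, servers_uuid, object_security_level_uuid, low_uuid, high_uuid) are wrapped in backticks, which bash treats as command substitution, so executing this file runs commands of those names and hands `moon` whatever they print — usually an empty string; test_nova_b.sh and test_nova_c.sh in this commit have the same problem. Either turn them into variables the tester fills in (`AUTHZ_UUID=...` followed by `moon intraextension select "$AUTHZ_UUID"`) or state in a header comment that the file is a manual outline rather than an executable test. The two `nova list` checks also record no expected outcome, so the script can never fail: the denied case should read `if nova list; then echo "FAIL: list_servers should have been denied"; exit 1; fi`, and `set -e` after the shebang would stop the sequence when a setup command itself errors. The first `moon tenant add` wraps demo in backticks while the same command in test_nova_b.sh passes it bare, which is one more sign the quoting was not meant literally.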
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_b.sh
new file mode 100644 (file)
index 0000000..f2c0e4f
--- /dev/null
@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+
+# as user admin
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# create a VM (vm1) in OpenStack
+nova create vm1.....
+
+# add corresponding object in moon
+moon object add vm1
+
+# check that moon blocks the vm1 manipulatin
+nova vm1 suspend ....
+
+# add object assignment for vm1
+moon object assignment `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# check now moon block the manipulation of vm1
+nova vm1 suspend ....
+
+# del object assignment for servers
+moon object assignment del `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# add object assignment for servers
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `low_uuid`
+
+# check now moon unblock the manipulation of vm1
+nova vm1 suspend ....
\ No newline at end of file
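Review bot: The first assignment step, the command after `# add object assignment for vm1`, omits the `add` subcommand that every other assignment call in this script and in test_nova_a.sh uses (`moon object assignment add ...`), so that step will not create the assignment the following check depends on. The comments on the last two assignment steps say "for servers" although they act on vm1, and "manipulatin" is a typo; since these comments are the only statement of expected behaviour, they should be accurate. The three `nova vm1 suspend ....` checks are left as ellipses with no exit-status test, so the blocked and unblocked outcomes the comments describe are never actually verified.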
diff --git a/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh b/keystone-moon/keystone/tests/moon/scenario/test_nova_c.sh
new file mode 100644 (file)
index 0000000..bf4bd3c
--- /dev/null
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+# as user demo
+. openrc demo
+
+# create authz intraextension
+moon intraextension add policy_mls_authz test_authz
+
+# create admin intraextension
+moon intraextension add policy_rbac_admin test_admin
+
+# create tenant
+moon tenant add --authz xxx --admin xxx demo
+
+# select the authz tenant
+moon intraextension select `test_authz_uuid`
+
+# check that moon blocks modification of object assignments
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
+
+# as user admin
+. openrc admin
+
+# select the admin intraextension
+moon intraextension select `test_admin_uuid`
+
+# add write permission to the dev_role user for assignment table
+moon rule add `rbac_rule_uuid` [`dev_role_uuid`, `write_uuid`, `authz.assignment`]
+
+# as user demo
+. openrc demo
+
+# select the authz intraextension
+moon intraextension select `test_authz_uuid`
+
+# check that moon authorizes modification of rule table by demo
+moon object assignment add `vm1_uuid` `object_security_level_uuid` `high_uuid`
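Review bot: The rule granted in the `moon rule add` step names the object `authz.assignment`, but the admin rules added in this commit only use `authz.subject_assignments`, `authz.object_assignments` and `authz.action_assignments` as object names, so unless `authz.assignment` exists in the admin perimeter the new rule will not cover the `moon object assignment add` that the final step expects to succeed — `authz.object_assignments` is the table that step writes. The bracketed triple is also split by bash into separate words (`[`-prefixed uuid, comma-suffixed uuid, …), so the CLI receives several arguments rather than one list; check the argument format the moon CLI actually accepts and quote or flatten accordingly. The added write permission is never removed, so a run of this scenario leaves `dev_role` with write access in the admin intraextension and changes what test_nova_a.sh and test_nova_b.sh observe if they run afterwards on the same instance; a teardown `moon rule del` step would keep the scenarios independent. Lastly, the closing comment says "modification of rule table" while the command modifies an object assignment.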