Add the moon_orchestrator element. 01/33701/1
authorasteroide <thomas.duval@orange.com>
Mon, 24 Apr 2017 09:37:15 +0000 (11:37 +0200)
committerasteroide <thomas.duval@orange.com>
Mon, 24 Apr 2017 09:37:15 +0000 (11:37 +0200)
Change-Id: I09712c0b6e8e7d17a765829a981280ca5fd8af75

61 files changed:
moonv4/moon_orchestrator/LICENSE [new file with mode: 0644]
moonv4/moon_orchestrator/MANIFEST.in [new file with mode: 0644]
moonv4/moon_orchestrator/README.rst [new file with mode: 0644]
moonv4/moon_orchestrator/conf/dockers/template.dockerfile [new file with mode: 0644]
moonv4/moon_orchestrator/conf/moon.conf [new file with mode: 0644]
moonv4/moon_orchestrator/conf/plugins/authz.py [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/rule.json [new file with mode: 0644]
moonv4/moon_orchestrator/conf/policies/policy_root/scope.json [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/__init__.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/__main__.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/api/containers.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/api/generic.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/dockers.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/messenger.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/scoper.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/security_function.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/security_interface.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/security_manager.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/security_policy.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/security_router.py [new file with mode: 0644]
moonv4/moon_orchestrator/moon_orchestrator/server.py [new file with mode: 0644]
moonv4/moon_orchestrator/reinstall.sh [new file with mode: 0644]
moonv4/moon_orchestrator/requirements.txt [new file with mode: 0644]
moonv4/moon_orchestrator/setup.py [new file with mode: 0644]

diff --git a/moonv4/moon_orchestrator/LICENSE b/moonv4/moon_orchestrator/LICENSE
new file mode 100644 (file)
index 0000000..4143aac
--- /dev/null
@@ -0,0 +1,204 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+--- License for python-keystoneclient versions prior to 2.1 ---
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    1. Redistributions of source code must retain the above copyright notice,
+       this list of conditions and the following disclaimer.
+
+    2. Redistributions in binary form must reproduce the above copyright
+       notice, this list of conditions and the following disclaimer in the
+       documentation and/or other materials provided with the distribution.
+
+    3. Neither the name of this project nor the names of its contributors may
+    be used to endorse or promote products derived from this software without
+    specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE
+FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/moonv4/moon_orchestrator/MANIFEST.in b/moonv4/moon_orchestrator/MANIFEST.in
new file mode 100644 (file)
index 0000000..1f674d5
--- /dev/null
@@ -0,0 +1,9 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+include README.rst
+include LICENSE
+include setup.py
+include requirements.txt
diff --git a/moonv4/moon_orchestrator/README.rst b/moonv4/moon_orchestrator/README.rst
new file mode 100644 (file)
index 0000000..77fbe4c
--- /dev/null
@@ -0,0 +1,130 @@
+================================
+Core module for the Moon project
+================================
+
+This package contains the main module for the Moon project
+It is designed to provide the main entry point for the Moon platform.
+
+For any other information, refer to the parent project:
+
+    https://git.opnfv.org/moon
+
+
+Usage
+=====
+
+Get the code
+------------
+
+    git clone https://git.opnfv.org/moon
+    cd moon
+    MOON_HOME=$(pwd)
+
+Create an initial docker
+------------------------
+
+    cd /tmp
+    git clone https://github.com/rebirthmonkey/vmspace.git
+    cd docker/ubuntu_python
+    # Check the proxy settings in Dockerfile
+    docker build ubuntu:python .
+
+Configure the network
+---------------------
+
+    docker network create -d bridge --subnet=172.18.0.0/16 --gateway=172.18.0.1 moon
+    echo "127.0.0.1 messenger db" | sudo tee -a /etc/hosts
+
+Start Rabbitmq
+--------------
+
+    docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management
+
+Start MySQL server
+------------------
+
+    docker run -dti  --net=moon --hostname db --name db -e MYSQL_ROOT_PASSWORD=password -p 3306:3306 mysql:8
+    cd $(MOON_HOME)/moon_orchestrator
+    mysql -h db -uroot -ppassword < bin/init_db.sql
+
+Get python packages for all components
+--------------------------------------
+
+    cd $(MOON_HOME)/moon_orchestrator
+    bash bin/build_all.sh
+    mysql -h db -uroot -ppassword < bin/init_db.sql
+
+Start Orchestrator
+------------------
+
+    cd $(MOON_HOME)/moon_orchestrator
+    pyvenv tests/venv
+    . tests/venv/bin/activate
+    pip install -r ../moon_db/requirements.txt
+    pip install -r ../moon_utilities/requirements.txt
+    pip install -r requirements.txt
+    pip install dist/moon_db-0.1.0.tar.gz
+    pip install dist/moon_utilities-0.1.0.tar.gz
+    pip install .
+    # Check the proxy settings in $(MOON_HOME)/moon_orchestrator/conf/moon.conf
+    moon_orchestrator
+
+Get some logs
+-------------
+
+    docker logs messenger
+    docker logs router
+    docker logs interface
+
+Get the API in PDF
+------------------
+
+    cd $(MOON_HOME)/moon_interface/tools
+    sudo pip install requests
+    sudo apt-get install pandoc
+    /usr/bin/python3 api2rst.py
+    pandoc api.rst -o api.pdf
+    evince api.pdf
+
+How to hack the Moon platform
+=============================
+
+Update the moon_interface
+-------------------------
+
+Go to the directory $(MOON_HOME)/moon_interface and update the code accordingly to your needs,
+then update the python package.
+
+    python setup.py sdist
+    cp dist/moon_interface_* ../moon_orchestrator/dist
+    # kill moon_orchestrator if needed and restart it
+
+Update the moon_secrouter
+-------------------------
+
+Go to the directory $(MOON_HOME)/moon_secrouter and update the code accordingly to your needs,
+then update the python package.
+
+    python setup.py sdist
+    cp dist/moon_secrouter* ../moon_orchestrator/dist
+    # kill moon_orchestrator if needed and restart it
+
+Problems that may arise
+=======================
+
+If the moon_orchestrator doesn't want to start
+(with, for example, the following error: `docker.errors.APIError: 409 Client Error: Conflict`),
+check if the router and interface containers still exist and kill and delete them:
+
+    docker kill interface
+    docker kill router
+    docker rm interface
+    docker rm router
+
+If the moon_orchestrator complains that it cannot request the RabbitMQ server,
+check if the messenger server is up and running:
+
+    docker ps
+    # you must see the messenger running here
+    # if not, restart it
+    docker run -dti --net=moon --hostname messenger --name messenger --link messenger:messenger -e RABBITMQ_DEFAULT_USER=moon -e RABBITMQ_DEFAULT_PASS=password -e RABBITMQ_NODENAME=rabbit@messenger -e RABBITMQ_DEFAULT_VHOST=moon -p 5671:5671 -p 5672:5672 rabbitmq:3-management
diff --git a/moonv4/moon_orchestrator/conf/dockers/template.dockerfile b/moonv4/moon_orchestrator/conf/dockers/template.dockerfile
new file mode 100644 (file)
index 0000000..6bb8a0c
--- /dev/null
@@ -0,0 +1,25 @@
+# Pull base image.
+FROM ubuntu:latest
+
+{{ proxy }}
+
+RUN apt-get update && apt-get install python3.5 python3-pip -y
+
+ADD dist/moon_utilities-0.1.0.tar.gz /root
+WORKDIR /root/moon_utilities-0.1.0
+RUN pip3 install pip --upgrade
+RUN pip3 install --upgrade -r requirements.txt
+RUN pip3 install --upgrade .
+
+ADD dist/moon_db-0.1.0.tar.gz /root
+WORKDIR /root/moon_db-0.1.0
+RUN pip3 install --upgrade -r requirements.txt
+RUN pip3 install --upgrade .
+
+{{ run }}
+
+{% for port in ports %}
+EXPOSE {{ port }}
+{% endfor %}
+
+CMD {{ cmd }}
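Review bot: `FROM ubuntu:latest` is unpinned, so two renderings of this template can build on different releases and the `python3.5` package installed by the following `RUN` may not exist on a newer tag; pin a release, e.g. `FROM ubuntu:16.04`. The `{{ proxy }}`, `{{ run }}` and `{{ cmd }}` placeholders are substituted verbatim into Dockerfile instructions, so whatever the orchestrator passes there is executed at build or container start; a header comment such as `# proxy/run/cmd are inserted unescaped — callers must pass trusted, pre-validated values` would make that contract explicit. If `cmd` is rendered from a Python list (as the `run_cmd` lists elsewhere in this commit suggest), its single-quoted repr is not valid JSON, so Docker would fall back to shell form and execute the literal bracketed string; the caller should render it as `CMD ["python3", "-m", ...]` with double quotes — the rendering code is outside this hunk, so this is inferred.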
diff --git a/moonv4/moon_orchestrator/conf/moon.conf b/moonv4/moon_orchestrator/conf/moon.conf
new file mode 100644 (file)
index 0000000..c0d1d14
--- /dev/null
@@ -0,0 +1,87 @@
+[DEFAULT]
+# proxy URL
+#proxy=http://172.28.16.30:3128
+proxy=
+transport_url=rabbit://moon:p4sswOrd1@messenger:5672/moon
+#transport_url=rabbit://moon:p4sswOrd@localhost:5672/moon
+
+debug=True
+
+# directory where the python packages can be found
+dist_dir=/home/vdsq3226/projets/opnfv/moonv4/moon_orchestrator/dist
+plugin_dir=/etc/moon/plugins
+
+docker_url=unix://var/run/docker.sock
+
+root_policy_directory=policy_root
+policy_directory=/etc/moon/policies
+
+[slave]
+
+# name of the slave
+# example slave_name=slave1
+slave_name=
+
+# URL of the RabbitMQ bus of the Master
+# example: master_url=rabbit://moon:p4sswOrd1@master_messenger:5672/moon
+master_url=
+
+# login name of the master administrator
+# example: master_login=admin
+master_login=
+
+# password of the master administrator
+# example: master_password=p4ssw0rd
+master_password=
+
+[database]
+
+# Database for that server (may be different from master to slave)
+url=mysql+pymysql://moon:p4sswOrd1@db/moon
+driver=sql
+
+[database_configuration]
+
+# Database for configuration elements (may be different from master to slave)
+driver=memory
+url=
+
+[orchestrator]
+host=127.0.0.1
+port=38002
+container=
+
+[security_router]
+host=172.18.0.10
+
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_secrouter:latest
+container=
+
+[security_manager]
+host=172.18.0.10
+
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_manager:latest
+container=
+
+[interface]
+host=172.18.0.11
+port=38001
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_interface:latest
+container=
+
+[security_function]
+# Name of the container to download (if empty build from scratch)
+# example: container=moon/moon_secfunction:latest
+container=
+
+[keystone]
+url=http://keystone:5000/v3
+user=admin
+password=p4ssw0rd
+domain=default
+project=admin
+check_token=False
+server_crt=False
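Review bot: Live-looking credentials are committed in plaintext — `transport_url=rabbit://moon:p4sswOrd1@messenger:5672/moon`, `url=mysql+pymysql://moon:p4sswOrd1@db/moon` and `password=p4ssw0rd` in `[keystone]` — in a file that sits under the package's `conf/` directory; they should be blank placeholders with an `# example:` line, exactly as the `[slave]` section already does for `master_password=`, and be supplied at deploy time. `dist_dir=/home/vdsq3226/projets/opnfv/moonv4/moon_orchestrator/dist` is a developer's home directory and will not exist on any other host; a relative or `/etc/moon`-based default is needed. `check_token=False` and `server_crt=False` in `[keystone]` appear to disable token validation and server-certificate checking by default; if so, a comment stating the consequence and that production deployments must set them (e.g. `# check_token=False skips Keystone token validation — set to True outside development`) is warranted, since the option semantics are not visible here.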
diff --git a/moonv4/moon_orchestrator/conf/plugins/authz.py b/moonv4/moon_orchestrator/conf/plugins/authz.py
new file mode 100644 (file)
index 0000000..c472b36
--- /dev/null
@@ -0,0 +1,66 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+import hashlib
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (asteroide): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+# TODO (asteroide): add specific configuration options for that plugin
+
+
+class AuthzFunction(DockerBase):
+
+    id = "moon_authz_function"
+    __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+    def __init__(self, uuid, conf_file="", docker=None, network_config=None):
+        self.id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest()
+        super(AuthzFunction, self).__init__(
+            name="moon_authz",
+            run_cmd=["python3", "-m", "moon_authz", uuid],
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            build_cmd=self.__build,
+            id=self.id,
+            tag=""
+            # tag=CONF.security_function.container
+        )
+        # note(asteroide): time to let the new docker boot
+        time.sleep(3)
+        self.get_status()
+
+    def get_status(self):
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic=self.id, version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on {}".format(self.id))
+        ret = client.call({"component_id": self.id}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
+
+
+def run(uuid, conf_file="", docker=None, network_config=None):
+    return AuthzFunction(uuid,
+                         conf_file=conf_file,
+                         docker=docker,
+                         network_config=network_config)
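Review bot: `get_status` calls `client.call(...)` with no timeout and never releases the `transport` it creates, and `__init__` invokes it right after a fixed `time.sleep(3)`; a container that boots slower than that makes the constructor block for oslo.messaging's default RPC timeout and then propagate `MessagingTimeout` out of `run()`, while each call also leaks a transport. Give the client an explicit bound and clean up, e.g. `client = oslo_messaging.RPCClient(transport, target, timeout=10)` and wrap the call in `try: ... finally: transport.cleanup()`. The class attribute `id = "moon_authz_function"` is shadowed by the instance attribute assigned on the first line of `__init__`, so it is never read; either remove it or comment it as `# default id, replaced per instance by "authz_" + sha224(uuid)`. The `time.sleep(3)` is a fixed boot delay with no retry; a short polling loop around `get_status` would be more robust, and the magic number deserves a module-level constant.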
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/assignment.json
new file mode 100644 (file)
index 0000000..7a6c722
--- /dev/null
@@ -0,0 +1,55 @@
+{
+    "subject_assignments": {
+        "subject_security_level":{
+                       "admin": ["high"],
+                       "demo": ["medium"]
+        },
+               "domain":{
+                       "admin": ["ft"],
+                       "demo": ["xx"]
+        },
+               "role": {
+                       "admin": ["admin"],
+                       "demo": ["dev"]
+               }
+    },
+
+    "action_assignments": {
+        "resource_action":{
+                       "pause": ["vm_admin"],
+                       "unpause": ["vm_admin"],
+                       "start": ["vm_admin"],
+                       "stop": ["vm_admin"],
+                       "list": ["vm_access", "vm_admin"],
+                       "create": ["vm_admin"],
+                       "storage_list": ["storage_access"],
+                       "download": ["storage_access"],
+                       "post": ["storage_admin"],
+                       "upload": ["storage_admin"]
+        },
+               "access": {
+                       "pause": ["write"],
+                       "unpause": ["write"],
+                       "start": ["write"],
+                       "stop": ["write"],
+                       "list": ["read"],
+                       "create": ["write"],
+                       "storage_list": ["read"],
+                       "download": ["read"],
+                       "post": ["write"],
+                       "upload": ["write"]
+               }
+    },
+
+    "object_assignments": {
+        "object_security_level": {
+            "servers": ["low"]
+        },
+               "type": {
+                       "servers": ["computing"]
+               },
+               "object_id": {
+                       "servers": ["servers"]
+               }
+    }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/metadata.json
new file mode 100644 (file)
index 0000000..21a99eb
--- /dev/null
@@ -0,0 +1,23 @@
+{
+    "name": "Simple_Policy",
+    "genre": "authz",
+    "description": "Simple Security Policy",
+    "pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"],
+
+    "subject_categories": [
+        "subject_security_level",
+               "domain",
+               "role"
+    ],
+
+    "action_categories": [
+        "resource_action",
+        "access"
+    ],
+
+    "object_categories": [
+        "object_security_level",
+               "type",
+               "object_id"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/metarule.json
new file mode 100644 (file)
index 0000000..c9afd6c
--- /dev/null
@@ -0,0 +1,24 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": ["subject_security_level"],
+                       "action_categories": ["resource_action"],
+                       "object_categories": ["object_security_level"],
+                       "algorithm": "inclusion"
+               },
+               "dte_rule": {
+                       "subject_categories": ["domain"],
+                       "action_categories": ["access"],
+                       "object_categories": ["type"],
+                       "algorithm": "inclusion"
+               },
+               "rbac_rule": {
+                       "subject_categories": ["role", "domain"],
+                       "action_categories": ["access"],
+                       "object_categories": ["object_id"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/perimeter.json
new file mode 100644 (file)
index 0000000..47a8ee4
--- /dev/null
@@ -0,0 +1,21 @@
+{
+    "subjects": [
+        "admin",
+        "demo"
+    ],
+    "actions": [
+        "pause",
+        "unpause",
+        "start",
+        "stop",
+        "create",
+        "list",
+        "upload",
+        "download",
+        "post",
+        "storage_list"
+    ],
+    "objects": [
+        "servers"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/rule.json
new file mode 100644 (file)
index 0000000..25f9d93
--- /dev/null
@@ -0,0 +1,25 @@
+{
+       "mls_rule":[
+               ["high", "vm_admin", "medium"],
+               ["high", "vm_admin", "low"],
+               ["medium", "vm_admin", "low"],
+               ["high", "vm_access", "high"],
+               ["high", "vm_access", "medium"],
+               ["high", "vm_access", "low"],
+               ["medium", "vm_access", "medium"],
+               ["medium", "vm_access", "low"],
+               ["low", "vm_access", "low"]
+       ],
+       "dte_rule":[
+               ["ft", "read", "computing"],
+               ["ft", "write", "computing"],
+               ["ft", "read", "storage"],
+               ["ft", "write", "storage"],
+               ["xx", "read", "storage"]
+       ],
+       "rbac_rule":[
+               ["dev", "xx", "read", "servers"],
+               ["admin", "xx", "read", "servers"],
+               ["admin", "ft", "read", "servers"]
+       ]
+}
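Review bot: No write can ever be authorized by this policy as written: the `rbac_rule` tuples only carry `"read"`, while `dte_rule` grants `"write"` to domain `ft`, and the metarule's `"aggregation": "all_true"` requires every sub-rule to pass, so the dte write tuples are unreachable. If the demo is meant to be read-only, drop the write tuples so the policy reads as what it enforces; otherwise add matching rbac tuples such as `["admin", "ft", "write", "servers"]`.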
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_authz/scope.json
new file mode 100644 (file)
index 0000000..9b313da
--- /dev/null
@@ -0,0 +1,49 @@
+{
+  "subject_scopes": {
+    "role": [
+      "admin",
+      "dev"
+    ],
+    "subject_security_level": [
+      "high",
+      "medium",
+      "low"
+    ],
+    "domain": [
+      "ft",
+      "xx"
+    ]
+  },
+
+  "action_scopes": {
+    "resource_action": [
+      "vm_admin",
+      "vm_access",
+      "storage_admin",
+      "storage_access"
+    ],
+    "access": [
+      "write",
+      "read"
+    ]
+  },
+
+  "object_scopes": {
+    "object_security_level": [
+      "high",
+      "medium",
+      "low"
+      ],
+    "type": [
+      "computing",
+      "storage"
+    ],
+    "object_id": [
+      "servers",
+      "vm1",
+      "vm2",
+      "file1",
+      "file2"
+    ]
+  }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/assignment.json
new file mode 100644 (file)
index 0000000..24018a0
--- /dev/null
@@ -0,0 +1,7 @@
+{
+    "subject_assignments": {},
+
+    "action_assignments": {},
+
+    "object_assignments": {}
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metadata.json
new file mode 100644 (file)
index 0000000..3c9be2e
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "name": "Empty_Policy",
+    "model": "",
+    "genre": "admin",
+    "description": "Empty Policy",
+
+    "subject_categories": [],
+
+    "action_categories": [],
+
+    "object_categories": []
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/metarule.json
new file mode 100644 (file)
index 0000000..7acd884
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": [],
+                       "action_categories": [],
+                       "object_categories": [],
+                       "algorithm": ""
+               }
+       },
+       "aggregation": ""
+}
+
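Review bot: `"algorithm": ""` and `"aggregation": ""` leave this admin template with no named decision algorithm, and nothing in the commit shows how the PDP treats an empty name — rejection at load time, fail-closed, or fail-open are all possible. Since this is the `admin` genre, make the outcome explicit rather than relying on parsing behaviour, e.g. `"algorithm": "inclusion"` and `"aggregation": "all_true"` with the rule list left empty, so an empty rule set is evaluated by the same code path the populated templates use. The same two empty strings appear in policy_empty_authz/metarule.json.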
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/perimeter.json
new file mode 100644 (file)
index 0000000..54dbfc3
--- /dev/null
@@ -0,0 +1,39 @@
+{
+    "subjects": [],
+    "actions": [
+        "read",
+        "write"
+    ],
+    "objects": [
+        "authz.subjects",
+        "authz.objects",
+        "authz.actions",
+        "authz.subject_categories",
+        "authz.object_categories",
+        "authz.action_categories",
+        "authz.subject_scopes",
+        "authz.object_scopes",
+        "authz.action_scopes",
+        "authz.subject_assignments",
+        "authz.object_assignments",
+        "authz.action_assignments",
+        "authz.aggregation_algorithm",
+        "authz.sub_meta_rules",
+        "authz.rules",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_scopes",
+        "admin.object_scopes",
+        "admin.action_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/rule.json
new file mode 100644 (file)
index 0000000..fe4fae5
--- /dev/null
@@ -0,0 +1,3 @@
+{
+       "mls_rule":[]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_admin/scope.json
new file mode 100644 (file)
index 0000000..1efebe6
--- /dev/null
@@ -0,0 +1,7 @@
+{
+  "subject_scopes": {},
+
+  "action_scopes": {},
+
+  "object_scopes": {}
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/assignment.json
new file mode 100644 (file)
index 0000000..24018a0
--- /dev/null
@@ -0,0 +1,7 @@
+{
+    "subject_assignments": {},
+
+    "action_assignments": {},
+
+    "object_assignments": {}
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metadata.json
new file mode 100644 (file)
index 0000000..4f300d7
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "name": "MLS_Policy",
+    "model": "MLS",
+    "genre": "authz",
+    "description": "Multi Level Security Policy",
+
+    "subject_categories": [],
+
+    "action_categories": [],
+
+    "object_categories": []
+}
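Review bot: This template is named `"MLS_Policy"` with model `"MLS"` and description `"Multi Level Security Policy"`, identical to policy_mls_authz/metadata.json, even though its categories, scopes, rules and perimeter are all empty. The configuration API in this commit exposes templates by name and description, so two templates sharing a name make it easy to instantiate the empty one believing it is the real MLS policy. Give it a distinct name matching the admin counterpart, e.g. `"name": "Empty_Authz_Policy"` with `"description": "Empty authorization policy"`.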
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/metarule.json
new file mode 100644 (file)
index 0000000..7acd884
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": [],
+                       "action_categories": [],
+                       "object_categories": [],
+                       "algorithm": ""
+               }
+       },
+       "aggregation": ""
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/perimeter.json
new file mode 100644 (file)
index 0000000..9da8a8c
--- /dev/null
@@ -0,0 +1,5 @@
+{
+    "subjects": [],
+    "actions": [],
+    "objects": []
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/rule.json
new file mode 100644 (file)
index 0000000..fe4fae5
--- /dev/null
@@ -0,0 +1,3 @@
+{
+       "mls_rule":[]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_empty_authz/scope.json
new file mode 100644 (file)
index 0000000..1efebe6
--- /dev/null
@@ -0,0 +1,7 @@
+{
+  "subject_scopes": {},
+
+  "action_scopes": {},
+
+  "object_scopes": {}
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/assignment.json
new file mode 100644 (file)
index 0000000..0712dfb
--- /dev/null
@@ -0,0 +1,29 @@
+{
+    "subject_assignments": {
+        "subject_security_level":{
+                       "admin": ["high"],
+                       "demo": ["medium"]
+        }
+       },
+
+    "action_assignments": {
+        "resource_action":{
+                       "pause": ["vm_admin"],
+                       "unpause": ["vm_admin"],
+                       "start": ["vm_admin"],
+                       "stop": ["vm_admin"],
+                       "list": ["vm_access", "vm_admin"],
+                       "create": ["vm_admin"],
+                       "storage_list": ["storage_access"],
+                       "download": ["storage_access"],
+                       "post": ["storage_admin"],
+                       "upload": ["storage_admin"]
+        }
+       },
+
+    "object_assignments": {
+        "object_security_level": {
+            "servers": ["low"]
+        }
+    }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metadata.json
new file mode 100644 (file)
index 0000000..c419c81
--- /dev/null
@@ -0,0 +1,18 @@
+{
+    "name": "MLS_Policy",
+    "model": "MLS",
+    "genre": "authz",
+    "description": "Multi Level Security Policy",
+
+    "subject_categories": [
+        "subject_security_level"
+    ],
+
+    "action_categories": [
+        "resource_action"
+    ],
+
+    "object_categories": [
+        "object_security_level"
+    ]
+}
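Review bot: `pdp_pipeline` is absent here, while policy_authz/metadata.json (same `authz` genre) and policy_root/metadata.json declare one. If the orchestrator uses that list to decide which sub-meta-rules run, this template would load with no pipeline at all; if the key is optional and derived from metarule.json, the other templates should not need it either. Adding `"pdp_pipeline": ["authz:mls_rule"]` keeps the templates uniform whichever is the case.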
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/metarule.json
new file mode 100644 (file)
index 0000000..e068927
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": ["subject_security_level"],
+                       "action_categories": ["resource_action"],
+                       "object_categories": ["object_security_level"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/perimeter.json
new file mode 100644 (file)
index 0000000..47a8ee4
--- /dev/null
@@ -0,0 +1,21 @@
+{
+    "subjects": [
+        "admin",
+        "demo"
+    ],
+    "actions": [
+        "pause",
+        "unpause",
+        "start",
+        "stop",
+        "create",
+        "list",
+        "upload",
+        "download",
+        "post",
+        "storage_list"
+    ],
+    "objects": [
+        "servers"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/rule.json
new file mode 100644 (file)
index 0000000..b17dc82
--- /dev/null
@@ -0,0 +1,16 @@
+{
+       "mls_rule":[
+               ["high", "vm_admin", "medium"],
+               ["high", "vm_admin", "low"],
+               ["medium", "vm_admin", "low"],
+               ["high", "vm_access", "medium"],
+               ["high", "vm_access", "low"],
+               ["medium", "vm_access", "low"],
+               ["high", "storage_admin", "medium"],
+               ["high", "storage_admin", "low"],
+               ["medium", "storage_admin", "low"],
+               ["high", "storage_access", "medium"],
+               ["high", "storage_access", "low"],
+               ["medium", "storage_access", "low"]
+       ]
+}
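Review bot: Every `mls_rule` tuple pairs a subject level with a strictly lower object level, so a subject assigned `"low"` can never match any rule and even `"high"` subjects cannot act on `"high"` objects. With the sample assignment (`servers` → `low`, `demo` → `medium`) this is invisible, but it differs from policy_authz/rule.json, which includes `["high", "vm_access", "high"]`, `["medium", "vm_access", "medium"]` and `["low", "vm_access", "low"]`. If strict dominance is intended for this template, say so in its description; otherwise add the same-level tuples for `vm_access` and `storage_access`.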
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_mls_authz/scope.json
new file mode 100644 (file)
index 0000000..6cc1c28
--- /dev/null
@@ -0,0 +1,26 @@
+{
+  "subject_scopes": {
+    "subject_security_level": [
+      "high",
+      "medium",
+      "low"
+    ]
+  },
+
+  "action_scopes": {
+    "resource_action": [
+      "vm_admin",
+      "vm_access",
+      "storage_admin",
+      "storage_access"
+    ]
+  },
+
+  "object_scopes": {
+    "object_security_level": [
+      "high",
+      "medium",
+      "low"
+      ]
+  }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/assignment.json
new file mode 100644 (file)
index 0000000..f237833
--- /dev/null
@@ -0,0 +1,48 @@
+{
+    "subject_assignments": {
+        "role": {
+                       "admin": ["root_role"],
+            "demo": ["dev_role"]
+               }
+    },
+    "action_assignments": {
+        "action_id": {
+                       "read": ["read"],
+                       "write": ["write"]
+               }
+    },
+    "object_assignments": {
+        "object_id": { 
+                       "authz.subjects": ["authz.subjects"],
+            "authz.objects": ["authz.objects"],
+            "authz.actions": ["authz.actions"],
+            "authz.subject_categories": ["authz.subject_categories"],
+            "authz.object_categories": ["authz.object_categories"],
+            "authz.action_categories": ["authz.action_categories"],
+            "authz.subject_scopes": ["authz.subject_scopes"],
+            "authz.object_scopes": ["authz.object_scopes"],
+            "authz.action_scopes": ["authz.action_scopes"],
+            "authz.subject_assignments": ["authz.subject_assignments"],
+            "authz.object_assignments": ["authz.object_assignments"],
+            "authz.action_assignments": ["authz.action_assignments"],
+            "authz.aggregation_algorithm": ["authz.aggregation_algorithm"],
+            "authz.sub_meta_rules": ["authz.sub_meta_rules"],
+            "authz.rules": ["authz.rules"],
+                       "admin.subjects": ["admin.subjects"],
+            "admin.objects": ["admin.objects"],
+            "admin.actions": ["admin.actions"],
+            "admin.subject_categories": ["admin.subject_categories"],
+            "admin.object_categories": ["admin.object_categories"],
+            "admin.action_categories": ["admin.action_categories"],
+            "admin.subject_scopes": ["admin.subject_scopes"],
+            "admin.object_scopes": ["admin.object_scopes"],
+            "admin.action_scopes": ["admin.action_scopes"],
+            "admin.subject_assignments": ["admin.subject_assignments"],
+            "admin.object_assignments": ["admin.object_assignments"],
+            "admin.action_assignments": ["admin.action_assignments"],
+            "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+            "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+            "admin.rules": ["admin.rules"]
+               }
+    }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metadata.json
new file mode 100644 (file)
index 0000000..9ee8a11
--- /dev/null
@@ -0,0 +1,18 @@
+{
+    "name": "RBAC Admin Policy",
+    "model": "RBAC",
+    "genre": "admin",
+    "description": "",
+
+    "subject_categories": [
+        "role"
+    ],
+
+    "action_categories": [
+        "action_id"
+    ],
+
+    "object_categories": [
+        "object_id"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/metarule.json
new file mode 100644 (file)
index 0000000..86dbfad
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "rbac_rule": {
+                       "subject_categories": ["role"],
+                       "action_categories": ["action_id"],
+                       "object_categories": ["object_id"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/perimeter.json
new file mode 100644 (file)
index 0000000..1155533
--- /dev/null
@@ -0,0 +1,42 @@
+{
+    "subjects": [
+        "admin",
+        "demo"
+    ],
+    "actions": [
+        "read",
+        "write"
+    ],
+    "objects": [
+        "authz.subjects",
+        "authz.objects",
+        "authz.actions",
+        "authz.subject_categories",
+        "authz.object_categories",
+        "authz.action_categories",
+        "authz.subject_scopes",
+        "authz.object_scopes",
+        "authz.action_scopes",
+        "authz.subject_assignments",
+        "authz.object_assignments",
+        "authz.action_assignments",
+        "authz.aggregation_algorithm",
+        "authz.sub_meta_rules",
+        "authz.rules",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_scopes",
+        "admin.object_scopes",
+        "admin.action_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/rule.json
new file mode 100644 (file)
index 0000000..c89ceff
--- /dev/null
@@ -0,0 +1,94 @@
+{
+  "rbac_rule":[
+    ["root_role" , "read", "authz.subjects"],
+    ["root_role" , "read", "authz.objects"],
+    ["root_role" , "read", "authz.actions"],
+    ["root_role" , "read", "authz.subject_categories"],
+    ["root_role" , "read", "authz.object_categories"],
+    ["root_role" , "read", "authz.action_categories"],
+    ["root_role" , "read", "authz.subject_scopes"],
+    ["root_role" , "read", "authz.object_scopes"],
+    ["root_role" , "read", "authz.action_scopes"],
+    ["root_role" , "read", "authz.subject_assignments"],
+    ["root_role" , "read", "authz.object_assignments"],
+    ["root_role" , "read", "authz.action_assignments"],
+    ["root_role" , "read", "authz.aggregation_algorithm"],
+    ["root_role" , "read", "authz.sub_meta_rules"],    
+    ["root_role" , "read", "authz.rules"],
+    ["root_role" , "write", "authz.subjects"],
+    ["root_role" , "write", "authz.objects"],
+    ["root_role" , "write", "authz.actions"],
+    ["root_role" , "write", "authz.subject_categories"],
+    ["root_role" , "write", "authz.object_categories"],
+    ["root_role" , "write", "authz.action_categories"],
+    ["root_role" , "write", "authz.subject_scopes"],
+    ["root_role" , "write", "authz.object_scopes"],
+    ["root_role" , "write", "authz.action_scopes"],
+    ["root_role" , "write", "authz.subject_assignments"],
+    ["root_role" , "write", "authz.object_assignments"],
+    ["root_role" , "write", "authz.action_assignments"],
+    ["root_role" , "write", "authz.aggregation_algorithm"],
+    ["root_role" , "write", "authz.sub_meta_rules"],    
+    ["root_role" , "write", "authz.rules"], 
+    ["root_role" , "read", "admin.subjects"],
+    ["root_role" , "read", "admin.objects"],
+    ["root_role" , "read", "admin.actions"],
+    ["root_role" , "read", "admin.subject_categories"],
+    ["root_role" , "read", "admin.object_categories"],
+    ["root_role" , "read", "admin.action_categories"],
+    ["root_role" , "read", "admin.subject_scopes"],
+    ["root_role" , "read", "admin.object_scopes"],
+    ["root_role" , "read", "admin.action_scopes"],
+    ["root_role" , "read", "admin.subject_assignments"],
+    ["root_role" , "read", "admin.object_assignments"],
+    ["root_role" , "read", "admin.action_assignments"],
+    ["root_role" , "read", "admin.aggregation_algorithm"],
+    ["root_role" , "read", "admin.sub_meta_rules"],    
+    ["root_role" , "read", "admin.rules"],
+    ["root_role" , "write", "admin.subjects"],
+    ["root_role" , "write", "admin.objects"],
+    ["root_role" , "write", "admin.actions"],
+    ["root_role" , "write", "admin.subject_categories"],
+    ["root_role" , "write", "admin.object_categories"],
+    ["root_role" , "write", "admin.action_categories"],
+    ["root_role" , "write", "admin.subject_scopes"],
+    ["root_role" , "write", "admin.object_scopes"],
+    ["root_role" , "write", "admin.action_scopes"],
+    ["root_role" , "write", "admin.subject_assignments"],
+    ["root_role" , "write", "admin.object_assignments"],
+    ["root_role" , "write", "admin.action_assignments"],
+    ["root_role" , "write", "admin.aggregation_algorithm"],
+    ["root_role" , "write", "admin.sub_meta_rules"],    
+    ["root_role" , "write", "admin.rules"],
+    ["dev_role" , "read", "authz.subjects"],
+    ["dev_role" , "read", "authz.objects"],
+    ["dev_role" , "read", "authz.actions"],
+    ["dev_role" , "read", "authz.subject_categories"],
+    ["dev_role" , "read", "authz.object_categories"],
+    ["dev_role" , "read", "authz.action_categories"],
+    ["dev_role" , "read", "authz.subject_scopes"],
+    ["dev_role" , "read", "authz.object_scopes"],
+    ["dev_role" , "read", "authz.action_scopes"],
+    ["dev_role" , "read", "authz.subject_assignments"],
+    ["dev_role" , "read", "authz.object_assignments"],
+    ["dev_role" , "read", "authz.action_assignments"],
+    ["dev_role" , "read", "authz.aggregation_algorithm"],
+    ["dev_role" , "read", "authz.sub_meta_rules"],
+    ["dev_role" , "read", "authz.rules"],
+    ["dev_role" , "read", "admin.subjects"],
+    ["dev_role" , "read", "admin.objects"],
+    ["dev_role" , "read", "admin.actions"],
+    ["dev_role" , "read", "admin.subject_categories"],
+    ["dev_role" , "read", "admin.object_categories"],
+    ["dev_role" , "read", "admin.action_categories"],
+    ["dev_role" , "read", "admin.subject_scopes"],
+    ["dev_role" , "read", "admin.object_scopes"],
+    ["dev_role" , "read", "admin.action_scopes"],
+    ["dev_role" , "read", "admin.subject_assignments"],
+    ["dev_role" , "read", "admin.object_assignments"],
+    ["dev_role" , "read", "admin.action_assignments"],
+    ["dev_role" , "read", "admin.aggregation_algorithm"],
+    ["dev_role" , "read", "admin.sub_meta_rules"],
+    ["dev_role" , "read", "admin.rules"]
+  ]
+}
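Review bot: `dev_role` is granted `read` on every `admin.*` object, including `admin.subject_assignments`, `admin.sub_meta_rules` and `admin.rules`, so a subject mapped to `dev_role` (here `demo`, per this policy's assignment.json) can enumerate the full administrative policy and who holds `root_role`. If the intent is only to let developers inspect the authorization policy they are subject to, restrict the dev tuples to the `authz.*` objects and drop the `admin.*` read tuples. If reading the admin policy is deliberate for the demo, a note in the README would stop this being copied into production templates.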
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_rbac_admin/scope.json
new file mode 100644 (file)
index 0000000..149056a
--- /dev/null
@@ -0,0 +1,48 @@
+{
+    "subject_scopes": {
+        "role": [
+            "root_role",
+            "dev_role"
+        ]
+    },
+    "action_scopes": {
+        "action_id": [
+            "read",
+            "write"
+        ]
+    },
+    "object_scopes": {
+        "object_id": [
+            "authz.subjects",
+            "authz.objects",
+            "authz.actions",
+            "authz.subject_categories",
+            "authz.object_categories",
+            "authz.action_categories",
+            "authz.subject_scopes",
+            "authz.object_scopes",
+            "authz.action_scopes",
+            "authz.subject_assignments",
+            "authz.object_assignments",
+            "authz.action_assignments",
+            "authz.aggregation_algorithm",
+            "authz.sub_meta_rules",
+            "authz.rules",
+            "admin.subjects",
+            "admin.objects",
+            "admin.actions",
+            "admin.subject_categories",
+            "admin.object_categories",
+            "admin.action_categories",
+            "admin.subject_scopes",
+            "admin.object_scopes",
+            "admin.action_scopes",
+            "admin.subject_assignments",
+            "admin.object_assignments",
+            "admin.action_assignments",
+            "admin.aggregation_algorithm",
+            "admin.sub_meta_rules",
+            "admin.rules"
+        ]
+    }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json b/moonv4/moon_orchestrator/conf/policies/policy_root/assignment.json
new file mode 100644 (file)
index 0000000..e849ae1
--- /dev/null
@@ -0,0 +1,39 @@
+{
+    "subject_assignments": {
+        "role": {
+                       "admin": ["root_role"]
+               }
+    },
+
+    "action_assignments": {
+        "action_id": {
+                       "read": ["read"],
+                       "write": ["write"]
+               }
+    },
+
+    "object_assignments": {
+        "object_id": {
+            "templates": ["templates"],
+                   "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"],
+                   "aggregation_algorithms": ["aggregation_algorithms"],
+            "tenants": ["tenants"],
+            "intra_extensions": ["intra_extensions"],
+            "admin.subjects": ["admin.subjects"],
+            "admin.objects": ["admin.objects"],
+            "admin.actions": ["admin.actions"],
+            "admin.subject_categories": ["admin.subject_categories"],
+            "admin.object_categories": ["admin.object_categories"],
+            "admin.action_categories": ["admin.action_categories"],
+            "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+            "admin.object_category_scopes": ["admin.object_category_scopes"],
+            "admin.action_category_scopes": ["admin.action_category_scopes"],
+            "admin.subject_assignments": ["admin.subject_assignments"],
+            "admin.object_assignments": ["admin.object_assignments"],
+            "admin.action_assignments": ["admin.action_assignments"],
+            "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+            "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+            "admin.rules": ["admin.rules"]
+               }
+    }
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json b/moonv4/moon_orchestrator/conf/policies/policy_root/metadata.json
new file mode 100644 (file)
index 0000000..9dd7a92
--- /dev/null
@@ -0,0 +1,19 @@
+{
+    "name": "Root Policy",
+    "model": "RBAC",
+    "genre": "admin",
+    "description": "root extension",
+    "pdp_pipeline": ["authz:rbac_rule"],
+
+    "subject_categories": [
+        "role"
+    ],
+
+    "action_categories": [
+        "action_id"
+    ],
+
+    "object_categories": [
+        "object_id"
+    ]
+}
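Review bot: The root template is `"genre": "admin"` but its `pdp_pipeline` entry is `"authz:rbac_rule"`, the same prefix used by the `authz`-genre policy_authz template, while policy_rbac_admin, the other admin-genre template, declares no pipeline at all. If the prefix selects the genre or the engine that evaluates the sub-meta-rule, this should read `"pdp_pipeline": ["admin:rbac_rule"]`; if it is only a label, the three templates should at least follow one convention.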
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json b/moonv4/moon_orchestrator/conf/policies/policy_root/metarule.json
new file mode 100644 (file)
index 0000000..86dbfad
--- /dev/null
@@ -0,0 +1,12 @@
+{
+    "sub_meta_rules": {
+               "rbac_rule": {
+                       "subject_categories": ["role"],
+                       "action_categories": ["action_id"],
+                       "object_categories": ["object_id"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json b/moonv4/moon_orchestrator/conf/policies/policy_root/perimeter.json
new file mode 100644 (file)
index 0000000..788a27f
--- /dev/null
@@ -0,0 +1,31 @@
+{
+    "subjects": [
+        "admin"
+    ],
+    "actions": [
+        "read",
+        "write"
+    ],
+    "objects": [
+        "templates",
+        "aggregation_algorithms",
+        "sub_meta_rule_algorithms",
+        "tenants",
+        "intra_extensions",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_category_scopes",
+        "admin.object_category_scopes",
+        "admin.action_category_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+    ]
+}
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json b/moonv4/moon_orchestrator/conf/policies/policy_root/rule.json
new file mode 100644 (file)
index 0000000..9bbd5e4
--- /dev/null
@@ -0,0 +1,44 @@
+{
+    "rbac_rule":[
+        ["root_role" , "read", "templates"],
+        ["root_role" , "read", "aggregation_algorithms"],
+        ["root_role" , "read", "sub_meta_rule_algorithms"],
+        ["root_role" , "read", "tenants"],
+        ["root_role" , "read", "intra_extensions"],
+        ["root_role" , "write", "templates"],
+        ["root_role" , "write", "aggregation_algorithms"],
+        ["root_role" , "write", "sub_meta_rule_algorithms"],
+        ["root_role" , "write", "tenants"],
+        ["root_role" , "write", "intra_extensions"],
+        ["root_role" , "read", "admin.subjects"],
+        ["root_role" , "read", "admin.objects"],
+        ["root_role" , "read", "admin.actions"],
+        ["root_role" , "read", "admin.subject_categories"],
+        ["root_role" , "read", "admin.object_categories"],
+        ["root_role" , "read", "admin.action_categories"],
+        ["root_role" , "read", "admin.subject_category_scopes"],
+        ["root_role" , "read", "admin.object_category_scopes"],
+        ["root_role" , "read", "admin.action_category_scopes"],
+        ["root_role" , "read", "admin.subject_assignments"],
+        ["root_role" , "read", "admin.object_assignments"],
+        ["root_role" , "read", "admin.action_assignments"],
+        ["root_role" , "read", "admin.aggregation_algorithm"],
+        ["root_role" , "read", "admin.sub_meta_rules"],
+        ["root_role" , "read", "admin.rules"],
+        ["root_role" , "write", "admin.subjects"],
+        ["root_role" , "write", "admin.objects"],
+        ["root_role" , "write", "admin.actions"],
+        ["root_role" , "write", "admin.subject_categories"],
+        ["root_role" , "write", "admin.object_categories"],
+        ["root_role" , "write", "admin.action_categories"],
+        ["root_role" , "write", "admin.subject_category_scopes"],
+        ["root_role" , "write", "admin.object_category_scopes"],
+        ["root_role" , "write", "admin.action_category_scopes"],
+        ["root_role" , "write", "admin.subject_assignments"],
+        ["root_role" , "write", "admin.object_assignments"],
+        ["root_role" , "write", "admin.action_assignments"],
+        ["root_role" , "write", "admin.aggregation_algorithm"],
+        ["root_role" , "write", "admin.sub_meta_rules"],
+        ["root_role" , "write", "admin.rules"]
+    ]
+}
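Review bot: The scope objects are named `admin.subject_category_scopes`, `admin.object_category_scopes` and `admin.action_category_scopes` here (and in this policy's perimeter, assignment and scope files), whereas policy_rbac_admin and policy_empty_admin name the same resources `admin.subject_scopes`, `admin.object_scopes` and `admin.action_scopes`. The enforcement point can only ask for one of these names, so for one of the two policies the scope objects will never match a rule — denying root scope management under a fail-closed PDP, or leaving it uncontrolled under a fail-open one. Pick one identifier and use it in all four policy_root files, e.g. `["root_role" , "read", "admin.subject_scopes"]` and `["root_role" , "write", "admin.subject_scopes"]`, likewise for object and action scopes.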
diff --git a/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json b/moonv4/moon_orchestrator/conf/policies/policy_root/scope.json
new file mode 100644 (file)
index 0000000..43f9ced
--- /dev/null
@@ -0,0 +1,39 @@
+{
+  "subject_scopes": {
+    "role": [
+      "root_role"
+    ]
+  },
+
+  "action_scopes": {
+    "action_id": [
+      "read",
+      "write"
+    ]
+  },
+
+  "object_scopes": {
+    "object_id": [
+        "templates",
+        "aggregation_algorithms",
+        "sub_meta_rule_algorithms",
+        "tenants",
+        "intra_extensions",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_category_scopes",
+        "admin.object_category_scopes",
+        "admin.action_category_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+      ]
+    }
+}
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__init__.py b/moonv4/moon_orchestrator/moon_orchestrator/__init__.py
new file mode 100644 (file)
index 0000000..903c651
--- /dev/null
@@ -0,0 +1,6 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+__version__ = "0.1.0"
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/__main__.py b/moonv4/moon_orchestrator/moon_orchestrator/__main__.py
new file mode 100644 (file)
index 0000000..b1feff4
--- /dev/null
@@ -0,0 +1,3 @@
+from moon_orchestrator.server import main
+
+main()
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py b/moonv4/moon_orchestrator/moon_orchestrator/api/__init__.py
new file mode 100644 (file)
index 0000000..e69de29
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py b/moonv4/moon_orchestrator/moon_orchestrator/api/configuration.py
new file mode 100644 (file)
index 0000000..36c1f60
--- /dev/null
@@ -0,0 +1,63 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import json
+from oslo_config import cfg
+from oslo_log import log as logging
+from moon_db.core import IntraExtensionRootManager
+from moon_db.core import ConfigurationManager
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+
+class Configuration(object):
+    """
+    Retrieve the global configuration.
+    """
+
+    __version__ = "0.1.0"
+
+    def get_policy_templates(self, ctx, args):
+        """List all policy templates
+
+        :param ctx: {"id": "intra_extension_id"}
+        :param args: {}
+        :return: {
+            "template_id": {
+            "name": "name of the template",
+            "description": "description of the template",
+        }
+        """
+        templates = ConfigurationManager.get_policy_templates_dict(ctx["user_id"])
+        return {"policy_templates": templates}
+
+    def get_aggregation_algorithms(self, ctx, args):
+        """List all aggregation algorithms
+
+        :param ctx: {"id": "intra_extension_id"}
+        :param args: {}
+        :return: {
+            "algorithm_id": {
+                "name": "name of the algorithm",
+                "description": "description of the algorithm",
+            }
+        }
+        """
+        return {'aggregation_algorithms': ConfigurationManager.get_aggregation_algorithms_dict(ctx["user_id"])}
+
+    def get_sub_meta_rule_algorithms(self, ctx, args):
+        """List all sub meta rule algorithms
+
+        :param ctx: {"id": "intra_extension_id"}
+        :param args: {}
+        :return: {
+            "algorithm_id": {
+                "name": "name of the algorithm",
+                "description": "description of the algorithm",
+            }
+        }
+        """
+        return {'sub_meta_rule_algorithms': ConfigurationManager.get_sub_meta_rule_algorithms_dict(ctx["user_id"])}
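Review bot: All three methods index `ctx["user_id"]`, but every docstring describes `ctx` as `{"id": "intra_extension_id"}`, so a caller following the docstring gets a KeyError rather than an error reply; either document `user_id` as the required key or read it with `ctx.get("user_id")` and return an error dict as the container endpoint does. `json` and `IntraExtensionRootManager` are imported but never used in this module. `args` is accepted by every method and never read; if the RPC dispatcher always supplies it, the docstrings could say so instead of listing `{}`.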
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/containers.py b/moonv4/moon_orchestrator/moon_orchestrator/api/containers.py
new file mode 100644 (file)
index 0000000..3572d61
--- /dev/null
@@ -0,0 +1,152 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import hashlib
+from oslo_config import cfg
+from oslo_log import log as logging
+# from moon_db.core import IntraExtensionRootManager
+# from moon_db.core import ConfigurationManager
+from moon_utilities.security_functions import call
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+
+class Containers(object):
+    """
+    Manage containers.
+    """
+
+    __version__ = "0.1.0"
+
+    def __init__(self, docker_manager):
+        self.docker_manager = docker_manager
+        self.components = dict()
+        for pdp_key, pdp_value in call("moon_manager", method="get_pdp",
+                                       ctx={"user_id": "admin", "id": None})["pdps"].items():
+            self.add_container(ctx={"id": pdp_key, "pipeline": pdp_value["security_pipeline"]})
+
+            # for _ext_id, _ext_value in self.__get_pdp({"user_id": "admin"}, None)["intra_extensions"].items():
+        #     self.docker_manager.load(component="policy", uuid=_ext_id)
+        #     # FIXME (asteroide): there may be other security_function here (delegation, ...)
+        #     LOG.info("ADDING Containers {}".format(_ext_value))
+        #     self.docker_manager.load(component="function", uuid="{}_{}_{}".format("authz", "rbac_rule", _ext_id))
+
+    # def __get_pdp(self, ctx, args=None):
+    #     """Get information about all pdp
+    #
+    #     :param ctx: {
+    #         "user_id": "uuid of a user",
+    #         "id": "uuid of a tenant or an intra_extension"
+    #     }
+    #     :param args: {}
+    #     :return: {
+    #         "intra_extension_id": {
+    #             "name": "name of the intra extension",
+    #             "model": "model of the intra extension",
+    #             "genre": "genre of the intra extension",
+    #             "description": "description of the intra-extension"
+    #         }
+    #     }
+    #     """
+    #     # TODO (asteroide): check if ctx["id"] is a tenant UUID or an intra_extension UUID.
+    #     _ext = IntraExtensionRootManager.get_intra_extensions_dict(ctx["user_id"])
+    #     if ctx and "id" in ctx and ctx["id"]:
+    #         if ctx["id"] in _ext:
+    #             return {"pdp": {ctx["id"]: _ext[ctx["id"]]}}
+    #         return {"error": "No pdp with id {}".format(ctx["id"])}
+    #     return {"pdp": _ext}
+
+    def get_container(self, ctx, args=None):
+        uuid = ctx.get("id")
+        keystone_project_id = ctx.get("keystone_project_id")
+        # _containers = self.docker_manager.get_component(uuid=uuid)
+        # LOG.info("containers={}".format(_containers))
+        if uuid:
+            return self.components[uuid]
+        elif keystone_project_id:
+            for container_id, container_value in self.components.items():
+                if container_value['keystone_project_id'] == keystone_project_id:
+                    return {container_id: container_value}
+            else:
+                return {}
+        return {"containers": self.components}
+
+    def add_container(self, ctx, args=None):
+        """Add containers linked to an intra-extension
+
+        :param ctx: {"id": "intra_extension_uuid"}
+        :param args: {}
+        :return: {
+            "container_id1": {"status": True},
+            "container_id2": {"status": True},
+        }
+        """
+        LOG.info("add_container {}".format(ctx))
+        pdp = call("moon_manager", method="get_pdp",
+                   ctx={"user_id": "admin", "id": ctx["id"]},
+                   args={})["pdps"]
+        pdp_id = list(pdp.keys())[0]
+        if not pdp[pdp_id]["keystone_project_id"]:
+            return {"result": "False", "message": "Cannot find keystone_project_id in pdp"}
+        keystone_project_id = pdp[pdp_id]["keystone_project_id"]
+        self.components[ctx["id"]] = []
+        for policy_key, policy_value in call("moon_manager", method="get_policies",
+                                             ctx={"user_id": "admin", "id": None},
+                                             args={})["policies"].items():
+            if policy_key in ctx["pipeline"]:
+                models = call("moon_manager", method="get_models",
+                              ctx={"user_id": "admin", "id": None},
+                              args={})["models"]
+                for meta_rule in models[policy_value['model_id']]['meta_rules']:
+                    genre = policy_value['genre']
+                    pre_container_id = "pdp:{}_metarule:{}_project:{}".format(ctx["id"], meta_rule, keystone_project_id)
+                    policy_component = self.docker_manager.load(component=genre,
+                                                                uuid=pre_container_id)
+                    self.components[ctx["id"]].append({
+                        "meta_rule_id": meta_rule,
+                        "genre": policy_value['genre'],
+                        "keystone_project_id": keystone_project_id,
+                        "container_id": "authz_"+hashlib.sha224(pre_container_id.encode("utf-8")).hexdigest()
+                    })
+        return {"containers": self.components[ctx["id"]]}
+        # function_components = []
+        # for pdp in ctx['pdp_pipeline']:
+        #     key, value = pdp.split(":")
+        #     LOG.info("add_container {}:{}".format(key, value))
+        #     function_components.append(self.docker_manager.load(component="function",
+        #                                                         uuid="{}_{}_{}".format(key, value, ctx["id"])))
+        # containers = dict()
+        # containers[policy_component.id] = policy_component.get_status()
+        # for component in function_components:
+        #     containers[component.id] = component.get_status()
+        # return {"containers": containers}
+
+    def delete_container(self, ctx, args=None):
+        """Delete a container
+
+        :param ctx: {"id": "intra_extension_uuid"}
+        :param args: {}
+        :return: {}
+        """
+        try:
+            self.docker_manager.kill(component_id="moon_secpolicy_"+ctx["id"])
+            try:
+                # FIXME (asteroide): need to select other security_function here
+                self.docker_manager.kill(component_id="moon_secfunction_authz_"+ctx["id"])
+            except Exception as e:
+                LOG.error(e, exc_info=True)
+                return {"result": True,
+                        "error": {'code': 200, 'title': 'Moon Warning', 'description': str(e)},
+                        "intra_extension_id": ctx["id"],
+                        "ctx": ctx, "args": args}
+        except Exception as e:
+            LOG.error(e, exc_info=True)
+            return {"result": False,
+                    "error": {'code': 500, 'title': 'Moon Error', 'description': str(e)},
+                    "intra_extension_id": ctx["id"],
+                    "ctx": ctx, "args": args}
+        return {"result": True}
+
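Review bot: `delete_container` kills `"moon_secpolicy_" + ctx["id"]` and `"moon_secfunction_authz_" + ctx["id"]`, but `add_container` starts components under `pre_container_id = "pdp:…_metarule:…_project:…"` and records a `container_id` of `"authz_" + sha224(...)`, so the delete path can never match what the add path created, and the `self.components[ctx["id"]]` entry is not removed on delete either. `get_container` is inconsistent with the data it reads: `self.components` values are lists (`self.components[ctx["id"]] = []` followed by `.append`), so `container_value['keystone_project_id']` in the keystone_project_id branch raises TypeError, and `self.components[uuid]` raises KeyError for an unknown id instead of returning an error dict. Every call into moon_manager is made with `ctx={"user_id": "admin"}` regardless of who invoked the orchestrator, so any client that can reach this RPC endpoint acts with admin rights on the manager; at minimum forward the caller's `ctx.get("user_id")`, or state in the class docstring that the message bus is the trust boundary. `pdp_id = list(pdp.keys())[0]` also raises IndexError when the manager returns no pdp for the requested id, which is the one case the `keystone_project_id` check below it is trying to report.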
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py b/moonv4/moon_orchestrator/moon_orchestrator/api/generic.py
new file mode 100644 (file)
index 0000000..cadd98d
--- /dev/null
@@ -0,0 +1,29 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+
+class Status(object):
+    """
+    Retrieve the current status of all components.
+    """
+
+    __version__ = "0.1.0"
+
+    def get_status(self, ctx, args):
+        """Retrieve the current status of all components."""
+        return {"status": "Running"}
+
+
+class Logs(object):
+    """
+    Retrieve the current status of all components.
+    """
+
+    __version__ = "0.1.0"
+
+    def get_logs(self, ctx, args):
+        return {"error": "NotImplemented", "ctx": ctx, "args": args}
+
+
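Review bot: `Status.get_status` returns the constant `{"status": "Running"}` while its docstring claims it retrieves the status of all components; either poll the components (the messenger assigns them to `Status._container`, which this class never reads) or reword it to `"""Liveness probe: report that the orchestrator RPC server is up."""`. `Logs` carries the same copy-pasted docstring and should say it is a not-yet-implemented log retrieval endpoint. `get_logs` echoes the caller's full `ctx` and `args` back in the reply; harmless for a stub, but worth dropping before the endpoint is wired to real callers.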
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py b/moonv4/moon_orchestrator/moon_orchestrator/api/slaves.py
new file mode 100644 (file)
index 0000000..66ddf25
--- /dev/null
@@ -0,0 +1,76 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_config import cfg
+from oslo_log import log as logging
+from uuid import uuid4
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+
+class Slaves(object):
+    """
+    Manage containers.
+    """
+
+    __version__ = "0.1.0"
+
+    def __init__(self, slaves):
+        self.slaves = slaves
+
+    def add_slave(self, ctx, args=None):
+        """Add a new slave in the global list
+
+        :param ctx: {
+            "name": "name of the slave",
+            "description": "description"
+        }
+        :param args: {}
+        :return: {
+            "uuid_of_the_slave": {
+                "name": "name of the slave",
+                "description": "description"
+            }
+        }
+        """
+        if "name" in ctx:
+            for _id, _dict in self.slaves.items():
+                if _dict['name'] == ctx['name']:
+                    LOG.warning("A slave named {} already exists!".format(ctx['name']))
+                    return {"slaves": {_id: _dict}}
+            uuid = uuid4().hex
+            ctx.pop("method")
+            ctx.pop("call_master")
+            self.slaves[uuid] = ctx
+            return {"slaves": {uuid: ctx}}
+
+    def get_slaves(self, ctx, args=None):
+        """Get all the known slaves
+
+        :param ctx: {}
+        :param args: {}
+        :return: {
+            "uuid_of_the_slave": {
+                "name": "name of the slave",
+                "description": "description"
+            }
+        }
+        """
+        return {"slaves": self.slaves}
+
+    def delete_slave(self, ctx, args=None):
+        """Delete a previous slave in the global list
+
+        :param ctx: {
+            "id": "ID of the slave"
+        }
+        :param args: {}
+        :return: None
+        """
+        if "id" in ctx:
+            if ctx['id'] in self.slaves:
+                self.slaves.pop(ctx['id'])
+        return {"slaves": self.slaves}
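Review bot: `add_slave` stores the caller-supplied `ctx` dict verbatim as the slave record and hands it back to every `get_slaves` caller, and `ctx.pop("method")` / `ctx.pop("call_master")` raise KeyError when those keys are absent. Build the record from the documented fields instead, `self.slaves[uuid] = {"name": ctx["name"], "description": ctx.get("description", "")}`, which removes both the pops and any unexpected keys. When `"name"` is missing the method falls off the end and returns None, unlike `delete_slave`, which always returns the slaves dict; returning an error dict keeps the reply shape uniform. The duplicate-name branch warns and returns the existing entry with no error indicator, so a caller cannot distinguish a freshly added slave from a silently reused one.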
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/dockers.py b/moonv4/moon_orchestrator/moon_orchestrator/dockers.py
new file mode 100644 (file)
index 0000000..2eecdc0
--- /dev/null
@@ -0,0 +1,191 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import json
+import glob
+import uuid
+import shutil
+import errno
+from uuid import uuid4
+from oslo_config import cfg
+from oslo_log import log as logging
+from jinja2 import FileSystemLoader, Environment
+from moon_utilities.options import get_docker_template_dir
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+TEMPLATES_FOLDER = get_docker_template_dir()
+
+
+class DockerBase:
+
+    docker = None
+    image_id = None
+    tag = 'moon/component'
+    tmp_dir = os.path.join("/tmp", uuid.uuid4().hex)
+    name = ""
+    __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install --upgrade -r requirements.txt
+RUN pip3 install --upgrade .
+"""
+
+    def __init__(self,
+                 name,
+                 run_cmd,
+                 host=None,
+                 build_cmd=None,
+                 conf_file="",
+                 id=None,
+                 docker=None,
+                 network_config=None,
+                 tag="",
+                 port=None
+                 ):
+        self.conf_file = conf_file
+        self.docker = docker
+        self.network_config = network_config
+        self.name = name
+        self.id = id if id else name + "_" + uuid4().hex
+        self.tag = "moon/{}".format(name)
+        self.build_cmd = build_cmd if build_cmd else self.__build
+        self.run_cmd = run_cmd
+        self.host = host
+        self.docker_id = id
+        self.port = port
+        containers = self.docker.containers()
+        if self.id not in map(lambda x: x['Id'], containers):
+            self.create_container(tag)
+            self.run_docker()
+        else:
+            LOG.info("Component {} already running...".format(name))
+
+    def create_container(self, container=None):
+        if not container:
+            proxy = CONF.proxy
+            if CONF.proxy:
+                proxy = "ENV http_proxy {0}\nENV https_proxy {0}\n".format(CONF.proxy)
+            run = self.build_cmd.format(
+                py_pkg=self.__get_last_version_of_pkg(self.name).replace(".tar.gz", "").replace("dist/", ""),
+                port=self.port
+            )
+            docker_str = self.__get_template().render(run=run, cmd=self.run_cmd, proxy=proxy)
+            self.__create_tmp_dir(docker_str)
+            self.create_docker(docker_str)
+        else:
+            self.tag = container
+
+    def __create_tmp_dir(self, docker_str):
+        try:
+            os.mkdir(self.tmp_dir)
+        except OSError as e:
+            LOG.warning("Problem when creating temporary directory ({})".format(e))
+
+        try:
+            os.mkdir(os.path.join(self.tmp_dir, "dist"))
+        except OSError as e:
+            LOG.warning("Problem when creating temporary directory ({})".format(e))
+        for _file in glob.glob("{}/*".format(CONF.dist_dir)):
+            LOG.info("Copying {}".format(_file))
+            shutil.copy(_file, os.path.join(self.tmp_dir, "dist"))
+
+        try:
+            shutil.copytree(os.path.dirname(self.conf_file), os.path.join(self.tmp_dir, "conf"))
+        except OSError as exc:
+            if exc.errno == errno.ENOTDIR:
+                shutil.copy(os.path.dirname(self.conf_file), os.path.join(self.tmp_dir, "conf"))
+            elif exc.errno == errno.EEXIST:
+                pass
+            else:
+                LOG.info("exc.errno = {}".format(exc.errno))
+                raise
+
+        open("{}/Dockerfile".format(self.tmp_dir), "w").write(docker_str)
+
+    def __get_docker_network(self, name="moon"):
+        if self.host:
+            return self.docker.create_networking_config({
+                name: self.docker.create_endpoint_config(
+                    aliases=[self.id, ],
+                    ipv4_address=self.host,
+                )
+            })
+        else:
+            return self.docker.create_networking_config({
+                name: self.docker.create_endpoint_config(
+                    aliases=[self.id, ]
+                )
+            })
+
+    @staticmethod
+    def __get_last_version_of_pkg(name):
+        files = []
+        for filename in glob.glob("{}/{}*".format(CONF.dist_dir, name)):
+            files.append(filename)
+        files.sort()
+        try:
+            return os.path.basename(files[-1])
+        except Exception as e:
+            LOG.error("__get_last_version_of_pkg {}/{}*".format(CONF.dist_dir, name))
+            raise e
+
+    def run_docker(self):
+        LOG.info("run_docker hostname={}".format(self.id.replace("_", "-")))
+        if self.port:
+            host_config = self.docker.create_host_config(port_bindings={
+                self.port: self.port
+            })
+        else:
+            host_config = self.docker.create_host_config()
+
+        output = self.docker.create_container(image=self.tag,
+                                              command=list(self.run_cmd),
+                                              hostname=str(self.id.replace("_", "-")),
+                                              name=str(self.id),
+                                              networking_config=self.__get_docker_network(),
+                                              host_config=host_config
+                                              )
+        container_data = self.docker.inspect_container(output['Id'])
+        name = container_data["Name"]
+        LOG.info("Running container {} with ID {}".format(self.tag, output))
+        LOG.info("output id = {}".format(output['Id']))
+        self.docker.start(container=output['Id'])
+        LOG.info("Running container output {}".format(self.docker.logs(
+            container=name,
+            # stdout=True,
+            # stderr=True
+        ).decode("utf-8")))
+        self.name = name
+        self.docker_id = output['Id']
+
+    def create_docker(self, docker_str):
+        # f = BytesIO(docker_str.encode('utf-8'))
+        LOG.info("Building {}".format(self.tmp_dir))
+        # TODO (dthom): halt on built errors (or emit a log)
+        _output = self.docker.build(path=self.tmp_dir, rm=True, tag=self.tag)
+        # _output = self.cli.build(fileobj=f, rm=True, tag=self.tag, stream=True)
+        for line in _output:
+            jline = json.loads(line.decode("utf-8"))
+            if "stream" in jline:
+                LOG.info("\033[33m" + jline["stream"].strip() + "\033[m")
+            else:
+                LOG.info("\033[33m" + str(jline).strip() + "\033[m")
+        else:
+            LOG.debug(_output)
+        LOG.info("tag = {}".format(self.tag))
+        LOG.info("images = {}".format(self.docker.images(name=self.tag)))
+        self.image_id = self.docker.images(name=self.tag)[0]['Id']
+
+    @staticmethod
+    def __get_template(filename="template.dockerfile"):
+        simple_loader = FileSystemLoader(TEMPLATES_FOLDER)
+        env = Environment(loader=simple_loader)
+        return env.get_template(filename)
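Review bot: `tmp_dir` is a class attribute computed once at import (`os.path.join("/tmp", uuid.uuid4().hex)`), so every DockerBase instance in the process builds in the same directory; on the second build `os.mkdir` only warns, and `__create_tmp_dir` swallows `EEXIST` from `shutil.copytree`, so the previous component's `conf/` stays in place and is baked into the next image. Allocate a fresh directory per build with `self.tmp_dir = tempfile.mkdtemp(prefix="moon_")` at the top of `__create_tmp_dir` (adding `import tempfile`) and remove it after `create_docker`; `mkdtemp` also creates it mode 0700 instead of umask-dependent. `open(...).write(docker_str)` leaks the file handle; use `with open(os.path.join(self.tmp_dir, "Dockerfile"), "w") as fh: fh.write(docker_str)`. `create_docker` logs the build stream but never checks it for an `error` entry, so a failed build still proceeds to `run_docker` (the TODO notes this), and the `for … else` there is a no-op because the loop has no `break`. `port_bindings={self.port: self.port}` publishes the port on all host interfaces; if the port is meant to be reachable only locally, bind it as `{self.port: ("127.0.0.1", self.port)}`.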
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/messenger.py b/moonv4/moon_orchestrator/moon_orchestrator/messenger.py
new file mode 100644 (file)
index 0000000..6b54255
--- /dev/null
@@ -0,0 +1,84 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_config import cfg
+import oslo_messaging
+from oslo_log import log as logging
+import time
+from moon_utilities.api import APIList
+from moon_utilities.security_functions import call
+from moon_utilities.exceptions import RootPDPNotInitialized
+
+from oslo_config import cfg
+from moon_orchestrator.api.generic import Status, Logs
+# from moon_orchestrator.api.configuration import Configuration
+from moon_orchestrator.api.containers import Containers
+from moon_orchestrator.api.slaves import Slaves
+
+TOPIC = "orchestrator"
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+
+class Server:
+
+    def __init__(self, containers, docker_manager, slaves):
+        self.CONTAINERS = containers
+        self.transport = oslo_messaging.get_transport(cfg.CONF)
+        self.target = oslo_messaging.Target(topic=TOPIC, server='server1')
+        LOG.info("Starting MQ server with topic: {}".format(TOPIC))
+        self.docker_manager = docker_manager
+        for _container in containers:
+            Status._container = containers[_container]
+        self.endpoints = [
+            APIList((Status, Logs, Containers)),
+            Status(),
+            Logs(),
+            Containers(self.docker_manager),
+            # Configuration(),
+            Slaves(slaves)
+        ]
+        self.server = oslo_messaging.get_rpc_server(self.transport, self.target, self.endpoints,
+                                                    executor='threading',
+                                                    access_policy=oslo_messaging.DefaultRPCAccessPolicy)
+
+    # @staticmethod
+    # def __check_root_pdp():
+    #     root_exist = False
+    #     for key, value in call("manager", ctx={"user_id": "admin"},
+    #                            method="get_pdp", args={})["pdp"].items():
+    #         if value["name"] == CONF.root_policy_directory:
+    #             root_exist = True
+    #     if not root_exist:
+    #         ie = call("manager", ctx={"user_id": "admin"}, method="add_pdp",
+    #                   args={
+    #                       "name": "policy_root",
+    #                       "model": CONF.root_policy_directory,
+    #                       "genre": "admin",
+    #                       "description": "policy_root"
+    #                   })
+    #         if "result" in ie and not ie["result"]:
+    #             raise RootPDPNotInitialized
+
+    def run(self):
+        try:
+            self.server.start()
+            # try:
+            #     raise NotImplementedError
+            #     # self.__check_root_pdp()
+            # except Exception as e:
+            #     LOG.error("Exception occurred when creating Root PDP: {}".format(e))
+            while True:
+                time.sleep(1)
+        except KeyboardInterrupt:
+            LOG.warning("Stopping server by crtl+c (please be patient, closing connections...)")
+        except SystemExit:
+            LOG.warning("Stopping server (please be patient, closing connections...)")
+        except Exception as e:
+            LOG.error("Exception occurred: {}".format(e))
+
+        self.server.stop()
+        self.server.wait()
+
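Review bot: The RPC server is created with `access_policy=oslo_messaging.DefaultRPCAccessPolicy`, which exposes every public method of every endpoint — including `Containers.add_container`/`delete_container` and `Slaves.add_slave`/`delete_slave` — to any client that can publish on the `orchestrator` topic, and the container endpoint in turn talks to moon_manager as `admin`; unless the message bus itself is the trust boundary, switch to `access_policy=oslo_messaging.ExplicitRPCAccessPolicy` and mark the intended entry points with `@oslo_messaging.expose`. `for _container in containers: Status._container = containers[_container]` overwrites a class attribute on each iteration, so only the last container survives, and `Status` never reads it. `self.CONTAINERS` is assigned and never used, `from oslo_config import cfg` is imported twice, and `call` / `RootPDPNotInitialized` are referenced only from commented-out code. `APIList((Status, Logs, Containers))` omits `Slaves`; if APIList advertises the available endpoints, that list is presumably stale — confirm.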
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/scoper.py b/moonv4/moon_orchestrator/moon_orchestrator/scoper.py
new file mode 100644 (file)
index 0000000..ebfb12f
--- /dev/null
@@ -0,0 +1,40 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+
+class Scoper(DockerBase):
+
+    id = "moon_scoper"
+
+    def __init__(self, conf_file="", docker=None, network_config=None):
+        super(Scoper, self).__init__(
+            name="moon_scoper",
+            id=self.id,
+            run_cmd=["python3", "-m", "moon_scoper"],
+            host=CONF.scoper.host,
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            tag=CONF.scoper.container
+        )
+
+    @staticmethod
+    def get_status():
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic='scoper', version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on scoper component...")
+        ret = client.call({"component_id": "scoper"}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
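Review bot: `Scoper.get_status` hard-codes the topic `'scoper'` and `component_id "scoper"`, whereas the sibling `SecurityFunction` and `SecurityManager` classes use `self.id` for both and this class sets `id = "moon_scoper"`; if the scoper container really listens on `scoper`, a one-line comment saying so would stop the next reader from "fixing" it, otherwise use `self.id`. Each call also builds a new transport with `oslo_messaging.get_transport(CONF)` that is never cleaned up; reusing one transport or calling `transport.cleanup()` after the call avoids leaking a connection pool per probe. `client.call(...)` relies on the library default timeout; passing an explicit `timeout=` makes the failure mode at startup predictable.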
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_function.py b/moonv4/moon_orchestrator/moon_orchestrator/security_function.py
new file mode 100644 (file)
index 0000000..1b33ef6
--- /dev/null
@@ -0,0 +1,56 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityFunction(DockerBase):
+
+    id = "moon_function"
+    __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+    def __init__(self, intra_extension_id, conf_file="", docker=None, network_config=None):
+        self.id = "moon_pdp_{}".format(intra_extension_id)
+        super(SecurityFunction, self).__init__(
+            name="moon_secfunction",
+            run_cmd=["python3", "-m", "moon_secfunction", intra_extension_id],
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            build_cmd=self.__build,
+            id=self.id,
+            tag=CONF.security_function.container
+        )
+        # note(asteroide): time to let the new docker boot
+        time.sleep(3)
+        self.get_status()
+
+    def get_status(self):
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic=self.id, version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on {}".format(self.id))
+        ret = client.call({"component_id": self.id}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
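Review bot: The constructor does `time.sleep(3)` and then `get_status()`, so a container that takes longer than three seconds to start makes `client.call` block until the RPC timeout and then raise out of `__init__`, leaving the container running with no object to manage it; polling `get_status` in a short retry loop with a bounded total wait is more robust than a fixed sleep. `TEMPLATES_FOLDER` is computed here but never used — `DockerBase` renders from its own `TEMPLATES_FOLDER` — so the TODO above it is misleading; drop it or pass the folder through. `get_status` is duplicated verbatim in `SecurityManager`; a single implementation on `DockerBase` keyed on `self.id` would remove the copy. `intra_extension_id` is used unvalidated as container name, hostname and RPC topic; it is passed as a list element so there is no shell injection, but a comment stating the expected format (presumably a UUID hex — confirm) would help.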
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_interface.py b/moonv4/moon_orchestrator/moon_orchestrator/security_interface.py
new file mode 100644 (file)
index 0000000..656c434
--- /dev/null
@@ -0,0 +1,45 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+from oslo_config import cfg
+from oslo_log import log as logging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityInterface(DockerBase):
+
+    id = "moon_interface"
+    __build = """RUN mkdir -p /etc/moon/
+    COPY conf /etc/moon/
+    ADD dist/{py_pkg}.tar.gz /root
+    WORKDIR /root/{py_pkg}
+    RUN pip3 install -r requirements.txt
+    RUN pip3 install .
+    EXPOSE {port}
+    """
+
+    def __init__(self, conf_file="", docker=None, network_config=None):
+        super(SecurityInterface, self).__init__(
+            name="moon_interface",
+            id=self.id,
+            run_cmd=["python3", "-m", "moon_interface"],
+            host=CONF.interface.host,
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            tag=CONF.interface.container,
+            build_cmd=self.__build,
+            port=CONF.interface.port
+        )
+
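Review bot: The `__build` string is indented four spaces on every line, including the closing `"""`, unlike the same template in `DockerBase`, `SecurityFunction` and `SecurityManager`; Docker tolerates leading whitespace on instruction lines but discourages it, and the trailing indented blank line ends up in the rendered Dockerfile. Either write it at column 0 like the siblings or wrap it as `__build = textwrap.dedent("""...""")`. `EXPOSE {port}` combined with `DockerBase.run_docker`'s `port_bindings={self.port: self.port}` publishes `CONF.interface.port` on every host interface; if the interface is the externally reachable front end that is intended, but it deserves a comment on the `port=` argument. `TEMPLATES_FOLDER` here is unused, as in the sibling modules.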
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_manager.py b/moonv4/moon_orchestrator/moon_orchestrator/security_manager.py
new file mode 100644 (file)
index 0000000..c7dc4c6
--- /dev/null
@@ -0,0 +1,56 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityManager(DockerBase):
+
+    id = "moon_manager"
+    __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+    def __init__(self, conf_file="", docker=None, network_config=None):
+        self.id = "moon_manager"
+        super(SecurityManager, self).__init__(
+            name="moon_manager",
+            run_cmd=["python3", "-m", "moon_manager"],
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            build_cmd=self.__build,
+            id=self.id,
+            tag=CONF.security_manager.container
+        )
+        # note(asteroide): time to let the new docker boot
+        time.sleep(3)
+        self.get_status()
+
+    def get_status(self):
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic=self.id, version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on {}".format(self.id))
+        ret = client.call({"component_id": self.id}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
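Review bot: SecurityManager.__init__ relies on a fixed `time.sleep(3)` before `self.get_status()`, and `get_status` makes a single RPC call, so a slow container start turns into a `MessagingTimeout` raised out of the constructor; in `server.py` only the router's status call is wrapped, so that exception would escape `main` with the already-started router container left running. Replacing the sleep with a bounded retry in `get_status` (below) and dropping the `time.sleep(3)` from `__init__` makes the wait adaptive and keeps the failure mode explicit; the same applies to SecurityPolicy in security_policy.py. `self.id = "moon_manager"` in `__init__` duplicates the class attribute and can be removed, and each `get_status` call builds a new transport via `oslo_messaging.get_transport(CONF)` that is never cleaned up, which is worth a `# NOTE: transport is created per call; consider caching it on the instance` comment if the call becomes frequent.
```python
    def get_status(self, retries=5, delay=3):
        """Query the component's RPC status endpoint, retrying while the container boots.

        Raises oslo_messaging.MessagingTimeout once every attempt has timed out.
        """
        transport = oslo_messaging.get_transport(CONF)
        target = oslo_messaging.Target(topic=self.id, version='1.0')
        client = oslo_messaging.RPCClient(transport, target, timeout=delay)
        LOG.info("Calling Status on {}".format(self.id))
        for attempt in range(1, retries + 1):
            try:
                ret = client.call({"component_id": self.id}, 'get_status', args=None)
            except oslo_messaging.MessagingTimeout:
                if attempt == retries:
                    raise
                LOG.warning("%s not answering yet (attempt %d/%d)", self.id, attempt, retries)
                time.sleep(delay)
            else:
                LOG.info(ret)
                return ret
```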
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_policy.py b/moonv4/moon_orchestrator/moon_orchestrator/security_policy.py
new file mode 100644 (file)
index 0000000..5cb1d51
--- /dev/null
@@ -0,0 +1,56 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import time
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityPolicy(DockerBase):
+
+    id = "moon_secpolicy"
+    __build = """RUN mkdir -p /etc/moon/
+COPY conf /etc/moon/
+ADD dist/{py_pkg}.tar.gz /root
+WORKDIR /root/{py_pkg}
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
+"""
+
+    def __init__(self, intra_extension_id, conf_file="", docker=None, network_config=None):
+        self.id = "moon_secpolicy" + intra_extension_id
+        super(SecurityPolicy, self).__init__(
+            name="moon_secpolicy",
+            run_cmd=["python3", "-m", "moon_secpolicy", intra_extension_id],
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            build_cmd=self.__build,
+            id="moon_secpolicy_{}".format(intra_extension_id),
+            tag=CONF.security_policy.container
+        )
+        # note(asteroide): time to let the new docker boot
+        time.sleep(3)
+        self.get_status()
+
+    def get_status(self):
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic=self.id, version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on {}".format(self.id))
+        ret = client.call({"component_id": self.id}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
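Review bot: SecurityPolicy.__init__ sets `self.id = "moon_secpolicy" + intra_extension_id` but passes `id="moon_secpolicy_{}".format(intra_extension_id)` (with an underscore) to DockerBase, so unless DockerBase overwrites `self.id` from that keyword (its code is outside this hunk) the RPC topic used by `get_status` and the container id differ by one character and the status call targets a topic nobody serves. Compute the identifier once and use it for both: `self.id = "moon_secpolicy_{}".format(intra_extension_id)` followed by `id=self.id` in the super call. The class attribute `id = "moon_secpolicy"` is then only a default that every instance shadows; a comment saying so, or dropping it, would avoid confusion with SecurityManager where the class and instance values are equal. `intra_extension_id` also lands unvalidated in the container id and in the `run_cmd` argv; if it originates from an RPC request, constraining it to the expected uuid form before constructing the object would be prudent.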
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/security_router.py b/moonv4/moon_orchestrator/moon_orchestrator/security_router.py
new file mode 100644 (file)
index 0000000..290ab11
--- /dev/null
@@ -0,0 +1,52 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import os
+import json
+import glob
+import uuid
+import shutil
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from io import BytesIO
+from docker import Client
+from jinja2 import FileSystemLoader, Environment
+from moon_orchestrator.dockers import DockerBase
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+DOMAIN = "moon_orchestrator"
+
+__CWD__ = os.path.dirname(os.path.abspath(__file__))
+# TODO (dthom): select the right template folder
+TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
+
+
+class SecurityRouter(DockerBase):
+
+    id = "moon_router"
+
+    def __init__(self, conf_file="", docker=None, network_config=None):
+        super(SecurityRouter, self).__init__(
+            name="moon_secrouter",
+            id=self.id,
+            run_cmd=["python3", "-m", "moon_secrouter"],
+            host=CONF.security_router.host,
+            conf_file=conf_file,
+            docker=docker,
+            network_config=network_config,
+            tag=CONF.security_router.container
+        )
+
+    @staticmethod
+    def get_status():
+        transport = oslo_messaging.get_transport(CONF)
+        target = oslo_messaging.Target(topic='security_router', version='1.0')
+        client = oslo_messaging.RPCClient(transport, target)
+        LOG.info("Calling Status on security_server...")
+        ret = client.call({"component_id": "security_router"}, 'get_status', args=None)
+        LOG.info(ret)
+        return ret
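Review bot: `SecurityRouter.get_status` hard-codes the topic `'security_router'` and component id `"security_router"` while the class attribute `id` is `"moon_router"`, so unlike the sibling classes the container id and the RPC topic are not the same value, and the log line names `security_server`. If the router really listens on `security_router`, a comment on the attribute such as `# container name only; the RPC topic is 'security_router' (see get_status)` would make that deliberate, and the log text should say `security_router`. Being a `@staticmethod` is fine since it reads no instance state, but a `@classmethod` reading a `topic` class attribute would keep one place to change. `json`, `glob`, `uuid`, `shutil`, `BytesIO`, `Client`, `FileSystemLoader`, `Environment` and `TEMPLATES_FOLDER` are imported or defined but never used here and should be dropped.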
diff --git a/moonv4/moon_orchestrator/moon_orchestrator/server.py b/moonv4/moon_orchestrator/moon_orchestrator/server.py
new file mode 100644 (file)
index 0000000..4fc9d5f
--- /dev/null
@@ -0,0 +1,140 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+import sys
+import os
+import hashlib
+from oslo_config import cfg
+from oslo_log import log as logging
+import oslo_messaging
+from docker import Client
+import docker.errors as docker_errors
+from importlib.machinery import SourceFileLoader
+from moon_utilities import options
+from moon_orchestrator.security_router import SecurityRouter
+from moon_orchestrator.security_interface import SecurityInterface
+from moon_orchestrator.security_manager import SecurityManager
+from moon_orchestrator.security_function import SecurityFunction
+# from moon_orchestrator.security_policy import SecurityPolicy
+# from moon_orchestrator.security_function import SecurityFunction
+from moon_orchestrator import messenger
+
+LOG = logging.getLogger(__name__)
+CONF = cfg.CONF
+
+CONTAINERS = {}
+SLAVES = {}
+docker = Client(base_url=CONF.docker_url)
+
+
+# def get_template(filename="template.dockerfile"):
+#     simple_loader = FileSystemLoader(TEMPLATES_FOLDER)
+#     env = Environment(loader=simple_loader)
+#     return env.get_template(filename)
+
+
+def create_docker_network(name="moon"):
+
+    return docker.create_networking_config({
+        name: docker.create_endpoint_config(),
+        'aliases': ['orchestrator', ]
+    })
+
+
+def load_plugin(plugname):
+    try:
+        m = SourceFileLoader("scenario", os.path.join(CONF.plugin_dir, plugname+".py"))
+        return m.load_module()
+    except ImportError as e:
+        LOG.error("Error in importing plugin {}".format(plugname))
+        LOG.error("{}".format(e))
+
+
+class DockerManager:
+
+    @staticmethod
+    def load(component, uuid):
+        """Load a new docker mapping the component given
+
+        :param component: the name of the component (policy or function)
+        :param uuid: the uuid of the intra_extension linked to that component
+        :return: the created component
+        """
+        component_id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest()
+        if component_id not in CONTAINERS:
+            plug = load_plugin(component)
+            LOG.info("Creating {} with id {}".format(component, uuid))
+            component = plug.run(uuid, options.filename, docker=docker, network_config=create_docker_network())
+            CONTAINERS[component_id] = component
+            return component
+
+    @staticmethod
+    def get_component(uuid=None):
+        if uuid:
+            return CONTAINERS.get(uuid, None)
+        return CONTAINERS
+
+    @staticmethod
+    def kill(component_id, delete=True):
+        LOG.info("Killing container {}".format(component_id))
+        docker.kill(container=component_id)
+        if delete:
+            docker.remove_container(container=component_id)
+
+
+def _exit(exit_number=0, docker=None, error=None):
+    for _container in CONTAINERS:
+        LOG.warning("Deleting containers named {}...".format(_container))
+        # print(40 * "-" + _container)
+        try:
+            # print(docker.logs(container=_container).decode("utf-8"))
+            docker.kill(container=_container)
+        except docker_errors.NotFound:
+            LOG.error("The container {} was not found".format(_container))
+        except docker_errors.APIError as e:
+            LOG.error(e)
+        else:
+            docker.remove_container(container=_container)
+
+    # TODO (dthom): put in the debug log
+    if error:
+        LOG.info(str(error))
+    sys.exit(exit_number)
+
+
+def main():
+    # conf_file = options.configure(DOMAIN)
+    LOG.info("Starting server with IP {}".format(CONF.orchestrator.host))
+
+    docker_manager = DockerManager()
+
+    network_config = create_docker_network()
+
+    LOG.info("Creating Security Router")
+    router = SecurityRouter(options.filename, docker=docker, network_config=network_config)
+    CONTAINERS[router.id] = router
+
+    LOG.info("Creating Manager")
+    manager = SecurityManager(options.filename, docker=docker, network_config=network_config)
+    CONTAINERS[manager.id] = manager
+
+    LOG.info("Creating Security Interface")
+    interface = SecurityInterface(options.filename, docker=docker, network_config=network_config)
+    CONTAINERS[interface.id] = interface
+
+    try:
+        router.get_status()
+    except oslo_messaging.rpc.client.RemoteError as e:
+        LOG.error("Cannot check status of remote container!")
+        _exit(1, docker, e)
+    serv = messenger.Server(containers=CONTAINERS, docker_manager=docker_manager, slaves=SLAVES)
+    try:
+        serv.run()
+    finally:
+        _exit(0, docker)
+
+
+if __name__ == '__main__':
+    main()
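Review bot: `load_plugin` builds the module path from the caller-supplied `plugname` with no validation, so a name containing path separators or `..` selects and executes a `.py` file outside `CONF.plugin_dir`; if `DockerManager.load` is reachable through the messenger RPC (the server is handed `docker_manager`), that name is remote input. Reject anything that is not a bare module name before the join, `if not plugname.isidentifier(): raise ValueError("invalid plugin name: {}".format(plugname))`, and note that `SourceFileLoader.load_module()` raises `FileNotFoundError` rather than `ImportError` for a missing file, so the current handler does not fire for that case while for a real `ImportError` it returns `None` and `plug.run` in `DockerManager.load` then fails with `AttributeError`. Separately, `get_component` looks `CONTAINERS` up by the raw uuid while `load` stores under the sha224-derived `component_id`, so a lookup by intra-extension uuid never hits; one of the two should use the same key derivation. Finally, `_exit(0, docker)` in the `finally` after `serv.run()` calls `sys.exit(0)` while any exception from `run()` is still in flight, turning a crash into a silent exit status 0; catch it first with `except Exception as e: _exit(1, docker, e)` and keep `_exit(0, docker)` for the normal return.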
diff --git a/moonv4/moon_orchestrator/reinstall.sh b/moonv4/moon_orchestrator/reinstall.sh
new file mode 100644 (file)
index 0000000..0649a37
--- /dev/null
@@ -0,0 +1,8 @@
+pip install -r requirements.txt
+pip install dist/moon_utilities-0.1.0.tar.gz 
+pip install dist/moon_db-0.1.0.tar.gz 
+pip install -r ../moon_utilities/requirements.txt 
+pip install -r ../moon_db/requirements.txt 
+python setup.py develop
+docker rm -f moon_interface moon_router 
+docker ps
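Review bot: `docker rm -f moon_interface moon_router` removes two of the three long-lived containers that `server.py` starts; `moon_manager` is left behind, so a reinstall can come up next to a stale manager container — extend it to `docker rm -f moon_interface moon_router moon_manager`. The script also has no shebang and no error handling, so a failed `pip install` does not stop it and `python setup.py develop` runs regardless; add `#!/bin/bash` and `set -euo pipefail` at the top. The two `pip install dist/*.tar.gz` lines install locally built tarballs without any integrity check, which is acceptable for a developer script but worth a comment saying the dist/ archives are expected to be built from this tree.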
diff --git a/moonv4/moon_orchestrator/requirements.txt b/moonv4/moon_orchestrator/requirements.txt
new file mode 100644 (file)
index 0000000..ef41155
--- /dev/null
@@ -0,0 +1,10 @@
+docker-py
+kombu !=4.0.1,!=4.0.0
+oslo.messaging !=5.14.0,!=5.13.0
+oslo.config
+oslo.log
+vine
+jinja2
+sqlalchemy
+pymysql
+werkzeug
\ No newline at end of file
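Review bot: No entry in requirements.txt is pinned; the only constraints are exclusions (`kombu !=4.0.1,!=4.0.0`, `oslo.messaging !=5.14.0,!=5.13.0`), so every build resolves to whatever is newest on the index and the image is not reproducible. This matters for `docker-py` in particular: the orchestrator does `from docker import Client`, `docker-py` is the legacy distribution name, and its successor published as `docker` renamed that class, so having both names resolvable on one interpreter or following a future upload under the old name can break the import. Pin at least the packages the code imports directly (e.g. `docker-py==<tested version>`) and consider a constraints file with `--hash` entries for the images built from this tree.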
diff --git a/moonv4/moon_orchestrator/setup.py b/moonv4/moon_orchestrator/setup.py
new file mode 100644 (file)
index 0000000..b4983e9
--- /dev/null
@@ -0,0 +1,47 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+from setuptools import setup, find_packages
+import moon_orchestrator
+
+
+setup(
+
+    name='moon_orchestrator',
+
+    version=moon_orchestrator.__version__,
+
+    packages=find_packages(),
+
+    author="Thomas Duval",
+
+    author_email="thomas.duval@orange.com",
+
+    description="",
+
+    long_description=open('README.rst').read(),
+
+    # install_requires= ,
+
+    include_package_data=True,
+
+    url='https://git.opnfv.org/cgit/moon/',
+
+    classifiers=[
+        "Programming Language :: Python",
+        "Development Status :: 1 - Planning",
+        "License :: OSI Approved",
+        "Natural Language :: French",
+        "Operating System :: OS Independent",
+        "Programming Language :: Python :: 3",
+    ],
+
+    entry_points={
+        'console_scripts': [
+            'moon_orchestrator = moon_orchestrator.server:main',
+        ],
+    }
+
+)
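Review bot: `long_description=open('README.rst').read()` opens the file with the platform default encoding and never closes it; read it before the `setup(` call with `with open('README.rst', encoding='utf-8') as f: long_description = f.read()` and pass `long_description=long_description`. `install_requires` is commented out, so a `pip install` of this package pulls none of the dependencies listed in requirements.txt and the `moon_orchestrator` console script fails at import time unless they were installed separately; either populate `install_requires` or state in README.rst that requirements.txt must be installed first. `description=""` is empty as well.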