-FROM ubuntu:latest
-
-RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt --upgrade
-RUN pip3 install /root/dist/* --upgrade
+RUN pip3 install -r requirements.txt
RUN pip3 install .
CMD ["python3", "-m", "moon_authz"]
\ No newline at end of file
-Core module for the Moon project
-================================
+# moon_authz
This package contains the core module for the Moon project
It is designed to provide authorization features to all OpenStack components.
# - call the next security function
# - call the master if an element is absent
-LOG = logging.getLogger("moon.api." + __name__)
+LOG = logging.getLogger("moon.authz.api." + __name__)
class Authz(Resource):
"""
Endpoint for authz requests
"""
+ __version__ = "0.1.0"
__urls__ = (
"/authz",
"/authz/",
- "/authz/<string:uuid>/<string:subject_name>/<string:object_name>/<string:action_name>",
)
- __version__ = "0.1.0"
+
pdp_id = None
meta_rule_id = None
keystone_project_id = None
self.cache = kwargs.get("cache")
self.context = None
- def post(self, uuid=None, subject_name=None, object_name=None, action_name=None):
+ def post(self):
"""Get a response on an authorization request
- :param uuid: uuid of a tenant or an intra_extension
- :param subject_name: name of the subject or the request
- :param object_name: name of the object
- :param action_name: name of the action
+ :request:
+
:return: {
"args": {},
"ctx": {
self.context.current_state = "passed"
LOG.info("__exec_instructions False {}".format(self.context.current_state))
- def __update_current_request(self):
- index = self.payload["authz_context"]["index"]
- current_header_id = self.payload["authz_context"]['headers'][index]
- previous_header_id = self.payload["authz_context"]['headers'][index - 1]
- current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
- previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
- # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
- if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session":
- subject = self.payload["authz_context"]['current_request'].get("subject")
- subject_category_id = None
- role_names = []
- for category_id, category_value in ModelManager.get_subject_categories("admin").items():
- if category_value["name"] == "role":
- subject_category_id = category_id
- break
- for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
- "admin", previous_policy_id, subject, subject_category_id).items():
- for data_id in assignment_value["assignments"]:
- data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
- for _data in data:
- for key, value in _data["data"].items():
- role_names.append(value["name"])
- new_role_ids = []
- for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
- if perimeter_value["name"] in role_names:
- new_role_ids.append(perimeter_id)
- break
- perimeter_id = None
- for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items():
- if perimeter_value["name"] == "*":
- break
-
- self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
- self.payload["authz_context"]['current_request']['action'] = perimeter_id
- elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
- self.payload["authz_context"]['current_request']['subject'] = \
- self.payload["authz_context"]['initial_request']['subject']
- self.payload["authz_context"]['current_request']['object'] = \
- self.payload["authz_context"]['initial_request']['object']
- self.payload["authz_context"]['current_request']['action'] = \
- self.payload["authz_context"]['initial_request']['action']
+ # def __update_current_request(self):
+ # index = self.payload["authz_context"]["index"]
+ # current_header_id = self.payload["authz_context"]['headers'][index]
+ # previous_header_id = self.payload["authz_context"]['headers'][index - 1]
+ # current_policy_id = PolicyManager.get_policy_from_meta_rules("admin", current_header_id)
+ # previous_policy_id = PolicyManager.get_policy_from_meta_rules("admin", previous_header_id)
+ # # FIXME (asteroide): must change those lines to be ubiquitous against any type of policy
+ # if self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "session":
+ # subject = self.payload["authz_context"]['current_request'].get("subject")
+ # subject_category_id = None
+ # role_names = []
+ # for category_id, category_value in ModelManager.get_subject_categories("admin").items():
+ # if category_value["name"] == "role":
+ # subject_category_id = category_id
+ # break
+ # for assignment_id, assignment_value in PolicyManager.get_subject_assignments(
+ # "admin", previous_policy_id, subject, subject_category_id).items():
+ # for data_id in assignment_value["assignments"]:
+ # data = PolicyManager.get_subject_data("admin", previous_policy_id, data_id, subject_category_id)
+ # for _data in data:
+ # for key, value in _data["data"].items():
+ # role_names.append(value["name"])
+ # new_role_ids = []
+ # for perimeter_id, perimeter_value in PolicyManager.get_objects("admin", current_policy_id).items():
+ # if perimeter_value["name"] in role_names:
+ # new_role_ids.append(perimeter_id)
+ # break
+ # perimeter_id = None
+ # for perimeter_id, perimeter_value in PolicyManager.get_actions("admin", current_policy_id).items():
+ # if perimeter_value["name"] == "*":
+ # break
+ #
+ # self.payload["authz_context"]['current_request']['object'] = new_role_ids[0]
+ # self.payload["authz_context"]['current_request']['action'] = perimeter_id
+ # elif self.payload["authz_context"]['pdp_set'][current_header_id]['meta_rules']['name'] == "rbac":
+ # self.payload["authz_context"]['current_request']['subject'] = \
+ # self.payload["authz_context"]['initial_request']['subject']
+ # self.payload["authz_context"]['current_request']['object'] = \
+ # self.payload["authz_context"]['initial_request']['object']
+ # self.payload["authz_context"]['current_request']['action'] = \
+ # self.payload["authz_context"]['initial_request']['action']
def get_authz(self):
# self.keystone_project_id = payload["id"]
+++ /dev/null
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-"""
-Those API are helping API used to manage the Moon platform.
-"""
-
-from flask_restful import Resource, request
-from oslo_log import log as logging
-import moon_authz.api
-from python_moonutilities.security_functions import check_auth
-
-__version__ = "0.1.0"
-
-LOG = logging.getLogger("moon.authz.api." + __name__)
-
-
-class Status(Resource):
- """
- Endpoint for status requests
- """
-
- __urls__ = ("/status", "/status/", "/status/<string:component_id>")
-
- def get(self, component_id=None):
- """Retrieve status of all components
-
- :return: {
- "orchestrator": {
- "status": "Running"
- },
- "security_router": {
- "status": "Running"
- }
- }
- """
- raise NotImplemented
-
-
-class Logs(Resource):
- """
- Endpoint for logs requests
- """
-
- __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>")
-
- def get(self, component_id=None):
- """Get logs from the Moon platform
-
- :param component_id: the ID of the component your are looking for (optional)
- :return: [
- "2015-04-15-13:45:20
- "2015-04-15-13:45:21
- "2015-04-15-13:45:22
- "2015-04-15-13:45:23
- ]
- """
- filter_str = request.args.get('filter', '')
- from_str = request.args.get('from', '')
- to_str = request.args.get('to', '')
- event_number = request.args.get('event_number', '')
- try:
- event_number = int(event_number)
- except ValueError:
- event_number = None
- args = dict()
- args["filter"] = filter_str
- args["from"] = from_str
- args["to"] = to_str
- args["event_number"] = event_number
-
- raise NotImplemented
-
-
-class API(Resource):
- """
- Endpoint for API requests
- """
-
- __urls__ = (
- "/api",
- "/api/",
- "/api/<string:group_id>",
- "/api/<string:group_id>/",
- "/api/<string:group_id>/<string:endpoint_id>")
-
- @check_auth
- def get(self, group_id="", endpoint_id="", user_id=""):
- """Retrieve all API endpoints or a specific endpoint if endpoint_id is given
-
- :param group_id: the name of one existing group (ie generic, ...)
- :param endpoint_id: the name of one existing component (ie Logs, Status, ...)
- :return: {
- "group_name": {
- "endpoint_name": {
- "description": "a description",
- "methods": {
- "get": "description of the HTTP method"
- },
- "urls": ('/api', '/api/', '/api/<string:endpoint_id>')
- }
- }
- """
- __methods = ("get", "post", "put", "delete", "options", "patch")
- api_list = filter(lambda x: "__" not in x, dir(moon_authz.api))
- api_desc = dict()
- for api_name in api_list:
- api_desc[api_name] = {}
- group_api_obj = eval("moon_interface.api.{}".format(api_name))
- api_desc[api_name]["description"] = group_api_obj.__doc__
- if "__version__" in dir(group_api_obj):
- api_desc[api_name]["version"] = group_api_obj.__version__
- object_list = list(filter(lambda x: "__" not in x, dir(group_api_obj)))
- for obj in map(lambda x: eval("moon_interface.api.{}.{}".format(api_name, x)), object_list):
- if "__urls__" in dir(obj):
- api_desc[api_name][obj.__name__] = dict()
- api_desc[api_name][obj.__name__]["urls"] = obj.__urls__
- api_desc[api_name][obj.__name__]["methods"] = dict()
- for _method in filter(lambda x: x in __methods, dir(obj)):
- docstring = eval("moon_interface.api.{}.{}.{}.__doc__".format(api_name, obj.__name__, _method))
- api_desc[api_name][obj.__name__]["methods"][_method] = docstring
- api_desc[api_name][obj.__name__]["description"] = str(obj.__doc__)
- if group_id in api_desc:
- if endpoint_id in api_desc[group_id]:
- return {group_id: {endpoint_id: api_desc[group_id][endpoint_id]}}
- elif len(endpoint_id) > 0:
- LOG.error("Unknown endpoint_id {}".format(endpoint_id))
- return {"error": "Unknown endpoint_id {}".format(endpoint_id)}
- return {group_id: api_desc[group_id]}
- return api_desc
from python_moonutilities.cache import Cache
from python_moonutilities import exceptions
-logger = logging.getLogger("moon." + __name__)
+logger = logging.getLogger("moon.authz.http_server")
CACHE = Cache()
CACHE.update()
from moon_authz.http_server import HTTPServer as Server
from python_moonutilities import configuration
-LOG = logging.getLogger("moon.server")
+LOG = logging.getLogger("moon.authz.server")
DOMAIN = "moon_authz"
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-
def main():
+ configuration.init_logging()
+
component_id = os.getenv("UUID")
component_type = os.getenv("TYPE")
tcp_port = os.getenv("PORT")
pdp_id = os.getenv("PDP_ID")
meta_rule_id = os.getenv("META_RULE_ID")
keystone_project_id = os.getenv("KEYSTONE_PROJECT_ID")
- configuration.init_logging()
LOG.info("component_type={}".format(component_type))
conf = configuration.get_configuration("plugins/{}".format(component_type))
conf["plugins/{}".format(component_type)]['id'] = component_id
description="",
- long_description=open('README.rst').read(),
+ long_description=open('README.md').read(),
# install_requires= ,
FROM python:3
+
WORKDIR /usr/src/app
RUN pip install --no-cache-dir --upgrade requests pyyaml python_moonutilities python_moondb python_moonclient
-FROM ubuntu:latest
-
-RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install python_moonutilities python_moondb pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt --upgrade
-#RUN pip3 install /root/dist/* --upgrade
+RUN pip3 install -r requirements.txt
RUN pip3 install .
CMD ["python3", "-m", "moon_interface"]
\ No newline at end of file
+++ /dev/null
-all: built run
-
-built:
- docker build -t moon_policy:16.04 .
-
-run:
- docker run -p 8000:8000 moon_policy:16.04
-
-.PHONY: clean
-
-clean:
- find . -name "*.py" -exec echo rm {}\;
-Core module for the Moon project
-================================
+# moon_interface
+
This package contains the core module for the Moon project
It is designed to provide authorization features to all OpenStack components.
__version__ = "0.1.0"
-LOG = logging.getLogger("moon.interface.api." + __name__)
+LOG = logging.getLogger("moon.interface.api.authz." + __name__)
def pdp_in_cache(cache, uuid):
return pdp_in_cache(cache, uuid)
-def container_exist(cache, uuid):
- """Check if a PDP exist with this Keystone Project ID in the Manager component
-
- :param cache: Cache to use
- :param uuid: Keystone Project ID
- :return: True or False
- """
- for key, value in cache.containers.items():
- if "keystone_project_id" not in value:
- continue
- if value["keystone_project_id"] == uuid:
- try:
- req = requests.head("http://{}:{}/".format(
- value.get("hostname"),
- value.get("port")[0].get("PublicPort")))
- LOG.info("container_exist {}".format(req.status_code))
- if req.status_code in (200, 201):
- return value
- return
- except requests.exceptions.ConnectionError:
- pass
- # maybe hostname is not working so trying with IP address
- try:
- req = requests.head("http://{}:{}/".format(
- value.get("ip"),
- value.get("port")[0].get("PublicPort")))
- if req.status_code in (200, 201):
- return value
- return
- except requests.exceptions.ConnectionError:
- return
-
-
def create_authz_request(cache, interface_name, manager_url, uuid, subject_name, object_name, action_name):
"""Create the authorization request and make the first call to the Authz function
+++ /dev/null
-# Copyright 2017 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import docker
-import logging
-import re
-import requests
-import time
-from python_moonutilities import configuration, exceptions
-
-__version__ = "0.1.0"
-
-LOG = logging.getLogger("moon.interface.container")
-
-
-class DockerManager:
-
- def __init__(self):
- docker_conf = configuration.get_configuration("docker")['docker']
- self.docker = docker.DockerClient(base_url=docker_conf['url'])
-
- def create_container(self, data):
- """Create the container through the docker client
-
- :param data: {
- "name": "authz",
- "hostname": "authz123456789",
- "port": {
- "PrivatePort": 8090,
- "Type": "tcp",
- "IP": "0.0.0.0",
- "PublicPort": 8090
- },
- "keystone_project_id": "keystone_project_id1",
- "pdp_id": "123456789",
- "container_name": "wukongsun/moon_authz:v4.1"
- }
- :return: container output
- """
- output = self.docker.containers.run(
- image=data.get("container_name"),
- hostname=data.get("hostname", data.get("name"))[:63],
- name=data.get("name"),
- network='moon',
- ports={'{}/{}'.format(
- data.get("port").get("PrivatePort"),
- data.get("port").get("Type")
- ): int(data.get("port").get("PrivatePort"))},
- environment={
- "UUID": data.get("hostname"),
- "BIND": data.get("port").get("IP"),
- "TYPE": data.get("plugin_name"),
- "PORT": data.get("port").get("PrivatePort"),
- "PDP_ID": data.get("pdp_id"),
- "META_RULE_ID": data.get("meta_rule_id"),
- "KEYSTONE_PROJECT_ID": data.get("keystone_project_id"),
- },
- detach=True
- )
- try:
- req = requests.head("http://{}:{}/".format(data.get("hostname"), data.get("port").get("PublicPort")))
- except requests.exceptions.ConnectionError:
- pass
- else:
- if req.status_code != 200:
- raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname")))
- output.ip = "0.0.0.0"
- return output
-
- # Note: host is not reachable through hostname so trying to find th IP address
- res = output.exec_run("ip addr")
- find = re.findall("inet (\d+\.\d+\.\d+\.\d+)", res.decode("utf-8"))
- ip = "127.0.0.1"
- for ip in find:
- if ip.startswith("127"):
- continue
- break
- cpt = 0
- while True:
- try:
- req = requests.head("http://{}:{}/".format(ip, data.get("port").get("PublicPort")))
- except requests.exceptions.ConnectionError:
- pass
- else:
- if req.status_code not in (200, 201):
- LOG.error("url={}".format("http://{}:{}/".format(ip, data.get("port").get("PublicPort"))))
- LOG.error("req={}".format(req))
- raise exceptions.DockerError("Container {} is not running!".format(data.get("hostname")))
- output.ip = ip
- return output
- finally:
- cpt += 1
- time.sleep(0.1)
- if cpt > 20:
- break
- output.ip = ip
- return output
-
- def delete_container(self, uuid):
- raise NotImplementedError
logger = logging.getLogger("moon.interface.http")
+__API__ = (
+ Status, Logs, API
+ )
+
class Server:
"""Base class for HTTP server"""
def run(self):
raise NotImplementedError()
-__API__ = (
- Status, Logs, API
- )
-
class Root(Resource):
"""
def run(self):
self.app.run(host=self._host, port=self._port) # nosec
- # self.app.run(debug=True, host=self._host, port=self._port) # nosec
-
from python_moonutilities import configuration, exceptions
from moon_interface.http_server import HTTPServer
-LOG = logging.getLogger("moon.interface")
+LOG = logging.getLogger("moon.interface.server")
def main():
port = 80
configuration.add_component(uuid="interface", name=hostname, port=port, bind=bind)
LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind))
- server = HTTPServer(host=bind, port=port)
- # LOG.info("Starting server")
- # server = HTTPServer(host="0.0.0.0", port=8081)
- return server
+ return HTTPServer(host=bind, port=port)
if __name__ == '__main__':
description="",
- long_description=open('README.rst').read(),
+ long_description=open('README.md').read(),
# install_requires= ,
+++ /dev/null
-#!/usr/bin/env bash
-
-http_proxy= /usr/bin/python3 /home/vdsq3226/projets/opnfv/opnfv-moon/moon_interface/tools/api2rst.py
-pandoc api.rst --toc -o api.pdf
-evince api.pdf
-FROM ubuntu:latest
-
-RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
RUN pip3 install -r requirements.txt
-#RUN pip3 install /root/dist/* --upgrade
RUN pip3 install .
CMD ["python3", "-m", "moon_manager"]
\ No newline at end of file
-Core module for the Moon project
-================================
+# moon_manager
This package contains the core module for the Moon project
It is designed to provide authorization features to all OpenStack components.
+++ /dev/null
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-"""
-PDP are Policy Decision Point.
-
-"""
-
-import copy
-from docker import Client
-from flask import request
-from flask_restful import Resource
-from oslo_log import log as logging
-from python_moonutilities.security_functions import check_auth
-from python_moonutilities import configuration
-
-docker_conf = configuration.get_configuration("docker")['docker']
-docker = Client(base_url=docker_conf['url'])
-
-__version__ = "0.1.0"
-
-LOG = logging.getLogger("moon.manager.api." + __name__)
-
-
-class Container(Resource):
- """
- Endpoint for container requests
- """
-
- __urls__ = (
- "/containers",
- "/containers/",
- "/containers/<string:uuid>",
- "/containers/<string:uuid>/",
- )
-
- def __init__(self):
- self.containers = {}
- self.update()
-
- def update(self):
- for _container in docker.containers():
- if _container['Id'] not in self.containers:
- self.containers[_container['Id']] = {
- "name": _container["Names"],
- "port": _container["Ports"],
- }
-
- @check_auth
- def get(self, uuid=None, user_id=None):
- """Retrieve all containers
-
- :param uuid: uuid of the container
- :param user_id: user ID who do the request
- :return: {
- "containers": {
- "da0fd80fc1dc146e1b...a2e07d240cde09f0a": {
- "name": [
- "/wrapper"
- ],
- "port": [
- {
- "PrivatePort": 8080,
- "Type": "tcp",
- "IP": "0.0.0.0",
- "PublicPort": 8080
- }
- ]
- },
- }
- }
- :internal_api: get_containers
- """
- # try:
- # data = [{"name": item["Names"], "port": item["Ports"], } for item in docker.containers()]
- # except Exception as e:
- # LOG.error(e, exc_info=True)
- # return {"result": False,
- # "error": str(e)}
- return {"containers": self.containers}
-
- @check_auth
- def post(self, uuid=None, user_id=None):
- """Add a new container.
-
- :param uuid: uuid of the pdp (not used here)
- :param user_id: user ID who do the request
- :request body: {
- "id": "id of the new container",
- "name": "name of the new container",
- "hostname": "hostname of the new container",
- "port": {
- "PrivatePort": 8080,
- "Type": "tcp",
- "IP": "0.0.0.0",
- "PublicPort": 8080
- },
- "keystone_project_id": "keystone_project_id1",
- "pdp_id": "PDP UUID",
- "container_name": "wukongsun/moon_authz:v4.1"
- }
- :return: {
- "containers": {
- "da0fd80fc1dc146e1b...a2e07d240cde09f0a": {
- "name": [
- "/wrapper"
- ],
- "port": [
- {
- "PrivatePort": 8080,
- "Type": "tcp",
- "IP": "0.0.0.0",
- "PublicPort": 8080
- }
- ]
- },
- }
- }
- :internal_api: add_container
- """
- try:
- self.update()
- self.containers[request.json.get('id')] = copy.deepcopy(request.json)
- LOG.info("Added a new container {}".format(request.json.get('name')))
- except Exception as e:
- LOG.error(e, exc_info=True)
- return {"result": False,
- "error": str(e)}, 500
- return {"containers": self.containers}
-
- @check_auth
- def delete(self, uuid=None, user_id=None):
- """Delete a pdp
-
- :param uuid: uuid of the pdp to delete
- :param user_id: user ID who do the request
- :return: {
- "result": "True or False",
- "message": "optional message"
- }
- :internal_api: delete_pdp
- """
- # try:
- # data = PDPManager.delete_pdp(user_id=user_id, pdp_id=uuid)
- # except Exception as e:
- # LOG.error(e, exc_info=True)
- # return {"result": False,
- # "error": str(e)}
- # return {"result": True}
- raise NotImplementedError
-
- @check_auth
- def patch(self, uuid=None, user_id=None):
- """Update a pdp
-
- :param uuid: uuid of the pdp to update
- :param user_id: user ID who do the request
- :return: {
- "pdp_id1": {
- "name": "...",
- "security_pipeline": [...],
- "keystone_project_id": "keystone_project_id1",
- "description": "...",
- }
- }
- :internal_api: update_pdp
- """
- # try:
- # data = PDPManager.update_pdp(user_id=user_id, pdp_id=uuid, value=request.json)
- # add_container(uuid=uuid, pipeline=data[uuid]['security_pipeline'])
- # except Exception as e:
- # LOG.error(e, exc_info=True)
- # return {"result": False,
- # "error": str(e)}
- # return {"pdps": data}
- raise NotImplementedError
-
Endpoint for status requests
"""
- __urls__ = ("/status", "/status/", "/status/<string:component_id>")
+ __urls__ = (
+ "/status",
+ "/status/",
+ "/status/<string:component_id>"
+ )
def get(self, component_id=None):
"""Retrieve status of all components
Endpoint for logs requests
"""
- __urls__ = ("/logs", "/logs/", "/logs/<string:component_id>")
+ __urls__ = (
+ "/logs",
+ "/logs/",
+ "/logs/<string:component_id>"
+ )
def get(self, component_id=None):
"""Get logs from the Moon platform
"/api/",
"/api/<string:group_id>",
"/api/<string:group_id>/",
- "/api/<string:group_id>/<string:endpoint_id>")
+ "/api/<string:group_id>/<string:endpoint_id>"
+ )
@check_auth
def get(self, group_id="", endpoint_id="", user_id=""):
Endpoint for meta rules requests
"""
- __urls__ = ("/meta_rules",
- "/meta_rules/",
- "/meta_rules/<string:meta_rule_id>",
- "/meta_rules/<string:meta_rule_id>/")
+ __urls__ = (
+ "/meta_rules",
+ "/meta_rules/",
+ "/meta_rules/<string:meta_rule_id>",
+ "/meta_rules/<string:meta_rule_id>/"
+ )
@check_auth
def get(self, meta_rule_id=None, user_id=None):
from moon_manager.api.data import SubjectData, ObjectData, ActionData
from moon_manager.api.assignments import SubjectAssignments, ObjectAssignments, ActionAssignments
from moon_manager.api.rules import Rules
-# from moon_manager.api.containers import Container
from python_moonutilities import configuration, exceptions
from python_moondb.core import PDPManager
-LOG = logging.getLogger("moon.manager.http")
+LOG = logging.getLogger("moon.manager.http_server")
+
+__API__ = (
+ Status, Logs, API,
+ MetaRules, SubjectCategories, ObjectCategories, ActionCategories,
+ Subjects, Objects, Actions, Rules,
+ SubjectAssignments, ObjectAssignments, ActionAssignments,
+ SubjectData, ObjectData, ActionData,
+ Models, Policies, PDP
+ )
class Server:
def run(self):
raise NotImplementedError()
-__API__ = (
- Status, Logs, API,
- MetaRules, SubjectCategories, ObjectCategories, ActionCategories,
- Subjects, Objects, Actions,
- SubjectAssignments, ObjectAssignments, ActionAssignments,
- SubjectData, ObjectData, ActionData,
- Rules, #Container,
- Models, Policies, PDP
- )
-
class Root(Resource):
"""
conf = configuration.get_configuration("components/manager")
self.manager_hostname = conf["components/manager"].get("hostname", "manager")
self.manager_port = conf["components/manager"].get("port", 80)
- #Todo : specify only few urls instead of *
+ # TODO : specify only few urls instead of *
CORS(self.app)
self.api = Api(self.app)
self.__set_route()
def __set_route(self):
self.api.add_resource(Root, '/')
- for api in __API__:
- self.api.add_resource(api, *api.__urls__)
+ for _api in __API__:
+ self.api.add_resource(_api, *_api.__urls__)
@staticmethod
def __check_if_db_is_up():
def run(self):
self.__check_if_db_is_up()
self.app.run(debug=True, host=self._host, port=self._port) # nosec
-
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-import os
from oslo_config import cfg
from oslo_log import log as logging
from python_moonutilities import configuration, exceptions
from moon_manager.http_server import HTTPServer
-LOG = logging.getLogger("moon.manager")
+LOG = logging.getLogger("moon.manager.server")
CONF = cfg.CONF
DOMAIN = "moon_manager"
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-
def main():
configuration.init_logging()
port = 80
configuration.add_component(uuid="manager", name=hostname, port=port, bind=bind)
LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind))
- server = HTTPServer(host=bind, port=port)
- return server
+ return HTTPServer(host=bind, port=port)
if __name__ == '__main__':
flask_cors
python_moonutilities
python_moondb
-docker-py
description="",
- long_description=open('README.rst').read(),
+ long_description=open('README.md').read(),
# install_requires= ,
-FROM ubuntu:latest
-
-ENV CONSUL_HOST=consul
-ENV CONSUL_PORT=8500
-
-RUN apt update && apt install python3.5 python3-pip python3-mysql.connector -y
-RUN pip3 install pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt --upgrade
-#RUN pip3 install /root/dist/* --upgrade
-RUN pip3 install . --upgrade
+RUN pip3 install -r requirements.txt
+RUN pip3 install .
CMD ["python3", "-m", "moon_orchestrator"]
\ No newline at end of file
-# Moon Orchestrator
+# moon_orchestrator
+
Internal orchestrator used for the Moon framework
+++ /dev/null
-# Pull base image.
-FROM ubuntu:latest
-
-{{ proxy }}
-
-RUN apt-get update && apt-get install python3.5 python3-pip -y
-
-ADD dist/moon_utilities-0.1.0.tar.gz /root
-WORKDIR /root/moon_utilities-0.1.0
-RUN pip3 install pip --upgrade
-RUN pip3 install --upgrade -r requirements.txt
-RUN pip3 install --upgrade .
-
-ADD dist/moon_db-0.1.0.tar.gz /root
-WORKDIR /root/moon_db-0.1.0
-RUN pip3 install --upgrade -r requirements.txt
-RUN pip3 install --upgrade .
-
-{{ run }}
-
-{% for port in ports %}
-EXPOSE {{ port }}
-{% endfor %}
-
-CMD {{ cmd }}
+++ /dev/null
-database:
- url: mysql+pymysql://moon:p4sswOrd1@db/moon
- driver: sql
-
-messenger:
- url: rabbit://moon:p4sswOrd1@messenger:5672/moon
-
-docker:
- url: tcp://172.88.88.1:2376
- network: moon
-
-slave:
- name:
- master:
- url:
- login:
- password:
-
-openstack:
- keystone:
- url: http://keystone:5000/v3
- user: admin
- password: p4ssw0rd
- domain: default
- project: admin
- check_token: false
- certificate: false
-
-plugins:
- authz:
- container: wukongsun/moon_authz:v4.1
- session:
- container: asteroide/session:latest
-
-components:
- interface:
- port: 8081
- hostname: interface
- bind: 0.0.0.0
- container: wukongsun/moon_interface:v4.1
- router:
- container: wukongsun/moon_router:v4.1
- hostname: router
- manager:
- container: wukongsun/moon_manager:v4.1
- hostname: manager
- orchestrator:
- container: wukongsun/moon_orchestrator:v4.1
- hostname: orchestrator
- port_start: 38001
-
-logging:
- version: 1
-
- formatters:
- brief:
- format: "%(levelname)s %(name)s %(message)-30s"
- custom:
- format: "%(asctime)-15s %(levelname)s %(name)s %(message)s"
-
- handlers:
- console:
- class : logging.StreamHandler
- formatter: brief
- level : INFO
- stream : ext://sys.stdout
- file:
- class : logging.handlers.RotatingFileHandler
- formatter: custom
- level : DEBUG
- filename: /tmp/moon.log
- maxBytes: 1048576
- backupCount: 3
-
- loggers:
- moon:
- level: DEBUG
- handlers: [console, file]
- propagate: no
-
- root:
- level: ERROR
- handlers: [console]
-
+++ /dev/null
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import os
-import time
-import hashlib
-from oslo_config import cfg
-from oslo_log import log as logging
-import oslo_messaging
-from moon_orchestrator.dockers import DockerBase
-
-LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
-DOMAIN = "moon_orchestrator"
-
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-# TODO (asteroide): select the right template folder
-TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
-# TODO (asteroide): add specific configuration options for that plugin
-
-
-class AuthzFunction(DockerBase):
-
- id = "moon_authz_function"
- __build = """RUN mkdir -p /etc/moon/
-COPY conf /etc/moon/
-ADD dist/{py_pkg}.tar.gz /root
-WORKDIR /root/{py_pkg}
-RUN pip3 install -r requirements.txt
-RUN pip3 install .
-"""
-
- def __init__(self, uuid, conf_file="", docker=None, network_config=None):
- self.id = "authz_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest()
- super(AuthzFunction, self).__init__(
- name="moon_authz",
- run_cmd=["python3", "-m", "moon_authz", uuid],
- conf_file=conf_file,
- docker=docker,
- network_config=network_config,
- build_cmd=self.__build,
- id=self.id,
- tag=""
- # tag=CONF.security_function.container
- )
- # note(asteroide): time to let the new docker boot
- time.sleep(3)
- # self.get_status()
-
- def get_status(self):
- return True
- # transport = oslo_messaging.get_transport(CONF)
- # target = oslo_messaging.Target(topic=self.id, version='1.0')
- # client = oslo_messaging.RPCClient(transport, target)
- # LOG.info("Calling Status on {}".format(self.id))
- # ret = client.call({"component_id": self.id}, 'get_status', args=None)
- # LOG.info(ret)
- # return ret
-
-
-def run(uuid, conf_file="", docker=None, network_config=None):
- return AuthzFunction(uuid,
- conf_file=conf_file,
- docker=docker,
- network_config=network_config)
+++ /dev/null
-# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
-# This software is distributed under the terms and conditions of the 'Apache-2.0'
-# license which can be found in the file 'LICENSE' in this package distribution
-# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
-
-import os
-import time
-import hashlib
-from oslo_config import cfg
-from oslo_log import log as logging
-import oslo_messaging
-from moon_orchestrator.dockers import DockerBase
-
-LOG = logging.getLogger(__name__)
-CONF = cfg.CONF
-DOMAIN = "moon_orchestrator"
-
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-# TODO (asteroide): select the right template folder
-TEMPLATES_FOLDER = os.path.join(__CWD__, "..", "conf", "dockers")
-# TODO (asteroide): add specific configuration options for that plugin
-
-
-class AuthzFunction(DockerBase):
-
- id = "moon_session_function"
- __build = """RUN mkdir -p /etc/moon/
-COPY conf /etc/moon/
-ADD dist/{py_pkg}.tar.gz /root
-WORKDIR /root/{py_pkg}
-RUN pip3 install -r requirements.txt
-RUN pip3 install .
-"""
-
- def __init__(self, uuid, conf_file="", docker=None, network_config=None):
- self.id = "session_"+hashlib.sha224(uuid.encode("utf-8")).hexdigest()
- super(AuthzFunction, self).__init__(
- name="moon_authz",
- run_cmd=["python3", "-m", "moon_authz", uuid],
- conf_file=conf_file,
- docker=docker,
- network_config=network_config,
- build_cmd=self.__build,
- id=self.id,
- tag=""
- # tag=CONF.security_function.container
- )
- # note(asteroide): time to let the new docker boot
- time.sleep(3)
- # self.get_status()
-
- def get_status(self):
- return True
- # transport = oslo_messaging.get_transport(CONF)
- # target = oslo_messaging.Target(topic=self.id, version='1.0')
- # client = oslo_messaging.RPCClient(transport, target)
- # LOG.info("Calling Status on {}".format(self.id))
- # ret = client.call({"component_id": self.id}, 'get_status', args=None)
- # LOG.info(ret)
- # return ret
-
-
-def run(uuid, conf_file="", docker=None, network_config=None):
- return AuthzFunction(uuid,
- conf_file=conf_file,
- docker=docker,
- network_config=network_config)
+++ /dev/null
-{
- "subject_assignments": {
- "subject_security_level":{
- "admin": ["high"],
- "demo": ["medium"]
- },
- "domain":{
- "admin": ["ft"],
- "demo": ["xx"]
- },
- "role": {
- "admin": ["admin"],
- "demo": ["dev"]
- }
- },
-
- "action_assignments": {
- "resource_action":{
- "pause": ["vm_admin"],
- "unpause": ["vm_admin"],
- "start": ["vm_admin"],
- "stop": ["vm_admin"],
- "list": ["vm_access", "vm_admin"],
- "create": ["vm_admin"],
- "storage_list": ["storage_access"],
- "download": ["storage_access"],
- "post": ["storage_admin"],
- "upload": ["storage_admin"]
- },
- "access": {
- "pause": ["write"],
- "unpause": ["write"],
- "start": ["write"],
- "stop": ["write"],
- "list": ["read"],
- "create": ["write"],
- "storage_list": ["read"],
- "download": ["read"],
- "post": ["write"],
- "upload": ["write"]
- }
- },
-
- "object_assignments": {
- "object_security_level": {
- "servers": ["low"]
- },
- "type": {
- "servers": ["computing"]
- },
- "object_id": {
- "servers": ["servers"]
- }
- }
-}
+++ /dev/null
-{
- "name": "Simple_Policy",
- "genre": "authz",
- "description": "Simple Security Policy",
- "pdp_pipeline": ["authz:rbac_rule", "authz:mls_rule"],
-
- "subject_categories": [
- "subject_security_level",
- "domain",
- "role"
- ],
-
- "action_categories": [
- "resource_action",
- "access"
- ],
-
- "object_categories": [
- "object_security_level",
- "type",
- "object_id"
- ]
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "mls_rule": {
- "subject_categories": ["subject_security_level"],
- "action_categories": ["resource_action"],
- "object_categories": ["object_security_level"],
- "algorithm": "inclusion"
- },
- "dte_rule": {
- "subject_categories": ["domain"],
- "action_categories": ["access"],
- "object_categories": ["type"],
- "algorithm": "inclusion"
- },
- "rbac_rule": {
- "subject_categories": ["role", "domain"],
- "action_categories": ["access"],
- "object_categories": ["object_id"],
- "algorithm": "inclusion"
- }
- },
- "aggregation": "all_true"
-}
-
+++ /dev/null
-{
- "subjects": [
- "admin",
- "demo"
- ],
- "actions": [
- "pause",
- "unpause",
- "start",
- "stop",
- "create",
- "list",
- "upload",
- "download",
- "post",
- "storage_list"
- ],
- "objects": [
- "servers"
- ]
-}
+++ /dev/null
-{
- "mls_rule":[
- ["high", "vm_admin", "medium"],
- ["high", "vm_admin", "low"],
- ["medium", "vm_admin", "low"],
- ["high", "vm_access", "high"],
- ["high", "vm_access", "medium"],
- ["high", "vm_access", "low"],
- ["medium", "vm_access", "medium"],
- ["medium", "vm_access", "low"],
- ["low", "vm_access", "low"]
- ],
- "dte_rule":[
- ["ft", "read", "computing"],
- ["ft", "write", "computing"],
- ["ft", "read", "storage"],
- ["ft", "write", "storage"],
- ["xx", "read", "storage"]
- ],
- "rbac_rule":[
- ["dev", "xx", "read", "servers"],
- ["admin", "xx", "read", "servers"],
- ["admin", "ft", "read", "servers"]
- ]
-}
+++ /dev/null
-{
- "subject_scopes": {
- "role": [
- "admin",
- "dev"
- ],
- "subject_security_level": [
- "high",
- "medium",
- "low"
- ],
- "domain": [
- "ft",
- "xx"
- ]
- },
-
- "action_scopes": {
- "resource_action": [
- "vm_admin",
- "vm_access",
- "storage_admin",
- "storage_access"
- ],
- "access": [
- "write",
- "read"
- ]
- },
-
- "object_scopes": {
- "object_security_level": [
- "high",
- "medium",
- "low"
- ],
- "type": [
- "computing",
- "storage"
- ],
- "object_id": [
- "servers",
- "vm1",
- "vm2",
- "file1",
- "file2"
- ]
- }
-}
+++ /dev/null
-{
- "subject_assignments": {},
-
- "action_assignments": {},
-
- "object_assignments": {}
-}
+++ /dev/null
-{
- "name": "Empty_Policy",
- "model": "",
- "genre": "admin",
- "description": "Empty Policy",
-
- "subject_categories": [],
-
- "action_categories": [],
-
- "object_categories": []
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "mls_rule": {
- "subject_categories": [],
- "action_categories": [],
- "object_categories": [],
- "algorithm": ""
- }
- },
- "aggregation": ""
-}
-
+++ /dev/null
-{
- "subjects": [],
- "actions": [
- "read",
- "write"
- ],
- "objects": [
- "authz.subjects",
- "authz.objects",
- "authz.actions",
- "authz.subject_categories",
- "authz.object_categories",
- "authz.action_categories",
- "authz.subject_scopes",
- "authz.object_scopes",
- "authz.action_scopes",
- "authz.subject_assignments",
- "authz.object_assignments",
- "authz.action_assignments",
- "authz.aggregation_algorithm",
- "authz.sub_meta_rules",
- "authz.rules",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_scopes",
- "admin.object_scopes",
- "admin.action_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
-}
+++ /dev/null
-{
- "mls_rule":[]
-}
+++ /dev/null
-{
- "subject_scopes": {},
-
- "action_scopes": {},
-
- "object_scopes": {}
-}
+++ /dev/null
-{
- "subject_assignments": {},
-
- "action_assignments": {},
-
- "object_assignments": {}
-}
+++ /dev/null
-{
- "name": "MLS_Policy",
- "model": "MLS",
- "genre": "authz",
- "description": "Multi Level Security Policy",
-
- "subject_categories": [],
-
- "action_categories": [],
-
- "object_categories": []
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "mls_rule": {
- "subject_categories": [],
- "action_categories": [],
- "object_categories": [],
- "algorithm": ""
- }
- },
- "aggregation": ""
-}
-
+++ /dev/null
-{
- "subjects": [],
- "actions": [],
- "objects": []
-}
+++ /dev/null
-{
- "mls_rule":[]
-}
+++ /dev/null
-{
- "subject_scopes": {},
-
- "action_scopes": {},
-
- "object_scopes": {}
-}
+++ /dev/null
-{
- "subject_assignments": {
- "subject_security_level":{
- "admin": ["high"],
- "demo": ["medium"]
- }
- },
-
- "action_assignments": {
- "resource_action":{
- "pause": ["vm_admin"],
- "unpause": ["vm_admin"],
- "start": ["vm_admin"],
- "stop": ["vm_admin"],
- "list": ["vm_access", "vm_admin"],
- "create": ["vm_admin"],
- "storage_list": ["storage_access"],
- "download": ["storage_access"],
- "post": ["storage_admin"],
- "upload": ["storage_admin"]
- }
- },
-
- "object_assignments": {
- "object_security_level": {
- "servers": ["low"]
- }
- }
-}
+++ /dev/null
-{
- "name": "MLS_Policy",
- "model": "MLS",
- "genre": "authz",
- "description": "Multi Level Security Policy",
-
- "subject_categories": [
- "subject_security_level"
- ],
-
- "action_categories": [
- "resource_action"
- ],
-
- "object_categories": [
- "object_security_level"
- ]
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "mls_rule": {
- "subject_categories": ["subject_security_level"],
- "action_categories": ["resource_action"],
- "object_categories": ["object_security_level"],
- "algorithm": "inclusion"
- }
- },
- "aggregation": "all_true"
-}
-
+++ /dev/null
-{
- "subjects": [
- "admin",
- "demo"
- ],
- "actions": [
- "pause",
- "unpause",
- "start",
- "stop",
- "create",
- "list",
- "upload",
- "download",
- "post",
- "storage_list"
- ],
- "objects": [
- "servers"
- ]
-}
+++ /dev/null
-{
- "mls_rule":[
- ["high", "vm_admin", "medium"],
- ["high", "vm_admin", "low"],
- ["medium", "vm_admin", "low"],
- ["high", "vm_access", "medium"],
- ["high", "vm_access", "low"],
- ["medium", "vm_access", "low"],
- ["high", "storage_admin", "medium"],
- ["high", "storage_admin", "low"],
- ["medium", "storage_admin", "low"],
- ["high", "storage_access", "medium"],
- ["high", "storage_access", "low"],
- ["medium", "storage_access", "low"]
- ]
-}
+++ /dev/null
-{
- "subject_scopes": {
- "subject_security_level": [
- "high",
- "medium",
- "low"
- ]
- },
-
- "action_scopes": {
- "resource_action": [
- "vm_admin",
- "vm_access",
- "storage_admin",
- "storage_access"
- ]
- },
-
- "object_scopes": {
- "object_security_level": [
- "high",
- "medium",
- "low"
- ]
- }
-}
+++ /dev/null
-{
- "subject_assignments": {
- "role": {
- "admin": ["root_role"],
- "demo": ["dev_role"]
- }
- },
- "action_assignments": {
- "action_id": {
- "read": ["read"],
- "write": ["write"]
- }
- },
- "object_assignments": {
- "object_id": {
- "authz.subjects": ["authz.subjects"],
- "authz.objects": ["authz.objects"],
- "authz.actions": ["authz.actions"],
- "authz.subject_categories": ["authz.subject_categories"],
- "authz.object_categories": ["authz.object_categories"],
- "authz.action_categories": ["authz.action_categories"],
- "authz.subject_scopes": ["authz.subject_scopes"],
- "authz.object_scopes": ["authz.object_scopes"],
- "authz.action_scopes": ["authz.action_scopes"],
- "authz.subject_assignments": ["authz.subject_assignments"],
- "authz.object_assignments": ["authz.object_assignments"],
- "authz.action_assignments": ["authz.action_assignments"],
- "authz.aggregation_algorithm": ["authz.aggregation_algorithm"],
- "authz.sub_meta_rules": ["authz.sub_meta_rules"],
- "authz.rules": ["authz.rules"],
- "admin.subjects": ["admin.subjects"],
- "admin.objects": ["admin.objects"],
- "admin.actions": ["admin.actions"],
- "admin.subject_categories": ["admin.subject_categories"],
- "admin.object_categories": ["admin.object_categories"],
- "admin.action_categories": ["admin.action_categories"],
- "admin.subject_scopes": ["admin.subject_scopes"],
- "admin.object_scopes": ["admin.object_scopes"],
- "admin.action_scopes": ["admin.action_scopes"],
- "admin.subject_assignments": ["admin.subject_assignments"],
- "admin.object_assignments": ["admin.object_assignments"],
- "admin.action_assignments": ["admin.action_assignments"],
- "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
- "admin.sub_meta_rules": ["admin.sub_meta_rules"],
- "admin.rules": ["admin.rules"]
- }
- }
-}
+++ /dev/null
-{
- "name": "RBAC Admin Policy",
- "model": "RBAC",
- "genre": "admin",
- "description": "",
-
- "subject_categories": [
- "role"
- ],
-
- "action_categories": [
- "action_id"
- ],
-
- "object_categories": [
- "object_id"
- ]
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "rbac_rule": {
- "subject_categories": ["role"],
- "action_categories": ["action_id"],
- "object_categories": ["object_id"],
- "algorithm": "inclusion"
- }
- },
- "aggregation": "all_true"
-}
-
+++ /dev/null
-{
- "subjects": [
- "admin",
- "demo"
- ],
- "actions": [
- "read",
- "write"
- ],
- "objects": [
- "authz.subjects",
- "authz.objects",
- "authz.actions",
- "authz.subject_categories",
- "authz.object_categories",
- "authz.action_categories",
- "authz.subject_scopes",
- "authz.object_scopes",
- "authz.action_scopes",
- "authz.subject_assignments",
- "authz.object_assignments",
- "authz.action_assignments",
- "authz.aggregation_algorithm",
- "authz.sub_meta_rules",
- "authz.rules",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_scopes",
- "admin.object_scopes",
- "admin.action_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
-}
+++ /dev/null
-{
- "rbac_rule":[
- ["root_role" , "read", "authz.subjects"],
- ["root_role" , "read", "authz.objects"],
- ["root_role" , "read", "authz.actions"],
- ["root_role" , "read", "authz.subject_categories"],
- ["root_role" , "read", "authz.object_categories"],
- ["root_role" , "read", "authz.action_categories"],
- ["root_role" , "read", "authz.subject_scopes"],
- ["root_role" , "read", "authz.object_scopes"],
- ["root_role" , "read", "authz.action_scopes"],
- ["root_role" , "read", "authz.subject_assignments"],
- ["root_role" , "read", "authz.object_assignments"],
- ["root_role" , "read", "authz.action_assignments"],
- ["root_role" , "read", "authz.aggregation_algorithm"],
- ["root_role" , "read", "authz.sub_meta_rules"],
- ["root_role" , "read", "authz.rules"],
- ["root_role" , "write", "authz.subjects"],
- ["root_role" , "write", "authz.objects"],
- ["root_role" , "write", "authz.actions"],
- ["root_role" , "write", "authz.subject_categories"],
- ["root_role" , "write", "authz.object_categories"],
- ["root_role" , "write", "authz.action_categories"],
- ["root_role" , "write", "authz.subject_scopes"],
- ["root_role" , "write", "authz.object_scopes"],
- ["root_role" , "write", "authz.action_scopes"],
- ["root_role" , "write", "authz.subject_assignments"],
- ["root_role" , "write", "authz.object_assignments"],
- ["root_role" , "write", "authz.action_assignments"],
- ["root_role" , "write", "authz.aggregation_algorithm"],
- ["root_role" , "write", "authz.sub_meta_rules"],
- ["root_role" , "write", "authz.rules"],
- ["root_role" , "read", "admin.subjects"],
- ["root_role" , "read", "admin.objects"],
- ["root_role" , "read", "admin.actions"],
- ["root_role" , "read", "admin.subject_categories"],
- ["root_role" , "read", "admin.object_categories"],
- ["root_role" , "read", "admin.action_categories"],
- ["root_role" , "read", "admin.subject_scopes"],
- ["root_role" , "read", "admin.object_scopes"],
- ["root_role" , "read", "admin.action_scopes"],
- ["root_role" , "read", "admin.subject_assignments"],
- ["root_role" , "read", "admin.object_assignments"],
- ["root_role" , "read", "admin.action_assignments"],
- ["root_role" , "read", "admin.aggregation_algorithm"],
- ["root_role" , "read", "admin.sub_meta_rules"],
- ["root_role" , "read", "admin.rules"],
- ["root_role" , "write", "admin.subjects"],
- ["root_role" , "write", "admin.objects"],
- ["root_role" , "write", "admin.actions"],
- ["root_role" , "write", "admin.subject_categories"],
- ["root_role" , "write", "admin.object_categories"],
- ["root_role" , "write", "admin.action_categories"],
- ["root_role" , "write", "admin.subject_scopes"],
- ["root_role" , "write", "admin.object_scopes"],
- ["root_role" , "write", "admin.action_scopes"],
- ["root_role" , "write", "admin.subject_assignments"],
- ["root_role" , "write", "admin.object_assignments"],
- ["root_role" , "write", "admin.action_assignments"],
- ["root_role" , "write", "admin.aggregation_algorithm"],
- ["root_role" , "write", "admin.sub_meta_rules"],
- ["root_role" , "write", "admin.rules"],
- ["dev_role" , "read", "authz.subjects"],
- ["dev_role" , "read", "authz.objects"],
- ["dev_role" , "read", "authz.actions"],
- ["dev_role" , "read", "authz.subject_categories"],
- ["dev_role" , "read", "authz.object_categories"],
- ["dev_role" , "read", "authz.action_categories"],
- ["dev_role" , "read", "authz.subject_scopes"],
- ["dev_role" , "read", "authz.object_scopes"],
- ["dev_role" , "read", "authz.action_scopes"],
- ["dev_role" , "read", "authz.subject_assignments"],
- ["dev_role" , "read", "authz.object_assignments"],
- ["dev_role" , "read", "authz.action_assignments"],
- ["dev_role" , "read", "authz.aggregation_algorithm"],
- ["dev_role" , "read", "authz.sub_meta_rules"],
- ["dev_role" , "read", "authz.rules"],
- ["dev_role" , "read", "admin.subjects"],
- ["dev_role" , "read", "admin.objects"],
- ["dev_role" , "read", "admin.actions"],
- ["dev_role" , "read", "admin.subject_categories"],
- ["dev_role" , "read", "admin.object_categories"],
- ["dev_role" , "read", "admin.action_categories"],
- ["dev_role" , "read", "admin.subject_scopes"],
- ["dev_role" , "read", "admin.object_scopes"],
- ["dev_role" , "read", "admin.action_scopes"],
- ["dev_role" , "read", "admin.subject_assignments"],
- ["dev_role" , "read", "admin.object_assignments"],
- ["dev_role" , "read", "admin.action_assignments"],
- ["dev_role" , "read", "admin.aggregation_algorithm"],
- ["dev_role" , "read", "admin.sub_meta_rules"],
- ["dev_role" , "read", "admin.rules"]
- ]
-}
+++ /dev/null
-{
- "subject_scopes": {
- "role": [
- "root_role",
- "dev_role"
- ]
- },
- "action_scopes": {
- "action_id": [
- "read",
- "write"
- ]
- },
- "object_scopes": {
- "object_id": [
- "authz.subjects",
- "authz.objects",
- "authz.actions",
- "authz.subject_categories",
- "authz.object_categories",
- "authz.action_categories",
- "authz.subject_scopes",
- "authz.object_scopes",
- "authz.action_scopes",
- "authz.subject_assignments",
- "authz.object_assignments",
- "authz.action_assignments",
- "authz.aggregation_algorithm",
- "authz.sub_meta_rules",
- "authz.rules",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_scopes",
- "admin.object_scopes",
- "admin.action_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
- }
-}
+++ /dev/null
-{
- "subject_assignments": {
- "role": {
- "admin": ["root_role"]
- }
- },
-
- "action_assignments": {
- "action_id": {
- "read": ["read"],
- "write": ["write"]
- }
- },
-
- "object_assignments": {
- "object_id": {
- "templates": ["templates"],
- "sub_meta_rule_algorithms": ["sub_meta_rule_algorithms"],
- "aggregation_algorithms": ["aggregation_algorithms"],
- "tenants": ["tenants"],
- "intra_extensions": ["intra_extensions"],
- "admin.subjects": ["admin.subjects"],
- "admin.objects": ["admin.objects"],
- "admin.actions": ["admin.actions"],
- "admin.subject_categories": ["admin.subject_categories"],
- "admin.object_categories": ["admin.object_categories"],
- "admin.action_categories": ["admin.action_categories"],
- "admin.subject_category_scopes": ["admin.subject_category_scopes"],
- "admin.object_category_scopes": ["admin.object_category_scopes"],
- "admin.action_category_scopes": ["admin.action_category_scopes"],
- "admin.subject_assignments": ["admin.subject_assignments"],
- "admin.object_assignments": ["admin.object_assignments"],
- "admin.action_assignments": ["admin.action_assignments"],
- "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
- "admin.sub_meta_rules": ["admin.sub_meta_rules"],
- "admin.rules": ["admin.rules"]
- }
- }
-}
+++ /dev/null
-{
- "name": "Root Policy",
- "model": "RBAC",
- "genre": "admin",
- "description": "root extension",
- "pdp_pipeline": ["authz:rbac_rule"],
-
- "subject_categories": [
- "role"
- ],
-
- "action_categories": [
- "action_id"
- ],
-
- "object_categories": [
- "object_id"
- ]
-}
+++ /dev/null
-{
- "sub_meta_rules": {
- "rbac_rule": {
- "subject_categories": ["role"],
- "action_categories": ["action_id"],
- "object_categories": ["object_id"],
- "algorithm": "inclusion"
- }
- },
- "aggregation": "all_true"
-}
-
+++ /dev/null
-{
- "subjects": [
- "admin"
- ],
- "actions": [
- "read",
- "write"
- ],
- "objects": [
- "templates",
- "aggregation_algorithms",
- "sub_meta_rule_algorithms",
- "tenants",
- "intra_extensions",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_category_scopes",
- "admin.object_category_scopes",
- "admin.action_category_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
-}
+++ /dev/null
-{
- "rbac_rule":[
- ["root_role" , "read", "templates"],
- ["root_role" , "read", "aggregation_algorithms"],
- ["root_role" , "read", "sub_meta_rule_algorithms"],
- ["root_role" , "read", "tenants"],
- ["root_role" , "read", "intra_extensions"],
- ["root_role" , "write", "templates"],
- ["root_role" , "write", "aggregation_algorithms"],
- ["root_role" , "write", "sub_meta_rule_algorithms"],
- ["root_role" , "write", "tenants"],
- ["root_role" , "write", "intra_extensions"],
- ["root_role" , "read", "admin.subjects"],
- ["root_role" , "read", "admin.objects"],
- ["root_role" , "read", "admin.actions"],
- ["root_role" , "read", "admin.subject_categories"],
- ["root_role" , "read", "admin.object_categories"],
- ["root_role" , "read", "admin.action_categories"],
- ["root_role" , "read", "admin.subject_category_scopes"],
- ["root_role" , "read", "admin.object_category_scopes"],
- ["root_role" , "read", "admin.action_category_scopes"],
- ["root_role" , "read", "admin.subject_assignments"],
- ["root_role" , "read", "admin.object_assignments"],
- ["root_role" , "read", "admin.action_assignments"],
- ["root_role" , "read", "admin.aggregation_algorithm"],
- ["root_role" , "read", "admin.sub_meta_rules"],
- ["root_role" , "read", "admin.rules"],
- ["root_role" , "write", "admin.subjects"],
- ["root_role" , "write", "admin.objects"],
- ["root_role" , "write", "admin.actions"],
- ["root_role" , "write", "admin.subject_categories"],
- ["root_role" , "write", "admin.object_categories"],
- ["root_role" , "write", "admin.action_categories"],
- ["root_role" , "write", "admin.subject_category_scopes"],
- ["root_role" , "write", "admin.object_category_scopes"],
- ["root_role" , "write", "admin.action_category_scopes"],
- ["root_role" , "write", "admin.subject_assignments"],
- ["root_role" , "write", "admin.object_assignments"],
- ["root_role" , "write", "admin.action_assignments"],
- ["root_role" , "write", "admin.aggregation_algorithm"],
- ["root_role" , "write", "admin.sub_meta_rules"],
- ["root_role" , "write", "admin.rules"]
- ]
-}
+++ /dev/null
-{
- "subject_scopes": {
- "role": [
- "root_role"
- ]
- },
-
- "action_scopes": {
- "action_id": [
- "read",
- "write"
- ]
- },
-
- "object_scopes": {
- "object_id": [
- "templates",
- "aggregation_algorithms",
- "sub_meta_rule_algorithms",
- "tenants",
- "intra_extensions",
- "admin.subjects",
- "admin.objects",
- "admin.actions",
- "admin.subject_categories",
- "admin.object_categories",
- "admin.action_categories",
- "admin.subject_category_scopes",
- "admin.object_category_scopes",
- "admin.action_category_scopes",
- "admin.subject_assignments",
- "admin.object_assignments",
- "admin.action_assignments",
- "admin.aggregation_algorithm",
- "admin.sub_meta_rules",
- "admin.rules"
- ]
- }
-}
from python_moonutilities.misc import get_random_name
from moon_orchestrator.drivers import get_driver
-LOG = logging.getLogger("moon.orchestrator.http")
+LOG = logging.getLogger("moon.orchestrator.http_server")
+
+__API__ = (
+ Status, Logs
+ )
class Server:
def run(self):
raise NotImplementedError()
-__API__ = (
- Status, Logs
- )
-
class Root(Resource):
"""
from python_moonutilities import configuration, exceptions
from moon_orchestrator.http_server import HTTPServer
-LOG = logging.getLogger("moon.orchestrator")
+LOG = logging.getLogger("moon.orchestrator.server")
DOMAIN = "moon_orchestrator"
-__CWD__ = os.path.dirname(os.path.abspath(__file__))
-
def main():
configuration.init_logging()
port = 80
configuration.add_component(uuid="orchestrator", name=hostname, port=port, bind=bind)
LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind))
- server = HTTPServer(host=bind, port=port)
- return server
+ return HTTPServer(host=bind, port=port)
if __name__ == '__main__':
-FROM ubuntu:latest
-
-RUN apt update && apt install python3.5 python3-pip -y
-RUN pip3 install pip --upgrade
+FROM python:3
ADD . /root
WORKDIR /root/
-RUN pip3 install -r requirements.txt --upgrade
-RUN pip3 install /root/dist/* --upgrade
+RUN pip3 install -r requirements.txt
RUN pip3 install .
CMD ["python3", "-m", "moon_wrapper"]
-Wrapper module for the Moon project
-===================================
+# moon_wrapper
This package contains the core module for the Moon project
It is designed to provide authorization features to all OpenStack components.
LOG = logging.getLogger("moon.wrapper.api." + __name__)
-class Wrapper(Resource):
+class OsloWrapper(Resource):
"""
Endpoint for authz requests
"""
__urls__ = (
- "/authz",
- "/authz/",
+ "/authz/oslo",
+ "/authz/oslo/",
)
def __init__(self, **kwargs):
self.CACHE = kwargs.get("cache", {})
self.TIMEOUT = 5
- # def get(self):
- # LOG.info("GET")
- # return self.manage_data()
-
def post(self):
LOG.debug("POST {}".format(request.form))
response = flask.make_response("False")
rule = data.get('rule', "")
_subject = self.__get_subject(target, credentials)
_object = self.__get_object(target, credentials)
+ _action = rule
_project_id = self.__get_project_id(target, credentials)
LOG.debug("POST with args project={} / "
"subject={} - object={} - action={}".format(
_project_id,
_subject,
_object,
- rule
+ _action
))
LOG.debug("Get interface {}".format(req.text))
if req.status_code == 200:
import logging
from moon_wrapper import __version__
from moon_wrapper.api.generic import Status, Logs, API
-from moon_wrapper.api.wrapper import Wrapper
+from moon_wrapper.api.oslowrapper import OsloWrapper
from python_moonutilities.cache import Cache
from python_moonutilities import configuration, exceptions
-logger = logging.getLogger("moon.wrapper.http")
+logger = logging.getLogger("moon.wrapper.http_server")
CACHE = Cache()
+__API__ = (
+ Status, Logs, API
+ )
+
class Server:
"""Base class for HTTP server"""
def run(self):
raise NotImplementedError()
-__API__ = (
- Status, Logs, API
- )
-
class Root(Resource):
"""
for api in __API__:
self.api.add_resource(api, *api.__urls__)
- self.api.add_resource(Wrapper, *Wrapper.__urls__,
+ self.api.add_resource(OsloWrapper, *OsloWrapper.__urls__,
resource_class_kwargs={
"orchestrator_url": self.orchestrator_url,
"cache": CACHE,
def run(self):
self.app.run(host=self._host, port=self._port) # nosec
- # self.app.run(debug=True, host=self._host, port=self._port) # nosec
from python_moonutilities import configuration, exceptions
from moon_wrapper.http_server import HTTPServer
-LOG = logging.getLogger("moon.wrapper")
+LOG = logging.getLogger("moon.wrapper.server")
def main():
port = 80
configuration.add_component(uuid="wrapper", name=hostname, port=port, bind=bind)
LOG.info("Starting server with IP {} on port {} bind to {}".format(hostname, port, bind))
- server = HTTPServer(host=bind, port=port)
- return server
+ return HTTPServer(host=bind, port=port)
if __name__ == '__main__':
-# python-moonclient Package
+# python-moonclient
This package contains the core module for the Moon project.
It is designed to provide authorization feature to all OpenStack components.
## Build
### Build Python Package
```bash
-cd ${MOON_HOME}/moonv4/python_moonclient
+cd ${MOON_HOME}/python_moonclient
python3 setup.py sdist bdist_wheel
```
### Push Python Package to PIP
```bash
-cd ${MOON_HOME}/moonv4/python_moonclient
+cd ${MOON_HOME}/python_moonclient
gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonclient-X.Y.Z-py3-none-any.whl
gpg --detach-sign -u "${GPG_ID}" -a dist/python_moonclient-X.Y.Z.tar.gz
twine upload dist/python_moonclient-X.Y.Z-py3-none-any.whl dist/python_moonclient-X.Y.Z-py3-none-any.whl.asc
### Python Unit Test
launch Docker for Python unit tests
```bash
-cd ${MOON_HOME}/moonv4/python_moonclient
+cd ${MOON_HOME}/python_moonclient
docker run --rm --volume $(pwd):/data wukongsun/moon_python_unit_test:latest
```
PORT_KEYSTONE = None
lock = threading.Lock()
-logger = logging.getLogger(__name__)
+logger = logging.getLogger("moonclient.authz")
def _construct_payload(creds, current_rule, enforcer, target):
while request_cpt < limit:
rule = (random.choice(SUBJECTS), random.choice(OBJECTS), random.choice(ACTIONS))
if destination.lower() == "wrapper":
- url = "http://{}:{}/authz".format(authz_host, authz_port)
+ url = "http://{}:{}/authz/oslo".format(authz_host, authz_port)
data = {
'target': {
"user_id": random.choice(SUBJECTS),
import argparse
-logger = logging.getLogger("python_moonclient.utils.parse")
+logger = logging.getLogger("python_moonclient.parse")
def parse():
import requests
from python_moonclient import config
-logger = logging.getLogger("python_moonclient.utils.pdp")
+logger = logging.getLogger("python_moonclient.pdp")
+
URL = None
HEADERS = None
KEYSTONE_USER = None
KEYSTONE_PROJECT = None
KEYSTONE_SERVER = None
-# config = utils.config.get_config_data()
-
pdp_template = {
"name": "test_pdp",
import requests
from . import config, models
-logger = logging.getLogger("moonclient.models")
+logger = logging.getLogger("moonclient.policies")
URL = None
HEADERS = None
-FILE = open("/tmp/test.log", "w")
-logger = logging.getLogger("utils.policies")
policy_template = {
"name": "test_policy",
from . import parse, models, policies, pdp, authz
-logger = logging.getLogger("python_moonclient.scripts")
+logger = logging.getLogger("moonclient.scripts")
def get_keystone_projects():
with open('requirements.txt') as f:
required = f.read().splitlines()
+
setup(
name='python-moonclient',
entry_points={
'console_scripts': [
'moon_get_keystone_projects = python_moonclient.scripts:get_keystone_projects',
- 'moon_create_pdp = python_moonclient.scripts:create_pdp',
'moon_get_pdp = python_moonclient.scripts:get_pdp',
- 'moon_send_authz_to_wrapper = python_moonclient.scripts:send_authz_to_wrapper',
+ 'moon_create_pdp = python_moonclient.scripts:create_pdp',
'moon_delete_pdp = python_moonclient.scripts:delete_pdp',
'moon_delete_policy = python_moonclient.scripts:delete_policy',
- 'moon_map_pdp_to_project = python_moonclient.scripts:map_pdp_to_project'
+ 'moon_map_pdp_to_project = python_moonclient.scripts:map_pdp_to_project',
+ 'moon_send_authz_to_wrapper = python_moonclient.scripts:send_authz_to_wrapper'
],
}
class SQLConnector(PDPConnector, PolicyConnector, ModelConnector):
pass
-
-# class InterExtension(Base):
-# __tablename__ = 'inter_extension'
-# attributes = [
-# 'id',
-# 'requesting_intra_extension_id',
-# 'requested_intra_extension_id',
-# 'virtual_entity_uuid',
-# 'genre',
-# 'description',
-# ]
-# id = sql.Column(sql.String(64), primary_key=True)
-# requesting_intra_extension_id = sql.Column(sql.String(64))
-# requested_intra_extension_id = sql.Column(sql.String(64))
-# virtual_entity_uuid = sql.Column(sql.String(64))
-# genre = sql.Column(sql.String(64))
-# description = sql.Column(sql.Text())
-#
-# @classmethod
-# def from_dict(cls, d):
-# """Override parent from_dict() method with a simpler implementation.
-# """
-# new_d = d.copy()
-# return cls(**new_d)
-#
-# def to_dict(self):
-# """Override parent to_dict() method with a simpler implementation.
-# """
-# return dict(six.iteritems(self))
-#
-#
-# class InterExtensionBaseConnector(InterExtensionDriver):
-#
-# def get_inter_extensions(self):
-# with self.get_session_for_read() as session:
-# query = session.query(InterExtension.id)
-# interextensions = query.all()
-# return [interextension.id for interextension in interextensions]
-#
-# def create_inter_extensions(self, inter_id, inter_extension):
-# with self.get_session_for_read() as session:
-# ie_ref = InterExtension.from_dict(inter_extension)
-# session.add(ie_ref)
-# return InterExtension.to_dict(ie_ref)
-#
-# def get_inter_extension(self, uuid):
-# with self.get_session_for_read() as session:
-# query = session.query(InterExtension)
-# query = query.filter_by(id=uuid)
-# ref = query.first()
-# if not ref:
-# raise exception.NotFound
-# return ref.to_dict()
-#
-# def delete_inter_extensions(self, inter_extension_id):
-# with self.get_session_for_read() as session:
-# ref = session.query(InterExtension).get(inter_extension_id)
-# session.delete(ref)
conf = configuration.get_configuration("database")['database']
+
KeystoneManager = keystone.KeystoneManager(
KeystoneDriver(conf['driver'], conf['url'])
)
PDPManager = pdp.PDPManager(
PDPDriver(conf['driver'], conf['url'])
)
-
-
-# class LogDriver(object):
-#
-# def authz(self, message):
-# """Log authorization message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def debug(self, message):
-# """Log debug message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def info(self, message):
-# """Log informational message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def warning(self, message):
-# """Log warning message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def error(self, message):
-# """Log error message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def critical(self, message):
-# """Log critical message
-#
-# :param message: the message to log
-# :type message: string
-# :return: None
-# """
-# raise NotImplementedError() # pragma: no cover
-#
-# def get_logs(self, options):
-# """Get logs
-#
-# :param options: options to filter log events
-# :type options: string eg: "event_number=10,from=2014-01-01-10:10:10,to=2014-01-01-12:10:10,filter=expression"
-# :return: a list of log events
-#
-# TIME_FORMAT is '%Y-%m-%d-%H:%M:%S'
-# """
-# raise NotImplementedError() # pragma: no cover
# Automated Tools/Scripts
-## moon_utilities_update
-- update moon_utilities to PIP: `./moon_utilities_update.sh upload`
-- locally update moon_utilities for each moon Python package: `./moon_utilities_update.sh copy`
\ No newline at end of file
+## api2pdf
+```bash
+python3 $MOON_HOME/tools/bin/api2rst.py
+pandoc api.rst --toc -o api.pdf
+evince api.pdf
+```
kubectl create -n moon -f tools/moon_kubernetes/templates/moon_gui.yaml
+# load moon_wrapper on both master and slaves
+# moon_create_wrapper
Code Review / moon.git / commitdiff