finish review code

author WuKong <rebirthmonkey@gmail.com>

Wed, 22 Jul 2015 13:36:11 +0000 (15:36 +0200)

committer WuKong <rebirthmonkey@gmail.com>

Wed, 22 Jul 2015 13:39:44 +0000 (15:39 +0200)
author WuKong <rebirthmonkey@gmail.com>
Wed, 22 Jul 2015 13:36:11 +0000 (15:36 +0200)
committer WuKong <rebirthmonkey@gmail.com>
Wed, 22 Jul 2015 13:39:44 +0000 (15:39 +0200)
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json

index 9b183a3..b77bd81 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
@@ -1,41 +1,47 @@
  {
      "subject_assignments": {
-        "domain":{
-                       "admin": ["ft"],
-                       "demo": ["xx"]
-        },
-               "role": {
-                       "admin": ["admin"]
+        "role": {
+                       "admin": ["root_role"]
                 }
      },
-
      "action_assignments": {
-        "access": {
-                       "read": ["admin", "user"],
-                       "write": ["admin"],
-                       "create": ["admin"],
-                       "delete": ["admin"]
+        "action_id": {
+                       "read": ["read"],
+                       "write": ["write"]
                 }
      },
-
      "object_assignments": {
-        "id": {
-                 "subjects": ["subjects"],
-                 "objects": ["objects"],
-                 "actions": ["actions"],
-                 "subject_categories": ["subject_categories"],
-                 "object_categories": ["object_categories"],
-                 "action_categories": ["action_categories"],
-                 "subject_category_scope": ["subject_category_scope"],
-                 "object_category_scope": ["object_category_scope"],
-                 "action_category_scope": ["action_category_scope"],
-                 "sub_rules": ["sub_rules"],
-                 "sub_meta_rule": ["sub_meta_rule"],
-                 "subject_assignments": ["subject_assignments"],
-                 "object_assignments": ["object_assignments"],
-                 "action_assignments": ["action_assignments"],
-                 "sub_meta_rule_relations": ["sub_meta_rule_relations"],
-                 "aggregation_algorithms": ["aggregation_algorithms"]
+        "object_id": { 
+                       "authz.subjects": ["authz.subjects"],
+            "authz.objects": ["authz.objects"],
+            "authz.actions": ["authz.actions"],
+            "authz.subject_categories": ["authz.subject_categories"],
+            "authz.object_categories": ["authz.object_categories"],
+            "authz.action_categories": ["authz.action_categories"],
+            "authz.subject_category_scopes": ["authz.subject_category_scopes"],
+            "authz.object_category_scopes": ["authz.object_category_scopes"],
+            "authz.action_category_scopes": ["authz.action_category_scopes"],
+            "authz.subject_assignments": ["authz.subject_assignments"],
+            "authz.object_assignments": ["authz.object_assignments"],
+            "authz.action_assignments": ["authz.action_assignments"],
+            "authz.aggregation_algorithm": ["authz.aggregation_algorithm"],
+            "authz.sub_meta_rules": ["authz.sub_meta_rules"],
+            "authz.rules": ["authz.rules"],
+                       "admin.subjects": ["admin.subjects"],
+            "admin.objects": ["admin.objects"],
+            "admin.actions": ["admin.actions"],
+            "admin.subject_categories": ["admin.subject_categories"],
+            "admin.object_categories": ["admin.object_categories"],
+            "admin.action_categories": ["admin.action_categories"],
+            "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+            "admin.object_category_scopes": ["admin.object_category_scopes"],
+            "admin.action_category_scopes": ["admin.action_category_scopes"],
+            "admin.subject_assignments": ["admin.subject_assignments"],
+            "admin.object_assignments": ["admin.object_assignments"],
+            "admin.action_assignments": ["admin.action_assignments"],
+            "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+            "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+            "admin.rules": ["admin.rules"]
                 }
      }
  }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metadata.json b/keystone-moon/examples/moon/policies/policy_admin/metadata.json

index 2977067..9ee8a11 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/metadata.json
@@ -1,19 +1,18 @@
  {
-    "name": "MLS_metadata",
+    "name": "RBAC Admin Policy",
      "model": "RBAC",
      "genre": "admin",
      "description": "",
  
      "subject_categories": [
-        "domain",
-               "role"
+        "role"
      ],
  
      "action_categories": [
-        "access"
+        "action_id"
      ],
  
      "object_categories": [
-        "id"
+        "object_id"
      ]
  }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/metarule.json b/keystone-moon/examples/moon/policies/policy_admin/metarule.json

index 1cb06eb..86dbfad 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/metarule.json
@@ -1,9 +1,9 @@
  {
      "sub_meta_rules": {
                 "rbac_rule": {
-                       "subject_categories": ["role", "domain"],
-                       "action_categories": ["access"],
-                       "object_categories": ["id"],
+                       "subject_categories": ["role"],
+                       "action_categories": ["action_id"],
+                       "object_categories": ["object_id"],
                         "algorithm": "inclusion"
                 }
         },
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json

index 7716986..a796dae 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
@@ -1,30 +1,41 @@
  {
      "subjects": [
-        "admin",
-        "demo"
+        "admin"
      ],
      "actions": [
          "read",
-        "write",
-        "create",
-        "delete"
+        "write"
      ],
      "objects": [
-        "subjects",
-        "objects",
-        "actions",
-        "subject_categories",
-        "object_categories",
-        "action_categories",
-        "subject_category_scope",
-        "object_category_scope",
-        "action_category_scope",
-        "rules",
-        "subject_assignments",
-        "object_assignments",
-        "action_assignments",
-        "sub_meta_rule_algorithm",
-        "aggregation_algorithm",
-        "sub_meta_rules"
+        "authz.subjects",
+        "authz.objects",
+        "authz.actions",
+        "authz.subject_categories",
+        "authz.object_categories",
+        "authz.action_categories",
+        "authz.subject_category_scopes",
+        "authz.object_category_scopes",
+        "authz.action_category_scopes",
+        "authz.subject_assignments",
+        "authz.object_assignments",
+        "authz.action_assignments",
+        "authz.aggregation_algorithm",
+        "authz.sub_meta_rules",
+        "authz.rules",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_category_scopes",
+        "admin.object_category_scopes",
+        "admin.action_category_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
      ]
  }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json

index 650405a..e80c61c 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json
@@ -1,22 +1,64 @@
  {
-  "rbac_rule":[ 
-    
-    ["admin" , "ft", "admin", "subjects"],
-    ["admin" , "ft", "admin", "objects"],
-    ["admin" , "ft", "admin", "actions"],
-    ["admin" , "ft", "admin", "subject_categories"],
-    ["admin" , "ft", "admin", "object_categories"],
-    ["admin" , "ft", "admin", "action_categories"],
-    ["admin" , "ft", "admin", "subject_category_scope"],
-    ["admin" , "ft", "admin", "object_category_scope"],
-    ["admin" , "ft", "admin", "action_category_scope"],
-    ["admin" , "ft", "admin", "sub_rules"],
-    ["admin" , "ft", "admin", "sub_meta_rule"],
-    ["admin" , "ft", "admin", "subject_assignments"],
-    ["admin" , "ft", "admin", "object_assignments"],
-    ["admin" , "ft", "admin", "action_assignments"],
-    ["admin" , "ft", "admin", "sub_meta_rule_relations"],
-    ["admin" , "ft", "admin", "aggregation_algorithms"]
-    
+  "rbac_rule":[
+    ["root_role" , "read", "authz.subjects"],
+    ["root_role" , "read", "authz.objects"],
+    ["root_role" , "read", "authz.actions"],
+    ["root_role" , "read", "authz.subject_categories"],
+    ["root_role" , "read", "authz.object_categories"],
+    ["root_role" , "read", "authz.action_categories"],
+    ["root_role" , "read", "authz.subject_category_scopes"],
+    ["root_role" , "read", "authz.object_category_scopes"],
+    ["root_role" , "read", "authz.action_category_scopes"],
+    ["root_role" , "read", "authz.subject_assignments"],
+    ["root_role" , "read", "authz.object_assignments"],
+    ["root_role" , "read", "authz.action_assignments"],
+    ["root_role" , "read", "authz.aggregation_algorithm"],
+    ["root_role" , "read", "authz.sub_meta_rules"],    
+    ["root_role" , "read", "authz.rules"],
+    ["root_role" , "write", "authz.subjects"],
+    ["root_role" , "write", "authz.objects"],
+    ["root_role" , "write", "authz.actions"],
+    ["root_role" , "write", "authz.subject_categories"],
+    ["root_role" , "write", "authz.object_categories"],
+    ["root_role" , "write", "authz.action_categories"],
+    ["root_role" , "write", "authz.subject_category_scopes"],
+    ["root_role" , "write", "authz.object_category_scopes"],
+    ["root_role" , "write", "authz.action_category_scopes"],
+    ["root_role" , "write", "authz.subject_assignments"],
+    ["root_role" , "write", "authz.object_assignments"],
+    ["root_role" , "write", "authz.action_assignments"],
+    ["root_role" , "write", "authz.aggregation_algorithm"],
+    ["root_role" , "write", "authz.sub_meta_rules"],    
+    ["root_role" , "write", "authz.rules"], 
+    ["root_role" , "read", "admin.subjects"],
+    ["root_role" , "read", "admin.objects"],
+    ["root_role" , "read", "admin.actions"],
+    ["root_role" , "read", "admin.subject_categories"],
+    ["root_role" , "read", "admin.object_categories"],
+    ["root_role" , "read", "admin.action_categories"],
+    ["root_role" , "read", "admin.subject_category_scopes"],
+    ["root_role" , "read", "admin.object_category_scopes"],
+    ["root_role" , "read", "admin.action_category_scopes"],
+    ["root_role" , "read", "admin.subject_assignments"],
+    ["root_role" , "read", "admin.object_assignments"],
+    ["root_role" , "read", "admin.action_assignments"],
+    ["root_role" , "read", "admin.aggregation_algorithm"],
+    ["root_role" , "read", "admin.sub_meta_rules"],    
+    ["root_role" , "read", "admin.rules"],
+    ["root_role" , "write", "admin.subjects"],
+    ["root_role" , "write", "admin.objects"],
+    ["root_role" , "write", "admin.actions"],
+    ["root_role" , "write", "admin.subject_categories"],
+    ["root_role" , "write", "admin.object_categories"],
+    ["root_role" , "write", "admin.action_categories"],
+    ["root_role" , "write", "admin.subject_category_scopes"],
+    ["root_role" , "write", "admin.object_category_scopes"],
+    ["root_role" , "write", "admin.action_category_scopes"],
+    ["root_role" , "write", "admin.subject_assignments"],
+    ["root_role" , "write", "admin.object_assignments"],
+    ["root_role" , "write", "admin.action_assignments"],
+    ["root_role" , "write", "admin.aggregation_algorithm"],
+    ["root_role" , "write", "admin.sub_meta_rules"],    
+    ["root_role" , "write", "admin.rules"]
    ]
  }
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json

index 3742a5e..74b1d01 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json
@@ -1,39 +1,47 @@
  {
-  "subject_scopes": {
-    "role": [
-      "admin"
-    ],
-    "domain": [
-      "ft",
-      "xx"
-    ]
-  },
-
-  "action_scopes": {
-    "access": [
-      "admin",
-      "user"
-    ]
-  },
-
-  "object_scopes": {
-    "id": [
-        "subjects",
-        "objects",
-        "actions",
-        "subject_categories",
-        "object_categories",
-        "action_categories",
-        "subject_category_scope",
-        "object_category_scope",
-        "action_category_scope",
-        "sub_rules",
-        "sub_meta_rule",
-        "subject_assignments",
-        "object_assignments",
-        "action_assignments",
-        "sub_meta_rule_relations",
-        "aggregation_algorithms"
-      ]
+    "subject_scopes": {
+        "role": [
+            "root_role"
+        ]
+    },
+    "action_scopes": {
+        "action_id": [
+            "read",
+            "write"
+        ]
+    },
+    "object_scopes": {
+        "action_id": [
+            "authz.subjects",
+            "authz.objects",
+            "authz.actions",
+            "authz.subject_categories",
+            "authz.object_categories",
+            "authz.action_categories",
+            "authz.subject_category_scopes",
+            "authz.object_category_scopes",
+            "authz.action_category_scopes",
+            "authz.subject_assignments",
+            "authz.object_assignments",
+            "authz.action_assignments",
+            "authz.aggregation_algorithm",
+            "authz.sub_meta_rules",
+            "authz.rules",
+            "admin.subjects",
+            "admin.objects",
+            "admin.actions",
+            "admin.subject_categories",
+            "admin.object_categories",
+            "admin.action_categories",
+            "admin.subject_category_scopes",
+            "admin.object_category_scopes",
+            "admin.action_category_scopes",
+            "admin.subject_assignments",
+            "admin.object_assignments",
+            "admin.action_assignments",
+            "admin.aggregation_algorithm",
+            "admin.sub_meta_rules",
+            "admin.rules"
+        ]
      }
  }
diff --git a/keystone-moon/examples/moon/policies/policy_authz/assignment.json b/keystone-moon/examples/moon/policies/policy_authz/assignment.json

index ebab0ec..6482830 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_authz/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/assignment.json
@@ -56,7 +56,7 @@
                         "file1": ["storage"],
                         "file2": ["storage"]
                 },
-               "id": {
+               "object_id": {
                         "servers": ["servers"],
                         "vm1": ["vm1"],
                         "vm2": ["vm2"],
diff --git a/keystone-moon/examples/moon/policies/policy_authz/metadata.json b/keystone-moon/examples/moon/policies/policy_authz/metadata.json

index 4a5a5a1..d0db90d 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_authz/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/metadata.json
@@ -1,8 +1,8 @@
  {
-    "name": "MLS_metadata",
-    "model": "MLS",
+    "name": "Multiple_Policy",
+    "model": "Multiple",
      "genre": "authz",
-    "description": "Multi Layer Security authorization policy",
+    "description": "Multiple Security Policies",
  
      "subject_categories": [
          "subject_security_level",
@@ -18,6 +18,6 @@
      "object_categories": [
          "object_security_level",
                 "type",
-               "id"
+               "object_id"
      ]
  }
diff --git a/keystone-moon/examples/moon/policies/policy_authz/metarule.json b/keystone-moon/examples/moon/policies/policy_authz/metarule.json

index df683ca..c9afd6c 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_authz/metarule.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/metarule.json
@@ -15,7 +15,7 @@
                 "rbac_rule": {
                         "subject_categories": ["role", "domain"],
                         "action_categories": ["access"],
-                       "object_categories": ["id"],
+                       "object_categories": ["object_id"],
                         "algorithm": "inclusion"
                 }
         },
diff --git a/keystone-moon/examples/moon/policies/policy_authz/scope.json b/keystone-moon/examples/moon/policies/policy_authz/scope.json

index 4b69e46..9b313da 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_authz/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_authz/scope.json
@@ -38,7 +38,7 @@
        "computing",
        "storage"
      ],
-    "id": [
+    "object_id": [
        "servers",
        "vm1",
        "vm2",
diff --git a/keystone-moon/examples/moon/policies/policy_root/assignment.json b/keystone-moon/examples/moon/policies/policy_root/assignment.json

new file mode 100644 (file)

index 0000000..2852de0
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/assignment.json
@@ -0,0 +1,39 @@
+{
+    "subject_assignments": {
+        "role": {
+                       "admin": ["root_role"]
+               }
+    },
+
+    "action_assignments": {
+        "action_id": {
+                       "read": ["read"],
+                       "write": ["write"]
+               }
+    },
+
+    "object_assignments": {
+        "object_id": {
+            "templates": ["templates"],
+                   "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
+                   "aggregation_algorithms": ["aggregation_algorithms"],
+            "tenants": ["tenants"],
+            "intra_extensions": ["intra_extensions"],
+            "admin.subjects": ["admin.subjects"],
+            "admin.objects": ["admin.objects"],
+            "admin.actions": ["admin.actions"],
+            "admin.subject_categories": ["admin.subject_categories"],
+            "admin.object_categories": ["admin.object_categories"],
+            "admin.action_categories": ["admin.action_categories"],
+            "admin.subject_category_scopes": ["admin.subject_category_scopes"],
+            "admin.object_category_scopes": ["admin.object_category_scopes"],
+            "admin.action_category_scopes": ["admin.action_category_scopes"],
+            "admin.subject_assignments": ["admin.subject_assignments"],
+            "admin.object_assignments": ["admin.object_assignments"],
+            "admin.action_assignments": ["admin.action_assignments"],
+            "admin.aggregation_algorithm": ["admin.aggregation_algorithm"],
+            "admin.sub_meta_rules": ["admin.sub_meta_rules"],
+            "admin.rules": ["admin.rules"]
+               }
+    }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_super/metadata.json b/keystone-moon/examples/moon/policies/policy_root/metadata.json

similarity index 68%

rename from keystone-moon/examples/moon/policies/policy_super/metadata.json

rename to keystone-moon/examples/moon/policies/policy_root/metadata.json

index a67670e..3e4b0f2 100644 (file)
--- a/keystone-moon/examples/moon/policies/policy_super/metadata.json
+++ b/keystone-moon/examples/moon/policies/policy_root/metadata.json
@@ -1,8 +1,8 @@
  {
-    "name": "Super_Extension",
+    "name": "Root Policy",
      "model": "RBAC",
-    "genre": "authz",
-    "description": "",
+    "genre": "admin",
+    "description": "root extension",
  
      "subject_categories": [
          "role"
diff --git a/keystone-moon/examples/moon/policies/policy_super/metarule.json b/keystone-moon/examples/moon/policies/policy_root/metarule.json

similarity index 100%

rename from keystone-moon/examples/moon/policies/policy_super/metarule.json

rename to keystone-moon/examples/moon/policies/policy_root/metarule.json
diff --git a/keystone-moon/examples/moon/policies/policy_root/perimeter.json b/keystone-moon/examples/moon/policies/policy_root/perimeter.json

new file mode 100644 (file)

index 0000000..788a27f
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/perimeter.json
@@ -0,0 +1,31 @@
+{
+    "subjects": [
+        "admin"
+    ],
+    "actions": [
+        "read",
+        "write"
+    ],
+    "objects": [
+        "templates",
+        "aggregation_algorithms",
+        "sub_meta_rule_algorithms",
+        "tenants",
+        "intra_extensions",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_category_scopes",
+        "admin.object_category_scopes",
+        "admin.action_category_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_root/rule.json b/keystone-moon/examples/moon/policies/policy_root/rule.json

new file mode 100644 (file)

index 0000000..9bbd5e4
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/rule.json
@@ -0,0 +1,44 @@
+{
+    "rbac_rule":[
+        ["root_role" , "read", "templates"],
+        ["root_role" , "read", "aggregation_algorithms"],
+        ["root_role" , "read", "sub_meta_rule_algorithms"],
+        ["root_role" , "read", "tenants"],
+        ["root_role" , "read", "intra_extensions"],
+        ["root_role" , "write", "templates"],
+        ["root_role" , "write", "aggregation_algorithms"],
+        ["root_role" , "write", "sub_meta_rule_algorithms"],
+        ["root_role" , "write", "tenants"],
+        ["root_role" , "write", "intra_extensions"],
+        ["root_role" , "read", "admin.subjects"],
+        ["root_role" , "read", "admin.objects"],
+        ["root_role" , "read", "admin.actions"],
+        ["root_role" , "read", "admin.subject_categories"],
+        ["root_role" , "read", "admin.object_categories"],
+        ["root_role" , "read", "admin.action_categories"],
+        ["root_role" , "read", "admin.subject_category_scopes"],
+        ["root_role" , "read", "admin.object_category_scopes"],
+        ["root_role" , "read", "admin.action_category_scopes"],
+        ["root_role" , "read", "admin.subject_assignments"],
+        ["root_role" , "read", "admin.object_assignments"],
+        ["root_role" , "read", "admin.action_assignments"],
+        ["root_role" , "read", "admin.aggregation_algorithm"],
+        ["root_role" , "read", "admin.sub_meta_rules"],
+        ["root_role" , "read", "admin.rules"],
+        ["root_role" , "write", "admin.subjects"],
+        ["root_role" , "write", "admin.objects"],
+        ["root_role" , "write", "admin.actions"],
+        ["root_role" , "write", "admin.subject_categories"],
+        ["root_role" , "write", "admin.object_categories"],
+        ["root_role" , "write", "admin.action_categories"],
+        ["root_role" , "write", "admin.subject_category_scopes"],
+        ["root_role" , "write", "admin.object_category_scopes"],
+        ["root_role" , "write", "admin.action_category_scopes"],
+        ["root_role" , "write", "admin.subject_assignments"],
+        ["root_role" , "write", "admin.object_assignments"],
+        ["root_role" , "write", "admin.action_assignments"],
+        ["root_role" , "write", "admin.aggregation_algorithm"],
+        ["root_role" , "write", "admin.sub_meta_rules"],
+        ["root_role" , "write", "admin.rules"]
+    ]
+}
diff --git a/keystone-moon/examples/moon/policies/policy_root/scope.json b/keystone-moon/examples/moon/policies/policy_root/scope.json

new file mode 100644 (file)

index 0000000..43f9ced
--- /dev/null
+++ b/keystone-moon/examples/moon/policies/policy_root/scope.json
@@ -0,0 +1,39 @@
+{
+  "subject_scopes": {
+    "role": [
+      "root_role"
+    ]
+  },
+
+  "action_scopes": {
+    "action_id": [
+      "read",
+      "write"
+    ]
+  },
+
+  "object_scopes": {
+    "object_id": [
+        "templates",
+        "aggregation_algorithms",
+        "sub_meta_rule_algorithms",
+        "tenants",
+        "intra_extensions",
+        "admin.subjects",
+        "admin.objects",
+        "admin.actions",
+        "admin.subject_categories",
+        "admin.object_categories",
+        "admin.action_categories",
+        "admin.subject_category_scopes",
+        "admin.object_category_scopes",
+        "admin.action_category_scopes",
+        "admin.subject_assignments",
+        "admin.object_assignments",
+        "admin.action_assignments",
+        "admin.aggregation_algorithm",
+        "admin.sub_meta_rules",
+        "admin.rules"
+      ]
+    }
+}
diff --git a/keystone-moon/examples/moon/policies/policy_super/assignment.json b/keystone-moon/examples/moon/policies/policy_super/assignment.json

deleted file mode 100644 (file)

index 352575a..0000000
--- a/keystone-moon/examples/moon/policies/policy_super/assignment.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
-    "subject_assignments": {
-        "role": {
-                       "super_admin": ["admin"]
-               }
-    },
-
-    "action_assignments": {
-        "action_id": {
-                       "read": ["read"],
-                       "write": ["write"]
-               }
-    },
-
-    "object_assignments": {
-        "object_id": {
-            "templates": ["templates"],
-                   "sub_meta_rule_algorithm": ["sub_meta_rule_relations"],
-                   "aggregation_algorithms": ["aggregation_algorithms"],
-            "tenants": ["tenants"],
-            "intra_extensions": ["intra_extensions"]
-               }
-    }
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/perimeter.json b/keystone-moon/examples/moon/policies/policy_super/perimeter.json

deleted file mode 100644 (file)

index 3a7364b..0000000
--- a/keystone-moon/examples/moon/policies/policy_super/perimeter.json
+++ /dev/null
@@ -1,16 +0,0 @@
-{
-    "subjects": [
-        "super_admin"
-    ],
-    "actions": [
-        "read",
-        "write"
-    ],
-    "objects": [
-        "templates",
-        "aggregation_algorithms",
-        "sub_meta_rule_algorithms",
-        "tenants",
-        "intra_extensions"
-    ]
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/rule.json b/keystone-moon/examples/moon/policies/policy_super/rule.json

deleted file mode 100644 (file)

index b3115a9..0000000
--- a/keystone-moon/examples/moon/policies/policy_super/rule.json
+++ /dev/null
@@ -1,14 +0,0 @@
-{
-    "rbac_rule":[
-        ["admin" , "read", "templates"],
-        ["admin" , "read", "aggregation_algorithms"],
-        ["admin" , "read", "sub_meta_rule_algorithms"],
-        ["admin" , "read", "tenants"],
-        ["admin" , "read", "intra_extensions"],
-        ["admin" , "write", "templates"],
-        ["admin" , "write", "aggregation_algorithms"],
-        ["admin" , "write", "sub_meta_rule_algorithms"],
-        ["admin" , "write", "tenants"],
-        ["admin" , "write", "intra_extensions"]
-    ]
-}
diff --git a/keystone-moon/examples/moon/policies/policy_super/scope.json b/keystone-moon/examples/moon/policies/policy_super/scope.json

deleted file mode 100644 (file)

index d581c74..0000000
--- a/keystone-moon/examples/moon/policies/policy_super/scope.json
+++ /dev/null
@@ -1,24 +0,0 @@
-{
-  "subject_scopes": {
-    "role": [
-      "admin"
-    ]
-  },
-
-  "action_scopes": {
-    "action_id": [
-      "read",
-      "write"
-    ]
-  },
-
-  "object_scopes": {
-    "object_id": [
-        "templates",
-        "aggregation_algorithms",
-        "sub_meta_rule_algorithms",
-        "tenants",
-        "intra_extensions"
-      ]
-    }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/assignment.json b/keystone-moon/examples/moon/super_extension/policy/assignment.json

deleted file mode 100644 (file)

index 352d392..0000000
--- a/keystone-moon/examples/moon/super_extension/policy/assignment.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-    "subject_category_assignments": {
-        "role":{
-            "admin": [
-                "super_user",
-                "super_admin",
-                "super_root",
-                "inter_extension_user",
-                "inter_extension_admin",
-                "inter_extension_root"
-            ]
-        }
-    },
-    "object_category_assignments": {
-        "action": {
-            "intra_extension": [],
-            "mapping": [],
-            "inter_extension": []
-        },
-        "object_id": {
-            "intra_extension": ["intra_extension"],
-            "mapping": ["mapping"],
-            "inter_extension": ["inter_extension"]
-        }
-    }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/configuration.json b/keystone-moon/examples/moon/super_extension/policy/configuration.json

deleted file mode 100644 (file)

index 18918e7..0000000
--- a/keystone-moon/examples/moon/super_extension/policy/configuration.json
+++ /dev/null
@@ -1,43 +0,0 @@
-{
-    "subject_category_values": {
-        "role": [
-            "super_user",
-            "super_admin",
-            "super_root",
-            "inter_extension_user",
-            "inter_extension_admin",
-            "inter_extension_root"
-        ]
-    },
-
-    "object_category_values": {
-        "action": [
-            "list",
-            "create",
-            "destroy",
-            "delegate"
-        ],
-        "object_id": [
-            "intra_extension",
-            "mapping",
-            "inter_extension"
-        ]
-    },
-
-    "rules":{
-        "permission": [
-            ["super_user", "intra_extension", "list"],
-            ["super_admin", "intra_extension", "create"],
-            ["super_admin", "intra_extension", "destroy"],
-            ["super_root", "intra_extension", "delegate"],
-            ["super_user", "mapping", "list"],
-            ["super_admin", "mapping", "create"],
-            ["super_admin", "mapping", "destroy"],
-            ["super_root", "mapping", "delegate"],
-            ["inter_extension_user", "inter_extension", "list"],
-            ["inter_extension_admin", "inter_extension", "create"],
-            ["inter_extension_admin", "inter_extension", "destroy"],
-            ["inter_extension_root", "inter_extension", "delegate"]
-        ]
-    }
-}
-\ No newline at end of file
diff --git a/keystone-moon/examples/moon/super_extension/policy/metadata.json b/keystone-moon/examples/moon/super_extension/policy/metadata.json

deleted file mode 100644 (file)

index 316bfcb..0000000
--- a/keystone-moon/examples/moon/super_extension/policy/metadata.json
+++ /dev/null
@@ -1,26 +0,0 @@
-{
-    "name": "RBAC_metadata",
-    "model": "RBAC",
-    "genre": "super",
-    "description": "",
-
-    "subject_categories": [
-        "role"
-    ],
-
-    "object_categories": [
-        "object_id",
-        "action"
-    ],
-
-    "meta_rule": {
-        "sub_meta_rules": {
-            "permission": {
-                    "subject_categories": ["role"],
-                    "object_categories": ["object_id", "action"],
-                    "relation": "permission"
-                }
-            },
-        "aggregation": "and_true_aggregation"
-    }
-}
diff --git a/keystone-moon/examples/moon/super_extension/policy/perimeter.json b/keystone-moon/examples/moon/super_extension/policy/perimeter.json

deleted file mode 100644 (file)

index 5d51165..0000000
--- a/keystone-moon/examples/moon/super_extension/policy/perimeter.json
+++ /dev/null
@@ -1,10 +0,0 @@
-{
-    "subjects": [
-        "admin"
-    ],
-    "objects": [
-        "intra_extension",
-        "mapping",
-        "inter_extension"
-    ]
-}
-\ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/__init__.py b/keystone-moon/keystone/contrib/moon/backends/__init__.py

index 28b42dd..237bdc3 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/backends/__init__.py
+++ b/keystone-moon/keystone/contrib/moon/backends/__init__.py
@@ -90,6 +90,7 @@ rules = {
      sub_meta_rule_id1: {
          rule_id1: [subject_scope1, subject_scope2, ..., action_scope1, ..., object_scope1, ... ],
          rule_id2: [subject_scope3, subject_scope4, ..., action_scope3, ..., object_scope3, ... ],
+        rule_id3: [thomas, write, admin.subjects]
          ...},
      sub_meta_rule_id2: { },
      ...}
diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py

index ddc0683..b2efb72 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/backends/memory.py
+++ b/keystone-moon/keystone/contrib/moon/backends/memory.py
@@ -36,21 +36,4 @@ class ConfigurationConnector(ConfigurationDriver):
          return self.aggregation_algorithm_dict
  
      def get_sub_meta_rule_algorithm_dict(self):
-        return self.sub_meta_rule_algorithm_dict
-
-# class SuperExtensionConnector(SuperExtensionDriver):
-#
-#     def __init__(self):
-#         super(SuperExtensionConnector, self).__init__()
-#         # Super_Extension is loaded every time the server is started
-#         self.__uuid = uuid4().hex
-#         # self.__super_extension = Extension()
-#         _policy_abs_dir = os.path.join(CONF.moon.super_extension_directory, 'policy')
-#         # self.__super_extension.load_from_json(_policy_abs_dir)
-#
-#     def get_super_extensions(self):
-#         return None
-#
-#     def admin(self, sub, obj, act):
-#         # return self.__super_extension.authz(sub, obj, act)
-#         return True
+        return self.sub_meta_rule_algorithm_dict
+\ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py

index 3b331dd..b2e91db 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/backends/sql.py
+++ b/keystone-moon/keystone/contrib/moon/backends/sql.py
@@ -310,7 +310,6 @@ class Rule(sql.ModelBase, sql.DictBase):
  
  
  __all_objects__ = (
-    IntraExtensionUnknown,
      Tenant,
      Subject,
      Object,
@@ -362,10 +361,7 @@ class TenantConnector(TenantDriver):
              ref = query.first()
              tenant_ref = ref.to_dict()
              tenant_ref.update(tenant_dict)
-            new_tenant = Tenant(
-                id=tenant_id,
-                tenant=tenant_ref
-            )
+            new_tenant = Tenant(id=tenant_id, tenant=tenant_ref)
              for attr in Tenant.attributes:
                  if attr != 'id':
                      setattr(ref, attr, getattr(new_tenant, attr))
@@ -382,8 +378,6 @@ class IntraExtensionConnector(IntraExtensionDriver):
              ref_list = query.all()
              return {_ref.id: _ref.intraextension for _ref in ref_list}
  
-    # TODO (dthom): load_intra_extension(self):
-
      def del_intra_extension(self, intra_extension_id):
          with sql.transaction() as session:
              ref = session.query(IntraExtension).get(intra_extension_id)
diff --git a/keystone-moon/keystone/contrib/moon/controllers.py b/keystone-moon/keystone/contrib/moon/controllers.py

index d8737dd..fadc273 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/controllers.py
+++ b/keystone-moon/keystone/contrib/moon/controllers.py
@@ -94,6 +94,7 @@ class Tenants(controller.V3Controller):
          tenant_id = kw.get("tenant_id", None)
          return self.tenant_api.del_tenant(user_id, tenant_id)
  
+    @controller.protected()
      def set_tenant(self, context, **kw):
          user_id = self._get_user_id_from_token(context.get('token_id'))
          tenant_id = kw.get('id', None)
@@ -142,22 +143,25 @@ class IntraExtensions(controller.V3Controller):
      def add_intra_extension(self, context, **kw):
          user_id = self._get_user_id_from_token(context.get('token_id'))
          intra_extension_dict = dict()
-        intra_extension_dict["intra_extension_name"] = kw.get("intra_extension_name", dict())
-        intra_extension_dict["subject_categories"] = kw.get("subject_categories", dict())
-        intra_extension_dict["object_categories"] = kw.get("object_categories", dict())
-        intra_extension_dict["action_categories"] = kw.get("action_categories", dict())
-        intra_extension_dict["subjects"] = kw.get("subjects", dict())
-        intra_extension_dict["objects"] = kw.get("objects", dict())
-        intra_extension_dict["actions"] = kw.get("actions", dict())
-        intra_extension_dict["subject_category_scopes"] = kw.get("subject_category_scopes", dict())
-        intra_extension_dict["object_category_scopes"] = kw.get("object_category_scopes", dict())
-        intra_extension_dict["action_category_scopes"] = kw.get("action_category_scopes", dict())
-        intra_extension_dict["subject_assignments"] = kw.get("subject_assignments", dict())
-        intra_extension_dict["object_assignments"] = kw.get("object_assignments", dict())
-        intra_extension_dict["action_assignments"] = kw.get("action_assignments", dict())
-        intra_extension_dict["aggregation_algorithm"] = kw.get("aggregation_algorithm", dict())
-        intra_extension_dict["sub_meta_rules"] = kw.get("sub_meta_rules", dict())
-        intra_extension_dict["rules"] = kw.get("rules", dict())
+        intra_extension_dict["name"] = kw.get("intra_extension_name", None)
+        intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+        intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
+        intra_extension_dict["description"] = kw.get("intra_extension_description", None)
+        intra_extension_dict["subject_categories"] = kw.get("intra_extension_subject_categories", dict())
+        intra_extension_dict["object_categories"] = kw.get("intra_extension_object_categories", dict())
+        intra_extension_dict["action_categories"] = kw.get("intra_extension_action_categories", dict())
+        intra_extension_dict["subjects"] = kw.get("intra_extension_subjects", dict())
+        intra_extension_dict["objects"] = kw.get("intra_extension_objects", dict())
+        intra_extension_dict["actions"] = kw.get("intra_extension_actions", dict())
+        intra_extension_dict["subject_category_scopes"] = kw.get("intra_extension_subject_category_scopes", dict())
+        intra_extension_dict["object_category_scopes"] = kw.get("intra_extension_object_category_scopes", dict())
+        intra_extension_dict["action_category_scopes"] = kw.get("intra_extension_action_category_scopes", dict())
+        intra_extension_dict["subject_assignments"] = kw.get("intra_extension_subject_assignments", dict())
+        intra_extension_dict["object_assignments"] = kw.get("intra_extension_object_assignments", dict())
+        intra_extension_dict["action_assignments"] = kw.get("intra_extension_action_assignments", dict())
+        intra_extension_dict["aggregation_algorithm"] = kw.get("intra_extension_aggregation_algorithm", dict())
+        intra_extension_dict["sub_meta_rules"] = kw.get("intra_extension_sub_meta_rules", dict())
+        intra_extension_dict["rules"] = kw.get("intra_extension_rules", dict())
          return self.admin_api.load_intra_extension_dict(user_id, intra_extension_dict)
  
      @controller.protected()
@@ -179,6 +183,7 @@ class IntraExtensions(controller.V3Controller):
          intra_extension_dict = dict()
          intra_extension_dict["name"] = kw.get("intra_extension_name", None)
          intra_extension_dict["model"] = kw.get("intra_extension_model", None)
+        intra_extension_dict["genre"] = kw.get("intra_extension_genre", None)
          intra_extension_dict["description"] = kw.get("intra_extension_description", None)
          return self.admin_api.set_intra_extension_dict(user_id, ie_id, intra_extension_dict)
  
@@ -781,13 +786,6 @@ class InterExtensions(controller.V3Controller):
      #     return self.interextension_api.delete_inter_extension(kw["inter_extension_id"])
  
  
-@dependency.requires('authz_api')
-class SuperExtensions(controller.V3Controller):
-
-    def __init__(self):
-        super(SuperExtensions, self).__init__()
-
-
  @dependency.requires('moonlog_api', 'authz_api')
  class Logs(controller.V3Controller):
  
@@ -803,7 +801,5 @@ class Logs(controller.V3Controller):
      def get_logs(self, context, **kw):
          user_id = self._get_user_id_from_token(context.get('token_id'))
          options = kw.get("options", "")
-        # FIXME (dthom): the authorization for get_logs must be done with an intra_extension
-        #if self.authz_api.admin(user["name"], "logs", "read"):
          return self.moonlog_api.get_logs(user_id, options)
  
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py

index fcb8ebf..7761130 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -25,9 +25,9 @@ from keystone.contrib.moon.algorithms import *
  
  CONF = config.CONF
  LOG = log.getLogger(__name__)
-DEFAULT_USER_ID = uuid4().hex  # default user_id for internal invocation
-SUPER_TENANT_ID = uuid4().hex
-SUPER_EXTENSION_ID = uuid4().hex
+# TODO: call functions to get these 2 variables
+ADMIN_ID = uuid4().hex  # default user_id for internal invocation
+ROOT_EXTENSION_ID = uuid4().hex
  
  
  _OPTS = [
@@ -104,35 +104,54 @@ def filter_input(func_or_str):
  
  def enforce(action_names, object_name, **extra):
      _action_name_list = action_names
+    _object_name = object_name
  
      def wrap(func):
          def wrapped(*args):
              # global actions
              self = args[0]
-            user_name = args[1]
-            intra_extension_id = args[2]
-            if intra_extension_id not in self.admin_api.get_intra_extensions(DEFAULT_USER_ID):
-                raise IntraExtensionUnknown()
-
-            tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+            user_id = args[1]
              intra_admin_extension_id = None
-            tenant_name = None
-            for tenant_id in tenants_dict:
-                if tenants_dict[tenant_id]['intra_authz_extension_id'] is intra_extension_id:
-                    intra_admin_extension_id = tenants_dict[tenant_id]['intra_admin_extension_id']
-                    tenant_name = tenants_dict[tenant_id]['name']
  
+            try:
+                intra_extension_id = args[2]
+            except:
+                intra_admin_extension_id = ROOT_EXTENSION_ID
+
+            intra_extensions_dict = self.admin_api.get_intra_extensions(ADMIN_ID)
+            if intra_extension_id not in intra_extensions_dict:
+                raise IntraExtensionUnknown()
+            tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
+            for _tenant_id in tenants_dict:
+                if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \
+                                tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id:
+                    intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
              if not intra_admin_extension_id:
-                args[0].moonlog_api.warning("No admin IntraExtension found, authorization granted by default.")
+                args[0].moonlog_api.warning("No Intra_Admin_Extension found, authorization granted by default.")
                  return func(*args)
              else:
-                authz_result = False
+                objects_dict = self.admin_api.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
+                object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name
+                object_id = None
+                for _object_id in objects_dict:
+                    if objects_dict[_object_id]['name'] is object_name:
+                        object_id = _object_id
+                        break
                  if type(_action_name_list) in (str, unicode):
                      action_name_list = (_action_name_list, )
                  else:
                      action_name_list = _action_name_list
-                for action_name in action_name_list:
-                    if self.authz_api.authz(tenant_name, user_name, object_name, action_name, 'admin'):
+                actions_dict = self.admin_api.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
+                action_id_list = list()
+                for _action_name in action_name_list:
+                    for _action_id in actions_dict:
+                        if actions_dict[_action_id]['name'] is _action_name:
+                            action_id_list.append(_action_id)
+                            break
+
+                authz_result = False
+                for action_id in action_id_list:
+                    if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id):
                          authz_result = True
                      else:
                          authz_result = False
@@ -143,42 +162,6 @@ def enforce(action_names, object_name, **extra):
      return wrap
  
  
-def super_enforce(action_names, object_name, **extra):
-    _action_name_list = action_names
-
-    def wrap(func):
-        def wrapped(*args):
-            # global actions
-            return func(*args)
-            # self = args[0]
-            # user_name = args[1]
-            # intra_extension_id = SUPER_EXTENSION_ID
-            # if intra_extension_id not in self.admin_api.get_intra_extensions_dict(DEFAULT_USER_ID):
-            #     raise IntraExtensionUnknown()
-            #
-            # super_tenant_id = SUPER_TENANT_ID
-            # super_tenant_dict = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, super_tenant_id)
-            #
-            # if not super_tenant_dict:
-            #     raise SuperExtensionUnknown()
-            # else:
-            #     authz_result = False
-            #     if type(_action_name_list) in (str, unicode):
-            #         action_name_list = (_action_name_list, )
-            #     else:
-            #         action_name_list = _action_name_list
-            #     for action_name in action_name_list:
-            #         if self.authz_api.authz(super_tenant_dict['name'], user_name, object_name, action_name, 'authz'):
-            #             authz_result = True
-            #         else:
-            #             authz_result = False
-            #             break
-            #     if authz_result:
-            #         return func(*args)
-        return wrapped
-    return wrap
-
-
  @dependency.provider('configuration_api')
  @dependency.requires('moonlog_api')
  class ConfigurationManager(manager.Manager):
@@ -186,7 +169,7 @@ class ConfigurationManager(manager.Manager):
      def __init__(self):
          super(ConfigurationManager, self).__init__(CONF.moon.configuration_driver)
  
-    @super_enforce("read", "templates")
+    @enforce("read", "templates")
      def get_policy_templates_dict(self, user_id):
          """
          Return a dictionary of all policy templates
@@ -194,7 +177,7 @@ class ConfigurationManager(manager.Manager):
          """
          return self.driver.get_policy_templates_dict()
  
-    @super_enforce("read", "templates")
+    @enforce("read", "templates")
      def get_policy_template_id_from_name(self, user_id, policy_template_name):
          policy_template_dict = self.driver.get_policy_templates_dict()
          for policy_template_id in policy_template_dict:
@@ -202,7 +185,7 @@ class ConfigurationManager(manager.Manager):
                  return policy_template_id
          return None
  
-    @super_enforce("read", "aggregation_algorithms")
+    @enforce("read", "aggregation_algorithms")
      def get_aggregation_algorithms_dict(self, user_id):
          """
          Return a dictionary of all aggregation algorithm
@@ -210,7 +193,7 @@ class ConfigurationManager(manager.Manager):
          """
          return self.driver.get_aggregation_algorithms_dict()
  
-    @super_enforce("read", "aggregation_algorithms")
+    @enforce("read", "aggregation_algorithms")
      def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name):
          aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict()
          for aggregation_algorithm_id in aggregation_algorithm_dict:
@@ -218,7 +201,7 @@ class ConfigurationManager(manager.Manager):
                  return aggregation_algorithm_id
          return None
  
-    @super_enforce("read", "sub_meta_rule_algorithms")
+    @enforce("read", "sub_meta_rule_algorithms")
      def get_sub_meta_rule_algorithms_dict(self, user_id):
          """
          Return a dictionary of sub_meta_rule algorithm
@@ -226,7 +209,7 @@ class ConfigurationManager(manager.Manager):
          """
          return self.driver.get_sub_meta_rule_algorithms_dict()
  
-    @super_enforce("read", "sub_meta_rule_algorithms")
+    @enforce("read", "sub_meta_rule_algorithms")
      def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name):
          sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict()
          for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict:
@@ -242,7 +225,7 @@ class TenantManager(manager.Manager):
      def __init__(self):
          super(TenantManager, self).__init__(CONF.moon.tenant_driver)
  
-    @super_enforce("read", "tenants")
+    @enforce("read", "tenants")
      def get_tenants_dict(self, user_id):
          """
          Return a dictionary with all tenants
@@ -259,31 +242,60 @@ class TenantManager(manager.Manager):
          """
          return self.driver.get_tenants_dict()
  
-    @super_enforce(("read", "write"), "tenants")
+    @enforce(("read", "write"), "tenants")
      def add_tenant_dict(self, user_id, tenant_dict):
          tenants_dict = self.driver.get_tenants_dict()
          for tenant_id in tenants_dict:
              if tenants_dict[tenant_id]['name'] is tenant_dict['name']:
                  raise TenantAddedNameExisting()
+
+        # Sync users between intra_authz_extension and intra_admin_extension
+        if tenant_dict['intra_admin_extension']:
+            if not tenant_dict['intra_authz_extension']:
+                raise TenantNoIntraAuthzExtension
+            else:
+                authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+                admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+                for _subject_id in authz_subjects_dict:
+                    if _subject_id not in admin_subjects_dict:
+                        self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+                for _subject_id in admin_subjects_dict:
+                    if _subject_id not in authz_subjects_dict:
+                        self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
          return self.driver.add_tenant_dict(uuid4().hex, tenant_dict)
  
-    @super_enforce("read", "tenants")
+    @enforce("read", "tenants")
      def get_tenant_dict(self, user_id, tenant_id):
          tenants_dict = self.driver.get_tenants_dict()
          if tenant_id not in tenants_dict:
              raise TenantUnknown()
          return tenants_dict[tenant_id]
  
-    @super_enforce(("read", "write"), "tenants")
+    @enforce(("read", "write"), "tenants")
      def del_tenant(self, user_id, tenant_id):
          if tenant_id not in self.driver.get_tenants_dict():
              raise TenantUnknown()
          self.driver.del_tenant(tenant_id)
  
-    @super_enforce(("read", "write"), "tenants")
+    @enforce(("read", "write"), "tenants")
      def set_tenant_dict(self, user_id, tenant_id, tenant_dict):
-        if tenant_id not in self.driver.get_tenants_dict():
+        tenants_dict = self.driver.get_tenants_dict()
+        if tenant_id not in tenants_dict:
              raise TenantUnknown()
+
+        # Sync users between intra_authz_extension and intra_admin_extension
+        if tenant_dict['intra_admin_extension']:
+            if not tenant_dict['intra_authz_extension']:
+                raise TenantNoIntraAuthzExtension
+            else:
+                authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
+                admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+                for _subject_id in authz_subjects_dict:
+                    if _subject_id not in admin_subjects_dict:
+                        self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+                for _subject_id in admin_subjects_dict:
+                    if _subject_id not in authz_subjects_dict:
+                        self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
          return self.driver.set_tenant_dict(tenant_id, tenant_dict)
  
  
@@ -291,7 +303,6 @@ class TenantManager(manager.Manager):
  class IntraExtensionManager(manager.Manager):
  
      def __init__(self):
-        self.__genre__ = None
          driver = CONF.moon.intraextension_driver
          super(IntraExtensionManager, self).__init__(driver)
  
@@ -335,9 +346,9 @@ class IntraExtensionManager(manager.Manager):
          for category in meta_data_dict["action_categories"]:
              action_assignment_dict[category] = self.driver.get_action_assignment_list(
                  intra_extension_id, action_id)[category]
-        authz_buffer['subject_attributes'] = dict()
-        authz_buffer['object_attributes'] = dict()
-        authz_buffer['action_attributes'] = dict()
+        authz_buffer['subject_assignments'] = dict()
+        authz_buffer['object_assignments'] = dict()
+        authz_buffer['action_assignments'] = dict()
          for _subject_category in meta_data_dict['subject_categories']:
              authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category]
          for _object_category in meta_data_dict['object_categories']:
@@ -385,7 +396,7 @@ class IntraExtensionManager(manager.Manager):
  
          return False
  
-    @super_enforce("read", "intra_extensions")
+    @enforce("read", "intra_extensions")
      def get_intra_extensions_dict(self, user_id):
          """
          :param user_id:
@@ -647,13 +658,13 @@ class IntraExtensionManager(manager.Manager):
                  rules[sub_rule_id].append(subrule)
              self.driver.set_rule_dict(intra_extension_dict["id"], sub_rule_id, uuid4().hex, rules)
  
-    @super_enforce(("read", "write"), "intra_extensions")
+    @enforce(("read", "write"), "intra_extensions")
      def load_intra_extension_dict(self, user_id, intra_extension_dict):
          ie_dict = dict()
-        # TODO: clean some values
          ie_dict['id'] = uuid4().hex
          ie_dict["name"] = filter_input(intra_extension_dict["name"])
-        ie_dict["model"] = filter_input(intra_extension_dict["policymodel"])
+        ie_dict["model"] = filter_input(intra_extension_dict["model"])
+        ie_dict["genre"] = filter_input(intra_extension_dict["genre"])
          ie_dict["description"] = filter_input(intra_extension_dict["description"])
          ref = self.driver.set_intra_extension_dict(ie_dict['id'], ie_dict)
          self.moonlog_api.debug("Creation of IE: {}".format(ref))
@@ -667,7 +678,7 @@ class IntraExtensionManager(manager.Manager):
          self.__load_rule_file(ie_dict, policy_dir)
          return ref
  
-    @super_enforce("read", "intra_extensions")
+    @enforce("read", "intra_extensions")
      def get_intra_extension_dict(self, user_id, intra_extension_id):
          """
          :param user_id:
@@ -677,13 +688,13 @@ class IntraExtensionManager(manager.Manager):
              raise IntraExtensionUnknown()
          return self.driver.get_intra_extensions_dict()[intra_extension_id]
  
-    @super_enforce(("read", "write"), "intra_extensions")
+    @enforce(("read", "write"), "intra_extensions")
      def del_intra_extension(self, user_id, intra_extension_id):
          if intra_extension_id not in self.driver.get_intra_extensions_dict():
              raise IntraExtensionUnknown()
          return self.driver.del_intra_extension(intra_extension_id)
  
-    @super_enforce(("read", "write"), "intra_extensions")
+    @enforce(("read", "write"), "intra_extensions")
      def set_intra_extension_dict(self, user_id, intra_extension_id, intra_extension_dict):
          if intra_extension_id not in self.driver.get_intra_extensions_dict():
              raise IntraExtensionUnknown()
@@ -1306,7 +1317,7 @@ class IntraExtensionManager(manager.Manager):
      @enforce(("read", "write"), "aggregation_algorithm")
      def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
          if aggregation_algorithm_id:
-            if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(DEFAULT_USER_ID):
+            if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ROOT_ID):
                  raise AggregationAlgorithmUnknown()
          else:
              aggregation_algorithm_id = uuid4().hex
@@ -1455,11 +1466,9 @@ class IntraExtensionManager(manager.Manager):
  
  
  @dependency.provider('authz_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
  class IntraExtensionAuthzManager(IntraExtensionManager):
  
      def __init__(self):
-        self.__genre__ = "authz"
          super(IntraExtensionAuthzManager, self).__init__()
  
      def authz(self, tenant_name, subject_name, object_name, action_name, genre="authz"):
@@ -1467,14 +1476,14 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
          """Check authorization for a particular action.
          :return: True or False or raise an exception
          """
-        tenants_dict = self.tenant_api.get_tenants_dict(DEFAULT_USER_ID)
+        tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
          tenant_id = None
          for _tenant_id in tenants_dict:
              if tenants_dict[_tenant_id] is tenant_name:
                  tenant_id = _tenant_id
                  break
  
-        intra_extension_id = self.tenant_api.get_tenant_dict(DEFAULT_USER_ID, tenant_id)[genre]
+        intra_extension_id = self.tenant_api.get_tenant_dict(ADMIN_ID, tenant_id)[genre]
          if not intra_extension_id:
              raise TenantNoIntraExtension()
  
@@ -1501,15 +1510,57 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
              raise ActionUnknown()
          return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
  
+    def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+        # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+        return
+
+    def del_subject(self, user_id, intra_extension_id, subject_id):
+        # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+        pass
+
+    def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+        # TODO: sync with intra_admin_extension subjects table, need double check in both authz and admin
+        return
+
+    # TODO: for other no heritaged functions, add raise AuthzException()
+
  
  @dependency.provider('admin_api')
-@dependency.requires('identity_api', 'tenant_api', 'moonlog_api')
  class IntraExtensionAdminManager(IntraExtensionManager):
  
      def __init__(self):
-        self.__genre__ = "admin"
          super(IntraExtensionAdminManager, self).__init__()
  
+    def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
+        # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+        return
+
+    def del_subject(self, user_id, intra_extension_id, subject_id):
+        # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+        pass
+
+    def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
+        # TODO: sync with intra_authz_extension subjects table, need double check in both authz and admin
+        return
+
+    def add_object_dict(self, user_id, intra_extension_id, object_name):
+        raise ObjectsWriteNoAuthorized()
+
+    def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict):
+        raise ObjectsWriteNoAuthorized()
+
+    def del_object(self, user_id, intra_extension_id, object_id):
+        raise ObjectsWriteNoAuthorized()
+
+    def add_action_dict(self, user_id, intra_extension_id, action_name):
+        raise ActionsWriteNoAuthorized()
+
+    def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict):
+        raise ActionsWriteNoAuthorized()
+
+    def del_action(self, user_id, intra_extension_id, action_id):
+        raise ActionsWriteNoAuthorized()
+
  
  @dependency.provider('moonlog_api')
  class LogManager(manager.Manager):
@@ -1741,10 +1792,6 @@ class IntraExtensionDriver(object):
      def get_intra_extensions_dict(self):
          raise exception.NotImplemented()  # pragma: no cover
  
-    # TODO: check with load
-    # def add_intra_extensions_dict(self):
-    #     raise exception.NotImplemented()  # pragma: no cover
-
      def del_intra_extension(self, intra_extension_id):
          raise exception.NotImplemented()  # pragma: no cover
  
@@ -1979,18 +2026,6 @@ class LogDriver(object):
          raise exception.NotImplemented()  # pragma: no cover
  
  
-# @dependency.provider('superextension_api')
-# class SuperExtensionManager(manager.Manager):
-#
-#     def __init__(self):
-#         driver = CONF.moon.superextension_driver
-#         super(SuperExtensionManager, self).__init__(driver)
-#
-#     def authz(self, sub, obj, act):
-#         #return self.driver.admin(sub, obj, act)
-#         return True
-
-
  # @dependency.provider('interextension_api')
  # @dependency.requires('identity_api')
  # class InterExtensionManager(manager.Manager):
@@ -2028,26 +2063,6 @@ class LogDriver(object):
  #         return ref
  #
  #
-# class SuperExtensionDriver(object):
-#
-#     def __init__(self):
-#         self.__super_extension = None
-#
-#     def admin(self, sub, obj, act):
-#         return self.__super_extension.authz(sub, obj, act)
-#
-#     def delegate(self, delegating_uuid, delegated_uuid, privilege):  # TODO later
-#         pass
-#
-#     # Getter and Setter for SuperExtensions
-#
-#     def get_super_extensions(self):
-#         raise exception.NotImplemented()  # pragma: no cover
-#
-#     def create_super_extensions(self, super_id, super_extension):
-#         raise exception.NotImplemented()  # pragma: no cover
-#
-#
  # class InterExtensionDriver(object):
  #
  #     # Getter and Setter for InterExtensions
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py

index 37116d6..d2e6703 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -69,6 +69,12 @@ class TenantNoIntraExtension(TenantException):
      logger = "ERROR"
  
  
+class TenantNoIntraAuthzExtension(TenantNoIntraExtension):
+    message_format = _("The tenant has not intra_admin_extension.")
+    code = 400
+    title = 'Tenant No Intra_Admin_Extension'
+    logger = "ERROR"
+
  # Exceptions for IntraExtension
  
  
@@ -230,6 +236,20 @@ class ActionNameExisting(AdminPerimeter):
      logger = "ERROR"
  
  
+class ObjectsWriteNoAuthorized(AdminPerimeter):
+    message_format = _("The modification on Objects is not authorized.")
+    code = 400
+    title = 'Objects Write No Authorized'
+    logger = "AUTHZ"
+
+
+class ActionsWriteNoAuthorized(AdminPerimeter):
+    message_format = _("The modification on Actions is not authorized.")
+    code = 400
+    title = 'Actions Write No Authorized'
+    logger = "AUTHZ"
+
+
  class SubjectScopeUnknown(AdminScope):
      message_format = _("The given subject scope is unknown.")
      code = 400
diff --git a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py

index a49ca20..352b69a 100644 (file)
--- a/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
+++ b/keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py
@@ -12,156 +12,183 @@ def upgrade(migrate_engine):
      meta.bind = migrate_engine
  
      intra_extension_table = sql.Table(
-        'intra_extension',
+        'intra_extensions',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('name', sql.String(64), nullable=False),
-        sql.Column('model', sql.String(64), nullable=True),
-        sql.Column('description', sql.Text(), nullable=True),
+        sql.Column('intra_extension', k_sql.JsonBlob(), nullable=True),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
      intra_extension_table.create(migrate_engine, checkfirst=True)
  
-    subjects_table = sql.Table(
-        'subject',
+    tenant_table = sql.Table(
+        'tenants',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('subjects', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('tenant', k_sql.JsonBlob(), nullable=True),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    subjects_table.create(migrate_engine, checkfirst=True)
+    tenant_table.create(migrate_engine, checkfirst=True)
  
-    objects_table = sql.Table(
-        'object',
+    subject_categories_table = sql.Table(
+        'subject_categories',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('objects', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('subject_category', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    objects_table.create(migrate_engine, checkfirst=True)
+    subject_categories_table.create(migrate_engine, checkfirst=True)
  
-    actions_table = sql.Table(
-        'action',
+    object_categories_table = sql.Table(
+        'object_categories',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('actions', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('object_category', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    actions_table.create(migrate_engine, checkfirst=True)
+    object_categories_table.create(migrate_engine, checkfirst=True)
  
-    subject_categories_table = sql.Table(
-        'subject_category',
+    action_categories_table = sql.Table(
+        'action_categories',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('subject_categories', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('action_category', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    subject_categories_table.create(migrate_engine, checkfirst=True)
+    action_categories_table.create(migrate_engine, checkfirst=True)
  
-    object_categories_table = sql.Table(
-        'object_category',
+    subjects_table = sql.Table(
+        'subjects',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('object_categories', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('subject', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    object_categories_table.create(migrate_engine, checkfirst=True)
+    subjects_table.create(migrate_engine, checkfirst=True)
  
-    action_categories_table = sql.Table(
-        'action_category',
+    objects_table = sql.Table(
+        'objects',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('action_categories', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('object', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    action_categories_table.create(migrate_engine, checkfirst=True)
+    objects_table.create(migrate_engine, checkfirst=True)
  
-    subject_category_values_table = sql.Table(
-        'subject_category_scope',
+    actions_table = sql.Table(
+        'actions',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('subject_category_scope', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('action', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    subject_category_values_table.create(migrate_engine, checkfirst=True)
+    actions_table.create(migrate_engine, checkfirst=True)
  
-    object_category_values_table = sql.Table(
-        'object_category_scope',
+    subject_scopes_table = sql.Table(
+        'subject_scopes',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('object_category_scope', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('subject_scope', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    object_category_values_table.create(migrate_engine, checkfirst=True)
+    subject_scopes_table.create(migrate_engine, checkfirst=True)
  
-    action_category_values_table = sql.Table(
-        'action_category_scope',
+    object_scopes_table = sql.Table(
+        'object_scopes',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('action_category_scope', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('object_scope', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    action_category_values_table.create(migrate_engine, checkfirst=True)
+    object_scopes_table.create(migrate_engine, checkfirst=True)
  
-    subject_category_assignments_table = sql.Table(
-        'subject_category_assignment',
+    action_scopes_table = sql.Table(
+        'action_category_scopes',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('subject_category_assignments', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('action_scope', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    subject_category_assignments_table.create(migrate_engine, checkfirst=True)
+    action_scopes_table.create(migrate_engine, checkfirst=True)
  
-    object_category_assignments_table = sql.Table(
-        'object_category_assignment',
+    subject_assignments_table = sql.Table(
+        'subject_assignments',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('object_category_assignments', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('subject_category_assignment', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('subject_id', sql.ForeignKey("subjects.id"), nullable=False),
+        sql.Column('subject_category_id', sql.ForeignKey("subject_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    object_category_assignments_table.create(migrate_engine, checkfirst=True)
+    subject_assignments_table.create(migrate_engine, checkfirst=True)
  
-    action_category_assignments_table = sql.Table(
-        'action_category_assignment',
+    object_assignments_table = sql.Table(
+        'object_assignments',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('action_category_assignments', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('object_assignments', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('object_id', sql.ForeignKey("objects.id"), nullable=False),
+        sql.Column('object_category_id', sql.ForeignKey("object_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    action_category_assignments_table.create(migrate_engine, checkfirst=True)
+    object_assignments_table.create(migrate_engine, checkfirst=True)
  
-    meta_rule_table = sql.Table(
-        'metarule',
+    action_assignments_table = sql.Table(
+        'action_assignments',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('sub_meta_rules', k_sql.JsonBlob(), nullable=True),
-        sql.Column('aggregation', sql.Text(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('action_assignment', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        sql.Column('action_id', sql.ForeignKey("actions.id"), nullable=False),
+        sql.Column('action_category_id', sql.ForeignKey("action_categories.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    meta_rule_table.create(migrate_engine, checkfirst=True)
+    action_assignments_table.create(migrate_engine, checkfirst=True)
  
-    rule_table = sql.Table(
-        'rule',
+    aggregation_algorithm_table = sql.Table(
+        'aggregation_algorithm',
          meta,
          sql.Column('id', sql.String(64), primary_key=True),
-        sql.Column('rules', k_sql.JsonBlob(), nullable=True),
-        sql.Column('intra_extension_uuid', sql.ForeignKey("intra_extension.id"), nullable=False),
+        sql.Column('aggregation_algorithm', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
          mysql_engine='InnoDB',
          mysql_charset='utf8')
-    rule_table.create(migrate_engine, checkfirst=True)
+    aggregation_algorithm_table.create(migrate_engine, checkfirst=True)
+
+    sub_meta_rules_table = sql.Table(
+        'sub_meta_rules',
+        meta,
+        sql.Column('id', sql.String(64), primary_key=True),
+        sql.Column('sub_meta_rule', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        mysql_engine='InnoDB',
+        mysql_charset='utf8')
+    sub_meta_rules_table.create(migrate_engine, checkfirst=True)
+
+    rules_table = sql.Table(
+        'rules',
+        meta,
+        sql.Column('id', sql.String(64), primary_key=True),
+        sql.Column('rule', k_sql.JsonBlob(), nullable=True),
+        sql.Column('intra_extension_id', sql.ForeignKey("intra_extensions.id"), nullable=False),
+        mysql_engine='InnoDB',
+        mysql_charset='utf8')
+    rules_table.create(migrate_engine, checkfirst=True)
+
+    # TODO: load root_extension
  
  
  def downgrade(migrate_engine):
@@ -169,21 +196,22 @@ def downgrade(migrate_engine):
      meta.bind = migrate_engine
  
      for _table in (
-        'subject',
-        'object',
-        'action',
-        'subject_category',
-        'object_category',
-        'action_category',
-        'subject_category_scope',
-        'object_category_scope',
-        'action_category_scope',
-        'subject_category_assignment',
-        'object_category_assignment',
-        'action_category_assignment',
-        'metarule',
-        'rule',
-        'intra_extension',
+        'rules',
+        'sub_meta_rules',
+        'action_category_assignments',
+        'object_category_assignments',
+        'subject_category_assignments',
+        'action_category_scopes',
+        'object_category_scopes',
+        'subject_category_scopes',
+        'actions',
+        'objects',
+        'subjects',
+        'action_categories',
+        'object_categories',
+        'subject_categories',
+        'tenants',
+        'intra_extensions'
      ):
          try:
              table = sql.Table(_table, meta, autoload=True)
author	WuKong <rebirthmonkey@gmail.com>
	Wed, 22 Jul 2015 13:36:11 +0000 (15:36 +0200)
committer	WuKong <rebirthmonkey@gmail.com>
	Wed, 22 Jul 2015 13:39:44 +0000 (15:39 +0200)
keystone-moon/examples/moon/policies/policy_admin/assignment.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_admin/metadata.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_admin/metarule.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_admin/perimeter.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_admin/rule.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_admin/scope.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_authz/assignment.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_authz/metadata.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_authz/metarule.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_authz/scope.json		patch \| blob \| history
keystone-moon/examples/moon/policies/policy_root/assignment.json	[new file with mode: 0644]	patch \| blob
keystone-moon/examples/moon/policies/policy_root/metadata.json	[moved from keystone-moon/examples/moon/policies/policy_super/metadata.json with 68% similarity]	patch \| blob \| history
keystone-moon/examples/moon/policies/policy_root/metarule.json	[moved from keystone-moon/examples/moon/policies/policy_super/metarule.json with 100% similarity]	patch \| blob \| history
keystone-moon/examples/moon/policies/policy_root/perimeter.json	[new file with mode: 0644]	patch \| blob
keystone-moon/examples/moon/policies/policy_root/rule.json	[new file with mode: 0644]	patch \| blob
keystone-moon/examples/moon/policies/policy_root/scope.json	[new file with mode: 0644]	patch \| blob
keystone-moon/examples/moon/policies/policy_super/assignment.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/policies/policy_super/perimeter.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/policies/policy_super/rule.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/policies/policy_super/scope.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/super_extension/policy/assignment.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/super_extension/policy/configuration.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/super_extension/policy/metadata.json	[deleted file]	patch \| blob \| history
keystone-moon/examples/moon/super_extension/policy/perimeter.json	[deleted file]	patch \| blob \| history
keystone-moon/keystone/contrib/moon/backends/__init__.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/backends/memory.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/backends/sql.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/controllers.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/core.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/exception.py		patch \| blob \| history
keystone-moon/keystone/contrib/moon/migrate_repo/versions/001_moon.py		patch \| blob \| history