add a new example of policy for release 2 of moon 85/985/1
authorWuKong <rebirthmonkey@gmail.com>
Wed, 8 Jul 2015 16:29:07 +0000 (18:29 +0200)
committerWuKong <rebirthmonkey@gmail.com>
Wed, 8 Jul 2015 16:29:07 +0000 (18:29 +0200)
Change-Id: I6c64ddecb6c7ed3f3947b9582e40e945ec76ed21
Signed-off-by: WuKong <rebirthmonkey@gmail.com>
keystone-moon/examples/moon/policies/policy_r2/assignment.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_r2/metadata.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_r2/metarule.json [new file with mode: 0644]
keystone-moon/examples/moon/policies/policy_r2/rule.json [new file with mode: 0644]

diff --git a/keystone-moon/examples/moon/policies/policy_r2/assignment.json b/keystone-moon/examples/moon/policies/policy_r2/assignment.json
new file mode 100644 (file)
index 0000000..f907de5
--- /dev/null
@@ -0,0 +1,70 @@
+{
+    "subject_assignments": {
+        "subject_security_level":{
+                       "user1": ["high"],
+                       "user2": ["medium"],
+                       "user3": ["low"]
+        },
+               "domain":{
+                       "user1": ["ft"],
+                       "user2": ["ft"],
+                       "user3": ["xxx"]
+        },
+               "role": {
+                       "user1": ["admin"],
+                       "user2": ["dev"],
+                       "user3": ["admin", "dev"]
+               }
+    },
+
+    "action_assignments": {
+        "resource_action":{
+                       "pause": ["vm_admin"],
+                       "unpause": ["vm_admin"],
+                       "start": ["vm_admin"],
+                       "stop": ["vm_admin"],
+                       "list": ["vm_access", "vm_admin"],
+                       "create": ["vm_admin"]
+                       "storage_list": ["storage_access"],
+                       "download": ["storage_access"],
+                       "post": ["storage_admin"]
+                       "upload": ["storage_admin"]
+        },
+               "access": {
+                       "pause": ["write"],
+                       "unpause": ["write"],
+                       "start": ["write"],
+                       "stop": ["write"],
+                       "list": ["read"],
+                       "create": ["write"]
+                       "storage_list": ["read"],
+                       "download": ["read"],
+                       "post": ["write"]
+                       "upload": ["write"]
+               }
+    },
+
+    "object_assignments": {
+        "object_security_level": {
+            "servers": ["low"],
+                       "vm1": ["low"],
+                       "vm2": ["medium"],
+                       "file1": ["low"],
+                       "file2": ["medium"]
+        },
+               "type": {
+                       "servers": ["computing"],
+                       "vm1": ["computing"],
+                       "vm2": ["computing"],
+                       "file1": ["storage"],
+                       "file2": ["storage"]
+               },
+               "id": {
+                       "servers": ["servers"],
+                       "vm1": ["vm1"],
+                       "vm2": ["vm2"],
+                       "file1": ["file1"],
+                       "file2": ["file2"]
+               }
+    }
+}
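Review bot: assignment.json is not valid JSON: in both the `resource_action` and `access` maps the `create` entry and the `post` entry have no comma before the following key (`"create": ["vm_admin"]` is followed directly by `"storage_list"`, `"post": ["storage_admin"]` by `"upload"`, and likewise `"create": ["write"]` / `"post": ["write"]`), so a strict RFC 8259 parser such as Python's `json.load` rejects the whole file and the example policy cannot be loaded. The fix is the trailing comma on those four lines, e.g. `"create": ["vm_admin"],` and `"post": ["storage_admin"],`. For an authorization policy it is worth running all four files through `python -m json.tool` before committing, since the only way this file loads today is via a lenient parser, and a policy that one loader accepts and another rejects is exactly the kind of parser differential an authz engine should not depend on.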
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metadata.json b/keystone-moon/examples/moon/policies/policy_r2/metadata.json
new file mode 100644 (file)
index 0000000..4a5a5a1
--- /dev/null
@@ -0,0 +1,23 @@
+{
+    "name": "MLS_metadata",
+    "model": "MLS",
+    "genre": "authz",
+    "description": "Multi Layer Security authorization policy",
+
+    "subject_categories": [
+        "subject_security_level",
+               "domain",
+               "role"
+    ],
+
+    "action_categories": [
+        "resource_action",
+        "access"
+    ],
+
+    "object_categories": [
+        "object_security_level",
+               "type",
+               "id"
+    ]
+}
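Review bot: The `description` says `Multi Layer Security`, but the `model` is `MLS` and the categories declared here (`subject_security_level`, `object_security_level`) are level-based, which matches the conventional expansion Multi-Level Security; suggest `"description": "Multi-Level Security authorization policy"`. If "Multi Layer" is deliberate project terminology, a line in the example's README explaining the term would avoid confusion, since strict JSON cannot carry a comment.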
diff --git a/keystone-moon/examples/moon/policies/policy_r2/metarule.json b/keystone-moon/examples/moon/policies/policy_r2/metarule.json
new file mode 100644 (file)
index 0000000..df683ca
--- /dev/null
@@ -0,0 +1,24 @@
+{
+    "sub_meta_rules": {
+               "mls_rule": {
+                       "subject_categories": ["subject_security_level"],
+                       "action_categories": ["resource_action"],
+                       "object_categories": ["object_security_level"],
+                       "algorithm": "inclusion"
+               },
+               "dte_rule": {
+                       "subject_categories": ["domain"],
+                       "action_categories": ["access"],
+                       "object_categories": ["type"],
+                       "algorithm": "inclusion"
+               },
+               "rbac_rule": {
+                       "subject_categories": ["role", "domain"],
+                       "action_categories": ["access"],
+                       "object_categories": ["id"],
+                       "algorithm": "inclusion"
+               }
+       },
+       "aggregation": "all_true"
+}
+
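Review bot: With `"aggregation": "all_true"` a request must satisfy `mls_rule` as well as `dte_rule` and `rbac_rule`, and `mls_rule` is the only sub-meta-rule that consumes the `resource_action` category. In this commit's rule.json the `mls_rule` tuples cover only `vm_admin` and `vm_access`, while assignment.json maps `storage_list`, `download`, `post` and `upload` to `storage_access`/`storage_admin`; if `inclusion` denies a request whose category values match no tuple (my reading — worth confirming against the engine), no subject can ever perform a storage action in this example even though `dte_rule` and `rbac_rule` explicitly grant `read`/`write` on `storage` objects. Either add `mls_rule` tuples for the storage actions (e.g. `["high", "storage_admin", "low"]`, `["low", "storage_access", "low"]`) or state in the example documentation that storage actions are intentionally unreachable, so the deny is not mistaken for an engine bug.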
diff --git a/keystone-moon/examples/moon/policies/policy_r2/rule.json b/keystone-moon/examples/moon/policies/policy_r2/rule.json
new file mode 100644 (file)
index 0000000..348f6d6
--- /dev/null
@@ -0,0 +1,41 @@
+{
+       "mls_rule":[
+               ["high", "vm_admin", "medium"],
+               ["high", "vm_admin", "low"],
+               ["medium", "vm_admin", "low"],
+               ["high", "vm_access", "high"],
+               ["high", "vm_access", "medium"],
+               ["high", "vm_access", "low"],
+               ["medium", "vm_access", "medium"],
+               ["medium", "vm_access", "low"],
+               ["low", "vm_access", "low"]
+       ],
+       "dte_rule":[
+               ["ft", "read", "computing"],
+               ["ft", "write", "computing"],
+               ["ft", "read", "storage"],
+               ["ft", "write", "storage"],
+               ["xxx", "read", "storage"]
+       ],
+       "rbac_rule":[
+               [dev", "xxx", "read", "servers"],
+               ["dev", "xxx", "read", "vm1"],
+               ["dev", "xxx", "read", "vm2"],
+               ["dev", "xxx", "read", "file1"],
+               ["dev", "xxx", "read", "file2"],
+               ["dev", "xxx", "write", "vm1"],
+               ["dev", "xxx", "write", "vm2"],
+               ["dev", "xxx", "write", "file1"],
+               ["dev", "xxx", "write", "file2"],
+               ["admin", "xxx", "read", "servers"],
+               ["admin", "ft", "read", "servers"],
+               ["admin", "ft", "read", "vm1"],
+               ["admin", "ft", "read", "vm2"],
+               ["admin", "ft", "read", "file1"],
+               ["admin", "ft", "read", "file2"],
+               ["admin", "ft", "write", "vm1"],
+               ["admin", "ft", "write", "vm2"],
+               ["admin", "ft", "write", "file1"],
+               ["admin", "ft", "write", "file2"]
+       ],
+}
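Review bot: rule.json does not parse as JSON: the first `rbac_rule` tuple `[dev", "xxx", "read", "servers"]` is missing the opening quote on `dev`, and the `],` closing the `rbac_rule` array leaves a trailing comma before the final `}`. Both are rejected by RFC 8259 parsers, so the whole example policy fails to load; the fixes are `["dev", "xxx", "read", "servers"],` and a bare `]` (no comma) on the last array. Separately, `mls_rule` has no `["high", "vm_admin", "high"]` or `["medium", "vm_admin", "medium"]` tuple, so under `inclusion` a subject can administer only VMs strictly below its own level; if that is intentional it is unusual enough for an MLS example to deserve a sentence in the example documentation, and if not, the two tuples should be added.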