openstack
/
congress
Code Issues Proposed changes

Add cross project network policy 

Partial-Bug: 1669948

Change-Id: I5938bde60cd35d6f261e88175e01be3ded0ab99f
This commit is contained in:
Eric Kao 2017-07-20 22:19:41 -07:00
parent 596a42e317
commit 9203c09d4f
1 changed files with 86 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
library/cross-project-network.yaml Normal file
View File

@ -0,0 +1,86 @@
---
name: CrossProjectNetwork
description: >
Identify cross-project network connections unless the projects are defined as
being in the same group allowing for inter-connectivity.
rules:
-
comment: >
The following rules define by name which projects belong in the same
group, where network inter-connectivity is expected. The use of name to
specify projects works under the assumption of having a single keystone
domain in which project names are unique. If names are unsuitable for
your use case, the policy can be customized to use specify
inter-connectivity groups by ID directly in the project_groups_by_id
table.
User should customize this. project_groups_by_name(group_id, project_name).
rule: >
project_groups_by_name(1, 'admin')
-
comment: >
User should customize this. project_groups_by_name(group_id, project_name).
rule: >
project_groups_by_name(1, 'service')
-
comment: >
User should customize this. project_groups_by_name(group_id, project_name).
rule: >
project_groups_by_name(2, 'demo')
-
comment: >
User should customize this. project_groups_by_name(group_id, project_name).
rule: >
project_groups_by_name(2, 'alt_demo')
-
comment: >
Translates the project_groups_by_name defined above to
project_groups_by_id. If desired, this rule can be replaced by explicit
definition of the project_groups_by_id table.
rule: >
project_groups_by_id(group_id, project_id) :-
project_groups_by_name(group_id, project_name),
keystonev3:projects(name=project_name, id=project_id)
-
comment: "Define that projects belong to same group of expected inter-connectivity."
rule: >
same_group(project_a, project_b) :-
project_groups_by_id(id=group_id, project_id=project_a),
project_groups_by_id(id=group_id, project_id=project_b)
-
comment: >
Identify servers associated to a port belonging to a different project
not in the same group.
rule: >
unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name) :-
neutronv2:ports(id=port_id, tenant_id=port_project_id, network_id=network_id, device_id=server_id),
nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
not same_group(port_project_id, server_project_id)
-
comment: >
Identify servers connected to a network belonging to a different project
not in the same group.
rule: >
unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name) :-
neutronv2:ports(id=port_id, network_id=network_id, device_id=server_id),
nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
neutronv2:networks(id=network_id, tenant_id=network_project_id),
not same_group(server_project_id, network_project_id)
-
comment: >
Warn on servers associated to a port belonging to a different project
not in the same group.
rule: >
warning(server_project_name, server_project_id, port_project_name, port_project_id, server_name, server_id) :-
unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name),
keystonev3:projects(name=server_project_name, id=server_project_id),
keystonev3:projects(name=port_project_id, id=port_project_name)
-
comment: >
Error on servers connected to a network belonging to a different project
not in the same group.
rule: >
error(server_project_name, server_project_id, network_project_name, network_project_id, server_name, server_id) :-
unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name),
keystonev3:projects(name=server_project_name, id=server_project_id),
keystonev3:projects(name=network_project_name, id=network_project_id)