From 9203c09d4f3cb70903a0ee3146d51fb5180534d5 Mon Sep 17 00:00:00 2001
From: Eric Kao
Date: Thu, 20 Jul 2017 22:19:41 -0700
Subject: [PATCH] Add cross project network policy
Partial-Bug: 1669948
Change-Id: I5938bde60cd35d6f261e88175e01be3ded0ab99f
---
 library/cross-project-network.yaml | 86 ++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)
 create mode 100644 library/cross-project-network.yaml
diff --git a/library/cross-project-network.yaml b/library/cross-project-network.yaml
new file mode 100644
index 000000000..d51bd8863
--- /dev/null
+++ b/library/cross-project-network.yaml
@@ -0,0 +1,86 @@
+---
+name: CrossProjectNetwork
+description: >
+ Identify cross-project network connections unless the projects are defined as
+ being in the same group allowing for inter-connectivity.
+rules:
+ -
+ comment: >
+ The following rules define by name which projects belong in the same
+ group, where network inter-connectivity is expected. The use of name to
+ specify projects works under the assumption of having a single keystone
+ domain in which project names are unique. If names are unsuitable for
+ your use case, the policy can be customized to use specify
+ inter-connectivity groups by ID directly in the project_groups_by_id
+ table.
+
+ User should customize this. project_groups_by_name(group_id, project_name).
+ rule: >
+ project_groups_by_name(1, 'admin')
+ -
+ comment: >
+ User should customize this. project_groups_by_name(group_id, project_name).
+ rule: >
+ project_groups_by_name(1, 'service')
+ -
+ comment: >
+ User should customize this. project_groups_by_name(group_id, project_name).
+ rule: >
+ project_groups_by_name(2, 'demo')
+ -
+ comment: >
+ User should customize this. project_groups_by_name(group_id, project_name).
+ rule: >
+ project_groups_by_name(2, 'alt_demo')
+ -
+ comment: >
+ Translates the project_groups_by_name defined above to
+ project_groups_by_id. If desired, this rule can be replaced by explicit
+ definition of the project_groups_by_id table.
+ rule: >
+ project_groups_by_id(group_id, project_id) :-
+ project_groups_by_name(group_id, project_name),
+ keystonev3:projects(name=project_name, id=project_id)
+ -
+ comment: "Define that projects belong to same group of expected inter-connectivity."
+ rule: >
+ same_group(project_a, project_b) :-
+ project_groups_by_id(id=group_id, project_id=project_a),
+ project_groups_by_id(id=group_id, project_id=project_b)
+ -
+ comment: >
+ Identify servers associated to a port belonging to a different project
+ not in the same group.
+ rule: >
+ unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name) :-
+ neutronv2:ports(id=port_id, tenant_id=port_project_id, network_id=network_id, device_id=server_id),
+ nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
+ not same_group(port_project_id, server_project_id)
+ -
+ comment: >
+ Identify servers connected to a network belonging to a different project
+ not in the same group.
+ rule: >
+ unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name) :-
+ neutronv2:ports(id=port_id, network_id=network_id, device_id=server_id),
+ nova:servers(id=server_id, name=server_name, tenant_id=server_project_id),
+ neutronv2:networks(id=network_id, tenant_id=network_project_id),
+ not same_group(server_project_id, network_project_id)
+ -
+ comment: >
+ Warn on servers associated to a port belonging to a different project
+ not in the same group.
+ rule: >
+ warning(server_project_name, server_project_id, port_project_name, port_project_id, server_name, server_id) :-
+ unexpected_server_to_port(server_project_id, port_project_id, server_id, server_name),
+ keystonev3:projects(name=server_project_name, id=server_project_id),
+ keystonev3:projects(name=port_project_id, id=port_project_name)
+ -
+ comment: >
+ Error on servers connected to a network belonging to a different project
+ not in the same group.
+ rule: >
+ error(server_project_name, server_project_id, network_project_name, network_project_id, server_name, server_id) :-
+ unexpected_server_to_network(server_project_id, network_project_id, server_id, server_name),
+ keystonev3:projects(name=server_project_name, id=server_project_id),
+ keystonev3:projects(name=network_project_name, id=network_project_id)
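Review bot: The warning rule's last literal, `keystonev3:projects(name=port_project_id, id=port_project_name)`, has the `name` and `id` columns swapped, so the join looks up the port's project id in the name column and (unless a project is literally named by its own id) matches nothing — the port-level cross-project check silently produces no warnings, which for a security policy is the worse failure direction. It should read `keystonev3:projects(name=port_project_name, id=port_project_id)`, mirroring the error rule's `keystonev3:projects(name=network_project_name, id=network_project_id)`. Two further points I would confirm against Congress's column-name handling: `same_group` references `project_groups_by_id(id=group_id, ...)` while the rule head declares that column as `group_id`, and `same_group` is not reflexive, so a server attached to a port in its own project is still reported whenever that project is not listed in any group (a guard such as `not equal(port_project_id, server_project_id)` or a reflexive `same_group` fact would suppress that). The name-based `project_groups_by_name` table is also fail-open on name collisions across Keystone domains, as the comment already notes; an ID-based table is the safer default for production deployments.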