From 7c5a247eca888a693900bf46c43a3c58cb69c36a Mon Sep 17 00:00:00 2001 From: Ilya Baldin Date: Mon, 19 Dec 2022 17:52:17 -0500 Subject: [PATCH 1/2] Removed Net.Peering tag, replaced it with Net.FABNetv4Ext and Net.FABNetv6Ext and corresponding policy rules. --- .../orchestrator-project-tags.alfa | 16 +- .../alfa/Requests/orchestrator-request.json | 4 +- policies/alfa/fabric-attributes.alfa | 10 +- src-gen/fabricTags.OrchestratorTags.xml | 2 +- test/test-harness.py | 158 +++++++++++++++++- 5 files changed, 179 insertions(+), 11 deletions(-) diff --git a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa index 9e6b9e3..7cd4100 100644 --- a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa +++ b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa @@ -146,12 +146,22 @@ namespace fabricTags { // precise deny permit otherwise apply permitUnlessDeny - rule withPeering { + rule withFABNetv4Ext { deny - condition stringBagSize(Attributes.resourcePeerSite) > 0 && not(Attributes.projectTag == "Net.Peering") + condition stringBagSize(Attributes.resourceFABNetv4ExtSite) > 0 && not(Attributes.projectTag == "Net.FABNetv4Ext") on deny { advice reasonToDeny { - Attributes.message = "Policy Violation: Your project is lacking Net.Peering tag to request a slice with peering." + Attributes.message = "Policy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity." + } + } + } + + rule withFABNetv6Ext { + deny + condition stringBagSize(Attributes.resourceFABNetv6ExtSite) > 0 && not(Attributes.projectTag == "Net.FABNetv6Ext") + on deny { + advice reasonToDeny { + Attributes.message = "Policy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity." } } } 
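Review bot: Both new rules fail open on an attribute-name mismatch: the policy set applies `permitUnlessDeny`, and each deny fires only when `Attributes.resourceFABNetv4ExtSite` / `Attributes.resourceFABNetv6ExtSite` is a non-empty bag, so a PEP that still emits the retired `resource-peersite` id, or that does not yet emit the `resource-fabnetv4-ext-site` / `resource-fabnetv6-ext-site` ids this patch declares in fabric-attributes.alfa, would get external IPv4/IPv6 connectivity permitted for any project without a single deny. The harness tests added in the same patch do exercise the Deny path, but only against whichever version of the attribute collector is installed, so the coupling deserves a comment on each rule, e.g. `// fail-open under permitUnlessDeny: the PEP must populate resource-fabnetv4-ext-site for every FABNetv4Ext service (see fabric-attributes.alfa)`. Projects currently holding `Net.Peering` lose external-connectivity access until they are re-tagged, which the commit title implies but nothing in the policy records; a one-line `// Net.Peering retired, no alias kept` next to the rules would help operators reading the deny messages. The enclosing policy header starts outside the hunk.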
diff --git a/policies/alfa/Requests/orchestrator-request.json b/policies/alfa/Requests/orchestrator-request.json index 2583c50..4d89d23 100644 --- a/policies/alfa/Requests/orchestrator-request.json +++ b/policies/alfa/Requests/orchestrator-request.json @@ -43,7 +43,7 @@ "IncludeInResult":false, "AttributeId": "urn:fabric:xacml:attribute:resource-facility-port", "DataType":"http://www.w3.org/2001/XMLSchema#string", - "Value": ["RENC", "UKY"] + "Value": ["UKY", "RENC"] }, { "IncludeInResult":false, @@ -113,7 +113,7 @@ "IncludeInResult":false, "AttributeId":"urn:fabric:xacml:attributes:project-tag", "DataType":"http://www.w3.org/2001/XMLSchema#string", - "Value":["Component.FPGA", "Component.GPU", "VM.NoLimitDisk", "Slice.Multisite", "Net.Peering", "Net.NoLimitBW", "Net.StitchPort.UKY", "Net.StitchPort.RENC", "Slice.Measurements", "VM.NoLimitDisk"] + "Value":["Component.FPGA", "Component.GPU", "VM.NoLimitDisk", "Slice.Multisite", "Net.Peering", "Net.NoLimitBW", "Net.FacilityPort.UKY", "Net.FacilityPort.RENC", "Slice.Measurements", "VM.NoLimitDisk"] } ] } diff --git a/policies/alfa/fabric-attributes.alfa b/policies/alfa/fabric-attributes.alfa index e834938..6658c65 100644 --- a/policies/alfa/fabric-attributes.alfa +++ b/policies/alfa/fabric-attributes.alfa @@ -55,8 +55,14 @@ namespace Attributes { category = resourceCat } - attribute resourcePeerSite { - id = "urn:fabric:xacml:attribute:resource-peersite" + attribute resourceFABNetv4ExtSite { + id = "urn:fabric:xacml:attribute:resource-fabnetv4-ext-site" + type = string + category = resourceCat + } + + attribute resourceFABNetv6ExtSite { + id = "urn:fabric:xacml:attribute:resource-fabnetv6-ext-site" type = string category = resourceCat } diff --git a/src-gen/fabricTags.OrchestratorTags.xml b/src-gen/fabricTags.OrchestratorTags.xml index e9344b4..11d4cde 100644 --- a/src-gen/fabricTags.OrchestratorTags.xml +++ b/src-gen/fabricTags.OrchestratorTags.xml 
@@ -1 +1 @@ -http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.PeeringPolicy Violation: Your project is lacking Net.Peering tag to request a slice with peering.0Net.PortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 
10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a slice with facility ports.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file +http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. 
This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.PortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a slice with facility 
ports.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file diff --git a/test/test-harness.py b/test/test-harness.py index 6df11c0..2d76978 100644 --- a/test/test-harness.py +++ b/test/test-harness.py 
@@ -22,7 +22,7 @@ NOPDP = 'pdp-no.xml' # make sure the CLI executable and appropriate Java version are available -AUTHZFORCECLI = '../authzforce/authzforce-ce-core-pdp-cli-17.1.2.jar' +AUTHZFORCECLI = '../authzforce/authzforce-ce-core-pdp-cli-20.1.0.jar' PERMIT_REQUESTS = [ '../policies/alfa/Requests/orchestrator-request-simplest.json', '../policies/alfa/Requests/orchestrator-request-simple.json', @@ -35,8 +35,8 @@ def makePDPFile(policyFile, policyID, pdpFile): pdp_file = """ + xmlns="http://authzforce.github.io/core/xmlns/pdp/8" + version="8.0"> 
@@ -437,3 +437,155 @@ def testModifyFail1(self) -> None: print(f"ModifyFail1: {authz.transform_to_pdp_request()}") self.runOnStringRequest(authz.transform_to_pdp_request(), NOPDP, 'Deny', printResponse=True) + + def testFABNetv4ExtOK(self) -> None: + + """ + Test that adding FABNetv4 with proper tag works + """ + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', nstype=fu.ServiceType.FABNetv4Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv4Ext, + interfaces=[c4.interface_list[0]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ + 'VM.NoLimit', + 'Component.SmartNIC', 'Component.NVME', 'Net.FABNetv4Ext', + 'Slice.Multisite' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FABNetv4ExtOK: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP) + + def testFABNetv4ExtFail(self) -> None: + + """ + Test that adding FABNetv4 with proper tag works + 
""" + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', nstype=fu.ServiceType.FABNetv4Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv4Ext, + interfaces=[c4.interface_list[0]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ + 'VM.NoLimit', + 'Component.SmartNIC', 'Component.NVME', + 'Slice.Multisite' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FABNetv4ExtFail: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP, 'Deny') + + def testFABNetv6ExtOK(self) -> None: + + """ + Test that adding FABNetv4 with proper tag works + """ + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + 
n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c4.interface_list[0]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ + 'VM.NoLimit', + 'Component.SmartNIC', 'Component.NVME', 'Net.FABNetv6Ext', + 'Slice.Multisite' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FABNetv6ExtOK: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP) + + def testFABNetv6ExtFail(self) -> None: + + """ + Test that adding FABNetv4 with proper tag works + """ + t = fu.ExperimentTopology() + n1 = t.add_node(name='n1', site='RENC', capacities=fu.Capacities(core=1, ram=10, disk=25)) + c1 = n1.add_component(name='c1', model_type=fu.ComponentModelType.SmartNIC_ConnectX_6) + c2 = n1.add_component(name='c2', model_type=fu.ComponentModelType.SharedNIC_ConnectX_6) + n1.add_component(name='c3', model_type=fu.ComponentModelType.NVME_P4510) + n2 = t.add_node(name='n2', site='UKY', capacities=fu.Capacities(core=10, ram=10, disk=35)) + c4 = n2.add_component(name='c4', model_type=fu.ComponentModelType.SmartNIC_ConnectX_5) + s1 = t.add_network_service(name='s1', 
nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c1.interface_list[0]]) + s2 = t.add_network_service(name='s2', nstype=fu.ServiceType.FABNetv6Ext, + interfaces=[c4.interface_list[0]]) + # this sets site property on fabnet, which is a must + t.validate() + + authz = ResourceAuthZAttributes() + + now = datetime.datetime.now(datetime.timezone.utc) + delta = datetime.timedelta(days=13, hours=11, minutes=7, seconds=4, milliseconds=10) + future = now + delta + + authz.collect_resource_attributes(source=t) + authz.set_action('create') + authz.set_lifetime(future) + authz.set_subject_attributes(subject_id='user@google.com', project='MyProject', project_tag=[ + 'VM.NoLimit', + 'Component.SmartNIC', 'Component.NVME', + 'Slice.Multisite' + ]) + authz.set_resource_subject_and_project(subject_id='user@google.com', project='MyProject') + + print(f"FABNetv4ExtFail: {authz.transform_to_pdp_request()}") + self.runOnStringRequest(authz.transform_to_pdp_request(), TAGPDP, 'Deny') \ No newline at end of file From ea4b6e5e038c093edade6c5071bae803aa6e4189 Mon Sep 17 00:00:00 2001 From: Ilya Baldin Date: Tue, 20 Dec 2022 10:07:38 -0500 Subject: [PATCH 2/2] Removing mentions of Net.Peering --- README.md | 3 ++- policies/alfa/Requests/orchestrator-request.json | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 24ab89b..c5e26b5 100644 --- a/README.md +++ b/README.md 
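Review bot: The four new tests share one copy-pasted docstring — `testFABNetv4ExtFail`, `testFABNetv6ExtOK` and `testFABNetv6ExtFail` all read `Test that adding FABNetv4 with proper tag works` — and the last test's print label says `FABNetv4ExtFail:` where it should say `FABNetv6ExtFail:`; suggested docstrings in order: `Test that a FABNetv4Ext service is denied when the project lacks Net.FABNetv4Ext`, `Test that a FABNetv6Ext service is permitted with the Net.FABNetv6Ext tag`, `Test that a FABNetv6Ext service is denied when the project lacks Net.FABNetv6Ext`. The negative tests only assert the decision is `'Deny'`, so a deny raised by any other rule (a missing component tag, say) would let them pass for the wrong reason; if `runOnStringRequest` exposes the PDP response (its `printResponse` flag suggests it has it), asserting that the advice message names `Net.FABNetv4Ext` / `Net.FABNetv6Ext` would pin the new rules specifically. `c2`, `s1` and `s2` are assigned but never read in all four tests and can be dropped to plain calls. The enclosing TestCase class starts outside the hunk.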
@@ -106,7 +106,8 @@ The following is an incomplete list of possible project tag values:
 - Component.Storage - allows to create and attach rotating storage
 - Component.NVME - allows to provision and attach NVME components
 - Net.NoLimitBW - allows to provision links over 10 Gbps
-- Net.Peering - allows to create slices with public peering
+- Net.FABNetv4Ext - allows to create slices with public connectivity over IPv4
+- Net.FABNetv6Ext - allows to create slices with public connectivity over IPv6
 - Net.PortMirroring - allows to create slices that include port mirroring
 - Net.FacilityPort.XXX - allows to create slices with stitch port with short name XXX
 - Net.AllFacilityPorts - allows to create slices with any stitchport
diff --git a/policies/alfa/Requests/orchestrator-request.json b/policies/alfa/Requests/orchestrator-request.json
index 4d89d23..7bcfdcf 100644
--- a/policies/alfa/Requests/orchestrator-request.json
+++ b/policies/alfa/Requests/orchestrator-request.json
@@ -113,7 +113,7 @@
 "IncludeInResult":false,
 "AttributeId":"urn:fabric:xacml:attributes:project-tag",
 "DataType":"http://www.w3.org/2001/XMLSchema#string",
- "Value":["Component.FPGA", "Component.GPU", "VM.NoLimitDisk", "Slice.Multisite", "Net.Peering", "Net.NoLimitBW", "Net.FacilityPort.UKY", "Net.FacilityPort.RENC", "Slice.Measurements", "VM.NoLimitDisk"]
+ "Value":["Component.FPGA", "Component.GPU", "VM.NoLimitDisk", "Slice.Multisite", "Net.FABNetv4Ext", "Net.NoLimitBW", "Net.FacilityPort.UKY", "Net.FacilityPort.RENC", "Slice.Measurements", "VM.NoLimitDisk"]
 }
 ]
 }