incubator-deltacloud-dev mailing list archives

From mar...@redhat.com
Subject firewalls - ec2 security groups
Date Mon, 16 May 2011 07:06:02 GMT

This patch implements 'firewalls' - which are ec2 security groups. Some notes:

 * This functionality relies on some modifications to the appoxy aws gem - we have outstanding
pull requests https://github.com/appoxy/aws/pull/89
(earlier one for security groups parser already in https://github.com/appoxy/aws/pull/81).
Until these commits are pulled into aws the only way to test is with my branch (https://github.com/marios/aws):

    mkdir delme; cd delme; git clone git://github.com/marios/aws.git; cd aws
    gem build aws.gemspec; sudo gem install aws-2.4.5.gem

(ignore the version numbering of the gem - it's just a remnant from when I created my fork
- latest from appoxy is 2.5.2)

=======================================================================

 * XML looks like:

<firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
  <name><![CDATA[new_firewall]]></name>
  <description><![CDATA[new_one]]></description>
  <owner_id>297467797945</owner_id>
  <rules>
    <rule>
      <id>dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=</id>
      <allow_protocol>tcp</allow_protocol>
      <port_from>0</port_from>
      <port_to>65535</port_to>
      <direction>ingress</direction>
      <sources>
        <source name='new_firewall' owner='297467797945' type='group'></source>
        <source address='10.1.1.1' family='ipv4' prefix='24' type='address'></source>
        <source address='192.168.1.1' family='ipv4' prefix='24' type='address'></source>
      </sources>
    </rule>
  </rules>
</firewall>

=======================================================================

 * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html
and xml interfaces), GET/POST/DELETE for firewall rules. Only thing not yet finished is the
html interface for creating a firewall rule. Using curl, you can do this with:

    curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" \
         -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" \
         -F "group1=new_group" -F "group1owner=123456789" \
         --user 'aws_key:aws_secret_key' \
         http://localhost:3001/api/firewalls/default/rules?format=xml

(and you can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

Other useful curl commands:

list firewalls:

    curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall:

    curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" \
         --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

delete firewall rule:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml

=======================================================================

* Firewall rule ids... amazon doesn't have any notion of an 'id' for a single firewall rule,
rather each firewall rule is identified by its constituent parts (protocol, from&to ports,
and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule'
type operation I use Base64.encode to encode a unique UID for each rule using 'aws_owner_id
protocol from_port to_port sources' - but this results in rather ugly looking uids... discussion/suggestions
welcome,
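As an added example (not Deltacloud's code or part of this patch), here is a Ruby round-trip of the rule id scheme described above: build the id from the rule's constituent parts, decode it again, and check the decoded parts before they are turned into an EC2 call. The ':::' separator and the "name value" field layout follow the id in the XML above (it decodes to 'user 297467797945:::protocol tcp:::from_port 24'); the to_port and sources field names are assumptions.

```ruby
require 'base64'

# Added example, not Deltacloud's own code. The ':::' separator and the
# "name value" layout follow the rule id shown in the XML above; the
# to_port and sources field names are assumptions.
SEP = ':::'.freeze
PROTOCOLS = %w[tcp udp icmp].freeze

# Build the opaque rule id from the parts that identify an EC2 rule.
# sources is a list of strings such as "group:new_firewall:297467797945"
# or "address:10.1.1.1/24" (constructed format).
def rule_uid(owner, protocol, from_port, to_port, sources)
  fields = ["user #{owner}", "protocol #{protocol}",
            "from_port #{from_port}", "to_port #{to_port}",
            "sources #{sources.join(',')}"]
  Base64.strict_encode64(fields.join(SEP))
end

# Decode an id into a {name => value} hash, or nil if it is not valid
# base64 or a field lacks the "name value" shape.
def parse_rule_uid(uid)
  decoded = Base64.strict_decode64(uid)
  fields = decoded.split(SEP).map { |f| f.split(' ', 2) }
  return nil unless fields.all? { |f| f.size == 2 }
  fields.to_h
rescue ArgumentError
  nil
end

# A client-supplied id is only base64, so check the decoded parts before
# turning them into an EC2 revoke call: numeric owner, known protocol,
# both ports present, in range and ordered.
def valid_rule?(fields)
  return false if fields.nil?
  return false unless fields['user'].to_s.match?(/\A\d+\z/)
  return false unless PROTOCOLS.include?(fields['protocol'])
  from, to = fields.values_at('from_port', 'to_port')
  return false unless [from, to].all? { |p| p.to_s.match?(/\A\d+\z/) }
  (0..65535).cover?(from.to_i) && (0..65535).cover?(to.to_i) &&
    from.to_i <= to.to_i
end
```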

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try
this stuff out,

all the best, marios

