incubator-deltacloud-dev mailing list archives

From mar...@redhat.com
Subject firewalls - ec2 security groups - revision 1
Date Mon, 16 May 2011 17:45:09 GMT

first revision of firewalls including suggestions by Michal:

  * in xml output: <rule id="XNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
rather than <rule> <id> theID </id> ...
  * safely do ... blocks around ec2 invocations in ec2_driver

Also, this version adds the html interface for creating new rules. I copy/paste notes from
original message here for convenience (amended for the above changes):


This patch implements 'firewalls' - which are ec2 security groups. Some notes:

 * This functionality relies on some modifications to the appoxy aws gem - we have outstanding
pull requests https://github.com/appoxy/aws/pull/89
(earlier one for security groups parser already in https://github.com/appoxy/aws/pull/81).
Until these commits are pulled into aws the only way to test is with my branch (https://github.com/marios/aws):

    mkdir delme; cd delme; git clone git://github.com/marios/aws.git; cd aws; \
    gem build aws.gemspec; sudo gem install aws-2.4.5.gem

(ignore the version numbering of the gem - it's just a remnant from when I created my fork
- latest from appoxy is 2.5.2)

=======================================================================

 * XML looks like:

<firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
  <name><![CDATA[new_firewall]]></name>
  <description><![CDATA[new_one]]></description>
  <owner_id>297467797945</owner_id>
  <rules>
    <rule id="dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
      <allow_protocol>tcp</allow_protocol>
      <port_from>0</port_from>
      <port_to>65535</port_to>
      <direction>ingress</direction>
      <sources>
        <source name='new_firewall' owner='123456789012' type='group'></source>
        <source address='10.1.1.1' family='ipv4' prefix='24' type='address'></source>
        <source address='192.168.1.1' family='ipv4' prefix='24' type='address'></source>
      </sources>
    </rule>
  </rules>
</firewall>

=======================================================================

 * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html
and xml interfaces), GET/POST/DELETE for firewall rules. You can also use curl rather than
html interface if you prefer:

create firewall rule:

    curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" \
      -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" \
      -F "group1=new_group" -F "group1owner=123456789" \
      --user 'aws_key:aws_secret_key' \
      http://localhost:3001/api/firewalls/default/rules?format=xml

(and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

list firewalls:

    curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall:

    curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" \
      --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

delete firewall rule:

    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml

=======================================================================

* Firewall rule ids... amazon doesn't have any notion of an 'id' for a single firewall rule,
rather each firewall rule is identified by its constituent parts (protocol, from&to ports,
and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule'
type operation I use Base64.encode to encode a unique UID for each rule using 'aws_owner_id
protocol from_port to_port sources' - but this results in rather ugly looking uids... discussion/suggestions
welcome,

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try
this stuff out,

all the best, marios
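The rule-id scheme described in the message, as an added Ruby example that is not part of the patch or of the Deltacloud/aws-gem code: a security-group rule has no native id on EC2, so the id is derived from the rule's constituent parts (owner id, protocol, port range, sources) and Base64-encoded. Two things a practitioner would want on top of that are shown here and are assumptions of this example, not of the patch: the URL-safe Base64 alphabet, so the id never contains '/' or '+' when it appears in a path segment like /api/firewalls/:firewall/:rule, and a strict decoder plus a lookup step, so a client-supplied id is only ever used as a key to find a rule the driver actually fetched for the authenticated owner, and a malformed or foreign id is simply "not found". The source string format ("group:<owner>:<name>", "address:<cidr>"), the protocol list and the port validation are choices made for this example; the sample rules are constructed data.

```ruby
require 'base64'

# Added example, not Deltacloud's own code. Builds and parses an id for an
# EC2 security-group rule from the parts that identify it, in the spirit of
# the message above, but URL-safe and with strict validation on decode.
module FirewallRuleId
  SEP = ':::'.freeze
  PROTOCOLS = %w[tcp udp icmp].freeze   # assumed allow-list for this example

  # rule: { owner_id:, protocol:, from_port:, to_port:, sources: [...] }
  # sources are strings such as "group:123456789012:new_group" or
  # "address:10.1.1.1/24" (format assumed for this example).
  def self.encode(rule)
    parts = [rule[:owner_id], rule[:protocol], rule[:from_port], rule[:to_port],
             rule[:sources].sort.join(',')]  # sorted so source order never changes the id
    # '-' and '_' instead of '+' and '/': safe inside a URL path segment
    Base64.urlsafe_encode64(parts.join(SEP))
  end

  # Returns a rule hash, or nil for anything that is not a well-formed rule id.
  # Every field is checked; nothing from the client is trusted as-is.
  def self.decode(id)
    raw = Base64.urlsafe_decode64(id.to_s)   # raises ArgumentError on bad input
    return nil unless raw.force_encoding(Encoding::UTF_8).valid_encoding?
    owner, proto, from, to, sources = raw.split(SEP, 5)
    return nil unless owner && proto && from && to && sources
    return nil unless owner =~ /\A\d+\z/ && PROTOCOLS.include?(proto)
    return nil unless [from, to].all? { |p| p =~ /\A\d+\z/ && p.to_i.between?(0, 65_535) }
    return nil if from.to_i > to.to_i
    return nil if sources.empty?
    { owner_id: owner, protocol: proto, from_port: from.to_i, to_port: to.to_i,
      sources: sources.split(',').sort }
  rescue ArgumentError
    nil
  end

  # Resolve an id against the rules actually fetched for the group. The id is
  # only a lookup key: an id that decodes cleanly but names a rule not present
  # in the group, or belonging to another account, yields nil (not found).
  def self.find(id, group_rules, account_owner_id)
    wanted = decode(id)
    return nil unless wanted && wanted[:owner_id] == account_owner_id
    wanted_id = encode(wanted)                # normalised form for comparison
    group_rules.find { |r| encode(r) == wanted_id }
  end
end

# Constructed sample data for this example (not from a live account).
SAMPLE_OWNER = '123456789012'.freeze
SAMPLE_RULES = [
  { owner_id: SAMPLE_OWNER, protocol: 'tcp', from_port: 22, to_port: 22,
    sources: ['address:192.168.1.1/24', 'address:10.1.1.1/24',
              "group:#{SAMPLE_OWNER}:new_group"] },
  { owner_id: SAMPLE_OWNER, protocol: 'tcp', from_port: 0, to_port: 65_535,
    sources: ["group:#{SAMPLE_OWNER}:new_firewall"] }
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_RULES.each do |rule|
    id = FirewallRuleId.encode(rule)
    puts "#{id} -> #{FirewallRuleId.decode(id).inspect}"
  end
  puts "foreign owner lookup: #{FirewallRuleId.find(FirewallRuleId.encode(SAMPLE_RULES[0]), SAMPLE_RULES, '999999999999').inspect}"
end
```

Because the id is rebuilt from the rule's own fields, the DELETE handler can compare ids instead of trusting the submitted one, and the rule it acts on is always one returned by the describe call for the caller's account.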
