incubator-deltacloud-dev mailing list archives

Subject firewalls - ec2 security groups - revision 1
Date Mon, 16 May 2011 17:45:09 GMT

first revision of firewalls including suggestions by Michal:

  * in xml output: <rule id="dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
rather than <rule> <id> theID </id> ...
  * safely do ... blocks around ec2 invocations in ec2_driver

Also, this version adds the html interface for creating new rules. I copy/paste the notes from the
original message here for convenience (amended for the above changes):

This patch implements 'firewalls' - which are ec2 security groups. Some notes:

 * This functionality relies on some modifications to the appoxy aws gem - we have outstanding
pull requests
(earlier one for security groups parser already in
Until these commits are pulled into aws the only way to test is with my branch (

    mkdir delme; cd delme; git clone git:// ; cd aws ; gem build
aws.gemspec;  sudo gem install aws-2.4.5.gem

(ignore the version numbering of the gem - it's just a remnant from when I created my fork
- latest from appoxy is 2.5.2)


 * XML looks like:

<firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
    <rule id="dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">
        <source name='new_firewall' owner='123456789012' type='group'></source>
        <source address='' family='ipv4' prefix='24' type='address'></source>
        <source address='' family='ipv4' prefix='24' type='address'></source>


 * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html
and xml interfaces), GET/POST/DELETE for firewall rules. You can also use curl rather than
html interface if you prefer:

create firewall rule:
curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=" -F
"ip_address2=" -F "group1=new_group" -F "group1owner=123456789"   --user 'aws_key:aws_secret_key'
(and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

list firewalls: curl   --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall: curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately"
 --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall: curl -X DELETE  --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

delete firewall rule: curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml


* Firewall rule ids... Amazon doesn't have any notion of an 'id' for a single firewall rule,
rather each firewall rule is identified by its constituent parts (protocol, from&to ports,
and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule'
type operation I use Base64.encode to encode a unique UID for each rule using 'aws_owner_id
protocol from_port to_port sources' - but this results in rather ugly looking uids... discussion/suggestions
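
An added example, not code from the patch or from the aws gem fork, covering the two pieces described above: the form fields from the create-rule curl call turned into a validated rule, and the rule id built by Base64-encoding the labelled parts and decoded again for the DELETE route. The Rule struct, the field names and the ':::' separator are assumptions; the separator is taken from the sample id in the XML above, which decodes to 'user 297467797945:::protocol tcp:::from_port 24'. Two things worth having in the patch: Base64.encode64 inserts a newline every 60 characters, and the standard alphabet's '/', '+' and '=' do not survive a URL path segment unencoded, so a strict or URL-safe encoding is used here; and a decoded id is checked against the expected shape before anything is sent to EC2.

```ruby
require 'base64'

# Field separator. The sample id in the XML above decodes to
# "user 297467797945:::protocol tcp:::from_port 24", so ":::" is assumed here.
SEP = ':::'.freeze

# Hypothetical rule shape for this example, not deltacloud's own model.
Rule = Struct.new(:owner, :protocol, :from_port, :to_port, :sources)

# Dotted-quad IPv4 address with an optional /prefix of 0..32.
CIDR_RE = %r{\A(?:\d{1,3}\.){3}\d{1,3}(?:/(?:[0-9]|[12][0-9]|3[0-2]))?\z}

# Build a Rule from the form fields the curl example posts (protocol, from_port,
# to_port, ip_addressN, groupN, groupNowner). Each field is checked before it
# becomes part of the rule so that nothing unvalidated reaches the EC2 call.
# Returns [rule, errors]; rule is nil whenever errors is non-empty.
def rule_from_params(owner, params)
  errors = []
  protocol = params['protocol'].to_s.downcase
  errors << 'protocol must be tcp, udp or icmp' unless %w[tcp udp icmp].include?(protocol)
  from_port, to_port = %w[from_port to_port].map do |k|
    v = params[k].to_s
    errors << "#{k} must be numeric" unless v =~ /\A-?\d+\z/ # -1 is valid for icmp
    v.to_i
  end
  sources = []
  params.each do |key, value|
    value = value.to_s.strip
    next if value.empty? # ip_address2= and similar empty fields are simply unused
    case key
    when /\Aip_address\d+\z/
      if value =~ CIDR_RE
        sources << "address:#{value}"
      else
        errors << "#{key} is not an IPv4 CIDR"
      end
    when /\Agroup\d+\z/
      group_owner = params["group#{key[/\d+/]}owner"].to_s.strip
      if group_owner =~ /\A\d+\z/
        sources << "group:#{group_owner}/#{value}"
      else
        errors << "#{key}owner must be a numeric account id"
      end
    end
  end
  errors << 'at least one source is required' if sources.empty?
  return [nil, errors] unless errors.empty?
  [Rule.new(owner, protocol, from_port, to_port, sources.sort.uniq), []]
end

# Plaintext the id is derived from. Sources are sorted so that two descriptions
# of the same rule always produce the same id.
def rule_plaintext(rule)
  ["user #{rule.owner}", "protocol #{rule.protocol}", "from_port #{rule.from_port}",
   "to_port #{rule.to_port}", "sources #{rule.sources.sort.join(',')}"].join(SEP)
end

# Standard alphabet without line breaks. Base64.encode64 (pack "m") inserts a
# newline every 60 output characters, which would break any id longer than that.
def encode_rule_id(rule)
  Base64.strict_encode64(rule_plaintext(rule))
end

# URL-safe alphabet, no padding: the id then contains no '/', '+' or '=' and can
# sit in /api/firewalls/:firewall/:rule without percent-encoding.
def encode_rule_id_urlsafe(rule)
  Base64.urlsafe_encode64(rule_plaintext(rule), padding: false)
end

# Both alphabets decode here (urlsafe_decode64 also accepts '+' and '/').
def decode_rule_plaintext(id)
  Base64.urlsafe_decode64(id.to_s)
rescue ArgumentError
  nil
end

S = Regexp.escape(SEP)
PATTERN = /\Auser (\d+)#{S}protocol (\w+)#{S}from_port (-?\d+)#{S}to_port (-?\d+)#{S}sources (.*)\z/

# Decode an id back into a Rule, or nil when it is not a well-formed rule id:
# a DELETE handler should refuse such an id rather than pass it on to EC2.
def decode_rule_id(id)
  plain = decode_rule_plaintext(id)
  m = plain && PATTERN.match(plain)
  return nil unless m
  Rule.new(m[1], m[2], m[3].to_i, m[4].to_i, m[5].empty? ? [] : m[5].split(','))
end
```

The create handler would call rule_from_params with the authenticated account id and the posted fields, and only on an empty error list hand the rule to the driver; the destroy handler would call decode_rule_id on the :rule path segment and return 404 on nil, so the only strings that ever reach EC2 are ones the server itself produced and re-validated.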

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try
this stuff out,

all the best, marios
