incubator-deltacloud-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Michal Fojtik <mfoj...@redhat.com>
Subject Re: firewalls - ec2 security groups
Date Mon, 16 May 2011 15:45:19 GMT
On May 16, 2011, at 9:06 AM, marios@redhat.com wrote:

Hi,

> This patch implements 'firewalls' - which are ec2 security groups. Some notes:
> 
> * This functionality relies on some modifications to the appoxy aws gem - we have outstanding
pull requests https://github.com/appoxy/aws/pull/89
> (earlier one for security groups parser already in https://github.com/appoxy/aws/pull/81).
Until these commits are pulled into aws the only way to test is with my branch (https://github.com/marios/aws):
> 
>    mkdir delme; cd delme; git clone git://github.com/marios/aws.git ; cd aws ; gem build
aws.gemspec;  sudo gem install aws-2.4.5.gem
> 
> (ignore the version numbering of the gem - its just a remnant from when I created my
fork - latest from appoxy is 2.5.2)
> 
> =======================================================================
> 
> * XML looks like:
> 
> <firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
>  <name><![CDATA[new_firewall]]></name>
>  <description><![CDATA[new_one]]></description>
>  <owner_id>297467797945</owner_id>
>  <rules>
>    <rule>
>      <id>dXNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=</id>

I think we can move 'id' to rule attributes, to looks like:

<rule id="XNlciAyOTc0Njc3OTc5NDU6Ojpwcm90b2NvbCB0Y3A6Ojpmcm9tX3BvcnQgMjQ=">

We are following this 'concept' in all our collections/objects and actually I think it's
easiest to parse it through XPath expression (/firewall/rules/rule[@id=XY]).


>      <allow_protocol>tcp</allow_protocol>
>      <port_from>0</port_from>
>      <port_to>65535</port_to>
>      <direction>ingress</direction>
>      <sources>
>        <source name='new_firewall' owner='297467797945' type='group'></source>
>        <source address='10.1.1.1' family='ipv4' prefix='24' type='address'></source>
>        <source address='192.168.1.1' family='ipv4' prefix='24' type='address'></source>
>      </sources>
>    </rule>
>  </rules>
> </firewall>
> 
> =======================================================================
> 
> * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both
html and xml interfaces), GET/POST/DELETE for firewall rules. Only thing not yet finished
is the html interface for creating a firewall rule. Using curl, you can do this with:
> 
> curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=192.168.1.1/24"
-F "ip_address2=10.1.1.1/24" -F "group1=new_group" -F "group1owner=123456789"   --user 'aws_key:aws_secret_key'
http://localhost:3001/api/firewalls/default/rules?format=xml
> (and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)
> 
> Other useful curl commands:
> list firewalls: curl   --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
> 
> create new firewall: curl -F "name=some_new_firewall" -F "description=gonna be deleted
immediately"  --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
> 
> delete a firewall: curl -X DELETE  --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml
> 
> delete firewall rule: curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule_id?format=xml
> 
> =======================================================================
> 
> * Firewall rule ids... amazon doesn't have any notion of an 'id' for a single firewall
rule, rather each firewall rule is identified by its constituent parts (protocol, from&to
ports, and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule'
type operation I use Base64.encode to encode a unique UID for each rule using 'aws_owner_id
protocol from_port to_port sources' - but this results in rather ugly looking uids... discussion/suggestions
welcome,
> 
> I'm sure theres more but this is already way too long, thanks to anyone brave enough
to try this stuff out,

I think this stuff looks really cool and good. I tried it and I was able to create a security
group in
EC2 and open up SSH port.  The only thing we should not forget about is to cover all this
with some sort of
testing.

  -- Michal

------------------------------------------------------
Michal Fojtik, mfojtik@redhat.com
Deltacloud API: http://deltacloud.org


Mime
View raw message