incubator-deltacloud-dev mailing list archives

From mar...@redhat.com
Subject firewalls - ec2 security groups - revision 3
Date Fri, 10 Jun 2011 14:43:53 GMT

* main change is the way we define rule id (explained in detail below if you are interested).

* adds a version constraint for aws 2.5.4 (yet to be released - waiting)

* addresses comments in response to rev 2 (patches sent 30 May 2011):

  ==> from Michal Fojtik (31 May 2011) 
    - patch 2/3 fixes the failing cucumber scenarios
    - patch 1/3 includes validation of params for the create rule operation and string descriptions
  
  ==> from David Lutterkort (03 June 2011) 
    - patch 3/3 moves the 'improved json support for blobs' into a separate patch,
    - patch 1/3 changes the way we define the rule_id - no longer using base64 encoding. A
rule id looks like: "user_id~protocol~from_port~to_port~sources_string" where the format of
sources_string depends on the source types (address vs groups) delimited by '@'. An example
rule id is: 297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16
    - patch 1/3 fixes various other nits identified by David


marios


*******************************************************************************************
Original message from rev 2 included below for convenience (amended for the above changes):


This patch implements 'firewalls' - which are ec2 security groups. Some notes:

 * This functionality relies on some modifications to the appoxy aws gem - the requested changes
have been merged into appoxy/aws https://github.com/appoxy/aws/pull/91 and will be available
in the next gem release (look for aws-2.5.4)

=======================================================================

 * XML looks like:
<firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
  <name><![CDATA[new_firewall]]></name>
  <description><![CDATA[new_one]]></description>
  <owner_id>297467797945</owner_id>
  <rules>
    <rule id='297467797945~tcp~12~13~@group,297467797945,test@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'>
      <allow_protocol>tcp</allow_protocol>
      <port_from>12</port_from>
      <port_to>13</port_to>
      <direction>ingress</direction>
      <sources>
        <source name='test' owner='297467797945' type='group'></source>
        <source address='10.0.0.0' family='ipv4' prefix='0' type='address'></source>
        <source address='192.168.1.1' family='ipv4' prefix='16' type='address'></source>
      </sources>
    </rule>
  </rules>
</firewall>

=======================================================================

 * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html
and xml interfaces), GET/POST/DELETE for firewall rules. You can also use curl rather than the
html interface if you prefer:


list firewalls:
GET /api/firewalls
GET /api/firewalls/:firewall
curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall:
POST /api/firewalls
curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" \
     --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:
DELETE /api/firewalls/:firewall
curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

create firewall rule:
POST /api/firewalls/:firewall/rules
curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" \
     -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" \
     -F "group1=new_group" -F "group1owner=123456789" \
     --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/default/rules?format=xml
(and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

delete firewall rule:
DELETE /api/firewalls/:firewall/rule
curl -X DELETE -F "rule_id=:rule_id" --user 'aws_key:aws_secret_key' \
     http://localhost:3001/api/firewalls/firewall_id/rule?format=xml

=======================================================================

* Firewall rule ids... amazon doesn't have any notion of an 'id' for a single firewall rule,
rather each firewall rule is identified by its constituent parts (protocol, from&to ports,
and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule'
type operation I use "user_id~protocol~from_port~to_port~sources_string" (base64 encoding
made the id 'ugly' and also padding just made it longer).

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try
this stuff out,

all the best, marios
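
Added example (editor's code, not part of the mail above nor of the Deltacloud patch): a small Ruby encoder/decoder for the rule id scheme the mail describes in the revision notes and again under "Firewall rule ids", i.e. "user_id~protocol~from_port~to_port~sources_string" with '@'-delimited sources of the form "group,<owner>,<name>" or "address,<family>,<address>,<prefix>". It round-trips the example id from the mail and maps a parsed rule back onto the ip_addressN / groupN / groupNowner form fields the create-rule POST takes. Two things are my assumptions rather than anything the mail states: the empty element before the first '@' is ignored, and because the scheme has no escaping, a component that itself contains '~', '@' or ',' is rejected instead of producing an id that would parse differently. All function and struct names (Rule, Source, parse_rule_id, build_rule_id, rule_to_create_params) are mine.

```ruby
# Editor's example, not Deltacloud code. Encode/decode the firewall rule id
# described in the mail:
#   "user_id~protocol~from_port~to_port~sources_string"
# sources_string: '@'-delimited list of
#   "group,<owner>,<name>"  or  "address,<family>,<address>,<prefix>"
# Assumptions (mine): the leading empty element before the first '@' is
# ignored; components must not contain '~', '@' or ',' (no escaping exists).

Source = Struct.new(:type, :owner, :name, :family, :address, :prefix)
Rule   = Struct.new(:user_id, :protocol, :from_port, :to_port, :sources)

DELIMS = /[~@,]/

class RuleIdError < ArgumentError; end

# Reject empty components and ones that would collide with a delimiter.
def check_component(value)
  s = value.to_s
  raise RuleIdError, "empty component" if s.empty?
  raise RuleIdError, "component #{s.inspect} contains a delimiter" if s =~ DELIMS
  s
end

def parse_source(fragment)
  fields = fragment.split(',', -1)
  case fields[0]
  when 'group'
    raise RuleIdError, "bad group source #{fragment.inspect}" unless fields.size == 3
    Source.new('group', fields[1], fields[2], nil, nil, nil)
  when 'address'
    raise RuleIdError, "bad address source #{fragment.inspect}" unless fields.size == 4
    Source.new('address', nil, nil, fields[1], fields[2], fields[3].to_i)
  else
    raise RuleIdError, "unknown source type #{fields[0].inspect}"
  end
end

# rule id string -> Rule (ports as integers, sources as Source structs)
def parse_rule_id(id)
  parts = id.split('~', -1)
  raise RuleIdError, "expected 5 '~'-separated fields, got #{parts.size}" unless parts.size == 5
  user_id, protocol, from_port, to_port, sources_string = parts
  sources = sources_string.split('@', -1).reject(&:empty?).map { |f| parse_source(f) }
  raise RuleIdError, "rule has no sources" if sources.empty?
  Rule.new(user_id, protocol, from_port.to_i, to_port.to_i, sources)
end

def source_to_s(src)
  case src.type
  when 'group'
    ['group', src.owner, src.name].map { |v| check_component(v) }.join(',')
  when 'address'
    ['address', src.family, src.address, src.prefix].map { |v| check_component(v) }.join(',')
  else
    raise RuleIdError, "unknown source type #{src.type.inspect}"
  end
end

# Rule -> rule id string, in the exact layout shown in the mail (leading '@').
def build_rule_id(rule)
  head = [rule.user_id, rule.protocol, rule.from_port, rule.to_port].map { |v| check_component(v) }
  (head + ['@' + rule.sources.map { |s| source_to_s(s) }.join('@')]).join('~')
end

# Rule -> the form fields the create-rule POST in the mail accepts
# (protocol, from_port, to_port, ip_addressN, groupN, groupNowner).
def rule_to_create_params(rule)
  params = { 'protocol' => rule.protocol,
             'from_port' => rule.from_port.to_s, 'to_port' => rule.to_port.to_s }
  addr_n = group_n = 0
  rule.sources.each do |src|
    if src.type == 'address'
      addr_n += 1
      params["ip_address#{addr_n}"] = "#{src.address}/#{src.prefix}"
    else
      group_n += 1
      params["group#{group_n}"]      = src.name
      params["group#{group_n}owner"] = src.owner
    end
  end
  params
end

# The example id quoted in the revision notes above.
EXAMPLE_ID = '297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'

if __FILE__ == $0
  rule = parse_rule_id(EXAMPLE_ID)
  puts rule.sources.map(&:type).inspect
  puts build_rule_id(rule) == EXAMPLE_ID
  p rule_to_create_params(rule)
end
```

The delete-rule endpoint takes the id back verbatim, so the only defence against two different rules sharing an id is that no owner, group name, family or address contains a delimiter character; the example enforces that at build time rather than trusting the caller.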
