incubator-deltacloud-dev mailing list archives

From Michal Fojtik <mfoj...@redhat.com>
Subject Re: firewalls - ec2 security groups - revision 3
Date Wed, 15 Jun 2011 13:24:29 GMT
On Jun 10, 2011, at 4:43 PM, marios@redhat.com wrote:

ACK to whole series, please fix minor formatting issues in 1/1.

  -- Michal

> 
> * main change is the way we define rule id (explained in detail below if you are interested).
> 
> * adds a version constraint for aws 2.5.4 (yet to be released - waiting)
> 
> * addresses comments in response to rev 2 (patches sent 30 May 2011):
> 
>  ==> from Michal Fojtik (31 May 2011) 
>    - patch 2/3 fixes the failing cucumber scenarios
>    - patch 1/3 includes validation of params for the create rule operation and string descriptions
> 
>  ==> from David Lutterkort (03 June 2011) 
>    - patch 3/3 moves the 'improved json support for blobs' into a separate patch,
>    - patch 1/3 changes the way we define the rule_id - no longer using base64 encoding. A rule id looks like: "user_id~protocol~from_port~to_port~sources_string" where the format of sources_string depends on the source types (address vs groups) delimited by '@'. An example rule id is: 297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16
>    - patch 1/3 fixes various other nits identified by David
> 
> 
> marios
> 
> 
> *******************************************************************************************
> Original message from rev 2 included below for convenience (amended for the above changes):
> 
> 
> This patch implements 'firewalls' - which are ec2 security groups. Some notes:
> 
> * This functionality relies on some modifications to the appoxy aws gem - the requested changes have been merged into appoxy/aws https://github.com/appoxy/aws/pull/91 and will be available in the next gem release (look for aws-2.5.4)
> 
> =======================================================================
> 
> * XML looks like:
> <firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
>  <name><![CDATA[new_firewall]]></name>
>  <description><![CDATA[new_one]]></description>
>  <owner_id>297467797945</owner_id>
>  <rules>
>    <rule id='297467797945~tcp~12~13~@group,297467797945,test@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'>
>      <allow_protocol>tcp</allow_protocol>
>      <port_from>12</port_from>
> 
>      <port_to>13</port_to>
>      <direction>ingress</direction>
>      <sources>
>        <source name='test' owner='297467797945' type='group'></source>
>        <source address='10.0.0.0' family='ipv4' prefix='0' type='address'></source>
>        <source address='192.168.1.1' family='ipv4' prefix='16' type='address'></source>
>      </sources>
>    </rule>
> 
>  </rules>
> </firewall>
> 
> =======================================================================
> 
> * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html and xml interfaces), GET/POST/DELETE for firewall rules. You can also use curl rather than html interface if you prefer:
> 
> 
> list firewalls: 
> GET /api/firewalls
> GET /api/firewalls/:firewall
> curl   --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
> 
> create new firewall:
> POST /api/firewalls
> curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately"  --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
> 
> delete a firewall: 
> DELETE /api/firewalls/:firewall
> curl -X DELETE  --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml
> 
> create firewall rule:
> POST /api/firewalls/:firewall/rules
> curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" -F "group1=new_group" -F "group1owner=123456789"   --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/default/rules?format=xml
> (and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)
> 
> delete firewall rule:
> DELETE /api/firewalls/:firewall/rule
> curl -X DELETE -F "rule_id=:rule_id" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule?format=xml
> 
> =======================================================================
> 
> * Firewall rule ids... Amazon doesn't have any notion of an 'id' for a single firewall rule, rather each firewall rule is identified by its constituent parts (protocol, from&to ports, and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule' type operation I use "user_id~protocol~from_port~to_port~sources_string" (base64 encoding made the id 'ugly' and also padding just made it longer).
> 
> I'm sure there's more but this is already way too long, thanks to anyone brave enough to try this stuff out,
> 
> all the best, marios

------------------------------------------------------
Michal Fojtik, mfojtik@redhat.com
Deltacloud API: http://deltacloud.org
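As an added example (not code from this thread or from Deltacloud itself), a Ruby parser and builder for the "user_id~protocol~from_port~to_port~sources_string" rule id format described above; it checks the field counts of each '@'-delimited source so a malformed id is rejected before it reaches a delete operation. The rule id below is the one quoted in the mail.

```ruby
# Rule id quoted in the thread: five '~'-separated parts, the last being
# a sources string made of '@'-prefixed entries.
RULE_ID = '297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'

# Parse one source entry. Two kinds appear in the thread:
#   "group,<owner>,<name>"  and  "address,<family>,<addr>,<prefix>"
def parse_source(src)
  fields = src.split(',')
  case fields[0]
  when 'group'
    raise ArgumentError, "bad group source: #{src}" unless fields.size == 3
    { type: 'group', owner: fields[1], name: fields[2] }
  when 'address'
    raise ArgumentError, "bad address source: #{src}" unless fields.size == 4
    { type: 'address', family: fields[1], address: fields[2], prefix: fields[3] }
  else
    raise ArgumentError, "unknown source type: #{fields[0].inspect}"
  end
end

# Split a rule id into its parts; ports are converted to integers and
# range-checked, sources are parsed individually.
def parse_rule_id(rule_id)
  user_id, protocol, from_port, to_port, sources = rule_id.split('~', 5)
  raise ArgumentError, 'rule id needs five ~-separated parts' if sources.nil?
  from_port, to_port = [from_port, to_port].map { |p| Integer(p) }
  unless (0..65535).cover?(from_port) && (0..65535).cover?(to_port)
    raise ArgumentError, 'port out of range'
  end
  # sources_string starts with '@', so the first split element is empty.
  srcs = sources.split('@').reject(&:empty?).map { |s| parse_source(s) }
  { user_id: user_id, protocol: protocol, from_port: from_port,
    to_port: to_port, sources: srcs }
end

# Rebuild the id string from the parsed hash (inverse of parse_rule_id).
def build_rule_id(rule)
  srcs = rule[:sources].map do |s|
    if s[:type] == 'group'
      "@group,#{s[:owner]},#{s[:name]}"
    else
      "@address,#{s[:family]},#{s[:address]},#{s[:prefix]}"
    end
  end.join
  "#{rule[:user_id]}~#{rule[:protocol]}~#{rule[:from_port]}~#{rule[:to_port]}~#{srcs}"
end
```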

