From: marios@redhat.com
To: deltacloud-dev@incubator.apache.org
Subject: firewalls - ec2 security groups - revision 3
Date: Fri, 10 Jun 2011 17:43:53 +0300
Message-Id: <1307717036-23761-1-git-send-email-marios@redhat.com>

* main change is the way we define rule id (explained in detail below if you are interested).
* adds a version constraint for aws 2.5.4 (yet to be released - waiting)
* addresses comments in response to rev 2 (patches sent 30 May 2011):

==> from Michal Fojtik (31 May 2011)
  - patch 2/3 fixes the failing cucumber scenarios
  - patch 1/3 includes validation of params for the create rule operation and string descriptions

==> from David Lutterkort (03 June 2011)
  - patch 3/3 moves the 'improved json support for blobs' into a separate patch,
  - patch 1/3 changes the way we define the rule_id - no longer using base64 encoding. A rule id looks like:

      "user_id~protocol~from_port~to_port~sources_string"

    where the format of sources_string depends on the source types (address vs groups) delimited by '@'. An example rule id is:

      297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16

  - patch 1/3 fixes various other nits identified by David

marios

*******************************************************************************************

Original message from rev 2 included below for convenience (amended for the above changes):

This patch implements 'firewalls' - which are ec2 security groups. Some notes:

* This functionality relies on some modifications to the appoxy aws gem - the requested changes have been merged into appoxy/aws https://github.com/appoxy/aws/pull/91 and will be available in the next gem release (look for aws-2.5.4)

=======================================================================

* XML looks like:

    297467797945 tcp 12 13 ingress

=======================================================================

* OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for firewalls (both html and xml interfaces), GET/POST/DELETE for firewall rules.

You can also use curl rather than the html interface if you prefer:

list firewalls:
    GET /api/firewalls
    GET /api/firewalls/:firewall
    curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

create new firewall:
    POST /api/firewalls
    curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml

delete a firewall:
    DELETE /api/firewalls/:firewall
    curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml

create firewall rule:
    POST /api/firewalls/:firewall/rules
    curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" -F "group1=new_group" -F "group1owner=123456789" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/default/rules?format=xml
    (and can specify additional sources for a given rule using ip_addressN and groupN/groupNowner)

delete firewall rule:
    DELETE /api/firewalls/:firewall/rule
    curl -X DELETE -F "rule_id=:rule_id" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule?format=xml

=======================================================================

* Firewall rule ids... amazon doesn't have any notion of an 'id' for a single firewall rule, rather each firewall rule is identified by its constituent parts (protocol, from&to ports, and sources [groups and ipaddress ranges]). In order to allow for a 'delete /api/firewalls/:firewall/:rule' type operation I use "user_id~protocol~from_port~to_port~sources_string" (base64 encoding made the id 'ugly' and also padding just made it longer).

I'm sure there's more but this is already way too long, thanks to anyone brave enough to try this stuff out, all the best,

marios
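Since the rule id is the only handle a client has on a rule for the DELETE operation, a strict parser matters: an id that is accepted loosely can match or silently skip the wrong rule. The following is an added example, not Deltacloud's or the aws gem's code; it builds and parses the rule id format exactly as described in the message (the `parse_rule_id`/`build_rule_id` names and the hash layout are my own), using the example id from the message as constructed input.

```ruby
# Added example (not Deltacloud's own code). Rule id format from the message:
#   "user_id~protocol~from_port~to_port~sources_string"
# sources_string is a run of '@'-prefixed sources, each one either
#   group,<owner_id>,<group_name>   or   address,ipv4,<ip>,<prefix_len>

# Constructed sample input: the example id quoted in the message.
SAMPLE_RULE_ID = "297467797945~tcp~12~13~@group,297467797945,test" \
                 "@group,297467797945,new_firewall" \
                 "@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16"

# Parse a rule id into a hash. Malformed ids raise ArgumentError so a bad
# id sent to DELETE /api/firewalls/:firewall/rule is rejected outright
# instead of being partially matched against the group's rules.
def parse_rule_id(rule_id)
  parts = rule_id.split('~', 5)
  raise ArgumentError, "expected 5 '~'-separated fields" unless parts.size == 5
  owner, protocol, from_port, to_port, sources = parts
  raise ArgumentError, "unknown protocol #{protocol}" unless %w(tcp udp icmp).include?(protocol)
  # icmp rules use -1 for both ports on ec2, so allow a leading minus sign
  raise ArgumentError, "ports must be integers" unless [from_port, to_port].all? { |p| p =~ /\A-?\d+\z/ }
  raise ArgumentError, "sources must start with '@'" unless sources.start_with?('@')
  parsed_sources = sources[1..-1].split('@').map do |src|
    fields = src.split(',')
    case fields.first
    when 'group'
      raise ArgumentError, "bad group source: #{src}" unless fields.size == 3
      { :type => 'group', :owner => fields[1], :name => fields[2] }
    when 'address'
      raise ArgumentError, "bad address source: #{src}" unless fields.size == 4 && fields[1] == 'ipv4'
      { :type => 'address', :family => 'ipv4', :address => fields[2], :prefix => fields[3].to_i }
    else
      raise ArgumentError, "unknown source type in #{src}"
    end
  end
  { :owner => owner, :protocol => protocol, :from_port => from_port.to_i,
    :to_port => to_port.to_i, :sources => parsed_sources }
end

# Inverse of parse_rule_id: rebuild the id string from its parts, so an id
# handed out by GET and one received by DELETE compare byte for byte.
def build_rule_id(rule)
  sources = rule[:sources].map do |s|
    s[:type] == 'group' ? "@group,#{s[:owner]},#{s[:name]}" : "@address,ipv4,#{s[:address]},#{s[:prefix]}"
  end.join
  [rule[:owner], rule[:protocol], rule[:from_port], rule[:to_port], sources].join('~')
end
```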