AETHER-2332 REGO RBACO rules for Aether-4.0.0. Also add GUI 4.0.0

Change-Id: I08e96fb8e80af5bd92262a0eba64fb5df4ef5a83
diff --git a/aether-roc-umbrella/Chart.yaml b/aether-roc-umbrella/Chart.yaml
index e48037f..40777f6 100644
--- a/aether-roc-umbrella/Chart.yaml
+++ b/aether-roc-umbrella/Chart.yaml
@@ -7,7 +7,7 @@
 description: Aether ROC Umbrella chart to deploy all Aether ROC
 kubeVersion: ">=1.18.0"
 type: application
-version: 1.4.5
+version: 1.4.6
 appVersion: v0.0.0
 keywords:
   - aether
@@ -52,7 +52,11 @@
   - name: aether-roc-gui
     condition: import.aether-roc-gui.v3.enabled
     repository: "file://../aether-roc-gui"
-    version: 3.0.24
+    version: 3.0.25
+  - name: aether-roc-gui-v4
+    condition: import.aether-roc-gui.v4.enabled
+    repository: "file://../aether-roc-gui-v4"
+    version: 4.0.0
   - name: sdcore-adapter
     condition: import.sdcore-adapter.v3.enabled
     repository: "file://../sdcore-adapter"
diff --git a/aether-roc-umbrella/files/opa-rbac/aether-4.0.0.rego b/aether-roc-umbrella/files/opa-rbac/aether-4.0.0.rego
new file mode 100644
index 0000000..b47bc60
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/aether-4.0.0.rego
@@ -0,0 +1,138 @@
+# SPDX-FileCopyrightText: 2021-present Open Networking Foundation <info@opennetworking.org>
+#
+# SPDX-License-Identifier: LicenseRef-ONF-Member-Only-1.0
+
+package aether_4_0_0
+
+echo[config] {
+    config := input
+}
+
+allowed[config] {
+    application := applications # refer to rule below
+    connectivity_service := connectivityservices
+    device_group := devicegroups
+    enterprise := enterprises
+    ip_domain := ip_domains
+    network := networks
+    site := sites
+    template := templates
+    traffic_class := trafficclasses
+    upf := upfs
+    vcs := vcss
+    config := {
+        "application": {
+            "application": [
+                application
+            ]
+        },
+        "connectivity-service": {
+            "connectivity-service": [
+                connectivity_service
+            ]
+        },
+        "device-group": {
+            "device-group": [
+                device_group
+            ]
+        },
+        "enterprise": {
+            "enterprise": [
+                enterprise
+            ]
+        },
+        "ip-domain": {
+            "ip-domain": [
+                ip_domain
+            ]
+        },
+        "network": {
+            "network": [
+                network
+            ]
+        },
+        "site": {
+            "site": [
+                site
+            ]
+        },
+        "template": {
+            "template": [
+                template
+            ]
+        },
+        "traffic_class": {
+            "traffic_class": {
+                traffic_class
+            }
+        },
+        "upf": {
+            "upf": [
+                upf
+            ]
+        },
+        "vcs": {
+            "vcs": [
+                vcs
+            ]
+        }
+    }
+}
+
+applications[application] {
+    application := input.application.application[_]
+    ["AetherROCAdmin", application.enterprise][_] == input.groups[i]
+}
+
+connectivityservices[connectivity_service] {
+    connectivity_service := input.connectivity_service.connectivity_service[_]
+}
+
+devicegroups[device_group] {
+    device_group := input.device_group.device_group[_]
+    site := sites
+    device_group.site == site[_].id # allow only the device_groups of a known site
+}
+
+enterprises[enterprise] {
+    enterprise := input.enterprise.enterprise[_]
+    ["AetherROCAdmin", enterprise.id][_] == input.groups[i]
+}
+
+ip_domains[ip_domain] {
+    ip_domain := input.ip_domain.ip_domain[_]
+    ["AetherROCAdmin", ip_domain.enterprise][_] == input.groups[i]
+}
+
+networks[network] {
+    network := input.network.network[_]
+    ["AetherROCAdmin", network.enterprise][_] == input.groups[i]
+}
+
+sites[site] {
+    site := input.site.site[_]
+    ["AetherROCAdmin", site.enterprise][_] == input.groups[i]
+}
+
+templates[template] {
+    template := input.template.template[_]
+}
+
+trafficclasses[traffic_class] {
+    traffic_class := input.traffic_class.traffic_class[_]
+}
+
+upfs[upf] {
+    upf := input.upf.upf[_]
+    ["AetherROCAdmin", upf.enterprise][_] == input.groups[i]
+}
+
+vcss[vcs] {
+    vcs := input.vcs.vcs[_]
+    ["AetherROCAdmin", vcs.enterprise][_] == input.groups[i]
+}
+
+can_update_enterprise = true {
+    update_enterprise := input.updates.enterprise.enterprise[_]
+    ["AetherROCAdmin", update_enterprise.id][_] == input.groups[i]
+}
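Review bot: `can_update_enterprise` at the end of the file becomes true as soon as any one entry of `input.updates.enterprise.enterprise` matches a caller group, so an update batch that mixes the caller's own enterprise with another one still evaluates to true; the rule should require that every entry is authorised. It also has no `default`, so a denial is undefined rather than false, and the caller has to treat undefined as deny. Separately, `connectivityservices`, `templates` and `trafficclasses` return their input to every caller with no group check, and `echo` returns the whole input unfiltered; if that is intended, each should carry a comment saying so, and `echo` looks like a debug rule that should not be reachable as a query path. The `traffic_class` entry in `allowed` uses an underscore key and a `{ ... }` set literal where every sibling uses a hyphenated key and `[ ... ]`, which looks accidental.

```rego
default can_update_enterprise = false

# True only when there is at least one enterprise update and none of them
# falls outside the caller's groups.
can_update_enterprise {
    count(input.updates.enterprise.enterprise) > 0
    count(unauthorized_enterprise_updates) == 0
}

unauthorized_enterprise_updates[update_enterprise] {
    update_enterprise := input.updates.enterprise.enterprise[_]
    not enterprise_in_caller_groups(update_enterprise.id)
}

enterprise_in_caller_groups(id) {
    ["AetherROCAdmin", id][_] == input.groups[_]
}
```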
diff --git a/aether-roc-umbrella/files/opa-rbac/test/aether-4.0.0-example-get.json b/aether-roc-umbrella/files/opa-rbac/test/aether-4.0.0-example-get.json
new file mode 100644
index 0000000..7755521
--- /dev/null
+++ b/aether-roc-umbrella/files/opa-rbac/test/aether-4.0.0-example-get.json
@@ -0,0 +1,538 @@
+{
+  "groups": [
+    "mixedGroup",
+    "acme"
+  ],
+  "application": {
+    "application": [
+      {
+        "description": "Network Video Recorder",
+        "display_name": "NVR",
+        "enterprise": "starbucks",
+        "address": "nvr.starbucks.com",
+        "endpoint": [
+          {
+            "name": "rtsp",
+            "port_end": 3330,
+            "port_start": 3316,
+            "protocol": "UDP"
+          }
+        ],
+        "id": "starbucks_nvr"
+      },
+      {
+        "description": "Fidelio POS",
+        "display_name": "Fidelio",
+        "enterprise": "starbucks",
+        "address": "fidelio.starbucks.com",
+        "endpoint": [
+          {
+            "name": "fidelio",
+            "port_end": 7588,
+            "port_start": 7585,
+            "protocol": "TCP"
+          }
+        ],
+        "id": "starbucks_fidelio"
+      },
+      {
+        "description": "Data Acquisition",
+        "display_name": "DA",
+        "enterprise": "acme",
+        "address": "da.acme.com",
+        "endpoint": [
+          {
+            "name": "da",
+            "port_end": 7588,
+            "port_start": 7585,
+            "protocol": "TCP"
+          }
+        ],
+        "id": "acme_dataacquisition"
+      }
+    ]
+  },
+  "connectivity_service": {
+    "connectivity_service": [
+      {
+        "core_5g_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/5g",
+        "description": "5G Test",
+        "display_name": "ROC 5G Test Connectivity Service",
+        "id": "cs5gtest"
+      },
+      {
+        "description": "ROC 4G Test Connectivity Service",
+        "display_name": "4G Test",
+        "hss_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/imsis",
+        "id": "cs4gtest",
+        "pcrf_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config/policies",
+        "spgwc_endpoint": "http://aether_roc_umbrella_sdcore_test_dummy/v1/config"
+      }
+    ]
+  },
+  "device_group": {
+    "device_group": [
+      {
+        "display_name": "Global Default Device Group",
+        "id": "defaultent_defaultsite_default",
+        "ip_domain": "defaultent_defaultip",
+        "site": "defaultent_defaultsite"
+      },
+      {
+        "display_name": "Seattle Default",
+        "id": "starbucks_seattle_default",
+        "ip_domain": "starbucks_seattle",
+        "site": "starbucks_seattle"
+      },
+      {
+        "display_name": "Seattle Cameras",
+        "id": "starbucks_seattle_cameras",
+        "imsis": [
+          {
+            "imsi_range_from": 0,
+            "imsi_range_to": 3,
+            "name": "counters"
+          },
+          {
+            "imsi_range_from": 10,
+            "imsi_range_to": 14,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_seattle",
+        "site": "starbucks_seattle"
+      },
+      {
+        "display_name": "Seattle POS",
+        "id": "starbucks_seattle_pos",
+        "imsis": [
+          {
+            "imsi_range_from": 20,
+            "imsi_range_to": 22,
+            "name": "tills"
+          },
+          {
+            "imsi_range_from": 30,
+            "imsi_range_to": 34,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_seattle",
+        "site": "starbucks_seattle"
+      },
+      {
+        "display_name": "New York Default",
+        "id": "starbucks_newyork_default",
+        "ip_domain": "starbucks_newyork",
+        "site": "starbucks_newyork"
+      },
+      {
+        "display_name": "New York Cameras",
+        "id": "starbucks_newyork_cameras",
+        "imsis": [
+          {
+            "imsi_range_from": 40,
+            "imsi_range_to": 41,
+            "name": "front"
+          },
+          {
+            "imsi_range_from": 50,
+            "imsi_range_to": 55,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_newyork",
+        "site": "starbucks_newyork"
+      },
+      {
+        "display_name": "New York POS",
+        "id": "starbucks_newyork_pos",
+        "imsis": [
+          {
+            "imsi_range_from": 60,
+            "imsi_range_to": 61,
+            "name": "tills"
+          },
+          {
+            "imsi_range_from": 70,
+            "imsi_range_to": 73,
+            "name": "store"
+          }
+        ],
+        "ip_domain": "starbucks_newyork",
+        "site": "starbucks_newyork"
+      },
+      {
+        "display_name": "ACME Default",
+        "id": "acme_chicago_default",
+        "ip_domain": "acme_chicago",
+        "site": "acme_chicago"
+      },
+      {
+        "display_name": "ACME Robots",
+        "id": "acme_chicago_robots",
+        "imsis": [
+          {
+            "imsi_range_from": 0,
+            "imsi_range_to": 3,
+            "name": "production"
+          },
+          {
+            "imsi_range_from": 10,
+            "imsi_range_to": 12,
+            "name": "warehouse"
+          }
+        ],
+        "ip_domain": "acme_chicago",
+        "site": "acme_chicago"
+      }
+    ]
+  },
+  "enterprise": {
+    "enterprise": [
+      {
+        "description": "This Enterprise holds discovered IMSIs that cannot be associated elsewhere.",
+        "display_name": "Default Enterprise",
+        "id": "defaultent"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "cs5gtest",
+            "enabled": true
+          }
+        ],
+        "description": "ACME Corporation",
+        "display_name": "ACME Corp",
+        "id": "acme"
+      },
+      {
+        "connectivity_service": [
+          {
+            "connectivity_service": "cs5gtest",
+            "enabled": true
+          },
+          {
+            "connectivity_service": "cs4gtest",
+            "enabled": false
+          }
+        ],
+        "description": "Starbucks Corporation",
+        "display_name": "Starbucks Inc.",
+        "id": "starbucks"
+      }
+    ]
+  },
+  "ip_domain": {
+    "ip_domain": [
+      {
+        "admin_status": "ENABLE",
+        "description": "Global Default IP Domain",
+        "display_name": "Global Default IP Domain",
+        "dns_primary": "8.8.8.1",
+        "dns_secondary": "8.8.8.2",
+        "id": "defaultent_defaultip",
+        "mtu": 57600,
+        "subnet": "192.168.0.0/24",
+        "enterprise": "defaultent"
+      },
+      {
+        "admin_status": "ENABLE",
+        "description": "New York IP Domain",
+        "display_name": "New York",
+        "dns_primary": "8.8.8.1",
+        "dns_secondary": "8.8.8.2",
+        "id": "starbucks_newyork",
+        "mtu": 57600,
+        "subnet": "254.186.117.251/31",
+        "enterprise": "starbucks"
+      },
+      {
+        "admin_status": "ENABLE",
+        "description": "Seattle IP Domain",
+        "display_name": "Seattle",
+        "dns_primary": "8.8.8.3",
+        "dns_secondary": "8.8.8.3",
+        "id": "starbucks_seattle",
+        "mtu": 12690,
+        "subnet": "196.5.91.0/31",
+        "enterprise": "starbucks"
+      },
+      {
+        "admin_status": "DISABLE",
+        "description": "Chicago IP Domain",
+        "display_name": "Chicago",
+        "dns_primary": "8.8.8.4",
+        "dns_secondary": "8.8.8.4",
+        "id": "acme_chicago",
+        "mtu": 12690,
+        "subnet": "163.25.44.0/31",
+        "enterprise": "acme"
+      }
+    ]
+  },
+  "site": {
+    "site": [
+      {
+        "description": "Global Default Site",
+        "display_name": "Global Default Site",
+        "enterprise": "defaultent",
+        "id": "defaultent_defaultsite",
+        "imsi_definition": {
+          "mcc": "000",
+          "mnc": "00",
+          "enterprise": 0,
+          "format": "SSSSSSSSSSSSSSS"
+        }
+      },
+      {
+        "description": "ACME HQ",
+        "display_name": "Chicago",
+        "enterprise": "acme",
+        "id": "acme_chicago",
+        "imsi_definition": {
+          "mcc": "123",
+          "mnc": "456",
+          "enterprise": 1,
+          "format": "CCCNNNEEESSSSSS"
+        },
+        "small_cell": [
+          {
+            "name": "cell1",
+            "address": "ap2.chicago.acme.com",
+            "enable": true,
+            "tac": "8002"
+          }
+        ]
+      },
+      {
+        "description": "Starbucks Corp HQ",
+        "display_name": "Seattle",
+        "enterprise": "starbucks",
+        "id": "starbucks_seattle",
+        "imsi_definition": {
+          "mcc": "265",
+          "mnc": "122",
+          "enterprise": 2,
+          "format": "CCCNNNEEESSSSSS"
+        },
+        "small_cell": [
+          {
+            "name": "cell2",
+            "address": "ap1.seattle.starbucks.com",
+            "enable": true,
+            "tac": "0654"
+          },
+          {
+            "name": "cell3",
+            "address": "ap2.seattle.starbucks.com",
+            "enable": true,
+            "tac": "87475"
+          }
+        ]
+      },
+      {
+        "description": "Starbucks New York",
+        "display_name": "New York",
+        "enterprise": "starbucks",
+        "id": "starbucks_newyork",
+        "imsi_definition": {
+          "mcc": "021",
+          "mnc": "32",
+          "enterprise": 2,
+          "format": "CCCNNNEEESSSSSS"
+        },
+        "small_cell": [
+          {
+            "name": "cell4",
+            "address": "ap2.newyork.starbucks.com",
+            "enable": true,
+            "tac": "8002"
+          }
+        ]
+      }
+    ]
+  },
+  "template": {
+    "template": [
+      {
+        "description": "VCS Template 1",
+        "display_name": "Template 1",
+        "id": "template_1",
+        "sd": 10886763,
+        "sst": 158,
+        "traffic_class": "class_1",
+        "device": {
+          "mbr": {
+            "uplink": 10,
+            "downlink": 5
+          }
+        }
+      },
+      {
+        "description": "VCS Template 2",
+        "display_name": "Template 2",
+        "id": "template_2",
+        "sd": 16619900,
+        "sst": 157,
+        "traffic_class": "class_2",
+        "device": {
+          "mbr": {
+            "uplink": 10,
+            "downlink": 5
+          }
+        }
+      }
+    ]
+  },
+  "traffic_class": {
+    "traffic_class": [
+      {
+        "description": "High Priority TC",
+        "display_name": "Class 1",
+        "id": "class_1",
+        "qci": 10,
+        "arp": 1
+      },
+      {
+        "description": "Medium Priority TC",
+        "display_name": "Class 2",
+        "id": "class_2",
+        "qci": 20,
+        "arp": 1
+      },
+      {
+        "description": "Low Priority TC",
+        "display_name": "Class 3",
+        "id": "class_3",
+        "qci": 30,
+        "arp": 1
+      }
+    ]
+  },
+  "upf": {
+    "upf": [
+      {
+        "address": "seattle.cameras_upf.starbucks.com",
+        "description": "Seattle Cameras UPF",
+        "display_name": "Seattle Cameras",
+        "id": "starbucks_seattle_cameras",
+        "enterprise": "starbucks",
+        "port": 9229
+      },
+      {
+        "address": "newyork.cameras_upf.starbucks.com",
+        "description": "New York Cameras UPF",
+        "display_name": "New York Cameras",
+        "id": "starbucks_newyork_cameras",
+        "enterprise": "starbucks",
+        "port": 6161
+      },
+      {
+        "address": "chicago.robots_upf.acme.com",
+        "description": "Chicago Robots UPF",
+        "display_name": "Chicago Robots",
+        "id": "acme_chicago_robots",
+        "enterprise": "acme",
+        "port": 6161
+      },
+      {
+        "address": "newyork.pos_upf.starbucks.com",
+        "description": "NewYork POS UPF",
+        "display_name": "NewYork POS",
+        "id": "starbucks_newyork_pos",
+        "enterprise": "starbucks",
+        "port": 6161
+      }
+    ]
+  },
+  "vcs": {
+    "vcs": [
+      {
+        "filter": [
+          {
+            "allow": true,
+            "application": "starbucks_nvr"
+          }
+        ],
+        "description": "New York Cameras",
+        "device_group": [
+          { "enable": true,
+            "device_group": "starbucks_newyork_cameras"
+          }
+        ],
+        "display_name": "NY Cams",
+        "enterprise": "starbucks",
+        "id": "starbucks_newyork_cameras",
+        "sd": 8284729,
+        "sst": 127,
+        "template": "template_1",
+        "traffic_class": "class_1",
+        "upf": "starbucks_newyork_cameras",
+        "device": {
+          "mbr": {
+            "downlink": 10,
+            "uplink": 10
+          }
+        }
+      },
+      {
+        "filter": [
+          {
+            "allow": false,
+            "application": "starbucks_nvr"
+          }
+        ],
+        "description": "Seattle Cameras",
+        "device_group": [
+          { "enable": true,
+            "device_group": "starbucks_seattle_cameras"
+          }
+        ],
+        "display_name": "Seattle Cams",
+        "enterprise": "starbucks",
+        "id": "starbucks_seattle_cameras",
+        "sd": 2973238,
+        "sst": 79,
+        "template": "template_2",
+        "traffic_class": "class_2",
+        "upf": "starbucks_seattle_cameras",
+        "device": {
+          "mbr": {
+            "downlink": 10,
+            "uplink": 5
+          }
+        }
+      },
+      {
+        "filter": [
+          {
+            "allow": false,
+            "application": "acme_dataacquisition"
+          }
+        ],
+        "description": "Chicago Robots",
+        "device_group": [
+          { "enable": true,
+            "device_group": "acme_chicago_robots"
+          }
+        ],
+        "display_name": "Chicago Robots VCS",
+        "enterprise": "acme",
+        "id": "acme_chicago_robots",
+        "sd": 2973238,
+        "sst": 79,
+        "template": "template_2",
+        "traffic_class": "class_2",
+        "upf": "acme_chicago_robots",
+        "device": {
+          "mbr": {
+            "downlink": 10,
+            "uplink": 5
+          }
+        }
+      }
+    ]
+  }
+
+}
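Review bot: The fixture has no `network` or `updates` section, so the `networks` and `can_update_enterprise` rules of `aether-4.0.0.rego` are never evaluated against data, and no expected result accompanies the example in this change. Because the caller groups are `mixedGroup` and `acme`, the interesting assertion is that no `starbucks` or `defaultent` object survives in `allowed`. Adding a `network` entry per enterprise and a `_test.rego` (run with `opa test`) that asserts exactly that would turn this example into a regression check for the tenant filter.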
diff --git a/aether-roc-umbrella/templates/NOTES.txt b/aether-roc-umbrella/templates/NOTES.txt
index e7d3256..4dc61a3 100644
--- a/aether-roc-umbrella/templates/NOTES.txt
+++ b/aether-roc-umbrella/templates/NOTES.txt
@@ -18,7 +18,7 @@
 * Aether Portal at http://<server_IP>:31190
 
 If you are using KinD as a Kubernetes server, you will have to use a "port-forward" to access the Aether ROC GUI e.g.
-$ kubectl -n {{.Release.Namespace}} port-forward $(kubectl -n {{.Release.Namespace}} get pods -l type=arg -o name) 8183:80
+$ kubectl -n {{.Release.Namespace}} port-forward service/aether-roc-gui 8183:80
 and then access the GUI at
 * http://localhost:8183
 
diff --git a/aether-roc-umbrella/values.yaml b/aether-roc-umbrella/values.yaml
index e82ef74..c1d470b 100644
--- a/aether-roc-umbrella/values.yaml
+++ b/aether-roc-umbrella/values.yaml
@@ -47,7 +47,7 @@
     v3:
       enabled: true
     v4:
-      enabled: true
+      enabled: false
   sdcore-adapter:
     v3:
       enabled: true
@@ -86,6 +86,16 @@
     proxyEnabled: true
     service: aether-roc-umbrella-prometheus-server
 
+aether-roc-gui-v4:
+  websocket:
+    proxyEnabled: true
+  grafana:
+    proxyEnabled: true
+    service: aether-roc-umbrella-grafana # the grafana hostname - use FQDN for other namespaces
+  prometheus:
+    proxyEnabled: true
+    service: aether-roc-umbrella-prometheus-server
+
 # SD-Core Adapter
 sdcore-adapter:
   nameOverride: sdcore-adapter-v3
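Review bot: The new `aether-roc-gui-v4` block turns on the websocket, grafana and prometheus proxies by default and carries no comment on what is expected to protect them. Whether the v4 GUI authenticates proxied requests is not visible in this diff, so these defaults may expose the monitoring backends through the GUI's service to anyone who can reach it. A comment such as `# proxied through the GUI; relies on the GUI's auth in front of grafana/prometheus` would make the assumption explicit. Alternatively the three `proxyEnabled` values could default to `false`, matching the new `v4: enabled: false` default in the hunk above (the parent key of that flag is outside the hunk).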