UTSA-ICS/sios

sios

SIOS PDP service for OpenStack

This service will act as a Policy Decision Point (PDP) for any OpenStack service.
An OpenStack service's Policy Enforcement engine will make a REST call to the SIOS PDP service for a Policy Decision.
The SIOS PDP service will always respond with 'True' or 'False' as the result of the Policy Query.
In addition to the standard OpenStack HTTP headers, the following two HTTP headers are required by the SIOS PDP api:

  1. 'X-Action'
  2. 'X-Target'
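
The policy query described above, seen from the enforcement side, as an added example (not code from the sios project). It sends the two required headers and denies on anything other than a clear 'True'. The PDP URL, the use of GET, the JSON encoding of X-Target and the action/target values are assumptions; StubPDP is a constructed stand-in so the example runs offline.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


def pdp_allows(pdp_url, token, action, target, timeout=3.0):
    """PEP side: ask the PDP and fail closed on anything but a clear 'True'."""
    req = urllib.request.Request(pdp_url, headers={
        "X-Auth-Token": token,            # standard OpenStack auth header
        "X-Action": action,               # required by the SIOS PDP api
        "X-Target": json.dumps(target),   # assumption: target sent as JSON
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read(16).decode("ascii", "replace").strip()
            return resp.status == 200 and body == "True"
    except Exception:
        return False  # PDP unreachable, timed out or errored: deny


class StubPDP(BaseHTTPRequestHandler):
    """Constructed stand-in for the PDP: permits one action for one owner."""
    def do_GET(self):
        target = json.loads(self.headers.get("X-Target", "{}"))
        ok = (self.headers.get("X-Action") == "get_images"
              and target.get("owner") == "demo")
        body = str(ok).encode()           # 'True' or 'False', as the PDP replies
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def run_demo():
    server = HTTPServer(("127.0.0.1", 0), StubPDP)   # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/" % server.server_port
    results = (
        pdp_allows(url, "tok", "get_images", {"owner": "demo"}),    # permitted
        pdp_allows(url, "tok", "delete_image", {"owner": "demo"}),  # denied
        pdp_allows("http://127.0.0.1:1/", "tok", "get_images", {}, timeout=0.5),
    )                                     # last call: no PDP listening, so deny
    server.shutdown()
    return results


if __name__ == "__main__":
    print(run_demo())
```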

First you will need to download the sios project:
a.) cd /opt/stack
b.) git clone https://github.com/UTSA-ICS/sios.git
c.) sudo mkdir /etc/sios/

To be able to use this service do the following:
1.) Copy sios/etc to /etc/sios
    sudo cp /opt/stack/sios/etc/* /etc/sios/.
2.) Create a directory called /var/cache/sios and give it 777 permission
    sudo mkdir /var/cache/sios
    sudo chmod 777 /var/cache/sios
3.) Create a user [sios] with password [admin] in the service tenant with 'admin' role
    keystone user-create --name sios --pass admin --enabled true
    keystone user-role-add --user sios --role admin --tenant service
4.) Create a service called 'sios' in Keystone
    keystone service-create --type pdp --name sios --description "PIP, PAP and PDP"
5.) Update the policy.py file for glance service to use sios PDP api for Policy Decisions:
    wget -O /opt/stack/glance/glance/api/policy.py https://raw.github.com/fpatwa/sios/master/external_service_policy_files/glance/policy.py
6.) Update the policy.py file for nova service to use sios PDP api for Policy Decisions:
    wget -O /opt/stack/nova/nova/policy.py https://raw.github.com/fpatwa/sios/master/external_service_policy_files/nova/policy.py
7.) To start the SIOS service run the following commands:
    cd /opt/stack; sudo pip install -e sios
    cd /opt/stack/sios/bin
    ./start_sios_screen.sh
8.) Restart nova api and glance api services (from screen)

To Test Usage:

  • Run nova commands (e.g. nova list)
  • Run glance commands (e.g. glance image-list)
