From 4f9375bfbf1a5bb5e8368f57aa0be2c1b11d2d1b Mon Sep 17 00:00:00 2001 From: Komal Thareja Date: Sat, 28 Dec 2024 14:43:02 -0500 Subject: [PATCH 1/2] add policy for P4 switch --- .../orchestrator-project-tags.alfa | 44 +++++++++---------- src-gen/fabricTags.OrchestratorTags.xml | 2 +- 2 files changed, 23 insertions(+), 23 deletions(-) diff --git a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa index 40907cc..bf0329f 100644 --- a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa +++ b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa @@ -18,27 +18,6 @@ namespace fabricTags { clause Attributes.actionId == "create" apply permitUnlessDeny - // Each of the following policies must explicitly say 'permit' or else the policy fails - policyset createSwitch = "urn:fabric:authz:xacml:orchestrator:tags:create:switch" { - target clause Attributes.resourceType == "sliver" - apply denyUnlessPermit - - policy createSwitchPolicy = "urn:fabric:authz:xacml:orchestrator:tags:create:switch:requireP4" { - target clause Attributes.resourceType == "sliver" - apply permitUnlessDeny - - rule requireSwitchP4Tag { - deny - condition not(Attributes.projectTag == "Switch.P4") - on deny { - advice reasonToDeny { - Attributes.message = "Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch." - } - } - } - } - } - // Each of the following policies must explicitly say 'permit' or else the policy fails policyset createVM = "urn:fabric:authz:xacml:orchestrator:tags:create:vm" { target clause Attributes.resourceType == "sliver" 
@@ -157,6 +136,27 @@ namespace fabricTags { } } + // Each of the following policies must explicitly say 'permit' or else the policy fails + policyset createSwitch = "urn:fabric:authz:xacml:orchestrator:tags:create:switch" { + target clause Attributes.resourceType == "switch-p4" + apply denyUnlessPermit + + policy createSwitchPolicy = "urn:fabric:authz:xacml:orchestrator:tags:create:switch:requireP4" { + target clause Attributes.resourceType == "switch-p4" + apply permitUnlessDeny + + rule requireSwitchP4Tag { + deny + condition not(Attributes.projectTag == "Switch.P4") + on deny { + advice reasonToDeny { + Attributes.message = "Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch." + } + } + } + } + } + // this is for network policyset net = "urn:fabric:authz:xacml:orchestrator:tags:create:net" { target clause Attributes.resourceType == "sliver" @@ -189,7 +189,7 @@ namespace fabricTags { rule withMirroring { deny - condition stringBagSize(Attributes.resourceMirrorSite) > 0 && not(Attributes.projectTag == "Net.PortMirroring") + condition stringBagSize(Attributes.resourceMirrorSite) > 0 && not(Attributes.projectTag == "Net.InfrastructurePortMirroring") on deny { advice reasonToDeny { Attributes.message = "Policy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring." diff --git a/src-gen/fabricTags.OrchestratorTags.xml b/src-gen/fabricTags.OrchestratorTags.xml index 12b2f09..4dc7558 100644 --- a/src-gen/fabricTags.OrchestratorTags.xml +++ b/src-gen/fabricTags.OrchestratorTags.xml 
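Review bot: The new createSwitch policyset and its inner policy are the only units in this file whose target is `Attributes.resourceType == "switch-p4"`; every sibling policyset in view targets `"sliver"`. If the orchestrator's PEP still reports a P4 switch request as `"sliver"`, neither target matches, the policyset evaluates NotApplicable, and the Switch.P4 tag requirement is silently skipped instead of enforced, so the literal should be confirmed against the resourceType the PEP actually emits and covered by a request fixture that lacks the tag. A leading comment such as `// "switch-p4" must match the resourceType the orchestrator PEP sends for P4 switch requests` above the policyset would record that coupling. The enclosing create policyset and the namespace begin outside the hunk.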
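Review bot: In the `@@ -189,7 +189,7 @@` hunk the condition on the `+` line now tests for `Net.InfrastructurePortMirroring`, but the advice text a few lines below still tells the user to obtain `Net.PortMirroring`, so a denied request names the wrong tag. The second patch in this series reverts the condition to `Net.PortMirroring`, which leaves this revision as an inconsistent intermediate state that would be cleaner squashed away. The policy enclosing rule withMirroring starts outside the hunk.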
@@ -1 +1 @@ -http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverSwitch.P4Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.PortMirroringPolicy Violation: 
Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.EDUKYSlice.OnlyEDUKYPolicy Violation: Your project is tagged as OnlyEDUKY and cannot use resources on sites other than EDUKY.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a connection to one or more of the facilities.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two 
weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file +http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4Switch.P4Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: 
Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.InfrastructurePortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.EDUKYSlice.OnlyEDUKYPolicy Violation: Your project is tagged as OnlyEDUKY and cannot use resources on sites other than EDUKY.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a connection to one or more of the facilities.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is 
lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file From 790591821b0390e124254f9c0f4b1722f8b096b4 Mon Sep 17 00:00:00 2001 From: Komal Thareja Date: Sat, 28 Dec 2024 15:25:17 -0500 Subject: [PATCH 2/2] updated PDP policy for PortMirroring --- .../orchestrator-project-tags.alfa | 2 +- src-gen/fabricTags.OrchestratorTags.xml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa index bf0329f..cb16735 100644 --- a/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa +++ b/policies/alfa/FabricOrchestratorProjectTags/orchestrator-project-tags.alfa @@ -189,7 +189,7 @@ namespace fabricTags { rule withMirroring { deny - condition stringBagSize(Attributes.resourceMirrorSite) > 0 && not(Attributes.projectTag == "Net.InfrastructurePortMirroring") + condition stringBagSize(Attributes.resourceMirrorSite) > 0 && not(Attributes.projectTag == "Net.PortMirroring") on deny { advice reasonToDeny { Attributes.message = "Policy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring." diff --git a/src-gen/fabricTags.OrchestratorTags.xml b/src-gen/fabricTags.OrchestratorTags.xml index 4dc7558..868028b 100644 --- a/src-gen/fabricTags.OrchestratorTags.xml +++ b/src-gen/fabricTags.OrchestratorTags.xml 
@@ -1 +1 @@ -http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4Switch.P4Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 
connectivity.0Net.InfrastructurePortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.EDUKYSlice.OnlyEDUKYPolicy Violation: Your project is tagged as OnlyEDUKY and cannot use resources on sites other than EDUKY.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a connection to one or more of the facilities.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two 
weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file +http://www.w3.org/TR/1999/REC-xpath-19991116http://www.w3.org/TR/1999/REC-xpath-19991116createhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver2VM.NoLimitCPUPolicy Violation: Your project is lacking VM.NoLimitCPU or VM.NoLimit tag to provision VM with more than 2 cores.Policy Violation: Policy returned deny for an unknown reason. This is an internal error.10VM.NoLimitDiskPolicy Violation: Your project is lacking VM.NoLimitDisk or VM.NoLimit tag to provision VM with disk over 10GB.10VM.NoLimitRAMPolicy Violation: Your project is lacking VM.NoLimitRAM or VM.NoLimit tag to provision VM with more than 10GB of RAM.http://www.w3.org/TR/1999/REC-xpath-19991116sliver21010VM.NoLimithttp://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverGPUComponent.GPUPolicy Violation: Your project is lacking Component.GPU tag to provision a VM with GPU.SmartNICComponent.SmartNICPolicy Violation: Your project is lacking Component.SmartNIC tag to provision a VM with SmartNIC.StorageComponent.StoragePolicy Violation: Your project is lacking Component.Storage tag to provision a VM with attached storage.FPGAComponent.FPGAPolicy Violation: Your project is lacking Component.FPGA tag to provision a VM with FPGA.NVMEComponent.NVMEPolicy Violation: Your project is lacking Component.NVME tag to provision a VM with NVME.http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4http://www.w3.org/TR/1999/REC-xpath-19991116switch-p4Switch.P4Policy Violation: Your project is lacking Switch.P4 tag to provision a P4 switch.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116sliver0Net.FABNetv4ExtPolicy Violation: 
Your project is lacking Net.FABNetv4Ext tag to request a slice with external IPv4 connectivity.0Net.FABNetv6ExtPolicy Violation: Your project is lacking Net.FABNetv6Ext tag to request a slice with external IPv6 connectivity.0Net.PortMirroringPolicy Violation: Your project is lacking Net.PortMirroring tag to request a slice that uses port mirroring.1Slice.MultisitePolicy Violation: Your project is lacking Slice.Multisite tag to request a slice spanning multiple sites.EDUKYSlice.OnlyEDUKYPolicy Violation: Your project is tagged as OnlyEDUKY and cannot use resources on sites other than EDUKY.10Net.NoLimitBWPolicy Violation: Your project is lacking Net.NoLimitBW tag to request links with bandwidth over 10Gbps.0Net.FacilityPort.Policy Violation: Your project is lacking Net.FacilityPort.<facility-port-name> tag to request a connection to one or more of the facilities.http://www.w3.org/TR/1999/REC-xpath-19991116sliverhttp://www.w3.org/TR/1999/REC-xpath-19991116slivertrueSlice.MeasurementsPolicy Violation: Your project is lacking Slice.Measurements tag to request measurement resources.P14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking Slice.NoLimitLifetime tag so you cannot request resource lifetime longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116modifyhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot modify it.http://www.w3.org/TR/1999/REC-xpath-19991116deletehttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and cannot delete it.http://www.w3.org/TR/1999/REC-xpath-19991116renewhttp://www.w3.org/TR/1999/REC-xpath-19991116sliverPolicy Violation: You are not the creator of this resource and not the member of the same project so you cannot renew it.http://www.w3.org/TR/1999/REC-xpath-19991116sliverP14DT5MSlice.NoLimitLifetimePolicy Violation: Your project is lacking 
Slice.NoLimitLifetime tag so you cannot renew resource lifetime by longer than two weeks.http://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquishhttp://www.w3.org/TR/1999/REC-xpath-19991116querystatusredeemPOAdemandupdatecloseclaimreclaimticketextendrelinquish \ No newline at end of file