On Jun 10, 2011, at 4:43 PM, [email protected] wrote:

ACK to whole series, please fix minor formatting issues in 1/1.
-- Michal

> * main change is the way we define rule id (explained in detail below if you
>   are interested).
>
> * adds a version constraint for aws 2.5.4 (yet to be released - waiting)
>
> * addresses comments in response to rev 2 (patches sent 30 May 2011):
>
> ==> from Michal Fojtik (31 May 2011)
>   - patch 2/3 fixes the failing cucumber scenarios
>   - patch 1/3 includes validation of params for the create rule operation
>     and string descriptions
>
> ==> from David Lutterkort (03 June 2011)
>   - patch 3/3 moves the 'improved json support for blobs' into a separate
>     patch,
>   - patch 1/3 changes the way we define the rule_id - no longer using base64
>     encoding. A rule id looks like:
>     "user_id~protocol~from_port~to_port~sources_string" where the format of
>     sources_string depends on the source types (address vs groups) delimited by
>     '@'. An example rule id is:
>     297467797945~tcp~12~13~@group,297467797945,test@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16
>   - patch 1/3 fixes various other nits identified by David
>
> marios
>
> *******************************************************************************************
> Original message from rev 2 included below for convenience (amended for the
> above changes):
>
> This patch implements 'firewalls' - which are ec2 security groups.
> Some notes:
>
> * This functionality relies on some modifications to the appoxy aws gem - the
>   requested changes have been merged into appoxy/aws
>   https://github.com/appoxy/aws/pull/91 and will be available in the next gem
>   release (look for aws-2.5.4)
>
> =======================================================================
>
> * XML looks like:
>
> <firewall href='http://localhost:3001/api/firewalls/new_firewall' id='new_firewall'>
>   <name><![CDATA[new_firewall]]></name>
>   <description><![CDATA[new_one]]></description>
>   <owner_id>297467797945</owner_id>
>   <rules>
>     <rule id='297467797945~tcp~12~13~@group,297467797945,test@address,ipv4,10.0.0.0,0@address,ipv4,192.168.1.1,16'>
>       <allow_protocol>tcp</allow_protocol>
>       <port_from>12</port_from>
>       <port_to>13</port_to>
>       <direction>ingress</direction>
>       <sources>
>         <source name='test' owner='297467797945' type='group'></source>
>         <source address='10.0.0.0' family='ipv4' prefix='0' type='address'></source>
>         <source address='192.168.1.1' family='ipv4' prefix='16' type='address'></source>
>       </sources>
>     </rule>
>   </rules>
> </firewall>
>
> =======================================================================
>
> * OPERATIONS: implemented GET/POST/DELETE [list, create, destroy] for
>   firewalls (both html and xml interfaces), GET/POST/DELETE for firewall rules.
>   You can also use curl rather than the html interface if you prefer:
>
> list firewalls:
>   GET /api/firewalls
>   GET /api/firewalls/:firewall
>   curl --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
>
> create new firewall:
>   POST /api/firewalls
>   curl -F "name=some_new_firewall" -F "description=gonna be deleted immediately" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls?format=xml
>
> delete a firewall:
>   DELETE /api/firewalls/:firewall
>   curl -X DELETE --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/some_new_firewall?format=xml
>
> create firewall rule:
>   POST /api/firewalls/:firewall/rules
>   curl -F "protocol=tcp" -F "from_port=22" -F "to_port=22" -F "ip_address1=192.168.1.1/24" -F "ip_address2=10.1.1.1/24" -F "group1=new_group" -F "group1owner=123456789" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/default/rules?format=xml
>   (and can specify additional sources for a given rule using ip_addressN and
>   groupN/groupNowner)
>
> delete firewall rule:
>   DELETE /api/firewalls/:firewall/rule
>   curl -X DELETE -F "rule_id=:rule_id" --user 'aws_key:aws_secret_key' http://localhost:3001/api/firewalls/firewall_id/rule?format=xml
>
> =======================================================================
>
> * Firewall rule ids... amazon doesn't have any notion of an 'id' for a single
>   firewall rule, rather each firewall rule is identified by its constituent
>   parts (protocol, from & to ports, and sources [groups and ip address ranges]).
>   In order to allow for a 'delete /api/firewalls/:firewall/:rule' type
>   operation I use "user_id~protocol~from_port~to_port~sources_string" (base64
>   encoding made the id 'ugly' and also padding just made it longer).
>
> I'm sure there's more but this is already way too long, thanks to anyone brave
> enough to try this stuff out,
>
> all the best, marios

------------------------------------------------------
Michal Fojtik, [email protected]
Deltacloud API: http://deltacloud.org
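The '~'/'@'-delimited rule id format described in the quoted patch mail, as an added Ruby example that is not part of the Deltacloud patch or of the thread: a parser and builder for the id, round-tripped against the example id the mail gives. The mail does not spell out validation rules, so the checks below (field counts, port order, non-empty sources) are this example's own assumptions.

```ruby
# Added example, not Deltacloud code: parse and rebuild the rule id format
# from the mail, "user_id~protocol~from_port~to_port~sources_string", where
# sources_string is a run of '@'-prefixed sources, each either
# "group,<owner_id>,<name>" or "address,<family>,<ip>,<prefix>".
# The format has no escaping, so a source with the wrong field count is
# rejected rather than guessed at (validation here is the example's own).
RULE_SEP, SOURCE_SEP, FIELD_SEP = '~', '@', ','

# Returns {owner_id:, protocol:, from_port:, to_port:, sources: [...]}
# or raises ArgumentError when the id does not match the format.
def parse_rule_id(rule_id)
  owner_id, protocol, from_s, to_s, sources_string = rule_id.split(RULE_SEP, 5)
  raise ArgumentError, "expected 5 '~'-separated fields" if sources_string.nil?
  from_port, to_port = Integer(from_s, 10), Integer(to_s, 10)
  raise ArgumentError, 'from_port > to_port' if from_port > to_port
  # the leading '@' yields an empty first element, which reject drops
  sources = sources_string.split(SOURCE_SEP).reject(&:empty?).map do |src|
    f = src.split(FIELD_SEP, -1)
    raise ArgumentError, "malformed source #{src.inspect}" if f.any?(&:empty?)
    case [f.first, f.size]
    when ['group', 3]   then { type: 'group', owner: f[1], name: f[2] }
    when ['address', 4] then { type: 'address', family: f[1], address: f[2],
                               prefix: Integer(f[3], 10) }
    else raise ArgumentError, "malformed source #{src.inspect}"
    end
  end
  raise ArgumentError, 'rule has no sources' if sources.empty?
  { owner_id: owner_id, protocol: protocol, from_port: from_port,
    to_port: to_port, sources: sources }
end

# Inverse of parse_rule_id; round-trips the example id quoted in the mail.
def build_rule_id(rule)
  sources_string = rule[:sources].map do |s|
    f = if s[:type] == 'group' then ['group', s[:owner], s[:name]]
        else ['address', s[:family], s[:address], s[:prefix]] end
    SOURCE_SEP + f.join(FIELD_SEP)
  end.join
  [rule[:owner_id], rule[:protocol], rule[:from_port], rule[:to_port],
   sources_string].join(RULE_SEP)
end

# The example rule id quoted in the mail
EXAMPLE_RULE_ID = '297467797945~tcp~12~13~@group,297467797945,test' \
                  '@group,297467797945,new_firewall@address,ipv4,10.0.0.0,0' \
                  '@address,ipv4,192.168.1.1,16'
puts parse_rule_id(EXAMPLE_RULE_ID).inspect if $PROGRAM_NAME == __FILE__
```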
