/**
 * Creates the base security group for a location and attaches its default rules:
 *
 * <ul>
 * <li>SSH (TCP/22) ingress from the CIDR block returned by {@link #getBrooklynCidrBlock()};
 *     how wide that ingress actually is depends on that value, so it should be reviewed
 *     rather than assumed to be "the world"
 * <li>TCP and UDP on every port between members of the group itself
 * <li>ICMP between members of the group itself, except on Azure
 * </ul>
 *
 * Provider differences are handled here: OpenStack Nova identifies the group by its plain id
 * rather than its provider id and rejects port 0, so its intra-group ranges start at 1 instead
 * of 0 (aws-ec2 accepts 0-65535).
 *
 * @param groupName   name of the security group to create
 * @param location    location in which the group is created
 * @param securityApi provider extension used to create the group and add permissions
 * @return the newly created group, with the rules above already added
 */
private SecurityGroup createBaseSecurityGroupInLocation(
        String groupName, Location location, SecurityGroupExtension securityApi) {
    SecurityGroup created = addSecurityGroupInLocation(groupName, location, securityApi);

    // Nova wants the raw id and a 1-based port range; everything else uses the provider id from 0.
    boolean nova = isOpenstackNova(location);
    String groupRef = nova ? created.getId() : created.getProviderId();
    int lowestPort = nova ? 1 : 0;

    // Note: For groupName to work with GCE we also need to tag the machines with the same ID.
    // See sourceTags section at https://developers.google.com/compute/docs/networking#firewalls
    // One mutable builder is reused for the three intra-group rules; only the protocol (and, for
    // ICMP, the port range) changes between builds.
    IpPermission.Builder intraGroup =
            IpPermission.builder().groupId(groupRef).fromPort(lowestPort).toPort(65535);
    addPermission(intraGroup.ipProtocol(IpProtocol.TCP).build(), created, securityApi);
    addPermission(intraGroup.ipProtocol(IpProtocol.UDP).build(), created, securityApi);
    if (!isAzure(location)) {
        // ICMP has no ports; -1/-1 is the provider convention for "all types/codes".
        IpPermission icmpWithinGroup =
                intraGroup.ipProtocol(IpProtocol.ICMP).fromPort(-1).toPort(-1).build();
        addPermission(icmpWithinGroup, created, securityApi);
    }

    // Management SSH: scope is whatever getBrooklynCidrBlock() returns.
    IpPermission sshFromBrooklyn = IpPermission.builder()
            .ipProtocol(IpProtocol.TCP)
            .fromPort(22)
            .toPort(22)
            .cidrBlock(getBrooklynCidrBlock())
            .build();
    addPermission(sshFromBrooklyn, created, securityApi);

    return created;
}
/**
 * Translates an {@link IngressRule} into the equivalent {@link IpPermission}.
 *
 * <p>Protocol and the start/end port are always copied. A CIDR block is set only when the rule
 * carries one, and a tenant/group-name pair is set only when the rule names both an account and
 * a security group; a rule with neither yields a permission with no source at all, which is
 * passed through unchanged for the caller to decide on.
 *
 * @param rule the ingress rule to convert; must not be {@code null}
 * @return the permission describing the same ingress
 */
@Override
public IpPermission apply(IngressRule rule) {
    IpPermission.Builder permission = IpPermission.builder()
            .ipProtocol(IpProtocol.fromValue(rule.getProtocol()))
            .fromPort(rule.getStartPort())
            .toPort(rule.getEndPort());

    String cidr = rule.getCIDR();
    if (cidr != null) {
        permission.cidrBlock(cidr);
    }

    // Both halves of the pair are required; a group name without an account is ignored.
    String account = rule.getAccount();
    String sourceGroup = rule.getSecurityGroupName();
    if (sourceGroup != null && account != null) {
        permission.tenantIdGroupNamePair(account, sourceGroup);
    }

    return permission.build();
}