core/oc-deploy
6
0
Fork 0
Code Issues 2 Pull Requests Packages Projects Releases 1 Wiki Activity

New Deploy for Demo

Browse Source
This commit is contained in:
mr
2026-04-13 16:35:42 +02:00
parent fdd8c6a50d
commit 34f10565c7
32 changed files with 3630 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

64
docker/demo/db-1/datas/rule.json Normal file
View File

@@ -0,0 +1,64 @@
[
{
"_id": "rule0001-0000-4000-8000-r00000000001",
"abstractobject": {
"id": "rule0001-0000-4000-8000-r00000000001",
"name": "Sensor data access policy",
"is_draft": false,
"creator_id": "c0cece97-7730-4c2a-8c20-a30944564106",
"creation_date": {"$date": "2026-04-10T00:00:00.000Z"},
"update_date": {"$date": "2026-04-10T00:00:00.000Z"},
"access_mode": 0
},
"description": "Governs access to the road-traffic sensor pipeline. Only members of the sensor-operators or analysts group may schedule or cancel executions of the sensor-data-collector workflow. MQTT topic sensors/camera/vehicle is readable by all default-namespace peers; write access restricted to the Mosquitto processing step running on authorised compute nodes. Violations trigger an audit log entry forwarded to the OpenCloud rule engine.",
"condition": "request.group IN ['sensor-operators', 'analysts'] OR request.resource.type == 'mqtt.subscribe'",
"actions": [
"ALLOW schedule:sensor-data-collector IF group IN [sensor-operators, analysts]",
"ALLOW subscribe:sensors/camera/vehicle FOR *",
"DENY publish:sensors/camera/vehicle UNLESS processing_id == e518d7a4-426a-4900-94e5-300767b1bb31",
"AUDIT ON DENY"
]
},
{
"_id": "rule0002-0000-4000-8000-r00000000002",
"abstractobject": {
"id": "rule0002-0000-4000-8000-r00000000002",
"name": "API logs read-only",
"is_draft": false,
"creator_id": "c0cece97-7730-4c2a-8c20-a30944564106",
"creation_date": {"$date": "2026-04-10T00:00:00.000Z"},
"update_date": {"$date": "2026-04-10T00:00:00.000Z"},
"access_mode": 0
},
"description": "Controls access to the API monitoring pipeline. All collaborative-area members may query the Nginx dashboard endpoint (GET /status) and read Redis-cached API metrics. Triggering a new CURL ingestion run is restricted to peer-1 scheduler principals (peer_id == c0cece97). Direct writes to the Peer2 MinIO /logs bucket are denied to all external actors; only the CURL processing step running on Mundi datacenter is authorised to PUT objects. Ensures observability without allowing log tampering.",
"condition": "request.method == 'GET' OR (request.peer_id == 'c0cece97-7730-4c2a-8c20-a30944564106' AND request.action == 'schedule')",
"actions": [
"ALLOW GET:/status FOR *",
"ALLOW GET:redis.key.api_status FOR *",
"ALLOW schedule:api-monitoring-stack IF peer_id == c0cece97-7730-4c2a-8c20-a30944564106",
"ALLOW PUT:minio:/logs/* IF processing_id == 0d565c87-50ae-4a73-843d-f8b2d4047772",
"DENY PUT:minio:/logs/* FOR *",
"AUDIT ON DENY"
]
},
{
"_id": "rule0003-0000-4000-8000-r00000000003",
"abstractobject": {
"id": "rule0003-0000-4000-8000-r00000000003",
"name": "Cross-peer data retention",
"is_draft": false,
"creator_id": "c0cece97-7730-4c2a-8c20-a30944564106",
"creation_date": {"$date": "2026-04-10T00:00:00.000Z"},
"update_date": {"$date": "2026-04-10T00:00:00.000Z"},
"access_mode": 0
},
"description": "Enforces lifecycle policies for cross-peer shared storage. Objects written to the Peer2 MinIO bucket (ff660006) under the /logs prefix are subject to a 30-day auto-expiry; a daily cron on peer-2 scans for objects older than 30 days and schedules deletion. Objects written to the IRT local file storage (e726020a) under the /tmp prefix expire after 7 days via a nightly cron on peer-1. Compressed daily rotations (.gz) under /logs are exempt from the 7-day rule and follow a 90-day archive policy. This rule is evaluated at write-time to tag objects with the appropriate TTL metadata header (X-Amz-Meta-Expires-At).",
"condition": "resource.path STARTSWITH '/logs' OR resource.path STARTSWITH '/tmp'",
"actions": [
"TAG X-Amz-Meta-Expires-At:+30d IF storage_id == ff660006-ff66-4006-8006-ffffffffffff AND path STARTSWITH /logs AND NOT path ENDSWITH .gz",
"TAG X-Amz-Meta-Expires-At:+90d IF storage_id == ff660006-ff66-4006-8006-ffffffffffff AND path ENDSWITH .gz",
"TAG X-Amz-Meta-Expires-At:+7d IF storage_id == e726020a-b68e-4abc-ab36-c3640ea3f557 AND path STARTSWITH /tmp",
"SCHEDULE purge:expired CRON 0 2 * * *"
]
}
]