centra/photoncloud-monorepo
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
photoncloud-monorepo/README.md
centra d2149b6249 fix(lightningstor): Fix SigV4 canonicalization for AWS S3 auth 
- Replace form_urlencoded with RFC 3986 compliant URI encoding
- Implement aws_uri_encode() matching AWS SigV4 spec exactly
- Unreserved chars (A-Z,a-z,0-9,-,_,.,~) not encoded
- All other chars percent-encoded with uppercase hex
- Preserve slashes in paths, encode in query params
- Normalize empty paths to '/' per AWS spec
- Fix test expectations (body hash, HMAC values)
- Add comprehensive SigV4 signature determinism test

This fixes the canonicalization mismatch that caused signature
validation failures in T047. Auth can now be enabled for production.

Refs: T058.S1
2025-12-12 06:23:46 +09:00

507 lines
16 KiB
Markdown
Raw Blame History

# PhotonCloud (旧 PlasmaCloud)
**A modern, multi-tenant cloud infrastructure platform built in Rust**
> NOTE: プロジェクトコードネームを PlasmaCloud から PhotonCloud に改称。コンポーネント名も Nightlight → NightLight へ統一済み(詳細は `PROJECT.md` の Recent Changes を参照)。
> 併存する「PlasmaCloud」表記は旧コードネームを指します。PhotonCloud と読み替えてください。
PhotonCloud provides a complete cloud computing stack with strong tenant isolation, role-based access control (RBAC), and seamless integration between compute, networking, and storage services.
## MVP-Beta Status: COMPLETE ✅
The MVP-Beta milestone validates end-to-end tenant isolation and core infrastructure provisioning:
-**IAM**: User authentication, RBAC, multi-tenant isolation
-**PrismNET**: VPC overlay networking with tenant boundaries
-**PlasmaVMC**: VM provisioning with network attachment
-**Integration**: E2E tests validate complete tenant path
**Test Results**: 8/8 integration tests passing
- IAM: 6/6 tenant path tests
- Network+VM: 2/2 integration tests
## Quick Start
### Get Started in 3 Steps
1. **Deploy the Platform**
```bash
# Start IAM service
cd iam && cargo run --bin iam-server -- --port 50080
# Start PrismNET service
cd prismnet && cargo run --bin prismnet-server -- --port 50081
# Start PlasmaVMC service
cd plasmavmc && cargo run --bin plasmavmc-server -- --port 50082
```
2. **Onboard Your First Tenant**
```bash
# Create user, provision network, deploy VM
# See detailed guide below
```
3. **Verify End-to-End**
```bash
# Run integration tests
cd iam && cargo test --test tenant_path_integration
cd plasmavmc && cargo test --test prismnet_integration -- --ignored
```
**For detailed instructions**: [Tenant Onboarding Guide](docs/getting-started/tenant-onboarding.md)
## Architecture Overview
```
┌─────────────────────────────────────────────────────────────┐
│ User / API Client │
└─────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────┐
│ IAM (Identity & Access Management) │
│ • User authentication & JWT tokens │
│ • RBAC with hierarchical scopes (Org → Project) │
│ • Cross-tenant access denial │
└─────────────────────────────────────────────────────────────┘
┌─────────────┴─────────────┐
↓ ↓
┌──────────────────────┐ ┌──────────────────────┐
│ PrismNET │ │ PlasmaVMC │
│ • VPC overlay │────▶│ • VM provisioning │
│ • Subnets + DHCP │ │ • Hypervisor mgmt │
│ • Ports (IP/MAC) │ │ • Network attach │
│ • Security Groups │ │ • KVM, Firecracker │
└──────────────────────┘ └──────────────────────┘
```
**Full Architecture**: [MVP-Beta Tenant Path Architecture](docs/architecture/mvp-beta-tenant-path.md)
## Core Components
### IAM (Identity & Access Management)
**Location**: `/iam`
Multi-tenant identity and access management with comprehensive RBAC.
**Features**:
- User and service account management
- Hierarchical scopes: System → Organization → Project
- Custom role creation with fine-grained permissions
- Policy evaluation with conditional logic
- JWT token issuance with tenant claims
**Services**:
- `IamAdminService`: User, role, and policy management
- `IamAuthzService`: Authorization and permission checks
- `IamTokenService`: Token issuance and validation
**Quick Start**:
```bash
cd iam
cargo build --release
cargo run --bin iam-server -- --port 50080
```
### PrismNET (Network Virtualization)
**Location**: `/prismnet`
VPC-based overlay networking with tenant isolation.
**Features**:
- Virtual Private Cloud (VPC) provisioning
- Subnet management with CIDR allocation
- Port allocation with IP/MAC assignment
- DHCP server integration
- Security group enforcement
- OVN integration for production networking
**Services**:
- `VpcService`: VPC lifecycle management
- `SubnetService`: Subnet CRUD operations
- `PortService`: Port allocation and attachment
- `SecurityGroupService`: Firewall rule management
**Quick Start**:
```bash
cd prismnet
export IAM_ENDPOINT=http://localhost:50080
cargo build --release
cargo run --bin prismnet-server -- --port 50081
```
### PlasmaVMC (VM Provisioning & Management)
**Location**: `/plasmavmc`
Virtual machine lifecycle management with hypervisor abstraction.
**Features**:
- VM provisioning with tenant scoping
- Hypervisor abstraction (KVM, Firecracker)
- Network attachment via PrismNET ports
- CPU, memory, and disk configuration
- VM metadata persistence (ChainFire)
- Live migration support (planned)
**Services**:
- `VmService`: VM lifecycle (create, start, stop, delete)
**Quick Start**:
```bash
cd plasmavmc
export NOVANET_ENDPOINT=http://localhost:50081
export IAM_ENDPOINT=http://localhost:50080
cargo build --release
cargo run --bin plasmavmc-server -- --port 50082
```
## Future Components (Roadmap)
### FlashDNS (DNS Service)
**Status**: Planned for next milestone
DNS resolution within tenant VPCs with automatic record creation.
**Features** (Planned):
- Tenant-scoped DNS zones
- Automatic hostname assignment for VMs
- DNS record lifecycle tied to resources
- Integration with PrismNET for VPC resolution
### FiberLB (Load Balancing)
**Status**: Planned for next milestone
Layer 4/7 load balancing with tenant isolation.
**Features** (Planned):
- Load balancer provisioning within VPCs
- Backend pool management (VM targets)
- VIP allocation from tenant subnets
- Health checks and failover
### LightningStor (Block Storage)
**Status**: Planned for next milestone
Distributed block storage with snapshot support.
**Features** (Planned):
- Volume creation and attachment to VMs
- Snapshot lifecycle management
- Replication and high availability
- Integration with ChainFire for immutable logs
## Testing
### Integration Test Suite
PlasmaCloud includes comprehensive integration tests validating the complete E2E tenant path.
**IAM Tests** (6 tests, 778 LOC):
```bash
cd iam
cargo test --test tenant_path_integration
# Tests:
# ✅ test_tenant_setup_flow
# ✅ test_cross_tenant_denial
# ✅ test_rbac_project_scope
# ✅ test_hierarchical_scope_inheritance
# ✅ test_custom_role_fine_grained_permissions
# ✅ test_multiple_role_bindings
```
**Network + VM Tests** (2 tests, 570 LOC):
```bash
cd plasmavmc
cargo test --test prismnet_integration -- --ignored
# Tests:
# ✅ prismnet_port_attachment_lifecycle
# ✅ test_network_tenant_isolation
```
**Coverage**: 8/8 tests passing (100% success rate)
See [E2E Test Documentation](docs/por/T023-e2e-tenant-path/e2e_test.md) for detailed test descriptions.
## Documentation
### Getting Started
- **[Tenant Onboarding Guide](docs/getting-started/tenant-onboarding.md)**: Complete walkthrough of deploying your first tenant
### Architecture
- **[MVP-Beta Tenant Path](docs/architecture/mvp-beta-tenant-path.md)**: Complete system architecture with diagrams
- **[Component Integration](docs/architecture/mvp-beta-tenant-path.md#component-boundaries)**: How services communicate
### Testing & Validation
- **[E2E Test Documentation](docs/por/T023-e2e-tenant-path/e2e_test.md)**: Comprehensive test suite description
- **[T023 Summary](docs/por/T023-e2e-tenant-path/SUMMARY.md)**: MVP-Beta deliverables and test results
### Component Specifications
- [IAM Specification](specifications/iam.md)
- [PrismNET Specification](specifications/prismnet.md)
- [PlasmaVMC Specification](specifications/plasmavmc.md)
## Tenant Isolation Model
PlasmaCloud enforces tenant isolation at three layers:
### Layer 1: IAM Policy Enforcement
Every API call is validated against the user's JWT token:
- Token includes `org_id` and `project_id` claims
- Resources are scoped as: `org/{org_id}/project/{project_id}/{resource_type}/{id}`
- RBAC policies enforce: `resource.org_id == token.org_id`
- Cross-tenant access results in 403 Forbidden
### Layer 2: Network VPC Isolation
Each VPC provides a logical network boundary:
- VPC scoped to an `org_id`
- OVN overlay ensures traffic isolation between VPCs
- Different tenants can use the same CIDR without collision
- Security groups provide intra-VPC firewall rules
### Layer 3: VM Scoping
Virtual machines are scoped to tenant organizations:
- VM metadata includes `org_id` and `project_id`
- VMs can only attach to ports in their tenant's VPC
- VM operations filter by token scope
- Hypervisor isolation ensures compute boundary
**Validation**: All three layers tested in [cross-tenant denial tests](docs/por/T023-e2e-tenant-path/e2e_test.md#test-scenario-2-cross-tenant-denial).
## Example Workflow
### Create a Tenant with Network and VM
```bash
# 1. Authenticate and get token
grpcurl -plaintext -d '{
"principal_id": "alice",
"org_id": "acme-corp",
"project_id": "project-alpha"
}' localhost:50080 iam.v1.IamTokenService/IssueToken
export TOKEN="<your-token>"
# 2. Create VPC
grpcurl -plaintext -H "Authorization: Bearer $TOKEN" -d '{
"org_id": "acme-corp",
"project_id": "project-alpha",
"name": "main-vpc",
"cidr": "10.0.0.0/16"
}' localhost:50081 prismnet.v1.VpcService/CreateVpc
export VPC_ID="<vpc-id>"
# 3. Create Subnet
grpcurl -plaintext -H "Authorization: Bearer $TOKEN" -d '{
"org_id": "acme-corp",
"project_id": "project-alpha",
"vpc_id": "'$VPC_ID'",
"name": "web-subnet",
"cidr": "10.0.1.0/24",
"gateway": "10.0.1.1",
"dhcp_enabled": true
}' localhost:50081 prismnet.v1.SubnetService/CreateSubnet
export SUBNET_ID="<subnet-id>"
# 4. Create Port
grpcurl -plaintext -H "Authorization: Bearer $TOKEN" -d '{
"org_id": "acme-corp",
"project_id": "project-alpha",
"subnet_id": "'$SUBNET_ID'",
"name": "vm-port",
"ip_address": "10.0.1.10"
}' localhost:50081 prismnet.v1.PortService/CreatePort
export PORT_ID="<port-id>"
# 5. Create VM with Network
grpcurl -plaintext -H "Authorization: Bearer $TOKEN" -d '{
"name": "web-server-1",
"org_id": "acme-corp",
"project_id": "project-alpha",
"spec": {
"network": [{
"id": "eth0",
"port_id": "'$PORT_ID'"
}]
}
}' localhost:50082 plasmavmc.v1.VmService/CreateVm
```
**Full walkthrough**: See [Tenant Onboarding Guide](docs/getting-started/tenant-onboarding.md)
## Development
### Prerequisites
- Rust 1.70+ with Cargo
- Protocol Buffers compiler (protoc)
- Optional: KVM for real VM execution
- Optional: OVN for production networking
### Build from Source
```bash
# Clone repository
git clone https://github.com/your-org/plasmacloud.git
cd cloud
# Initialize submodules
git submodule update --init --recursive
# Build all components
cd iam && cargo build --release
cd ../prismnet && cargo build --release
cd ../plasmavmc && cargo build --release
```
### Run Tests
```bash
# IAM tests
cd iam && cargo test --test tenant_path_integration
# Network + VM tests
cd plasmavmc && cargo test --test prismnet_integration -- --ignored
# Unit tests (all components)
cargo test
```
### Project Structure
```
cloud/
├── iam/ # Identity & Access Management
│ ├── crates/
│ │ ├── iam-api/ # gRPC services
│ │ ├── iam-authz/ # Authorization engine
│ │ ├── iam-store/ # Data persistence
│ │ └── iam-types/ # Core types
│ └── tests/
│ └── tenant_path_integration.rs # E2E tests
├── prismnet/ # Network Virtualization
│ ├── crates/
│ │ ├── prismnet-server/ # gRPC services
│ │ ├── prismnet-api/ # Protocol buffers
│ │ ├── prismnet-metadata/ # Metadata store
│ │ └── prismnet-ovn/ # OVN integration
│ └── proto/
├── plasmavmc/ # VM Provisioning
│ ├── crates/
│ │ ├── plasmavmc-server/ # VM service
│ │ ├── plasmavmc-api/ # Protocol buffers
│ │ ├── plasmavmc-hypervisor/ # Hypervisor abstraction
│ │ ├── plasmavmc-kvm/ # KVM backend
│ │ └── plasmavmc-firecracker/ # Firecracker backend
│ └── tests/
│ └── prismnet_integration.rs # E2E tests
├── flashdns/ # DNS Service (planned)
├── fiberlb/ # Load Balancing (planned)
├── lightningstor/ # Block Storage (planned)
├── chainfire/ # Immutable event log (submodule)
├── flaredb/ # Distributed metadata store (submodule)
├── docs/
│ ├── architecture/ # Architecture docs
│ ├── getting-started/ # Onboarding guides
│ └── por/ # Plan of Record (POR) docs
│ └── T023-e2e-tenant-path/ # MVP-Beta deliverables
├── specifications/ # Component specifications
└── README.md # This file
```
## Contributing
We welcome contributions! Please follow these guidelines:
1. **Fork the repository** and create a feature branch
2. **Write tests** for new functionality
3. **Update documentation** as needed
4. **Run tests** before submitting PR: `cargo test`
5. **Follow Rust style**: Use `cargo fmt` and `cargo clippy`
### Code Review Process
1. All PRs require at least one approval
2. CI must pass (tests, formatting, lints)
3. Documentation must be updated for user-facing changes
4. Integration tests required for new features
## License
PlasmaCloud is licensed under the Apache License 2.0. See [LICENSE](LICENSE) for details.
## Support & Community
- **GitHub Issues**: Report bugs or request features
- **Documentation**: See [docs/](docs/) for detailed guides
- **Architecture**: Review [architecture docs](docs/architecture/mvp-beta-tenant-path.md) for design decisions
## Roadmap
### Completed (MVP-Beta) ✅
- [x] IAM with RBAC and tenant scoping
- [x] PrismNET VPC overlay networking
- [x] PlasmaVMC VM provisioning
- [x] End-to-end integration tests
- [x] Comprehensive documentation
### In Progress
- [ ] FlashDNS integration (S3)
- [ ] FiberLB integration (S4)
- [ ] LightningStor integration (S5)
### Planned
- [ ] FlareDB persistence for production
- [ ] ChainFire integration for VM metadata
- [ ] OVN production deployment
- [ ] Kubernetes integration
- [ ] Terraform provider
- [ ] Web UI / Dashboard
## Acknowledgments
PlasmaCloud builds upon:
- **ChainFire**: Immutable event log for audit trails
- **FlareDB**: Distributed metadata store
- **OVN (Open Virtual Network)**: Production-grade overlay networking
- **gRPC**: High-performance RPC framework
- **Rust**: Safe, concurrent systems programming
---
**Status**: MVP-Beta Complete ✅
**Last Updated**: 2025-12-09
**Next Milestone**: FlashDNS, FiberLB, LightningStor integration
For detailed information, see:
- [Tenant Onboarding Guide](docs/getting-started/tenant-onboarding.md)
- [Architecture Documentation](docs/architecture/mvp-beta-tenant-path.md)
- [Test Documentation](docs/por/T023-e2e-tenant-path/e2e_test.md)
Reference in a new issue View git blame Copy permalink