CloudStack Identity and Access Management (IAM)
Min Chen
Prachi Damle
Citrix
Agenda
•  Background
•  Our Design Goal
•  Architecture
•  Implementation
•  Use Cases
•  Next Steps
Background
•  Limited IAM Services
–  Out-of-box fixed roles (Root Admin, Domain Admin, User) with
prebaked access control.
–  No support for customized roles creation.
–  Special hard-coded access control logic baked in service layer for
some resources like networks, affinity group, etc.
–  Granting permissions by dedicated APIs is very restrictive.
Our Goal
Provide True Pluggable IAM Service
What is IAM
[Diagram "Our IAM Model". Elements shown: a Principal, an Action and a Resource make up a Permission, which carries an Allow/Deny decision; Permissions are collected into a Policy; Principals (users) are collected into a Group; a Role is taken on through Impersonate.]
Pluggable IAM Service
Host the IAM server as an independent service listening at an endpoint, which CloudStack or other portal services call to perform access checks.
Pluggable IAM Components
•  Server
–  An implementation of the pure IAM taxonomy, independent of CloudStack.
–  Out-of-box IAM server implementation based on our IAM schema.
–  Provides an IAM server interface for third parties (LDAP/AD based) to implement a different IAM server.
•  Plugin
–  A plugin integrated with CloudStack through adapter interfaces:
•  APIChecker
•  SecurityChecker
•  QuerySelector
–  Serves new IAM API requests
IAM Component Diagram
[Diagram: CloudStack (cloud-api, cloud-server) calls the IAM Service. cloud-plugin-iam implements the adapter interfaces APIChecker, SecurityChecker and QuerySelector as RoleBasedAPIChecker, RoleBasedEntityChecker and RoleBasedQuerySelector and exposes the IAM Plugin APIs; cloud-iam-server exposes the IAM Server APIs.]
IAM Server
•  IAM Schema
•  Implement the IAM Server interface to provide your own 3rd-party IAM server.
IAM Plugin
•  IAM APIs
•  Adapters
–  APIChecker
–  SecurityChecker
•  AccessType
–  QuerySelector
•  The plugin understands CloudStack's terminology
IAM APIs
•  createIAMGroup
•  deleteIAMGroup
•  listIAMGroups
•  createIAMPolicy
•  deleteIAMPolicy
•  listIAMPolicies
•  addIAMPermissionToIAMPolicy
•  removeIAMPermissionFromIAMPolicy
•  addAccountToIAMGroup
•  removeAccountFromIAMGroup
•  attachIAMPolicyToAccount
•  removeIAMPolicyFromAccount
•  attachIAMPolicyToIAMGroup
•  removeIAMPolicyFromIAMGroup
[Diagram: an Account (user) is the subject of the add/remove and attach/remove APIs above.]
APIChecker
•  CS APIChecker interface
•  commands.properties
•  RoleBasedAPIAccessChecker
–  On startup loads permissions from commands.properties
–  checkAccess by listing policy permissions

public interface APIChecker extends Adapter {
    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
}

Role bit values used in commands.properties:
1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
startVirtualMachine=15
  
Default CloudStack Policies
[Diagram: the commands.properties entry startVirtualMachine = 15 is translated by the IAM APIChecker into three default policies:
–  User Policy, attached to the User Group: Permission startVirtualMachine on VirtualMachine, scope ACCOUNT $accountId
–  Domain Admin Policy, attached to the Domain Admin Group: Permission startVirtualMachine on VirtualMachine, scope DOMAIN $domainId
–  Root Admin Policy, attached to the Root Admin Group: Permission startVirtualMachine on VirtualMachine, Scope: ALL, plus a Permission for migrateVirtualMachine]
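As an added example (not code from the deck or from CloudStack itself), the Python below models the fixed-role bitmask check that RoleBasedAPIAccessChecker performs over commands.properties, and shows how one entry such as startVirtualMachine=15 decodes into the four roles and, in the IAM design, into the default policies that receive a permission for that API. The commands.properties fragment is constructed (only startVirtualMachine=15 appears on the slide), denying an unregistered command is this model's choice, and the policy name used for RESOURCE_DOMAIN_ADMIN is an assumption, since the deck only draws the User, Domain Admin and Root Admin policies.

```python
# Role bit values as listed on the APIChecker slide.
ROLE_BITS = {"ADMIN": 1, "RESOURCE_DOMAIN_ADMIN": 2, "DOMAIN_ADMIN": 4, "USER": 8}

# Which default policy receives a permission for each role bit. The deck draws
# the User, Domain Admin and Root Admin policies; the name used here for
# RESOURCE_DOMAIN_ADMIN is an assumption of this example.
DEFAULT_POLICY_FOR_ROLE = {
    "ADMIN": "Root Admin Policy",
    "RESOURCE_DOMAIN_ADMIN": "Resource Domain Admin Policy",
    "DOMAIN_ADMIN": "Domain Admin Policy",
    "USER": "User Policy",
}

# Constructed commands.properties fragment: only startVirtualMachine=15 is on
# the slide, the remaining entries are sample values.
SAMPLE_COMMANDS_PROPERTIES = """\
# apiName=bitmask of the roles allowed to call it
startVirtualMachine=15
stopVirtualMachine=15
listVirtualMachines=15
migrateVirtualMachine=1
createDomain=1
updateResourceLimit=7
"""


class PermissionDenied(Exception):
    pass


def parse_commands_properties(text):
    """Return {api_name: bitmask} from Java-properties style text."""
    masks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":        # blank or comment line
            continue
        name, sep, value = line.partition("=")
        if not sep or not value.strip().isdigit():
            raise ValueError("malformed commands.properties line: %r" % raw)
        masks[name.strip()] = int(value.strip())
    return masks


def roles_allowed(mask):
    """Decode a bitmask into the sorted role names it admits."""
    return sorted(role for role, bit in ROLE_BITS.items() if mask & bit)


def check_api_access(masks, role, api_name):
    """Fixed-role check in the style of RoleBasedAPIAccessChecker.checkAccess.

    An API missing from commands.properties is denied: this model fails closed
    instead of letting an unregistered command through.
    """
    mask = masks.get(api_name)
    if mask is None:
        raise PermissionDenied("%s is not registered in commands.properties" % api_name)
    if not mask & ROLE_BITS[role]:
        raise PermissionDenied("role %s may not call %s" % (role, api_name))
    return True


def is_api_allowed(masks, role, api_name):
    """Boolean wrapper around check_api_access."""
    try:
        return check_api_access(masks, role, api_name)
    except PermissionDenied:
        return False


def default_policies_for(mask):
    """Translate one bitmask into the default policies that get a permission
    for the API, which is how 'startVirtualMachine = 15' on the Default
    CloudStack Policies slide lands in the User, Domain Admin and Root Admin
    policies (each with its own scope)."""
    return sorted(DEFAULT_POLICY_FOR_ROLE[role] for role in roles_allowed(mask))


if __name__ == "__main__":
    masks = parse_commands_properties(SAMPLE_COMMANDS_PROPERTIES)
    for api, mask in sorted(masks.items()):
        print("%-24s %2d %s" % (api, mask, ", ".join(roles_allowed(mask))))
```

The bitmask answers only "may this role call this API at all"; it carries no scope, which is why the policy translation has to add ACCOUNT, DOMAIN or ALL per role before the SecurityChecker can decide about a particular VM.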
  
SecurityChecker
•  CS SecurityChecker interface
•  RoleBasedEntityAccessChecker
–  Checks Policy permissions for the entity and action/accessType
–  Only works with 'Allow'. No 'Deny' in this phase.
•  AccessType
–  ListEntry (read-only access)
–  UseEntry (read and use access)
–  OperateEntry (operate access)

public interface SecurityChecker extends Adapter {
    boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
        throws PermissionDeniedException;
}
Access Check Flow
[Diagram: User1 requests startVirtualMachine 'Foo'; a second user User2 and the VM Foo are also shown. The request passes through the IAM API Checker and then the IAM SecurityChecker, which evaluate the default policies: User Policy (startVirtualMachine on VirtualMachine, scope ACCOUNT $accountId, attached to the User Group), Domain Admin Policy (scope DOMAIN $domainId, attached to the Domain Admin Group) and Root Admin Policy (Scope: ALL, attached to the Root Admin Group). A Root Admin issuing startVirtualMachine 'Foo' is shown as the second request.]
IAM QuerySelector
•  QuerySelector => RoleBasedQuerySelector

public interface QuerySelector extends Adapter {
    List<Long> getAuthorizedDomains(Account caller, String entityType, AccessType accessType);
    List<Long> getAuthorizedAccounts(Account caller, String entityType, AccessType accessType);
    List<Long> getAuthorizedResources(Account caller, String entityType, AccessType accessType);
    boolean isGrantedAll(Account caller, String action, AccessType accessType);
    List<String> listIAMGroupsByAccount(long accountId);
}
Custom Policy
•  Use Case: Domain admin wants to grant "read only access" to all VMs of his domain to some service desk accounts.
[Diagram: a Service Desk Group; the service desk accounts join it via addAccountToIAMGroup; a ReadOnlyPolicy holding the Permission listVirtualMachines on VirtualMachine, scope DOMAIN $domainId, is attached via attachIAMPolicyToIAMGroup; a VMOpPolicy is also shown.]
Cross-Account Grant
•  Use Case: Account A has a VM foo, and she wants to grant Account B the right to start/stop her VM foo.
[Diagram: Account A grants Account B two Permissions on the VM foo: startVirtualMachine on VirtualMachine, scope RESOURCE foo, and stopVirtualMachine on VirtualMachine, scope RESOURCE foo.]
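As an added example that is not code from the deck or from CloudStack, the Python below models the policy evaluation behind the SecurityChecker, the Access Check Flow, the QuerySelector and the two use cases (Custom Policy and Cross-Account Grant) in one place: a permission carries an action, an entity type, a scope (ACCOUNT, DOMAIN, RESOURCE or ALL) and an access type, policies are attached to accounts or groups, and evaluation is Allow-only. Assumed rather than taken from the slides: the ordering ListEntry < UseEntry < OperateEntry, the resolution of $accountId / $domainId to the caller's own account and domain, flat domains with no sub-domain inheritance, and every account, domain and VM identifier, all of which are constructed.

```python
from collections import namedtuple
from enum import IntEnum


class AccessType(IntEnum):
    # Ordering is this model's assumption: a grant at a higher level also
    # satisfies a request at a lower one; the deck only names the three types.
    ListEntry = 1
    UseEntry = 2
    OperateEntry = 3


# scope is "ACCOUNT", "DOMAIN", "RESOURCE" or "ALL"; scope_id is an id, or the
# placeholder "$accountId" / "$domainId" meaning the caller's own account/domain.
Permission = namedtuple("Permission", "action entity_type scope scope_id access_type")
Policy = namedtuple("Policy", "name permissions")
Account = namedtuple("Account", "id domain_id policies")   # attachIAMPolicyToAccount
Group = namedtuple("Group", "name members policies")       # addAccountToIAMGroup / attachIAMPolicyToIAMGroup
Entity = namedtuple("Entity", "id entity_type account_id domain_id")


class PermissionDenied(Exception):
    pass


class IAMService:
    """Allow-only evaluation: no Deny permissions, as the SecurityChecker slide states."""

    def __init__(self, groups):
        self.groups = list(groups)

    def permissions_for(self, caller):
        policies = list(caller.policies)
        policies += [p for g in self.groups if caller.id in g.members for p in g.policies]
        return [perm for pol in policies for perm in pol.permissions]

    @staticmethod
    def _resolve(scope_id, caller):
        return {"$accountId": caller.id, "$domainId": caller.domain_id}.get(scope_id, scope_id)

    def _covers(self, perm, caller, entity, access_type, action):
        if perm.action != action or perm.entity_type != entity.entity_type or perm.access_type < access_type:
            return False
        sid = self._resolve(perm.scope_id, caller)
        return (perm.scope == "ALL"
                or (perm.scope == "ACCOUNT" and entity.account_id == sid)
                or (perm.scope == "DOMAIN" and entity.domain_id == sid)
                or (perm.scope == "RESOURCE" and entity.id == sid))

    # SecurityChecker.checkAccess(caller, entity, accessType, action): allow or throw
    def check_access(self, caller, entity, access_type, action):
        if any(self._covers(p, caller, entity, access_type, action) for p in self.permissions_for(caller)):
            return True
        raise PermissionDenied("account %d: %s on %s %d" % (caller.id, action, entity.entity_type, entity.id))

    def is_allowed(self, caller, entity, access_type, action):
        try:
            return self.check_access(caller, entity, access_type, action)
        except PermissionDenied:
            return False

    # QuerySelector: the scopes in which the caller may see entity_type at access_type
    def _scope_ids(self, caller, entity_type, access_type, scope):
        return sorted({self._resolve(p.scope_id, caller) for p in self.permissions_for(caller)
                       if p.entity_type == entity_type and p.scope == scope and p.access_type >= access_type})

    def get_authorized_domains(self, caller, entity_type, access_type):
        return self._scope_ids(caller, entity_type, access_type, "DOMAIN")
    def get_authorized_accounts(self, caller, entity_type, access_type):
        return self._scope_ids(caller, entity_type, access_type, "ACCOUNT")
    def get_authorized_resources(self, caller, entity_type, access_type):
        return self._scope_ids(caller, entity_type, access_type, "RESOURCE")

    def is_granted_all(self, caller, action, access_type):
        return any(p.scope == "ALL" and p.action == action and p.access_type >= access_type
                   for p in self.permissions_for(caller))


# Constructed scenario: domain 10 holds accounts A (1), B (2), a service-desk
# account (3) and a domain admin (4); the root admin (5) sits in domain 1.
VM, OP, LS = "VirtualMachine", AccessType.OperateEntry, AccessType.ListEntry
user_policy = Policy("User Policy", (
    Permission("startVirtualMachine", VM, "ACCOUNT", "$accountId", OP),
    Permission("listVirtualMachines", VM, "ACCOUNT", "$accountId", LS)))
domain_admin_policy = Policy("Domain Admin Policy", (
    Permission("startVirtualMachine", VM, "DOMAIN", "$domainId", OP),))
root_admin_policy = Policy("Root Admin Policy", (
    Permission("startVirtualMachine", VM, "ALL", None, OP),
    Permission("migrateVirtualMachine", VM, "ALL", None, OP)))
read_only_policy = Policy("ReadOnlyPolicy", (        # Custom Policy use case
    Permission("listVirtualMachines", VM, "DOMAIN", 10, LS),))
foo_grant = Policy("FooOpPolicy", (                  # Cross-Account Grant use case
    Permission("startVirtualMachine", VM, "RESOURCE", 100, OP),
    Permission("stopVirtualMachine", VM, "RESOURCE", 100, OP)))
A, B, DESK = Account(1, 10, []), Account(2, 10, [foo_grant]), Account(3, 10, [])
DOM_ADMIN, ROOT = Account(4, 10, []), Account(5, 1, [])
iam = IAMService([Group("User Group", {1, 2, 3}, (user_policy,)),
                  Group("Service Desk Group", {3}, (read_only_policy,)),
                  Group("Domain Admin Group", {4}, (domain_admin_policy,)),
                  Group("Root Admin Group", {5}, (root_admin_policy,))])
FOO = Entity(100, VM, 1, 10)    # A's VM foo
BAZ = Entity(101, VM, 9, 20)    # a VM owned by another account in domain 20
```

Running the scenario reproduces both use cases: the service desk account can list VMs of domain 10 but cannot start them, account B can start and stop foo through the RESOURCE-scoped grant while its own User Policy still does not let it list A's VM, the domain admin reaches foo but not a VM in domain 20, and only the root admin satisfies isGrantedAll for startVirtualMachine. The QuerySelector methods return exactly the scopes the SecurityChecker would accept, which is what lets a list API be filtered before rows are fetched instead of checking each row afterwards.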
  
Next Steps
•  Integrate the IAM model with all CloudStack access control logic
–  Shared and isolated networks
–  Handle non-ControlledEntity resources like Zone and Service Offering (Disk Offering, Network Offering)
–  Dedicated resource feature
•  Provide UI support for IAM APIs.
•  Handle JSON-based policy definition.
References
•  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer
•  Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer

Water Industry Process Automation & Control Monthly - April 2024
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
OSVC_Meta-Data based Simulation Automation to overcome Verification Challenge...
 
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICSAPPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
APPLICATIONS-AC/DC DRIVES-OPERATING CHARACTERISTICS
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 

CloudStack IAM Architecture and Implementation

11. IAM Server
•  IAM Schema
•  Implement the IAM Server interface to provide your own third-party IAM server.
12. IAM Plugin
•  IAM APIs
•  Adapters
–  APIChecker
–  SecurityChecker
•  AccessType
–  QuerySelector
•  Plugin understands CloudStack's terminology
13. IAM APIs
•  createIAMGroup
•  deleteIAMGroup
•  listIAMGroups
•  createIAMPolicy
•  deleteIAMPolicy
•  listIAMPolicies
•  addIAMPermissionToIAMPolicy
•  removeIAMPermissionFromIAMPolicy
•  addAccountToIAMGroup
•  removeAccountFromIAMGroup
•  attachIAMPolicyToAccount
•  removeIAMPolicyFromAccount
•  attachIAMPolicyToIAMGroup
•  removeIAMPolicyFromIAMGroup
(Diagram label: Account)
14. APIChecker
•  CS APIChecker interface
•  commands.properties
•  RoleBasedAPIAccessChecker
–  On startup loads permissions from commands.properties
–  checkAccess by listing policy permissions

    public interface APIChecker extends Adapter {
        boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
    }

commands.properties role bits: 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
Example entry: startVirtualMachine=15
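An added example (not CloudStack's code) that models the role-mask semantics of a commands.properties entry as the slide describes it: the mask is the OR of the role bit values listed above, and checkAccess passes when the caller's role bit is set in the command's mask. The properties text is a constructed sample; only startVirtualMachine=15 is from the slide.

```python
# Added example, not CloudStack code: how RoleBasedAPIAccessChecker can read
# commands.properties at startup and answer APIChecker.checkAccess.
# Role bit values are the ones on the slide; the properties text is constructed.
ADMIN, RESOURCE_DOMAIN_ADMIN, DOMAIN_ADMIN, USER = 1, 2, 4, 8
ROLE_NAMES = {ADMIN: "ADMIN", RESOURCE_DOMAIN_ADMIN: "RESOURCE_DOMAIN_ADMIN",
              DOMAIN_ADMIN: "DOMAIN_ADMIN", USER: "USER"}

# Constructed commands.properties fragment; startVirtualMachine=15 is from the slide.
COMMANDS_PROPERTIES = """\
# command=mask  (1 ADMIN, 2 RESOURCE_DOMAIN_ADMIN, 4 DOMAIN_ADMIN, 8 USER)
startVirtualMachine=15
migrateVirtualMachine=1
createDomain=3
"""

def load_command_masks(text):
    """Parse 'command=mask' lines; comments, blank and malformed lines are skipped."""
    masks = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep and value.strip().isdigit():
            masks[name.strip()] = int(value.strip())
    return masks

MASKS = load_command_masks(COMMANDS_PROPERTIES)

def check_api_access(role, api_command_name, masks=MASKS):
    """Model of APIChecker.checkAccess: allowed when the caller's role bit is set
    in the command's mask. A command absent from the file is denied (fail closed)."""
    return bool(masks.get(api_command_name, 0) & role)

def allowed_roles(api_command_name, masks=MASKS):
    """Decode a mask into the role names it grants, e.g. 15 -> all four roles."""
    mask = masks.get(api_command_name, 0)
    return [name for bit, name in sorted(ROLE_NAMES.items()) if mask & bit]
```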
15. Default CloudStack Policies
•  User Policy (attached to User Group)
–  Permission: startVirtualMachine, VirtualMachine, scope ACCOUNT, $accountId
•  Domain Admin Policy (attached to Domain Admin Group)
–  Permission: startVirtualMachine, VirtualMachine, scope DOMAIN, $domainId
•  Root Admin Policy (attached to Root Admin Group)
–  Permission: startVirtualMachine, VirtualMachine, scope ALL
–  Permission: migrateVirtualMachine
•  IAM APIChecker: startVirtualMachine = 15
16. SecurityChecker
•  CS SecurityChecker interface
•  RoleBasedEntityAccessChecker
•  Check Policy permissions for the entity and action/accessType
•  Only works with 'Allow'. No 'Deny' in this phase.
•  AccessType
–  ListEntry (read-only access)
–  UseEntry (read and use access)
–  OperateEntry (operate access)

    public interface SecurityChecker extends Adapter {
        boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
            throws PermissionDeniedException;
    }
17. Access Check Flow
(Diagram) Three callers, User1, User2 and Root Admin, each issue startVirtualMachine 'Foo' against VM Foo. Every request passes through the IAM API Checker and then the IAM SecurityChecker, which evaluates the policies attached to the caller's group:
•  User Policy (User Group): startVirtualMachine, VirtualMachine, ACCOUNT, $accountId
•  Domain Admin Policy (Domain Admin Group): startVirtualMachine, VirtualMachine, DOMAIN, $domainId
•  Root Admin Policy (Root Admin Group): startVirtualMachine, VirtualMachine, Scope: ALL
18. IAM QuerySelector
•  QuerySelector => RoleBasedQuerySelector

    public interface QuerySelector extends Adapter {
        List<Long> getAuthorizedDomains(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedAccounts(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedResources(Account caller, String entityType, AccessType accessType);
        boolean isGrantedAll(Account caller, String action, AccessType accessType);
        List<String> listIAMGroupsByAccount(long accountId);
    }
19. Custom Policy
•  Use Case: Domain admin wants to grant "read only access" to all VMs of his domain to some service desk accounts.
(Diagram) A Service Desk Group with the policy ReadOnlyPolicy attached; its single permission is listVirtualMachines, VirtualMachine, DOMAIN, $domainId. The service desk accounts are added with addAccountToIAMGroup and the policy is attached with attachIAMPolicyToIAMGroup.
20. Cross-Account Grant
•  Use Case: Account A has a VM foo, and she wants to grant Account B to Start/Stop her VM foo.
(Diagram) VMOpPolicy with two permissions: startVirtualMachine, VirtualMachine, RESOURCE, foo; and stopVirtualMachine, VirtualMachine, RESOURCE, foo. Accounts A and B, VM Foo.
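An added example (not CloudStack's code) that models the allow-only policy evaluation behind SecurityChecker.checkAccess for the default User, Domain Admin and Root Admin policies of slides 15 to 17 together with the two use cases above: the ReadOnlyPolicy attached to a service desk group and the VMOpPolicy granted across accounts. The policy, group and account names and the sample accounts are constructed; matching is on action, entity type and resolved scope, and the accessType parameter is left out.

```python
# Added example, not CloudStack code: allow-only policy evaluation. A permission
# is (action, entity type, scope, scope id); $accountId/$domainId resolve to the
# caller's own ids. All names and sample data below are constructed.
from collections import namedtuple

Permission = namedtuple("Permission", "action entity_type scope scope_id")
Account = namedtuple("Account", "id domain_id groups policies")  # names of groups/policies
Entity = namedtuple("Entity", "type id account_id domain_id")

# Default policies (slide 15), ReadOnlyPolicy (slide 19), VMOpPolicy (slide 20).
VM = "VirtualMachine"
POLICIES = {
    "UserPolicy": [Permission("startVirtualMachine", VM, "ACCOUNT", "$accountId")],
    "DomainAdminPolicy": [Permission("startVirtualMachine", VM, "DOMAIN", "$domainId")],
    "RootAdminPolicy": [Permission("startVirtualMachine", VM, "ALL", None),
                        Permission("migrateVirtualMachine", VM, "ALL", None)],
    "ReadOnlyPolicy": [Permission("listVirtualMachines", VM, "DOMAIN", "$domainId")],
    "VMOpPolicy": [Permission("startVirtualMachine", VM, "RESOURCE", "foo"),
                   Permission("stopVirtualMachine", VM, "RESOURCE", "foo")],
}
GROUP_POLICIES = {"UserGroup": ["UserPolicy"], "DomainAdminGroup": ["DomainAdminPolicy"],
                  "RootAdminGroup": ["RootAdminPolicy"], "ServiceDeskGroup": ["ReadOnlyPolicy"]}

def permission_matches(perm, caller, entity, action):
    """One permission grants one action on entities inside its (resolved) scope."""
    if perm.action != action or perm.entity_type != entity.type:
        return False
    ids = {"$accountId": caller.id, "$domainId": caller.domain_id}
    scope_id = ids.get(perm.scope_id, perm.scope_id)
    return {"ALL": True,
            "DOMAIN": entity.domain_id == scope_id,
            "ACCOUNT": entity.account_id == scope_id,
            "RESOURCE": entity.id == scope_id}.get(perm.scope, False)

def check_access(caller, entity, action, policies=POLICIES, group_policies=GROUP_POLICIES):
    """Model of SecurityChecker.checkAccess: True iff a permission of a policy attached
    to the caller or to one of its groups matches. No Deny exists: no Allow means refused."""
    attached = list(caller.policies)
    for group in caller.groups:
        attached += group_policies.get(group, [])
    return any(permission_matches(p, caller, entity, action)
               for name in attached for p in policies[name])

# Constructed accounts: A owns VM foo in domain D1; B was granted VMOpPolicy by A.
FOO = Entity(VM, "foo", account_id="A", domain_id="D1")
USER_A = Account("A", "D1", ["UserGroup"], [])
USER_B = Account("B", "D1", ["UserGroup"], ["VMOpPolicy"])
USER_C = Account("C", "D1", ["UserGroup"], [])        # same domain, no grant
DESK = Account("S", "D1", ["UserGroup", "ServiceDeskGroup"], [])
DOMAIN_ADMIN = Account("DA", "D1", ["DomainAdminGroup"], [])
ROOT_ADMIN = Account("R", "ROOT", ["RootAdminGroup"], [])
```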
21. Next Step
•  Integrate IAM model with all CloudStack access control logic
–  Shared and isolated networks
–  Handle non-ControlledEntity resources like Zone and Service Offering (Disk Offering, Network Offering)
–  Dedicated resource feature
•  Provide UI support for IAM APIs.
•  Handle JSON-based policy definition.
22. References
•  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer
•  Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer