cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Anton Opgenoort <>
Subject RE: [DISCUSS] api level access controll
Date Fri, 31 Jan 2014 16:35:24 GMT
+1 voted.

Example use case: Our customer portal should actually be able to do a 'listclusters showcapacities=true',
to inform our customers on their privately owned private zones, which are controlled by our
CloudStack environment. 
At this stage, I can only give a root-level API/Secret key combination to our customer portal
team, but all they need to do now, is to list some hardware usage, create some domains, accounts
and users. But with this api key, they get the keys to the kingdom, without needing it. 

We thus want to break up the keys to the kingdom in a flexible way, meaning via RBAC. A role
the customer portal can play is to 'list capacity' at different levels, but also 'manage users'
at the same time. Both profiles would allow reading and managing of different resources within
cloudstack. Therefore any 'user' in cloudstack has a 1:N relationship with the roles, and
each role has a 1:N relation with the resources, and/or API capabilities. 


Anton Opgenoort +31624864156

-----Original Message-----
From: Daan Hoogland [] 
Sent: Friday, January 31, 2014 12:55 PM
To: dev
Subject: Re: [DISCUSS] api level access controll

tehre is a ticket CLOUDSTACK-5920

not much activity on it yet. It does however mention the buzzword rbac which would point in
the direction of Eriks whishes and our own.

vote vote vote please

On Fri, Jan 31, 2014 at 12:47 PM, Alex Hitchins <> wrote:
> Agreed - I believe the IAM proposal that went out recently may have covered this topic
a little too.
> Is it something to bake into the API layer or better/cleaner to build some proxy layer
that handles permissions?
> Alex Hitchins
> +44 7788 423 969
> -----Original Message-----
> From: Erik Weber []
> Sent: 31 January 2014 11:13
> To:
> Subject: Re: [DISCUSS] api level access controll
> On Fri, Jan 31, 2014 at 12:00 PM, Daan Hoogland <>wrote:
>> H,
>> I git a question of an operator ad Schuberg Philis to crete a set of 
>> api keys and to have control over excatly what api calls are allowed 
>> for this set of keys. Does anybody else recognise this use case?
>> already hacked it in? have an idea how to do it? has a reason why not 
>> to do it?
> Having more flexibility with access control is something that I and the company I work
for appreciate.
> I can also see several use cases for this, monitoring user that should only be able to
list stuff (but all stuff) et cetera.
> --
> Erik Weber
> Need Enterprise Grade Support for Apache CloudStack?
> Our CloudStack Infrastructure Support<>
offers the best 24/7 SLA for CloudStack Environments.
> Apache CloudStack Bootcamp training courses
> **NEW!** CloudStack 4.2.1 
> training<>
> 18th-19th February 2014, Brazil. 
> Classroom<>
> 17th-23rd March 2014, Region A. Instructor led, 
> On-line<>
> 24th-28th March 2014, Region B. Instructor led, 
> On-line<>
> 16th-20th June 2014, Region A. Instructor led, 
> On-line<>
> 23rd-27th June 2014, Region B. Instructor led, 
> On-line<>
> This email and any attachments to it may be confidential and are intended solely for
the use of the individual to whom it is addressed. Any views or opinions expressed are solely
those of the author and do not necessarily represent those of Shape Blue Ltd or related companies.
If you are not the intended recipient of this email, you must neither take any action based
upon its contents, nor copy or show it to anyone. Please contact the sender if you believe
you have received this email in error. Shape Blue Ltd is a company incorporated in England
& Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated
under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated
in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.

View raw message