cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rajani Karuturi <>
Subject RE: [Proposal]CloudStack IAM plugin feature (CLOUDSTACK-5920)
Date Wed, 22 Jan 2014 14:29:20 GMT
some questions I have:
1. Do we need groups and policies? Cant we derive group information from policy applied? ie)
any user can become domain admin if he is given the right policies.
2. Can we restrict the permission to Resource Type's CRUD? permissions at api level seems
to be like too much of control and information to save. 

From: Prachi Damle []
Sent: Wednesday, January 22, 2014 3:27 AM
Subject: [Proposal]CloudStack IAM plugin feature (CLOUDSTACK-5920)

Min and myself would like to propose an identity and access management plugin for CloudStack
for the ACS 4.4 release.

Here is the functional spec we have drafted for the first phase:

Currently CloudStack provides very limited IAM services and there are several drawbacks:

- Offers few roles out of the box (user and admin) with prebaked access control. There is
no way to create customized policies and permissions.
- Some resources have access control baked into them. E.g., shared networks, projects etc.
- We have to create special dedicateXXX APIs to grant permissions to resources.
- Also it does not provide the flexibility to integrate with other RBAC implementations say
using AD/LDAP

Goal for this feature would be to address these limitations and offer true IAM services in
a phased manner.
As a first phase, we need to separate out the current access control into a separate component
based on the standard IAM terminologies. Also we need to create an access check mechanism
to be used by the API layer to avoid the checks scattered over the api/service layer. The
read/listing APIs need to be refactored accordingly to consider the policy based access granting.

Please provide feedback/suggestions anyone has.

Prachi & Min

View raw message