cloudstack-dev mailing list archives

From Chiradeep Vittal <>
Subject Re: [DISCUSS] api level access controll
Date Mon, 03 Feb 2014 18:47:43 GMT
Have you seen this?
There was a recent thread on this ML as well.

On 1/31/14 8:35 AM, "Anton Opgenoort" <>

>+1 voted.
>Example use case: Our customer portal should actually be able to do a
>'listclusters showcapacities=true', to inform our customers on their
>privately owned private zones, which are controlled by our CloudStack
>At this stage, I can only give a root-level API/Secret key combination to
>our customer portal team, but all they need to do now, is to list some
>hardware usage, create some domains, accounts and users. But with this
>api key, they get the keys to the kingdom, without needing it.
>We thus want to break up the keys to the kingdom in a flexible way,
>meaning via RBAC. A role the customer portal can play is to 'list
>capacity' at different levels, but also 'manage users' at the same time.
>Both profiles would allow reading and managing of different resources
>within cloudstack. Therefore any 'user' in cloudstack has a 1:N
>relationship with the roles, and each role has a 1:N relation with the
>resources, and/or API capabilities.
>Anton Opgenoort +31624864156
>-----Original Message-----
>From: Daan Hoogland []
>Sent: Friday, January 31, 2014 12:55 PM
>To: dev
>Subject: Re: [DISCUSS] api level access controll
>there is a ticket CLOUDSTACK-5920
>not much activity on it yet. It does however mention the buzzword rbac
>which would point in the direction of Erik's wishes and our own.
>vote vote vote please
>On Fri, Jan 31, 2014 at 12:47 PM, Alex Hitchins
><> wrote:
>> Agreed - I believe the IAM proposal that went out recently may have
>>covered this topic a little too.
>> Is it something to bake into the API layer or better/cleaner to build
>>some proxy layer that handles permissions?
>> Alex Hitchins
>> +44 7788 423 969
>> -----Original Message-----
>> From: Erik Weber []
>> Sent: 31 January 2014 11:13
>> To:
>> Subject: Re: [DISCUSS] api level access controll
>> On Fri, Jan 31, 2014 at 12:00 PM, Daan Hoogland
>>> H,
>>> I got a question from an operator at Schuberg Philis to create a set of
>>> api keys and to have control over exactly what api calls are allowed
>>> for this set of keys. Does anybody else recognise this use case?
>>> already hacked it in? have an idea how to do it? has a reason why not
>>> to do it?
>> Having more flexibility with access control is something that I and the
>>company I work for appreciate.
>> I can also see several use cases for this, monitoring user that should
>>only be able to list stuff (but all stuff) et cetera.
>> --
>> Erik Weber

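The role model requested in this thread (an API key bound to several roles, each role bound to several API commands, plus a monitoring role that may list everything), sketched as an added example that is not code from any participant or from CloudStack. The role names, key names and the `granting_roles` / `is_allowed` helpers are hypothetical; the check is deny-by-default and treats command names case-insensitively, which is an assumption based on the `listclusters` spelling used in the thread.

```python
from fnmatch import fnmatchcase

# Hypothetical roles: role name -> API command patterns it grants (1:N).
ROLES = {
    "list-capacity": {"listClusters", "listCapacity"},
    "manage-users": {"createDomain", "createAccount", "createUser",
                     "listDomains", "listAccounts", "listUsers"},
    "monitoring": {"list*"},  # may list everything, may change nothing
}

# Constructed sample bindings: API key -> roles (1:N).
KEY_ROLES = {
    "portal-key": ["list-capacity", "manage-users"],
    "monitor-key": ["monitoring"],
    "stale-key": ["retired-role"],  # refers to a role that no longer exists
}


def granting_roles(api_key, command):
    """Return the roles bound to api_key that permit command; empty means deny."""
    # Reject anything that is not a plain command name, so a request such as
    # "list*" can never be matched against a wildcard grant.
    if not (command.isascii() and command.isalnum()):
        return []
    cmd = command.lower()
    granted = []
    # Unknown keys and unknown roles contribute nothing: deny by default.
    for role in KEY_ROLES.get(api_key, []):
        patterns = ROLES.get(role, ())
        if any(fnmatchcase(cmd, p.lower()) for p in patterns):
            granted.append(role)
    return sorted(granted)


def is_allowed(api_key, command):
    """True only when at least one role of the key grants the command."""
    return bool(granting_roles(api_key, command))


if __name__ == "__main__":
    # Constructed requests; the granting roles are what an audit log would record.
    for key, cmd in [("portal-key", "listclusters"),
                     ("portal-key", "deleteZone"),
                     ("monitor-key", "listVirtualMachines"),
                     ("monitor-key", "createUser")]:
        roles = granting_roles(key, cmd)
        print(key, cmd, "ALLOW" if roles else "DENY", roles)
```
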