cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Prachi Damle <Prachi.Da...@citrix.com>
Subject RE: [ACS5.0] IAM feature postponed from 4.4 to 5.0?
Date Wed, 04 Jun 2014 19:49:23 GMT
>For example, there are two accounts and they belong to a group with 
>Allow all permissions. If I have to remove some permissions for only 
>account 1 but keep them for account 2 is it possible?

This will be decided depending on whether Deny has higher precedence over Allow or the other
way. If Deny has the higher precedence, the evaluation logic will be:
- If there is a policy attached to the account or to a group that the account belongs to,
which states an explicit Deny, then the permission will be denied.

Based on above, for your usecase, you can attach a new policy to one account to deny specific
operations. So even if that account belongs to the group that allows All, the second policy
has an explicit Deny, so this will deny the specific operations.

Thanks,
Prachi

-----Original Message-----
From: Min Chen [mailto:min.chen@citrix.com] 
Sent: Tuesday, June 03, 2014 9:30 AM
To: dev@cloudstack.apache.org
Cc: Daan Hoogland; Hugo Trippaers
Subject: Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0?

As mentioned in our FS doc in wiki, "In phase I, all the permissions attached to any policy
are by default explicit 'Allow' permissions. As of now 'Deny' permissions cannot be added."


For your use cases, you can have two options:
1. Assign the two accounts into 2 different groups,  and attach different policy for the group.
2. Directly attach an Allow policy to account 2 instead of assigning both accounts into the
Allow All group.

Thanks
-min


On 6/3/14 5:03 AM, "Meghna Kale" <meghna.kale@sungardas.com> wrote:

>Hi Min,
>
>With reference to the wiki doc, I had a query.
>In case of a customized role with deny permissions how will the 
>listAll, isrecursive ..etc. input parameters values will be ?
>
>For example, there are two accounts and they belong to a group with 
>Allow all permissions. If I have to remove some permissions for only 
>account 1 but keep them for account 2 is it possible?
>
>Thanks
>Meghna.
>
>
>On Thu, May 22, 2014 at 10:22 PM, Min Chen <min.chen@citrix.com> wrote:
>
>> Added API issues we found through IAM feature in the wiki page 
>>created by
>> Demetrius:
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes
>>
>> Thanks
>> -min
>>
>> On 5/14/14 9:34 AM, "Min Chen" <min.chen@citrix.com> wrote:
>>
>> >Thanks Daan. Yes, I saw that there is another thread about putting 
>> >an
>>API
>> >request for 5.0 api. Once we are done with this disabling, we will 
>> >put
>>the
>> >issues we have found with current API in that wiki page to take into 
>> >consideration when we design the new API.
>> >
>> >-min
>> >
>> >On 5/14/14 12:12 AM, "Daan Hoogland" <daan.hoogland@gmail.com> wrote:
>> >
>> >>Min,
>> >>
>> >>I think everybody knows I am all for less features per release. I 
>> >>don't think you are making a bad call, per se. I do think we should 
>> >>consider if we can come up with a total picture of what 5.x would 
>> >>require af the api, though. Can you add to the discussion what it 
>> >>is that is keeping you from implementing. And what requirements you 
>> >>have for the 5.0 api so we can start devising the architectural 
>> >>guidelines for the new api. more and more calls for a 5.0 are 
>> >>coming up lately so let's move forward. (changing title)
>> >>
>> >>On Wed, May 14, 2014 at 1:53 AM, Min Chen <min.chen@citrix.com> wrote:
>> >>> Hi All,
>> >>>
>> >>> In the past several weeks, QA has done some testing on IAM 
>> >>> feature
>>and
>> >>>found
>> >>> several backward-compatibility issues. Even though Prachi and I 
>> >>>have tried  our best to fix bugs to maintain backward 
>> >>>compatibility, we realized that in  order to support true IAM 
>> >>>model documented in our FS
>> >>>
>> >>>
>> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Ide
>> nti
>> >>>t
>> >>>y+and+Access+Management+%28IAM%29+Plugin,
>> >>> we will have to make several API changes that will require us to 
>> >>>increment  CloudStack major version.
>> >>> Therefore we think that IAM feature is not ready for ACS 4.4
>>release,
>> >>>and we
>> >>> would like to propose to disable it in 4.4 branch and re-enable 
>> >>>it later  when community decides to go for 5.x.
>> >>>
>> >>> Thanks
>> >>> -min
>> >>
>> >>
>> >>
>> >>--
>> >>Daan
>> >
>>
>>
>>


Mime
View raw message