cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Meghna Kale <meghna.k...@sungardas.com>
Subject Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0?
Date Thu, 05 Jun 2014 06:23:31 GMT
Thanks Min and Prachi.

>Based on above, for your usecase, you can attach a new policy to one
account to deny specific operations. So even if that account belongs to the
group that allows All, the second >policy has an explicit Deny, so this
will deny the specific operations.

Does that mean that a new deny permission role should be created and then
applied to the user? If yes then is it like we are apply two roles to a
single user.

Thanks
Meghna.

Thanks
Meghna.



On Thu, Jun 5, 2014 at 1:19 AM, Prachi Damle <Prachi.Damle@citrix.com>
wrote:

> >For example, there are two accounts and they belong to a group with
> >Allow all permissions. If I have to remove some permissions for only
> >account 1 but keep them for account 2 is it possible?
>
> This will be decided depending on whether Deny has higher precedence over
> Allow or the other way. If Deny has the higher precedence, the evaluation
> logic will be:
> - If there is a policy attached to the account or to a group that the
> account belongs to, which states an explicit Deny, then the permission will
> be denied.
>
> Based on above, for your usecase, you can attach a new policy to one
> account to deny specific operations. So even if that account belongs to the
> group that allows All, the second policy has an explicit Deny, so this will
> deny the specific operations.
>
> Thanks,
> Prachi
>
> -----Original Message-----
> From: Min Chen [mailto:min.chen@citrix.com]
> Sent: Tuesday, June 03, 2014 9:30 AM
> To: dev@cloudstack.apache.org
> Cc: Daan Hoogland; Hugo Trippaers
> Subject: Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0?
>
> As mentioned in our FS doc in wiki, "In phase I, all the permissions
> attached to any policy are by default explicit 'Allow' permissions. As of
> now 'Deny' permissions cannot be added."
>
> For your use cases, you can have two options:
> 1. Assign the two accounts into 2 different groups,  and attach different
> policy for the group.
> 2. Directly attach an Allow policy to account 2 instead of assigning both
> accounts into the Allow All group.
>
> Thanks
> -min
>
>
> On 6/3/14 5:03 AM, "Meghna Kale" <meghna.kale@sungardas.com> wrote:
>
> >Hi Min,
> >
> >With reference to the wiki doc, I had a query.
> >In case of a customized role with deny permissions how will the
> >listAll, isrecursive ..etc. input parameters values will be ?
> >
> >For example, there are two accounts and they belong to a group with
> >Allow all permissions. If I have to remove some permissions for only
> >account 1 but keep them for account 2 is it possible?
> >
> >Thanks
> >Meghna.
> >
> >
> >On Thu, May 22, 2014 at 10:22 PM, Min Chen <min.chen@citrix.com> wrote:
> >
> >> Added API issues we found through IAM feature in the wiki page
> >>created by
> >> Demetrius:
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes
> >>
> >> Thanks
> >> -min
> >>
> >> On 5/14/14 9:34 AM, "Min Chen" <min.chen@citrix.com> wrote:
> >>
> >> >Thanks Daan. Yes, I saw that there is another thread about putting
> >> >an
> >>API
> >> >request for 5.0 api. Once we are done with this disabling, we will
> >> >put
> >>the
> >> >issues we have found with current API in that wiki page to take into
> >> >consideration when we design the new API.
> >> >
> >> >-min
> >> >
> >> >On 5/14/14 12:12 AM, "Daan Hoogland" <daan.hoogland@gmail.com> wrote:
> >> >
> >> >>Min,
> >> >>
> >> >>I think everybody knows I am all for less features per release. I
> >> >>don't think you are making a bad call, per se. I do think we should
> >> >>consider if we can come up with a total picture of what 5.x would
> >> >>require af the api, though. Can you add to the discussion what it
> >> >>is that is keeping you from implementing. And what requirements you
> >> >>have for the 5.0 api so we can start devising the architectural
> >> >>guidelines for the new api. more and more calls for a 5.0 are
> >> >>coming up lately so let's move forward. (changing title)
> >> >>
> >> >>On Wed, May 14, 2014 at 1:53 AM, Min Chen <min.chen@citrix.com>
> wrote:
> >> >>> Hi All,
> >> >>>
> >> >>> In the past several weeks, QA has done some testing on IAM
> >> >>> feature
> >>and
> >> >>>found
> >> >>> several backward-compatibility issues. Even though Prachi and I
> >> >>>have tried  our best to fix bugs to maintain backward
> >> >>>compatibility, we realized that in  order to support true IAM
> >> >>>model documented in our FS
> >> >>>
> >> >>>
> >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Ide
> >> nti
> >> >>>t
> >> >>>y+and+Access+Management+%28IAM%29+Plugin,
> >> >>> we will have to make several API changes that will require us to
> >> >>>increment  CloudStack major version.
> >> >>> Therefore we think that IAM feature is not ready for ACS 4.4
> >>release,
> >> >>>and we
> >> >>> would like to propose to disable it in 4.4 branch and re-enable
> >> >>>it later  when community decides to go for 5.x.
> >> >>>
> >> >>> Thanks
> >> >>> -min
> >> >>
> >> >>
> >> >>
> >> >>--
> >> >>Daan
> >> >
> >>
> >>
> >>
>
>
>

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message