cloudstack-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rohit Yadav <>
Subject RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Date Fri, 25 Mar 2016 13:10:52 GMT
Hi Daan,

Thanks for the comments.

Yes, I looked into it but the IAM-services related work started by some of our former colleagues
was not in a good shape to be picked up, it also introduced resource level fine-grain ACLs
that would have required a lot of effort to both implement and test thoroughly.

The proposed solution is not the final solution to the rbac problem, but aims to solve for
role/account management issues for operators while ensuring strict backward compatibility,
an upgrade path from static based system to a db-backed dynamic system and allows scope for
future improvements.

To share some progress, the feature implementation so far looks promising and I'm trying to
nail down the edges around upgrade process.
I'm also investing a lot of time of marvin tests to ensure high quality delivery of this feature.



Rohit Yadav
53 Chandos Place, Covent Garden, London  WC2N 4HSUK

-----Original Message-----
From: Daan Hoogland [] 
Sent: Friday, March 25, 2016 12:55 PM
To: dev <>
Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack

Rohit, I had a first glance and it looks promising; +1 You have been thourough on the fs.
One question that comes to mind is whatever happened to the role base access That Min and
Pradhi(not sure if I remeber her name
correctly) where implementing for 4.4. It failed then because the work was taking much more
effort then estimated but it was pushed to git.wip-us. Did you look at thaat work?

On Wed, Mar 23, 2016 at 6:04 PM, Rohit Yadav <>

> Hi all,
> I want to propose a new feature for CloudStack, dynamic role-based API 
> access checker. This feature will allow us to migrate rules define in 
> file to database, while role management (such as 
> creating/editing roles, adding/removing rules) won't require 
> restarting management server(s).
> Please find more details in the FS here:
> sed+API+Access+Checker+for+CloudStack
> I look forward to your comments, suggestions and questions. Thanks.
> Regards,
> Rohit Yadav
> Regards,
> Rohit Yadav
> 53 Chandos Place, Covent Garden, London  WC2N 4HSUK @shapeblue

View raw message