-----Original Message-----
From: sebgoa [mailto:run...@gmail.com] 
Sent: Wednesday, January 22, 2014 12:41 AM
To: dev@cloudstack.apache.org
Subject: Re: [Proposal]CloudStack IAM plugin feature (CLOUDSTACK-5920)


On Jan 21, 2014, at 10:57 PM, Prachi Damle <prachi.da...@citrix.com> wrote:

> Min and myself would like to propose an identity and access management plugin 
> for CloudStack for the ACS 4.4 release.
> 
> Here is the functional spec we have drafted for the first phase:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Identity+and+Access+Management+%28IAM%29+Plugin
> 
> Currently CloudStack provides very limited IAM services and there are several 
> drawbacks:
> 
> - Offers few roles out of the box (user and admin) with prebaked access 
> control. There is no way to create customized policies and permissions.
> - Some resources have access control baked into them. E.g., shared networks, 
> projects etc.
> - We have to create special dedicateXXX APIs to grant permissions to 
> resources.
> - Also it does not provide the flexibility to integrate with other RBAC 
> implementations say using AD/LDAP
> 
> Goal for this feature would be to address these limitations and offer true 
> IAM services in a phased manner.
> As a first phase, we need to separate out the current access control into a 
> separate component based on the standard IAM terminologies. Also we need to 
> create an access check mechanism to be used by the API layer to avoid the 
> checks scattered over the api/service layer. The read/listing APIs need to be 
> refactored accordingly to consider the policy based access granting.
> 
> Please provide feedback/suggestions anyone has.
> 

Prachi, I think that's a good idea, it would be nice to look at the AWS IAM 
service and map the API one-to-one. It would ease pain down the road if we want to 
serve an AWS compatible IAM.

-sebastien

Thanks Sebastien, yes true, we are trying to model this as close as possible 
to AWS IAM (using the API name based access granting and the 
group-policy-permission model).
Although we need to accommodate differences to be backwards compatible with the 
current CloudStack access control.
E.g. all access is linked with the account and not on a per-user basis, or with the 
domain tree hierarchy.

> Thanks,
> Prachi & Min
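As an added illustration of the design discussed in this thread (this is not code from the CloudStack project nor from the proposal's authors), the Python sketch below models a group-policy-permission access check in which permissions are keyed on the API name, access is tied to the account rather than the user, and a permission's scope can follow the domain tree, so a single check can sit at the API layer and also drive the filtering of list APIs. The class names, the ACCOUNT/DOMAIN/ALL scopes, the deny-overrides-allow rule (borrowed from the AWS IAM convention Sebastien mentioned) and all sample accounts, domains and resources are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed domain tree: each domain maps to its parent (None for the root).
DOMAIN_PARENT: Dict[str, Optional[str]] = {
    "ROOT": None,
    "ROOT/acme": "ROOT",
    "ROOT/acme/eng": "ROOT/acme",
    "ROOT/globex": "ROOT",
}


def is_in_subtree(domain: str, ancestor: str) -> bool:
    """True if `domain` is `ancestor` itself or lies beneath it in the domain tree."""
    current: Optional[str] = domain
    while current is not None:
        if current == ancestor:
            return True
        current = DOMAIN_PARENT.get(current)
    return False


@dataclass(frozen=True)
class Permission:
    api_name: str          # the API the permission governs, e.g. "listVirtualMachines"
    scope: str             # "ACCOUNT" (own resources), "DOMAIN" (caller's domain subtree), "ALL"
    effect: str = "Allow"  # "Allow" or "Deny"; an explicit Deny always wins


@dataclass
class Policy:
    name: str
    permissions: List[Permission]


@dataclass
class Group:
    name: str
    policies: List[Policy]


@dataclass
class Account:
    name: str
    domain: str
    groups: List[Group]   # access is granted to the account, not to individual users


@dataclass
class Resource:
    kind: str
    owner_account: str
    domain: str


def permission_covers(perm: Permission, caller: Account, resource: Resource) -> bool:
    """Does this permission's scope reach the given resource for this caller?"""
    if perm.scope == "ALL":
        return True
    if perm.scope == "DOMAIN":
        return is_in_subtree(resource.domain, caller.domain)
    if perm.scope == "ACCOUNT":
        return resource.owner_account == caller.name
    return False  # unknown scope: fail closed


def check_access(caller: Account, api_name: str, resource: Resource) -> bool:
    """Single access check for the API layer: default deny, explicit Deny overrides Allow."""
    allowed = False
    for group in caller.groups:
        for policy in group.policies:
            for perm in policy.permissions:
                if perm.api_name != api_name or not permission_covers(perm, caller, resource):
                    continue
                if perm.effect == "Deny":
                    return False
                allowed = True
    return allowed


def filter_listable(caller: Account, api_name: str, resources: List[Resource]) -> List[Resource]:
    """What a refactored list API would return: only the resources the policies grant."""
    return [r for r in resources if check_access(caller, api_name, r)]


# Constructed sample data (assumed names, not from the proposal).
USER_POLICY = Policy("user-basics", [
    Permission("listVirtualMachines", "ACCOUNT"),
    Permission("deployVirtualMachine", "ACCOUNT"),
])
DOMAIN_ADMIN_POLICY = Policy("domain-admin", [
    Permission("listVirtualMachines", "DOMAIN"),
    Permission("destroyVirtualMachine", "DOMAIN"),
])
NO_DESTROY_POLICY = Policy("no-destroy", [
    Permission("destroyVirtualMachine", "ALL", effect="Deny"),
])

USERS = Group("users", [USER_POLICY])
DOMAIN_ADMINS = Group("domain-admins", [DOMAIN_ADMIN_POLICY])
RESTRICTED = Group("restricted", [NO_DESTROY_POLICY])

ALICE = Account("alice", "ROOT/acme/eng", [USERS])
BOB = Account("bob", "ROOT/acme", [DOMAIN_ADMINS])
CAROL = Account("carol", "ROOT/acme", [DOMAIN_ADMINS, RESTRICTED])

VM1 = Resource("VirtualMachine", "alice", "ROOT/acme/eng")
VM2 = Resource("VirtualMachine", "dave", "ROOT/acme/eng")
VM3 = Resource("VirtualMachine", "erin", "ROOT/globex")

if __name__ == "__main__":
    for who in (ALICE, BOB, CAROL):
        visible = [r.owner_account for r in filter_listable(who, "listVirtualMachines", [VM1, VM2, VM3])]
        print(f"{who.name} can list VMs owned by: {visible}")
```

The point of the sketch is that adding a new permission or a new group never touches the API code: `check_access` is the only place an API handler calls, and list APIs reuse the same function instead of carrying their own scattered checks. Carol shows the deny rule, since her domain-admin grant for `destroyVirtualMachine` is overridden by the restricted group's explicit Deny.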
