CloudStack Identity and Access Management (IAM)
Min Chen
Prachi Damle
Citrix
Agenda
•  Background
•  Our Design Goal
•  Architecture
•  Implementation
•  Use Cases
•  Next Steps
Background
•  Limited IAM Services
–  Out-of-box fixed roles (Root Admin, Domain Admin, User) with
prebaked access control.
–  No support for customized roles creation.
–  Special hard-coded access control logic baked in service layer for
some resources like networks, affinity group, etc.
–  Granting permissions by dedicated APIs is very restrictive.
Our Goal
Provide True Pluggable IAM Service
What is IAM
[Diagram: the IAM vocabulary. Labels: Principal, Action, Resource, Permission (Allow/Deny of an Action by a Principal on a Resource), Policy (a set of Permissions), Group (a set of Principals), Role, Impersonate.]
Our IAM Model
Pluggable IAM Service
Host the IAM server as an independent service listening at an endpoint which CloudStack or other portal services call to do access checks.
Pluggable IAM Components
•  Server
–  An implementation of pure IAM taxonomy independent of CloudStack.
–  Out-of-box IAM server implementation based on our IAM schema.
–  Provide IAM server interface for third-party (LDAP/AD based) to implement a different IAM server.
•  Plugin
–  A plugin integrated with CloudStack through adapter interfaces:
•  APIChecker
•  SecurityChecker
•  QuerySelector
–  Serve new IAM API requests
IAM Component Diagram
[Diagram: CloudStack (cloud-api, cloud-server) calls the IAM Service. cloud-plugin-iam provides the adapters APIChecker, SecurityChecker and QuerySelector, implemented as RoleBasedAPIChecker, RoleBasedEntityChecker and RoleBasedQuerySelector, together with the IAM Plugin APIs. cloud-iam-server exposes the IAM Server APIs.]
IAM Server
•  IAM Schema
•  Implement the IAM Server interface to provide your own 3rd-party IAM server.
IAM Plugin
•  IAM APIs 
•  Adapters
–  APIChecker
–  SecurityChecker
•  AccessType
–  QuerySelector
•  Plugin understands CloudStack’s terminology
IAM APIs
•  createIAMGroup, deleteIAMGroup, listIAMGroups
•  createIAMPolicy, deleteIAMPolicy, listIAMPolicies
•  addIAMPermissionToIAMPolicy, removeIAMPermissionFromIAMPolicy
•  addAccountToIAMGroup, removeAccountFromIAMGroup
•  attachIAMPolicyToAccount, removeIAMPolicyFromAccount
•  attachIAMPolicyToIAMGroup, removeIAMPolicyFromIAMGroup
[Diagram: an Account, the subject these APIs add to groups and attach policies to.]
APIChecker
•  CS APIChecker interface
•  commands.properties
•  RoleBasedAPIAccessChecker
–  On startup loads permissions from commands.properties
–  checkAccess by listing policy permissions

    public interface APIChecker extends Adapter {
        boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
    }

commands.properties role bits: 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER. Each entry is an API name and the OR of the role bits allowed to call it, so the sample entry grants all four roles (15 = 1 + 2 + 4 + 8):

    startVirtualMachine=15
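As an added illustration (not CloudStack's own code), the following Python models the RoleBasedAPIAccessChecker behaviour described above: it parses the commands.properties role bitmask into one allowed-API set per role at startup and answers checkAccess for a role. The entries other than startVirtualMachine=15, the role-name dictionary, and the fail-closed handling of unknown roles, unknown APIs and malformed lines are assumptions.

```python
# Role bit values exactly as listed on the slide.
ROLE_MASKS = {"ADMIN": 1, "RESOURCE_DOMAIN_ADMIN": 2, "DOMAIN_ADMIN": 4, "USER": 8}
ALL_ROLES_MASK = sum(ROLE_MASKS.values())  # 15, i.e. every role

# Constructed sample file: only startVirtualMachine=15 is from the slide; the other
# two entries are assumptions chosen to show an admin-only and an admin-tier-only API.
SAMPLE_COMMANDS_PROPERTIES = """\
# 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER
startVirtualMachine=15
migrateVirtualMachine=1
createIAMPolicy=7
"""


class PermissionDeniedException(Exception):
    """Mirrors the exception declared by the APIChecker interface."""


def parse_commands_properties(text):
    """Return {api_name: role_mask}. Comments and blank lines are skipped; a malformed
    entry or a mask with unknown bits raises, so a typo cannot silently change who may
    call an API."""
    perms = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = (s.strip() for s in line.partition("="))
        if not sep or not name or not value.isdigit():
            raise ValueError(f"line {lineno}: expected api=mask, got {raw!r}")
        mask = int(value)
        if mask > ALL_ROLES_MASK:
            raise ValueError(f"line {lineno}: mask {mask} uses unknown role bits")
        perms[name] = mask
    return perms


def roles_for_mask(mask):
    """Decode a bitmask into the set of role names it grants."""
    return {role for role, bit in ROLE_MASKS.items() if mask & bit}


class RoleBasedAPIChecker:
    """On startup loads the file into one allowed-API set per role (the default
    per-role policy), then answers checkAccess(role, apiCommandName)."""

    def __init__(self, properties_text):
        perms = parse_commands_properties(properties_text)
        self.allowed = {
            role: frozenset(api for api, mask in perms.items() if mask & bit)
            for role, bit in ROLE_MASKS.items()
        }

    def check_access(self, role, api_command_name):
        # Fail closed: an unknown role, or an API absent from the file, is denied.
        if api_command_name not in self.allowed.get(role, frozenset()):
            raise PermissionDeniedException(f"{role} may not call {api_command_name}")
        return True

    def is_allowed(self, role, api_command_name):
        try:
            return self.check_access(role, api_command_name)
        except PermissionDeniedException:
            return False


if __name__ == "__main__":
    checker = RoleBasedAPIChecker(SAMPLE_COMMANDS_PROPERTIES)
    for role in ROLE_MASKS:
        print(f"{role}: {sorted(checker.allowed[role])}")
```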
  
Default CloudStack Policies
[Diagram: the three default policies, each attached to its group.]
•  User Policy (User Group): Permission startVirtualMachine on VirtualMachine, scope ACCOUNT $accountId
•  Domain Admin Policy (Domain Admin Group): Permission startVirtualMachine on VirtualMachine, scope DOMAIN $domainId
•  Root Admin Policy (Root Admin Group): Permission startVirtualMachine on VirtualMachine, scope ALL; Permission migrateVirtualMachine
•  IAM APIChecker: startVirtualMachine = 15
SecurityChecker
•  CS SecurityChecker interface
•  RoleBasedEntityAccessChecker
–  Checks policy permissions for the entity and action/accessType
–  Only works with ‘Allow’. No ‘Deny’ in this phase.
•  AccessType
–  ListEntry (read-only access)
–  UseEntry (read and use access)
–  OperateEntry (operate access)

    public interface SecurityChecker extends Adapter {
        boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
            throws PermissionDeniedException;
    }
Access Check Flow
[Diagram: User1 issues startVirtualMachine ‘Foo’ on VM Foo; User2 and the Root Admin issue the same call. The request first passes the IAM API Checker and then the IAM SecurityChecker, which consults the caller's policies: User Policy via User Group (startVirtualMachine on VirtualMachine, scope ACCOUNT $accountId), Domain Admin Policy via Domain Admin Group (startVirtualMachine on VirtualMachine, scope DOMAIN $domainId), Root Admin Policy via Root Admin Group (startVirtualMachine on VirtualMachine, scope ALL).]
IAM QuerySelector
•  QuerySelector => RoleBasedQuerySelector

    public interface QuerySelector extends Adapter {
        List<Long> getAuthorizedDomains(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedAccounts(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedResources(Account caller, String entityType, AccessType accessType);
        boolean isGrantedAll(Account caller, String action, AccessType accessType);
        List<String> listIAMGroupsByAccount(long accountId);
    }
Custom Policy
•  Use Case: Domain admin wants to grant “read only access” to all VMs of his domain to some service desk accounts.
[Diagram: a Service Desk Group holding the service desk accounts (added with addAccountToIAMGroup) with a ReadOnlyPolicy attached (attachIAMPolicyToIAMGroup); the policy holds one Permission: listVirtualMachines on VirtualMachine, scope DOMAIN $domainId. A VMOpPolicy is shown alongside.]
Cross-Account Grant
•  Use Case: Account A has a VM foo, and she wants to allow Account B to start/stop her VM foo.
[Diagram: Account A grants Account B two Permissions on VM Foo: startVirtualMachine on VirtualMachine, scope RESOURCE foo, and stopVirtualMachine on VirtualMachine, scope RESOURCE foo.]
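The entity-level check behind the SecurityChecker, Access Check Flow, Custom Policy and Cross-Account Grant slides, plus the QuerySelector scope queries, as one added Python model (not CloudStack's own code). It keeps the slides' rules: the $accountId / $domainId placeholders resolve to the caller, scopes are ALL, DOMAIN, ACCOUNT and RESOURCE, and only Allow exists. The AccessType given to the default policies, the account and VM ids, and the function names are assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

class AccessType(IntEnum):
    """Ordered so that a permission of a stronger type satisfies a weaker request."""
    ListEntry = 1     # read-only access
    UseEntry = 2      # read and use access
    OperateEntry = 3  # operate access

@dataclass(frozen=True)
class Permission:
    action: str                      # API name, e.g. "startVirtualMachine"
    entity_type: str                 # e.g. "VirtualMachine"
    access_type: AccessType
    scope: str                       # "ALL", "DOMAIN", "ACCOUNT" or "RESOURCE"
    scope_id: Optional[int] = None   # None = the slides' $domainId / $accountId placeholder

@dataclass(frozen=True)
class Account:
    id: int
    domain_id: int

@dataclass(frozen=True)
class Entity:  # a ControlledEntity
    id: int
    entity_type: str
    account_id: int
    domain_id: int

class PermissionDeniedException(Exception):
    pass

def _resolve(perm, caller):
    # A DOMAIN/ACCOUNT placeholder resolves to the caller's own domain or account.
    if perm.scope_id is not None:
        return perm.scope_id
    return caller.domain_id if perm.scope == "DOMAIN" else caller.id

def _scope_matches(perm, caller, entity):
    if perm.scope == "ALL":
        return True
    if perm.scope == "DOMAIN":
        return entity.domain_id == _resolve(perm, caller)
    if perm.scope == "ACCOUNT":
        return entity.account_id == _resolve(perm, caller)
    if perm.scope == "RESOURCE":
        return perm.scope_id is not None and entity.id == perm.scope_id
    return False  # unknown scope: fail closed

def check_access(policies, caller, entity, access_type, action=None):
    """SecurityChecker.checkAccess: Allow-only; the first matching permission wins."""
    for policy in policies:
        for perm in policy:
            if perm.entity_type != entity.entity_type or perm.access_type < access_type:
                continue
            if action is not None and perm.action != action:
                continue
            if _scope_matches(perm, caller, entity):
                return True
    raise PermissionDeniedException(
        f"account {caller.id}: {action or access_type.name} on {entity.entity_type} {entity.id}")

def is_allowed(policies, caller, entity, access_type, action=None):
    try:
        return check_access(policies, caller, entity, access_type, action)
    except PermissionDeniedException:
        return False

def authorized_scope(policies, caller, entity_type, access_type):
    """QuerySelector view: isGrantedAll plus the domain/account/resource ids to list for the caller."""
    out = {"all": False, "domains": set(), "accounts": set(), "resources": set()}
    for policy in policies:
        for perm in policy:
            if perm.entity_type != entity_type or perm.access_type < access_type:
                continue
            if perm.scope == "ALL":
                out["all"] = True
            elif perm.scope == "RESOURCE":
                out["resources"].add(perm.scope_id)
            elif perm.scope in ("DOMAIN", "ACCOUNT"):
                out[perm.scope.lower() + "s"].add(_resolve(perm, caller))
    return out

# Policies from the slides; giving the default policies OperateEntry is an assumption.
VM = "VirtualMachine"
USER_POLICY = [Permission("startVirtualMachine", VM, AccessType.OperateEntry, "ACCOUNT")]
DOMAIN_ADMIN_POLICY = [Permission("startVirtualMachine", VM, AccessType.OperateEntry, "DOMAIN")]
ROOT_ADMIN_POLICY = [Permission("startVirtualMachine", VM, AccessType.OperateEntry, "ALL")]
READ_ONLY_POLICY = [Permission("listVirtualMachines", VM, AccessType.ListEntry, "DOMAIN")]
# Constructed ids: VM foo (42) is owned by account A (1); A, B (2) and the service desk (3) share domain 10.
FOO = Entity(42, VM, account_id=1, domain_id=10)
CROSS_ACCOUNT_GRANT = [Permission("startVirtualMachine", VM, AccessType.OperateEntry, "RESOURCE", FOO.id),
                       Permission("stopVirtualMachine", VM, AccessType.OperateEntry, "RESOURCE", FOO.id)]
ACCOUNT_A, ACCOUNT_B, SERVICE_DESK = Account(1, 10), Account(2, 10), Account(3, 10)
```

With these policies, B can start and stop foo but nothing else, the service desk can list VMs in domain 10 but not operate them, and the query side reports exactly the account, domain and resource ids a list API should filter on.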
  
Next Step
•  Integrate IAM model with all CloudStack access control logic
–  Shared and isolated networks
–  Handle non-ControlledEntity resources like Zone and Service Offering (Disk Offering, Network Offering)
–  Dedicated resource feature
•  Provide UI support for IAM APIs.
•  Handle JSON based policy definition.
References
•  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer
•  Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer
More Related Content

What's hot

Building Sustainable Ecosystems: The Economics of Collaboration
Building Sustainable Ecosystems: The Economics of CollaborationBuilding Sustainable Ecosystems: The Economics of Collaboration
Building Sustainable Ecosystems: The Economics of CollaborationWSO2
 
Api management introduction and product overview v1.0 2014.08.28
Api management introduction and product overview v1.0 2014.08.28Api management introduction and product overview v1.0 2014.08.28
Api management introduction and product overview v1.0 2014.08.28floridawusergroup
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseAkana
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater Apigee | Google Cloud
 
Strong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions AnsweredStrong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions AnsweredWSO2
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays
 
How APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile EnvironmentsHow APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile EnvironmentsWSO2
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management SeminarCA API Management
 
Webcast: AWS Sticker Shock? How can containers and automation help?
Webcast: AWS Sticker Shock?  How can containers and automation help?Webcast: AWS Sticker Shock?  How can containers and automation help?
Webcast: AWS Sticker Shock? How can containers and automation help?Applatix
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native EraWSO2
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018Chris Phillips
 
Overview of API Management Architectures
Overview of API Management ArchitecturesOverview of API Management Architectures
Overview of API Management ArchitecturesNordic APIs
 
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeApigee | Google Cloud
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays
 

What's hot (20)

Building Sustainable Ecosystems: The Economics of Collaboration
Building Sustainable Ecosystems: The Economics of CollaborationBuilding Sustainable Ecosystems: The Economics of Collaboration
Building Sustainable Ecosystems: The Economics of Collaboration
 
Gravitee.io
Gravitee.ioGravitee.io
Gravitee.io
 
Api management introduction and product overview v1.0 2014.08.28
Api management introduction and product overview v1.0 2014.08.28Api management introduction and product overview v1.0 2014.08.28
Api management introduction and product overview v1.0 2014.08.28
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
 
The Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the EnterpriseThe Business Value for Internal APIs in the Enterprise
The Business Value for Internal APIs in the Enterprise
 
Authentication and single sign on (sso)
Authentication and single sign on (sso)Authentication and single sign on (sso)
Authentication and single sign on (sso)
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Strong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions AnsweredStrong Customer Authentication - All Your Questions Answered
Strong Customer Authentication - All Your Questions Answered
 
WSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and RoadmapWSO2 API Platform: Vision and Roadmap
WSO2 API Platform: Vision and Roadmap
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
 
How APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile EnvironmentsHow APIs Can Be Secured in Mobile Environments
How APIs Can Be Secured in Mobile Environments
 
API strategy with IBM API connect
API strategy with IBM API connectAPI strategy with IBM API connect
API strategy with IBM API connect
 
Melbourne API Management Seminar
Melbourne API Management SeminarMelbourne API Management Seminar
Melbourne API Management Seminar
 
Webcast: AWS Sticker Shock? How can containers and automation help?
Webcast: AWS Sticker Shock?  How can containers and automation help?Webcast: AWS Sticker Shock?  How can containers and automation help?
Webcast: AWS Sticker Shock? How can containers and automation help?
 
API Security In Cloud Native Era
API Security In Cloud Native EraAPI Security In Cloud Native Era
API Security In Cloud Native Era
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018IBM API Connect Deployment `Good Practices - IBM Think 2018
IBM API Connect Deployment `Good Practices - IBM Think 2018
 
Overview of API Management Architectures
Overview of API Management ArchitecturesOverview of API Management Architectures
Overview of API Management Architectures
 
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhuapidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...apidays LIVE Paris - Potential of API integrations, common traps and advices ...
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
 

Similar to CloudStack Identity and Access Management (IAM)

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...Amazon Web Services
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Amazon Web Services
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live byJohn Varghese
 
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...Amazon Web Services
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)Amazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Amazon Web Services
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftAmazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Amazon Web Services
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesAmazon Web Services
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityAmazon Web Services
 
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018Amazon Web Services
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended PracticesAmazon Web Services
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Amazon Web Services
 
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Amazon Web Services
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Amazon Web Services
 

Similar to CloudStack Identity and Access Management (IAM) (20)

IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
IAM for Enterprises: How Vanguard Matured IAM Controls to Support Micro Accou...
 
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
Foundations - Understanding the Critical Building Blocks of AWS Identity & Go...
 
Aws iam best practices to live by
Aws iam best practices to live byAws iam best practices to live by
Aws iam best practices to live by
 
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...
Authentication & Authorization in GraphQL with AWS AppSync (MOB402) - AWS re:...
 
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
AWS re:Invent 2016: IAM Best Practices to Live By (SAC317)
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
Mastering Identity at Every Layer of the Cake (SEC401-R1) - AWS re:Invent 2018
 
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF LoftIdentity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
Identity Round Robin Workshop - Serverless Round: Security Week at the SF Loft
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 
Compliance and Security Mitigation Techniques
Compliance and Security Mitigation TechniquesCompliance and Security Mitigation Techniques
Compliance and Security Mitigation Techniques
 
Identify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS SecurityIdentify and Access Management: The First Step in AWS Security
Identify and Access Management: The First Step in AWS Security
 
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
Security in Amazon Elasticsearch Service (ANT392) - AWS re:Invent 2018
 
IAM Recommended Practices
IAM Recommended PracticesIAM Recommended Practices
IAM Recommended Practices
 
AWS Security by Design
AWS Security by Design AWS Security by Design
AWS Security by Design
 
Security Day IAM Recommended Practices
Security Day IAM Recommended PracticesSecurity Day IAM Recommended Practices
Security Day IAM Recommended Practices
 
Mitigating techniques
Mitigating techniquesMitigating techniques
Mitigating techniques
 
Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)Introduction to Identity and Access Management (IAM)
Introduction to Identity and Access Management (IAM)
 
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
Deconstructing SaaS: Deep Dive into Building Multi-Tenant Solutions on AWS (A...
 
IAM Introduction
IAM IntroductionIAM Introduction
IAM Introduction
 
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
Security Best Practices for Microsoft Workloads (WIN307) - AWS re:Invent 2018
 

Recently uploaded

sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfJulia Kaye
 
Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...sahb78428
 
Mohs Scale of Hardness, Hardness Scale.pptx
Mohs Scale of Hardness, Hardness Scale.pptxMohs Scale of Hardness, Hardness Scale.pptx
Mohs Scale of Hardness, Hardness Scale.pptxKISHAN KUMAR
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingMarian Marinov
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxjasonsedano2
 
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Apollo Techno Industries Pvt Ltd
 
Test of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxTest of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxHome
 
Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...Transforming Process Safety Management: Challenges, Benefits, and Transition ...
Transforming Process Safety Management: Challenges, Benefits, and Transition ...soginsider
 
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....
SATELITE COMMUNICATION UNIT 1 CEC352 REGULATION 2021 PPT BASICS OF SATELITE ....santhyamuthu1
 
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docxSUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docx
SUMMER TRAINING REPORT ON BUILDING CONSTRUCTION.docxNaveenVerma126
 
ASME BPVC 2023 Section I para leer y entender
ASME BPVC 2023 Section I para leer y entenderASME BPVC 2023 Section I para leer y entender
ASME BPVC 2023 Section I para leer y entenderjuancarlos286641
 
me3493 manufacturing technology unit 1 Part A
me3493 manufacturing technology unit 1 Part Ame3493 manufacturing technology unit 1 Part A
me3493 manufacturing technology unit 1 Part Akarthi keyan
 
The relationship between iot and communication technology
The relationship between iot and communication technologyThe relationship between iot and communication technology
The relationship between iot and communication technologyabdulkadirmukarram03
 
Power System electrical and electronics .pptx
Power System electrical and electronics .pptxPower System electrical and electronics .pptx
Power System electrical and electronics .pptxMUKULKUMAR210
 
Phase noise transfer functions.pptx
Phase noise transfer      functions.pptxPhase noise transfer      functions.pptx
Phase noise transfer functions.pptxSaiGouthamSunkara
 

Recently uploaded (20)

sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdfsdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
sdfsadopkjpiosufoiasdoifjasldkjfl a asldkjflaskdjflkjsdsdf
 
Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...Clutches and brkesSelect any 3 position random motion out of real world and d...
Clutches and brkesSelect any 3 position random motion out of real world and d...
 
Mohs Scale of Hardness, Hardness Scale.pptx
Mohs Scale of Hardness, Hardness Scale.pptxMohs Scale of Hardness, Hardness Scale.pptx
Mohs Scale of Hardness, Hardness Scale.pptx
 
Présentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdfPrésentation IIRB 2024 Marine Cordonnier.pdf
Présentation IIRB 2024 Marine Cordonnier.pdf
 
Dev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & LoggingDev.bg DevOps March 2024 Monitoring & Logging
Dev.bg DevOps March 2024 Monitoring & Logging
 
nvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptxnvidia AI-gtc 2024 partial slide deck.pptx
nvidia AI-gtc 2024 partial slide deck.pptx
 
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...Technology Features of Apollo HDD Machine, Its Technical Specification with C...
Technology Features of Apollo HDD Machine, Its Technical Specification with C...
 
Test of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptxTest of Significance of Large Samples for Mean = µ.pptx
Test of Significance of Large Samples for Mean = µ.pptx
 

CloudStack Identity and Access Management (IAM)

  • 1. CloudStack Identity and Access Management (IAM) Min Chen, Prachi Damle, Citrix
  • 2. Agenda •  Background •  Our Design Goal •  Architecture •  Implementation •  Use Cases •  Next Steps
  • 3. Background •  Limited IAM Services –  Out-of-box fixed roles (Root Admin, Domain Admin, User) with prebaked access control. –  No support for creating customized roles. –  Special hard-coded access control logic baked into the service layer for some resources like networks, affinity groups, etc. –  Granting permissions through dedicated APIs is very restrictive.
  • 4. Our Goal Provide True Pluggable IAM Service
  • 6. What is IAM (diagram): a Permission binds a Principal, an Action and a Resource; Permissions are grouped into a Policy; Principals are grouped into a Group; Roles, Impersonate and Allow/Deny are the remaining model elements.
  • 8. Pluggable IAM Service: host the IAM server as an independent service listening at an endpoint, which CloudStack or other portal services call to do access checks.
  • 9. Pluggable IAM Components •  Server –  An implementation of pure IAM taxonomy independent of CloudStack. –  Out-of-box IAM server implementation based on our IAM schema. –  Provide an IAM server interface for third parties (LDAP/AD based) to implement a different IAM server. •  Plugin –  A plugin integrated with CloudStack through adapter interfaces: APIChecker, SecurityChecker, QuerySelector. –  Serve new IAM API requests.
  • 10. IAM Component Diagram: CloudStack (cloud-api, cloud-server) calls the adapter interfaces APIChecker, SecurityChecker and QuerySelector; the IAM Service (cloud-plugin-iam) implements them as RoleBasedAPIChecker, RoleBasedEntityChecker and RoleBasedQuerySelector and exposes the IAM Plugin APIs; the plugin calls cloud-iam-server through the IAM Server APIs.
  • 11. IAM Server •  IAM Schema •  Implement IAM Server interface to provide your own 3rd-party IAM server.
  • 12. IAM Plugin •  IAM APIs •  Adapters –  APIChecker –  SecurityChecker •  AccessType –  QuerySelector •  Plugin understands CloudStack’s terminology
  • 13. IAM APIs: createIAMGroup, deleteIAMGroup, listIAMGroups, createIAMPolicy, deleteIAMPolicy, listIAMPolicies, addIAMPermissionToIAMPolicy, removeIAMPermissionFromIAMPolicy, addAccountToIAMGroup, removeAccountFromIAMGroup, attachIAMPolicyToAccount, removeIAMPolicyFromAccount, attachIAMPolicyToIAMGroup, removeIAMPolicyFromIAMGroup (the Account is the principal these APIs operate on).
  • 14. APIChecker •  CS APIChecker interface •  commands.properties •  RoleBasedAPIAccessChecker –  On startup loads permissions from commands.properties –  checkAccess by listing policy permissions

    public interface APIChecker extends Adapter {
        boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
    }

    Role bits in commands.properties: 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER. Example entry: startVirtualMachine=15 (15 = 1 + 2 + 4 + 8, so all four roles may call it).
  • 15. Default CloudStack Policies
    –  User Group → User Policy: Permission (startVirtualMachine, VirtualMachine, scope ACCOUNT, $accountId)
    –  Domain Admin Group → Domain Admin Policy: Permission (startVirtualMachine, VirtualMachine, scope DOMAIN, $domainId)
    –  Root Admin Group → Root Admin Policy: Permission (startVirtualMachine, VirtualMachine, Scope: ALL); Permission (migrateVirtualMachine)
    –  IAM APIChecker: startVirtualMachine = 15
  • 16. SecurityChecker •  CS SecurityChecker interface •  RoleBasedEntityAccessChecker •  Check Policy permissions for the entity and action/accessType •  Only works with ‘Allow’. No ‘Deny’ in this phase. •  AccessType –  ListEntry (read-only access) –  UseEntry (read and use access) –  OperateEntry (operate access)

    public interface SecurityChecker extends Adapter {
        boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action)
            throws PermissionDeniedException;
    }
  • 17. Access Check Flow (diagram): User1, User2 and Root Admin each call startVirtualMachine ‘Foo’ on VM Foo. The request first passes the IAM API Checker (startVirtualMachine = 15, so the caller's role may invoke the API) and then the IAM SecurityChecker, which matches the caller's group policies against the entity: User Group → User Policy (startVirtualMachine, VirtualMachine, ACCOUNT, $accountId); Domain Admin Group → Domain Admin Policy (startVirtualMachine, VirtualMachine, DOMAIN, $domainId); Root Admin Group → Root Admin Policy (startVirtualMachine, VirtualMachine, Scope: ALL).
  • 18. IAM QuerySelector •  QuerySelector => RoleBasedQuerySelector

    public interface QuerySelector extends Adapter {
        List<Long> getAuthorizedDomains(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedAccounts(Account caller, String entityType, AccessType accessType);
        List<Long> getAuthorizedResources(Account caller, String entityType, AccessType accessType);
        boolean isGrantedAll(Account caller, String action, AccessType accessType);
        List<String> listIAMGroupsByAccount(long accountId);
    }
  • 19. Custom Policy •  Use Case: Domain admin wants to grant “read only access” to all VMs of his domain to some service desk accounts. (diagram) Service Desk Group with ReadOnlyPolicy: Permission (listVirtualMachines, VirtualMachine, DOMAIN, $domainId); the accounts are added with addAccountToIAMGroup and the policy is attached with attachIAMPolicyToIAMGroup.
  • 20. Cross-Account Grant •  Use Case: Account A has a VM foo, and she wants to grant Account B permission to Start/Stop her VM foo. (diagram) VMOpPolicy: Permission (startVirtualMachine, VirtualMachine, RESOURCE, foo); Permission (stopVirtualMachine, VirtualMachine, RESOURCE, foo); A grants the policy to B for VM Foo.
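A small model of the two checks the slides describe, added here and not part of the CloudStack code base: the commands.properties role bitmask behind RoleBasedAPIAccessChecker (slides 14 and 15) and the scope-based, allow-only permission match behind RoleBasedEntityAccessChecker (slides 16, 17 and the RESOURCE-scoped cross-account grant on slide 20). The commands.properties excerpt, the account and VM records and the Python class names are constructed for illustration.

```python
from dataclasses import dataclass
# Role bits as listed on slide 14; a commands.properties value is their sum.
ADMIN, RESOURCE_DOMAIN_ADMIN, DOMAIN_ADMIN, USER = 1, 2, 4, 8

# Constructed excerpt in commands.properties format (not the real file).
COMMANDS_PROPERTIES = "startVirtualMachine=15\nmigrateVirtualMachine=1\n"

def load_api_role_masks(text):
    """Parse 'apiName=mask' lines into {apiName: mask}, as done at startup."""
    masks = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            masks[name.strip()] = int(value)
    return masks

def api_allowed(masks, role, api_name):
    """APIChecker step: the caller's role bit must be set in the API's mask."""
    return bool(masks.get(api_name, 0) & role)

@dataclass(frozen=True)
class Account:
    id: int
    domain_id: int

@dataclass(frozen=True)
class VirtualMachine:
    id: str
    account_id: int
    domain_id: int

@dataclass(frozen=True)
class Permission:
    action: str       # e.g. "startVirtualMachine"
    entity_type: str  # e.g. "VirtualMachine"
    scope: str        # ACCOUNT ($accountId), DOMAIN ($domainId), ALL, RESOURCE
    resource_id: str = ""  # only used for RESOURCE scope

def entity_access_allowed(caller, entity, action, perms):
    """SecurityChecker step: allow-only, so the first matching permission wins."""
    for p in perms:
        if p.action != action or p.entity_type != type(entity).__name__:
            continue
        if (p.scope == "ALL"
                or (p.scope == "ACCOUNT" and entity.account_id == caller.id)
                or (p.scope == "DOMAIN" and entity.domain_id == caller.domain_id)
                or (p.scope == "RESOURCE" and entity.id == p.resource_id)):
            return True
    return False  # no Deny evaluation: only Allow exists in this phase
```

Note that a caller in another account with only the User Policy is refused at the SecurityChecker even though the API bitmask admitted the call; the two checks are independent and both must pass.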
  • 21. Next Steps •  Integrate the IAM model with all CloudStack access control logic –  Shared and isolated networks –  Handle non-ControlledEntity resources like Zone and Service Offerings (Disk Offering, Network Offering) –  Dedicated resource feature •  Provide UI support for IAM APIs. •  Handle JSON-based policy definition.
  • 22. References •  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer •  Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+IAM+guidelines+for+API+and+Service+Layer