Min Chen, profile picture
Uploaded byMin Chen
PDF, PPTX632 views

CloudStack Identity and Access Management (IAM)

The document discusses CloudStack's plans to implement an Identity and Access Management (IAM) service. It describes CloudStack's current limited IAM capabilities and the goal to provide a pluggable IAM service. The proposed architecture includes hosting an independent IAM server and integrating an IAM plugin with CloudStack via adapter interfaces. The plugin would support new IAM APIs and policies to control access at the user, group, and resource levels. Example use cases are provided to demonstrate how the IAM service could enable cross-account access policies and role-based access controls.

Embed presentation

Download as PDF, PPTX
CloudStack Identity and Access Management (IAM) Min Chen Prachi Damle" Citrix
Agenda •  Background •  Our Design Goal •  Architecture •  Implementation •  Use Cases •  Next Steps
Background •  Limited IAM Services –  Out-of-box fixed roles (Root Admin, Domain Admin, User) with prebaked access control. –  No support for customized roles creation. –  Special hard-coded access control logic baked in service layer for some resources like networks, affinity group, etc. –  Granting permissions by dedicated APIs is very restrictive.
Our Goal Provide True Pluggable IAM Service
Our Goal Provide True Pluggable IAM Service
What is IAM" " 👩     👨     👦     Permission   Principal   Ac+on   Resource   Permission   Principal   Ac+on   Resource   Permission   Principal   Ac+on   Resource   Policy   Group   Resource   Resource   Resource   Resource   Principal   Principal   Principal   👫   Role   Impersonate   Allow/Deny  
Our IAM Model
Pluggable IAM Service" Host IAM server as an Independent Service listening at an endpoint which CloudStack or other portal services call to do access checks
Pluggable IAM Components" •  Server –  An implementation of pure IAM taxonomy independent of CloudStack. –  Out-of-box IAM server implementation based on our IAM schema –  Provide IAM server interface for third-party (LDAP/AD based) to implement a different IAM server. •  Plugin –  A plugin integrated with CloudStack through adapter interfaces: •  APIChecker •  SecurityChecker •  QuerySelector –  Serve new IAM API requests
IAM Component Diagram CloudStack   cloud-­‐api   cloud-­‐server   IAM  Service   cloud-­‐plugin-­‐iam   APIChecker   SecurityChecker   QuerySelector   RoleBasedAPIChecker   RoleBasedEn+tyChecker   RoleBasedQuerySelector   IAM  Plugin  APIs   cloud-­‐iam-­‐server   IAM  Server  APIs  
IAM Server •  IAM Schema •  Implement IAM Server interface to provide your own 3rd-party IAM server.
IAM Plugin •  IAM APIs •  Adapters –  APIChecker –  SecurityChecker •  AccessType –  QuerySelector •  Plugin understands CloudStack’s terminology
IAM APIs createIAMGroup   deleteIAMGroup   listIAMGroups   createIAMPolicy   deleteIAMPolicy   listIAMPolicies   addIAMPermissionToIAMPolicy   removeIAMPermissionFromIAMPolicy   addAccountToIAMGroup   removeAccountFromIAMGroup   aDachIAMPolicyToAccount   removeIAMPolicyFromAccount   aDachIAMPolicyToIAMGroup   removeIAMPolicyFromIAMGroup  👩      Account  
APIChecker •  CS APIChecker interface •  commands.properties •  RoleBasedAPIAccessChecker –  On startup loads permissions from commands.properties –  checkAccess by listing policy permissions public  interface  APIChecker  extends  Adapter  {          boolean  checkAccess(User  user,    String  apiCommandName)  throws    PermissionDeniedExcep+on;  }   1  =  ADMIN,  2  =  RESOURCE_DOMAIN_ADMIN,  4  =  DOMAIN_ADMIN,  8  =  USER   startVirtualMachine=15  
Default CloudStack Policies User  Policy   startVirtualMachine   VirtualMachine   ACCOUNT   $accountId   Permission   User  Group   Domain  Admin  Policy   startVirtualMachine   VirtualMachine   DOMAIN   $domainId   Permission   Domain  Admin  Group   Root  Admin  Policy   startVirtualMachine   VirtualMachine   Scope:  ALL   Permission   migrateVirtualMachine   Permission   Root  Admin  Group   IAM  APIChecker   startVirtualMachine  =  15  
SecurityChecker •  CS SecurityChecker interface •  RoleBasedEntityAccessChecker •  Check Policy permissions for the entity and action/accessType •  Only work with ‘Allow’. No ‘Deny’ in this phase. •  AccessType •  ListEntry (read-only access) •  UseEntry (read and use access) •  OperateEntry (operate access) public  interface  SecurityChecker  extends  Adapter  {   boolean  checkAccess(Account  caller,    ControlledEn+ty  en+ty,    AccessType  accessType,  String  ac+on)   throws  PermissionDeniedExcep+on;   }  
Access Check Flow 👩     User1   startVirtualMachine  ‘Foo’   👩     User2   💻   Foo   IAM  API  Checker   IAM   SecurityChecker   User  Policy   startVirtualMachine   VirtualMachine   ACCOUNT   $accountId   Permission   User  Group   Domain  Admin  Policy   startVirtualMachine   VirtualMachine   DOMAIN   $domainId   Permission   Domain  Admin  Group   Root  Admin  Policy   startVirtualMachine   VirtualMachine   Scope:  ALL   Permission   Root  Admin  Group   startVirtualMachine  ‘Foo’   👩     Root  Admin   startVirtualMachine  ‘Foo’  
IAM QuerySelector •  QuerySelector => RoleBasedQuerySelector public  interface  QuerySelector  extends  Adapter  {              List<Long>  getAuthorizedDomains(Account  caller,  String  en+tyType,  AccessType  accessType);              List<Long>  getAuthorizedAccounts(Account  caller,  String  en+tyType,  AccessType  accessType);              List<Long>  getAuthorizedResources(Account  caller,  String  en+tyType,  AccessType  accessType);              boolean  isGrantedAll(Account  caller,  String  ac+on,  AccessType  accessType);              List<String>  listIAMGroupsByAccount(long  accountId);     }      
Custom Policy •  Use Case: Domain admin wants to grant “read only access” to all VMs of his domain to some service desk accounts. Service  Desk   Group   ReadOnlyPolicy   listVirtualMachines   VirtualMachine   DOMAIN   $domainId   Permission   👩     👨     addAccountToIAMGroup   aAachIAMPolicyToIAMGroup  
VMOpPolicy   Cross-Account Grant •  Use Case: Account A has a VM foo, and she wants to grant Account B to Start/Stop her VM foo. startVirtualMachine   VirtualMachine   RESOURCE   foo   Permission   stopVirtualMachine   VirtualMachine   RESOURCE   foo   Permission   👩     👨     A   B   💻   Foo  
Next Step •  Integrate IAM model with all CloudStack access control logic –  Shared and isolated networks –  Handle non ControlledEntity like Zone and Service Offering(Disk offering, Network Offering) –  Dedicated resource feature •  Provide UI support for IAM APIs. •  Handle JSON based policy definition.
References •  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer •  Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer

More Related Content

PDF
How Secure Are Your APIs?
byApigee | Google Cloud
 
PDF
Gravitee API Management - Ahmet AYDIN
bykloia
 
PPTX
BDD Approach with Karate Framework in Service Tests
bykloia
 
PPTX
Camunda BPM - Said Mengi
bykloia
 
PDF
Role of API Management in an API led Digital Economy
byWSO2
 
PPTX
A Definition of Done for DevSecOps
byGene Gotimer
 
PPTX
API Management Demystified
byManmohan Gupta
 
PPT
Cloud Foundry Summit 2014: Introducing Cloud Foundry Integration for Eclipse
bydmbtr3
 
How Secure Are Your APIs?
byApigee | Google Cloud
 
Gravitee API Management - Ahmet AYDIN
bykloia
 
BDD Approach with Karate Framework in Service Tests
bykloia
 
Camunda BPM - Said Mengi
bykloia
 
Role of API Management in an API led Digital Economy
byWSO2
 
A Definition of Done for DevSecOps
byGene Gotimer
 
API Management Demystified
byManmohan Gupta
 
Cloud Foundry Summit 2014: Introducing Cloud Foundry Integration for Eclipse
bydmbtr3
 

What's hot

PDF
API strategy with IBM API connect
byKellton Tech Solutions Ltd
 
PDF
WSO2 API Platform: Vision and Roadmap
byWSO2
 
PPTX
IBM API Connect Deployment `Good Practices - IBM Think 2018
byChris Phillips
 
PDF
Gravitee.io
byKnoldus Inc.
 
PPTX
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
byapidays
 
PPTX
Overview of API Management Architectures
byNordic APIs
 
PPTX
The Business Value for Internal APIs in the Enterprise
byAkana
 
PPT
Api management introduction and product overview v1.0 2014.08.28
byfloridawusergroup
 
PPTX
Deep-Dive: API Security in the Digital Age
byApigee | Google Cloud
 
PDF
Strong Customer Authentication - All Your Questions Answered
byWSO2
 
PPTX
Authentication and single sign on (sso)
byKumaresh Chandra Baruri
 
PDF
Building Sustainable Ecosystems: The Economics of Collaboration
byWSO2
 
PDF
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
byapidays
 
PDF
API Security In Cloud Native Era
byWSO2
 
PDF
Melbourne API Management Seminar
byCA API Management
 
PPTX
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
PDF
How APIs Can Be Secured in Mobile Environments
byWSO2
 
PDF
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
byapidays
 
PPTX
Webcast: AWS Sticker Shock? How can containers and automation help?
byApplatix
 
PPTX
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 
API strategy with IBM API connect
byKellton Tech Solutions Ltd
 
WSO2 API Platform: Vision and Roadmap
byWSO2
 
IBM API Connect Deployment `Good Practices - IBM Think 2018
byChris Phillips
 
Gravitee.io
byKnoldus Inc.
 
apidays LIVE India - Asynchronous and Broadcasting APIs using Kafka by Rohit ...
byapidays
 
Overview of API Management Architectures
byNordic APIs
 
The Business Value for Internal APIs in the Enterprise
byAkana
 
Api management introduction and product overview v1.0 2014.08.28
byfloridawusergroup
 
Deep-Dive: API Security in the Digital Age
byApigee | Google Cloud
 
Strong Customer Authentication - All Your Questions Answered
byWSO2
 
Authentication and single sign on (sso)
byKumaresh Chandra Baruri
 
Building Sustainable Ecosystems: The Economics of Collaboration
byWSO2
 
apidays LIVE Hong Kong - Orchestrating APIs at Scale by Hieu Nguyen Nhu
byapidays
 
API Security In Cloud Native Era
byWSO2
 
Melbourne API Management Seminar
byCA API Management
 
apidays LIVE India - 10 steps to secure your API by Pabitra Kumar Sahoo, Qual...
byapidays
 
How APIs Can Be Secured in Mobile Environments
byWSO2
 
apidays LIVE Paris - Potential of API integrations, common traps and advices ...
byapidays
 
Webcast: AWS Sticker Shock? How can containers and automation help?
byApplatix
 
OAuth - Don’t Throw the Baby Out with the Bathwater
byApigee | Google Cloud
 

Similar to CloudStack Identity and Access Management (IAM)

PPTX
Aws iam best practices to live by
byJohn Varghese
 
PPTX
IBM Cloud VPC Deep Dive
byNagesh Ramamoorthy
 
PPTX
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
by😸 Richard Spindler
 
PPTX
The fundamentals of AWS Cloud Security 🛠⛅️🚀
byThanh Nguyen
 
PPTX
Aws principle services: IAM,VPC, EC2, Cloudwatch
bysawsan slii
 
PPTX
Configure cloud services Presentation.pptx
byRoyTari
 
PPTX
CloudStack Overview
bysedukull
 
PDF
The Keys To A Successful Identity And Access Management Program: How Does You...
byDell World
 
PPTX
Openstack Icehouse IaaS Presentation
byemad ahmed
 
PPTX
AWS Twin Cities Meetup - IAM Deep Dive
byAdam Fokken
 
PPTX
Getting Started with Apache CloudStack
byJoe Brockmeier
 
PPTX
IAM Deep Dive - Custom IAM Policies with Conditions
byBryant Poush
 
PDF
CloudStack Architecture and Refactor
bygavin_lee
 
PDF
AWS Systems Manager
byCrishantha Nanayakkara
 
PPTX
Identity access management (iam)
byParag Patil
 
PDF
Oracle Cloud Infrastructure Foundations Associate_Hand-On.pdf
byIlidio Mimiel
 
PDF
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
PDF
Overview of Amazon Web Services
byBrett Gillett
 
PDF
Cloud stack for_beginners
byRadhika Puthiyetath
 
PDF
CloudStack - LinuxFest NorthWest
byke4qqq
 
Aws iam best practices to live by
byJohn Varghese
 
IBM Cloud VPC Deep Dive
byNagesh Ramamoorthy
 
AWS Security - An Engineer’s Introduction to AWS Security Auditing using CIS ...
by😸 Richard Spindler
 
The fundamentals of AWS Cloud Security 🛠⛅️🚀
byThanh Nguyen
 
Aws principle services: IAM,VPC, EC2, Cloudwatch
bysawsan slii
 
Configure cloud services Presentation.pptx
byRoyTari
 
CloudStack Overview
bysedukull
 
The Keys To A Successful Identity And Access Management Program: How Does You...
byDell World
 
Openstack Icehouse IaaS Presentation
byemad ahmed
 
AWS Twin Cities Meetup - IAM Deep Dive
byAdam Fokken
 
Getting Started with Apache CloudStack
byJoe Brockmeier
 
IAM Deep Dive - Custom IAM Policies with Conditions
byBryant Poush
 
CloudStack Architecture and Refactor
bygavin_lee
 
AWS Systems Manager
byCrishantha Nanayakkara
 
Identity access management (iam)
byParag Patil
 
Oracle Cloud Infrastructure Foundations Associate_Hand-On.pdf
byIlidio Mimiel
 
CIS 2015 Practical Deployments Enterprise Cloud Access Management Platform - ...
byCloudIDSummit
 
Overview of Amazon Web Services
byBrett Gillett
 
Cloud stack for_beginners
byRadhika Puthiyetath
 
CloudStack - LinuxFest NorthWest
byke4qqq
 

Recently uploaded

PPTX
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
PPTX
Network Security v1.0 - Module 2.pptx
byssuserb1479b
 
PPTX
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
PDF
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
PPTX
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
PPTX
infosecurity & Cyber Sec 2025 September for deep.pptx
bymsrehan
 
PPTX
Civil_Engineering_Technician_Skill_Assessment_2025_2026_Presentation.pptx
byCDR Australia Engineer
 
PPTX
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
PPTX
Engineering Economics CHAPTER 4.pptx - R
byMisgnaArefe
 
PDF
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 
PPTX
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
PPTX
Transportation Engineering- Modes of Transport, Types of roads, Components of...
byvidyanand kadam
 
PDF
Troubleshooting of Marine Refrigeration System - Part 4
byMahmoud Moghtaderi
 
PDF
chapter 30 inductance chương trình tiên tiến bách khoa.pdf
byconbohai1500
 
PDF
AI-Driven CTI for Business: Emerging Threats, Attack Strategies, and Defensiv...
byAIRCC Publishing Corporation
 
PPTX
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
PPTX
Aix-Marseille Université Diploma
by美国加利福尼亚州立理工大学波莫纳分校学位证书补办【Q微号:1954 292 140】CPP毕业证购买
 
PDF
A Guide to Components and Operation of Refrigeration Plant - Part 1
byMahmoud Moghtaderi
 
PPTX
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
PPT
24CYT13 - Chemistry for Electronics and Computer Systems-Unit-V-E Waste & Its...
byKrishnaveniKrishnara1
 
Optimizing Plant Maintenance — Key Elements of a Successful Maintenance Plan ...
byMaintWiz Technologies Private Limited
 
Network Security v1.0 - Module 2.pptx
byssuserb1479b
 
Industrial Plant Safety – Comprehensive Guide for Workplace Safety & Risk Pre...
byMaintWiz Technologies Private Limited
 
Modeltomodel_Transformation_with_ATL (1).pdf
byISEMENSIAS
 
How to Create an Effective Monthly Preventive Maintenance Plan
byMaintWiz Technologies Private Limited
 
infosecurity & Cyber Sec 2025 September for deep.pptx
bymsrehan
 
Civil_Engineering_Technician_Skill_Assessment_2025_2026_Presentation.pptx
byCDR Australia Engineer
 
UNIT -3 -DIGITAL AND MOBILE FORENSICS FORENSIC READINESS-.pptx
byjemimaa3
 
Engineering Economics CHAPTER 4.pptx - R
byMisgnaArefe
 
Nostr : A protocol for freedom of speech
byEmre YILMAZ
 
22PEOIT4C Session 4 Breath First Search & Depth First Search.pptx
bymailmegokilavani
 
Transportation Engineering- Modes of Transport, Types of roads, Components of...
byvidyanand kadam
 
Troubleshooting of Marine Refrigeration System - Part 4
byMahmoud Moghtaderi
 
chapter 30 inductance chương trình tiên tiến bách khoa.pdf
byconbohai1500
 
AI-Driven CTI for Business: Emerging Threats, Attack Strategies, and Defensiv...
byAIRCC Publishing Corporation
 
22PEOIT4C Session 9 Local search in continuous space.pptx
bymailmegokilavani
 
Aix-Marseille Université Diploma
by美国加利福尼亚州立理工大学波莫纳分校学位证书补办【Q微号:1954 292 140】CPP毕业证购买
 
A Guide to Components and Operation of Refrigeration Plant - Part 1
byMahmoud Moghtaderi
 
KTU 2024 SCHEME -PEMET 413 COMPOSITE MATERIALS MODULE 1 LECTURE 1.pptx
byVinayB68
 
24CYT13 - Chemistry for Electronics and Computer Systems-Unit-V-E Waste & Its...
byKrishnaveniKrishnara1
 

CloudStack Identity and Access Management (IAM)

  • 1.
    CloudStack Identity andAccess Management (IAM) Min Chen Prachi Damle" Citrix
  • 2.
    Agenda •  Background •  OurDesign Goal •  Architecture •  Implementation •  Use Cases •  Next Steps
  • 3.
    Background •  Limited IAMServices –  Out-of-box fixed roles (Root Admin, Domain Admin, User) with prebaked access control. –  No support for customized roles creation. –  Special hard-coded access control logic baked in service layer for some resources like networks, affinity group, etc. –  Granting permissions by dedicated APIs is very restrictive.
  • 4.
    Our Goal ProvideTrue Pluggable IAM Service
  • 5.
    Our Goal ProvideTrue Pluggable IAM Service
  • 6.
    What is IAM" " 👩     👨     👦     Permission   Principal   Ac+on   Resource   Permission   Principal   Ac+on   Resource   Permission   Principal   Ac+on   Resource   Policy   Group   Resource   Resource   Resource   Resource   Principal   Principal   Principal   👫   Role   Impersonate   Allow/Deny  
  • 7.
  • 8.
    Pluggable IAM Service" HostIAM server as an Independent Service listening at an endpoint which CloudStack or other portal services call to do access checks
  • 9.
    Pluggable IAM Components" • Server –  An implementation of pure IAM taxonomy independent of CloudStack. –  Out-of-box IAM server implementation based on our IAM schema –  Provide IAM server interface for third-party (LDAP/AD based) to implement a different IAM server. •  Plugin –  A plugin integrated with CloudStack through adapter interfaces: •  APIChecker •  SecurityChecker •  QuerySelector –  Serve new IAM API requests
  • 10.
    IAM Component Diagram CloudStack   cloud-­‐api   cloud-­‐server   IAM  Service   cloud-­‐plugin-­‐iam   APIChecker   SecurityChecker   QuerySelector   RoleBasedAPIChecker   RoleBasedEn+tyChecker   RoleBasedQuerySelector   IAM  Plugin  APIs   cloud-­‐iam-­‐server   IAM  Server  APIs  
  • 11.
    IAM Server •  IAMSchema •  Implement IAM Server interface to provide your own 3rd-party IAM server.
  • 12.
    IAM Plugin •  IAMAPIs •  Adapters –  APIChecker –  SecurityChecker •  AccessType –  QuerySelector •  Plugin understands CloudStack’s terminology
  • 13.
    IAM APIs createIAMGroup   deleteIAMGroup   listIAMGroups   createIAMPolicy   deleteIAMPolicy   listIAMPolicies   addIAMPermissionToIAMPolicy   removeIAMPermissionFromIAMPolicy   addAccountToIAMGroup   removeAccountFromIAMGroup   aDachIAMPolicyToAccount   removeIAMPolicyFromAccount   aDachIAMPolicyToIAMGroup   removeIAMPolicyFromIAMGroup  👩      Account  
  • 14.
    APIChecker •  CS APICheckerinterface •  commands.properties •  RoleBasedAPIAccessChecker –  On startup loads permissions from commands.properties –  checkAccess by listing policy permissions public  interface  APIChecker  extends  Adapter  {          boolean  checkAccess(User  user,    String  apiCommandName)  throws    PermissionDeniedExcep+on;  }   1  =  ADMIN,  2  =  RESOURCE_DOMAIN_ADMIN,  4  =  DOMAIN_ADMIN,  8  =  USER   startVirtualMachine=15  
  • 15.
    Default CloudStack Policies User  Policy   startVirtualMachine   VirtualMachine   ACCOUNT   $accountId   Permission   User  Group   Domain  Admin  Policy   startVirtualMachine   VirtualMachine   DOMAIN   $domainId   Permission   Domain  Admin  Group   Root  Admin  Policy   startVirtualMachine   VirtualMachine   Scope:  ALL   Permission   migrateVirtualMachine   Permission   Root  Admin  Group   IAM  APIChecker   startVirtualMachine  =  15  
  • 16.
    SecurityChecker •  CS SecurityCheckerinterface •  RoleBasedEntityAccessChecker •  Check Policy permissions for the entity and action/accessType •  Only work with ‘Allow’. No ‘Deny’ in this phase. •  AccessType •  ListEntry (read-only access) •  UseEntry (read and use access) •  OperateEntry (operate access) public  interface  SecurityChecker  extends  Adapter  {   boolean  checkAccess(Account  caller,    ControlledEn+ty  en+ty,    AccessType  accessType,  String  ac+on)   throws  PermissionDeniedExcep+on;   }  
  • 17.
    Access Check Flow 👩     User1   startVirtualMachine  ‘Foo’   👩     User2   💻   Foo   IAM  API  Checker   IAM   SecurityChecker   User  Policy   startVirtualMachine   VirtualMachine   ACCOUNT   $accountId   Permission   User  Group   Domain  Admin  Policy   startVirtualMachine   VirtualMachine   DOMAIN   $domainId   Permission   Domain  Admin  Group   Root  Admin  Policy   startVirtualMachine   VirtualMachine   Scope:  ALL   Permission   Root  Admin  Group   startVirtualMachine  ‘Foo’   👩     Root  Admin   startVirtualMachine  ‘Foo’  
  • 18.
    IAM QuerySelector •  QuerySelector=> RoleBasedQuerySelector public  interface  QuerySelector  extends  Adapter  {              List<Long>  getAuthorizedDomains(Account  caller,  String  en+tyType,  AccessType  accessType);              List<Long>  getAuthorizedAccounts(Account  caller,  String  en+tyType,  AccessType  accessType);              List<Long>  getAuthorizedResources(Account  caller,  String  en+tyType,  AccessType  accessType);              boolean  isGrantedAll(Account  caller,  String  ac+on,  AccessType  accessType);              List<String>  listIAMGroupsByAccount(long  accountId);     }      
  • 19.
    Custom Policy •  UseCase: Domain admin wants to grant “read only access” to all VMs of his domain to some service desk accounts. Service  Desk   Group   ReadOnlyPolicy   listVirtualMachines   VirtualMachine   DOMAIN   $domainId   Permission   👩     👨     addAccountToIAMGroup   aAachIAMPolicyToIAMGroup  
  • 20.
    VMOpPolicy   Cross-Account Grant • Use Case: Account A has a VM foo, and she wants to grant Account B to Start/Stop her VM foo. startVirtualMachine   VirtualMachine   RESOURCE   foo   Permission   stopVirtualMachine   VirtualMachine   RESOURCE   foo   Permission   👩     👨     A   B   💻   Foo  
  • 21.
    Next Step •  IntegrateIAM model with all CloudStack access control logic –  Shared and isolated networks –  Handle non ControlledEntity like Zone and Service Offering(Disk offering, Network Offering) –  Dedicated resource feature •  Provide UI support for IAM APIs. •  Handle JSON based policy definition.
  • 22.
    References •  Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer • Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer