CloudStack Identity and Access Management (IAM)
1 like631 views
The document discusses CloudStack's plans to implement an Identity and Access Management (IAM) service. It describes CloudStack's current limited IAM capabilities and the goal to provide a pluggable IAM service. The proposed architecture includes hosting an independent IAM server and integrating an IAM plugin with CloudStack via adapter interfaces. The plugin would support new IAM APIs and policies to control access at the user, group, and resource levels. Example use cases are provided to demonstrate how the IAM service could enable cross-account access policies and role-based access controls.
CloudStack Identity and Access Management (IAM)
- 1. CloudStack Identity and Access Management (IAM) Min Chen Prachi Damle" Citrix
- 2. Agenda • Background • Our Design Goal • Architecture • Implementation • Use Cases • Next Steps
- 3. Background • Limited IAM Services – Out-of-box fixed roles (Root Admin, Domain Admin, User) with prebaked access control. – No support for customized roles creation. – Special hard-coded access control logic baked in service layer for some resources like networks, affinity group, etc. – Granting permissions by dedicated APIs is very restrictive.
- 4. Our Goal Provide True Pluggable IAM Service
- 5. Our Goal Provide True Pluggable IAM Service
- 6. What is IAM" " 👩 👨 👦 Permission Principal Ac+on Resource Permission Principal Ac+on Resource Permission Principal Ac+on Resource Policy Group Resource Resource Resource Resource Principal Principal Principal 👫 Role Impersonate Allow/Deny
- 8. Pluggable IAM Service" Host IAM server as an Independent Service listening at an endpoint which CloudStack or other portal services call to do access checks
- 9. Pluggable IAM Components" • Server – An implementation of pure IAM taxonomy independent of CloudStack. – Out-of-box IAM server implementation based on our IAM schema – Provide IAM server interface for third-party (LDAP/AD based) to implement a different IAM server. • Plugin – A plugin integrated with CloudStack through adapter interfaces: • APIChecker • SecurityChecker • QuerySelector – Serve new IAM API requests
- 10. IAM Component Diagram CloudStack cloud-‐api cloud-‐server IAM Service cloud-‐plugin-‐iam APIChecker SecurityChecker QuerySelector RoleBasedAPIChecker RoleBasedEn+tyChecker RoleBasedQuerySelector IAM Plugin APIs cloud-‐iam-‐server IAM Server APIs
- 11. IAM Server • IAM Schema • Implement IAM Server interface to provide your own 3rd-party IAM server.
- 12. IAM Plugin • IAM APIs • Adapters – APIChecker – SecurityChecker • AccessType – QuerySelector • Plugin understands CloudStack’s terminology
- 13. IAM APIs createIAMGroup deleteIAMGroup listIAMGroups createIAMPolicy deleteIAMPolicy listIAMPolicies addIAMPermissionToIAMPolicy removeIAMPermissionFromIAMPolicy addAccountToIAMGroup removeAccountFromIAMGroup aDachIAMPolicyToAccount removeIAMPolicyFromAccount aDachIAMPolicyToIAMGroup removeIAMPolicyFromIAMGroup 👩 Account
- 14. APIChecker • CS APIChecker interface • commands.properties • RoleBasedAPIAccessChecker – On startup loads permissions from commands.properties – checkAccess by listing policy permissions public interface APIChecker extends Adapter { boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedExcep+on; } 1 = ADMIN, 2 = RESOURCE_DOMAIN_ADMIN, 4 = DOMAIN_ADMIN, 8 = USER startVirtualMachine=15
- 15. Default CloudStack Policies User Policy startVirtualMachine VirtualMachine ACCOUNT $accountId Permission User Group Domain Admin Policy startVirtualMachine VirtualMachine DOMAIN $domainId Permission Domain Admin Group Root Admin Policy startVirtualMachine VirtualMachine Scope: ALL Permission migrateVirtualMachine Permission Root Admin Group IAM APIChecker startVirtualMachine = 15
- 16. SecurityChecker • CS SecurityChecker interface • RoleBasedEntityAccessChecker • Check Policy permissions for the entity and action/accessType • Only work with ‘Allow’. No ‘Deny’ in this phase. • AccessType • ListEntry (read-only access) • UseEntry (read and use access) • OperateEntry (operate access) public interface SecurityChecker extends Adapter { boolean checkAccess(Account caller, ControlledEn+ty en+ty, AccessType accessType, String ac+on) throws PermissionDeniedExcep+on; }
- 17. Access Check Flow 👩 User1 startVirtualMachine ‘Foo’ 👩 User2 💻 Foo IAM API Checker IAM SecurityChecker User Policy startVirtualMachine VirtualMachine ACCOUNT $accountId Permission User Group Domain Admin Policy startVirtualMachine VirtualMachine DOMAIN $domainId Permission Domain Admin Group Root Admin Policy startVirtualMachine VirtualMachine Scope: ALL Permission Root Admin Group startVirtualMachine ‘Foo’ 👩 Root Admin startVirtualMachine ‘Foo’
- 18. IAM QuerySelector • QuerySelector => RoleBasedQuerySelector public interface QuerySelector extends Adapter { List<Long> getAuthorizedDomains(Account caller, String en+tyType, AccessType accessType); List<Long> getAuthorizedAccounts(Account caller, String en+tyType, AccessType accessType); List<Long> getAuthorizedResources(Account caller, String en+tyType, AccessType accessType); boolean isGrantedAll(Account caller, String ac+on, AccessType accessType); List<String> listIAMGroupsByAccount(long accountId); }
- 19. Custom Policy • Use Case: Domain admin wants to grant “read only access” to all VMs of his domain to some service desk accounts. Service Desk Group ReadOnlyPolicy listVirtualMachines VirtualMachine DOMAIN $domainId Permission 👩 👨 addAccountToIAMGroup aAachIAMPolicyToIAMGroup
- 20. VMOpPolicy Cross-Account Grant • Use Case: Account A has a VM foo, and she wants to grant Account B to Start/Stop her VM foo. startVirtualMachine VirtualMachine RESOURCE foo Permission stopVirtualMachine VirtualMachine RESOURCE foo Permission 👩 👨 A B 💻 Foo
- 21. Next Step • Integrate IAM model with all CloudStack access control logic – Shared and isolated networks – Handle non ControlledEntity like Zone and Service Offering(Disk offering, Network Offering) – Dedicated resource feature • Provide UI support for IAM APIs. • Handle JSON based policy definition.
- 22. References • Functional Spec: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer • Guidelines for Developers: https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack +IAM+guidelines+for+API+and+Service+Layer