Page History
Background
Currently CloudStack provides very limited IAM services and there are several drawbacks within those services:
...
Goal for this feature would be to address these limitations and offer true IAM services in a phased manner
Architecture and Design description
IAM Taxonomy
| Gliffy Diagram | ||||||||
|---|---|---|---|---|---|---|---|---|
|
Group
Group contains a number of CloudStack accounts. Customers should be able to Create, Edit, List and Delete Groups. Editing includes adding or removing accounts to or from a group. For backwards compatibility, out of box, CloudStack will provide 3 default groups:
- Root Admin Group
- Domain Admin Group
- End User Group
Account
Account is just our current CloudStack Account, all the permission controls are done at Account level. We can assign an Account to more than one Group.
User
CloudStack user just contains login credentials, and this is not the level that we are performing permission control.
Policy
Policy is a set of permission. Customer should be able to attach several policies to a Group to define the permission for that group. By default, we have the following 3 types of policy templates:
...
- Grant by Domain and Resource Type: grant permissions to all resources of the given resource type under the given domain.
- Grant by Account and Resource Type: grant permissions to all resources of the given resource type under the given account.
- Grant by individual resource: grant permission to an individual resource.
IAM Schema
IAM API
IAM Interface
Overview
Content Tools
Apps