Page History
...
The IAM plugin will provide another implementation of the SecurityChecker interface. We will also have to add to this interface some more methods or change some signatures to facilitate group, policy and Action api name (action) based access control.
| Code Block |
|---|
/**
* SecurityChecker checks the ownership and access control to objects within
*/
public interface SecurityChecker extends Adapter {
...
/**
* Checks if the account can access the object.
*
* @param caller
* account to check against.
* @param entity
* object that the account is trying to access.
* @param accessType
*
* @param action
*
* @return true if access allowed. false if this adapter cannot provide permission.
* @throws PermissionDeniedException
* if this adapter is suppose to authenticate ownership and the check failed.
*/
boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;
....
}
|
IAM Plugin will also provide a group and policy based implementation of the APIChecker interface. The implementation will check if a given user is permitted to make the given API call by looking at the users' groups and the associated policies of those groups. If any of the policy allows the user to call that API then the user can make the call.
| Code Block |
|---|
// APIChecker checks the ownership and access control to API requests
public interface APIChecker extends Adapter {
// Interface for checking access for a role using apiname
// If true, apiChecker has checked the operation
// If false, apiChecker is unable to handle the operation or not implemented
// On exception, checkAccess failed don't allow
boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
}
|
Besides SecurityChecker and APIChecker interface, IAM plugin will also implement another QueryChecker interface to allow CloudStack to do proper row filter in ListAPI based on caller's policy.
...
Overview
Content Tools
Apps