Versions Compared

Old Version 43

changes.mady.by.user Min Chen

Saved on

compared with

New Version 44

changes.mady.by.user Prachi Damle

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • createAclPolicy
    1. String name - name of the ACL Policy. Required
    2. String description - short decsription
    3. String domainId - UUID of the domain of the account owning the acl policy
    4. String sourcePolicyId - UUID of the policy which should be used as a template to generate the new policy
  • deleteAclPolicy
    1. String id - UUID of the ACL Policy. Required

...

  • removeAclPermissionFromAclPolicy
    1. String id - UUID of the ACL policy. Required
    2. List<String> permission Ids - comma separated list of permission ids that are going to be removed from the acl policy

IAM Interface

IAM Interface to check Entity Access

CloudStack currently has a domain-tree based implementation of access checks, namely com.cloud.acl.DomainChecker. This implementation is based on the an adapter interface of Cloudstack - org.apache.cloudstack.acl.SecurityChecker that defines the basic ACL interface to check ownership and access control to objects within the account/ domain.

...

Code Block
/**
* SecurityChecker checks the ownership and access control to objects within
*/
public interface SecurityChecker extends Adapter {

...

/**
* Checks if the account can access the object.
*
* @param caller
* account to check against.
* @param entity
* object that the account is trying to access.
* @param accessType
*
* @param action
*
* @return true if access allowed. false if this adapter cannot provide permission.
* @throws PermissionDeniedException
* if this adapter is suppose to authenticate ownership and the check failed.
*/
boolean checkAccess(Account caller, ControlledEntity entity, AccessType accessType, String action) throws PermissionDeniedException;

....
}

IAM Interface to check API Access

IAM Plugin will also provide a group and policy based implementation of the APIChecker interface. The implementation will check if a given user is permitted to make the given API call by looking at the users' groups and the associated policies of those groups. If any of the policy allows the user to call that API then the user can make the call.

For given user and given api name,

  • Find all groups the user belongs too.
  • Find all policies the groups are associated to
  • If any policy 'Allows' the API, grant permission to make this call
  • Else, if any policy 'Denies' the API, deny permission to make this call
  • else, if no Allow or Deny entry is found for any policy for this API, deny the permission
Code Block
// APIChecker checks the ownership and access control to API requests
public interface APIChecker extends Adapter {
    // Interface for checking access for a role using apiname
    // If true, apiChecker has checked the operation
    // If false, apiChecker is unable to handle the operation or not implemented
    // On exception, checkAccess failed don't allow
    boolean checkAccess(User user, String apiCommandName) throws PermissionDeniedException;
}

IAM Interface to facilitate Query APIs

Besides SecurityChecker and APIChecker interface, IAM plugin will also implement another QueryChecker interface to allow CloudStack to do proper row filter in ListAPI based on caller's policy.

...