...
- Until 4.4, CloudStack did not distinguish between read-only access vs read-and-use access vs operate access.
- The CloudStack access control layer always checked whether the caller was the owner of the entity and granted all types of access based on that.
- With the IAM feature, the following types of entity access can be specified:
  - ListEntry (read-only access)
  - UseEntry (read and use access)
  - OperateEntry (operate/execute access)
Example: A domainAdmin registers a template T and allows a regular user of the domain to launch a VM using that template.
- Entity: Template T
- Principal 1: domainAdmin. Access allowed: OperateEntry (operate access, since he can invoke delete/updatePermissions operations on the template)
- Principal 2: normal domain user. Access allowed: UseEntry (the user can only list the template and use it for launching a VM)
IAM At API layer: use @ACL
- For the primary ID API parameter that identifies the entity being operated on, put the annotation @ACL(accessType = AccessType.OperateEntry).
- For all other entities, @ACL or @ACL(accessType = AccessType.UseEntry) should suffice. This makes sure the caller can 'list and use' the entity for the desired operation.
- By default the annotation uses AccessType.UseEntry.
Typically:
- create APIs: @ACL(accessType = AccessType.UseEntry) is needed on all the entities that must be used to create the desired new entity.
- update/delete APIs: these modify or operate on an entity and change its state. @ACL(accessType = AccessType.OperateEntry) should be used in these APIs on the parameter that identifies the main entity being modified.
...
DeployVMCmd: This is a create API:
...
Add @ACL(accessType = AccessType.UseEntry) access for all entities used, like template and network.

Start/Stop/Reboot/Destroy/AttachXXXToVM: These are the update/delete APIs.
...
Add @ACL(accessType = AccessType.OperateEntry) access for the VM ID parameter that identifies the VM entity being operated on.
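The following stand-alone Java program is an added illustration of the rules above and is not code from the CloudStack source. It defines minimal stand-ins for AccessType and @ACL inline (CloudStack's real annotation lives in its own packages, so these definitions, the command sketches and the grant table are assumptions), annotates a create command and a delete command as the guidance prescribes, and runs a reflective check against a constructed grant table in which domainAdmin holds OperateEntry and user1 holds UseEntry on TemplateT.

```java
import java.lang.annotation.*;
import java.lang.reflect.Field;
import java.util.HashMap;
import java.util.Map;

public class AclDemo {
    // Stand-ins for CloudStack's AccessType and @ACL; the names come from the page, the definitions are assumptions.
    // Ordinal order encodes the hierarchy: ListEntry < UseEntry < OperateEntry.
    enum AccessType { ListEntry, UseEntry, OperateEntry }
    @Retention(RetentionPolicy.RUNTIME)
    @Target(ElementType.FIELD)
    @interface ACL { AccessType accessType() default AccessType.UseEntry; }

    // Create API sketch: every referenced entity only needs 'list and use' access.
    static class DeployVMCmd {
        @ACL(accessType = AccessType.UseEntry) String templateId;
        @ACL String networkId; // default access type is UseEntry
        DeployVMCmd(String templateId, String networkId) { this.templateId = templateId; this.networkId = networkId; }
    }
    // Update/delete API sketch: the primary ID parameter needs 'operate' access.
    static class DeleteTemplateCmd {
        @ACL(accessType = AccessType.OperateEntry) String id;
        DeleteTemplateCmd(String id) { this.id = id; }
    }

    // Constructed grant table: principal -> entity -> access granted, mirroring the page's example.
    static final Map<String, Map<String, AccessType>> GRANTS = new HashMap<>();
    static {
        GRANTS.put("domainAdmin", Map.of("TemplateT", AccessType.OperateEntry));
        GRANTS.put("user1", Map.of("TemplateT", AccessType.UseEntry, "NetworkN", AccessType.UseEntry));
    }

    // Walks every @ACL-annotated parameter of a command and requires a grant at least as strong as the one requested.
    static boolean checkAccess(String principal, Object cmd) throws IllegalAccessException {
        Map<String, AccessType> mine = GRANTS.getOrDefault(principal, Map.of());
        for (Field f : cmd.getClass().getDeclaredFields()) {
            ACL acl = f.getAnnotation(ACL.class);
            if (acl == null) continue; // not an access-controlled parameter
            f.setAccessible(true);
            AccessType granted = mine.get((String) f.get(cmd));
            if (granted == null || granted.ordinal() < acl.accessType().ordinal()) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("user1 deploys a VM from TemplateT on NetworkN: " + checkAccess("user1", new DeployVMCmd("TemplateT", "NetworkN")));
        System.out.println("user1 deletes TemplateT: " + checkAccess("user1", new DeleteTemplateCmd("TemplateT")));
        System.out.println("domainAdmin deletes TemplateT: " + checkAccess("domainAdmin", new DeleteTemplateCmd("TemplateT")));
    }
}
```

The user's UseEntry grant satisfies the deploy command but not the delete command, while the admin's OperateEntry grant satisfies both; a missing grant on any annotated parameter denies the whole call.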
IAM At Service Layer:
The CloudStack service-layer logic uses "accountManager.checkAccess" to invoke the SecurityCheckers that perform access control. Instead, one should prefer the @ACL annotation on the API parameters that have to be checked for access.
...