
...

Ticket to track the feature implementation: https://issues.apache.org/jira/browse/CLOUDSTACK-5920

Note: The IAM feature cannot be put into the current 4.5 codebase because of the API gaps and limitations found and documented here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes

Architecture and Design description

...

Code Block
import java.util.List;

// Types referenced below come from the CloudStack code base.
import org.apache.cloudstack.acl.SecurityChecker.AccessType;

import com.cloud.user.Account;
import com.cloud.utils.component.Adapter;

/**
 * QuerySelector returns the granted domains, accounts or resources for the caller.
 */
public interface QuerySelector extends Adapter {

    // ...

    /**
     * List granted domains for the caller, given a specific entity type.
     *
     * @param caller account to check against.
     * @param entityType entity type
     * @param accessType access type
     * @return list of domain Ids granted to the caller account.
     */
    List<Long> getAuthorizedDomains(Account caller, String entityType, AccessType accessType);

    /**
     * List granted accounts for the caller, given a specific entity type.
     *
     * @param caller account to check against.
     * @param entityType entity type
     * @param accessType access type
     * @return list of account Ids granted to the caller account.
     */
    List<Long> getAuthorizedAccounts(Account caller, String entityType, AccessType accessType);

    /**
     * List granted resources for the caller, given a specific entity type.
     *
     * @param caller account to check against.
     * @param entityType entity type
     * @param accessType access type
     * @return list of resource Ids granted to the caller account.
     */
    List<Long> getAuthorizedResources(Account caller, String entityType, AccessType accessType);

    /**
     * Check if this account is associated with a policy with scope of ALL.
     *
     * @param caller account to check
     * @param action action (API name) to check
     * @param accessType access type
     * @return true if this account is attached to a policy for the given action with ALL scope.
     */
    boolean isGrantedAll(Account caller, String action, AccessType accessType);

    /**
     * List the IAM groups the given account belongs to.
     *
     * @param accountId account id.
     * @return IAM group names
     */
    List<String> listIAMGroupsByAccount(long accountId);

    // ...
}

...

id | name           | description         | uuid                                 | path | removed | created             | policy_type
1  | REGULAR_USER   | Domain user role    | d2838dce-31f0-11e3-ad37-80f85ce25918 | /    | NULL    | 2013-10-10 14:13:34 | Static
2  | ADMIN          | Root admin role     | d2839c56-31f0-11e3-ad37-80f85ce25918 | /    | NULL    | 2013-10-10 14:13:34 | Static
3  | DOMAIN_ADMIN   | Domain admin role   | d283a7f0-31f0-11e3-ad37-80f85ce25918 | /    | NULL    | 2013-10-10 14:13:34 | Static
6  | RESOURCE_OWNER | Resource owner role | d283c794-31f0-11e3-ad37-80f85ce25918 | /    | NULL    | 2013-10-10 14:13:34 | Dynamic

iam_group_policy_map

id | group_id | policy_id | removed | created
1  | 1        | 1         | NULL    | 2013-10-10 14:13:34
2  | 2        | 2         | NULL    | 2013-10-10 14:13:34
3  | 3        | 3         | NULL    | 2013-10-10 14:13:34

...

id | policy_id | permission_id | removed | created
1  | 61        | 3             | NULL    | 2013-10-10 14:13:34
2  | 2         | 1             | NULL    | 2013-10-10 14:13:34
3  | 3         | 2             | NULL    | 2013-10-10 14:13:34

...

  • Find all groups the user belongs to: groupIDs = 1
  • Find all 'Effective' policies the groups are associated to: policies = 1, 6
  • If any policy 'Allows' the startVirtualMachine API for this VM Id, grant permission to make this call: Policy Id 6 1 and Permission Id 3 allow the API to be invoked for this user.
  • In this case, since this is a regular user and the VM belongs to the user's own account (the "ACCOUNT" scope), the user is granted access using policy Id 61.

A Domain Admin 'domainAdmin' calls this command for a VM in his domain:

...

  • Find all groups the user belongs to: groupIDs = 2
  • Find all 'Effective' policies the groups are associated to: policies = 2
  • Policy Id 3 2 and Permission Id 1 allow 'startVirtualMachine' access for ALL VMs.
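The two walk-throughs above (regular user with an ACCOUNT-scope permission, domainAdmin with an ALL-scope permission) carried out in code, as an added example that is not CloudStack's own code: the in-memory maps are constructed from the sample rows on this page, the account and domain ids of the callers and VMs are assumed, and DOMAIN is added as the general third scope between ACCOUNT and ALL. Assumes Java 17 (records and switch expressions).

```java
import java.util.List;
import java.util.Map;
/** Added illustration of the group -> policy -> permission lookup above; not CloudStack code. */
public class IamCheckExample {
    enum Scope { ALL, DOMAIN, ACCOUNT }
    record Permission(String action, Scope scope) {}                     // one permission row
    record Resource(long accountId, long domainId) {}                    // the VM being acted on
    record Caller(long accountId, long domainId, List<Long> groupIds) {} // account + IAM groups
    // iam_group_policy_map: group id -> effective policy ids (values from the walk-throughs)
    static final Map<Long, List<Long>> GROUP_POLICIES = Map.of(1L, List.of(1L, 6L), 2L, List.of(2L));
    // policy id -> permission ids, constructed to match the page (policy 2 -> 1, policies 1 and 6 -> 3)
    static final Map<Long, List<Long>> POLICY_PERMISSIONS =
            Map.of(1L, List.of(3L), 6L, List.of(3L), 2L, List.of(1L));
    // permission id -> (action, scope), scopes as stated in the two walk-throughs
    static final Map<Long, Permission> PERMISSIONS = Map.of(
            1L, new Permission("startVirtualMachine", Scope.ALL),
            3L, new Permission("startVirtualMachine", Scope.ACCOUNT));
    /** Does the permission's scope cover this caller/resource pair? DOMAIN is the added third case. */
    static boolean scopeCovers(Scope scope, Caller caller, Resource vm) {
        return switch (scope) {
            case ALL -> true;
            case DOMAIN -> caller.domainId() == vm.domainId();
            case ACCOUNT -> caller.accountId() == vm.accountId();
        };
    }
    /** The page's steps: groups -> effective policies -> any permission that allows the action on this VM. */
    static boolean isAllowed(Caller caller, String action, Resource vm) {
        for (long groupId : caller.groupIds()) {
            for (long policyId : GROUP_POLICIES.getOrDefault(groupId, List.of())) {
                for (long permId : POLICY_PERMISSIONS.getOrDefault(policyId, List.of())) {
                    Permission p = PERMISSIONS.get(permId);
                    if (p != null && p.action().equals(action) && scopeCovers(p.scope(), caller, vm)) {
                        return true; // the first matching Allow grants the call
                    }
                }
            }
        }
        return false; // default deny: no effective policy allows this action on this resource
    }
    public static void main(String[] args) {
        Caller user = new Caller(10L, 1L, List.of(1L));        // regular user in group 1 (assumed ids)
        Caller domainAdmin = new Caller(20L, 1L, List.of(2L)); // domainAdmin in group 2 (assumed ids)
        Resource ownVm = new Resource(10L, 1L), otherVm = new Resource(30L, 2L); // constructed VMs
        System.out.println("user, own VM: " + isAllowed(user, "startVirtualMachine", ownVm));
        System.out.println("user, other account's VM: " + isAllowed(user, "startVirtualMachine", otherVm));
        System.out.println("domainAdmin, other VM: " + isAllowed(domainAdmin, "startVirtualMachine", otherVm));
    }
}
```

The third check in main is the point of the walk-through: the domainAdmin's ALL-scope permission is matched regardless of which account or domain owns the VM, whereas the regular user's ACCOUNT-scope permission only matches a VM in the caller's own account.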

...

For this release, creating a custom policy/group is supported through the API only. In later releases, either a UI or a config file plus policy language mechanism could be provided to make custom policy/group creation easier.

Presentation at CloudStack Collaboration Conference

ApachIAM.pptx