You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cloudstack.apache.org by "Rajani Karuturi (JIRA)" <ji...@apache.org> on 2014/02/02 06:18:09 UTC

[jira] [Commented] (CLOUDSTACK-5920) CloudStack IAM Plugin feature

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-5920?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13888826#comment-13888826 ] 

Rajani Karuturi commented on CLOUDSTACK-5920:
---------------------------------------------

Hi Daan,
I think its going to be on api-call basis.
Please check the related mail discussion @ http://cloudstack.markmail.org/message/q2joujsnztytseje
The proposed design is at https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Identity+and+Access+Management+%28IAM%29+Plugin#CloudStackIdentityandAccessManagement(IAM)Plugin-SampleDBentriesforthepolicypermissionsfor'StartVM'operation:

> CloudStack IAM Plugin feature
> -----------------------------
>
>                 Key: CLOUDSTACK-5920
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-5920
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: API, Management Server
>    Affects Versions: 4.3.0
>            Reporter: Prachi Damle
>            Assignee: Prachi Damle
>             Fix For: 4.4.0
>
>
> Currently CloudStack provides very limited IAM services and there are several drawbacks within those services:
> -  Offers few roles out of the box (user and admin) with prebaked access control for these roles. There is no way to create additional roles with customized permissions.
> -  Some resources have access control baked into them. E.g., shared networks, projects etc. 
> -  We have to create special dedicate APIs to grant permissions to resources.
> - Also it should be based on a plugin model to be possible to integrate with other RBAC implementations say using AD/LDAP in future 
> Goal for this feature would be to address these limitations and offer true IAM services in a phased manner.
> As a first phase, we need to separate out the current access control into a separate component and create a standard access check mechanism to be used by the API layer. Also the read/listing APIs need to be refactored accordingly to consider the role based access granting.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)