CloudStack Identity and Access Management (IAM)

Page 1: CloudStack  Identity and Access Management (IAM)

© 2014 Sungard AS. All rights reserved.

CloudStack Identity and Access Management (IAM) June 2014

Meghna Kale

In next 45 minutes …

Agenda

• What is IAM? IAM as a service

• CloudStack IAM

• Background

• Proposal

• Architecture and Design

• Use cases

• Problems faced during 4.4 release.

• Sungard contribution.

What is IAM?

Identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.

What does it do?

IAM enables you to securely control access to your application or product services and resources for your users.

Using IAM, you can create and manage users and groups and use permissions to allow and deny their access to the resources.

Why IAM?

IAM addresses the mission-critical need to ensure appropriate access to resources across increasingly heterogeneous technology environments, and to meet increasingly rigorous compliance requirements.

This security practice is a crucial undertaking for any enterprise.

It is increasingly business-aligned, and it requires business skills, not just technical expertise.

Enterprises that develop mature IAM capabilities can reduce their identity management costs and, more importantly, become significantly more agile in supporting new business initiatives.

Amazon: IAM as a service

AWS Identity and Access Management

AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS.

The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon SimpleDB, and the AWS Management Console.

With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.


CloudStack IAM: Background

Existing role-based access control in CloudStack

• Fixed roles (Root Admin, Domain Admin, User)

• Pre-baked access control.

• No support for custom roles.

• Special hard-coded access control logic baked into the service layer for some resources like networks, affinity groups, etc.

• Granting permissions through dedicated APIs is very restrictive.

Proposal

Component diagram of the IAM module.

Server:

–  An implementation of pure IAM taxonomy independent of CloudStack.

–  Out-of-the-box IAM server implementation based on the CloudStack IAM schema

–  Provide IAM server interface for third-party (LDAP/AD based) to implement a different IAM server.

Plugin:

A plugin integrated with CloudStack through adapter interfaces:

- APIChecker

- SecurityChecker

- QuerySelector


IAM Plugin:

•  IAM APIs

•  Adapters

–  APIChecker

–  SecurityChecker

•  AccessType

–  QuerySelector

•  Plugin understands CloudStack’s terminology.


IAM APIs:

Architecture and Design

Design

Group

Group contains a number of CloudStack accounts. Customers should be able to Create, Edit, List and Delete Groups. Editing includes adding or removing accounts to or from a group.

Account

An Account is the existing CloudStack Account; all permission control is done at the Account level. An Account can be assigned to more than one Group.

User

A CloudStack User contains only login credentials; permission control is not performed at this level.

Design …

Policy

A Policy is a set of permissions. Customers should be able to attach several policies to a Group to define the permissions for that group.

By default, we have the following 3 types of policy templates:

Root Admin Policy: has permissions to all resources in CloudStack for the allowed APIs.

Domain Admin Policy: has permissions to all resources under the domain it belongs to for the allowed APIs.

Resource Owner Policy: has permissions to all owned resources for the allowed APIs.

Beyond these, customers should be able to define custom policies by granting or denying permissions for the group.

Design …

Permission

A Policy consists of a set of Permissions. A Permission is the unit in which access control is defined: with a Permission, the customer defines which actions are allowed or denied, on which resources, under which account or domain.

A single permission definition consists of:

- Action (API Name)

- Allow / Deny

- Scope (Account | Domain | Resource)

- Scope Id (Id of the above defined scope)

- Resource Type

Use case 1:

Custom Policy:

Use case: a Domain Admin wants to grant “read only access” to all VMs in his domain to some accounts.

Use case 2:

Cross-Account Grant:

Use case: Account A has a VM and wants to grant Account B permission to start/stop this VM.
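The following Python is an added example, not CloudStack's code and not the IAM plugin's actual implementation. It models the Group / Account / Policy / Permission structure from the design slides, with the five Permission fields from the Permission slide, and walks both use cases above through one evaluator. The three evaluator methods only mirror the roles the slides give the APIChecker, SecurityChecker and QuerySelector adapters. Everything else is assumed: deny-overrides-allow precedence, the account names, domain ids and VM ids are constructed for the demo.

```python
"""Toy model of the CloudStack IAM policy evaluation described on the slides.

Added example, not CloudStack code. Precedence rule (a Deny that matches
overrides any Allow) is an assumption; the slides do not specify it.
"""
from dataclasses import dataclass
from typing import Iterator, List, Set

# Scope values from the Permission slide: Account | Domain | Resource
ACCOUNT, DOMAIN, RESOURCE = "Account", "Domain", "Resource"


@dataclass(frozen=True)
class Permission:
    action: str         # Action (API name), e.g. "listVirtualMachines"
    allow: bool         # Allow (True) / Deny (False)
    scope: str          # Scope: Account | Domain | Resource
    scope_id: str       # Scope Id: id of the account, domain or resource
    resource_type: str  # Resource Type, e.g. "VirtualMachine"


@dataclass
class Policy:
    name: str
    permissions: List[Permission]


@dataclass
class Group:
    name: str
    accounts: Set[str]      # CloudStack account names (assumed as ids here)
    policies: List[Policy]  # several policies may be attached to a group


@dataclass(frozen=True)
class Resource:
    id: str
    type: str
    owner_account: str
    domain_id: str


def resource_in_scope(perm: Permission, res: Resource) -> bool:
    """Does this permission's (scope, scope_id, resource_type) cover res?"""
    if perm.resource_type != res.type:
        return False
    if perm.scope == RESOURCE:
        return perm.scope_id == res.id
    if perm.scope == ACCOUNT:
        return perm.scope_id == res.owner_account
    if perm.scope == DOMAIN:
        return perm.scope_id == res.domain_id
    return False


class IamEvaluator:
    def __init__(self, groups: List[Group]):
        self.groups = groups

    def permissions_for(self, account: str) -> Iterator[Permission]:
        """All permissions an account inherits through its group memberships."""
        for g in self.groups:
            if account in g.accounts:
                for p in g.policies:
                    yield from p.permissions

    def can_call_api(self, account: str, action: str) -> bool:
        """APIChecker-style question: is this API allowed to the account at all?"""
        return any(p.allow for p in self.permissions_for(account) if p.action == action)

    def check_access(self, account: str, action: str, res: Resource) -> bool:
        """SecurityChecker-style question: may the account run action on res?
        No matching permission -> denied; any matching Deny -> denied (assumption)."""
        matched = [p for p in self.permissions_for(account)
                   if p.action == action and resource_in_scope(p, res)]
        return bool(matched) and all(p.allow for p in matched)

    def select_visible(self, account: str, action: str, resources: List[Resource]) -> List[Resource]:
        """QuerySelector-style question: which resources should a list API return?"""
        return [r for r in resources if self.check_access(account, action, r)]


def build_demo():
    """Constructed sample data (not from the slides) covering both use cases."""
    vms = [
        Resource("vm-1", "VirtualMachine", owner_account="alice", domain_id="d1"),
        Resource("vm-2", "VirtualMachine", owner_account="bob", domain_id="d1"),
        Resource("vm-3", "VirtualMachine", owner_account="carol", domain_id="d2"),
    ]
    # Resource Owner Policy for bob: act on the VMs bob's own account owns.
    owner_policy = Policy("ResourceOwner-bob", [
        Permission(a, True, ACCOUNT, "bob", "VirtualMachine")
        for a in ("listVirtualMachines", "startVirtualMachine",
                  "stopVirtualMachine", "destroyVirtualMachine")])
    # Use case 1: the domain admin of d1 grants read-only access to every VM
    # in d1 and explicitly denies destroy across the domain.
    readonly_d1 = Policy("ReadOnlyVMs-d1", [
        Permission("listVirtualMachines", True, DOMAIN, "d1", "VirtualMachine"),
        Permission("destroyVirtualMachine", False, DOMAIN, "d1", "VirtualMachine")])
    # Use case 2: alice (Account A) grants bob (Account B) start/stop on vm-1 only.
    grant_vm1 = Policy("alice-grants-vm-1", [
        Permission("startVirtualMachine", True, RESOURCE, "vm-1", "VirtualMachine"),
        Permission("stopVirtualMachine", True, RESOURCE, "vm-1", "VirtualMachine")])
    groups = [
        Group("bob-own", {"bob"}, [owner_policy]),
        Group("d1-readers", {"bob"}, [readonly_d1]),
        Group("vm-1-operators", {"bob"}, [grant_vm1]),
    ]
    return IamEvaluator(groups), vms


def demo() -> dict:
    ev, vms = build_demo()
    by_id = {r.id: r for r in vms}
    return {
        "bob_lists": [r.id for r in ev.select_visible("bob", "listVirtualMachines", vms)],
        "carol_lists": [r.id for r in ev.select_visible("carol", "listVirtualMachines", vms)],
        "bob_start_vm1": ev.check_access("bob", "startVirtualMachine", by_id["vm-1"]),
        "bob_start_vm2": ev.check_access("bob", "startVirtualMachine", by_id["vm-2"]),
        "bob_start_vm3": ev.check_access("bob", "startVirtualMachine", by_id["vm-3"]),
        "bob_destroy_vm2": ev.check_access("bob", "destroyVirtualMachine", by_id["vm-2"]),
        "bob_api_destroy": ev.can_call_api("bob", "destroyVirtualMachine"),
        "bob_api_deploy": ev.can_call_api("bob", "deployVirtualMachine"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two things worth noticing in the output: bob passes the API-level check for destroyVirtualMachine (his owner policy allows it) but fails the entity-level check on vm-2 because the domain-scoped Deny wins, which is why a plugin needs both an APIChecker and a SecurityChecker; and carol, who belongs to no group, sees an empty list rather than an error, which is the QuerySelector's job of narrowing list results to what the caller may see.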

Problems faced in the 4.4 release:

During the development of the IAM feature, it was found that several areas of the current APIs are not compatible with the real IAM model being introduced. For these reasons the feature is disabled in the 4.4 release.

- The current implementation of the list APIs is tightly tied to the default roles (root admin, domain admin, regular user).

- A few API flags, such as listAll and isRecursive, have no clear definition, and it is not defined which one takes precedence.

- The owner of an entity being created is implicitly derived from other entities used in its creation. This breaks granting: even if user A grants a resource to user B, the entity created by user B is still owned by user A.

Thank You!