On Tue, Jan 21, 2014 at 10:57 PM, Prachi Damle <prachi.da...@citrix.com>wrote:
> Min and I would like to propose an identity and access management
> plugin for CloudStack for the ACS 4.4 release.
>
> Here is the functional spec we have drafted for the first phase:
>
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Identity+and+Access+Management+%28IAM%29+Plugin
>
> Currently CloudStack provides very limited IAM services and there are
> several drawbacks:
>
> - Offers few roles out of the box (user and admin) with prebaked access
> control. There is no way to create customized policies and permissions.
> - Some resources have access control baked into them. E.g., shared
> networks, projects etc.
> - We have to create special dedicateXXX APIs to grant permissions to
> resources.
> - Also it does not provide the flexibility to integrate with other RBAC
> implementations, say using AD/LDAP.
>
> The goal for this feature would be to address these limitations and offer true
> IAM services in a phased manner.
> As a first phase, we need to separate out the current access control into
> a separate component based on the standard IAM terminologies. Also we need
> to create an access check mechanism to be used by the API layer to avoid
> the checks scattered over the api/service layer. The read/listing APIs need
> to be refactored accordingly to consider the policy based access granting.
>
> Please provide feedback/suggestions anyone has.
>

Would love to see SAML 2.0 support, but any IAM solution is a good start :-)

--
Erik Weber