On Jan 21, 2014, at 10:57 PM, Prachi Damle <prachi.da...@citrix.com> wrote:
> Min and myself would like to propose an identity and access management plugin
> for CloudStack for the ACS 4.4 release.
>
> Here is the functional spec we have drafted for the first phase:
> https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+Identity+and+Access+Management+%28IAM%29+Plugin
>
> Currently CloudStack provides very limited IAM services and there are several
> drawbacks:
>
> - Offers few roles out of the box (user and admin) with prebaked access
> control. There is no way to create customized policies and permissions.
> - Some resources have access control baked into them. E.g., shared networks,
> projects etc.
> - We have to create special dedicateXXX APIs to grant permissions to
> resources.
> - Also it does not provide the flexibility to integrate with other RBAC
> implementations say using AD/LDAP
>
> Goal for this feature would be to address these limitations and offer true
> IAM services in a phased manner.
> As a first phase, we need to separate out the current access control into a
> separate component based on the standard IAM terminologies. Also we need to
> create an access check mechanism to be used by the API layer to avoid the
> checks scattered over the api/service layer. The read/listing APIs need to be
> refactored accordingly to consider the policy based access granting.
>
> Please provide feedback/suggestions anyone has.
>

Prachi,

I think that's a good idea, it would be nice to look at the AWS IAM service and map the API one2one. It would ease pain down the road if we want to serve an AWS compatible IAM.

-sebastien

> Thanks,
> Prachi & Min