Thanks Daan. With completion I meant the documentation part.
On Thu, Jun 26, 2014 at 6:49 PM, Daan Hoogland <daan.hoogl...@gmail.com> wrote: > Megha, the page you mention is a collection bin for all things planned > that are going to require a major version upgrade as they change the > application programming interface. > > It is not just for the IAM extensions planned. > > It is completed only when 5.0 is out ;) Feel free to add to it or to > propose implementing parts of it. > > regards > > On Thu, Jun 26, 2014 at 12:02 PM, Meghna Kale <meghna.k...@sungardas.com> > wrote: > > Hi All, > > > > I have been following the IAM functionality work from quite sometime. > > And I am interested in this work and would like to contribute in the API > > changes and discussions. > > If there are any design documents or any Jira tickets related to these > > changes can you please point me to them that will be helpful. > > > > From looking over the API changes documentation for the IAM feature I was > > curious if everything you set out to accomplish that is mentioned > > here https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes > is > > completed ? > > > > Thanks > > Meghna. > > > > > > > > On Thu, Jun 5, 2014 at 11:03 PM, Prachi Damle <prachi.da...@citrix.com> > > wrote: > >> > >> > >> > >> -----Original Message----- > >> From: Meghna Kale [mailto:meghna.k...@sungardas.com] > >> Sent: Wednesday, June 04, 2014 11:24 PM > >> To: dev > >> Cc: Daan Hoogland; Hugo Trippaers > >> Subject: Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0? > >> > >> Thanks Min and Prachi. > >> > >> >Based on above, for your usecase, you can attach a new policy to one > >> account to deny specific operations. So even if that account belongs to > >> the group that allows All, the second >policy has an explicit Deny, so > this > >> will deny the specific operations. > >> > >> Does that mean that a new deny permission role should be created and > then > >> applied to the user? If yes then is it like we are apply two roles to a > >> single user. > >> > >> >> Yes it means attaching two policies to the account. The policy > >> >> evaluation logic should look at all the policies attached and > evaluate using > >> >> the precedence. > >> > >> Thanks > >> Meghna. > >> > >> Thanks > >> Meghna. > >> > >> > >> > >> On Thu, Jun 5, 2014 at 1:19 AM, Prachi Damle <prachi.da...@citrix.com> > >> wrote: > >> > >> > >For example, there are two accounts and they belong to a group with > >> > >Allow all permissions. If I have to remove some permissions for only > >> > >account 1 but keep them for account 2 is it possible? > >> > > >> > This will be decided depending on whether Deny has higher precedence > >> > over Allow or the other way. If Deny has the higher precedence, the > >> > evaluation logic will be: > >> > - If there is a policy attached to the account or to a group that the > >> > account belongs to, which states an explicit Deny, then the permission > >> > will be denied. > >> > > >> > Based on above, for your usecase, you can attach a new policy to one > >> > account to deny specific operations. So even if that account belongs > >> > to the group that allows All, the second policy has an explicit Deny, > >> > so this will deny the specific operations. > >> > > >> > Thanks, > >> > Prachi > >> > > >> > -----Original Message----- > >> > From: Min Chen [mailto:min.c...@citrix.com] > >> > Sent: Tuesday, June 03, 2014 9:30 AM > >> > To: dev@cloudstack.apache.org > >> > Cc: Daan Hoogland; Hugo Trippaers > >> > Subject: Re: [ACS5.0] IAM feature postponed from 4.4 to 5.0? > >> > > >> > As mentioned in our FS doc in wiki, "In phase I, all the permissions > >> > attached to any policy are by default explicit 'Allow' permissions. As > >> > of now 'Deny' permissions cannot be added." > >> > > >> > For your use cases, you can have two options: > >> > 1. Assign the two accounts into 2 different groups, and attach > >> > different policy for the group. > >> > 2. Directly attach an Allow policy to account 2 instead of assigning > >> > both accounts into the Allow All group. > >> > > >> > Thanks > >> > -min > >> > > >> > > >> > On 6/3/14 5:03 AM, "Meghna Kale" <meghna.k...@sungardas.com> wrote: > >> > > >> > >Hi Min, > >> > > > >> > >With reference to the wiki doc, I had a query. > >> > >In case of a customized role with deny permissions how will the > >> > >listAll, isrecursive ..etc. input parameters values will be ? > >> > > > >> > >For example, there are two accounts and they belong to a group with > >> > >Allow all permissions. If I have to remove some permissions for only > >> > >account 1 but keep them for account 2 is it possible? > >> > > > >> > >Thanks > >> > >Meghna. > >> > > > >> > > > >> > >On Thu, May 22, 2014 at 10:22 PM, Min Chen <min.c...@citrix.com> > wrote: > >> > > > >> > >> Added API issues we found through IAM feature in the wiki page > >> > >>created by > >> > >> Demetrius: > >> > >> https://cwiki.apache.org/confluence/display/CLOUDSTACK/API+changes > >> > >> > >> > >> Thanks > >> > >> -min > >> > >> > >> > >> On 5/14/14 9:34 AM, "Min Chen" <min.c...@citrix.com> wrote: > >> > >> > >> > >> >Thanks Daan. Yes, I saw that there is another thread about putting > >> > >> >an > >> > >>API > >> > >> >request for 5.0 api. Once we are done with this disabling, we will > >> > >> >put > >> > >>the > >> > >> >issues we have found with current API in that wiki page to take > >> > >> >into consideration when we design the new API. > >> > >> > > >> > >> >-min > >> > >> > > >> > >> >On 5/14/14 12:12 AM, "Daan Hoogland" <daan.hoogl...@gmail.com> > >> > >> > wrote: > >> > >> > > >> > >> >>Min, > >> > >> >> > >> > >> >>I think everybody knows I am all for less features per release. I > >> > >> >>don't think you are making a bad call, per se. I do think we > >> > >> >>should consider if we can come up with a total picture of what > >> > >> >>5.x would require af the api, though. Can you add to the > >> > >> >>discussion what it is that is keeping you from implementing. And > >> > >> >>what requirements you have for the 5.0 api so we can start > >> > >> >>devising the architectural guidelines for the new api. more and > >> > >> >>more calls for a 5.0 are coming up lately so let's move forward. > >> > >> >>(changing title) > >> > >> >> > >> > >> >>On Wed, May 14, 2014 at 1:53 AM, Min Chen <min.c...@citrix.com> > >> > wrote: > >> > >> >>> Hi All, > >> > >> >>> > >> > >> >>> In the past several weeks, QA has done some testing on IAM > >> > >> >>> feature > >> > >>and > >> > >> >>>found > >> > >> >>> several backward-compatibility issues. Even though Prachi and I > >> > >> >>>have tried our best to fix bugs to maintain backward > >> > >> >>>compatibility, we realized that in order to support true IAM > >> > >> >>>model documented in our FS > >> > >> >>> > >> > >> >>> > >> > >> > https://cwiki.apache.org/confluence/display/CLOUDSTACK/CloudStack+I > >> > >> de > >> > >> nti > >> > >> >>>t > >> > >> >>>y+and+Access+Management+%28IAM%29+Plugin, > >> > >> >>> we will have to make several API changes that will require us > >> > >> >>>to increment CloudStack major version. > >> > >> >>> Therefore we think that IAM feature is not ready for ACS 4.4 > >> > >>release, > >> > >> >>>and we > >> > >> >>> would like to propose to disable it in 4.4 branch and re-enable > >> > >> >>>it later when community decides to go for 5.x. > >> > >> >>> > >> > >> >>> Thanks > >> > >> >>> -min > >> > >> >> > >> > >> >> > >> > >> >> > >> > >> >>-- > >> > >> >>Daan > >> > >> > > >> > >> > >> > >> > >> > >> > >> > > >> > > >> > > > > > > > > > -- > Daan >
