RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Thanks Sadhu. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Suresh Sadhu [mailto:suresh.sa...@accelerite.com] Sent: Thursday, March 31, 2016 6:01 PM To: us...@cloudstack.apache.org; dev@cloudstack.apache.org Subject: RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack HI Rohit, I have reviewed the FS and it looks good . I have updated my suggestion on createRolePermission API on FS it self .Please check and share your views. Regards Sadhu suresh.sa...@accelerite.com -Original Message- From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com] Sent: Thursday, March 31, 2016 4:12 PM To: dev@cloudstack.apache.org Cc: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Thanks Koushik, I'll add my reply to your comments. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue On Mar 28 2016, at 2:08 pm, Koushik Das wrote: Thanks Rohit, for the replies. Added some more comments based on the replies. -Koushik From: Rohit Yadav Sent: Friday, March 25, 2016 6:42 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi Koushik, Thanks for the comments on the FS, I've replied to all of them and updated the FS (for example, default param in APIs). Let me know on this ML thread or on the FS if you've further questions/comments. Thanks. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Koushik Das [mailto:koushik@accelerite.com] Sent: Friday, March 25, 2016 1:34 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
HI Rohit, I have reviewed the FS and it looks good . I have updated my suggestion on createRolePermission API on FS it self .Please check and share your views. Regards Sadhu suresh.sa...@accelerite.com -Original Message- From: Rohit Yadav [mailto:rohit.ya...@shapeblue.com] Sent: Thursday, March 31, 2016 4:12 PM To: dev@cloudstack.apache.org Cc: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Thanks Koushik, I'll add my reply to your comments. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue On Mar 28 2016, at 2:08 pm, Koushik Das wrote: Thanks Rohit, for the replies. Added some more comments based on the replies. -Koushik From: Rohit Yadav Sent: Friday, March 25, 2016 6:42 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi Koushik, Thanks for the comments on the FS, I've replied to all of them and updated the FS (for example, default param in APIs). Let me know on this ML thread or on the FS if you've further questions/comments. Thanks. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Koushik Das [mailto:koushik@accelerite.com] Sent: Friday, March 25, 2016 1:34 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Thanks Koushik, I'll add my reply to your comments. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue On Mar 28 2016, at 2:08 pm, Koushik Das wrote: Thanks Rohit, for the replies. Added some more comments based on the replies. -Koushik From: Rohit Yadav Sent: Friday, March 25, 2016 6:42 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi Koushik, Thanks for the comments on the FS, I've replied to all of them and updated the FS (for example, default param in APIs). Let me know on this ML thread or on the FS if you've further questions/comments. Thanks. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Koushik Das [mailto:koushik@accelerite.com] Sent: Friday, March 25, 2016 1:34 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Thanks Rohit, for the replies. Added some more comments based on the replies. -Koushik From: Rohit Yadav Sent: Friday, March 25, 2016 6:42 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi Koushik, Thanks for the comments on the FS, I've replied to all of them and updated the FS (for example, default param in APIs). Let me know on this ML thread or on the FS if you've further questions/comments. Thanks. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Koushik Das [mailto:koushik@accelerite.com] Sent: Friday, March 25, 2016 1:34 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails. DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
you know you are great, right? On Fri, Mar 25, 2016 at 2:10 PM, Rohit Yadav wrote: > Hi Daan, > > Thanks for the comments. > > Yes, I looked into it but the IAM-services related work started by some of > our former colleagues was not in a good shape to be picked up, it also > introduced resource level fine-grain ACLs that would have required a lot of > effort to both implement and test thoroughly. > > The proposed solution is not the final solution to the rbac problem, but > aims to solve for role/account management issues for operators while > ensuring strict backward compatibility, an upgrade path from static based > system to a db-backed dynamic system and allows scope for future > improvements. > > To share some progress, the feature implementation so far looks promising > and I'm trying to nail down the edges around upgrade process. > I'm also investing a lot of time of marvin tests to ensure high quality > delivery of this feature. > > Regards. > > Regards, > > Rohit Yadav > > rohit.ya...@shapeblue.com > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > > -Original Message- > From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] > Sent: Friday, March 25, 2016 12:55 PM > To: dev > Cc: us...@cloudstack.apache.org > Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access > Checker for CloudStack > > Rohit, I had a first glance and it looks promising; +1 You have been > thourough on the fs. One question that comes to mind is whatever happened > to the role base access That Min and Pradhi(not sure if I remeber her name > correctly) where implementing for 4.4. It failed then because the work was > taking much more effort then estimated but it was pushed to git.wip-us. Did > you look at thaat work? > > On Wed, Mar 23, 2016 at 6:04 PM, Rohit Yadav > wrote: > > > Hi all, > > > > I want to propose a new feature for CloudStack, dynamic role-based API > > access checker. This feature will allow us to migrate rules define in > > commands.properties file to database, while role management (such as > > creating/editing roles, adding/removing rules) won't require > > restarting management server(s). > > > > Please find more details in the FS here: > > > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Ba > > sed+API+Access+Checker+for+CloudStack > > > > I look forward to your comments, suggestions and questions. Thanks. > > > > Regards, > > Rohit Yadav > > > > Regards, > > > > Rohit Yadav > > > > rohit.ya...@shapeblue.com > > www.shapeblue.com > > 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue > > > > > > -- > Daan > -- Daan
RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Hi Koushik, Thanks for the comments on the FS, I've replied to all of them and updated the FS (for example, default param in APIs). Let me know on this ML thread or on the FS if you've further questions/comments. Thanks. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Koushik Das [mailto:koushik@accelerite.com] Sent: Friday, March 25, 2016 1:34 PM To: dev@cloudstack.apache.org; us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
RE: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Hi Daan, Thanks for the comments. Yes, I looked into it but the IAM-services related work started by some of our former colleagues was not in a good shape to be picked up, it also introduced resource level fine-grain ACLs that would have required a lot of effort to both implement and test thoroughly. The proposed solution is not the final solution to the rbac problem, but aims to solve for role/account management issues for operators while ensuring strict backward compatibility, an upgrade path from static based system to a db-backed dynamic system and allows scope for future improvements. To share some progress, the feature implementation so far looks promising and I'm trying to nail down the edges around upgrade process. I'm also investing a lot of time of marvin tests to ensure high quality delivery of this feature. Regards. Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue -Original Message- From: Daan Hoogland [mailto:daan.hoogl...@gmail.com] Sent: Friday, March 25, 2016 12:55 PM To: dev Cc: us...@cloudstack.apache.org Subject: Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Rohit, I had a first glance and it looks promising; +1 You have been thourough on the fs. One question that comes to mind is whatever happened to the role base access That Min and Pradhi(not sure if I remeber her name correctly) where implementing for 4.4. It failed then because the work was taking much more effort then estimated but it was pushed to git.wip-us. Did you look at thaat work? On Wed, Mar 23, 2016 at 6:04 PM, Rohit Yadav wrote: > Hi all, > > I want to propose a new feature for CloudStack, dynamic role-based API > access checker. This feature will allow us to migrate rules define in > commands.properties file to database, while role management (such as > creating/editing roles, adding/removing rules) won't require > restarting management server(s). > > Please find more details in the FS here: > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Ba > sed+API+Access+Checker+for+CloudStack > > I look forward to your comments, suggestions and questions. Thanks. > > Regards, > Rohit Yadav > > Regards, > > Rohit Yadav > > rohit.ya...@shapeblue.com > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue > -- Daan
Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
The idea looks good. I have provided some questions/comments on the FS itself. Thanks, Koushik From: Rohit Yadav Sent: Wednesday, March 23, 2016 10:34 PM To: dev@cloudstack.apache.org Cc: us...@cloudstack.apache.org Subject: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack Hi all, I want to propose a new feature for CloudStack, dynamic role-based API access checker. This feature will allow us to migrate rules define in commands.properties file to database, while role management (such as creating/editing roles, adding/removing rules) won't require restarting management server(s). Please find more details in the FS here: https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack I look forward to your comments, suggestions and questions. Thanks. Regards, Rohit Yadav Regards, Rohit Yadav rohit.ya...@shapeblue.com www.shapeblue.com 53 Chandos Place, Covent Garden, London WC2N 4HSUK @shapeblue DISCLAIMER == This e-mail may contain privileged and confidential information which is the property of Accelerite, a Persistent Systems business. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Accelerite, a Persistent Systems business does not accept any liability for virus infected mails.
Re: [DISCUSS] Request for comments: Dynamic Role Based API Access Checker for CloudStack
Rohit, I had a first glance and it looks promising; +1 You have been thourough on the fs. One question that comes to mind is whatever happened to the role base access That Min and Pradhi(not sure if I remeber her name correctly) where implementing for 4.4. It failed then because the work was taking much more effort then estimated but it was pushed to git.wip-us. Did you look at thaat work? On Wed, Mar 23, 2016 at 6:04 PM, Rohit Yadav wrote: > Hi all, > > I want to propose a new feature for CloudStack, dynamic role-based API > access checker. This feature will allow us to migrate rules define in > commands.properties file to database, while role management (such as > creating/editing roles, adding/removing rules) won't require restarting > management server(s). > > Please find more details in the FS here: > > https://cwiki.apache.org/confluence/display/CLOUDSTACK/Dynamic+Role+Based+API+Access+Checker+for+CloudStack > > I look forward to your comments, suggestions and questions. Thanks. > > Regards, > Rohit Yadav > > Regards, > > Rohit Yadav > > rohit.ya...@shapeblue.com > www.shapeblue.com > 53 Chandos Place, Covent Garden, London WC2N 4HSUK > @shapeblue > -- Daan
