dynamic roles in cloudstack
play

Dynamic Roles in CloudStack Boris Stoyanov Software Development - PowerPoint PPT Presentation

Oct 21, 2023 •438 likes •759 views

Dynamic Roles in CloudStack Boris Stoyanov Software Development Engineer in Test boris.stoyanov@shapeblue.com twitter: @shapeblue The Cloud Specialists About Me Break Stuff @ ShapeBlue Background: C l i c k t o e d i t More

  1. Dynamic Roles in CloudStack Boris Stoyanov Software Development Engineer in Test boris.stoyanov@shapeblue.com twitter: @shapeblue The Cloud Specialists

  2. About Me • Break Stuff @ ShapeBlue • Background: C l i c k t o e d i t • More than 10 years in Software Development and Testing • Specialize in: • Test Management • Automated Testing • Testing Frameworks Joined ShapeBlue and CloudStack last year • ShapeBlue.com @ShapeBlue The Cloud Specialists

  3. About ShapeBlue C l i c k t o e d i t “ShapeBlue are expert builders of public & private clouds. They are the leading global CloudStack services company.” @ShapeBlue ShapeBlue.com The Cloud Specialists

  4. ShapeBlue customers C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  5. ShapeBlue customers C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  6. ShapeBlue customers C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  7. C l i c k t o e d i t Dynamic Roles in CloudStack ShapeBlue.com @ShapeBlue The Cloud Specialists

  8. Static Roles in CloudStack C l i c k t o e d i t • List of pre-defined roles • All roles permissions are kept in a single file commands.properties • Each change requires a management server restart • How do we add a custom role with new set of permissions ShapeBlue.com @ShapeBlue The Cloud Specialists

  9. Dynamic Roles C l i c k t o e d i t Quiz Time ShapeBlue.com @ShapeBlue The Cloud Specialists

  10. Hint: it’s related to permissions Q1: What are these numbers and what’s their purpose: 1, 2, 4, 8 C l i c k t o e d i t Answer: These numbers represent the static roles 1 = ADMIN 2 = RESOURCE_DOMAIN_ADMIN 4 = DOMAIN_ADMIN 8 = USER ShapeBlue.com @ShapeBlue The Cloud Specialists

  11. commands.properties C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  12. Hint: related to permissions Q2: What are the 7s and 15s? C l i c k t o e d i t Answer: all users until that number can execute the command ShapeBlue.com @ShapeBlue The Cloud Specialists

  13. Hint: related to the permissions file Q3: What does this number represent: 790 C l i c k t o e d i t Answer: That’s about the number of lines commands.properties has in 4.9. ShapeBlue.com @ShapeBlue The Cloud Specialists

  14. Static Role-based Access Control • Pre-defined roles C l i c k t o e d i t • All permissions kept in a commands.properties file • Changes are difficult to maintain • Management server restart is required after change • Hard to add a new role with custom permissions ShapeBlue.com @ShapeBlue The Cloud Specialists

  15. Add Read-only Admin • Root Admin C l i c k t o e d i t • Read-only permission ShapeBlue.com @ShapeBlue The Cloud Specialists

  16. Let’s re-thing roles management • New way of managing roles C l i c k t o e d i t • Add/Change roles made easy • Apply changes without management restart ShapeBlue.com @ShapeBlue The Cloud Specialists

  17. Here’s what we did C l i c k t o e d i t • Move all permissions to the DB • Create a dynamic role based account checker (RBAC) • New UI interface • Handle migrations ShapeBlue.com @ShapeBlue The Cloud Specialists

  18. Dynamic ApiChecker C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  19. How to use it: Adding role Use case: Root Admin wants to create a root admin read-only account, who is not allowed to see Global Settings. C l i c k t o e d i t Create a custom role • Add an “allow rule” to all list APIs • • Add ”deny rule” to all configuration APIs • Assign the role to the read-only account ShapeBlue.com @ShapeBlue The Cloud Specialists

  20. How to use it: Adding role C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  21. How to use it: Good practices C l i c k t o e d i t When adding custom rules, user is allowed to select multiple APIs using “*” • Rules can be shifted in the list in set the order of the list • It’s a good practice to move deny rules on top of the list when allowing • multiple APIs at once. ShapeBlue.com @ShapeBlue The Cloud Specialists

  22. How to use it: Denied API What happens in UI when user hits a denied API? • C l i c k t o e d i t User is displayed with • the following error ShapeBlue.com @ShapeBlue The Cloud Specialists

  23. Dynamic Role-based Access Control • Pre-defined roles are available C l i c k t o e d i t • Moves all permissions into the DB • Adds UI interface to add a new role • Custom set of rules per API for a role • Does not require management restart ShapeBlue.com @ShapeBlue The Cloud Specialists

  24. Live demo • One must read slide title first C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  25. Availability and Upgrade Dynamic RBAC is available and • C l i c k t o e d i t enabled by default on all new installations post 4.9 Users upgrading to >4.9.x • will have the feature disabled post upgrade Migration tool is available to • do the migration and enable Dynamic RBAC ShapeBlue.com @ShapeBlue The Cloud Specialists

  26. Upgrade: Running the migration tool [root@host]# python migrate-dynamicroles.py -u cloud -p cloud -h localhost -p 3306 -f /etc/cloudstack/management/commands.properties C l i c k t o e d i t Apache CloudStack Role Permission Migration Tool (c) Apache CloudStack Authors and the ASF, under the Apache License, Version 2.0 Running this migration tool will remove any default-role permissions from cloud.role_permissions. Do you want to continue? [y/N]y The commands.properties file has been deprecated and moved at: /etc/cloudstack/management/commands.properties.deprecated Static role permissions from commands.properties have been migrated into the db Dynamic role based API checker has been enabled! ShapeBlue.com @ShapeBlue The Cloud Specialists

  27. Migrating Roles After enabling Dynamic RBAC root admin role permissions looks like this: • C l i c k t o e d i t ShapeBlue.com @ShapeBlue The Cloud Specialists

  28. Migrating Roles While other roles • have explicit rules C l i c k t o e d i t created based on the settings in commands.properties file. ShapeBlue.com @ShapeBlue The Cloud Specialists

  29. C l i c k t o e d i t Questions? ShapeBlue.com @ShapeBlue The Cloud Specialists

  30. By the way…. Next CloudStack event: Cloudstack Collaboration C l i c k t o e d i t Conference at ApacheCon North America May 16-18, 2017 InterContinental Miami MIAMI, FLORIDA United States http://events.linuxfoundation.org/events/apachecon-north- america/attend/register- ShapeBlue.com @ShapeBlue The Cloud Specialists

  31. More information C l i c k t o e d i t • Slide deck: http://www.slideshare.net/shapeblue • Blog: http://shapeblue.com/blog • Email: boris.stoyanov@shapeblue.com • Web: http://shapeblue.com ShapeBlue.com @ShapeBlue The Cloud Specialists

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Apache CloudStack & Apalia Involved with CloudStack since 2010 Dozens of CloudStack

Apache CloudStack & Apalia Involved with CloudStack since 2010 Dozens of CloudStack

Billing for Apache CloudStack Billing for Apache CloudStack CloudStack Collaboration Confer CloudStack Collaboration Conference US ence US Miami May 18 Miami May 18 th th 2017 2017 Apache CloudStack & Apalia Involved with

322 views • 15 slides
Developing API Plug-ins for CloudStack* * Specifically Using Version 4.5 Mike Tutkowski

Developing API Plug-ins for CloudStack* * Specifically Using Version 4.5 Mike Tutkowski

Developing API Plug-ins for CloudStack* * Specifically Using Version 4.5 Mike Tutkowski (@mtutkowski on Twitter) CloudStack Software Engineer Member of CloudStack Project Management Committee (PMC) Focused on CloudStacks storage

461 views • 26 slides
Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates

Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates

Transparent Service Migration to the Cloud Clone existing VMs to CloudStack/OpenStack templates without user downtime CloudOpen Dublin 2015 #whoami Name: Tim Mackey Current roles: XenServer Community Manager and Evangelist; occasional coder

740 views • 29 slides
Architecting for the cloud: lessons learned from 100 CloudStack deployments Sheng Liang CTO,

Architecting for the cloud: lessons learned from 100 CloudStack deployments Sheng Liang CTO,

Architecting for the cloud: lessons learned from 100 CloudStack deployments Sheng Liang CTO, Cloud Platforms, Citrix CloudStack History 2008 2009 2010 2012 2011 Sept 2008: Nov 2009: May 2010: July 2011: April 2012: CloudStack

457 views • 34 slides
SDN in CloudStack Tuesday, October 15, 13 About me Hugo Trippaers Email:

SDN in CloudStack Tuesday, October 15, 13 About me Hugo Trippaers Email:

SDN in CloudStack Tuesday, October 15, 13 About me Hugo Trippaers Email: htrippaers@schubergphilis.com Twitter: @Spark404 Freenode: Spark404 http://www.schubergphilis.com Tuesday, October 15, 13 CloudStack networking - the

572 views • 35 slides
+ Monitoring Consolidate Prescriptive Analytics for Apache CloudStack Madan Ganesh Velayudham

+ Monitoring Consolidate Prescriptive Analytics for Apache CloudStack Madan Ganesh Velayudham

+ Monitoring Consolidate Prescriptive Analytics for Apache CloudStack Madan Ganesh Velayudham Founder, CEO ActOnMagic madan@actonmagic.com + Agenda n Introduction n Different Stages of Analytics n Cloudstack Communitys concerns

438 views • 16 slides
CloudStack Networking Paul Angus Cloud Architect ShapeBlue paul.angus@shapeblue.com @CloudyAngus

CloudStack Networking Paul Angus Cloud Architect ShapeBlue paul.angus@shapeblue.com @CloudyAngus

CloudStack Networking Paul Angus Cloud Architect ShapeBlue paul.angus@shapeblue.com @CloudyAngus @ShapeBlue About Me Cloud Architect with ShapeBlue Worked with CloudStack since 2.2.13 Specialising in deployment of CloudStack and

1.25k views • 33 slides
Ansible & CloudStack Cloud Era Configuration Management Paul Angus Cloud Architect

Ansible & CloudStack Cloud Era Configuration Management Paul Angus Cloud Architect

Ansible & CloudStack Cloud Era Configuration Management Paul Angus Cloud Architect paul.angus@shapeblue.com @CloudyAngus @ShapeBlue Ansible & CloudStack Configuration Management Ansible Using Ansible with CloudStack @ShapeBlue

1.39k views • 44 slides
CloudStack and Big Data Sebastien Goasguen @sebgoa May 22 nd 2013 LinuxTag, Berlin Google

CloudStack and Big Data Sebastien Goasguen @sebgoa May 22 nd 2013 LinuxTag, Berlin Google

CloudStack and Big Data Sebastien Goasguen @sebgoa May 22 nd 2013 LinuxTag, Berlin Google trends Start of Clouds Cloud computing trending down, while Big Data is booming. Virtualization remains constant . BigData on

591 views • 42 slides
Why Apache CloudStack Alexandre Limas Santana, Gabriel Beims Br ascher, Lucas Berri

Why Apache CloudStack Alexandre Limas Santana, Gabriel Beims Br ascher, Lucas Berri

Why Apache CloudStack Alexandre Limas Santana, Gabriel Beims Br ascher, Lucas Berri Cristofolini, Pedro Henrique Pereira Martins, and Rafael Weing artner August 18, 2016 Florian opolis, SC Brazil Agenda Cloud computing

266 views • 24 slides
Junit-contracts: A Contract Testing Tool Claude N. Warren, Jr. CloudStack Collaboration

Junit-contracts: A Contract Testing Tool Claude N. Warren, Jr. CloudStack Collaboration

Junit-contracts: A Contract Testing Tool Claude N. Warren, Jr. CloudStack Collaboration Conference Europe October 8-9, 2015 Dublin, Ireland Who Is Claude Warren? claude@xenei.com Apache Jena Project Management Committee Member and

712 views • 32 slides
CloudStack Identity and Access Management (IAM) Min Chen Prachi Damle Citrix Agenda Background

CloudStack Identity and Access Management (IAM) Min Chen Prachi Damle Citrix Agenda Background

CloudStack Identity and Access Management (IAM) Min Chen Prachi Damle Citrix Agenda Background Our Design Goal Architecture Implementation Use Cases Next Steps Background Limited IAM Services Out-of-box fixed

251 views • 22 slides
Building an autonomic CloudStack Gabriel Beims Br ascher, Lucas Berri Cristofolini, and Rafael

Building an autonomic CloudStack Gabriel Beims Br ascher, Lucas Berri Cristofolini, and Rafael

Building an autonomic CloudStack Gabriel Beims Br ascher, Lucas Berri Cristofolini, and Rafael Weing artner January 19, 2017 Florian opolis, SC Brazil Agenda Current cloud environments The cloud we want How far are we from

441 views • 27 slides
What creates community? Roles Experiences Time Community Roles What Are Roles? A role is

What creates community? Roles Experiences Time Community Roles What Are Roles? A role is

What creates community? Roles Experiences Time Community Roles What Are Roles? A role is a person, in a place, doing something predictable Janet Klees 2013 The more competencies a person is perceived or believed to have, that much

589 views • 17 slides
Standard Project Roles and Responsibilities This describes typical roles and responsibilities for

Standard Project Roles and Responsibilities This describes typical roles and responsibilities for

Standard Project Roles and Responsibilities This describes typical roles and responsibilities for projects and programs. Roles may be assigned to one or more individuals. Conversely, individuals may play one or more roles. Executive Sponsor

48 views • 3 slides
Distributed CI and testing for cloudstack in a hybrid community Daan Hoogland Not senior. Not

Distributed CI and testing for cloudstack in a hybrid community Daan Hoogland Not senior. Not

Distributed CI and testing for cloudstack in a hybrid community Daan Hoogland Not senior. Not manager. Other job titles apply. daan.hoogland@shapeblue.com +DaanHoogland https://www.slideshare.net/ShapeBlue/cccna17-distributed-ci-

620 views • 22 slides
All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do

All About Apps Well cover... Whats an app? What are app permissions? What do companies gain by getting your permission? Typical permissions requested by apps How to check up on apps already on your phone App safety

134 views • 11 slides
COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne

COMP 2718: Permissions: Part 2 By: Dr. Andrew Vardy Adapted from the notes of Dr. Rod Byrne Outline Permissions: Part 2 umask - Set Default Permissions Special Permissions Changing Identities su - Run a New Shell as Another

288 views • 11 slides
Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free

Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free

Agenda Virtual Memory Final Review Assembly Calling Conventions Malloc/Free Caching Questions, Evaluations Virtual Memory Used for 3 things Efficient use of main memory (RAM) Use RAM as cache for parts of

499 views • 18 slides
Real-time Access Control Reconfiguration By Ashish Gehani and Gershon Kedem Department of

Real-time Access Control Reconfiguration By Ashish Gehani and Gershon Kedem Department of

Real-time Access Control Reconfiguration By Ashish Gehani and Gershon Kedem Department of Computer Science, Duke University Introduction Internet growth Increasingly frequent attacks Heterogenous deployed software More

585 views • 15 slides
Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate

Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate

Windows Not just for houses Everyone Uses Windows! (sorry James!) Users - Accounts to separate people on a computer - Multiple user accounts on a computer - Ex) shared family computer - Access level can be set differently for each user

1.2k views • 51 slides
Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend

Taking you API to the next level Django Rest Framework $whoami Carlos Martnez Backend Developer en twitter @carlosmart626 github carlosmart626 https://carlosmart.co $whoami Colombia @carlosmart626 $whoami @carlosmart626 5

945 views • 65 slides
CSCI 2132 Software Development Lecture 5: File Permissions Instructor: Vlado Keselj Faculty of

CSCI 2132 Software Development Lecture 5: File Permissions Instructor: Vlado Keselj Faculty of

CSCI 2132 Software Development Lecture 5: File Permissions Instructor: Vlado Keselj Faculty of Computer Science Dalhousie University 14-Sep-2018 (5) CSCI 2132 1 Previous Lecture Files and Directories Pathnames Commands for

571 views • 25 slides
Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J

Formalizing and Ref ining Authorization in SQL by Aaron Rosenthal and Edward Sciore (MI TRE) J i-Won Byun Tr uSe Reading Group J anuar y 11, 2005 I ntroduction Problems of current aut horizat ion semant ics of SQL t oo complex due t

611 views • 32 slides

More recommend