...

  • Until 4.4, CloudStack did not distinguish between read-only access, read-and-use access and operate access.
  • The CloudStack access control layer always checked whether the caller was the owner of the entity and granted every type of access on that basis alone.
  • With the IAM feature, the following entity access types can be specified:
    1. ListEntry (read-only access)
    2. UseEntry (read and use access)
    3. OperateEntry (operate/execute access)
Example: A domainAdmin registers a template T and allows a regular user of the domain to launch a VM using that template.

  Entity: TemplateT
  Principal1: domainAdmin, Access allowed: OperateEntry (operate access, since the admin can invoke delete/updatePermissions operations on the template)
  Principal2: normal domain user, Access allowed: UseEntry (the user can only list the template and use it for launching a VM)
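As an added illustration (not code from the CloudStack project), the pre-4.4 owner-only check is shown beside a per-entity, per-access-type check and evaluated on the template example above; the cumulative ordering of the three access types (OperateEntry covers UseEntry covers ListEntry) and the mapping of API calls to access types are assumptions made here.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Access(IntEnum):
    """The three entity access types introduced with IAM."""
    LIST = 1      # ListEntry: read-only
    USE = 2       # UseEntry: read and use (e.g. launch a VM from a template)
    OPERATE = 3   # OperateEntry: operate/execute (e.g. delete, updatePermissions)


@dataclass
class Entity:
    name: str
    owner: str
    # principal -> highest access type granted on this entity
    grants: dict = field(default_factory=dict)


def legacy_check(principal: str, entity: Entity, wanted: Access) -> bool:
    """Pre-4.4 behaviour: ownership alone grants every kind of access,
    so 'wanted' is never consulted and non-owners get nothing at all."""
    return principal == entity.owner


def iam_check(principal: str, entity: Entity, wanted: Access) -> bool:
    """IAM behaviour: the grant on this entity must cover the access type the
    call needs. Assumption (not stated on the page): access types are
    cumulative, i.e. OperateEntry covers UseEntry, which covers ListEntry."""
    granted = entity.grants.get(principal)
    return granted is not None and granted >= wanted


# Assumed mapping of a few template-related API calls to the access they need.
API_ACCESS = {
    "listTemplates": Access.LIST,
    "deployVirtualMachine": Access.USE,
    "deleteTemplate": Access.OPERATE,
    "updateTemplatePermissions": Access.OPERATE,
}


def allowed_apis(principal: str, entity: Entity) -> list:
    """Which of the mapped API calls this principal may make on the entity."""
    return [api for api, need in API_ACCESS.items() if iam_check(principal, entity, need)]


# Constructed sample mirroring the page's example: the domain admin owns
# TemplateT and grants a regular domain user UseEntry on it.
template_t = Entity("TemplateT", owner="domainAdmin",
                    grants={"domainAdmin": Access.OPERATE, "domainUser": Access.USE})
```

Under the legacy check the domain user could not even list the template, while under IAM the user can list and deploy from it but still cannot delete it or change its permissions.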

 

IAM at the API layer: use @ACL

...