The Cloud Specialists
Dynamic Roles in CloudStack
Boris Stoyanov
Software Development Engineer in Test
boris.stoyanov@shapeblue.com
twitter: @shapeblue
ShapeBlue.com @ShapeBlue
About Me
• Break Stuff @ ShapeBlue
• Background:
• More than 10 years in Software Development and Testing
• Specialize in:
• Test Management
• Automated Testing
• Testing Frameworks
• Joined ShapeBlue and CloudStack last year
“ShapeBlue are expert builders of public & private
clouds. They are the leading global CloudStack
services company.”
About ShapeBlue
ShapeBlue customers
Dynamic Roles in CloudStack
Static Roles in CloudStack
• List of pre-defined roles
• All role permissions are kept in a single file, commands.properties
• Each change requires a management server restart
• How do we add a custom role with a new set of permissions?
Dynamic Roles
Quiz Time
Hint: it’s related to permissions
Q1: What are these numbers and what’s their purpose: 1, 2, 4, 8
Answer: These numbers represent the static roles
1 = ADMIN
2 = RESOURCE_DOMAIN_ADMIN
4 = DOMAIN_ADMIN
8 = USER
commands.properties
Hint: related to permissions
Q2: What are the 7s and 15s?
Answer: all users until that number can execute the command
Hint: related to the permissions file
Q3: What does this number represent: 790
Answer: That’s about the number of lines commands.properties has in 4.9.
Static Role-based Access Control
• Pre-defined roles
• All permissions kept in a commands.properties file
• Changes are difficult to maintain
• Management server restart is required after change
• Hard to add a new role with custom permissions
Add Read-only Admin
• Root Admin
• Read-only permission
Let’s re-think roles management
• New way of managing roles
• Add/Change roles made easy
• Apply changes without management restart
Here’s what we did
• Move all permissions to the DB
• Create a dynamic role based account checker (RBAC)
• New UI interface
• Handle migrations
Dynamic ApiChecker
How to use it: Adding role
Use case: Root Admin wants to create a root admin read-only account, who is not allowed to see Global Settings.
• Create a custom role
• Add an “allow rule” to all list APIs
• Assign the role to the read-only account
• Add “deny rule” to all configuration APIs
How to use it: Good practices
• When adding custom rules, the user can select multiple APIs using “*”
• It’s a good practice to move deny rules to the top of the list when allowing multiple APIs at once.
• Rules can be shifted in the list to set their order
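Why the order of rules matters, shown as an added example that is not part of the original slides and is not CloudStack's own checker. It assumes first-match-wins evaluation over the ordered rule list, "*" as the only wildcard, and refusal when no rule matches; the rule patterns and the API inventory are constructed for the read-only admin use case.

```python
import re

ALLOW, DENY = "allow", "deny"


def matches(pattern, text):
    """Match a rule pattern in which '*' is the only wildcard."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None


def evaluate(rules, api):
    """First matching rule decides. Returns (decision, rule index or None)."""
    for index, (pattern, permission) in enumerate(rules):
        if matches(pattern, api):
            return permission, index
    # Assumption of this sketch: an API matched by no rule is refused.
    return DENY, None


def denied_but_allowed(rules, api_names):
    """APIs that a deny rule matches but an earlier allow rule lets through."""
    hits = []
    for api in api_names:
        decision, index = evaluate(rules, api)
        if decision != ALLOW:
            continue
        later = rules[index + 1:]
        if any(perm == DENY and matches(pat, api) for pat, perm in later):
            hits.append(api)
    return hits


def move_denies_first(rules):
    """Stable reorder: deny rules on top, relative order otherwise unchanged."""
    denies = [rule for rule in rules if rule[1] == DENY]
    allows = [rule for rule in rules if rule[1] == ALLOW]
    return denies + allows


# Constructed rules for the read-only admin, entered in the risky order:
# the broad allow sits above the deny meant to hide Global Settings.
READ_ONLY_ADMIN = [
    ("list*", ALLOW),
    ("*Configuration*", DENY),
]

# Constructed inventory of API names used to audit the rule list.
SAMPLE_APIS = [
    "listVirtualMachines",
    "listConfigurations",
    "updateConfiguration",
    "deployVirtualMachine",
]

if __name__ == "__main__":
    for label, rules in (("as entered", READ_ONLY_ADMIN),
                         ("denies first", move_denies_first(READ_ONLY_ADMIN))):
        print(label)
        for api in SAMPLE_APIS:
            print(f"  {api:22} -> {evaluate(rules, api)[0]}")
        print("  deny rules bypassed for:", denied_but_allowed(rules, SAMPLE_APIS))
```
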
How to use it: Denied API
• What happens in UI when user hits a denied API?
• User is displayed with the following error
Dynamic Role-based Access Control
• Pre-defined roles are available
• Moves all permissions into the DB
• Adds UI interface to add a new role
• Custom set of rules per API for a role
• Does not require management restart
Live demo
• One must read slide title first
Availability and Upgrade
• Dynamic RBAC is available and enabled by default on all new installations post 4.9
• Users upgrading to >4.9.x will have the feature disabled post upgrade
• Migration tool is available to do the migration and enable Dynamic RBAC
Upgrade: Running the migration tool
[root@host]# python migrate-dynamicroles.py -u cloud -p cloud -H localhost -P 3306 -f /etc/cloudstack/management/commands.properties
Apache CloudStack Role Permission Migration Tool
(c) Apache CloudStack Authors and the ASF, under the Apache License, Version 2.0
Running this migration tool will remove any default-role permissions from cloud.role_permissions. Do you want to continue? [y/N]y
The commands.properties file has been deprecated and moved at: /etc/cloudstack/management/commands.properties.deprecated
Static role permissions from commands.properties have been migrated into the db
Dynamic role based API checker has been enabled!
Migrating Roles
• After enabling Dynamic RBAC, the root admin role permissions look like this:
• While other roles have explicit rules created based on the settings in the commands.properties file.
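How the role numbers from the quiz (1, 2, 4, 8, with 7 and 15 as combinations) turn into explicit per-role rules, as an added example that is not the migration tool's own code. It assumes commands.properties holds `apiName=mask` lines and that the root admin role is skipped; the sample entries and their masks are constructed.

```python
# Bit values of the static roles, as given in the quiz answer.
ROLE_BITS = {
    "ADMIN": 1,
    "RESOURCE_DOMAIN_ADMIN": 2,
    "DOMAIN_ADMIN": 4,
    "USER": 8,
}

# Constructed sample in the assumed `apiName=mask` layout.
SAMPLE_PROPERTIES = """\
### constructed sample, not the shipped file
listVirtualMachines=15
createAccount=7
listConfigurations=1
updateConfiguration=1
badEntry=notanumber
"""


def roles_for_mask(mask):
    """Return the role names whose bit is set in mask (7 = 1+2+4, 15 = all)."""
    return [name for name, bit in ROLE_BITS.items() if mask & bit]


def parse_properties(text):
    """Parse `api=mask` lines; skip blanks and comments, report malformed lines."""
    entries, skipped = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        api, sep, value = line.partition("=")
        api, value = api.strip(), value.strip()
        if not sep or not api or not value.isdecimal():
            skipped.append((lineno, raw))
            continue
        entries[api] = int(value)
    return entries, skipped


def explicit_rules(entries, skip_roles=("ADMIN",)):
    """Build {role: [allowed api, ...]} for every role except skip_roles."""
    rules = {role: [] for role in ROLE_BITS if role not in skip_roles}
    for api, mask in sorted(entries.items()):
        for role in roles_for_mask(mask):
            if role in rules:
                rules[role].append(api)
    return rules


def admin_only_apis(entries):
    """APIs whose mask is 1: review these before granting them to a custom role."""
    return sorted(api for api, mask in entries.items() if mask == ROLE_BITS["ADMIN"])


if __name__ == "__main__":
    entries, skipped = parse_properties(SAMPLE_PROPERTIES)
    for api, mask in entries.items():
        print(f"{api:22} {mask:2} -> {', '.join(roles_for_mask(mask))}")
    for role, apis in explicit_rules(entries).items():
        print(f"{role}: allow {apis}")
    print("admin only:", admin_only_apis(entries))
    print("skipped lines:", skipped)
```
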
Questions?
By the way….
Next CloudStack event: CloudStack Collaboration Conference at ApacheCon North America
May 16-18, 2017
InterContinental Miami
MIAMI, FLORIDA
United States
http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-
More information
• Slide deck: http://www.slideshare.net/shapeblue
• Blog: http://shapeblue.com/blog
• Email: boris.stoyanov@shapeblue.com
• Web: http://shapeblue.com

CCCNA17 Dynamic Roles in CloudStack
