This repository has been archived by the owner on Aug 30, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 24
iam 3.4 privileged personas spec
chris grzegorczyk edited this page Jul 3, 2013
·
7 revisions
- Eucalyptus should clearly differentiate between different privileged cloud personas (currently all accommodated by the eucalyptus account) and provide ways to compartmentalize their privileges
- Eucalyptus should be able to accommodate simple deployments where most of the below roles are played by 1 or 2 individuals
- Eucalyptus should provide the ability to define which roles are needed for a particular deployment AND what each of these roles are going to be able to do
- the Cloud Super Admin (CSA)
- the super powerful user, which can perform any privileged operation in Eucalyptus and delegate these privileges
- should have limited access (local root only?)
- the only user who can create, modify and delete privileged policies and assign these policies to users
- the Cloud Resource Manager (CRM)
- can manage AWS-defined resources (such as S3 objects, instances, users, etc) across accounts
- from PRD-37, typical responsibilities
- Management (accounts, cloud resources, policies, quotas, users, groups)
- Monitoring (capacity, usage)
- Reporting (usage reporting, account activity, audit trail)
- Backup and Restore
- the Infrastructure Admin (IA)
- can perform operations related to system setup and management
- from PRD-37, typical responsibilities
- installation and configuration
- prepare environment
- install Eucalyptus
- configure Eucalyptus
- Monitoring and Maintenance
- Infrastructure supporting the cloud
- Cloud management layer
- Upgrades, security patches
- Diagnostics and troubleshooting
- Backup and Restore
- installation and configuration
- Users
- CSA
- Roles
- CRM
- a policy should allow for any supported AWS action (e.g., actions: "ec2:*", "s3:*", "iam:*", "elb:*", "as:*", "cw:*") + reporting
- need a way to specify in a policy that cross-account access is allowed (e.g., by prepending a special namespace to all actions "euca:ec2:*" or by employing ARNs "arn:aws:service:region:*:resource")
- IA
- a policy should allow for the actions supported by Empyrean, Configuration, and Properties services)
- CRM
- a user can assume more than one role (is there a limit?)
- provide canned policies for privileged roles
- policy language should allow for specifying cross-account access
- limited access to CSA functionality (local root only?)
- only CSA can
- define privileged policies
- define privileged policies to users and roles
- grant/revoke access to privileged roles
- accounts with privileged access should not have preset default password
- That usage of privileged personae should not require extra steps from the GUI console once the policies have been defined and the user is logged in (usage of privileged personae should be transparent to the user).
- That usage of privileged personae should not require extra steps from the CLI tools once the policies have been defined (assumption of roles from CLI may require extra step you mentioned above)
- That options which are not allowed for a logged in user of a GUI console are either hidden or disabled (which of these to use will be TBD on a case-by-case basis)
- That options which are not allowed for a user of CLI tools will have a clear error message indicating cause and remedy
- That canned policies are provided with Eucalyptus
- That predefined roles using the canned policies will be provided
- These predefined policies and roles must be editable by those with permissions to do so
- That cloud admins or users with IAM permissions can easily assign full roles or just the operations they want to grant access to with any level of desired granularity
- That any errors related to privileged personae must have clear and concise error messages returned indicating cause and remedy to be displayed in either CLI or GUI
- euca-modify-property should be separated into 2 operation: to modify properties (for IA) and to modify runtime (by default, for CSA only)
- how to distinguish between expired and invalid credentials?! (if valid, but expired, the error message can say that they are expired)
- lifetime of STS credentials for privileged roles
- should be short, allow for one operation only?
- role discovery by client tools and UI
- should only work for the privileged roles, but not any roles that an account is allowed to assume
- some operations typically performed by IA, also need to be available to other users and account admins should be able to delegate these privileges
- DescribeServices
- any others?
tag:rls-3.4