cccna17 cs dynamic roles in cloudstackevents17.linuxfoundation.org/sites/events/files/slides/cccna17...
TRANSCRIPT
The Cloud Specialists
DynamicRolesinCloudStack
BorisStoyanovSoftwareDevelopmentEngineerinTest
[email protected]:@shapeblue
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
About Me
• Break Stuff @ ShapeBlue• Background:
• Morethan10yearsinSoftwareDevelopmentandTesting
• Specializein:• TestManagement• AutomatedTesting• TestingFrameworks
• JoinedShapeBlueandCloudStack lastyear
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
“ShapeBlue are expert builders of public & private clouds. They are the leading global CloudStack
services company.”
About ShapeBlue
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Sta t ic Roles in C loudStack
• Listofpre-definedroles• Allrolespermissionsarekeptinasinglefilecommands.properties• Eachchangerequiresamanagementserverrestart• Howdoweaddacustomrolewithnewsetofpermissions
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
H int : i t ’s re la ted to permiss ions
Q1:Whatarethesenumbersandwhat’stheirpurpose:1,2,4,8
Answer:Thesenumbersrepresentthestaticroles1=ADMIN2=RESOURCE_DOMAIN_ADMIN4=DOMAIN_ADMIN8=USER
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
H int : re la ted to permiss ions
Q2: What are the 7s and 15s?
Answer:allusersuntilthatnumbercanexecutethecommand
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Q3:Whatdoesthisnumberrepresent:790
Answer:That’saboutthenumberoflinescommands.properties hasin4.9.
Hint : re la ted to the permiss ions f i le
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Sta t ic Role -based Access Contro l
• Pre-defined roles
• All permissions kept in a commands.properties file
• Changes are difficult to maintain
• Management server restart is required after change
• Hard to add a new role with custom permissions
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Add Read-only Admin
• Root Admin• Read-only permission
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Let ’s re - th ing ro les management
• New way of managing roles
• Add/Change roles made easy
• Apply changes without management restart
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Here ’s what we d id
• Move all permissions to the DB • Create a dynamic role based account checker (RBAC)• New UI interface• Handle migrations
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
How to use i t : Adding ro le
Usecase:RootAdminwantstocreatearootadminread-onlyaccount,whoisnotallowedtoseeGlobalSettings.
• Createacustomrole
• Addan“allowrule”toalllistAPIs
• Assigntheroletotheread-onlyaccount
• Add”denyrule”toallconfigurationAPIs
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
How to use i t : Good pract ices
• Whenaddingcustomrules,userisallowedtoselectmultipleAPIsusing“*”
• It’sagoodpracticetomovedenyrulesontopofthelistwhenallowingmultipleAPIsatonce.
• Rulescanbeshiftedinthelistinsettheorderofthelist
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
How to use i t : Denied API
• WhathappensinUIwhenuserhitsadeniedAPI?
• Userisdisplayedwiththefollowingerror
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Dynamic Role -based Access Contro l
• Pre-defined roles are available
• Moves all permissions into the DB
• Adds UI interface to add a new role
• Custom set of rules per API for a role
• Does not require management restart
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
L ive demo
• One must read slide title first
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Ava i lab i l i ty and Upgrade
• DynamicRBACisavailableandenabledbydefaultonallnewinstallationspost4.9
• Usersupgradingto>4.9.xwillhavethefeaturedisabledpostupgrade
• MigrationtoolisavailabletodothemigrationandenableDynamicRBAC
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Upgrade: Running the migrat ion tool
[root@host]#pythonmigrate-dynamicroles.py -ucloud-pcloud-hlocalhost-p3306-f/etc/cloudstack/management/commands.properties
ApacheCloudStack RolePermissionMigrationTool(c)ApacheCloudStack AuthorsandtheASF,undertheApacheLicense,Version2.0Runningthismigrationtoolwillremoveanydefault-rolepermissionsfromcloud.role_permissions.Doyouwanttocontinue?[y/N]yThecommands.properties filehasbeendeprecatedandmovedat:/etc/cloudstack/management/commands.properties.deprecatedStaticrolepermissionsfromcommands.properties havebeenmigratedintothedbDynamicrolebasedAPIcheckerhasbeenenabled!
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Migra t ing Roles
• AfterenablingDynamicRBACrootadminrolepermissionslookslikethis:
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
Migra t ing Roles
• Whileotherroleshaveexplicitrulescreatedbasedonthesettingsincommands.propertiesfile.
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
By the way….
Next CloudStack event: Cloudstack Collaboration Conference at ApacheCon North America
May16-18,2017InterContinentalMiamiMIAMI,FLORIDAUnitedStates
http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-
C l i c k t o e d i t
The Cloud Specialists ShapeBlue.com @ShapeBlue
More in format ion
• Slide deck: http://www.slideshare.net/shapeblue
• Blog: http://shapeblue.com/blog
• Email: [email protected]
• Web: http://shapeblue.com