The Cloud Specialists

DynamicRolesinCloudStack

BorisStoyanovSoftwareDevelopmentEngineerinTest

boris.stoyanov@shapeblue.comtwitter:@shapeblue

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

About Me

• Break Stuff @ ShapeBlue• Background:

• Morethan10yearsinSoftwareDevelopmentandTesting

• Specializein:• TestManagement• AutomatedTesting• TestingFrameworks

• JoinedShapeBlueandCloudStack lastyear

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

“ShapeBlue are expert builders of public & private clouds. They are the leading global CloudStack

services company.”

About ShapeBlue

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

ShapeBlue customers

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

ShapeBlue customers

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

ShapeBlue customers

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Dynamic Roles in CloudStack

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Sta t ic Roles in C loudStack

• Listofpre-definedroles• Allrolespermissionsarekeptinasinglefilecommands.properties• Eachchangerequiresamanagementserverrestart• Howdoweaddacustomrolewithnewsetofpermissions

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Dynamic Roles

Quiz Time

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

H int : i t ’s re la ted to permiss ions

Q1:Whatarethesenumbersandwhat’stheirpurpose:1,2,4,8

Answer:Thesenumbersrepresentthestaticroles1=ADMIN2=RESOURCE_DOMAIN_ADMIN4=DOMAIN_ADMIN8=USER

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

commands.proper t ies

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

H int : re la ted to permiss ions

Q2: What are the 7s and 15s?

Answer:allusersuntilthatnumbercanexecutethecommand

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Q3:Whatdoesthisnumberrepresent:790

Answer:That’saboutthenumberoflinescommands.properties hasin4.9.

Hint : re la ted to the permiss ions f i le

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Sta t ic Role -based Access Contro l

• Pre-defined roles

• All permissions kept in a commands.properties file

• Changes are difficult to maintain

• Management server restart is required after change

• Hard to add a new role with custom permissions

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Add Read-only Admin

• Root Admin• Read-only permission

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Let ’s re - th ing ro les management

• New way of managing roles

• Add/Change roles made easy

• Apply changes without management restart

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Here ’s what we d id

• Move all permissions to the DB • Create a dynamic role based account checker (RBAC)• New UI interface• Handle migrations

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Dynamic ApiChecker

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

How to use i t : Adding ro le

Usecase:RootAdminwantstocreatearootadminread-onlyaccount,whoisnotallowedtoseeGlobalSettings.

• Createacustomrole

• Addan“allowrule”toalllistAPIs

• Assigntheroletotheread-onlyaccount

• Add”denyrule”toallconfigurationAPIs

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

How to use i t : Adding ro le

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

How to use i t : Good pract ices

• Whenaddingcustomrules,userisallowedtoselectmultipleAPIsusing“*”

• It’sagoodpracticetomovedenyrulesontopofthelistwhenallowingmultipleAPIsatonce.

• Rulescanbeshiftedinthelistinsettheorderofthelist

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

How to use i t : Denied API

• WhathappensinUIwhenuserhitsadeniedAPI?

• Userisdisplayedwiththefollowingerror

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Dynamic Role -based Access Contro l

• Pre-defined roles are available

• Moves all permissions into the DB

• Adds UI interface to add a new role

• Custom set of rules per API for a role

• Does not require management restart

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

L ive demo

• One must read slide title first

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Ava i lab i l i ty and Upgrade

• DynamicRBACisavailableandenabledbydefaultonallnewinstallationspost4.9

• Usersupgradingto>4.9.xwillhavethefeaturedisabledpostupgrade

• MigrationtoolisavailabletodothemigrationandenableDynamicRBAC

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Upgrade: Running the migrat ion tool

[root@host]#pythonmigrate-dynamicroles.py -ucloud-pcloud-hlocalhost-p3306-f/etc/cloudstack/management/commands.properties

ApacheCloudStack RolePermissionMigrationTool(c)ApacheCloudStack AuthorsandtheASF,undertheApacheLicense,Version2.0Runningthismigrationtoolwillremoveanydefault-rolepermissionsfromcloud.role_permissions.Doyouwanttocontinue?[y/N]yThecommands.properties filehasbeendeprecatedandmovedat:/etc/cloudstack/management/commands.properties.deprecatedStaticrolepermissionsfromcommands.properties havebeenmigratedintothedbDynamicrolebasedAPIcheckerhasbeenenabled!

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Migra t ing Roles

• AfterenablingDynamicRBACrootadminrolepermissionslookslikethis:

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Migra t ing Roles

• Whileotherroleshaveexplicitrulescreatedbasedonthesettingsincommands.propertiesfile.

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

Questions?

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

By the way….

Next CloudStack event: Cloudstack Collaboration Conference at ApacheCon North America

May16-18,2017InterContinentalMiamiMIAMI,FLORIDAUnitedStates

http://events.linuxfoundation.org/events/apachecon-north-america/attend/register-

C l i c k t o e d i t

The Cloud Specialists ShapeBlue.com @ShapeBlue

More in format ion

• Slide deck: http://www.slideshare.net/shapeblue

• Blog: http://shapeblue.com/blog

• Email: boris.stoyanov@shapeblue.com

• Web: http://shapeblue.com