This is the multi-page printable view of this section. Click here to print.
The Eucalyptus design of user identity and access management provides layers in the organization of user identities. This gives you refined control over resource access. Though compatible with the AWS IAM, there are also a few Eucalyptus-specific extensions.
This section describes what Eucalyptus access is and what you need to know about it so that you can configure access to your cloud.
In Eucalyptus, user identities are organized into accounts. An account is the unit of resource usage accounting, and also a separate namespace for many resources (security groups, key pairs, users, etc.).Accounts are identified by either a unique ID (UUID) or a unique name. The account name is like IAM’s account alias. It is used to manipulate accounts. However, for AWS compatibility, the EC2 commands often use account ID to display resource ownership.
There are command line tools to discover the correspondence of account ID and account name. For example, euare-accountlist lists all the accounts with both their IDs and names.
An account can have multiple users, but a user can only be in one account. Within an account, users can be associated with Groups. Group is used to attach access permissions to multiple users. A user can be associated with multiple groups. Because an account is a separate name space, user names and group names have to be unique only within an account. Therefore, user X in account A and user X in account B are two different identities.
Both users and groups are identified by their names, which are unique within an account (they also have UUIDs, but are rarely used).
Eucalyptus has two special identities for the convenience of administration and use of the system.
This topic describes the different types of credentials used by Eucalyptus.Each user has a unique set of credentials. These credentials are used to authenticate access to resources. There are three types of credentials:
euare- commands).In IAM, each account has its own credentials. In Eucalyptus, the equivalent of account credentials are the credentials of admin user of the account.
This topic describes the process for creating an account using the command line tool.You must be a cloud administrator to use this command. Accounts created are available for immediate access.
To create an account, run the following command:
euare-accountcreate -a account_name
When an account is created by euare-accountcreate command, an “admin” user is created by default.
Eucalyptus extends the IAM model by providing the following extra attributes for a user.
euare-usergetattributes and euare-usermod commands. You can retrieve and modify custom information using euare-usergetinfo and euare-userupdateinfo commands.A role A role is a mechanism that enables the delegation of access to users or applications.
A role is associated with an account, and has a set of permissions associated with it that are defined in the form of an IAM policy . A policy specifies a set of actions and resources within that account that the role is allowed to access.
By assuming a role, a user or an applications gets a set of permissions associated with that role. When a role is assumed, the Eucalyptus STS service returns a set of temporary security credentials that can then be used to make programmatic requests to resources in your account. This eliminates the need to share or hardcode security credentials with applications that need access to resources in your cloud.
Eucalyptus roles are managed through the Eucalyptus Euare service, which is compatible with Amazon’s Identity and Access Management service. For more information on IAM and roles, please see the Amazon IAM User Guide .
There are several scenarios in which roles can be useful, including:
Applications
Applications running on instances in your Eucalyptus cloud will often need access to other resources in your cloud. Instead of creating AWS credentials for each application, or distributing your own credentials,, you can use roles to enable you to delegate permission to the application to make API requests. For more information, see Launch an Instance with a Role .
Account Delegation
You can use roles to allow one account to access resources owned by another account. IAM Roles under the ’eucalyptus’ account can be assumed by users under ’non-eucalyptus’ account(s). For example, if you had an ‘infrastructure auditing’ account, and an audit was needed to be performed on all the cloud resources used on the cloud, a user could assume the ‘Resource Administrator’ role and audit all the resources used by all the accounts on the cloud. For more information on IAM account delegation, see Using Roles to Delegate Permissions and Federate Identities . Also, go to the walkthrough provided in the AWS Identity and Access Management section of the AWS documentation.
Eucalyptus offers a number of pre-defined privileged roles. These roles are associated with the eucalyptus account, and have privileges to manage resources across the cloud and non-privileged accounts. Only the eucalyptus account can manage or modify these roles.
To see the pre-defined roles, use euare-rolelistbypath with the credentials of a user that is part of the eucalyptus account. For example:
# euare-rolelistbypath
arn:aws:iam::944786667073:role/eucalyptus/AccountAdministrator
arn:aws:iam::944786667073:role/eucalyptus/InfrastructureAdministrator
arn:aws:iam::944786667073:role/eucalyptus/ResourceAdministrator
Account Administrator
The Account Administrator (AA) can manage Eucalyptus accounts. To view the policy associated with the Account Administrator role, use euare-rolelistpolicies with the credentials of a user that is part of the eucalyptus account. For example:
# euare-rolelistpolicies --role-name AccountAdministrator --verbose
AccountAdministrator
{
"Statement":[ {
"Effect": "Allow",
"Action": [
"iam:*"
],
"NotResource": "arn:aws:iam::eucalyptus:*",
"Condition": {
"Bool": { "iam:SystemAccount": "false" }
}
} ]
}
IsTruncated: false
Resource Administrator
The Resource Administrator (RA) can manage AWS-defined resources (such as S3 objects, instances, users, etc) across accounts. To view the policy associated with the Resource Administrator role, use euare-rolelistpolicies with the credentials of a user that is part of the eucalyptus account. For example:
# euare-rolelistpolicies --role-name ResourceAdministrator --verbose
ResourceAdministrator
{
"Statement":[ {
"Effect": "Allow",
"Action": [
"autoscaling:*",
"cloudwatch:*",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:GetConsoleOutput",
"ec2:GetPasswordData",
"ec2:ImportInstance",
"ec2:ModifyInstanceAttribute",
"ec2:MonitorInstances",
"ec2:RebootInstances",
"ec2:ReportInstanceStatus",
"ec2:ResetInstanceAttribute",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UnmonitorInstances",
"ec2:*AccountAttributes*",
"ec2:*Address*",
"ec2:*AvailabilityZones*",
"ec2:*Bundle*",
"ec2:*ConversionTask*",
"ec2:*CustomerGateway*",
"ec2:*DhcpOptions*",
"ec2:*ExportTask*",
"ec2:*Image*",
"ec2:*InternetGateway*",
"ec2:*KeyPair*",
"ec2:*NetworkAcl*",
"ec2:*NetworkInterface*",
"ec2:*PlacementGroup*",
"ec2:*ProductInstance*",
"ec2:*Region*",
"ec2:*ReservedInstance*",
"ec2:*Route*",
"ec2:*SecurityGroup*",
"ec2:*Snapshot*",
"ec2:*SpotDatafeedSubscription*",
"ec2:*SpotInstance*",
"ec2:*SpotPrice*",
"ec2:*Subnet*",
"ec2:*Tag*",
"ec2:*Volume*",
"ec2:*Vpc*",
"ec2:*Vpn*",
"ec2:*VpnGateway*",
"elasticloadbalancing:*",
"s3:*"
],
"Resource": "*"
}, {
"Effect": "Allow",
"Action": [
"iam:Get*",
"iam:List*"
],
"NotResource": "arn:aws:iam::eucalyptus:*"
} ]
}
IsTruncated: false
Infrastructure Administrator
The Infrastructre Administrator (IA) can perform operations related to cloud setup and management. Typical responibilities include:
Installation and configuration (prepare environment, install Eucalyptus, configure Eucalyptus)
Monitoring and maintenance (infrastructure supporting the cloud, cloud management layer, upgrades, security patches, diagnostics and troubleshooting)
Backup and restoration
To view the policy associated with the Infrastructure Administrator role, use euare-rolelistpolicies with the credentials of a user that is part of the eucalyptus account. For example:
InfrastructureAdministrator { “Statement”:[ { “Effect”: “Allow”, “Action”: [ “euprop:”, “euserv:”, “euconfig:”, “ec2:MigrateInstances” ], “Resource”: “” } ] } IsTruncated: false
Eucalyptus uses the policy language to specify user level permissions as AWS IAM. Policies are written in JSON. Each policy file can contain multiple statements, each specifying a permission.A permission statement specifies whether to allow or deny a list of actions to be performed on a list of resources, under specific conditions.
A permission statement has the following components:
The following policy example contains a statement that gives a user with full permission. This is the same access as the account administrator:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"1",
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}]
}
For more information about policy language, go to the IAM User Guide .
You can combine IAM policies with account level permissions. For example, the admin of account A can give users in account B permission to launch one of account A’s images by changing the image attributes. Then the admin of account B can use IAM policy to designate the users who can actually use the shared images.
You can attach IAM policies to both users and groups. When attached to groups, a policy is equivalent to attaching the same policy to the users within that group. Therefore, a user might have multiple policies attached, both policies attached to the user, and policies attached to the group that the user belongs to.
Do not attach IAM policies (except quota policies, a Eucalyptus extension) to account admins. At this point, doing so won’t result in a failure but may have unexpected consequences.
Different identities have different default access permissions. When no policy is associated with them, these identities have the permission listed in the following table.
| Identity | Permission |
|---|---|
| System admin | Access to all resources in the system |
| Account admin | Access to all account resources, including those shared resources from other accounts like public images and shared snapshots |
| Regular user | No access to any resource |
Eucalyptus adds quota enforcement to resource usage. To avoid introducing another configuration language into Eucalyptus, and simplify the management, we extend the IAM policy language to support quotas.The only addition added to the language is the new limit effect. If a policy statement’s effect is limit , it is a quota statement.
A quota statement also has action and resource fields. You can use these fields to match specific requests, for example, quota only being checked on matched requests. The actual quota type and value are specified using special quota keys, and listed in the condition part of the statement. Only condition type NumericLessThanEquals can be used with quota keys.
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"4",
"Effect":"Limit",
"Action":"ec2:RunInstances",
"Resource":"*",
"Condition":{
“NumericLessThanEquals”:{
“ec2:quota-vminstancenumber”:”16”
}
}
}]
}
You can attach quotas to both users and accounts, although some of the quotas only apply to accounts. Quota attached to groups will take no effect.
When a quota policy is attached to an account, it actually is attached to the account administrator user. Since only system administrator can specify account quotas, the account administrator can only inspect quotas but can’t change the quotas attached to herself.
The following is all the quota keys implemented in Eucalyptus:
| Quota Key | Description | Applies to |
|---|---|---|
| autoscaling:quota-autoscalinggroupnumber | The number of Autoscaling Groups | account and user |
| autoscaling:quota-launchconfigurationnumber | Number of Autoscaling Group Launch Configurations | account and user |
| autoscaling:quota-scalingpolicynumber | Number of Autoscaling Group Scaling Policies | account and user |
| cloudformation:quota-stacknumber | Number of Cloudformation stacks allowed to create | account |
| ec2:quota-addressnumber | Number of elastic IPs | account and user |
| ec2:quota-cputotalsize | Number of Total CPUs Used by EC2 Instances | account and user |
| ec2:quota-disktotalsize | Number of Total Disk Space (in GB) of EC2 Instances | account and user |
| ec2:quota-imagenumber | Number of EC2 images | account and user |
| ec2:quota-internetgatewaynumber | Number of EC2 VPC Internet Gateways | account and user |
| ec2:quota-memorytotalsize | Number of Total Amount of Memory Used by EC2 Instances | account and user |
| ec2:quota-securitygroupnumber | Number of EC2 security groups | account and user |
| ec2:quota-snapshotnumber | Number of EC2 snapshots | account and user |
| ec2:quota-vminstancenumber | Number of EC2 instances | account and user |
| ec2:quota-vminstanceactivenumber | Number of EC2 Instances Using Node Resources (pending, running, shutting-down, etc.) | account and user |
| ec2:quota-volumenumber | Number of EC2 volumes | account and user |
| ec2:quota-volumetotalsize | Number of total volume size, in GB | account and user |
| ec2:quota-vpcnumber | Number of EC2 VPCs | account and user |
| elasticloadbalancing:quota-loadbalancernumber | Number of Elastic Load Balancers | account |
| iam:quota-groupnumber | Number of IAM groups | account |
| iam:quota-instanceprofilenumber | Number of IAM Instance Profiles | account and user |
| iam:quota-rolenumber | Number of IAM Roles | account and user |
| iam:quota-servercertificatenumber | Number of IAM Server Certificates | account and user |
| iam:quota-usernumber | Number of IAM users | account |
| s3:quota-bucketnumber | Number of S3 buckets | account and user |
| s3:quota-bucketobjectnumber | Number of objects in each bucket | account and user |
| s3:quota-bucketsize | Size of bucket, in MB | account and user |
| s3:quota-buckettotalsize | total size of all buckets, in MB | account and user |
Contrary to IAM policies, by default, there is no quota limits (except the hard system limit) on any resource allocations for a user or an account. Also, system administrators are not constrained by any quota. Account administrators are only be constrained by account quota.
This topic describes the algorithms used by Eucalyptus to determine access.
You can associated multiple policies and permission statements with a user. The way these are combined together to control the access to resources in an account is defined by the policy evaluation algorithm. Eucalyptus implements the same policy evaluation algorithm as AWS IAM :
Now we give the overall access evaluation combining both account level permissions and IAM permissions, which decides whether a request is accepted by Eucalyptus:
Like the normal IAM policies, a user may be associated with multiple quota policies (and multiple quota statements). How all the quota policies are combined to take effect is defined by the quota evaluation algorithm:
A few example use cases and associated policies.Here are some example use cases and associated polices. You can edit these polices for your use, or use them as examples of JSON syntax and form.
The following policy allows a user to only run instances and describe things.
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:*Describe*","ec2:*Run*"],
"Resource":"*",
}
]
}
The following policy allows a user to only list things:
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The following policy grants a generic basic user permission for running instances and describing things.
{
"Statement": [
{
"Sid": "Stmt1313605116084",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:Authorize*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:GetConsoleOutput",
"ec2:RunInstances",
"ec2:TerminateInstances"
"ec2:ReleaseAddress"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The following policy allows a user to do anything but delete.
{
"Statement": [
{
"Action": [
"ec2:Delete*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
The following policy denies a user from creating other users.
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:CreateUser"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
The following policy allows a user to run instances within a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
The following policy blocks users from running instances at a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
The following policy keeps alive an instance for 1,000 hours (60,000 minutes).
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "NumericEquals":{"ec2:KeepAlive":"60000"}}
}
]
}
The following policy sets an expiration date on running instances.
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "DateEquals":{"ec2:ExpirationTime":"2011-08-16T00:00:00Z"}}
}
]
}
The following policy allows users to only launch instances with a large image type.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:::vmtype/m1.xlarge"
}
]
}
The following policy restricts users from launching instances with a specific image ID.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::image/emi-0FFF1874"
}
]
}
The following policy restricts users from allocating addresses to a specific elastic IP address.
{
"Statement": [
{
"Sid": "Stmt1313626078249",
"Action": "*",
"Effect": "Deny",
"Resource": "arn:aws:ec2:::address/192.168.10.140"
}
]
}
The following policy denies volume access.
{
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::volume/*"
}
]
}