Policy Overview
Eucalyptus uses the same policy language as AWS IAM to specify user-level permissions. Policies are written in JSON. Each policy file can contain multiple statements, each specifying a permission. A permission statement specifies whether to allow or deny a list of actions to be performed on a list of resources, under specific conditions.
A permission statement has the following components:
- Effect: begins the decision that applies to all following components. Either Allow or Deny.
- Action: indicates service-specific and case-sensitive commands. For example: ec2:RunInstances.
- Resource: indicates selected resources, each specified as an Amazon resource name (ARN). For example: arn:aws:ec2:::vmtype/m1.xlarge.
- Condition: indicates additional constraints of the permission. For example: a DateLessThanEquals condition on aws:CurrentTime.
The following policy example contains a statement that gives a user full permission. This is the same access as the account administrator:
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"1",
"Effect":"Allow",
"Action":"*",
"Resource":"*"
}]
}
For more information about the policy language, see the IAM User Guide.
Policy Notes
You can combine IAM policies with account level permissions. For example, the admin of account A can give users in account B permission to launch one of account A’s images by changing the image attributes. Then the admin of account B can use IAM policy to designate the users who can actually use the shared images.
You can attach IAM policies to both users and groups. Attaching a policy to a group is equivalent to attaching the same policy to each user in that group. Therefore, a user might have multiple policies in effect: those attached to the user directly and those attached to the groups the user belongs to.
Do not attach IAM policies (except quota policies, a Eucalyptus extension) to account admins. At this point, doing so won’t result in a failure but may have unexpected consequences.
2 - Quotas
Eucalyptus adds quota enforcement to resource usage. To avoid introducing another configuration language into Eucalyptus, and to simplify management, the IAM policy language is extended to support quotas. The only addition to the language is the new Limit effect. If a policy statement's Effect is Limit, it is a quota statement.
A quota statement also has Action and Resource fields. You can use these fields to match specific requests, so that the quota is only checked on matching requests. The actual quota type and value are specified using special quota keys, listed in the Condition part of the statement. Only the condition type NumericLessThanEquals can be used with quota keys.
Note
An account can only have a quota policy: accounts only accept IAM policies whose Effect is Deny or Limit. If you attach an IAM policy to an account where the Effect is Allow, you will get unexpected results.
The following quota policy statement limits the attached user to launching a maximum of 16 instances in an account.
{
"Version":"2011-04-01",
"Statement":[{
"Sid":"4",
"Effect":"Limit",
"Action":"ec2:RunInstances",
"Resource":"*",
"Condition":{
"NumericLessThanEquals":{
"ec2:quota-vminstancenumber":"16"
}
}
}]
}
You can attach quotas to both users and accounts, although some of the quotas only apply to accounts. Quotas attached to groups have no effect.
When a quota policy is attached to an account, it is actually attached to the account administrator user. Since only the system administrator can specify account quotas, the account administrator can inspect the quotas attached to herself but cannot change them.
The following table lists all the quota keys implemented in Eucalyptus:
| Quota Key | Description | Applies to |
|---|---|---|
| autoscaling:quota-autoscalinggroupnumber | Number of Autoscaling Groups | account and user |
| autoscaling:quota-launchconfigurationnumber | Number of Autoscaling Group Launch Configurations | account and user |
| autoscaling:quota-scalingpolicynumber | Number of Autoscaling Group Scaling Policies | account and user |
| cloudformation:quota-stacknumber | Number of CloudFormation stacks that may be created | account |
| ec2:quota-addressnumber | Number of elastic IPs | account and user |
| ec2:quota-cputotalsize | Total number of CPUs used by EC2 instances | account and user |
| ec2:quota-disktotalsize | Total disk space (in GB) of EC2 instances | account and user |
| ec2:quota-imagenumber | Number of EC2 images | account and user |
| ec2:quota-internetgatewaynumber | Number of EC2 VPC Internet Gateways | account and user |
| ec2:quota-memorytotalsize | Total amount of memory used by EC2 instances | account and user |
| ec2:quota-securitygroupnumber | Number of EC2 security groups | account and user |
| ec2:quota-snapshotnumber | Number of EC2 snapshots | account and user |
| ec2:quota-vminstancenumber | Number of EC2 instances | account and user |
| ec2:quota-vminstanceactivenumber | Number of EC2 instances using node resources (pending, running, shutting-down, etc.) | account and user |
| ec2:quota-volumenumber | Number of EC2 volumes | account and user |
| ec2:quota-volumetotalsize | Total volume size, in GB | account and user |
| ec2:quota-vpcnumber | Number of EC2 VPCs | account and user |
| elasticloadbalancing:quota-loadbalancernumber | Number of Elastic Load Balancers | account |
| iam:quota-groupnumber | Number of IAM groups | account |
| iam:quota-instanceprofilenumber | Number of IAM Instance Profiles | account and user |
| iam:quota-rolenumber | Number of IAM Roles | account and user |
| iam:quota-servercertificatenumber | Number of IAM Server Certificates | account and user |
| iam:quota-usernumber | Number of IAM users | account |
| s3:quota-bucketnumber | Number of S3 buckets | account and user |
| s3:quota-bucketobjectnumber | Number of objects in each bucket | account and user |
| s3:quota-bucketsize | Size of each bucket, in MB | account and user |
| s3:quota-buckettotalsize | Total size of all buckets, in MB | account and user |
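As an added illustration (not Eucalyptus code), a small Python checker that enforces the rules stated in this section before a policy is attached: accounts accept only Deny or Limit statements, quota statements may only use NumericLessThanEquals with a known quota key, group-attached quotas take no effect, and a key must apply to the entity it is attached to. The QUOTA_KEYS dictionary is a subset of the table above; lint_policy and the sample policies are constructed for this example.

```python
import json

# Subset of the quota-key table above (key -> entities it applies to);
# the remaining keys from the table follow the same pattern.
QUOTA_KEYS = {
    "ec2:quota-vminstancenumber": {"account", "user"},
    "ec2:quota-volumetotalsize": {"account", "user"},
    "s3:quota-bucketnumber": {"account", "user"},
    "cloudformation:quota-stacknumber": {"account"},
    "elasticloadbalancing:quota-loadbalancernumber": {"account"},
    "iam:quota-usernumber": {"account"},
}

def lint_policy(policy_json, attached_to):
    """Check a policy before attaching it to an 'account', 'user' or 'group'.
    Returns a list of problems; an empty list means the policy is acceptable."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid, effect = stmt.get("Sid", "?"), stmt.get("Effect")
        if attached_to == "account" and effect not in ("Deny", "Limit"):
            problems.append(f"{sid}: account policies may only use Deny or Limit, got {effect}")
        if effect != "Limit":
            continue                      # Allow/Deny statements need no further checks
        if attached_to == "group":
            problems.append(f"{sid}: quota statements attached to a group take no effect")
        cond = stmt.get("Condition") or {}
        if not cond:
            problems.append(f"{sid}: quota statement has no Condition with a quota key")
        for ctype, keys in cond.items():
            if ctype != "NumericLessThanEquals":
                problems.append(f"{sid}: quota statements only accept NumericLessThanEquals, got {ctype}")
            for key, value in keys.items():
                applies = QUOTA_KEYS.get(key)
                if applies is None:
                    problems.append(f"{sid}: unknown quota key {key}")
                elif attached_to in ("account", "user") and attached_to not in applies:
                    problems.append(f"{sid}: {key} applies to {' and '.join(sorted(applies))} only, not to a {attached_to}")
                if not str(value).isdigit():
                    problems.append(f"{sid}: quota value {value!r} is not a non-negative integer")
    return problems

# Constructed samples: the page's 16-instance user quota, and an account policy
# that breaks two rules (an Allow statement and a wrong condition type).
USER_QUOTA = json.dumps({"Version": "2011-04-01", "Statement": [{
    "Sid": "4", "Effect": "Limit", "Action": "ec2:RunInstances", "Resource": "*",
    "Condition": {"NumericLessThanEquals": {"ec2:quota-vminstancenumber": "16"}}}]})
BAD_ACCOUNT = json.dumps({"Statement": [
    {"Sid": "a1", "Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Sid": "a2", "Effect": "Limit", "Action": "*", "Resource": "*",
     "Condition": {"NumericLessThan": {"iam:quota-usernumber": "10"}}}]})
```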
Default Quota
Contrary to IAM policies, by default there are no quota limits (except the hard system limits) on any resource allocation for a user or an account. Also, system administrators are not constrained by any quota. Account administrators are only constrained by account quotas.
3 - Algorithms
This topic describes the algorithms used by Eucalyptus to determine access.
Policy Evaluation Algorithm
You can associate multiple policies and permission statements with a user. The way these are combined to control access to resources in an account is defined by the policy evaluation algorithm. Eucalyptus implements the same policy evaluation algorithm as AWS IAM:
- If the request user is account admin, access is allowed.
- Otherwise, collect all the policy statements associated with the request user (attached to the user and all the groups the user belongs to), which match the incoming request (i.e. based on the API being invoked and the resources it is going to access).
Access Evaluation Algorithm
The overall access evaluation combines account-level permissions and IAM permissions, and decides whether a request is accepted by Eucalyptus:
- If the request user is sys admin, access is allowed.
- Otherwise, check account level permissions, e.g. image launch permission, to see if the request user’s account has access to the specific resources.
Quota Evaluation Algorithm
Like normal IAM policies, a user may be associated with multiple quota policies (and multiple quota statements). How all the quota policies are combined is defined by the quota evaluation algorithm:
- If the request user is sys admin, there is no limit on resource usage.
- Otherwise, collect all the quotas associated with the request user, including those attached to the request user's account and those attached to the request user himself/herself (for an account admin, only the account quotas need to be collected).
- Evaluate each quota one by one. Reject the request if any quota would be exceeded by it; otherwise, accept the request.
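The three algorithms above, carried through in Python as an added example that is not Eucalyptus code: decide, evaluate_access and evaluate_quotas are names chosen here; the combination rule in evaluate_access (an explicit Deny wins, a request matched by no statement is denied) is AWS IAM's, which this section says Eucalyptus follows; and the account-level permission check is assumed to have happened already. The principal, statements and usage figures are constructed, modelled on the page's sample policies.

```python
from fnmatch import fnmatchcase

def matches(stmt, action, resource):
    """Statement covers the request? Action/Resource may be str or list, '*' wildcards."""
    def covers(field, value):
        pats = stmt.get(field, [])
        return any(fnmatchcase(value, p) for p in ([pats] if isinstance(pats, str) else pats))
    return covers("Action", action) and covers("Resource", resource)

def evaluate_access(stmts, action, resource):
    """Policy evaluation, AWS IAM rule (which Eucalyptus follows): an explicit
    Deny overrides any Allow; a request no statement matches is denied."""
    effects = {s["Effect"] for s in stmts if matches(s, action, resource)}
    return "Deny" not in effects and "Allow" in effects

def evaluate_quotas(scoped_stmts, action, resource, usage, requested):
    """Quota evaluation over (scope, statement) pairs, scope = 'account'|'user'.
    usage[scope][key] is the current count at that scope, requested[key] the
    amount this request adds; the first exceeded quota rejects the request."""
    for scope, s in scoped_stmts:
        if s["Effect"] != "Limit" or not matches(s, action, resource):
            continue
        for key, limit in s["Condition"]["NumericLessThanEquals"].items():
            if usage[scope].get(key, 0) + requested.get(key, 0) > int(limit):
                return False, f"{scope} {key}"
    return True, None

def decide(principal, action, resource, usage, requested):
    """Access evaluation. principal: role ('sysadmin'|'accountadmin'|'user') and the
    statements attached to the user, its groups and its account. Account-level
    permissions (e.g. image launch permission) are assumed checked already."""
    if principal["role"] == "sysadmin":
        return "allow"                          # no policies, no quotas
    if principal["role"] == "user" and not evaluate_access(
            principal["user"] + principal["groups"], action, resource):
        return "deny: policy"                   # account admins skip this step
    scoped = [("account", s) for s in principal["account"]]
    if principal["role"] == "user":             # group quotas take no effect
        scoped += [("user", s) for s in principal["user"]]
    ok, key = evaluate_quotas(scoped, action, resource, usage, requested)
    return "allow" if ok else f"deny: quota {key}"

# Constructed sample statements modelled on the page's policies.
VM_KEY = "ec2:quota-vminstancenumber"
def vm_limit(n):
    return {"Effect": "Limit", "Action": "ec2:RunInstances", "Resource": "*",
            "Condition": {"NumericLessThanEquals": {VM_KEY: str(n)}}}
ALICE = {"role": "user", "account": [vm_limit(16)],
         "user": [{"Effect": "Allow", "Action": ["ec2:*Describe*", "ec2:*Run*"],
                   "Resource": "*"}, vm_limit(4)],
         "groups": [{"Effect": "Deny", "Action": ["ec2:Delete*"], "Resource": "*"}]}
USAGE = {"account": {VM_KEY: 12}, "user": {VM_KEY: 3}}
```

With ALICE and USAGE, a RunInstances request for one more instance passes both the account quota (13 of 16) and the user quota (4 of 4), while a request for two is rejected by the user quota.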
Note
The hard limits on some resources override quota limits. For example, (system property) overrides the (quota key).
4 - Sample Policies
Here are some example use cases and associated policies. You can edit these policies for your use, or use them as examples of JSON syntax and form.
Note
For more information about JSON syntax used with AWS resources, go to .
Examples: Allowing Specific Actions
The following policy allows a user only to run instances and describe things.
{
"Statement":[{
"Effect":"Allow",
"Action":["ec2:*Describe*","ec2:*Run*"],
"Resource":"*"
}
]
}
The following policy allows a user to only list things:
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:List*"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
The following policy grants a generic basic user permission for running instances and describing things.
{
"Statement": [
{
"Sid": "Stmt1313605116084",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AttachVolume",
"ec2:Authorize*",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateVolume",
"ec2:DeleteKeyPair",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteVolume",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:DisassociateAddress",
"ec2:GetConsoleOutput",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:ReleaseAddress"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
Examples: Denying Specific Actions
The following policy denies all EC2 delete actions, so that, combined with an allow policy, a user can do anything but delete.
{
"Statement": [
{
"Action": [
"ec2:Delete*"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
The following policy prevents a user from creating other users.
{
"Statement": [
{
"Sid": "Stmt1313686153864",
"Action": [
"iam:CreateUser"
],
"Effect": "Deny",
"Resource": "*"
}
]
}
Examples: Specifying Time Limits
The following policy allows a user to run instances only until a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
The following policy blocks users from running instances at a specific time.
{
"Statement": [
{
"Sid": "Stmt1313453084396",
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "*",
"Condition": {
"DateLessThanEquals": {
"aws:CurrentTime": "2011-08-16T00:00:00Z"
}
}
}
]
}
The following policy keeps an instance alive for 1,000 hours (60,000 minutes).
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "NumericEquals":{"ec2:KeepAlive":"60000"}}
}
]
}
The following policy sets an expiration date on running instances.
{
"Statement": [
{
"Action": ["ec2:RunInstances" ],
"Effect": "Allow",
"Resource": "*",
"Condition": { "DateEquals":{"ec2:ExpirationTime":"2011-08-16T00:00:00Z"}}
}
]
}
Examples: Restricting Resources
The following policy allows users to launch instances only with the m1.xlarge VM type.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Allow",
"Resource": "arn:aws:ec2:::vmtype/m1.xlarge"
}
]
}
The following policy restricts users from launching instances with a specific image ID.
{
"Statement": [
{
"Action": [
"ec2:RunInstances"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::image/emi-0FFF1874"
}
]
}
The following policy restricts users from allocating (or performing any other action on) a specific elastic IP address.
{
"Statement": [
{
"Sid": "Stmt1313626078249",
"Action": "*",
"Effect": "Deny",
"Resource": "arn:aws:ec2:::address/192.168.10.140"
}
]
}
The following policy denies all EC2 actions on volumes.
{
"Statement": [
{
"Action": [
"ec2:*"
],
"Effect": "Deny",
"Resource": "arn:aws:ec2:::volume/*"
}
]
}
Note
For policies attached to an account, quota limits can be specified. See the Quotas section for further details.