© 2012 Eucalyptus Systems, Inc. Eucalyptus Identity and Access Management (IAM) in the Enterprise Govind Rangasamy Director, Product Management
Jun 25, 2015
Eucalyptus Leadership
Agility is Key… Flexibility, Automation, Speed, Trust
• Self-Service Resource Configuration
• Self-Service Resource Provisioning
• Dynamic Resource Management
• Resource Chargeback and Reporting
An Enterprise Open Source, On-premise Cloud Infrastructure as a Service (IaaS) Software Platform
• Physical resource management tools interface with hypervisor, storage, and network infrastructure
• Virtual resource management orchestrates the placement of disposable virtual cloud resources and handles security and traffic isolation, identity and storage
• Cloud compute, network, storage and identity resources are accessible as services
• Web services API to enable self-serviceable infrastructure
Eucalyptus IaaS Deployment (non HA)
• Cloud Controller
  – Cloud level - Virtual Resource System
  – AWS EC2 Compatible
• Walrus Storage
  – Persistent data store
  – Bucket-based, like S3
• Cluster Controller
  – Node level - Virtual Resource System
  – Manage Virtual Network
• Storage Controller
  – Block accessed network storage
  – Like EBS
• Node Controller
  – VM management
  – Instance management
• VMware Broker
  – ESX, ESXi management
  – vCenter server compatible
Diagram labels: Cloud Controller, Walrus Storage, Cluster Controller (two), Storage Controller (two), SAN, NAS, Node Controller, VMs, VMware Broker, ESX, ESXi, Resource Admin, IAM Enforcement
Eucalyptus IAM
Eucalyptus IaaS: Identity Management
Features:
• Users, groups and accounts management
• Security credentials management
• Flexible policy based resource access management
• Authenticate instances using existing AD/LDAP systems
• Flexible policy based resource utilization management
Benefits:
• Centralized efficient management of self-service infrastructure access
• Centralized efficient utilization control of infrastructure resources
Example: Dev/test/staging IAM Scenarios
Diagram: Dev Zone 1, Dev Zone 2, Test Zone 1 and Stage Zone 1, each a set of WEB / App / DB stacks running on Shared Infrastructure
• Dev/test/staging use of shared infrastructure
• Dynamic scale-out and scale-in using Application Lifecycle Management systems
IAM and LDAP integration
Diagram: LDAP/AD directory with the groups eucalyptus, dev, test and support under ou=groups,dc=foo,dc=com, synchronized into Eucalyptus via an LIC file
• Sync and manage groups and users
  – Configurable
  – Use LIC files
• User Authentication against AD/LDAP
• Special user accounts
• Policies, access keys, certs association with AD/LDAP users
IAM Policy Language
• Effect: Decision to allow/deny
• Action / NotAction: the API call(s) the statement applies to
• Resource: the specific resource, written as an ARN (arn:aws:s3...)
• Condition: Additional constraints on resource access
Exercise Control Over Dev/Test Cloud with Policies
Diagram: Dev Zone 1 WEB / App / DB stacks, with the built-in policy enforcement engine leasing instances to Dev groups
• Allow or deny API and Resource* access
• Allow or deny specific API/User actions
• Specify resource access time limits
* Extension to AWS IAM
Flexible, Fine-grained Policies
Diagram: groups eucalyptus, support, sales and dev, each with EC2 image permissions, S3 bucket ACLs and quotas
Example quota policy limiting ec2:RunInstances to 256 VM instances (note the "Limit" effect, which is not part of AWS IAM):
{
  "Version": "2012-02-12",
  "Statement": [{
    "Sid": "2",
    "Effect": "Limit",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "NumericLessThanEquals": { "ec2:quota-vminstancenumber": "256" }
    }
  }]
}
IAM Policy Enforcement Logic
Decision flow for a RunInstances request arriving at the Cloud Controller:
• Sys admin? Yes: Accept. No: continue.
• Account-level permission satisfied? No: Reject. Yes: continue.
• Account admin, or IAM policy allowed? No: Reject. Yes: continue.
• Allocating resources? No: Accept. Yes: continue.
• Exceeding quota? Yes: Reject. No: Accept.
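The policy language, the quota example and the enforcement flow above, worked through in a small Python evaluator added here (constructed example code, not Eucalyptus's implementation); the Allow policy, the decide() inputs and the projected-usage dictionary are assumptions:

```python
import json

# Constructed example, not Eucalyptus code: the deck's quota policy plus an
# assumed Allow policy, evaluated in the enforcement order the deck shows.
QUOTA_POLICY = json.loads("""
{ "Version": "2012-02-12",
  "Statement": [{ "Sid": "2", "Effect": "Limit", "Action": "ec2:RunInstances",
                  "Resource": "*", "Condition": { "NumericLessThanEquals":
                  { "ec2:quota-vminstancenumber": "256" } } }] }
""")
ACCESS_POLICY = {"Version": "2012-02-12", "Statement": [
    {"Sid": "1", "Effect": "Allow", "Action": "ec2:RunInstances", "Resource": "*"}]}

def _matches(stmt, action):
    """Action may be a string or a list; a trailing '*' is a prefix wildcard."""
    acts = stmt.get("Action", [])
    acts = [acts] if isinstance(acts, str) else acts
    return any(a == action or (a.endswith("*") and action.startswith(a[:-1]))
               for a in acts)

def iam_allows(policy, action):
    """Allow/Deny statements: an explicit Deny wins, otherwise an Allow is required."""
    effects = {s["Effect"] for s in policy["Statement"] if _matches(s, action)}
    return "Deny" not in effects and "Allow" in effects

def quota_allows(policy, action, projected):
    """'Limit' statements: every NumericLessThanEquals key must hold for the
    projected usage (the instance count once this request is granted)."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Limit" or not _matches(stmt, action):
            continue
        limits = stmt.get("Condition", {}).get("NumericLessThanEquals", {})
        if any(projected.get(k, 0) > int(v) for k, v in limits.items()):
            return False
    return True

def decide(action, *, sys_admin, account_permitted, account_admin, allocates,
           projected, iam=ACCESS_POLICY, quota=QUOTA_POLICY):
    """Decision flow for a request at the Cloud Controller, in the deck's order."""
    if sys_admin:                # system admin bypasses policy evaluation
        return "Accept"
    if not account_permitted:    # account-level permission is checked first
        return "Reject"
    if not (account_admin or iam_allows(iam, action)):
        return "Reject"
    if not allocates:            # nothing allocated, so no quota check
        return "Accept"
    return "Accept" if quota_allows(quota, action, projected) else "Reject"
```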
Third Party Integration Possibilities
• AWS IAM compatible API
Diagram labels: Cloud Service Management; Cloud Services (SaaS, PaaS); AWS IAM API Integration; Extensibility; Reporting; GUI Integration; Accounts, Groups, Users, Resources; Policies, Certs, Keys, Images, VMs, Reports; Physical Resource Management; Virtual Cloud Resources; Enhanced Virtual Resource System / High Availability IaaS; Virtual and Physical Resource Administration; Eucalyptus Identity Authorization and Management Web Services (Compute, Network, Identity, Storage)
Resources
• Documentation: http://www.eucalyptus.com/eucalyptus-cloud/documentation
• Eucalyptus Compatibility Matrix: http://www.eucalyptus.com/eucalyptus-cloud/iaas/compatibility
• AWS IAM Policy Generator: http://awspolicygen.s3.amazonaws.com/policygen.html
• AWS IAM Documentation: http://docs.amazonwebservices.com/IAM/latest/UserGuide/IAM_Concepts.html
Euca IaaS Support Stack
Diagram layers: Physical Resource Management; Virtual Resource Management; Cloud Resources; IaaS Web Services; Third Party Management; SaaS / PaaS Providers
Demo