-
Notifications
You must be signed in to change notification settings - Fork 24
iam 3.4 cluster policies design
Design for IAM policy changes in support of restricting images to availability zones.
Status | Draft | |
---|---|---|
Updated | 2013/08/29 | Initial document |
New NullConditionOp implements this functionality. Special handling is added in PolicyParser to allow this condition to be used with any condition key.
IfExistsDelegatingConditionOp implements this functionality as a wrapper around existing conditions. On discovery by ConditionOpDiscovery the PolicyCondition annotation is checked to determine if a ..IfExists condition should be added for each registered condition.
New ARN condtion implementations are:
- ArnEqualsConditionOp
- ArnLikeConditionOp
- ArnNotEqualsConditionOp
- ArnNotLikeConditionOp
New EC2 condition keys are added as follows:
ComputeKey |- AvailabilityZoneKey |- InstanceComputeKey | |- EbsOptimizedKey | |- InstanceProfileKey | |- InstanceTypeKey | |- PlacementGroupKey | |- RootDeviceTypeKey | |- TenancyKey |- RegionKey |- TargetImageKey |- VolumeComputeKey | |- ParentSnapshotKey | |- VolumeIopsKey | |- VolumeSizeKey | |- VolumeTypeKey |- VpcKey
Volume is updated with stubs for iops and type properties.
When a policy is evaluated there is now a per-resource callback via the new PolicyResourceInterceptor interface. These interceptors are discovered via PolicyResourceInterceptorDiscovery and registed on RestrictedTypes.
An EC2 specific interceptor ComputePolicyResourceInterceptor handles callbacks for EC2 resources and manages the new ComputePolicyContext by setting the relevant ComputePolicyContextResource from the transformed RestrictedType. There are transformers for instances, security groups and volumes.
The new condition keys access the ComputePolicyContext to get the current value for the key.
TargetImageKey implements this functionality. The image identifier is retrieved from the current (contextual) request
No upgrade impact noted.
No specific packaging requirements.
- New IAM conditions should be documented (Null, ..IfExists, ARN conditions)
- New EC2 specific IAM condition keys should be documented, Eucalyptus extensions should be clearly noted.
- New behavior for account level policies with Deny statements should be documented. Existing documention stating only quotas can be used at the account level should be revised.
All changes in this feature are IAM policy related and have security impact.
Use cases in the specification provide an overview for testing.
- Specification for this feature
- IAM Policies for Amazon EC2
- Granting IAM Users Required Permissions for Amazon EC2 Resources
- Contact Info
- email: architecture@eucalyptus.com
- IRC: #eucalyptus-devel (freenode)
- Eucalyptus Links