eucalyptus identity and access management (iam) in the enterprise - lightning webinar #2
TRANSCRIPT
© 2012 Eucalyptus Systems, Inc.
Eucalyptus Identity and Access Management (IAM) in the Enterprise
Govind Rangasamy, Director, Product Management
Eucalyptus Leadership
Agility is Key…
[Slide graphic; themes: Flexibility, Automation, Speed, Trust]
• Self-Service Resource Configuration
• Self-Service Resource Provisioning
• Dynamic Resource Management
• Resource Chargeback and Reporting
An Enterprise Open Source, On-premise Cloud Infrastructure as a Service (IaaS) Software Platform
• Physical resource management tools interface with hypervisor, storage, and network infrastructure
• Virtual resource management orchestrates placement of disposable virtual cloud resources and handles security and traffic isolation, identity and storage
• Cloud compute, network, storage and identity resources are accessible as services
• Web services API to enable self-serviceable infrastructure
Eucalyptus IaaS Deployment (non HA)
• Cloud Controller
  – Cloud level - Virtual Resource System
  – AWS EC2 Compatible
• Walrus Storage
  – Persistent data store
  – Bucket-based, like S3
• Cluster Controller
  – Node level - Virtual Resource System
  – Manage Virtual Network
• Storage Controller
  – Block accessed network storage
  – Like EBS
• Node Controller
  – VM management
  – Instance management
• VMware Broker
  – ESX, ESXi management
  – vCenter server compatible
[Deployment diagram; labels: Cloud Controller, Walrus Storage, Cluster Controller (x2), Storage Controller (x2), SAN, NAS, Node Controller, VMware Broker, ESX, ESXi, VM (x4), Resource Admin, IAM Enforcement]
Eucalyptus IAM
Eucalyptus IaaS: Identity Management
Features:
• Users, groups and accounts management
• Security credentials management
• Flexible policy based resource access management
• Authenticate instances using existing AD/LDAP systems
• Flexible policy based resource utilization management
Benefits:
• Centralized efficient management of self-service infrastructure access
• Centralized efficient utilization control of infrastructure resources
Example: Dev/test/staging IAM Scenarios
[Diagram: Shared Infrastructure hosting Dev Zone 1, Dev Zone 2, Test Zone 1 and Stage Zone 1, each zone running several WEB / App / DB stacks]
• Dev/test/staging use of shared infrastructure
• Dynamic scale-out and scale-in using Application Lifecycle Management systems
IAM and LDAP integration
[Diagram: LDAP/AD directory with the groups eucalyptus, dev, test and support under ou=groups,dc=foo,dc=com, synchronized into Eucalyptus through an LIC file]
LDAP/AD:
• Sync and manage groups and users
  – Configurable
  – Use LIC files
• User Authentication against AD/LDAP
Eucalyptus:
• Special user accounts
• Policies, access keys, certs association with AD/LDAP users
IAM Policy Language
• Effect: decision to allow or deny
• Action / NotAction: the API call(s) the statement applies to
• Resource: the specific resource, identified by ARN (arn:aws:s3)
• Condition: additional constraints on resource access
Exercise Control Over Dev/Test Cloud with Policies
[Diagram: Dev Zone 1 with six WEB / App / DB stacks; the built-in policy enforcement engine leases instances to Dev groups]
• Allow or deny API and Resource* access
• Allow or deny specific API/User actions
• Specify resource access time limits
* Extension to AWS IAM
Flexible, Fine-grained Policies
[Diagram: accounts eucalyptus, support, sales and dev, each with an EC2 image permission, an S3 bucket ACL and a quota]
Example quota policy (the "Limit" effect and the ec2:quota-vminstancenumber condition key are Eucalyptus extensions to the AWS IAM policy language):

```json
{
  "Version": "2012-02-12",
  "Statement": [{
    "Sid": "2",
    "Effect": "Limit",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "NumericLessThanEquals": {
        "ec2:quota-vminstancenumber": "256"
      }
    }
  }]
}
```
IAM Policy Enforcement Logic
[Flowchart for a RunInstances request arriving at the Cloud Controller]
• Sys admin? Yes: Accept. No: continue.
• Account-level permission satisfied? No: Reject. Yes: continue.
• Account admin, or IAM policy allowed? No: Reject. Yes: continue.
• Allocating resources? No: Accept. Yes: continue.
• Exceeding quota? Yes: Reject. No: Accept.
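The policy language and the enforcement flow above, worked through as an added Python example (not code from the webinar or from Eucalyptus): Allow/Deny statements are evaluated the AWS way (explicit Deny wins), "Limit" statements cap projected usage, and `authorize` walks the decision order of the slide. The request dict fields, the sample policies and the usage counts are constructed inputs.

```python
import json
# Constructed quota policy, in the extended "Limit" form shown on the slide
QUOTA_POLICY = json.loads("""{"Version":"2012-02-12","Statement":[{"Sid":"2","Effect":"Limit",
"Action":"ec2:RunInstances","Resource":"*",
"Condition":{"NumericLessThanEquals":{"ec2:quota-vminstancenumber":"256"}}}]}""")
# Constructed access policy with plain Allow/Deny statements
ACCESS_POLICY = {"Version": "2012-02-12", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:RunInstances", "ec2:DescribeInstances"], "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}]}

def _matches(stmt, action):
    """True if the statement's Action list names this API call (supports a trailing * wildcard)."""
    acts = [stmt["Action"]] if isinstance(stmt["Action"], str) else stmt["Action"]
    return any(a == "*" or a == action or (a.endswith("*") and action.startswith(a[:-1])) for a in acts)

def iam_allowed(policies, action):
    """Allow/Deny evaluation: an explicit Deny wins, otherwise any Allow, else implicit deny."""
    allowed = False
    for pol in policies:
        for stmt in pol["Statement"]:
            if stmt["Effect"] == "Limit" or not _matches(stmt, action):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = allowed or stmt["Effect"] == "Allow"
    return allowed

def quota_exceeded(policies, action, projected_usage):
    """'Limit' statements: usage after the request must stay within every matching cap."""
    for pol in policies:
        for stmt in pol["Statement"]:
            if stmt["Effect"] != "Limit" or not _matches(stmt, action):
                continue
            for key, cap in stmt.get("Condition", {}).get("NumericLessThanEquals", {}).items():
                if projected_usage.get(key, 0) > int(cap):
                    return True
    return False

def authorize(request, policies):
    """Decision order from the enforcement-logic slide; request fields are constructed inputs."""
    if request["sys_admin"]:                        # Sys admin? -> Accept
        return "Accept"
    if not request["account_permitted"]:            # account-level permission (image perm, bucket ACL)
        return "Reject"
    if not (request["account_admin"] or iam_allowed(policies, request["action"])):
        return "Reject"
    if not request["allocates"]:                    # nothing allocated -> no quota check
        return "Accept"
    if quota_exceeded(policies, request["action"], request["projected_usage"]):
        return "Reject"
    return "Accept"
```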
Third Party Integration Possibilities
• Extensibility: AWS IAM compatible API
[Architecture diagram; labels: Cloud Service Management; Cloud Services (SaaS, PaaS); AWS IAM API Integration; Reporting; GUI Integration (Accounts, Groups, Users, Resources; Policies, Certs, Keys, Images, VMs; Reports); Eucalyptus Identity Authorization and Management Web Services (Compute, Network, Identity, Storage); Enhanced Virtual Resource System / High Availability IaaS; Virtual Cloud Resources; Physical Resource Management; Virtual and Physical Resource Administration]
Resources
• Documentation: http://www.eucalyptus.com/eucalyptus-cloud/documentation
• Eucalyptus Compatibility Matrix: http://www.eucalyptus.com/eucalyptus-cloud/iaas/compatibility
• AWS IAM Policy Generator: http://awspolicygen.s3.amazonaws.com/policygen.html
• AWS IAM Documentation: http://docs.amazonwebservices.com/IAM/latest/UserGuide/IAM_Concepts.html
Euca IaaS Support Stack
[Stack diagram; layers: Physical Resource Management; Virtual Resource Management; Cloud Resources; IaaS Web Services; Third Party Management; SaaS / PaaS Providers]
Demo