eucalyptus identity and access management (iam) in the enterprise - lightning webinar #2

Upload: eucalyptus-systems-inc

Post on 25-Jun-2015

TRANSCRIPT

Page 1: Eucalyptus Identity and Access Management (IAM) in the Enterprise - Lightning Webinar #2

© 2012 Eucalyptus Systems, Inc.

Eucalyptus Identity and Access Management (IAM) in the Enterprise

Govind Rangasamy Director, Product Management

Page 2

Eucalyptus Leadership

Agility is Key… Flexibility, Automation, Speed, Trust

[Slide graphic: four capability boxes]
• Self-Service Resource Configuration
• Self-Service Resource Provisioning
• Dynamic Resource Management
• Resource Chargeback and Reporting

Page 3

An Enterprise Open Source, On-premise Cloud Infrastructure as a Service (IaaS) Software Platform

• Physical resource management tools interface with hypervisor, storage, and network infrastructure
• Virtual resource management orchestrates the placement of disposable virtual cloud resources and handles security and traffic isolation, identity and storage
• Cloud compute, network, storage and identity resources are accessible as services
• Web services API to enable self-serviceable infrastructure

Page 4

Eucalyptus IaaS Deployment (non HA)

• Cloud Controller
  – Cloud level - Virtual Resource System
  – AWS EC2 compatible
• Walrus Storage
  – Persistent data store
  – Bucket-based, like S3
• Cluster Controller
  – Node level - Virtual Resource System
  – Manages the virtual network
• Storage Controller
  – Block-accessed network storage
  – Like EBS
• Node Controller
  – VM management
  – Instance management
• VMware Broker
  – ESX, ESXi management
  – vCenter Server compatible

[Deployment diagram: Cloud Controller and Walrus Storage at the cloud level; below them Cluster Controllers, each with a Storage Controller backed by SAN/NAS and either Node Controllers running VMs or a VMware Broker driving ESX/ESXi hosts. Labels: Resource Admin; IAM Enforcement.]

Page 5

Eucalyptus IAM

Page 6

Eucalyptus IaaS: Identity Management

Features:
• Users, groups and accounts management
• Security credentials management
• Flexible policy-based resource access management
• Authenticate users against existing AD/LDAP systems
• Flexible policy-based resource utilization management

Benefits:
• Centralized, efficient management of self-service infrastructure access
• Centralized, efficient utilization control of infrastructure resources

Page 7

Example: Dev/test/staging IAM Scenarios

[Diagram: Dev Zone 1, Test Zone 1, Dev Zone 2 and Stage Zone 1, each holding several WEB / App / DB stacks, all running on Shared Infrastructure]

• Dev/test/staging use of shared infrastructure
• Dynamic scale-out and scale-in using Application Lifecycle Management systems

Page 8

IAM and LDAP integration

[Diagram: an LDAP/AD directory with the groups eucalyptus, dev, test and support under ou=groups,dc=foo,dc=com, synced into Eucalyptus through a LIC file]

LDAP/AD
• Sync and manage groups and users
  – Configurable
  – Use LIC (LDAP/AD Integration Configuration) files
• User authentication against AD/LDAP

Eucalyptus
• Special user accounts
• Policies, access keys and certs associated with AD/LDAP users

Page 9

IAM Policy Language

• Effect: the decision, Allow or Deny
• Action / NotAction: the API call(s) the statement covers (e.g. "ec2:RunInstances"), or every call except the listed ones
• Resource: the specific resource(s), named by ARN (e.g. arn:aws:s3…)
• Condition: additional constraints on resource access

Page 10

Exercise Control Over Dev/Test Cloud with Policies

[Diagram: Dev Zone 1 with several WEB / App / DB stacks; instances leased to Dev groups]

Built-in policy enforcement engine
• Allow or deny API and Resource* access
• Allow or deny specific API/User actions
• Specify resource access time limits

* Extension to AWS IAM

Page 11

Flexible, Fine-grained Policies

[Diagram: groups eucalyptus, support, sales and dev, each governed by EC2 image permissions, S3 bucket ACLs and quotas]

Example quota policy (an "Effect":"Limit" statement, the Eucalyptus quota extension to AWS IAM):

{
  "Version": "2012-02-12",
  "Statement": [{
    "Sid": "2",
    "Effect": "Limit",
    "Action": "ec2:RunInstances",
    "Resource": "*",
    "Condition": {
      "NumericLessThanEquals": {
        "ec2:quota-vminstancenumber": "256"
      }
    }
  }]
}

Page 12

IAM Policy Enforcement Logic

[Flowchart for a RunInstances request arriving at the Cloud Controller:]
• Sys admin? Yes → Accept. No → continue.
• Account-level permission satisfied? No → Reject. Yes → continue.
• Account admin, or IAM policy allows the action? No → Reject. Yes → continue.
• Allocating resources? No → Accept. Yes → continue.
• Exceeding quota? Yes → Reject. No → Accept.
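The policy elements from page 9, the quota statement from page 11 and the decision order from page 12, put together as a runnable toy evaluator. This is an added example written for this transcript, not Eucalyptus code. Everything beyond the page-11 quota statement is an assumption: the other sample statements, the request and user dictionaries, the use of aws:CurrentTime with DateLessThan to express a lease, the reading that ec2:quota-vminstancenumber carries the instance count the caller would hold after the request, and the AWS combining rules (an explicit Deny beats any Allow; no matching Allow is an implicit deny).

```python
import fnmatch
import json
from datetime import datetime

# Constructed sample policy. Statement "4" is the quota statement from the deck;
# "1"-"3" are assumptions that exercise Allow, NotAction, Resource scoping and a
# time-limited lease (DateLessThan on aws:CurrentTime).
DEV_POLICY = json.loads("""{
  "Version": "2012-02-12",
  "Statement": [
    {"Sid": "1", "Effect": "Allow",
     "Action": ["ec2:Describe*", "ec2:RunInstances", "ec2:TerminateInstances"],
     "Resource": "*",
     "Condition": {"DateLessThan": {"aws:CurrentTime": "2012-12-31T23:59:59Z"}}},
    {"Sid": "2", "Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::dev-bucket/*"},
    {"Sid": "3", "Effect": "Deny", "NotAction": ["ec2:*", "s3:*"], "Resource": "*"},
    {"Sid": "4", "Effect": "Limit", "Action": "ec2:RunInstances", "Resource": "*",
     "Condition": {"NumericLessThanEquals": {"ec2:quota-vminstancenumber": "256"}}}
  ]}""")

def _matches(patterns, value):
    """Policy wildcards: '*' matches any run of characters, '?' a single one."""
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _action_matches(stmt, action):
    if "Action" in stmt:
        return _matches(stmt["Action"], action)
    return not _matches(stmt["NotAction"], action)  # NotAction: every action except these

def _condition_holds(cond, ctx):
    """Each operator/key pair in the Condition block must hold (logical AND)."""
    iso = lambda ts: datetime.fromisoformat(ts.replace("Z", "+00:00"))
    for op, pairs in cond.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False  # a missing context key never satisfies a condition
            if op == "NumericLessThanEquals":
                ok = float(ctx[key]) <= float(expected)
            elif op == "DateLessThan":
                ok = iso(ctx[key]) < iso(expected)
            else:
                raise ValueError("unsupported condition operator: " + op)
            if not ok:
                return False
    return True

def evaluate_policy(policy, action, resource, ctx):
    """Return (decision, quota_exceeded) for one action on one resource."""
    allowed = denied = quota_exceeded = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt, action) or not _matches(stmt["Resource"], resource):
            continue
        cond_ok = _condition_holds(stmt.get("Condition", {}), ctx)
        if stmt["Effect"] == "Limit":
            # Quota extension (assumed): a Limit whose condition fails means over quota.
            quota_exceeded = quota_exceeded or not cond_ok
        elif cond_ok and stmt["Effect"] == "Allow":
            allowed = True
        elif cond_ok and stmt["Effect"] == "Deny":
            denied = True
    return ("Allow" if allowed and not denied else "Deny"), quota_exceeded

def authorize(request, user, policy, ctx):
    """Decision order from the enforcement flowchart for a request at the Cloud Controller."""
    if user.get("sys_admin"):
        return "Accept"  # sys admin bypasses IAM policy
    if not request["account_permitted"]:
        return "Reject"  # account-level permission (image permission, bucket ACL) missing
    decision, over_quota = evaluate_policy(policy, request["action"], request["resource"], ctx)
    if not (user.get("account_admin") or decision == "Allow"):
        return "Reject"  # neither account admin nor allowed by IAM policy
    if not request["allocates_resources"]:
        return "Accept"  # nothing is allocated, so no quota check
    return "Reject" if over_quota else "Accept"

def demo():
    """Constructed requests run through the flow; returns {label: decision}."""
    now = {"aws:CurrentTime": "2012-06-01T12:00:00Z"}
    dev = {"sys_admin": False, "account_admin": False}
    run = {"action": "ec2:RunInstances", "resource": "*",
           "account_permitted": True, "allocates_resources": True}
    return {
        "run_within_quota": authorize(run, dev, DEV_POLICY, {**now, "ec2:quota-vminstancenumber": "200"}),
        "run_over_quota": authorize(run, dev, DEV_POLICY, {**now, "ec2:quota-vminstancenumber": "257"}),
        "run_lease_expired": authorize(run, dev, DEV_POLICY, {"aws:CurrentTime": "2013-01-01T00:00:00Z", "ec2:quota-vminstancenumber": "1"}),
        "sysadmin_over_quota": authorize(run, {"sys_admin": True}, DEV_POLICY, {**now, "ec2:quota-vminstancenumber": "999"}),
        "describe_no_alloc": authorize({**run, "action": "ec2:DescribeInstances", "allocates_resources": False},
                                       dev, DEV_POLICY, now),
        "s3_dev_bucket": authorize({**run, "action": "s3:PutObject", "resource": "arn:aws:s3:::dev-bucket/app.war"},
                                   dev, DEV_POLICY, now),
        "iam_create_user": authorize({**run, "action": "iam:CreateUser"}, dev, DEV_POLICY, now),
    }

if __name__ == "__main__":
    for label, decision in demo().items():
        print(label, decision)
```

Two points worth noticing when running it: the quota check only fires on the path where resources are actually allocated, so a DescribeInstances call from an over-quota user still succeeds, and a sys admin skips policy evaluation entirely, which is why the quota statement never constrains that account. The Limit statement is kept apart from the Allow/Deny decision on purpose; a request can be fully allowed by policy and still be rejected for exceeding quota.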

Page 13

Third Party Integration Possibilities

[Diagram: Cloud Service Management tools and Cloud Services (SaaS, PaaS) integrate with Eucalyptus over the AWS IAM API; GUI Integration and Reporting alongside]

Extensibility
• AWS IAM compatible API
• Integration objects: Accounts, Groups, Users, Resources, Policies, Certs, Keys, Images, VMs, Reports

[Architecture stack: Physical Resource Management; Virtual Cloud Resources; Enhanced Virtual Resource System / High Availability IaaS; Virtual and Physical Resource Administration; Eucalyptus Identity, Authorization and Management Web Services (Compute, Network, Identity, Storage)]

Page 15

Euca IaaS Support Stack

[Stack diagram, layers: Physical Resource Management; Virtual Resource Management; Cloud Resources; IaaS Web Services; Third Party Management; SaaS / PaaS Providers]

Page 16

Demo

Page 17

Thank you.

Govind Rangasamy

[email protected]

Page 18