This has come up in numerous contexts, but I wasn't sure if it was here on the forum... here are some ideas for you on a security model. Personally, I think that these are good features for any grid, but they are nearly critical for multi-tenant grids (eg. one grid shared by multiple administrative groups or departments). The bottom line I suppose is that it would be hugely beneficial to have a better administrative access/security model.

Here are some ideas for your consideration:

1) Role based security with perhaps something like the following administrative roles:

a) Can create, delete and manage users (sshkeys, passwords, roles, etc.)
b) Can administer applications and components (start, stop, restart)
c) Can ssh into running components (perhaps with a switch for with/without password confirmation)
d) Can obtain statistics and grid info
e) Can perform basic grid operations (reboot servers, disable servers, etc.)
f) Can perform basic volume maintenance (vol checks, repairs, etc. - but maybe not copies or resizing)
g) Can view all applications (individual app viewing would be covered in "2)" below)
h) Can configure all applications (individual app configuring and/or editing would be covered in "2)" below)
...
z) others beyond these examples

2) Application-specific grid access rights, perhaps/perhaps-not achieved using roles... for example, a user could be granted administrative access to a particular application -- and only to that particular application. Even viewing applications should be restricted. Whether or not applications are completely hidden other than the ones to which a given user has rights is another consideration. I think initially, it would be fine to use the *IX "ps" model where all users can see what processes (applications & components) are running, but cannot access those things without sufficient rights.

3) User quotas. In order to maintain a given application (starting app/components, provisioning, etc.), a user should have sufficient quotas privs for CPU/mem/bw. This would allow a superuser to create an application with a fixed quota for these resources and assign administrative access to only that application (per "2" above) to a particular user. Quotas could be assigned per-user or per-user/application. This thought needs more work - but what I'm asking for is a controlled mechanism to dish out resources.

4) Formal IP address assignment. Perhaps public IP addresses should be provisioned to applications somehow. It seems like this might be more difficult because there is no network layer intercepting the VIP activity on the external interfaces. But maybe you have some ideas here that could help?

5) Inability to "Login" through the GUI without confirmation of appropriate access. For example, to be able to "Login" to an application's running component with only the "View" role -- this is probably not a good thing.

6) Ability to (selectively) configure challenged logins from the CLI. While this can obviously be tightened via SSH configuration on running components, we don't really want to branch standard components solely to add this-- and we don't want to break the normal grid maintenance operations during component startup by changing accessibility of SSH on the components themselves. Perhaps a simple "please confirm password" would suffice on the CLI (or GUI) before the connection is even attempted. If this could be configured selectively, then it could probably be a user-specific or application-specific role.

Hi!

I just opened a ticket about this feature a couple of days ago. We would love to see this feature soon!

In the meantime, is there any workaround you can think of? We are mainly interested to restrict a user's access right to his application, so that he can use the infrastructure editor without being able to edit other applications than his own.

Christoph

Tim, Christoph,

Thanks for the suggestions; Tim, thanks for the extensive notes -- correctly defining the user rights, roles and quotas is essential for this to be useful.

Wrt login - I think the login to components should be a separate right -- just as you listed, not depending on the remaining rights (other than "all-access" which would imply all others). We're also extending the login via ssh/web to components to provide authenticated user ID context -- so that the appliance can log the access and/or provide additional checks as it wants (assuming it will trust the authentication performed by the grid).

We are reviewing the priority of supporting access rights and multi-tenancy access. These are not quite the same thing (as you properly noted in the *ix ps-type visibility vs. complete separation needed in multi-tenancy). We should have clarity on scheduling support for them in a couple of months, after our upcoming major release. The access controls are going to go in later this year for sure; we're still discussing several approaches to multi-tenancy -- among ourselves and with customers (and this discussion here is very useful - thanks).

Christoph, currently there are two ways to deal with this restricted access:
- for full grid UI access, including the editor, the only way is to run separate grids for each customer (aldo supports multiple grids on the same backbone with no configuration changes to switches, etc.)
- for a very limited control or visibility access (e.g., provisioning instances, destroying instances, start/stop/restart), several of our customers have built simple web or API portals that run as AppLogic applications and provide this limited functionality with proper authentication. For example, I have somewhere a small web app that shows the list of apps on the grid and gives start/stop/restart access, without using AJAX/Javascript and suitable for mobile device use (e.g., being able to restart applications from an iPhone/Blackberry/any smartphone -- it was useful also for one of our service provider customers who needed to allow their level 1 techs to restart apps without the ability to log in or make config changes).

Best regards,

-- Peter

Peter,

Thanks for your reply. It would be very helpful if you could send me te small web app you were talking about.

Thanks in advance

Christoph

Christoph, still digging....

....still digging?

Oops, sorry -- strikeout. I couldn't find the app, seems it was lost more than a year ago. If you like I can sketch out how it worked if you want to re-create it (it is fairly simple).

Regards,
-- Peter

Peter,
I might also suggest the concept of providing options for things like re-credentialling (re-confirming current permissions and asking for a passphrase again) for each command that crosses an application boundary. For example:

+ copying volumes across applications
+ starting/stopping/restartting one application when in the "ca" context of another application
+ the "ca" command itself

By "option" I mean that this might be part of a higher security level that could be enabled by a grid maintainer.

Peter

You don't have to dig any more. We built our own frontend to provision/start/stop/scale applications.

Thanks

Christoph

Christoph -- great. Is it something that is publicly accessible?

Best regards,
-- Peter

Peter,
Is there any news/developments on the role-based or hierarchical security model (or something similar)?

Eh? Any developments here yet?

Tim, no updates on this yet. We're currently looking at this as part of multi-tenancy. We may discuss as we meet and/or at bootcamp.

Regards,
-- Peter

shameless bump