[Openstack] How to implement: Role based access control using XACML and SAML over rest for cloud

Adam Young ayoung at redhat.com
Tue May 20 03:20:52 UTC 2014

On 05/09/2014 08:00 AM, Ageeleshwar Kandavelu wrote:
> Hi,
> Your first hop is keystone project. It is the openstack identity 
> management system. Try to get a picture of how the various other parts 
> of openstack interact with keystone for providing their service.
> Second you should look into policy.json file. There is a policy.json 
> for every service under /etc/<service_name>. I have not used this so 
> far and can not offer any more information. Hope other openstack 
> developers throw up some.
> Thank you,
> Ageeleshwar K
> ------------------------------------------------------------------------
> *From:* Priya Sharma [priya_sharma at persistent.co.in]
> *Sent:* Friday, May 09, 2014 4:55 PM
> *To:* 'dev at cloudstack.apache.org'; 'users at cloudstack.apache.org'; 
> openstack at lists.openstack.org
> *Subject:* [Openstack] How to implement: Role based access control 
> using XACML and SAML over rest for cloud
> Hi All,
> I am pursuing MTech and my MTech project is "Role based access control 
> using XACML and SAML over rest for cloud".
> I am familiar with Technologies/platform
> · Role based access control
> · Linux environment
> But I am not aware of how all this works in cloud. My aim is to implement 
> role based access control for cloud; my sole purpose is cloud security.
> Herein I am attaching the architecture diagram I initially came up with.
> Any suggestion on the architecture and how to implement role based access 
> control in cloud will be helpful.
Keystone does RBAC, but does not use SAML or XACML to implement it. Sorry.

We could, however, use your experience with those in expanding the RBAC 
capabilities of Keystone.  We are looking to use an XACML-like system 
for distributed policy, and are still in the design stages.

> Thanks
> Priya
