AccentOS RBAC Centralized management systems
Centralized management systems for virtualization tools, such as oVirt, PVE and OpenNebula, implement centralized management of virtualization tools for only one environment.
The fundamental difference between a virtualization environment and a cloud platform (the most popular representative of which is OpenStack) is that the cloud platform can segment virtualization environments and manage all segments simultaneously. The AccentOS centralized management system for virtualization tools is built on the cloud architecture and modules of OpenStack and significantly extends their functionality.
Simultaneous centralized management of virtualization tools in many isolated environments is achieved by segmenting the virtualization system tools:
- data transmission network equipment: hardware and software separation of networks at the L2 and L3 levels on shared network equipment;
- data storage system equipment: hardware and software separation of stored information and of connections, using SAN switches, Infiniband switches, iSCSI switches, specialized FibreChannel, Infiniband and SAS adapters, and the FCoE and iSCSI network protocols, on shared storage equipment;
- the AccentOS SUV software, which segments virtualization tools and provides a separate centralized virtualization management system for each segment within one information system.
Accordingly, in contrast to classical centralized management systems for virtualization tools, AccentOS introduces the concept of a “domain”, which is the analogue of a virtualization environment.
From the point of view of role-based access for managing domains, an additional role, “domain administrator”, appears; it manages an AccentOS segment.
A System segment is a part of the AccentOS system that the System administrator hands over to a domain administrator for management. A segment may include its own physical servers, availability zones and users, and may be restricted by resource quotas.
It is advisable to allocate each segment its own instance network based on VLAN or IP Fabric technology, which makes the segments completely isolated from each other while retaining a common management system.
The AccentOS system implements a role-based access control method that differentiates the functionality and powers of users (roles), administrators and persons responsible for the functioning of the information system:
- Project administrator;
- System security administrator;
- System administrator;
- Domain administrator (System segment);
- Instance administrator.
Access control tools make it possible to define the powers of virtualization tool users within the roles assigned to them.
The System administrator has the following rights:
- create domain administrator, project administrator, system security administrator accounts;
- manage system accounts;
- assign administrator access rights to projects and instances;
- manage physical equipment (servers, switches, storage systems) through additional software;
- manage host operating systems and hypervisors;
- add nodes, networks and storage systems to the system and remove them;
- manage monitoring, access, logging and backup software;
- create and delete virtual hardware templates for instances;
- change configuration templates for virtual equipment of the virtualization tool;
- create images of instances in Glance storage;
- manage access of instances to physical and virtual equipment;
- manage instance access quotas to physical and virtual equipment;
- manage the movement of instances;
- delete instances;
- start and stop instances;
- create snapshots of the state of instances, including an instance configuration file, an instance image and an instance memory image.
The Domain administrator has rights similar to those of the System administrator, but only in relation to the System segment, i.e. limited to its availability zones and quotas. A domain is a dedicated entity and can have usernames independent of the names in other domains.
The Domain administrator does not have any rights outside the domain.
The Project administrator has rights within the project, i.e. is restricted by quotas, VM templates, VM images, access to physical VM equipment, and system functionality. A project is a dedicated entity and can have usernames independent of those in other projects.
The Project administrator has the following rights within his project:
- create instances within the project created by the administrator;
- generate a list of actions to initialize instances;
- start/stop/pause instances;
- change the configuration of instances within the project created by the administrator;
- delete instances within the project created by the administrator;
- create users in the project - project administrators and instance administrators;
- create routing rules within the project;
- create tasks for the event planner within the project.
The Project administrator does not have any rights outside the project.
The Instance administrator has the following rights:
- access the instance through the virtualization tool interface.
The Security administrator of the virtualization tool has the following rights:
- read the security event log of the virtualization tool;
- generate reports taking into account the specified selection criteria;
- download (export) data from the security event log of the virtualization tool.
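The scoping rules above (a domain administrator has no rights outside its domain, a project administrator none outside its project, an instance administrator only its instance) can be expressed as a single authorization check. The following is an added illustration, not AccentOS or Keystone code; the role names, action names and the subset of rights per role are constructed from the lists on this page.

```python
from dataclasses import dataclass
from typing import Optional

# Scope level each role is bound to, following the page's role model.
ROLE_SCOPE = {
    "system_admin": "system", "security_admin": "system",
    "domain_admin": "domain", "project_admin": "project",
    "instance_admin": "instance",
}

# Illustrative subset of the rights listed on this page per role (constructed).
ROLE_ACTIONS = {
    "system_admin": {"create_domain_admin", "manage_nodes", "create_image",
                     "create_instance", "delete_instance", "start_stop_instance"},
    "domain_admin": {"create_project", "manage_project_quotas", "create_image",
                     "create_instance", "delete_instance", "start_stop_instance"},
    "project_admin": {"create_instance", "delete_instance", "start_stop_instance",
                      "create_project_user", "create_routing_rule"},
    "instance_admin": {"console_access"},
    "security_admin": {"read_security_log", "export_security_log"},
}


@dataclass(frozen=True)
class Target:
    """The object an action is applied to, located by domain/project/instance."""
    domain: Optional[str] = None
    project: Optional[str] = None
    instance: Optional[str] = None


@dataclass(frozen=True)
class Assignment:
    """A role granted to a user, together with the scope it was granted on."""
    role: str
    domain: Optional[str] = None
    project: Optional[str] = None
    instance: Optional[str] = None


def is_allowed(a: Assignment, action: str, target: Target) -> bool:
    """Permit only if the role grants the action AND the target lies inside
    the scope of the assignment; unknown roles are denied everything."""
    if action not in ROLE_ACTIONS.get(a.role, set()):
        return False
    scope = ROLE_SCOPE[a.role]
    if scope == "system":            # system-wide roles are not scope-bound
        return True
    if a.domain != target.domain:    # every narrower scope is domain-bound
        return False
    if scope == "domain":
        return True
    if a.project != target.project:  # project and instance scopes are project-bound
        return False
    return scope == "project" or a.instance == target.instance
```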
Defining and changing the role model of users (administrators) is implemented using Keystone, either alone or together with an external identification and authentication service; the resulting capabilities per role are shown in the table below.
| Functions | Rights, available roles | Administrator | Domain administrator | VM project developer | VM host OS administrator | IS administrator (reading) |
|---|---|---|---|---|---|---|
| Object management boundaries | | System | Domain | Project | VM | Subjects, event objects |
| Types of managed objects | | Physical, logical | Physical, logical | Logical | Logical | Informational |
| System for centralized management of virtualization tools | | | | | | |
| Create System user accounts. Manage user accounts | Assigning rights to the System | ✖ | - | - | - | ✖ |
| | Cloud segmentation into Domains | ✖ | - | - | - | ✖ |
| Create System user accounts. Manage user accounts | Assigning rights to a Domain | ✖ | - | - | - | ✖ |
| Create and delete virtual hardware of virtualization tools. Manage VM access to physical and virtual equipment | Manage CPU, RAM, GPU | ✖ | ✖ | - | - | ✖ |
| Create and delete virtual hardware of virtualization tools. Manage VM access to physical and virtual equipment | Local storage management: HDD, NFS, LUNs, S3 | ✖ | ✖ | - | - | ✖ |
| Create and delete virtual hardware of virtualization tools. Manage VM access to physical and virtual equipment | Manage physical host networks | ✖ | ✖ | - | - | ✖ |
| Create and delete virtual hardware of virtualization tools. Manage VM access to physical and virtual equipment | Manage virtual networks | ✖ | ✖ | - | - | ✖ |
| Create and delete virtual hardware of virtualization tools. Manage VM access to physical and virtual equipment | Manage virtual system routers | ✖ | ✖ | - | - | ✖ |
| Manage VM movement. Create snapshots of the VM state, including a configuration file, a VM image and a VM memory image. Delete VMs. Create VMs. Change VM configurations. Start and stop VMs | Manipulating VMs at the System level | ✖ | ✖ | - | - | ✖ |
| Change VM configuration templates | Create VM images | ✖ | ✖ | - | - | ✖ |
| Change VM configuration templates | Create and change VM configuration templates | ✖ | ✖ | - | - | ✖ |
| | Creation of Projects | ✖ | ✖ | - | - | ✖ |
| Create System user accounts. Manage System user accounts | Assigning VM project developer rights | ✖ | ✖ | - | - | ✖ |
| Manage VM access quotas to physical and virtual equipment | Manage Project vCPU, vRAM, vGPU quotas | ✖ | ✖ | - | - | ✖ |
| Manage VM access quotas to physical and virtual equipment | Manage Project storage quotas | ✖ | ✖ | - | - | ✖ |
| Manage VM access quotas to physical and virtual equipment | Manage Project network quotas | ✖ | ✖ | - | - | ✖ |
| Read access to the System security event log | Access to logs | ✖ | ✖ | - | - | ✖ |
| Generate reports taking into account specified selection criteria; download (export) data from the System security event log | Generate reports | ✖ | ✖ | - | - | ✖ |
| Project | | | | | | |
| Assign access rights to the project | Assign rights to the project | − | − | ✖ | - | − |
| Assign user access rights to the VM | Assign rights to the VM | − | − | ✖ | - | − |
| Managing routing in a project | Managing planned Project activities | − | − | ✖ | - | − |
| Managing the scheduler in a project | Assigning rights to a project | − | − | ✖ | - | − |
| Create a VM. Change VM configurations (from a set of configuration templates) | Create a VM | − | − | ✖ | - | − |
| Delete VMs. Start and stop VMs | Manage VMs | − | − | ✖ | - | − |
| Host OS | | | | | | |
| Assign rights to users of the VM guest OS | Assignment of guest OS rights | − | − | − | ✖ | − |
| Provide virtualization tool user access to the VM through the virtualization tool interface | Guest OS management | − | − | − | ✖ | − |
where:
- ✖ : requirement of Order 187;
- + : implementation of additional rights;
- - : no such function for this role;
- − : can be provided if required.