Introduction to Identity and Access


Accounts and Projects

The virtual resources of the Zadara Cloud Services region are managed through an administrative hierarchy of accounts and projects. The Zadara Cloud Services region consists of one or more accounts, each of which contains one or more projects. Virtual resources such as VLANs, instances, volumes, images and snapshots are created per project, account or region. Users, who are members of an account, can be assigned different projects within their account, through either a Zadara Cloud Services role and one or more Zadara Cloud Services policies, one or more AWS API policies, or both. This assignment enables you to provide access to Zadara Cloud Services to numerous users, dividing and separating the resources that each user is able to view, create, and manage.

Users, Roles and Zadara Cloud Services Policies

If a Zadara Cloud Services account is connected to an Identity Provider such as MS Active Directory, users are authorized by the Identity Provider. If an account is not connected to an identity provider, users can be manually created within Zadara Cloud Services as members of this account.

Access to Zadara Cloud Services functionality is gained by assigning the user to one or more projects within this account. This is done by assigning to the user, per project, the following two entities:

  1. One or more Zadara Cloud Services policies, which define the functionality or APIs that are permitted.

  2. A single Zadara Cloud Services role, which determines which of those policies or APIs the user can actually assign or use. There are three Zadara Cloud Services roles, each permitting the use of different functionality, as follows:

    1. Member - This role allows the user to use policies and APIs for creating, viewing, modifying and deleting virtual resources belonging to projects to which the user has been assigned. This is the standard role for most users.

    2. Tenant Admin - In addition to allowing the use of those policies and APIs which are granted to a Member, the Tenant Admin role also allows the user to use policies and APIs for creating and managing new projects and users within a specific account, assigning to these users, per project, roles and Zadara Cloud Services and AWS policies. It is recommended that each account have at least one user with this role.

    3. Admin - In addition to allowing the use of those policies and APIs which are granted to a Member and a Tenant Admin, the Admin role also allows the user to use policies and APIs for viewing, creating, managing and deleting all physical resources, such as nodes (servers), disks, storage pools, physical networks, etc., and administrative entities such as accounts. It is possible to create more than one user per region with Admin rights.

Two important guidelines concerning the assignment of Zadara Cloud Services roles:

  1. Only assign a single role per project.

  2. When assigning multiple projects to a user, assign the same role for each project.
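The two guidelines above, together with the rule that functionality is granted only through policies that a role permits, are easy to enforce with a small audit over an account's per-project assignments. The following is an added example, not code from the Zadara documentation or product; the assignment records, the user and project names and the policy name ExampleComputeAccess are constructed for illustration (FullAccess and AdministratorAccess are the built-in policy names mentioned on this page).

```python
from collections import defaultdict

# Constructed per-project assignments for one account, in the shape the page
# describes: each record grants one user, on one project, a single Zadara Cloud
# Services role plus zero or more Zadara Cloud Services and AWS API policies.
# "ExampleComputeAccess" is a made-up policy name for this example.
ASSIGNMENTS = [
    {"user": "alice", "project": "default",   "role": "Member",
     "zcs_policies": ["ExampleComputeAccess"], "aws_policies": []},
    {"user": "alice", "project": "analytics", "role": "Member",
     "zcs_policies": ["ExampleComputeAccess"], "aws_policies": []},
    {"user": "bob",   "project": "default",   "role": "Tenant Admin",
     "zcs_policies": ["FullAccess"], "aws_policies": ["AdministratorAccess"]},
    # bob holds a different role on his second project: breaks guideline 2
    {"user": "bob",   "project": "analytics", "role": "Member",
     "zcs_policies": ["ExampleComputeAccess"], "aws_policies": []},
    # carol has two roles on the same project: breaks guideline 1
    {"user": "carol", "project": "default",   "role": "Member",
     "zcs_policies": ["FullAccess"], "aws_policies": []},
    {"user": "carol", "project": "default",   "role": "Tenant Admin",
     "zcs_policies": ["FullAccess"], "aws_policies": []},
    # dave has a role but no policy of either kind, so nothing is permitted
    {"user": "dave",  "project": "analytics", "role": "Member",
     "zcs_policies": [], "aws_policies": []},
]


def check_account(assignments):
    """Return a list of (code, user, project) findings for one account.

    Codes: "multiple-roles" (guideline 1), "inconsistent-roles" (guideline 2),
    "no-policies" (a role without any policy grants no functionality) and
    "no-tenant-admin" (the page recommends at least one Tenant Admin per account).
    """
    findings = []

    # roles held by each (user, project) pair
    roles = defaultdict(set)
    for a in assignments:
        roles[(a["user"], a["project"])].add(a["role"])

    # guideline 1: only a single role per project
    for (user, project), held in sorted(roles.items()):
        if len(held) > 1:
            findings.append(("multiple-roles", user, project))

    # guideline 2: the same role on every project the user is assigned to
    # (pairs already flagged under guideline 1 are skipped to avoid double counting)
    per_user = defaultdict(dict)
    for (user, project), held in roles.items():
        if len(held) == 1:
            per_user[user][project] = next(iter(held))
    for user, projects in sorted(per_user.items()):
        if len(set(projects.values())) > 1:
            findings.append(("inconsistent-roles", user, ", ".join(sorted(projects))))

    # a role only governs which policies may be used; no policies means no access
    for a in assignments:
        if not a["zcs_policies"] and not a["aws_policies"]:
            findings.append(("no-policies", a["user"], a["project"]))

    # recommendation: each account should have at least one Tenant Admin
    if not any(a["role"] == "Tenant Admin" for a in assignments):
        findings.append(("no-tenant-admin", "-", "-"))

    return findings


if __name__ == "__main__":
    for finding in check_account(ASSIGNMENTS):
        print(finding)
```

Run as a script the audit prints one finding per violated guideline; in practice the assignment records would be exported from the account's user and project listings and fed to check_account before a periodic access review.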

When Zadara Cloud Services is installed, it comes with a single account containing one project and one user.

  • The account is called cloud_admin.

  • The project inside is called default.

  • The user is called admin.

This user, who serves as the System Administrator of the entire region, comes assigned to the ‘default’ project with the ‘Admin’ Zadara Cloud Services role, the ‘FullAccess’ Zadara Cloud Services Policy and the ‘AdministratorAccess’ AWS API policy. This built-in account, project and user cannot be deleted or modified in any way (except that the admin user can change the password).

AWS API Policies

Access to AWS APIs is gained by assigning to the user, per project, one or more AWS API policies that list the AWS APIs the user is permitted to use. A user can be granted access to both AWS API and Zadara Cloud Services functionality on the same project.

AWS Roles

AWS IAM roles are policy-based tokens with temporary credentials, allowing a user temporary access to AWS services and actions that the user is not normally permitted to access. These users may be from different projects or even different accounts. These roles can also be embedded into specific instances, allowing those instances access to the necessary actions.

Note

The AWS IAM roles are independent of the three Zadara Cloud Services roles (Admin, Tenant Admin and Member), which together with Zadara Cloud Services policies grant access to Zadara Cloud Services services and actions.

The AWS IAM role consists of the following:

  1. A permissions document, which gives access to certain Zadara Cloud Services-supported AWS services or actions.

  2. A trust policy document, which defines the relationship between a user (per project) and this role.

    1. The relationship may be ‘allow’, which grants the specified users permission to assume the role, or ‘deny’, which prevents these users from assuming it.

    2. This permission may be granted to multiple users of the same project, of different projects within the same account, or even of different accounts.

  3. The maximum session duration that can be requested when assuming this role.
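To make the three parts of an AWS IAM role concrete, the following added example models a role as a permissions document, a trust policy with both ‘allow’ and ‘deny’ statements, and a maximum session duration, then evaluates an assume-role request against it. This is illustration code, not Zadara's or AWS's implementation. The principal strings use a constructed "account/project/user" labelling convention rather than any real ARN format, the action names are AWS EC2 API names used only as sample values, and the evaluation order (an explicit deny overrides any allow; no matching statement means deny; a requested duration above the maximum is rejected) follows the standard AWS IAM convention and is assumed to apply here.

```python
import fnmatch
from datetime import datetime, timedelta, timezone

# Constructed role definition with the three parts the page lists.
ROLE = {
    "RoleName": "VolumeReadOnly",
    "MaxSessionDuration": 3600,            # seconds; the cap on assume-role requests
    "PermissionsDocument": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["ec2:DescribeVolumes", "ec2:DescribeSnapshots"],
             "Resource": "*"},
        ],
    },
    "TrustPolicy": {
        "Version": "2012-10-17",
        "Statement": [
            # every user of project "analytics" in account "acme" may assume the role
            {"Effect": "Allow", "Principal": {"Users": ["acme/analytics/*"]},
             "Action": "sts:AssumeRole"},
            # a user from a different account is trusted as well
            {"Effect": "Allow", "Principal": {"Users": ["partner/audit/bob"]},
             "Action": "sts:AssumeRole"},
            # one user of the trusted project is explicitly denied
            {"Effect": "Deny", "Principal": {"Users": ["acme/analytics/mallory"]},
             "Action": "sts:AssumeRole"},
        ],
    },
}


def can_assume(role, principal):
    """Evaluate the trust policy for one principal.

    Assumed AWS convention: an explicit Deny wins over any Allow, and a
    principal matched by no statement is denied.
    """
    allowed = False
    for stmt in role["TrustPolicy"]["Statement"]:
        if stmt["Action"] != "sts:AssumeRole":
            continue
        patterns = stmt["Principal"]["Users"]
        if not any(fnmatch.fnmatchcase(principal, p) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def permitted_actions(role):
    """Collect the actions the permissions document allows (sorted for stable output)."""
    actions = set()
    for stmt in role["PermissionsDocument"]["Statement"]:
        if stmt["Effect"] == "Allow":
            actions.update(stmt["Action"])
    return sorted(actions)


def assume_role(role, principal, duration_seconds, now=None):
    """Return the temporary session a successful assume-role call would yield.

    Raises PermissionError when the trust policy does not allow the principal
    and ValueError when the requested duration exceeds MaxSessionDuration.
    """
    if not can_assume(role, principal):
        raise PermissionError(f"{principal} is not trusted to assume {role['RoleName']}")
    max_duration = role["MaxSessionDuration"]
    if duration_seconds > max_duration:
        raise ValueError(f"requested {duration_seconds}s exceeds the role maximum of {max_duration}s")
    now = now or datetime.now(timezone.utc)
    return {
        "RoleName": role["RoleName"],
        "Principal": principal,
        "AllowedActions": permitted_actions(role),
        "Expiration": (now + timedelta(seconds=duration_seconds)).isoformat(),
    }


if __name__ == "__main__":
    for user in ("acme/analytics/alice", "acme/analytics/mallory", "partner/audit/bob", "acme/finance/carol"):
        print(user, "->", "allowed" if can_assume(ROLE, user) else "denied")
    print(assume_role(ROLE, "acme/analytics/alice", 1800))
```

Note that the wildcard in the trust policy is what lets a whole project be trusted at once, and the explicit deny is what carves a single user back out of it; when reviewing a role, look at the deny statements and the MaxSessionDuration together, since a long maximum on a broadly trusted role widens the window in which a borrowed set of temporary credentials remains usable.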