This topic describes the algorithms used by Eucalyptus to determine
access.
Policy Evaluation Algorithm
You can associate multiple policies, each carrying multiple permission statements, with a user. How
these are combined to control access to resources in an account is
defined by the policy evaluation algorithm. Eucalyptus implements the same policy evaluation algorithm as AWS IAM:
- If the request user is the account admin, access is allowed.
- Otherwise, collect all the policy statements associated with the request user
(attached to the user directly and to every group the user belongs to) that match the
incoming request, i.e. whose Action covers the API being invoked and whose Resource
covers the resources it is going to access.
  - If no policy statement matches, access is denied (the default
implicit deny).
  - Otherwise, evaluate each matching policy statement.
    - If any matching statement explicitly denies the access, the
request is denied. An explicit deny wins no matter how many statements allow the
request or whether it is attached to the user or to one of the user's groups.
    - If there is no explicit deny, then at least one matching statement is an
explicit allow, and access is allowed.
Access Evaluation Algorithm
The overall access evaluation combines account-level permissions with IAM permissions
and decides whether Eucalyptus accepts a request:
- If the request user is the sys admin, access is allowed.
- Otherwise, check account-level permissions (for example, image launch permission) to see
whether the request user's account has access to the specific resources.
  - If not, access is denied. Because this check runs before policy evaluation, it
applies to the account admin as well.
  - Otherwise, invoke the policy evaluation algorithm to check whether the
request user has access to the resources based on IAM policies.
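Both algorithms above, as an added example that is not Eucalyptus code: evaluate_policies pools the statements attached to the user and to its groups and applies the implicit-deny, explicit-deny and allow rules, and evaluate_access wraps it with the sys admin shortcut and the account-level check. The Statement, Policy, Group and User classes, the account_permitted hook standing in for image launch permission, and the account names, image ARNs and users are all constructed for the illustration.

```python
"""Eucalyptus-style policy and access evaluation (added illustration, not Eucalyptus code).

Statements are modelled after IAM JSON: an Effect plus Action and Resource lists,
both of which may contain '*' and '?' wildcards.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Statement:
    effect: str        # "Allow" or "Deny"
    actions: list      # e.g. ["ec2:*"]
    resources: list    # e.g. ["*"]


@dataclass
class Policy:
    statements: list


@dataclass
class Group:
    name: str
    policies: list = field(default_factory=list)


@dataclass
class User:
    name: str
    account: str
    policies: list = field(default_factory=list)
    groups: list = field(default_factory=list)
    is_account_admin: bool = False
    is_sys_admin: bool = False


def matches(stmt, action, resource):
    """A statement matches when its Action list covers the API and its Resource
    list covers the resource. Actions compare case-insensitively (as in IAM);
    resources compare exactly."""
    action_ok = any(fnmatchcase(action.lower(), a.lower()) for a in stmt.actions)
    resource_ok = any(fnmatchcase(resource, r) for r in stmt.resources)
    return action_ok and resource_ok


def evaluate_policies(user, action, resource):
    """Policy evaluation algorithm. Returns 'allow', 'implicit-deny' or 'explicit-deny'."""
    if user.is_account_admin:
        return "allow"
    policies = list(user.policies)
    for group in user.groups:
        policies.extend(group.policies)
    matched = [s for p in policies for s in p.statements if matches(s, action, resource)]
    if not matched:
        return "implicit-deny"              # nothing matched: default deny
    if any(s.effect == "Deny" for s in matched):
        return "explicit-deny"              # one deny overrides every allow
    return "allow"                          # only allows matched


def evaluate_access(user, action, resource, account_permitted):
    """Access evaluation algorithm: sys admin shortcut, then the account-level
    check, then IAM policies. account_permitted(account, action, resource) is a
    hypothetical hook standing in for checks such as image launch permission."""
    if user.is_sys_admin:
        return "allow"
    if not account_permitted(user.account, action, resource):
        return "account-deny"
    return evaluate_policies(user, action, resource)


# --- constructed sample data ------------------------------------------------
# Image launch permissions: the accounts allowed to launch each image (constructed).
LAUNCH_PERMISSIONS = {
    "arn:aws:ec2:::image/emi-AAAA1111": {"acct-dev"},
    "arn:aws:ec2:::image/emi-BBBB2222": {"acct-ops"},
}


def account_permitted(account, action, resource):
    # Only image resources carry an account-level launch permission here;
    # everything else is left to IAM policies.
    if resource.startswith("arn:aws:ec2:::image/"):
        return account in LAUNCH_PERMISSIONS.get(resource, set())
    return True


developers = Group("developers", policies=[Policy([Statement("Allow", ["ec2:*"], ["*"])])])
alice = User("alice", "acct-dev", groups=[developers], policies=[Policy([
    # Explicit deny attached directly to the user wins over the group's allow.
    Statement("Deny", ["ec2:TerminateInstances"], ["*"]),
])])
root = User("admin", "acct-dev", is_account_admin=True)
sysadmin = User("eucalyptus", "eucalyptus", is_sys_admin=True)

IMG_DEV = "arn:aws:ec2:::image/emi-AAAA1111"
IMG_OPS = "arn:aws:ec2:::image/emi-BBBB2222"
INSTANCE = "arn:aws:ec2:::instance/i-12345678"

if __name__ == "__main__":
    for user, action, res in [
        (alice, "ec2:RunInstances", IMG_DEV),              # allow
        (alice, "ec2:TerminateInstances", INSTANCE),       # explicit-deny
        (alice, "s3:PutObject", "arn:aws:s3:::bucket/key"),  # implicit-deny
        (alice, "ec2:RunInstances", IMG_OPS),              # account-deny
        (root, "ec2:RunInstances", IMG_OPS),               # account-deny
        (sysadmin, "ec2:RunInstances", IMG_OPS),           # allow
    ]:
        decision = evaluate_access(user, action, res, account_permitted)
        print(f"{user.name:10} {action:22} {res:40} -> {decision}")
```

Running it shows the ordering that matters in practice: the account admin is still refused an image its account has no launch permission for, because the account-level check runs before the admin shortcut inside policy evaluation, while the sys admin bypasses both.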
Quota Evaluation Algorithm
As with normal IAM policies, a user may be associated with multiple quota policies
(and multiple quota statements). How all the quota policies are combined is
defined by the quota evaluation algorithm:
- If the request user is the sys admin, there is no limit on resource usage.
- Otherwise, collect all the quotas associated with the request user: those
attached to the request user's account and those attached to the user
directly (for the account admin, only the account quotas are collected).
- Evaluate each quota in turn. If the request would exceed any single quota,
reject it; otherwise, accept it.
Note: Hard limits on some resources override quota limits, so a quota cannot grant
more than the corresponding hard limit allows. For example, the system property
walrusbackend.storagemaxbucketsizeinmb overrides the quota key s3:quota-bucketsize.
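The quota evaluation algorithm and the hard-limit override, as an added example that is not Eucalyptus code. The only identifiers taken from the text are the quota key s3:quota-bucketsize and the system property walrusbackend.storagemaxbucketsizeinmb; the Quota and Principal classes, the second quota key, the limits, the usage figures and the 5120 MB hard-limit value are constructed for the illustration.

```python
"""Quota evaluation in the style described above (added example, not Eucalyptus code)."""
from dataclasses import dataclass


@dataclass
class Quota:
    key: str     # quota key, e.g. "s3:quota-bucketsize"
    limit: int   # maximum permitted value for this key
    scope: str   # "account" (attached to the account) or "user" (attached to the user)


@dataclass
class Principal:
    name: str
    is_account_admin: bool = False
    is_sys_admin: bool = False


def collect_quotas(principal, account_quotas, user_quotas):
    """Account quotas always apply; user quotas only for ordinary users."""
    if principal.is_account_admin:
        return list(account_quotas)
    return list(account_quotas) + list(user_quotas)


def effective_limit(quota, hard_limits):
    """A hard limit (system property) overrides the quota: a quota larger than
    the hard limit is capped at the hard limit."""
    hard = hard_limits.get(quota.key)
    return quota.limit if hard is None else min(quota.limit, hard)


def evaluate_quotas(principal, request, usage, account_quotas, user_quotas, hard_limits):
    """request: {quota key: amount the request would add}
    usage:   {(scope, quota key): amount already consumed at that scope}
    Returns (accepted, reason). A single exceeded quota rejects the request."""
    if principal.is_sys_admin:
        return True, "sys admin: no limit"
    for q in collect_quotas(principal, account_quotas, user_quotas):
        limit = effective_limit(q, hard_limits)
        would_use = usage.get((q.scope, q.key), 0) + request.get(q.key, 0)
        if would_use > limit:
            return False, f"{q.scope} quota {q.key} exceeded: {would_use} > {limit}"
    return True, "within all quotas"


# --- constructed sample configuration ----------------------------------------
# walrusbackend.storagemaxbucketsizeinmb caps s3:quota-bucketsize; 5120 MB is an
# assumed value for the property, not a Eucalyptus default.
HARD_LIMITS = {"s3:quota-bucketsize": 5120}

ACCOUNT_QUOTAS = [
    Quota("s3:quota-bucketsize", 10000, "account"),       # above the hard limit, so capped
    Quota("ec2:quota-vminstancenumber", 20, "account"),   # hypothetical quota key
]
USER_QUOTAS = [
    Quota("s3:quota-bucketsize", 2000, "user"),
]
USAGE = {
    ("account", "s3:quota-bucketsize"): 2000,
    ("account", "ec2:quota-vminstancenumber"): 20,
    ("user", "s3:quota-bucketsize"): 1000,
}

bob = Principal("bob")
admin = Principal("admin", is_account_admin=True)
sysadmin = Principal("eucalyptus", is_sys_admin=True)


def check(principal, request):
    return evaluate_quotas(principal, request, USAGE, ACCOUNT_QUOTAS, USER_QUOTAS, HARD_LIMITS)


if __name__ == "__main__":
    print(check(bob, {"s3:quota-bucketsize": 500}))         # accepted: 1500 <= 2000 (user), 2500 <= 5120 (account)
    print(check(bob, {"s3:quota-bucketsize": 1500}))        # rejected by the user quota: 2500 > 2000
    print(check(admin, {"s3:quota-bucketsize": 3500}))      # rejected by the hard limit: 5500 > 5120, although the quota says 10000
    print(check(admin, {"ec2:quota-vminstancenumber": 1}))  # rejected: account already at its instance quota
    print(check(sysadmin, {"s3:quota-bucketsize": 999999})) # accepted: sys admin is unlimited
```

The third case is the one the note is about: the account quota of 10000 MB would admit the request, but the hard limit is applied as a ceiling on the quota, so the evaluation rejects it at 5120 MB.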