The Eucalyptus design of user identity and access management provides
layers in the hierarchical organization of user identities. This
gives you refined control over resource access. The core of the this
design is compatible with the AWS Identity and Access Management
(IAM) service. There are also a few Eucalyptus-specific extensions
that meet the needs of enterprise customers.
Differences in Access from Eucalyptus 2
The concept of “user” has changed from when Amazon first
introduced IAM. The original “user” has become the “account,”
and the new “user” is an identity within the “account”. We made
a similar change in the current Eucalyptus implementation of an
IAM-compatible identity management system. If you upgrade of
Eucalyptus 2 to Eucalyptus 3 is performed, the “users” in
Eucalyptus 2 are converted into “accounts” in Eucalyptus 3.
Please refer to the Eucalyptus upgrade section in the Installation Guide
the details about this identity conversion process.
In Eucalyptus 2, the access management ability was limited:
- The admin user had full access control of the system
- Regular users controled resources that they created.
- Certain resources could be shared among users, using
mechanisms like image launch permissions and Walrus bucket
Eucalyptus 3 introduces a two-tier hierarchy of user identities
based on accounts. The access control, therefore, is provided at
- Eucalyptus 2 style resource sharing is still available, but
now implemented at account level.
- Within each account, fine-grained access control is provided
by a policy that is fully compatible with IAM.