The Eucalyptus design of user identity and access management provides
layers in the hierarchical organization of user identities. This
gives you refined control over resource access. The core of this
design is compatible with the AWS Identity and Access Management
(IAM) service. There are also a few Eucalyptus-specific extensions
that meet the needs of enterprise customers.
Differences in Access from Eucalyptus 2
The concept of "user" has changed from when Amazon first
introduced IAM. The original "user" has become the "account,"
and the new "user" is an identity within the "account." We made
a similar change in the current Eucalyptus implementation of an
IAM-compatible identity management system. If an upgrade from
Eucalyptus 2 to Eucalyptus 3 is performed, the "users" in
Eucalyptus 2 are converted into "accounts" in Eucalyptus 3.
Please refer to the Eucalyptus upgrade section in the
Installation Guide for
the details of this identity conversion process.
In Eucalyptus 2, the access management ability was limited:
- The admin user had full access control of the system
resources.
- Regular users controlled resources that they created.
- Certain resources could be shared among users, using
mechanisms like image launch permissions and Walrus bucket
ACLs.
Eucalyptus 3 introduces a two-tier hierarchy of user identities
based on accounts. Access control, therefore, is provided at
both tiers:
- Eucalyptus 2 style resource sharing is still available, but
is now implemented at the account level.
- Within each account, fine-grained access control is provided
by a policy that is fully compatible with IAM.