Access Management System
Below we explain key cloud computing and Eucalyptus private cloud concepts that help you to better understand the Eucalyptus platform, including the identity and access management system.
Eucalyptus Machine Images (EMIs)
Eucalyptus Machine Images (EMIs) are copies of a virtual machine's bootable disk that are stored in a central repository (e.g., Walrus). An EMI is a template from which many identical instances are deployed. EMIs are the Eucalyptus equivalent of Amazon Machine Images (AMIs) and can be used interchangeably. EMIs can be images of Linux or Windows file systems.
Instances
An instance is a virtual machine (VM) running under the control of a hypervisor. Eucalyptus supports two types of instances: EC2-backed instances and EBS-backed instances. An EC2-backed instance always boots or reboots from a known baseline (a static EMI). Instances can be configured to automatically connect to storage and network resources based on the user's credentials. Access to storage is controlled by Identity and Access Management System policies. Access to network resources is controlled by security groups.
Virtual Machine Types
Think of a virtual machine type as a container for an EMI. The virtual machine type defines the available resources (e.g., number of CPUs, memory size, disk capacity) when an EMI is deployed. Virtual machine types allow a single EMI to be deployed as instances with different hardware resources. There are default sizes, but the administrator can modify them according to the needs of the cloud. At boot time the EMI is loaded into a container and becomes a running instance.
Public and Private IP Addresses
Instances are assigned a private IP address when they boot, for communication on the internal cloud network. The private address is the only one the instance OS is aware of. Eucalyptus can also assign the instance a public IP address, which is used by outside entities. Whether or not the instance gets both a private and a public IP address depends on the network mode configured in Eucalyptus. The networking modes supported in Eucalyptus are SYSTEM, STATIC, and MANAGED (plus MANAGED-NOVLAN). Which networking mode you choose depends on how you architect your cloud.
Elastic IP Addresses
Elastic IPs are nothing more than public IPs that a user reserves for a specific use. Those reserved IPs can be assigned to specific instances by a user in cases where an instance must be reachable at a well-known and specific address. These IPs would replace the Eucalyptus-assigned public IPs. Reserved IPs remain reserved even after instance termination.
Security Groups
Security groups are essentially a firewall or set of networking rules that apply to all instances associated with a group. Security groups define access rules and can be configured based on application needs. Each security group is in its own subnet and perhaps even its own VLAN. When a virtual machine instance is created, it is assigned to a default security group that denies incoming network traffic from all sources. Multiple security groups can be configured to allow multiple levels of security based on application needs.
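The ingress semantics described above (a group starts with no rules, so all inbound traffic is denied until a rule explicitly permits a protocol, port range and source network) can be modelled in a few lines. The following is an added illustration written for this page, not Eucalyptus code; the `SecurityGroup` class, its method names and the sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IngressRule:
    """One authorized inbound rule: protocol, inclusive port range, source network."""
    protocol: str                      # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    source: ipaddress.IPv4Network      # CIDR the traffic may originate from


class SecurityGroup:
    """Hypothetical model of a security group's inbound rule set (constructed for this example)."""

    def __init__(self, name: str):
        self.name = name
        self.rules: list[IngressRule] = []   # empty rule set == deny all inbound traffic

    def authorize(self, protocol: str, from_port: int, to_port: int, source_cidr: str) -> None:
        """Add an ingress rule; the source is parsed strictly so a bad CIDR fails loudly."""
        if from_port > to_port:
            raise ValueError("from_port must not exceed to_port")
        self.rules.append(
            IngressRule(protocol.lower(), from_port, to_port, ipaddress.ip_network(source_cidr, strict=True))
        )

    def allows_ingress(self, protocol: str, port: int, source_ip: str) -> bool:
        """Return True only if some rule covers the protocol, port and source address."""
        addr = ipaddress.ip_address(source_ip)
        for rule in self.rules:
            if (
                rule.protocol == protocol.lower()
                and rule.from_port <= port <= rule.to_port
                and addr in rule.source
            ):
                return True
        return False    # default deny: nothing matched


def demo() -> dict[str, bool]:
    """Evaluate a few constructed inbound packets against a default and an authorized group."""
    default = SecurityGroup("default")            # fresh group: no rules at all
    web = SecurityGroup("web")
    web.authorize("tcp", 22, 22, "10.0.0.0/8")     # SSH only from the internal 10/8 range
    web.authorize("tcp", 80, 80, "0.0.0.0/0")      # HTTP from anywhere

    # Constructed sample packets: (group, protocol, destination port, source IP)
    checks = {
        "default_ssh_internal": default.allows_ingress("tcp", 22, "10.1.2.3"),
        "web_ssh_internal": web.allows_ingress("tcp", 22, "10.1.2.3"),
        "web_ssh_external": web.allows_ingress("tcp", 22, "198.51.100.7"),
        "web_http_external": web.allows_ingress("tcp", 80, "198.51.100.7"),
        "web_udp_80_external": web.allows_ingress("udp", 80, "198.51.100.7"),
    }
    return checks


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The point the model makes concrete is that the default group's decision is never "allow" for any packet; adding a rule widens the permitted set only for the exact protocol, port range and source network named in it, which is why SSH from 198.51.100.7 is still dropped after HTTP is opened to the world.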
Identity and Access Management System (IAM)
The Identity and Access Management System (IAM) is an authentication, authorization, and accounting system that:
- Manages user identities
- Enforces access controls over resources
- Provides reporting on resource usage as a basis for auditing and managing cloud activities
Eucalyptus stores all of the identities and policies in the local Cloud Controller (CLC) database by default. Identity information can also be pulled from LDAP or Active Directory. The user identity organizational model and the scheme of authorizations are compatible with the AWS Identity and Access Management system with some Eucalyptus extensions that support a private cloud.
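Because the authorization scheme is stated to be compatible with AWS IAM, the way a policy document is evaluated can be shown with the usual IAM decision rules: an explicit Deny statement wins over any Allow, and a request that matches no Allow is denied implicitly. The code below is an added example for this page, not Eucalyptus or AWS code; the sample policy, its resource names and the `evaluate` function are constructed for illustration.

```python
import fnmatch
import json

# Constructed sample policy in the AWS IAM document shape the text refers to.
SAMPLE_POLICY = json.loads("""
{
  "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": "arn:aws:s3:::reports/*"},
    {"Effect": "Deny",
     "Action": "s3:*",
     "Resource": "arn:aws:s3:::reports/restricted/*"}
  ]
}
""")


def _as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    """Wildcard match; actions are compared case-insensitively, resources exactly."""
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'allow', 'deny' (explicit) or 'implicit-deny' for one request."""
    decision = "implicit-deny"          # default: nothing grants the request
    action_lc = action.lower()
    for stmt in policy["Statement"]:
        actions_lc = [a.lower() for a in _as_list(stmt["Action"])]
        if _matches(actions_lc, action_lc) and _matches(stmt["Resource"], resource):
            if stmt["Effect"] == "Deny":
                return "deny"           # explicit deny overrides any allow
            decision = "allow"
    return decision


def demo() -> dict[str, str]:
    """Constructed requests showing the three possible outcomes."""
    return {
        "read_report": evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::reports/q1.pdf"),
        "read_restricted": evaluate(SAMPLE_POLICY, "s3:GetObject", "arn:aws:s3:::reports/restricted/x"),
        "write_report": evaluate(SAMPLE_POLICY, "s3:PutObject", "arn:aws:s3:::reports/q1.pdf"),
        "run_instance": evaluate(SAMPLE_POLICY, "ec2:RunInstances", "*"),
    }


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

Distinguishing an explicit deny from an implicit one matters when auditing policies: an implicit deny is fixed by adding an Allow statement, whereas an explicit deny has to be located and narrowed, since no Allow anywhere in the policy set can override it.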