Paradigm and basic concepts
Permission for a user or a group of users to use AirCloud system resources is configured for each resource individually.
From the system's perspective, the moment a user accesses one of its resources to perform an action on it, a certain API method is executed. The system checks the permissions for this method to see if the user is authorized to perform the requested operation.
For example, when a user attempts to add a virtual machine (VM) to the cluster, the create_VM method is called. This method requires that the user role has the privilege to create a VM in the cluster. If this privilege is not found as a result of the check, the user will be denied the privilege to create the VM.
It is important to define the following concepts:
System resource - An element of the system inventory whose computing power can be allocated to a user to process their data during an AirCloud session.
Access List - Each resource in the system has an access list containing a list of users and their corresponding roles. The access list can be local (affecting access to a specific resource on the system) or global (affecting access to all resources on the system). An access list can extend to child objects. For more information about how access lists work, see "Access Lists". Access lists to resources.
Privilege - An atomic action that a user is allowed to perform on a system with respect to its resource. Some privileges in the system have dependencies on each other (for example, the "Change cluster name" privilege is related to the "View cluster name" privilege and granting the former privilege to a role will entail adding the latter. However, the reverse dependency does not work for this example).
Role - is a set of privileges that define access rules and a list of possible actions for each type of resource in the system. Roles allow you to assign permissions to access system resources based on a set of typical tasks performed by users. In AirCloud, there are system roles, such as administrator, that are not allowed to be changed. User roles can be created either from scratch or by cloning and modifying existing roles. For more information on role operations, see Roles and Privileges. Roles and privileges.
User - is an authenticated user of the system whose account is created in the system database. For more information about user management, see User Management. User Management.
User group - a set of users united by a common name. A group is created for the convenience of access administration when an administrator needs to perform the same actions for a number of users.
Access - The right to perform some actions in the system. Access in the context of the system can be administrative (for example, the right of the user to create virtual machines) and user (restrictions set by the administrator on the amount of system resources used by the user).
Thus, access administration in AirCloud is based on the following principles:
Each resource in the system has its own access list. The administrator of the resource can work with the access list - he can edit the access list, adding or removing users or their groups from it.
For each user or their groups in the access list of a resource, their role is defined, which they will fulfill in relation to the resource.
User and role are not directly related - they are related only within the access list of a particular resource, which allows you to fine-tune the system's access policy so that the same user has a different list of privileges for each resource in the system.