CloudControl intercepts all requests destined for CloudControl-protected hosts (e.g., ESXi and vCenter Server) and authenticates the user against the Directory Service. Authentication of the user (including the session ID) lasts for the full session. Once a session is established, authorization checks for individual operations, including directory group membership lookups, can occur many times per session.
After CloudControl authenticates the user, it performs an authorization check for each request based on the local policy data. If authorized, CloudControl forwards the request to the target server using a special service account.
Note: CloudControl can follow domain controller and global catalog referrals within a single Active Directory forest. If your Active Directory environment is set up to follow referrals, contact HyTrust Support to help you enable this feature in CloudControl.
The following example shows the authentication and authorization process using the vSphere Client:
1. CloudControl obtains the user's identity when the user attempts to log in.
2. CloudControl queries the Directory Service to authenticate the user and validate the user's password. CloudControl also obtains information about the user's group membership to authorize every operation the user attempts to perform, for example:
   a. Identify the requested operation (e.g., start a virtual machine).
   b. Identify the object the user is targeting for the operation (e.g., VM 'mref 449').
   c. Query the CloudControl policy database to identify the list of user groups authorized to perform the requested operation on the specified object, and determine whether the current user is a member of an authorized user group.
3. CloudControl logs information about the operation, the user, and the object involved.
4. If the user is authorized, CloudControl reissues the operation request and sends it to the vCenter Server or ESXi host to which the original login request was routed. Otherwise, CloudControl returns an error message to the user.
If CloudControl cannot authenticate a user, the authentication fails and the user is denied access to the specified target.
Similarly, CloudControl performs the following sequence when a user logs into an ESXi host using an SSH client:
1. Identify the requested operation (e.g., change the iSCSI configuration on the server).
2. Identify the host the user is targeting for the operation (e.g., esx54.example.com).
3. Query the CloudControl policy database to identify the list of user groups authorized to perform the requested operation on the specified object, and determine whether the current user is a member of an authorized user group.
4. CloudControl logs information about the operation, the user, and the object involved.
5. If the user is authorized, CloudControl reissues the operation request and sends it to the CloudControl-protected host (e.g., vCenter Server, ESXi) to which the original login request was routed. Otherwise, CloudControl returns an error message to the user.
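The following is an added example, written for this page and not HyTrust CloudControl code, that models the flow described in both sequences above: authenticate once per session, then for every request identify the operation and object, look up the authorized groups in a policy table, check the user's current directory group membership, log the decision, and either forward the request to the host the login was routed to or deny it. The directory contents, the policy entries, the operation names, the session and log structures are all constructed assumptions; unknown (operation, object) pairs are treated as default deny, which is the fail-closed behaviour a practitioner would expect.

```python
"""Model of CloudControl's authenticate-once, authorize-per-request flow.

Illustrative example written for this page; it is not HyTrust CloudControl
code. The directory, policy table, session handling and log format are all
constructed assumptions.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed directory data: user -> (password, group memberships).
# A real deployment asks Active Directory; passwords live here only so the
# example runs offline.
DIRECTORY: Dict[str, Tuple[str, FrozenSet[str]]] = {
    "alice": ("alice-pass", frozenset({"vm-operators"})),
    "bob": ("bob-pass", frozenset({"storage-admins"})),
    "mallory": ("mallory-pass", frozenset()),
}

# Constructed policy database: (operation, object) -> groups authorized for it.
POLICY_DB: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("vm.power_on", "vm:mref-449"): frozenset({"vm-operators", "vsphere-admins"}),
    ("host.iscsi.configure", "host:esx54.example.com"): frozenset({"storage-admins"}),
}

AUDIT_LOG: List[dict] = []  # one record per authentication attempt and per operation


@dataclass
class Session:
    session_id: str
    user: str
    backend: str  # protected host the original login request was routed to


@dataclass
class Decision:
    allowed: bool
    reason: str
    forwarded_to: Optional[str] = None  # set only when the request is reissued


def authenticate(user: str, password: str, backend: str) -> Optional[Session]:
    """Validate credentials against the directory once; the result lasts the session."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
        AUDIT_LOG.append({"event": "auth_failed", "user": user, "backend": backend})
        return None  # caller returns an error; the target host is never contacted
    session = Session(session_id=secrets.token_hex(8), user=user, backend=backend)
    AUDIT_LOG.append({"event": "auth_ok", "user": user, "session": session.session_id})
    return session


def authorize(session: Session, operation: str, target: str) -> Decision:
    """Per-request check: operation, object, policy lookup, group match, log, forward or deny."""
    # Group membership is re-read from the directory on every check rather than
    # cached at login, so a membership change takes effect mid-session.
    groups = DIRECTORY[session.user][1]
    # Unknown (operation, object) pairs get an empty group set: default deny.
    authorized_groups = POLICY_DB.get((operation, target), frozenset())
    matched = groups & authorized_groups
    if matched:
        decision = Decision(True, f"member of {sorted(matched)}", session.backend)
    else:
        decision = Decision(False, "no authorized group membership")
    AUDIT_LOG.append({
        "event": "authz",
        "session": session.session_id,
        "user": session.user,
        "operation": operation,
        "object": target,
        "allowed": decision.allowed,
        "reason": decision.reason,
    })
    return decision


if __name__ == "__main__":
    s = authenticate("alice", "alice-pass", backend="vcenter.example.com")
    print(authorize(s, "vm.power_on", "vm:mref-449"))
    print(authorize(s, "host.iscsi.configure", "host:esx54.example.com"))
```

Running the block shows alice's power-on request being forwarded to vcenter.example.com and her iSCSI change on esx54.example.com being denied; both outcomes, and the failed login, appear in AUDIT_LOG with the user, operation and object, which is the record an incident responder would pull when reconstructing who touched a host.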
A CloudControl client goes through a similar authentication and authorization process.