Security

Overview

Security, in the context of the Cloudify Manager, means securing communication with the Cloudify Manager and controlling who has permission to use it to execute various operations.
Secured communication is achieved using SSL, which allows clients to validate the authenticity of the Cloudify Manager, and to ensure that the data sent to and from it is encrypted.
Controlling access to Cloudify Manager and permissions to perform actions, is implemented via Flask-Security to support user authentication and authorization.

Cloudify Manager is secured by default. It cannot be bootstrapped in a non-secure way.


Details about Cloudify’s SSL and Access Control implementation and configuration are provided below.

Cloudify security for client access focuses on the REST service, which is the first and only access point of clients to Cloudify Manager. All requests to Cloudify Manager are authenticated and authorized before reaching their endpoint.
For example, when a Cloudify Management Console user attempts to upload a new blueprint, a request is sent to the REST service’s /blueprints endpoint through port 80/ 443. The request only reaches the endpoint if the user is logged in and is authorized to upload blueprints. Similarly, a user who executes the CLI command cfy deployments list triggers a request to execute GET on /deployments that is only successful if it includes valid credentials that identify an authorized user.
Requests generated by other HTTP clients (e.g. curl) must also include valid credentials. Required credentials are a username and password, or a Cloudify-generated token, and a tenant name. If credentials are missing, invalid, or represent an unauthorized user the request fails with a “401: Unauthorized User” error.