Cloud Integration: Google Cloud IAM + PowerBroker for Unix & Linux for Authorization and Command Control

PowerBroker for Unix & Linux (PBUL), BeyondTrust’s gold-standard solution for Unix/Linux privilege management, comes with a very powerful and flexible Policy Engine that enables organizations to satisfy even the most complex privileged access requirements. In this blog I will explain how that Policy Engine leverages an API for third-party solutions, such as cloud applications and DevOps tools, to enable full orchestration across an environment, in this case, Google Cloud. With PowerBroker, it’s possible to interface with Google Cloud IAM in order to verify that users are properly authorized via a Role, Group, or a specific permission before allowing them to execute a specific command on a specific server. If an administrator wants to issue a command to restart a server instance in Google Cloud, the PBUL Policy Engine can first verify that the user is a member of the appropriate permission Group, and that the user is authorized for the specific server instance. Other conditions can also be included, like time of day, the day of the week, the user’s location, and any other third-party solution scripted through PBUL policy. To see how this works, let’s look at the example below. First, we need to define a couple of sample groups in Google Cloud IAM. Our sample user, Adam Arnold, is a member of the Cloud Container Builder Editor Group. The groups are shown below (not his membership): Then, we use a simple test script (gcloud_test.sh) to our PowerBroker policy:

Policy.conf:

## The following user, adam.arnold, is used to test gcloud query.
 if (user in { "adam.arnold" } && basename(command) in { "gcloud_test.sh","gcloud_test"}) {
 # do not allow these commands to be delegated
 print ("user called gcloud_test.sh");
 if (basename(command) in { "gcloud_test.sh","gcloud_test"}) {
print ("command is gcloud_test.sh");
include '/etc/pb/gcloud_functions.conf';
 RetrieveGCloud_Group();
 DELIM=",";
 gcloudFIELDS=split(gcloudDATA,DELIM);
 print(gcloudFIELDS);
COUNT=0;
COUNTER=0;
TEST=split(gcloudDATA, "\n");
for Lines in TEST {
TEST2=split(Lines, ",");
COUNT=length(TEST2);
COUNT2=( COUNT -1);
 while ( COUNTER <= COUNT2 ) {
 #print(COUNTER);
 #print(TEST2[COUNTER]);
 if ( TEST2[COUNTER] == "roles/cloudbuild.builds.editor" ) {
 print("Congratulations - you are a member of the DevOps Group(roles/cloudbuild.builds.editor), so you are authorized to execute this command");
 COUNTER++;
 }
 else
 {
 COUNTER++;
 }
 } # End while
COUNT=0;
COUNTER=0;
} # End for
}
 accept;
 #reject("This is a restricted command gcloud_test.sh -- '" + basename(command) + "'.");
 }

When you execute the script as a part of a “test” policy, you are able to determine the Google Cloud IAM group membership as shown below: While this is a simplistic sample, it demonstrates:

1. The power of the PowerBroker for Unix & Linux scripting language to integrate into third-party solutions.
2. The integration from PowerBroker for Unix & Linux to support group membership of Google Cloud IAM users.
3. The support of PowerBroker for Unix & Linux in DevOps and Cloud environments in support of next-generation technologies.

If you would like more information on how BeyondTrust can support Google Cloud and next-generation initiatives, contact us today. You can also learn more about our technology partners/partnerships.