Cassandra: Distributed Access Control Policies with Tunable Expressiveness
Moritz Y. Becker and Peter Sewell
Computer Laboratory, University of Cambridge, U.K.
Cassandra: Distributed Access Control Policies with Tunable Expressiveness – p. 1/12
Cassandra: Yet Another PSL?
Cassandra
  distributed Trust Management
  rule-based policy specification language (PSL)
  role-based: activation, deactivation, actions
  distributed: credential management
Why YAPSL?
  wide range of applications need tunable expressiveness
  formal semantics: language and dynamics
  distributed query evaluation with guaranteed termination
  practical foundation: real-life case study
Cassandra Overview
[Architecture diagram. Labels: Cassandra Entity; Interface, receiving the requests perform action, activate role, deactivate role, request credential; Access Control Engine containing the Evaluator, which queries and modifies the Policy (rules & credentials) and sends remote queries to other entities; Resources (Actions), with invoke and grant access.]
Access Control Semantics (1/2)
What: specifies dynamic meaning of 4 requests
Why: makes subtle design decisions explicit
can … perform action … on …'s service?
  deduce permits …
can … activate role … on …'s service?
  deduce canActivate …
  add hasActivated … to …'s policy
Access Control Semantics (2/2)
can … deactivate …'s role … on …'s service?
  deduce canDeactivate …
  under the assumption isDeactivated …, deduce all isDeactivated … on …
  remove all corresponding hasActivated … from …'s policy
can … request credential … from …?
  deduce canReqCred …
  to get the credential, deduce …
Policy Specification
entities control access to their resources with a Cassandra policy
a policy is a set of rules based on Datalog
rules are of the form … (where …, … are entities and … is a constraint from the constraint domain)
predicates with special access control meaning: permits, hasActivated, canActivate, canDeactivate, isDeactivated, canReqCred
Example: suppose a hospital's policy contains
  canActivate(…, Doctor …) ← NHS canActivate(…, CertifiedDoctor …)
  … Alice
Constraint Domains for Tuning Expressiveness
…, the simplest constraint domain: true, false
…, a useful one for complex policies: …
Constraint domains must support
  satisfiability checking
  projection
  subsumption checking
For guaranteed termination, constraint domains have to be constraint compact
Policy Idioms in Cassandra (1/2)
appointment
  canActivate(…, AppointEmployee …) ← hasActivated(…, Manager …)
  canActivate(…, Employee …) ← hasActivated(…, AppointEmployee …)
appointment revocation
  isDeactivated(…, Employee …) ← isDeactivated(…, AppointEmployee …)
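The slides on request semantics (activate, deactivate with cascading isDeactivated, remote queries) and the appointment/revocation idioms are easiest to follow when run. The following is an added example, not the authors' implementation or the Cassandra evaluator: a toy top-down Datalog solver in which an entity's policy is a list of (head, body, constraint) rules over nested tuples, "says" atoms in a body are remote queries answered by another entity's policy, and hasActivated facts are the dynamic part of the policy. Everything beyond the predicate names and idiom shapes on the slides is assumed: the variable names, the Hospital/NHS policy, the ReadRecord action, the Manager fact, the "x ≠ y" constraint on appointment and the rule letting an entity deactivate its own roles are all constructed. Constraints are checked only after the body has bound the variables, which sidesteps the satisfiability and projection machinery a real constraint domain needs.

```python
"""Toy evaluator for the Cassandra request semantics and policy idioms on these slides.
Added example, not the authors' implementation. The Hospital/NHS policy, the ReadRecord
action, the Manager fact and the self-deactivation rule are constructed for illustration."""
from itertools import count

ENTITIES = {}            # name -> Entity; stands in for the network of Cassandra entities
FRESH = count()          # counter used to rename rule variables apart
MAX_DEPTH = 50           # crude loop guard; Cassandra itself relies on tabled evaluation
TRUE = lambda v: True    # the trivial constraint domain: every rule carries only "true"

def is_var(t): return isinstance(t, str) and t.startswith("?")

def walk(t, s):
    while is_var(t) and t in s: t = s[t]
    return t

def resolve(t, s):  # apply substitution s to term t all the way down
    t = walk(t, s)
    return tuple(resolve(x, s) for x in t) if isinstance(t, tuple) else t

def unify(a, b, s):  # two-sided unification of nested-tuple terms; None on failure
    a, b = walk(a, s), walk(b, s)
    if a == b: return s
    if is_var(a): return {**s, a: b}
    if is_var(b): return {**s, b: a}
    if isinstance(a, tuple) and isinstance(b, tuple) and len(a) == len(b):
        for x, y in zip(a, b):
            s = unify(x, y, s)
            if s is None: return None
        return s
    return None

def rename(t, k):  # fresh suffix on every variable so two uses of one rule never clash
    if is_var(t): return f"{t}#{k}"
    return tuple(rename(x, k) for x in t) if isinstance(t, (tuple, list)) else t

def solve(entity, goal, s, assumed, depth):
    """Top-down proof search in one entity's policy: yields substitutions proving goal."""
    if depth > MAX_DEPTH: return
    for fact in entity.activations | assumed:        # hasActivated facts (+ assumptions)
        s2 = unify(goal, fact, s)
        if s2 is not None: yield s2
    for head, body, constraint in entity.rules:      # rules: head <- body, constraint
        k = next(FRESH)
        s2 = unify(goal, rename(head, k), s)
        if s2 is None: continue
        for s3 in solve_all(entity, rename(body, k), s2, assumed, depth + 1):
            # constraint checked once the body has bound the variables (simplification:
            # Cassandra carries constraints symbolically, hence satisfiability/projection)
            if constraint(lambda name: resolve(f"{name}#{k}", s3)): yield s3

def solve_all(entity, goals, s, assumed, depth):
    if not goals: yield s; return
    first, rest = goals[0], goals[1:]
    if first[0] == "says":   # "E says p(..)": remote query, answered from E's own policy
        answers = solve(ENTITIES[first[1]], first[2], s, frozenset(), depth)
    else:
        answers = solve(entity, first, s, assumed, depth)
    for s2 in answers: yield from solve_all(entity, rest, s2, assumed, depth)

class Entity:
    """A Cassandra entity: its rules plus the hasActivated facts accumulated so far."""
    def __init__(self, name, rules):
        self.name, self.rules, self.activations = name, rules, set()
        ENTITIES[name] = self
    def deduce(self, goal, assumed=frozenset()):
        return {resolve(goal, s) for s in solve(self, goal, {}, assumed, 0)}
    def permits(self, who, action):                  # request 1: deduce permits
        return bool(self.deduce(("permits", who, action)))
    def activate(self, who, role):                   # request 2: canActivate, then record
        if not self.deduce(("canActivate", who, role)): return False
        self.activations.add(("hasActivated", who, role)); return True
    def deactivate(self, requester, who, role):      # request 3: canDeactivate, then cascade
        if not self.deduce(("canDeactivate", requester, who, role)): return False
        assumed = frozenset({("isDeactivated", who, role)})
        for f in self.deduce(("isDeactivated", "?who", "?role"), assumed):
            self.activations.discard(("hasActivated",) + f[1:])
        return True

def run_scenario():
    ENTITIES.clear()
    Entity("NHS", [(("canActivate", "Alice", ("CertifiedDoctor",)), [], TRUE)])
    hospital = Entity("Hospital", [
        # slide 6: the hospital lets x act as Doctor if the NHS certifies x
        (("canActivate", "?x", ("Doctor",)),
         [("says", "NHS", ("canActivate", "?x", ("CertifiedDoctor",)))], TRUE),
        (("permits", "?x", ("ReadRecord",)), [("hasActivated", "?x", ("Doctor",))], TRUE),
        (("canActivate", "Bob", ("Manager",)), [], TRUE),
        # slide 8 appointment idiom; the "x != y" constraint is a constructed addition
        (("canActivate", "?x", ("AppointEmployee", "?y")),
         [("hasActivated", "?x", ("Manager",))], lambda v: v("?x") != v("?y")),
        (("canActivate", "?y", ("Employee",)),
         [("hasActivated", "?x", ("AppointEmployee", "?y"))], TRUE),
        # slide 8 revocation idiom: revoking the appointment revokes the Employee role
        (("isDeactivated", "?y", ("Employee",)),
         [("isDeactivated", "?x", ("AppointEmployee", "?y"))], TRUE),
        (("canDeactivate", "?x", "?x", "?r"), [("hasActivated", "?x", "?r")], TRUE),
    ])
    return {
        "alice_doctor": hospital.activate("Alice", ("Doctor",)),           # via remote NHS query
        "alice_reads": hospital.permits("Alice", ("ReadRecord",)),
        "eve_doctor": hospital.activate("Eve", ("Doctor",)),
        "bob_manager": hospital.activate("Bob", ("Manager",)),
        "bob_appoints_self": hospital.activate("Bob", ("AppointEmployee", "Bob")),
        "bob_appoints_carol": hospital.activate("Bob", ("AppointEmployee", "Carol")),
        "carol_employee": hospital.activate("Carol", ("Employee",)),
        "revoke": hospital.deactivate("Bob", "Bob", ("AppointEmployee", "Carol")),
        "carol_still_employee": ("hasActivated", "Carol", ("Employee",)) in hospital.activations,
    }
```

Running `run_scenario()` walks through the four-request semantics in order: Alice's Doctor activation succeeds only because the remote query to the NHS entity succeeds, Eve's fails, Bob's self-appointment is rejected by the constraint, and revoking Bob's AppointEmployee(Carol) role removes Carol's Employee activation as a consequence of the cascading isDeactivated rule, exactly the "deduce all isDeactivated, remove all corresponding hasActivated" step of the deactivation semantics.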