resource access decision server design and performance
play

Resource Access Decision Server : Design and Performance - PowerPoint PPT Presentation

Nov 04, 2023 •13 likes •263 views

Resource Access Decision Server : Design and Performance Considerations Konstantin Beznosov and Luis Espinal {beznosov,lespin03}@cs.fiu.edu CADSE October 22, November 5, 1999 Presentation Overview Introduction RAD Specification

  1. Resource Access Decision Server : Design and Performance Considerations Konstantin Beznosov and Luis Espinal {beznosov,lespin03}@cs.fiu.edu CADSE October 22, November 5, 1999

  2. Presentation Overview • Introduction • RAD Specification Overview • RAD Prototype Design • Performance Measurements – Model, Measurements, Results – Implementation Considerations • Conclusions 11/4/99 2

  3. Introduction: Access Control, etc. • Access control Authorization – concerned with limiting Database activity of legitimate users – enforced by a reference Authorization monitor Decisions • Authorization Reference – concerned with making monitor access control decisions Objects Subjects Access Control Mechanism Classical Access Control Model 11/4/99 3

  4. Access Control: Stand Alone vs. Distributed Systems Stand Alone ORB Access Control Distributed OO Application • Primitive operations • Stand alone systems, + Application Access Control on objects controlled • Complex operations by OS (create, read, write, Resources on interfaces delete, use) Middleware • Resources are • Objects are homogenous OS heterogeneous (files, processes, memory) Access Control (different interfaces), • Single point of control • Many points of • Application access Objects control (commonality, control is mangled OS consistency, with application logic administration issues) 11/4/99 4

  5. The Problem with Access Control in Distributed Systems It is difficult to develop distributed systems that: • insure commonality and consistency of policies • perform security administration • support access control for fine-grain resources • allow changing policies without changing systems • easy to verify and test 11/4/99 5

  6. A Possible Solution Target Client Access Decision Object (ADO client) Object 1. Application Request . 2. Authorization request . 3. Reply to authorization request . 4. Reply to application request . Middleware Application Application Authorization Client Server Server 11/4/99 6

  7. Objective Statement Study validity of the approach from the following perspectives – Performance and scalability – Ability to separate application logic from authorization logic (it works and performs) – Ability to enforce complex policies and change them without pain – Ability to test and verify application and authorization functionalities independently 11/4/99 7

  8. Objective Analysis • Why is this the right goal? – By solving it, we will be able to assess the validity of the approach • Help system designers and enterprise architects in constructing, verifying, and testing distributed systems. • Why is the goal worth addressing? – It is doable – Its results could be applicable to other security policies and mechanisms (audit, quality of protection, non-repudiation) 11/4/99 8

  9. Research Directions + Develop a prototype + Measure performance • Study the validity of the main claims – support for different access control policy types • extend the prototype to support various policy types? – consistency and commonality of access control policies • ??? 11/4/99 9

  10. RAD Specification Target Client Access Decision Object (ADO client) Object 1. Application Request . 2. Authorization request . 3. Reply to authorization request . 4. Reply to application request . Middleware Application Application Authorization Client Server Server 11/4/99 10

  11. RAD Specification: Component Collaboration an Application System 6: 1: access_allowed(ResourceName, Operation, AttributeList) a Locator : Policy an Access Decision EvaluatorLocator Object : AccessDecision 2: get_policy_decision_evaluators(ResourceName) 4: combine_decisions(ResourceName, Operation, AttributeList, PolicyEvaluatorList) a Combinator : DecisionCombinator 3: get_dynamic_attributes(AttributeList, ResourceName, Operation) an Attribute Service : 5: * evaluate(ResourceName, Operation, AttributeList) DynamicAttributeService an Evaluator : PolicyEvaluator 11/4/99 11

  12. Resource Access Decision Specification Overview an Application an Access Decision a Locator : Policy an Attribute Service : a Combinator : an Evaluator : System Object : AccessDecision EvaluatorLocator DynamicAttributeService DecisionCombinator PolicyEvaluator acce ss_ allowed(Resou rceName, Operation, Attribu teList) get_poli cy_decision_ evaluators(R es ourceNam e) get_dynamic_attributes(AttributeList, ResourceName, Operation) combine_decisions(ResourceName, Operation, AttributeList, PolicyEvaluatorList) * ev a lua te(R es ou rceName, Op eratio n, AttributeList) 11/4/99 12

  13. RAD Interfaces 1..1 1..1 <<IDL Interface>> <<Interface>> 0..* 0..* AccessDecisionAdminExt 1 1 DynamicAttributeService AccessDecisionExt (f rom ADO) (f rom ResourceAccessDecision) (f rom ADO) +theAccessDecisionAdm in +dynamic_attribute_service 1 1 <<IDL Interface>> 1 1 <<IDL Interface>> 1..* 1..* <<IDL Interface>> DynamicAttributeServiceExt AccessDecision AccessDecisionAdmin (f rom DAS) (f rom ResourceAccessDecision) (f rom ResourceAccessDecision) +admin 1 1 <<IDL Interface>> +policy_evaluator_locator PolicyEvaluatorLocatorNameAdmin <<IDL Interface>> (f rom ResourceAccessDecision) DynamicAttributeServiceAdminExt 0..1 0..1 1 1 (f rom DAS) +name_admin <<IDL Interface>> 1 1 0..* 0..* PolicyEv aluatorLocator +basic_admin 1 1 (f rom ResourceAccessDecision) +pattern_admin 1 1 <<IDL Interfa ce>> 0..1 0..1 <<IDL Interfa ce>> PolicyEvaluatorLocatorBasicAdmin PolicyEv aluatorLocatorPatternAdm in (f rom Resourc eAc c essDecision) (f rom Resourc eAccessDecision) <<IDL Interface>> <<IDL Interface>> <<IDL Interfa ce>> PolicyEvaluator PolicyEvaluatorAdmin PolicyEvaluatorLocatorAdminExt (f rom Resourc eAc cessDecision) (f rom Resourc eAccessDecision) (f rom PEL) <<IDL Interface>> <<IDL Interface>> PolicyEvaluatorAdminExt <<IDL Interface>> PolicyEvaluatorExt (f rom PE) DecisionCombinator 13 +thePolicyEvaluatorAdminExt (f rom PE) shutdown() (f rom Resourc eAccessDecision)

  14. Access Decision Object <<IDL Interface>> <<IDL Interface>> AccessDecisionAdmin Acces s Decision (f rom ResourceAccessDecision) (f rom ResourceAccessDecision) get_policy_evaluator_locator() acces s _allowed() set_policy_evaluator_locator() multiple_access_allowed() get_dynamic_attribute_service() set_dynamic_attribute_service() 1..1 1..1 <<IDL Interface>> <<IDL Interface>> 0..* 0..* AccessDecisionAdminExt Acces s Deci sionExt shutdown() +theAccessDecisionAdmin <<Interface>> <<Interface>> AccessDecisionExtOperations Acces s DecisionAdminExtOperations tie these two interfaces ResourceAccessDecider 11/4/99 14

  15. Tie Approach Provides mechanisms to communicate with CORBA middleware <<IDL Interface>> ComponentImplBase Component service() service() <<Interface>> delegate tieComponent ComponentOperations serviceImplementation() {tie.service()=delegate.serv iceImplementation()} registers with BOA ComponentOperationsImpl 11/4/99 15

  16. Policy Evaluator Locator <<IDL Interface>> PolicyEvaluatorLocatorBasicAdmin <<IDL Interface>> 0..* 0..* 1 1 (from ResourceAccessDecision) PolicyEvaluatorLocator set_default_evaluators() (from ResourceAccessDecision) get_default_combinator() get_policy_decision_evaluators() set_default_combinator() +basic_admin get_default_evaluators() tie <<IDL Interface>> mechanism PolicyEv aluatorLocatorAdminExt PolicyEvaluatorLocatorContext set_default_evaluators() get_default_combinator() set_default_combinator() get_default_evaluators() get_policy_decision_evaluators() 11/4/99 16

  17. Dynamic Attribute Service <<IDL Interface>> <<IDL Interface>> DynamicAttributeService DynamicAttributeServiceAdminExt get_dynamic_attributes() shutdown() +admin <<IDL Interface>> DynamicAttributeServiceExt <<Interface>> <<Interface>> tie DynamicA ttributeServic eExtOperations DynamicA ttributeServiceAdminExtOperations mechanism <<Interface>> #_strategy DynamicA ttributeServiceContext DynamicAttributeServiceStrategy get_dynamic_attributes() Strategy Pattern EchoingDynamicAttributeService get_dynamic_attributes() 11/4/99 17

  18. Decision Combinator <<IDL Interface>> <<Interface>> DecisionCombinator DecisionCombinatorOperations combine_decisions() tie Strategy mechanism Pattern <<Interface>> DecisionCombinatorContext DecisionCombinatorStrategy DecisionCombinatorContext() makeDecision() combine_decisions() -strategy 0..* 0..* 1..1 1..1 Template AbstractAndOrCombinator Method Pattern shouldDeny() makeDecision() OpenWorldAndOrCombinationPolicy ClosedWorldAndOrCombinationPolicy 11/4/99 18 grant access if no PE returns "NO" grant access if all PE's return "YES"

Recommend

Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer

Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer

Decision on Standard Resource Adequacy Capacity Product &amp; Resource Adequacy Must Offer Obligation Greg Cook Manager, Market Design &amp; Regulatory Policy Board of Governors Meeting General Session March 26-27, 2009 There is significant

747 views • 6 slides
Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To

Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To

Resource Management in VMware ESX Server 3 Mark Fei Technical Instructor, VMware Objectives To understand: How resource pools allow you to define resource policies that are enforceable regardless of server heterogeneity or VMotion activity

547 views • 25 slides
Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist

Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist

Decision on Proxy Demand Resource Margaret Miller Senior Market Design and Policy Specialist Board of Governors Meeting General Session September 10-11, 2009 Why do we need Proxy Demand Resource? ! Moves the ISO closer towards active demand

411 views • 6 slides
Day 7 Economic-based Cloud Resource Provisioning Introduction The performance of a

Day 7 Economic-based Cloud Resource Provisioning Introduction The performance of a

2/6/2018 Day 7 Economic-based Cloud Resource Provisioning Introduction The performance of a distributed system often depends on the maximum load of any of the machines. Modern datacenters employ server virtualization and consolidation

388 views • 15 slides
Resource Access Decision Facility: Overview Konstantin Beznosov Baptist Health Systems of South

Resource Access Decision Facility: Overview Konstantin Beznosov Baptist Health Systems of South

Resource Access Decision Facility: Overview Konstantin Beznosov Baptist Health Systems of South Florida beznosov@baptisthealth.net DOCsec 99 1 Konstantin Beznosov C:\data\presentations\rad\to-docsec-99\presentation.fm 15-Jul-1999 Do You

329 views • 21 slides
Dovecot: Secure IMAP Email Server February 2, 2006 Why Run An Email Server? Control resource

Dovecot: Secure IMAP Email Server February 2, 2006 Why Run An Email Server? Control resource

NDLUG Dovecot: Secure IMAP Email Server February 2, 2006 Why Run An Email Server? Control resource allocation Limited storage on regular email account (50 megabytes at ND) Unlimited on your own computer Do filtering and sorting

454 views • 8 slides
Server algorithms and their design many ways that a client/server can be designed each different

Server algorithms and their design many ways that a client/server can be designed each different

slide 1 gaius Server algorithms and their design many ways that a client/server can be designed each different algorithm has various benefits and problems are able to classify these algorithms by looking at the various server differences the

400 views • 25 slides
Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure

Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure

Decision on proposed transmission access charge area Deb Le Vine Director, Infrastructure Contracts &amp; Management ISO Board of Governors General Session May 1 - 2, 2017 ISO Confidential Issue is allocation of local resource adequacy

92 views • 5 slides
Novidades 6 .5 Domino Server 6.5 Domino Designer 6.5 Notes 6.5 Domino Web Access Lotus

Novidades 6 .5 Domino Server 6.5 Domino Designer 6.5 Notes 6.5 Domino Web Access Lotus

Novidades 6 .5 Domino Server 6.5 Domino Designer 6.5 Notes 6.5 Domino Web Access Lotus Enterprise Integrator (LEI) Dom ino Server 6 .5 Novas Plataformas Domino 6.5 support the Linux on zSeries (S390) Windows Server 2003 platforms. Domino

202 views • 16 slides
Decision on extending transitional participating intermittent resource program protective measures

Decision on extending transitional participating intermittent resource program protective measures

Decision on extending transitional participating intermittent resource program protective measures Don Tretheway Sr. Advisor, Market Design and Regulatory Policy Board of Governors Meeting General Session March 15-16, 2017 ISO Confidential

187 views • 7 slides
SYBASE IQ ANALYTICS SERVER Sybase Inc March, 2010 SYBASE IQ ANALYTICS SERVER The New

SYBASE IQ ANALYTICS SERVER Sybase Inc March, 2010 SYBASE IQ ANALYTICS SERVER The New

SYBASE IQ ANALYTICS SERVER Sybase Inc March, 2010 SYBASE IQ ANALYTICS SERVER The New Generation Analytics Market Leader #1 COLUMN-BASED ANALYTICS SERVER Performance: Industry leading performance Customer deployments: Over 3,100+

382 views • 24 slides
Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like

Decision Tree Decision Trees A decision tree is a decision support tool that uses a tree-like graph or model of decisions and their possible MSE 2400 EaLiCaRA consequences, including chance event Dr. Tom Way outcomes, resource costs, and

568 views • 8 slides
AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information

AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information

AFS Server Performance Comparisons Bo Tretta Kim Kimball Jet Propulsion Laboratory Information Services - FIL Service http://fil.jpl.nasa.gov SLAC AFS Best Practices Workshop March 24, 2004 JPLIS-FIL Server Performance Comparisons 1 n

701 views • 21 slides
Server Design Server Design Srinidhi Varadarajan Topics Topics Types of servers Server

Server Design Server Design Srinidhi Varadarajan Topics Topics Types of servers Server

Server Design Server Design Srinidhi Varadarajan Topics Topics Types of servers Server algorithms Iterative, connection-oriented servers Iterative, connectionless servers Iterative, connectionless servers Concurrent,

741 views • 45 slides
Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of

Web Server Design Lecture 9 Server-Side Execution Old Dominion University Department of Computer Science CS 431/531 Fall 2019 Sawood Alam &lt;salam@cs.odu.edu&gt; 2019-10-24 Original slides by Michael L. Nelson Common Gateway Interface

653 views • 16 slides
Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water

Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water

Using Natural Resource Wealth to Using Natural Resource Wealth to Improve Improve Access to Access to Water and Sanitation Water and Sanitation David Doepel Ryan Admiraal Mark McHenry Judy Walls Africa Research Group Murdoch University

248 views • 23 slides
OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single

OpenID Connect &amp; OAuth 2.0 Server for the Enterprise Your enterprise server for single identity sign-on provision identity API access federation management The four Connect2id server pillars Based on the latest standards OpenID

580 views • 26 slides
Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious

Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious

Use of Decision Analysis to Model Natural Resource Management Decision Scenarios in Contentious Settings: Selenium in Appalachian Watersheds Jim Coleman, Chief Scientist, Eastern Energy Team, USGS Ione Taylor, Chief Scientist, Eastern Region,

633 views • 39 slides
Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to

Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to

Protocol on SEA Section A4.6: SEA of plans &amp; programmes Decision Resource Manual to Support Application of the UNECE Protocol on Strategic Environmental Assessment draft 27-Apr-07 A4.6 Decision Legal obligations Protocol on SEA

314 views • 6 slides
Performance-Based Design Workshop April 22, 2019 Workshop Outline Welcome and Introductions

Performance-Based Design Workshop April 22, 2019 Workshop Outline Welcome and Introductions

Performance-Based Design Workshop April 22, 2019 Workshop Outline Welcome and Introductions Overview from Metro Overview of Performance- Based Design and Decision- Making Framework Interactive Session Closing

1.2k views • 83 slides
Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo

Implications of Cache Asymmetry on Server Consolidation Performance Presenter: Omesh Tickoo Padma Apparao, Ravi Iyer, Don Newell *Hardware Architecture Lab Intel Corporation 1 IISWC 2008 Outline Server Consolidation Asymmetric

334 views • 14 slides
Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource

Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource

Instream Flow Technical Team Meeting - Riverine Modeling November 13-15, 2013 Decision Support System Options Prepared by R2 Resource Consultants 11/13/2013 DRAFT SUBJECT TO REVISION 2 Decision Support System - Define Decision:

692 views • 19 slides
Draft Decision on Western Power Access Arrangement Revisions Roundtable Discussion: Draft

Draft Decision on Western Power Access Arrangement Revisions Roundtable Discussion: Draft

Draft Decision on Western Power Access Arrangement Revisions Roundtable Discussion: Draft Decision on Proposed Revisions to the Access Arrangement for the South West Interconnected Network Mr Lyndon Rowe, Chairman Wednesday, 5 August 2009

550 views • 26 slides
Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st

Adaptive Mobile Web Design with a server side flavour James Rosewell &amp; Thomas Holmes 1st June 2012 Explain Server Side options Objective = Efficient use of 1. your time 2. resources (server, client and data network) 1st June 2012 Agenda

626 views • 51 slides

More recommend