Cassandra: Distributed Access Control Policies with Tunable - - PowerPoint PPT Presentation



SLIDE 1

Cassandra: Distributed Access Control Policies with Tunable Expressiveness

Moritz Y. Becker and Peter Sewell Computer Laboratory, University of Cambridge, U.K.

Cassandra: Distributed Access Control Policies with Tunable Expressiveness – p. 1/12


SLIDE 3

Cassandra: Yet Another PSL?

Cassandra

  • distributed Trust Management
  • rule-based policy specification language (PSL)
  • role-based: activation, deactivation, actions
  • distributed: credential management

Why YAPSL?

  • wide range of applications → need tunable expressiveness
  • formal semantics: language and dynamics
  • distributed query evaluation with guaranteed termination
  • practical foundation: real-life case study

SLIDE 4

Cassandra Overview

[Architecture diagram. A Cassandra entity exposes an interface with four requests: perform action, activate role, deactivate role, request credential. Behind the interface, the access control engine invokes the policy evaluator over the policy (rules & credentials), modifies the policy, grants access to the resources (actions), and issues remote queries to other Cassandra entities.]


SLIDE 7

Access Control Semantics (1/2)

What: specifies dynamic meaning of 4 requests

Why: makes subtle design decisions explicit

  • can x perform action a on E's service? → deduce permits(x, a)
  • can x activate role r on E's service? → deduce canActivate(x, r); add hasActivated(x, r) to E's policy


SLIDE 9

Access Control Semantics (2/2)

  • can x deactivate y's role r on E's service? → deduce canDeactivate(x, y, r); under the assumption isDeactivated(y, r), deduce all isDeactivated(y', r') on E; remove all corresponding hasActivated(y', r') from E's policy
  • can x request credential E'.p(e) from E? → deduce canReqCred(x, E'.p(e)); to get the credential, deduce E'.p(e)


SLIDE 12

Policy Specification

  • entities control access to their resources with a Cassandra policy
  • a policy is a set of rules based on Datalog^C (Datalog with constraints)
  • rules are of the form E_loc.p(e) ← E_1.p_1(e_1), …, E_n.p_n(e_n), c (where E_loc, E_i are entities and c is a constraint from the constraint domain)
  • predicates with special access control meaning: permits, hasActivated, canActivate, canDeactivate, isDeactivated, canReqCred

Example: suppose a hospital's policy contains

  canActivate(x, Doctor(…)) ← NHS.canActivate(x, CertifiedDoctor(…)), [constraint relating x and Alice; lost in extraction]


SLIDE 15

Constraint Domains for Tuning Expressiveness

  • the simplest constraint domain: constraints are true, false and [atomic constraints; lost in extraction]
  • a useful one for complex policies: [grammar lost in extraction]

Constraint domains must support

  • satisfiability checking
  • projection
  • subsumption checking

For guaranteed termination, constraint domains have to be constraint compact
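The three operations just listed, worked on a toy constraint domain. This is an added example, not code from the Cassandra project: it assumes (my reading of the "simplest constraint domain" slide) that a constraint is true, false, or a conjunction of equalities and disequalities between variables (lowercase names) and constants; the Constraint class, its method names and the union-find representation are mine.

```python
"""Toy equality/disequality constraint domain with the three operations a
Cassandra constraint domain must support: satisfiability checking, projection
and subsumption checking.  Added example, not the Cassandra project's code.
Assumption: a term is a variable (name starts lowercase) or a constant
(anything else, e.g. 'Alice'); a constraint is a conjunction of t1 = t2 and
t1 != t2 atoms, the empty conjunction being `true`."""
from itertools import combinations


def is_var(term):
    return term[:1].islower()


class Constraint:
    def __init__(self, eqs=(), neqs=()):
        self.eqs = [tuple(a) for a in eqs]
        self.neqs = [tuple(a) for a in neqs]

    @classmethod
    def false(cls):
        return cls(neqs=[("0", "0")])           # 0 != 0 is unsatisfiable

    def terms(self):
        return {t for atom in self.eqs + self.neqs for t in atom}

    def _analyse(self):
        """Union-find over the equalities; returns (find, class->constants, disequal class pairs)."""
        parent = {}

        def find(t):
            parent.setdefault(t, t)
            while parent[t] != t:
                parent[t] = parent[parent[t]]
                t = parent[t]
            return t

        for a, b in self.eqs:
            ra, rb = find(a), find(b)
            if ra != rb:
                parent[ra] = rb
        consts = {}
        for t in self.terms():
            if not is_var(t):
                consts.setdefault(find(t), set()).add(t)
        diseq = {frozenset((find(a), find(b))) for a, b in self.neqs}
        return find, consts, diseq

    def satisfiable(self):
        """Unsatisfiable iff one class holds two constants or a disequality is reflexive."""
        _, consts, diseq = self._analyse()
        return all(len(s) == 1 for s in consts.values()) and all(len(p) == 2 for p in diseq)

    def project(self, keep):
        """Existentially eliminate every variable not in `keep` (constants stay visible)."""
        if not self.satisfiable():
            return Constraint.false()
        find, _, diseq = self._analyse()
        visible = sorted(t for t in self.terms() if not is_var(t) or t in keep)
        pairs = list(combinations(visible, 2))
        eqs = [(a, b) for a, b in pairs if find(a) == find(b)]
        neqs = [(a, b) for a, b in pairs if frozenset((find(a), find(b))) in diseq]
        return Constraint(eqs, neqs)

    def entails(self, other):
        """self |= other: every atom of `other` already follows from `self`."""
        if not self.satisfiable():
            return True                          # false entails everything
        find, consts, diseq = self._analyse()

        def has_const(root):
            return root in consts or not is_var(root)

        for a, b in other.eqs:
            if find(a) != find(b):
                return False
        for a, b in other.neqs:
            ra, rb = find(a), find(b)
            if ra == rb:
                return False
            # distinct classes are known apart if a disequality says so or both hold constants
            if frozenset((ra, rb)) not in diseq and not (has_const(ra) and has_const(rb)):
                return False
        return True

    def subsumes(self, other):
        """`self` is at least as general as `other`: `other` implies `self`."""
        return other.entails(self)
```

Projection is what an evaluator needs when a rule's local variables are dropped from an answer (x = z, z ≠ y projected onto {x, y} must still say x ≠ y), and subsumption is what lets a tabled evaluation stop re-deriving answers that a more general answer already covers; both reduce to the same union-find view of the equalities, which is why they are cheap in this domain.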

SLIDE 16

Policy Idioms in Cassandra (1/2)

  • appointment
      canActivate(mgr, AppointEmployee(x)) ← hasActivated(mgr, Manager())
      canActivate(x, Employee()) ← hasActivated(mgr, AppointEmployee(x))
  • appointment revocation
      isDeactivated(x, Employee()) ← isDeactivated(mgr, AppointEmployee(x))

SLIDE 17

Policy Idioms in Cassandra (2/2)

  • grant-dependent vs grant-independent appointment revocation
      canDeactivate(mgr, mgr, AppointEmployee(x)) ← …   (grant-dependent: only the appointing manager may revoke)
      canDeactivate(mgr2, mgr, AppointEmployee(x)) ← hasActivated(mgr2, Manager())   (grant-independent: any manager may revoke)
  • cascading appointment revocation
      isDeactivated(mgr, AppointEmployee(x)) ← isDeactivated(y, AppointManager(mgr))
  • others: role hierarchy, role delegation, separation of duties, role validity dates, cardinality/manifold constraints, trust negotiation, ...
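To make the request semantics of slides 7 and 9 and the appointment idioms of slides 16 and 17 concrete, here is an added example (my own toy code, not the Cassandra prototype) that runs the three local request kinds over a policy written in those idioms. It assumes a single entity (no remote queries, constraints or canReqCred), encodes atoms as tuples, and constructs the names alice, bob, carol, dave, erin and the action readRecord for the scenario; where a slide rule leaves a head variable unconstrained, the example binds it from the ground query or adds a hasActivated atom to the body.

```python
"""Toy model of the Cassandra request semantics on one entity.
Added example, not the Cassandra implementation.  Roles are tuples such as
("AppointEmployee", "dave"); names starting with '?' are variables.  Omitted:
constraints, remote queries (E.p(...)) and canReqCred.  A head variable the body
leaves unbound is bound from the ground query instead."""


def is_var(t):
    return isinstance(t, str) and t.startswith("?")


def unify(pat, val, env):
    """Extend env so that pattern pat matches the ground term val, or return None."""
    if is_var(pat):
        return ({**env, pat: val} if pat not in env else
                env if env[pat] == val else None)
    if isinstance(pat, tuple):
        if not isinstance(val, tuple) or len(pat) != len(val):
            return None
        for p, v in zip(pat, val):
            env = unify(p, v, env)
            if env is None:
                return None
        return env
    return env if pat == val else None


def subst(term, env):
    if isinstance(term, tuple):
        return tuple(subst(t, env) for t in term)
    return env.get(term, term)               # unbound variables stay as they are


def is_ground(term):
    return all(map(is_ground, term)) if isinstance(term, tuple) else not is_var(term)


def solve(body, facts, env):
    """Yield every env under which all body atoms are present in facts."""
    if not body:
        yield env
        return
    for fact in facts:
        e = unify(body[0], fact, env)
        if e is not None:
            yield from solve(body[1:], facts, e)


def derive(rules, facts):
    """Naive bottom-up Datalog: least fixpoint of the ground consequences."""
    facts = set(facts)
    while True:
        new = {subst(h, e) for h, b in rules for e in solve(b, facts, {})}
        new = {f for f in new if is_ground(f)} - facts
        if not new:
            return facts
        facts |= new


class Entity:
    def __init__(self, rules, facts=()):
        self.rules, self.facts = list(rules), set(facts)

    def holds(self, atom):
        """Can the ground atom be deduced from the policy?"""
        known = derive(self.rules, self.facts)
        if atom in known:
            return True
        for head, body in self.rules:        # heads not fully bound by their body
            env = unify(head, atom, {})
            if env is not None and next(solve(body, known, env), None) is not None:
                return True
        return False

    def activate(self, who, role):
        """Activate-role request: deduce canActivate, then add hasActivated."""
        if not self.holds(("canActivate", who, role)):
            return False
        self.facts.add(("hasActivated", who, role))
        return True

    def deactivate(self, requester, who, role):
        """Deactivate-role request: deduce canDeactivate; assume isDeactivated(who, role),
        deduce all isDeactivated consequences, drop the matching hasActivated facts.
        Returns the (subject, role) pairs removed, or None if the request is refused."""
        if not self.holds(("canDeactivate", requester, who, role)):
            return None
        closure = derive(self.rules, self.facts | {("isDeactivated", who, role)})
        gone = {("hasActivated",) + f[1:] for f in closure if f[0] == "isDeactivated"}
        removed = gone & self.facts
        self.facts -= removed
        return {f[1:] for f in removed}

    def perform(self, who, action):
        """Perform-action request: allowed iff permits(who, action) is deducible."""
        return self.holds(("permits", who, action))


def rule(head, *body):
    return head, list(body)


RULES = [
    # appointment (slide 16): Managers appoint; appointees may act as Employee
    rule(("canActivate", "?m", ("AppointEmployee", "?x")), ("hasActivated", "?m", ("Manager",))),
    rule(("canActivate", "?x", ("Employee",)), ("hasActivated", "?m", ("AppointEmployee", "?x"))),
    # appointment revocation (slide 16)
    rule(("isDeactivated", "?x", ("Employee",)), ("isDeactivated", "?m", ("AppointEmployee", "?x"))),
    # grant-independent revocation (slide 17): any Manager may revoke any appointment
    rule(("canDeactivate", "?m2", "?m", ("AppointEmployee", "?x")), ("hasActivated", "?m2", ("Manager",))),
    # managers are appointed too; grant-dependent revocation: only the appointer may revoke
    rule(("canActivate", "?m", ("Manager",)), ("hasActivated", "?z", ("AppointManager", "?m"))),
    rule(("canDeactivate", "?z", "?z", ("AppointManager", "?m"))),
    # cascading revocation (slide 17); the hasActivated atom keeps head variable ?x bound
    rule(("isDeactivated", "?m", ("Manager",)), ("isDeactivated", "?z", ("AppointManager", "?m"))),
    rule(("isDeactivated", "?m", ("AppointEmployee", "?x")),
         ("isDeactivated", "?z", ("AppointManager", "?m")), ("hasActivated", "?m", ("AppointEmployee", "?x"))),
    # a constructed action: Employees may read records
    rule(("permits", "?x", "readRecord"), ("hasActivated", "?x", ("Employee",))),
]


def demo():
    """Constructed scenario: alice has (bootstrapped) appointed carol as Manager."""
    h = Entity(RULES, {("hasActivated", "alice", ("AppointManager", "carol"))})
    return (h.activate("carol", ("Manager",)),                            # True
            h.activate("carol", ("AppointEmployee", "dave")),             # True
            h.activate("dave", ("Employee",)),                            # True
            h.perform("dave", "readRecord"),                              # True
            h.deactivate("erin", "carol", ("AppointEmployee", "dave")),   # None: erin is no Manager
            h.deactivate("bob", "alice", ("AppointManager", "carol")),    # None: only alice may revoke
            h.deactivate("alice", "alice", ("AppointManager", "carol")),  # cascades to 4 activations
            h.perform("dave", "readRecord"))                              # False
```

The scenario in demo() shows why the deactivation semantics computes the isDeactivated closure before removing anything: revoking the single AppointManager activation takes away carol's Manager role, the appointment she made and dave's Employee role in one step, so dave's later perform request is refused without any further revocation being issued.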

SLIDE 18

National EHR in UK

NHS planning ICRS with online EHR for clinicians and patients

Difficulties:

  • huge: 100m records, 400m episodes/yr, 1bn accesses/yr
  • changing requirements
  • distributed policies
  • patient confidentiality requirements
  • access control can be configured by patients/clinicians

Our three layer approach: Master Patient Index (1), EHR servers (100s), health orgs (1000s)

Cassandra policies for all layers: 310 rules, 58 roles, 10 actions

  • patient consent, third-party consent, personal AC configuration, legal agents, staff appointment, clinician certification

SLIDE 19

An Example from the EHR Policy

Prerequisite for Treating-clinician:

  canActivate(cli, Treating-clinician(pat, org, spcty)) ←
      org.canActivate(cli, Group-treating-clinician(pat, org, spcty, …)),
      hasActivated(…, NHS-health-org-cred(org, …)) held at NHS-registration-authorities,
      Current-time(…) within the credential's validity period

(The exact argument lists did not survive extraction; the predicate and role names above are as on the slide.)

SLIDE 20

Conclusion

  • Cassandra's expressiveness is tunable; very expressive with the richer constraint domain
  • high-level enough for concise and readable policies
  • low-level enough to express wide range of policies
  • formal foundation
  • substantial case study
  • prototype implementation