
Resource Access Decision Server: Design and Performance



  1. Resource Access Decision Server: Design and Performance Considerations. Konstantin Beznosov and Luis Espinal, {beznosov,lespin03}@cs.fiu.edu. CADSE, October 22, November 5, 1999

  2. Presentation Overview
     • Introduction
     • RAD Specification Overview
     • RAD Prototype Design
     • Performance Measurements
       – Model, Measurements, Results
       – Implementation Considerations
     • Conclusions
     11/4/99

  3. Introduction: Access Control, etc.
     • Access control
       – concerned with limiting activity of legitimate users
       – enforced by a reference monitor
     • Authorization
       – concerned with making access control decisions
     [Figure: Classical Access Control Model. Labels: Authorization Database, Authorization Decisions, Reference monitor, Objects, Subjects, Access Control Mechanism]

  4. Access Control: Stand Alone vs. Distributed Systems
     Stand Alone
     • Primitive operations on objects controlled by OS (create, read, write, delete, use)
     • Objects are homogeneous (files, processes, memory)
     • Single point of control
     • Application access control is mangled with application logic
     Distributed OO
     • Stand alone systems, +
     • Complex operations on interfaces
     • Resources are heterogeneous (different interfaces)
     • Many points of control (commonality, consistency, administration issues)
     [Figure labels: ORB Access Control, Application, Application Access Control, Resources, Middleware, OS Access Control, Objects, OS]

  5. The Problem with Access Control in Distributed Systems
     It is difficult to develop distributed systems that:
     • ensure commonality and consistency of policies
     • perform security administration
     • support access control for fine-grain resources
     • allow changing policies without changing systems
     • are easy to verify and test

  6. A Possible Solution
     [Figure labels: Client, Target Object (ADO client), Access Decision Object; Application Client, Application Server, Authorization Server; Middleware]
     Message flow:
       1. Application request
       2. Authorization request
       3. Reply to authorization request
       4. Reply to application request

  7. Objective Statement
     Study validity of the approach from the following perspectives
       – Performance and scalability
       – Ability to separate application logic from authorization logic (it works and performs)
       – Ability to enforce complex policies and change them without pain
       – Ability to test and verify application and authorization functionalities independently

  8. Objective Analysis
     • Why is this the right goal?
       – By solving it, we will be able to assess the validity of the approach
         • Help system designers and enterprise architects in constructing, verifying, and testing distributed systems.
     • Why is the goal worth addressing?
       – It is doable
       – Its results could be applicable to other security policies and mechanisms (audit, quality of protection, non-repudiation)

  9. Research Directions
     + Develop a prototype
     + Measure performance
     • Study the validity of the main claims
       – support for different access control policy types
         • extend the prototype to support various policy types?
       – consistency and commonality of access control policies
         • ???

  10. RAD Specification
      [Figure labels: Client, Target Object (ADO client), Access Decision Object; Application Client, Application Server, Authorization Server; Middleware]
      Message flow:
        1. Application request
        2. Authorization request
        3. Reply to authorization request
        4. Reply to application request

  11. RAD Specification: Component Collaboration
      [UML collaboration diagram]
      Participants:
      • an Application System
      • an Access Decision Object : AccessDecision
      • a Locator : PolicyEvaluatorLocator
      • an Attribute Service : DynamicAttributeService
      • a Combinator : DecisionCombinator
      • an Evaluator : PolicyEvaluator
      Messages:
        1: access_allowed(ResourceName, Operation, AttributeList)
        2: get_policy_decision_evaluators(ResourceName)
        3: get_dynamic_attributes(AttributeList, ResourceName, Operation)
        4: combine_decisions(ResourceName, Operation, AttributeList, PolicyEvaluatorList)
        5: * evaluate(ResourceName, Operation, AttributeList)
        6:

  12. Resource Access Decision Specification Overview
      [UML sequence diagram]
      Participants: an Application System; an Access Decision Object : AccessDecision; a Locator : PolicyEvaluatorLocator; an Attribute Service : DynamicAttributeService; a Combinator : DecisionCombinator; an Evaluator : PolicyEvaluator
      Messages, in order:
      • access_allowed(ResourceName, Operation, AttributeList)
      • get_policy_decision_evaluators(ResourceName)
      • get_dynamic_attributes(AttributeList, ResourceName, Operation)
      • combine_decisions(ResourceName, Operation, AttributeList, PolicyEvaluatorList)
      • * evaluate(ResourceName, Operation, AttributeList)

  13. RAD Interfaces
      [UML class diagram. Interfaces shown, with the package each comes from:]
      • AccessDecision (from ResourceAccessDecision)
      • AccessDecisionAdmin (from ResourceAccessDecision)
      • AccessDecisionExt (from ADO)
      • AccessDecisionAdminExt (from ADO)
      • DynamicAttributeService (from ResourceAccessDecision)
      • DynamicAttributeServiceExt (from DAS)
      • DynamicAttributeServiceAdminExt (from DAS)
      • PolicyEvaluatorLocator (from ResourceAccessDecision)
      • PolicyEvaluatorLocatorNameAdmin (from ResourceAccessDecision)
      • PolicyEvaluatorLocatorBasicAdmin (from ResourceAccessDecision)
      • PolicyEvaluatorLocatorPatternAdmin (from ResourceAccessDecision)
      • PolicyEvaluatorLocatorAdminExt (from PEL)
      • PolicyEvaluator (from ResourceAccessDecision)
      • PolicyEvaluatorAdmin (from ResourceAccessDecision)
      • PolicyEvaluatorExt (from PE)
      • PolicyEvaluatorAdminExt (from PE)
      • DecisionCombinator (from ResourceAccessDecision)
      Association role names shown: +theAccessDecisionAdmin, +dynamic_attribute_service, +admin, +policy_evaluator_locator, +name_admin, +basic_admin, +pattern_admin, +thePolicyEvaluatorAdminExt. Operation shown: shutdown()

  14. Access Decision Object
      [UML class diagram. Elements shown:]
      • <<IDL Interface>> AccessDecision (from ResourceAccessDecision): access_allowed(), multiple_access_allowed()
      • <<IDL Interface>> AccessDecisionAdmin (from ResourceAccessDecision): get_policy_evaluator_locator(), set_policy_evaluator_locator(), get_dynamic_attribute_service(), set_dynamic_attribute_service()
      • <<IDL Interface>> AccessDecisionExt
      • <<IDL Interface>> AccessDecisionAdminExt: shutdown()
      • <<Interface>> AccessDecisionExtOperations
      • <<Interface>> AccessDecisionAdminExtOperations
      • ResourceAccessDecider (note: "tie these two interfaces")
      Association role name shown: +theAccessDecisionAdmin

  15. Tie Approach
      [UML class diagram. Elements shown:]
      • <<IDL Interface>> Component: service()
      • ComponentImplBase: service() (note: "Provides mechanisms to communicate with CORBA middleware")
      • tieComponent, with a delegate (note: "registers with BOA")
      • <<Interface>> ComponentOperations: serviceImplementation()
      • ComponentOperationsImpl
      Constraint: {tie.service()=delegate.serviceImplementation()}

  16. Policy Evaluator Locator
      [UML class diagram. Elements shown:]
      • <<IDL Interface>> PolicyEvaluatorLocator (from ResourceAccessDecision): get_policy_decision_evaluators()
      • <<IDL Interface>> PolicyEvaluatorLocatorBasicAdmin (from ResourceAccessDecision): set_default_evaluators(), get_default_combinator(), set_default_combinator(), get_default_evaluators()
      • <<IDL Interface>> PolicyEvaluatorLocatorAdminExt
      • PolicyEvaluatorLocatorContext: set_default_evaluators(), get_default_combinator(), set_default_combinator(), get_default_evaluators(), get_policy_decision_evaluators()
      Association role name shown: +basic_admin. Annotation: tie mechanism

  17. Dynamic Attribute Service
      [UML class diagram. Elements shown:]
      • <<IDL Interface>> DynamicAttributeService: get_dynamic_attributes()
      • <<IDL Interface>> DynamicAttributeServiceAdminExt: shutdown()
      • <<IDL Interface>> DynamicAttributeServiceExt
      • <<Interface>> DynamicAttributeServiceExtOperations
      • <<Interface>> DynamicAttributeServiceAdminExtOperations
      • DynamicAttributeServiceContext (#_strategy)
      • <<Interface>> DynamicAttributeServiceStrategy: get_dynamic_attributes()
      • EchoingDynamicAttributeService: get_dynamic_attributes()
      Association role name shown: +admin. Annotations: tie mechanism, Strategy Pattern

  18. Decision Combinator
      [UML class diagram. Elements shown:]
      • <<IDL Interface>> DecisionCombinator: combine_decisions()
      • <<Interface>> DecisionCombinatorOperations
      • DecisionCombinatorContext (-strategy): DecisionCombinatorContext(), combine_decisions()
      • <<Interface>> DecisionCombinatorStrategy: makeDecision()
      • AbstractAndOrCombinator: shouldDeny(), makeDecision()
      • OpenWorldAndOrCombinationPolicy: grant access if no PE returns "NO"
      • ClosedWorldAndOrCombinationPolicy: grant access if all PE's return "YES"
      Annotations: tie mechanism, Strategy Pattern, Template Method Pattern
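
An in-process sketch of the collaboration on slide 11 and the two combination policies on slide 18, added here as an illustration; it is not the authors' prototype and uses no CORBA. The `UNKNOWN` result, the two evaluators, the requests, and the choice to deny under the closed-world policy when no evaluators are located are assumptions made for the example.

```python
from enum import Enum

class Decision(Enum):
    YES = "YES"
    NO = "NO"
    UNKNOWN = "UNKNOWN"   # assumption: a PE may return neither "YES" nor "NO"

class AbstractAndOrCombinator:
    def should_deny(self, results):          # hook supplied by each policy
        raise NotImplementedError
    def make_decision(self, results):        # template method
        return not self.should_deny(results)
    def combine_decisions(self, resource, operation, attributes, evaluators):
        # message 5: * evaluate(ResourceName, Operation, AttributeList)
        return self.make_decision([pe(resource, operation, attributes) for pe in evaluators])

class OpenWorldAndOrCombinationPolicy(AbstractAndOrCombinator):
    def should_deny(self, results):          # grant access if no PE returns "NO"
        return any(r is Decision.NO for r in results)

class ClosedWorldAndOrCombinationPolicy(AbstractAndOrCombinator):
    def should_deny(self, results):          # grant access if all PEs return "YES"
        # Assumption: an empty evaluator list is denied; the slide does not cover it.
        return not results or any(r is not Decision.YES for r in results)

class AccessDecision:
    def __init__(self, locator, attribute_service, combinator):
        self.locator, self.attribute_service, self.combinator = locator, attribute_service, combinator
    def access_allowed(self, resource, operation, attributes):               # message 1
        evaluators = self.locator(resource)                                  # message 2
        attributes = self.attribute_service(attributes, resource, operation) # message 3
        return self.combinator.combine_decisions(resource, operation, attributes, evaluators)  # message 4

# Hypothetical policy evaluators (not from the slides).
def role_pe(resource, operation, attributes):
    return Decision.YES if attributes.get("role") == "physician" else Decision.NO

def ward_pe(resource, operation, attributes):
    if "ward" not in attributes:
        return Decision.UNKNOWN              # no opinion without a ward attribute
    return Decision.YES if attributes["ward"] == "cardiology" else Decision.NO

def demo():
    locate = lambda resource: [role_pe, ward_pe]
    echo = lambda attributes, resource, operation: attributes   # like EchoingDynamicAttributeService
    requests = [{"role": "physician", "ward": "cardiology"},    # constructed sample requests
                {"role": "physician"},
                {"role": "clerk", "ward": "cardiology"}]
    ados = [AccessDecision(locate, echo, policy()) for policy in
            (OpenWorldAndOrCombinationPolicy, ClosedWorldAndOrCombinationPolicy)]
    return [tuple(ado.access_allowed("patient/42/record", "read", a) for ado in ados) for a in requests]
```

`demo()` returns one (open-world, closed-world) pair per request; the two policies differ only on the second request, where one evaluator abstains.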
