Distributed Evaluation of XACML Policies

Vijayant Dhankhar, George Mason University
Saket Kaushik, Oracle and George Mason University
Duminda Wijesekera, George Mason University
Anil Nerode, Cornell University


Nov 2nd 2007, SWS'07 © Vijayant Dhankhar, Saket Kaushik, Duminda Wijesekera and Anil Nerode


Introduction

• XACML is the default access control language for Web Services.

• Currently it does not support collaboration between distributed access controllers.

• We provide a solution by distributing the XACML policy decision point (PDP).


Outline

• Motivation
• Architecture
• Enhancements to XACML
• Examples
• Implementation details
• Performance
• Ongoing work


Motivation

[Diagram: a Client (client layer) sends a Service Request to a Choreographed Service made up of WS1 and WS2 (service layer); each service is guarded by its own access controller, PDP1 and PDP2, and a Response is returned to the client.]

• Providing individual control over collaborating services

• Requires collaboration among access controllers


Current XACML Architecture


Architectural Enhancements

[Diagram: the PEP forwards to a Master PDP, which coordinates Child PDP 1 and Child PDP 2 through an Evaluation Coordinator; a Lock Manager and a Resource Manager ("Acquire Resource") sit beside the PDPs, and serialization messages flow between them.]

• Hierarchically organized multiple PDPs

• Support an ask-tell interface between distributed PDPs

• Serialization messages


Functional Enhancements

• Concurrently evaluates access control requests made to multiple PDPs
  – Updated resource status based on individual access control decisions
  – Decisions consistent across submission points

• Transactional policy evaluation
  – Success (Permit, Deny)
  – Competing requests have no side-effects (due to SoD constraints) on each other
  – Failure tolerant

• Network, Exclusive Access, etc.


Sample Enabled Use Case

• Consider a web service that provisions bulk data transfers between international locations within a specified time window.

• Circuit-switched MPLS links in the path belong to partner organizations (Verio and DOCOMO).

• Both partners must agree to synchronize their link reservations to transfer the data.
  – If provisioning is possible: both partners must individually commit their resources to transfer the data.
  – If provisioning is not possible: none of the partners should commit their resources to transfer the data.

• Because network resources are individual assets, business partners may not be willing to share their scheduling information.

• Resources of the partners have to be used exclusively by at most one requester at a time.


Sample Use Case

[Diagram: a Central Server receives the service request and sends a Request Reservation to each of Verio and Docomo; the two partners must agree to synchronize their reservations and lock them.]


Sample Use Case

[Diagram: the PEP forwards to a Master PDP, whose Evaluation Coordinator drives a DOCOMO PDP and a Verio PDP; a Lock Manager guards a Shared Resource Manager, while each partner keeps its own Docomo Resource Manager and Verio Resource Manager.]


Distributed Evaluation

1. The PEP intercepts an access request and forwards it to the master PDP.

2. The master PDP identifies the child PDPs to be used for evaluating the request and forwards the request to them.

3. Each child PDP applies its local policy; the result (allow/deny) is communicated to the master.

4. The master combines all local results and forwards the decision to the PEP.


Updating Resources

• Because of distributed policy evaluation, resource allocation commitments may run into read-write and write-write conflicts.

• That is, one PDP may need to read resources (or their attributes) that are being modified by a concurrent evaluation that has yet to complete.

• To avoid inconsistencies in evaluation, we prevent such conflicts in our policy evaluation.
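As an added example (not the authors' code), the four-step master/child exchange from the "Distributed Evaluation" slide, the conflict prevention described above and the all-or-nothing commit from the Verio/DOCOMO use case, simulated in Python: the master locks both partners' resources before any child PDP reads them, combines the local results deny-overrides style, and commits only when every partner permits. The LockManager, ChildPDP and MasterPDP classes, the request format and the capacity values are all constructed for this illustration.

```python
from dataclasses import dataclass
PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"  # XACML decisions

class LockManager:              # exclusive locks: one in-flight request per resource
    def __init__(self):
        self.held = {}                              # resource -> owning request id
    def acquire(self, rid, resource):               # AcquireLock
        return self.held.setdefault(resource, rid) == rid
    def release_all(self, rid):                     # ReleaseLock
        for res in [r for r, owner in self.held.items() if owner == rid]:
            del self.held[res]

@dataclass
class ChildPDP:                 # one partner's PDP; capacity is private link state
    resource: str
    capacity: int                                   # constructed free units
    def evaluate(self, request):                    # local policy -> allow/deny
        return PERMIT if request["units"] <= self.capacity else DENY
    def update(self, request):                      # PostAction: commit reservation
        self.capacity -= request["units"]

class MasterPDP:
    def __init__(self, children, locks):
        self.children, self.locks = children, locks
    def evaluate(self, request):
        rid = request["id"]
        # PreAction: lock every resource before any child reads it, so a concurrent
        # evaluation cannot read capacity this one may still change (slide 12).
        if not all(self.locks.acquire(rid, c.resource) for c in self.children):
            self.locks.release_all(rid)
            return INDETERMINATE                    # conflict: caller may retry
        try:
            local = [c.evaluate(request) for c in self.children]
            # deny-overrides combining: every partner permits, or none commits
            if all(d == PERMIT for d in local):
                for c in self.children: c.update(request)
                return PERMIT
            return DENY
        finally:
            self.locks.release_all(rid)

def run_scenario():             # constructed Verio/DOCOMO use case, three requests
    locks = LockManager()
    verio = ChildPDP("verio-link", capacity=15)
    docomo = ChildPDP("docomo-link", capacity=25)
    master = MasterPDP([verio, docomo], locks)
    first = master.evaluate({"id": "r1", "units": 10})    # both permit -> commit
    second = master.evaluate({"id": "r2", "units": 10})   # Verio has only 5 left
    locks.acquire("in-flight", "docomo-link")             # another evaluation holds it
    third = master.evaluate({"id": "r3", "units": 1})
    return first, second, third, verio.capacity, docomo.capacity
```

The second request is denied by Verio alone, yet DOCOMO's capacity is untouched, and the third request cannot even read the partner state while another evaluation holds the lock.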


Evaluation Messages


Implementation details

• Enhances Sun’s XACML implementation

• Lock Manager and Resource Manager are implemented as web services.

• Significant changes to classes
  – com.sun.xacml {PDP/PDPconfig/Rule/Policy} – to evaluate the new extended syntax

• Added the following classes
  – edu.gmu.xacml {AquireLock, PreAction, PostAction, Update, ReleaseLock}

• New interfaces for web service invocations
  – edu.gmu.xacml.lock
  – edu.gmu.xacml.resource
  – edu.gmu.xacml.pdp


Performance


Ongoing Work

• Distributing the PEP to enable distributed policy enforcement

• N-level decision-based resource updates to enable deeply nested XACML policy executions

• Meta-policy-driven serialization

• Developing semantics consistent with legacy systems