MultiPol: Towards a Multi-policy Authorization Framework for RESTful Interfaces in the Cloud

  • Yang Luo
  • Tian Puyang
  • Wu Luo
  • Qingni Shen
  • Anbang Ruan
  • Zhonghai WuEmail author
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9977)


Recently a large number of existing cloud systems adopt representational state transfer (REST) as the interface of their services. The end users or even components inside the cloud invoke RESTful calls to perform various actions. The authorization mechanisms of the existing clouds fail to supply two key elements: unified access control and flexible support for different policies. Moreover, different clouds usually provide distinct access control concepts and policy languages. This might cause confusion for customers whose business is distributed in multiple clouds. In this paper, we propose a multi-policy authorization framework called MultiPol to support various access control policies for OpenStack. The end users can customize or even integrate different policies together to form a single decision via logical connectors. This paper presents the design and implementation of MultiPol, including a new service called Policy Service and an attachment module called Request Filter. Experiments on OpenStack show that MultiPol has improved the flexibility and security of policy management without affecting other services. Meantime, the average performance overhead is as low as 7.8%, which is acceptable for practical use. Since MultiPol is built on REST, it is also adaptive to other clouds which also provide RESTful interfaces.


Representational state transfer Access control OpenStack Multi-policy 



We thank the reviewers for their help improving this paper. This work was supported by the National High Technology Research and Development Program (“863” Program) of China under Grant No. 2015AA016009, the National Natural Science Foundation of China under Grant No. 61232005, 61672062, and the Science and Technology Program of ShenZhen, China under Grant No. JSGG20140516162852628.


  1. 1.
    Crago, S., Dunn, K., Eads, P., Hochstein, L., Kang, D.-I., Kang, M., Modium, D., Singh, K., Suh, J., Walters, J.P.: Heterogeneous cloud computing. In: 2011 IEEE International Conference on Cluster Computing (CLUSTER), pp. 378–385. IEEE (2011)Google Scholar
  2. 2.
    Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1–11 (2011)CrossRefGoogle Scholar
  3. 3.
    Takabi, H., Joshi, J.B., Ahn, G.-J.: Security and privacy challenges in cloud computing environments. IEEE Secur. Privacy 6, 24–31 (2010)CrossRefGoogle Scholar
  4. 4.
    Yuan, E., Tong, J.: Attributed based access control (ABAC) for web services. In: Proceedings of 2005 IEEE International Conference on Web Services, ICWS 2005. IEEE (2005)Google Scholar
  5. 5.
    Hu, V.C., Kuhn, D.R., Ferraiolo, D.F.: Attribute-based access control. Computer 2, 85–88 (2015)CrossRefGoogle Scholar
  6. 6.
    Sandhu, R.S., Coyne, E.J., Feinstein, H.L., Youman, C.E.: Role-based access control models. Computer 2, 38–47 (1996)CrossRefGoogle Scholar
  7. 7.
    Fielding, R.T.: Architectural styles and the design of network-based software architectures. Ph.D. dissertation, University of California, Irvine (2000)Google Scholar
  8. 8.
    OpenStack: Openstack mitaka (2016).
  9. 9.
    Ribeiro, C., Zúquete, A., Ferreira, P., Guedes, P.: SPL: an access control language for security policies with complex constraints. In: Network and Distributed System Security Symposium (NDSS01), pp. 89–107 (2001)Google Scholar
  10. 10.
    Bertino, E., Jajodia, S., Samarati, P.: Supporting multiple access control policies in database systems. In: Proceedings of 1996 IEEE Symposium on Security and Privacy, vol. 1996, pp. 94–107. IEEE (1996)Google Scholar
  11. 11.
    Carney, M., Loe, B.: A comparison of methods for implementing adaptive security policies. In: Proceedings of the Seventh USENIX Security Symposium, pp. 1–14 (1998)Google Scholar
  12. 12.
    Jajodia, S., Samarati, P., Subrahmanian, V., Bertino, E.: A unified framework for enforcing multiple access control policies. ACM Sigmod Record 26(2), 474–485 (1997)CrossRefGoogle Scholar
  13. 13.
    Minsky, N.H., Ungureanu, V.: Unified support for heterogeneous security policies in distributed systems. In: 7th USENIX Security Symposium, pp. 131–142 (1998)Google Scholar
  14. 14.
    Wu, R., Zhang, X., Ahn, G.-J., Sharifi, H., Xie, H.: Acaas: access control as a service for iaas cloud. In: 2013 International Conference on Social Computing (SocialCom), pp. 423–428. IEEE (2013)Google Scholar
  15. 15.
    Tang, B., Sandhu, R.: Extending openstack access control with domain trust. In: Au, M.H., Carminati, B., Kuo, C.-C.J. (eds.) NSS 2014. LNCS, vol. 8792, pp. 54–69. Springer, Heidelberg (2014). doi: 10.1007/978-3-319-11698-3_5 Google Scholar
  16. 16.
    Jin, X., Krishnan, R., Sandhu, R.: Role and attribute based collaborative administration of intra-tenant cloud iaaS. In: 2014 International Conference on Collaborative Computing: Networking, Applications and Worksharing (CollaborateCom), pp. 261–274. IEEE (2014)Google Scholar
  17. 17.
    OpenStack, Openstack tempest (2016).

Copyright information

© Springer International Publishing AG 2016

Authors and Affiliations

  • Yang Luo
    • 1
  • Tian Puyang
    • 1
  • Wu Luo
    • 1
  • Qingni Shen
    • 1
  • Anbang Ruan
    • 2
  • Zhonghai Wu
    • 1
    Email author
  1. 1.Peking UniversityBeijingChina
  2. 2.University of OxfordOxfordUK

Personalised recommendations