MultiPol: Towards a Multi-policy Authorization Framework for RESTful Interfaces in the Cloud
Recently, a large number of existing cloud systems have adopted representational state transfer (REST) as the interface of their services. End users, and even components inside the cloud, invoke RESTful calls to perform various actions. The authorization mechanisms of existing clouds fail to supply two key elements: unified access control and flexible support for different policies. Moreover, different clouds usually provide distinct access control concepts and policy languages, which may confuse customers whose business is distributed across multiple clouds. In this paper, we propose a multi-policy authorization framework called MultiPol to support various access control policies for OpenStack. End users can customize different policies, or even integrate them into a single decision via logical connectors. This paper presents the design and implementation of MultiPol, including a new service called Policy Service and an attachment module called Request Filter. Experiments on OpenStack show that MultiPol improves the flexibility and security of policy management without affecting other services. Meanwhile, the average performance overhead is as low as 7.8%, which is acceptable for practical use. Since MultiPol is built on REST, it is also adaptable to other clouds that provide RESTful interfaces.
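To make the idea of combining several policies into one decision via logical connectors concrete, here is an added illustration (my own example, not MultiPol's or OpenStack's code). It models a Request Filter that derives attributes from a RESTful call and a Policy Service that evaluates role-based, attribute-based and path-based policies, then joins their verdicts with AND / OR / NOT connectors. Every rule name, role, project id and request below is constructed for the illustration, and the fail-closed behaviour on unknown rules or failing policies is a design choice of this example, not a claim about MultiPol.

```python
"""Illustrative multi-policy decision combiner for RESTful requests.

Added example (not MultiPol's code): a Request Filter extracts attributes from
a REST call and a Policy Service evaluates several independent policies, then
combines their verdicts with logical connectors. All names, rules and requests
are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass(frozen=True)
class Request:
    """Attributes a Request Filter would derive from a RESTful call."""
    method: str                 # HTTP verb
    path: str                   # resource path, e.g. /v2.1/servers/abc
    user: str
    roles: frozenset            # roles asserted by the identity service
    attrs: Dict[str, str] = field(default_factory=dict)  # extra ABAC attributes


# A policy is any callable returning True (permit) or False (deny).
Policy = Callable[[Request], bool]


def rbac_policy(required: Dict[str, set]) -> Policy:
    """Permit when the caller holds one of the roles required for the HTTP verb."""
    def decide(req: Request) -> bool:
        needed = required.get(req.method.upper())
        return needed is not None and bool(req.roles & needed)
    return decide


def abac_policy(attribute: str, expected: str) -> Policy:
    """Permit when a request attribute has the expected value (e.g. same project)."""
    def decide(req: Request) -> bool:
        return req.attrs.get(attribute) == expected
    return decide


def path_prefix_policy(prefix: str) -> Policy:
    """Permit only for resources under a given REST path prefix."""
    def decide(req: Request) -> bool:
        return req.path.startswith(prefix)
    return decide


# Logical connectors: several policies are folded into a single decision.
def all_of(*policies: Policy) -> Policy:
    return lambda req: all(p(req) for p in policies)


def any_of(*policies: Policy) -> Policy:
    return lambda req: any(p(req) for p in policies)


def negate(policy: Policy) -> Policy:
    return lambda req: not policy(req)


class PolicyService:
    """Holds named composite policies; unknown rules are denied (fail closed)."""

    def __init__(self) -> None:
        self._rules: Dict[str, Policy] = {}

    def register(self, name: str, policy: Policy) -> None:
        self._rules[name] = policy

    def authorize(self, rule: str, req: Request) -> bool:
        policy = self._rules.get(rule)
        if policy is None:
            return False  # no rule registered: deny rather than permit by default
        try:
            return bool(policy(req))
        except Exception:
            return False  # a misbehaving policy must never turn into a permit


def build_service() -> PolicyService:
    """Constructed rule set: deleting a server needs admin AND same project AND a
    servers path; reading a server needs admin OR (member AND same project)."""
    svc = PolicyService()
    admin = rbac_policy({"GET": {"admin"}, "DELETE": {"admin"}})
    member = rbac_policy({"GET": {"member"}})
    same_project = abac_policy("project", "proj-42")   # constructed project id
    servers = path_prefix_policy("/v2.1/servers/")
    svc.register("compute:delete_server", all_of(admin, same_project, servers))
    svc.register("compute:get_server", any_of(admin, all_of(member, same_project)))
    return svc


if __name__ == "__main__":
    svc = build_service()
    req = Request("DELETE", "/v2.1/servers/abc", "alice",
                  frozenset({"admin"}), {"project": "proj-42"})
    print("delete permitted:", svc.authorize("compute:delete_server", req))
```

The connectors are ordinary higher-order functions, so a customer can express "same policy as cloud A, but also require attribute X" without touching the individual policy implementations; the composite is registered under a rule name that the Request Filter looks up per call.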
Keywords: Representational state transfer, Access control, OpenStack, Multi-policy
We thank the reviewers for their help in improving this paper. This work was supported by the National High Technology Research and Development Program (“863” Program) of China under Grant No. 2015AA016009, the National Natural Science Foundation of China under Grant Nos. 61232005 and 61672062, and the Science and Technology Program of ShenZhen, China under Grant No. JSGG20140516162852628.