Abstract
OpenStack has been rapidly established as the most popular open-source platform for cloud Infrastructure-as-a-Service in this fast-moving industry. In response to increasing access control requirements from its users, the OpenStack identity service Keystone has introduced several entities, such as domains and projects in addition to roles, resulting in a rather complex and somewhat obscure authorization model. In this paper, we present a formalized description of the core OpenStack access control (OSAC). We further propose a domain trust extension for OSAC to facilitate secure cross-domain authorization. We have implemented a proof-of-concept prototype of this trust extension based on Keystone. The authorization delay introduced by the domain trusts is 0.7 percent on average in our experiments.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Tang, B., Sandhu, R. (2014). Extending OpenStack Access Control with Domain Trust. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_5
DOI: https://doi.org/10.1007/978-3-319-11698-3_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-11697-6
Online ISBN: 978-3-319-11698-3
eBook Packages: Computer Science (R0)