Extending OpenStack Access Control with Domain Trust

  • Conference paper
Network and System Security (NSS 2015)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8792)

Abstract

OpenStack has been rapidly established as the most popular open-source platform for cloud Infrastructure-as-a-Service in this fast-moving industry. In response to increasing access control requirements from its users, the OpenStack identity service Keystone has introduced several entities, such as domains and projects in addition to roles, resulting in a rather complex and somewhat obscure authorization model. In this paper, we present a formalized description of the core OpenStack access control (OSAC). We further propose a domain trust extension for OSAC to facilitate secure cross-domain authorization. We have implemented a proof-of-concept prototype of this trust extension based on Keystone. The authorization delay introduced by the domain trusts is 0.7 percent on average in our experiments.



Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Tang, B., Sandhu, R. (2014). Extending OpenStack Access Control with Domain Trust. In: Au, M.H., Carminati, B., Kuo, CC.J. (eds) Network and System Security. NSS 2015. Lecture Notes in Computer Science, vol 8792. Springer, Cham. https://doi.org/10.1007/978-3-319-11698-3_5

  • DOI: https://doi.org/10.1007/978-3-319-11698-3_5

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-11697-6

  • Online ISBN: 978-3-319-11698-3

  • eBook Packages: Computer Science (R0)