Abstract
We discuss the protection requirements of a distributed storage service comprising a two-level hierarchy of storage servers with value-adding service layers above them. A flexible and extensible access control mechanism is required. Our scheme uses Access Control Lists (ACLs) to allow fine-grained expression of policy, together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient, and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery.
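As an added illustration (not code from the paper, whose concrete capability encoding and cryptography are not given on this page), the following Python sketch shows the pattern the abstract describes: a once-off ACL check that mints a principal-specific, short-lived capability bound to one service layer, stateless verification at the server, and temporary delegation of a narrower capability to an unprivileged principal such as a print server. It assumes a keyed MAC (HMAC-SHA256) under a key shared between the issuing service and the storage server, which is what lets the server verify without per-capability state; the ACL contents, principal names, service names and key are all constructed for the example.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

# Constructed ACL: object id -> {principal: rights}. Consulted once, at issue time.
ACL = {
    "dir:/home/alice": {"alice": {"read", "write", "list"}},
    "file:/home/alice/report.ps": {"alice": {"read", "write"}},
}

# Assumed: secret shared by the issuing service layer and the storage server.
# Because verification only needs this key, the servers keep no per-capability state.
SERVER_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class Capability:
    object_id: str
    principal: str      # the only principal who may present this capability
    service: str        # service layer it is valid for, e.g. "directory" or "file"
    rights: frozenset   # subset of the rights the ACL granted
    expires: int        # absolute expiry (seconds since epoch); short-lived by design
    mac: bytes          # HMAC over all fields above


def _mac(object_id, principal, service, rights, expires, key=SERVER_KEY):
    # Fields are joined with a separator that cannot appear in the constructed ids.
    msg = "|".join([object_id, principal, service, ",".join(sorted(rights)), str(expires)])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def issue(object_id, principal, service, rights, lifetime=60, now=None):
    """Once-off ACL check; on success mint a capability bound to principal and service layer."""
    now = int(time.time()) if now is None else now
    granted = ACL.get(object_id, {}).get(principal, set())
    rights = frozenset(rights)
    if not rights <= granted:
        raise PermissionError(f"ACL denies {sorted(rights - granted)} on {object_id} to {principal}")
    expires = now + lifetime
    return Capability(object_id, principal, service, rights, expires,
                      _mac(object_id, principal, service, rights, expires))


def check(cap, presenter, service, right, now=None):
    """Stateless check at the server: recompute the MAC, then verify presenter, layer, right, expiry."""
    now = int(time.time()) if now is None else now
    expected = _mac(cap.object_id, cap.principal, cap.service, cap.rights, cap.expires)
    if not hmac.compare_digest(expected, cap.mac):
        return False                      # forged or tampered capability
    if cap.principal != presenter or cap.service != service:
        return False                      # wrong holder, or wrong service hierarchy
    if right not in cap.rights or now >= cap.expires:
        return False                      # right not granted, or capability has lapsed
    return True


def delegate(cap, holder, to_principal, rights, lifetime, now=None):
    """Holder asks the issuing service for a narrower, shorter-lived capability for another principal.

    Assumed design: the delegate's rights must be a subset of the holder's and its expiry can
    never outlive the original, so delegation needs no revocation bookkeeping.
    """
    now = int(time.time()) if now is None else now
    rights = frozenset(rights)
    if not rights or not all(check(cap, holder, cap.service, r, now) for r in rights):
        raise PermissionError("holder's capability does not cover the delegated rights")
    expires = min(cap.expires, now + lifetime)
    return Capability(cap.object_id, to_principal, cap.service, rights, expires,
                      _mac(cap.object_id, to_principal, cap.service, rights, expires))


if __name__ == "__main__":
    t0 = int(time.time())
    dir_cap = issue("dir:/home/alice", "alice", "directory", {"list"}, now=t0)
    print("alice lists via directory service:", check(dir_cap, "alice", "directory", "list", now=t0))
    print("same capability via file service:", check(dir_cap, "alice", "file", "list", now=t0))
    file_cap = issue("file:/home/alice/report.ps", "alice", "file", {"read", "write"}, now=t0)
    print_cap = delegate(file_cap, "alice", "printer", {"read"}, lifetime=10, now=t0)
    print("printer reads within 10 s:", check(print_cap, "printer", "file", "read", now=t0 + 5))
    print("printer reads after 10 s:", check(print_cap, "printer", "file", "read", now=t0 + 10))
```

The service-layer field is what enforces the "directory objects only via the directory service" rule: the same bytes presented to a different layer fail the check even though the MAC is valid. Expiry is an absolute timestamp in the signed payload, so the scheme relies on reasonably synchronised clocks between issuer and server.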
Extensible access control for a hierarchy of servers