
N Series | A Meta-Model-Based Access Control Policy Specification Language

Author: Tinywan
Published 2020-03-20 11:31:56
This article is collected in the column 开源技术小栈.

Abstracts

Chinese Abstract

To protect cloud resources and prevent data leakage and unauthorized access, access control must be enforced on resource access in the cloud platform. However, mainstream cloud platforms today typically adopt their own security policy languages and access control mechanisms.

This causes two problems:

(1) a cloud user who wants to use several cloud platforms has to learn different policy languages and write security policies for each one separately;

(2) a cloud service provider has to design a security policy language and access control mechanism tailored to its own platform, which is costly to develop.

To address this, a meta-model-based access control policy specification language, PML, and its enforcement mechanism, PML-EM, are proposed. PML can express access control models such as BLP, RBAC and ABAC. PML-EM achieves three properties: independence from the policy language, from the access control model and from the programming language, which lowers both the cost for users to write policies and the cost for cloud service providers to develop access control mechanisms. PML-EM was implemented on the OpenStack cloud platform. The experimental results show that PML policies support automatic translation from other policies and have an advantage when expressing multi-tenant scenarios in the cloud. In terms of performance, compared with OpenStack's original policies, the evaluation overhead of PML policies is 4.8%. PML-EM is minimally invasive, adding about 0.42% to the cloud platform's original code.

English Abstract

In order to protect cloud resources, access control mechanisms have to be established in the cloud. However, cloud platforms tend to design their own security policy languages and authorization mechanisms. This leads to two issues: (i) a cloud user has to learn different policy languages to customize the permissions for each cloud, and (ii) a cloud service provider has to design and implement the authorization mechanism from scratch, which is a high development cost. In this work, a new access control policy specification language called PML is proposed to support expressing multiple access control models like BLP, RBAC and ABAC, as well as important features like multi-tenancy. An authorization framework called PML-EM is implemented on OpenStack to centralize authorization. PML-EM is independent of the policy language, the access control model and the programming language that implements the authorization module. Other policies, such as XACML policies and OpenStack policies, can be automatically translated into PML, which facilitates migration between clouds that both support PML-EM. The experimental results indicate that PML-EM improves the flexibility of policy management from a tenant's perspective. The performance overhead for policy evaluation is 4.8%, and the invasiveness is about 0.42%.

Role-based resource access control (RBAC)

Model

```ini
[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
```

Policy

```csv
p, role:user, user, add
p, role:user, user, update
p, role:user, user, delete

p, role:admin, user, add
p, role:admin, user, update
p, role:admin, user, delete
p, role:admin, book, add
p, role:admin, book, update
p, role:admin, book, delete

g, user001, role:admin
g, user002, role:user
```

Request

```csv
user001, user, add
user001, user, update
user001, user, delete
user001, book, add
user001, book, update
user001, book, delete
user002, user, add
user002, user, update
user002, user, delete
user002, book, add
user002, book, update
user002, book, delete
```

Enforcement Result

```text
true
true
true
true
true
true
true
true
true
false
false
false
```
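To make the three matcher clauses concrete, here is an added, self-contained Python re-implementation of their semantics (written for this article, not Casbin's own code): `g()` as transitive role inheritance, `keyMatch2` with `:param` and `/*` wildcards, `regexMatch` as an unanchored regular-expression search (as Go Casbin does; pycasbin anchors at the start), and `some(where (p.eft == allow))` as "any matching rule allows". The policy, role links and twelve requests embedded below are the ones listed above, and running it reproduces the enforcement results.

```python
import re

# Policy rows from the page, as (sub, obj, act); Casbin gives them eft == allow by default.
P_RULES = [("role:user", "user", a) for a in ("add", "update", "delete")] + [
    ("role:admin", o, a) for o in ("user", "book") for a in ("add", "update", "delete")]
# Role links from the page: g, <user>, <role>
G_LINKS = [("user001", "role:admin"), ("user002", "role:user")]
# The twelve requests from the page, in the same order.
REQUESTS = [(u, o, a) for u in ("user001", "user002")
            for o in ("user", "book") for a in ("add", "update", "delete")]


def key_match2(key1: str, key2: str) -> bool:
    """keyMatch2: '/*' matches any suffix, ':name' matches exactly one path segment."""
    pattern = key2.replace("/*", "/.*")
    pattern = re.sub(r":[^/]+", r"[^/]+", pattern)
    return re.fullmatch(pattern, key1) is not None


def regex_match(key1: str, key2: str) -> bool:
    """regexMatch: key2 is a regular expression searched in key1 (unanchored, like Go Casbin)."""
    return re.search(key2, key1) is not None


def has_role(links, sub: str, role: str, seen=None) -> bool:
    """g(r.sub, p.sub): true if sub is the role itself or inherits it transitively."""
    if sub == role:
        return True
    if seen is None:
        seen = set()
    seen.add(sub)  # guards against cycles in the role graph
    return any(has_role(links, r, role, seen) for s, r in links if s == sub and r not in seen)


def enforce(rules, links, sub: str, obj: str, act: str) -> bool:
    """policy_effect some(where (p.eft == allow)): one matching allow rule is enough."""
    return any(has_role(links, sub, p_sub) and key_match2(obj, p_obj) and regex_match(act, p_act)
               for p_sub, p_obj, p_act in rules)


def run_requests(rules=P_RULES, links=G_LINKS, requests=REQUESTS):
    """Evaluate every request; returns the list of decisions shown on the page."""
    return [enforce(rules, links, *req) for req in requests]


if __name__ == "__main__":
    for req, decision in zip(REQUESTS, run_requests()):
        print(", ".join(req), "->", str(decision).lower())
```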

Related screenshots

References

1. https://casbin.org/en/editor

2. http://www.jos.org.cn/jos/ch/reader/view_abstract.aspx?flag=1&file_no=5624&journal_id=jos

Originally published 2020-03-10 on the WeChat public account Tinywan的杂货摊; shared here through Tencent Cloud's self-media syndication program.
