1 Distributed Evaluation of XACML Policies
Vijayant Dhankhar, George Mason University
Saket Kaushik, Oracle and George Mason University
Duminda Wijesekera, George Mason University
Anil Nerode, Cornell University

2 Introduction
Nov 2nd 2007, SWS'07 © Vijayant Dhankhar, Saket Kaushik, Duminda Wijesekera and Anil Nerode
XACML is the default access control language for Web Services. Currently it does not support collaboration between distributed access controllers. We provide a solution by distributing the XACML policy decision point (PDP).

3 Outline
Motivation
Architecture
Enhancements to XACML
Examples
Implementation details
Performance
Ongoing work

4 Motivation
[Figure: a Client sends a Service Request to a Choreographed Service made up of WS1 and WS2; each service is guarded by its own access controller (PDP1, PDP2) and returns a Response. Layers shown: Client Layer, Service Layer, Access Controller.]
Providing individual control over collaborating services requires collaboration among the access controllers.

5 Current XACML Architecture
[Figure only on this slide]

6 Architectural Enhancements
[Figure: the PEP submits to a Master PDP, which drives Child PDP 1 and Child PDP 2 through an Evaluation Coordinator; a Lock Manager exchanges serialization messages with the PDPs, and a Resource Manager serves Acquire Resource calls.]
Hierarchically organized multiple PDPs support an ask-tell interface between distributed PDPs.

7 Functional Enhancements
Concurrently evaluates an access control request made to multiple PDPs
–Updates resource status based on the individual access control decisions
–Decisions are consistent across submission points
Transactional policy evaluation
–Success (Permit, Deny)
–Competing requests have no side-effects on each other (due to SoD constraints)
–Failure tolerant: network, exclusive access, etc.

8 Sample Enabled Use Case
Consider a web service that provisions bulk data transfers between international locations within a specified time window. Circuit-switched MPLS links in the path belong to partner organizations (Verio and DOCOMO). Both partners must agree to synchronize their link reservations to transfer the data.
–If provisioning is possible: both partners must individually commit their resources to transfer the data.
–If provisioning is not possible: neither partner should commit its resources.
Because network resources are individual assets, business partners may not be willing to share their scheduling information.
Resources of the partners have to be used exclusively by at most one requester at a time.

9 Sample Use Case
[Figure: a Service request reaches a Central Server, which sends a Request Reservation to Verio and to DOCOMO; the two partners must agree to synchronize their reservations and lock them.]

10 Sample Use Case
[Figure: the PEP submits to a Master PDP whose Evaluation Coordinator fans out to the DOCOMO PDP and the Verio PDP; a Lock Manager and a Shared Resource Manager sit between them, backed by the Docomo Resource Manager and the Verio Resource Managers.]

11 Distributed Evaluation
1. The PEP intercepts an access request and forwards it to the master PDP.
2. The master PDP identifies the child PDPs to be used for evaluating the request and forwards the request to them.
3. Each child PDP applies its local policy; the result (Permit/Deny) is communicated to the master.
4. The master combines all local results and forwards the combined decision to the PEP.

12 Updating Resources
Because of distributed policy evaluation, resource allocation commitments may run into read-write and write-write conflicts. That is, one PDP may need to read resources (or their attributes) that are being modified by a concurrent evaluation that has yet to complete. To avoid inconsistencies in evaluation, we prevent such conflicts during policy evaluation.
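Slides 11 and 12 together describe a transactional evaluation: the master takes locks on every resource a request touches, fans the request out to the child PDPs, combines their decisions, and applies the partners' resource updates only when the combined decision is Permit. The Python model below is an added example written for this transcript; it is not the authors' edu.gmu.xacml code, and everything in it is a hypothetical choice made here: the class names (LockManager, ResourceManager, ChildPDP, MasterPDP), the "verio:"/"docomo:" resource ids, the capacity figures, the deny-overrides combining rule, and the in-process calls standing in for the web-service invocations the real implementation uses.

```python
"""Toy model of hierarchical XACML evaluation with transactional resource
updates. Added example for this transcript, not the authors' edu.gmu.xacml
code: every class, identifier and capacity figure here is hypothetical."""
import threading
from dataclasses import dataclass

PERMIT, DENY, INDETERMINATE = "Permit", "Deny", "Indeterminate"


@dataclass
class Request:
    subject: str
    resources: dict  # resource id -> capacity asked for, e.g. {"verio:link1": 10}


class LockManager:
    """Exclusive locks keyed by resource id. A transaction must hold the lock on
    every resource it touches before any child PDP reads or updates it, so a
    concurrent evaluation never observes half-committed state (slide 12)."""

    def __init__(self):
        self._owner = {}
        self._mutex = threading.Lock()

    def acquire(self, txid, resources):
        with self._mutex:
            if any(self._owner.get(r, txid) != txid for r in resources):
                return False  # another transaction holds at least one of them
            for r in resources:
                self._owner[r] = txid
            return True

    def release(self, txid):
        with self._mutex:
            for r in [r for r, t in self._owner.items() if t == txid]:
                del self._owner[r]


class ResourceManager:
    """One per partner. Capacity is read during evaluation and written only at
    commit, after the master has a combined Permit."""

    def __init__(self, capacity):
        self.capacity = dict(capacity)

    def commit(self, updates):
        for r, amount in updates.items():
            self.capacity[r] -= amount


class ChildPDP:
    """Local policy (hypothetical): Permit iff the subject is a known partner
    client and every link of ours named in the request has enough capacity."""

    def __init__(self, prefix, rm, allowed_subjects):
        self.prefix, self.rm, self.allowed = prefix, rm, set(allowed_subjects)

    def evaluate(self, req):
        mine = {r: a for r, a in req.resources.items() if r.startswith(self.prefix)}
        if req.subject not in self.allowed:
            return DENY, {}
        if any(self.rm.capacity.get(r, 0) < a for r, a in mine.items()):
            return DENY, {}
        return PERMIT, mine  # proposed update; applied only if the master commits


class MasterPDP:
    """Fans the request out to the children, combines with deny-overrides and
    commits all partners' updates together or none of them."""

    def __init__(self, children, locks):
        self.children, self.locks, self._seq = children, locks, 0

    def evaluate(self, req):
        self._seq += 1
        txid = self._seq
        if not self.locks.acquire(txid, req.resources):
            return INDETERMINATE  # competing evaluation in flight; the PEP may retry
        try:
            results = [child.evaluate(req) for child in self.children]
            if any(decision == DENY for decision, _ in results):
                return DENY  # no partner commits anything
            for child, (_, update) in zip(self.children, results):
                child.rm.commit(update)
            return PERMIT
        finally:
            self.locks.release(txid)  # released on success, denial and error alike


def demo():
    """Constructed scenario: Verio has 10 units on link1, DOCOMO 5 on link7."""
    verio = ResourceManager({"verio:link1": 10})
    docomo = ResourceManager({"docomo:link7": 5})
    master = MasterPDP([ChildPDP("verio:", verio, {"acme"}),
                        ChildPDP("docomo:", docomo, {"acme"})], LockManager())
    first = master.evaluate(Request("acme", {"verio:link1": 10, "docomo:link7": 10}))
    second = master.evaluate(Request("acme", {"verio:link1": 5, "docomo:link7": 5}))
    return first, second, verio.capacity["verio:link1"], docomo.capacity["docomo:link7"]


if __name__ == "__main__":
    print(demo())
```

In demo() the first request is permitted by the Verio child but denied by the DOCOMO child, so the master returns Deny and Verio's capacity is left untouched: a failed evaluation has no side-effect on either partner, which is the "none of the partners should commit" case of slide 8. The second request fits on both links, is permitted, and both commits happen under the same locks. A request that arrives while another transaction holds a lock on one of its resources gets Indeterminate instead of reading capacity that a concurrent evaluation is about to change, which is the read-write conflict slide 12 rules out.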

13 Evaluation Messages
[Figure only on this slide]

14 Implementation details
Enhances Sun's XACML Implementation.
Lock Manager and Resource Manager are implemented as web services.
Significant changes to classes
–com.sun.xacml {PDP/PDPconfig/Rule/Policy}
–to evaluate the new extended syntax
Added the following classes
–edu.gmu.xacml {AquireLock, PreAction, PostAction, Update, ReleaseLock}
New interfaces for web service invocations
–edu.gmu.xacml.lock
–edu.gmu.xacml.resource
–edu.gmu.xacml.pdp

15 Performance
[Figure only on this slide]

16 Ongoing Work
Distributing the PEP to enable distributed policy enforcement
N-level decision-based resource updates to enable deeply nested XACML policy executions
Meta-policy driven serialization
Developing semantics consistent with legacy systems
