In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro
application to define its specific policies while the enforcement is performed in an efficient manner by the GCS. This is achieved by defining a set of basic group operations and roles that can be controlled and enforced by the GCS. Any application-specific policy can be decomposed into these basic operations, and application-specific roles can be mapped to system roles.

We analyze the implications of process (server and client) failures and network connectivity changes on the life cycle of a group policy in general, and of an access control policy in particular, and suggest how these issues can be addressed.

Roadmap

We discuss the failure and trust models we use in Section 2. In Section 3 we present in detail the components of a group policy, while in Section 4 we discuss the effects of process failures and network partitions on the life cycle of the policy. We overview related work in Section 5. Finally, we summarize our work and suggest future work directions in Section 6.
2 Trust and Failure Models

In this section, we discuss the trust and failure models we are using in this paper.

2.1 Trust Model
In a client-server GCS, a trust model has to define the trust relationships within each layer (the trust relationship between clients and the trust relationship between servers) as well as between layers (i.e. whether clients trust servers or not). Given this environment, several trust models are possible, ranging from a model where no entity trusts any other entity for any operation, both within a layer and between layers, to an optimistic model where servers and clients trust each other completely. In this paper, we adopt the following trust model:

- Servers trust each other. In order for the system to be bootstrapped correctly, a list of legitimate servers should be provided to all servers, in the form of an ACL. Setting up this list is a system administrator's task and not an application task. We assume that there is a way to authenticate a server when it comes up and to verify whether it is on the authorized configuration list. Once authenticated and authorized, all servers trust each other. We note that in general the number of servers is small and that the way these systems are used is to first define a server configuration that provides the best performance for a specific network environment and application deployment. Therefore, in this case, an ACL is an acceptable solution.

- Clients trust servers to enforce the access control policy. This assumption is acceptable because, in the client-server GCS architecture, clients already trust the servers to maintain group membership and to transport, order and deliver group messages, so it seems natural to trust them also for enforcing the access control policy. Furthermore, this allows for more efficient enforcement, since in numerous cases the decision can be made by each server locally, diminishing the communication overhead.

- Clients are not trusted (either by the other clients or by the servers). Therefore, compromising one client does not compromise the security of the whole system.
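The following added example (not the paper's code) sketches the trust model above together with the policy decomposition from the introduction: a server admits a peer only if it is authenticated and on the administrator-provided ACL, and it authorizes an untrusted client locally by mapping the application's roles and operations onto system roles and basic group operations. The concrete operation and role names are constructed assumptions; the paper's own definitions are in its Section 3.

```python
# Added example (not the paper's code) of the trust model and policy
# decomposition described above. The basic operations, system roles and
# application roles below are constructed assumptions, not the paper's.
from dataclasses import dataclass, field

# Basic group operations the GCS can control and enforce itself.
BASIC_OPS = frozenset({"join", "leave", "send"})
# System roles, each granting a subset of the basic operations.
SYSTEM_ROLES = {
    "member": {"join", "leave", "send"},
    "observer": {"join", "leave"},
}


@dataclass
class GroupPolicy:
    """Application-specific policy expressed in GCS-enforceable terms."""
    role_map: dict  # application role -> system role
    op_map: dict    # application operation -> basic operations it needs

    def allows(self, app_role: str, app_op: str) -> bool:
        """Local decision: every basic operation the application operation
        decomposes into must be granted by the mapped system role."""
        sys_role = self.role_map.get(app_role)
        needed = self.op_map.get(app_op)
        if sys_role is None or needed is None or not needed <= BASIC_OPS:
            return False  # unknown role/operation or non-basic step: deny
        return needed <= SYSTEM_ROLES[sys_role]


@dataclass
class Server:
    """GCS server with the administrator-provided ACL of legitimate servers
    and the group policy it enforces on behalf of untrusted clients."""
    name: str
    server_acl: frozenset
    policy: GroupPolicy
    peers: set = field(default_factory=set)

    def admit_server(self, peer: str, authenticated: bool) -> bool:
        """Bootstrap check: trust a peer only once it is authenticated (by a
        lower layer, assumed here) and found on the configuration list."""
        if authenticated and peer in self.server_acl:
            self.peers.add(peer)
            return True
        return False

    def authorize_client(self, app_role: str, app_op: str) -> bool:
        """Clients are not trusted: the server decides from the policy alone."""
        return self.policy.allows(app_role, app_op)
```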
2.2 Failure Model

Our model considers a distributed system that is composed of a group of servers executing on several computers and coordinating their actions by exchanging messages. The message exchange is conducted via asynchronous multicast and unicast. Messages can be lost or corrupted. We assume that message corruption is masked by a lower layer. A client obtains the group communication services by connecting to one of the servers. A client can connect locally or remotely. Both clients and servers may fail. When a server fails, all the clients that are connected to that server will stop receiving group communication services; they are not redirected to other servers.
Due to network events (e.g., congestion or outright failures) the network can be split into disconnected subnetwork fragments. At the group communication layer, this is referred to as a partition. A network partition splits the servers and can potentially split several client groups into different components. While processes (servers or clients) are in separate disconnected components they cannot exchange messages. When a network partition is repaired, the disconnected components merge into a larger connected component; at the group communication layer this is referred to as a merge. First the servers are merged, which in turn can trigger several client groups to be merged.

Byzantine (arbitrary) process failures are not considered in this work.