A Framework for Role-Based Access Control in Group Communica(6)

In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro

operatedbyaPolicyTranslationEnginethatparsesthegrouppolicyandoutputsanother lethattheGCSwilluseinmaking/enforcingaccesscontrol, lethatde nespermissionbasedontherolesandoperationsthattheGCSimplements.Twoadditionaloperationsarerequiredonceapolicyisinplace.The rstoneinvolvesacheckonmakingsurethatthepolicydoesnotincludeanycontradictoryrules.Thesecondonerelateswiththeonethepolicyisdistributedtotheotherserversandmakesurethatallservershavethesamepolicy.Incasethepolicyisstaticallisneededisthatthepolicyiscerti ed(digitallysigned)anddis-tributedbyaserver.Incasethepolicyisdynamic,thepolicy leshouldbetreatedasreplicateddataamongthesetofservers.

Besidesdecisionreaching,anotherimportantaspectiswhoisenforcinganoperation.Formostoftheoperations,theenforcementcanbedonelocallybytheserverthatmakestheauthorizationdecision.Forothergroupoperations,suchasgroupdestroying,theserverenforcingthedecisioncanbedi erentfromtheonemakingthedecision.Forlackofspacewecouldnotincludeadetaileddescriptiononhowenforcementisperformedoneachgroupoperations.Thisinforma-tionisavailablein[19].

4

LifeCycleofanAccessControlPol-icy

Intheprevioussectionwedescribedhowa ne-grainedaccesscontrolpolicyforGCScanbede nedandenforcedinamodelwherefaultsdonothappen.Unfortunately,thisisnotthecaseintherealworldwhereprocessescancrash,computerscanfail,net-workmis-con gurationscanhappen,orthenetworkoverloadcancreateunusuallatenciesthatcanbeper-ceivedasnetworkpartitions.Inthissectionweexam-inehowfailuresandnetworkconnectivitya ectthelifecycleofthepolicy.

Thelifecycleofapolicyisde nedbythepolicycreationandsubsequentupdates.Asdescribedintheprevioussectionweassumethatbasedonanapplica-tionpolicy’sspeci cationsagrouptemplateisgener-ated.ThecreationandrevisionofagrouptemplateishandledbytheadministratorofaGCS.Basedonthetemplate,agrouppolicyiscreatedwhenaclientallowedtocreategroups,createsagroupbasedonthetemplate.

Anaccesscontrolpolicycanbestatic,inotherwordsitcanneverchangeduringthelifeofthegroup,oritcanbedynamic,inwhichcaseitcansu er

changes.Incaseofdynamicpolicies,apolicyrecon-ciliationmustbeperformedinmanycases.Asshownin[16],policyreconciliationcannotalwaysbesolv-able,inwhichcasethequestioniswhathappenstothegroup.Forexample,currentgroupmembersthatdonotsatisfythepolicyanymorecanbeexcludedfromthegroup.Thistaskcanbetakenbythegroupcon-troller.Notethateveninthecaseofstaticpolicies,policyreconciliationcannotbeavoidedwhenseveralgroupsneedtobemerged.

Wenowdiscusswhathappenswhentwoormoregroupsneedtobemerged.Ifthegroupstobemergedhavetheoriginsinthesamegroup–e.g.theyaretheresultofanetworkpartitionthatseparatedagroup–andifthegrouppolicyisstatic,thegroupsshouldinfacthavethesamepolicysonoreconciliationwillbenecessary.Whatneedstobeaddressediswhowillbecomethenewgroupcontroller,sinceeachpolicyspeci esthesamegroupcreatoroftheoriginalgroup,butdi erentcontrollers.

Anothercaseiswhengroupswiththesamenamewerecreatedindependentlyinpartitionedcompo-nents.Somesystemsuniquelyidentifygroupsbasedonlyonthegroupname,sotheywilltrytomergethegroups,which,canpossiblyhavedi erentpolicies.Again,thereisnoguaranteethatareconciliationispossible.Incaseareconciliationisnotpossible,theserverscandecidetodestroythegroupandinformallclientsthatthegroupwasdestroyedbecauseapolicyreconciliationwasnotpossible.IftheGCSidenti- esgroupsnotonlybyname2,thengroupscreatedindependentlyinpartitionedcomponentswillbein-terpretedasdi erentgroupsandnomergeandpolicyreconciliationwillberequired.

Fromthepreviousscenariositisapparentthatthepolicyframeworkshouldspecifyandprovidesupportfortheselectionofanewgroupcontroller.Thereareseveraleventsthatcandrivesuchaneed:

aclientorservercrashed:Theclientthatcrashedwasthegroupcontroller,ortheserverthatcrashedwasservingthegroupcontroller3.

anetworkpartitionoccurred:Thegroupcon-trollerwillenduponlyinonenetworkcomponent,whiletheothercomponentswillneedtoselectanewgroupcontroller.

anetworkmergeoccurredandpolicyreconcili-ationwaspossible:Inthiscasethenewmerge

2One

possibilityistoaddalsotheidenti eroftheserver

thatrepresentstheentirecon gurationofserversinanetworkcomponent.

3Ourfailuremodelassumesthatclientsarenotredirectedwhentheservertheyareconnectedtocrashes,soalltheclientsconnectedtothatserverwillfailtoo.