09-11-2012, 04:20 PM
Cooperative Secondary Authorization Recycling
Abstract
As enterprise systems, Grids, and other distributed applications scale up and become increasingly complex, their authorization infrastructures—based predominantly on the request-response paradigm—are facing the challenges of fragility and poor scalability. We propose an approach where each application server recycles previously received authorizations and shares them with other application servers to mask authorization server failures and network delays. This paper presents the design of our cooperative secondary authorization recycling system and its evaluation using simulation and prototype implementation. The results demonstrate that our approach improves the availability and performance of authorization infrastructures. Specifically, by sharing authorizations, the cache hit rate—an indirect metric of availability—can reach 70 percent, even when only 10 percent of authorizations are cached. Depending on the deployment scenario, the average time for authorizing an application request can be reduced by up to a factor of two compared with systems that do not employ cooperation.
INTRODUCTION
Architectures of modern access control solutions [1], [2], [3], [4], [5] are based on the request-response paradigm, illustrated in the dashed box in Fig. 1. In this paradigm, a policy enforcement point (PEP) intercepts application requests, obtains access control decisions (a.k.a. authorizations) from the policy decision point (PDP), and enforces those decisions.

In large enterprise systems, PDPs are commonly implemented as logically centralized authorization servers, providing important benefits: consistent policy enforcement across multiple PEPs and reduced administration costs of authorization policies. As with all centralized architectures, this architecture has two critical drawbacks: the PDP is a single point of failure, as well as a potential performance bottleneck.

The single point of failure property of the PDP leads to reduced availability: the authorization server may not be reachable due to a failure (transient, intermittent, or permanent) of the network, of the software located in the critical path (e.g., OS), of the hardware, or even from a misconfiguration of the supporting infrastructure. A conventional approach to improving the availability of a distributed infrastructure is failure masking through redundancy of either information or time or through physical redundancy [6]. However, redundancy and other general purpose fault-tolerant techniques for distributed systems scale poorly and become technically and economically infeasible when the number of entities in the system reaches thousands [7], [8].
SECONDARY AND APPROXIMATE AUTHORIZATION MODEL (SAAM)
SAAM [11] is a general framework for making use of cached PDP responses to compute approximate responses for new authorization requests. An authorization request is a tuple (s, o, a, c, i), where s is the subject, o is the object, a is the access right, c is the request contextual information, and i is the request identifier. Two requests are equivalent if they only differ in their identifiers. An authorization response to request (s, o, a, c, i) is a tuple (r, i, E, d), where r is the response identifier, i is the corresponding request identifier, d is the decision, and E is the evidence. The evidence is a list of response identifiers that were used for computing a response and can be used to verify the correctness of the response.

In addition, SAAM defines the primary, secondary, precise, and approximate authorization responses. The primary response is a response made by the PDP, and the secondary response is a response produced by an SDP. A response is precise if it is a primary response to the request in question or a response to an equivalent request. Otherwise, if the SDP infers the response based on the responses to other requests, the response is approximate.
Discovery Service
One essential component enabling cooperative SDPs to share their authorizations is the discovery service (DS), which helps an SDP find other SDPs that might be able to resolve a request. A naive approach to implementing the discovery functionality is request broadcasting: whenever an SDP receives a request from its PEP, it broadcasts the request to all other cooperating SDPs. All SDPs attempt to resolve the request, and the PEP enforces the response it receives first. This approach is straightforward and might be effective when the number of cooperating SDPs is small and the cost of broadcasting is low. However, it has two important drawbacks. First, it inevitably increases the load on all SDPs. Second, it causes high traffic overhead when SDPs are geographically distributed. To address these two drawbacks, we introduced the DS to achieve selective request distribution: an SDP in CSAR sends requests only to those SDPs that are likely to be able to resolve them.
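The SAAM request and response tuples above, together with the selective request distribution the DS provides, as an added Python illustration (example code written for this post, not the paper's or the CSAR prototype's). It assumes a toy policy model of (subject, object, right) to decision, a DS index keyed on the request subject, and that an SDP recycles a peer's response into its own cache; all three are assumptions, not details from the paper.

```python
"""Added illustration of SAAM requests/responses and of selective request
distribution through a discovery service (DS).  Example code, not the paper's;
the subject-keyed DS index and the toy policy model are assumptions."""
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

_response_ids = itertools.count(1)  # system-wide response identifiers (assumed)


@dataclass(frozen=True)
class Request:
    """Authorization request (s, o, a, c, i)."""
    s: str  # subject
    o: str  # object
    a: str  # access right
    c: str  # contextual information
    i: int  # request identifier

    def key(self) -> Tuple[str, str, str, str]:
        # Two requests are equivalent if they differ only in their identifier.
        return (self.s, self.o, self.a, self.c)


@dataclass(frozen=True)
class Response:
    """Authorization response (r, i, E, d) plus SAAM's primary/secondary and precise flags."""
    r: int              # response identifier
    i: int              # identifier of the request being answered
    E: Tuple[int, ...]  # evidence: response identifiers used to compute this response
    d: str              # decision: "allow" or "deny"
    kind: str           # "primary" (made by the PDP) or "secondary" (made by an SDP)
    precise: bool       # primary response, or response to an equivalent request


class PDP:
    """Authorization server with a toy (s, o, a) -> decision policy, default deny (assumed)."""

    def __init__(self, policy: Dict[Tuple[str, str, str], str]) -> None:
        self.policy = policy
        self.available = True

    def decide(self, req: Request) -> Response:
        if not self.available:
            raise ConnectionError("PDP unreachable")
        d = self.policy.get((req.s, req.o, req.a), "deny")
        return Response(next(_response_ids), req.i, (), d, "primary", True)


class DiscoveryService:
    """Maps a subject to the SDPs holding cached responses for it (assumed index design)."""

    def __init__(self) -> None:
        self.index: Dict[str, Set["SDP"]] = {}

    def register(self, subject: str, sdp: "SDP") -> None:
        self.index.setdefault(subject, set()).add(sdp)

    def lookup(self, subject: str, requester: "SDP") -> List["SDP"]:
        # Only SDPs likely to resolve the request, never the requester itself.
        return [p for p in self.index.get(subject, set()) if p is not requester]


class SDP:
    """Secondary decision point: recycles cached responses and cooperates via the DS."""

    def __init__(self, name: str, pdp: PDP, ds: DiscoveryService) -> None:
        self.name, self.pdp, self.ds = name, pdp, ds
        self.cache: Dict[Tuple[str, str, str, str], Response] = {}
        self.peer_probes = 0  # how often other SDPs asked this one (load metric)

    def resolve_locally(self, req: Request) -> Optional[Response]:
        hit = self.cache.get(req.key())
        if hit is None:
            return None
        # Cached response to an equivalent request: a precise secondary response
        # whose evidence is the identifier of the cached response it relies on.
        return Response(next(_response_ids), req.i, (hit.r,), hit.d, "secondary", True)

    def authorize(self, req: Request) -> Response:
        local = self.resolve_locally(req)
        if local is not None:
            return local
        # Selective distribution: ask only the SDPs the DS names, not every SDP.
        for peer in self.ds.lookup(req.s, self):
            peer.peer_probes += 1
            resp = peer.resolve_locally(req)
            if resp is not None:
                self._store(req, resp)  # recycle the peer's authorization locally too
                return resp
        primary = self.pdp.decide(req)  # fall back to the PDP, which may be down
        self._store(req, primary)
        return primary

    def _store(self, req: Request, resp: Response) -> None:
        self.cache[req.key()] = resp
        self.ds.register(req.s, self)


def demo() -> dict:
    """Three SDPs; the PDP becomes unreachable after the first authorization (constructed)."""
    pdp = PDP({("alice", "report.pdf", "read"): "allow"})
    ds = DiscoveryService()
    sdp1, sdp2, sdp3 = (SDP(n, pdp, ds) for n in ("sdp1", "sdp2", "sdp3"))
    first = sdp1.authorize(Request("alice", "report.pdf", "read", "office", 1))
    pdp.available = False  # failure masked for sdp2 through cooperation with sdp1
    second = sdp2.authorize(Request("alice", "report.pdf", "read", "office", 2))
    third = sdp2.authorize(Request("alice", "report.pdf", "read", "office", 3))
    try:
        sdp3.authorize(Request("bob", "report.pdf", "read", "office", 4))
        unresolved = None
    except ConnectionError as exc:  # nobody has cached anything for bob
        unresolved = str(exc)
    return {"first": first, "second": second, "third": third,
            "probes": (sdp1.peer_probes, sdp2.peer_probes, sdp3.peer_probes),
            "unresolved": unresolved}
```

In the scenario, sdp2's request is answered by sdp1 alone: the DS names only the SDP that has cached a response for the subject, so sdp3 is never loaded, which is the point of selective distribution over broadcasting. The evidence chain (each secondary response carries the identifier of the response it was derived from) is what a verifier would follow back to the PDP's primary response.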
Consistency
Similar to other distributed systems employing caching, CSAR needs to deal with cache consistency issues. In our system, SDP caches may become inconsistent when access control policy changes at the PDP. In this section, we describe how consistency is achieved in CSAR.

We first state our assumptions relevant to the access control systems. We assume that the PDP makes decisions using an access control policy stored persistently in a policy store of the authorization server. In practice, the policy store can be a policy database or a collection of policy files. We further assume that security administrators deploy and update policies through the policy administration point (PAP), which is consistent with the XACML architecture [16].

To avoid modifying existing authorization servers and maintain backward compatibility, we further add a policy change manager (PCM), collocated with the policy store. The PCM monitors the policy store, detects policy changes, and informs the SDPs about the changes. The refined architecture of the authorization server is presented in Fig. 3.
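The PCM role described above, as an added Python illustration (example code written for this post, not the paper's). The policy store modelled as a dictionary of named policy texts, a content hash of the whole store serving as the policy version, and SDPs flushing every cached response when notified are all assumptions; the paper's own detection and notification mechanism is not detailed in the excerpt.

```python
"""Added illustration of a policy change manager (PCM) that watches the policy
store and tells SDPs to drop cached responses made under a superseded policy.
Example code, not the paper's; the dict-backed store, the content-hash version
and the flush-on-change cache policy are assumptions."""
import hashlib
from typing import Dict, List, Optional, Tuple


class PolicyStore:
    """Policy database or set of policy files; the PAP updates it through write()."""

    def __init__(self, files: Dict[str, str]) -> None:
        self.files = dict(files)

    def write(self, name: str, text: str) -> None:
        self.files[name] = text


class SDPCache:
    """Cached authorizations of one SDP, tagged with the policy version they were made under."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str, str], str] = {}
        self.policy_version: Optional[str] = None

    def put(self, key: Tuple[str, str, str], decision: str) -> None:
        self.entries[key] = decision

    def get(self, key: Tuple[str, str, str]) -> Optional[str]:
        return self.entries.get(key)

    def on_policy_change(self, new_version: str) -> None:
        # Responses computed under the old policy can no longer be trusted: flush them.
        self.entries.clear()
        self.policy_version = new_version


class PolicyChangeManager:
    """Collocated with the policy store; detects changes and informs subscribed SDPs."""

    def __init__(self, store: PolicyStore) -> None:
        self.store = store
        self.subscribers: List[SDPCache] = []
        self.version = self.fingerprint()

    def fingerprint(self) -> str:
        # Hash names and contents of the whole store, so that rewriting a file
        # with identical content does not count as a policy change.
        h = hashlib.sha256()
        for name in sorted(self.store.files):
            h.update(name.encode())
            h.update(b"\0")
            h.update(self.store.files[name].encode())
            h.update(b"\0")
        return h.hexdigest()

    def subscribe(self, cache: SDPCache) -> None:
        self.subscribers.append(cache)
        cache.policy_version = self.version

    def poll(self) -> bool:
        """Run periodically or from a store trigger; True when a change was pushed to SDPs."""
        current = self.fingerprint()
        if current == self.version:
            return False
        self.version = current
        for cache in self.subscribers:
            cache.on_policy_change(current)
        return True


def demo() -> dict:
    """Two SDP caches; one no-op rewrite, then a real policy change (constructed data)."""
    store = PolicyStore({"main.xml": "alice may read report.pdf"})
    pcm = PolicyChangeManager(store)
    sdp_a, sdp_b = SDPCache(), SDPCache()
    pcm.subscribe(sdp_a)
    pcm.subscribe(sdp_b)
    key = ("alice", "report.pdf", "read")
    sdp_a.put(key, "allow")
    v0 = pcm.version
    store.write("main.xml", "alice may read report.pdf")       # rewrite, same content
    noop = pcm.poll()
    still_cached = sdp_a.get(key)
    store.write("main.xml", "alice may NOT read report.pdf")   # real change via the PAP
    changed = pcm.poll()
    return {"noop": noop, "still_cached": still_cached, "changed": changed,
            "after": sdp_a.get(key),
            "versions_agree": sdp_a.policy_version == sdp_b.policy_version == pcm.version,
            "version_changed": pcm.version != v0}
```

Flushing everything on any change is the simplest consistent behaviour; it trades cache hit rate for correctness right after an update, which is the moment an SDP is most likely to be holding a decision the new policy would reverse.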
CONCLUSION
As distributed systems scale up and become increasingly complex, their access control infrastructures face new challenges. Conventional request-response authorization architectures become fragile and do not scale to massive deployments. Caching authorization decisions has long been used to improve access control infrastructure availability and performance. In this paper, we build on this idea and on the idea of inferring approximate authorization decisions at intermediary control points and propose a cooperative approach to further improve the availability and performance of access control solutions. Our CSAR approach exploits the increased hit rate offered by a larger distributed cooperative cache of access control decisions. We believe that this solution is especially practical in distributed systems involving cooperating parties or replicated services due to the high overlap in their user/resource spaces and the need for consistent policy enforcement.