Conference: International computer science and engineering conference

A chain calling in coordination for multi-tenant collaborative cloud services

Abstract

Currently, a cloud service is widely available but its access control is usually limited and tied only to its tenancy in isolation. To take full advantage of cloud services, multiple tenancies with some level of mutual trust would seek to collaborate and share their resources. However, building a collaborative application from inter-related chain callings to various services on a single or multiple cloud systems encounters an access control challenge, and it becomes a big barrier to its adoption. To provide an appropriate fine-grained chain calling authorization, this paper proposes an extension to the Multi-Tenant Authorization System Model (MTAS), named “Chain Calling Coordination in MTAS” (C-MTAS). In the MTAS, a service with several chain callings would require the model to break a tenant's role into too many sub-roles with a limited trust scope. This would unintentionally increase the number of roles, which could lead to breaches. It would also be hard to maintain. We, instead, propose to separate a tenant element to make a non-redundant, clear and simplified set of roles and permissions. The benefit of our model to the MTAS is shown by applying both models to the same concrete scenario. We found that our model gives a cleaner and smaller set of rules as compared to the MTAS's. We also illustrate how to use our model via a practically feasible example policy in the XACML format. The prototype system is built as an Authorization as a Service (AaaS) platform, a middle layer on the part of the cloud services, which can be used by the same or across providers. Finally, it is tested on different hardware sets. The results showed that the model could be scalable.