Conference: International conference on information and communications security

SDAC: A New Software-Defined Access Control Paradigm for Cloud-Based Systems


Abstract

A cloud-based system usually runs in multiple geographically distributed datacenters, making the deployment of effective access control models extremely challenging. This paper presents a novel software-defined paradigm, called SDAC, to achieve scoped, flexible and dynamic access control. In particular, SDAC enables the tenant-specific generation of access control model and policy (SMPolicy in short), as well as their dynamic configuration by the cloud-hosting applications. To achieve that, SDAC uses an access control meta-model to initiate and customize different SMPolicies. Also, SDAC is decoupled into control plane and policy plane, allowing the global SMPolicy generated at the control plane to be efficiently propagated to the policy plane and enforced locally in different datacenters. As such, the local SMPolicy of a tenant can be synchronized with its global SMPolicy only when it's necessary, e.g., a user or a role cannot be identified. To validate the feasibility and effectiveness of SDAC, we implement a prototype in a carrier grade datacenter. The experimental results demonstrate that SDAC can achieve the desirable properties, maintain the throughput at a reasonable level regardless of the varying number of tenants, users, and datacenters, highly preserving scalability and adaptability.
