In this paper we analyze the requirements access control mechanisms must fulfill in the context of group communication and define a framework for supporting fine-grained access control in client-server group communication systems. Our framework combines ro
group will have to select one of the groups to be merged controller, as the new group controller. While we want the GCS to make the decisions, we would like to provide the application with the ability to specify the policy. Defining how failures should be handled can be done by the application. Of course some default policies can be used, in case an application does not want to deal with it. Faults can affect clients as well as servers, so a failure handling policy should be defined for both clients and servers.
Below we argue why a failure handling policy is required for both clients and servers. Consider the case of selecting a new group controller. If a group controller already exists, changing the group controller can be achieved by a simple role delegation. In case a group is merged, several legitimate group controllers will exist (one for each subgroup); the “oldest” controller will be selected as the new group controller. An interesting case is when the group controller failed and there is no authority that can perform the role delegation. In this case we can define an extension of the role of the client as a group controller to the server that it is connected to, so the server can temporarily take over the role of the group controller and just deterministically select (acting as a delegator) a new group controller from a list provided by the application. If the application did not provide such a list, this will be perceived as a fatal failure and the server can just decide to destroy the group.
Now, consider that the server itself crashed. In this case, the set of servers must decide which one of them will take over the task of selecting the new group controller. This can be done in several ways; the easiest is, for example, to deterministically select any of the servers (let’s say the first). If the application wants to restrict this to a particular set of servers, it can provide an ordered set of potential take-over servers or a percentage if a voting policy is desired.
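The selection rules described above, as an added sketch that is not code from the paper or from any group communication system. The names `FailurePolicy`, `select_controller` and `select_takeover_server` are hypothetical; reading “oldest” as earliest join time and treating an exhausted list as fatal are assumptions, and the voting (percentage) variant is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FailurePolicy:
    """Application-supplied failure policy; empty tuples mean 'no list given'."""
    controller_candidates: tuple = ()   # ordered clients eligible as controller
    takeover_servers: tuple = ()        # ordered servers allowed to take over

class GroupDestroyed(Exception):
    """Fatal failure: nobody may legitimately delegate the controller role."""

def select_takeover_server(live_servers, policy):
    """Server crash: deterministically pick the server that acts as delegator."""
    if policy.takeover_servers:
        eligible = [s for s in policy.takeover_servers if s in live_servers]
    else:
        eligible = sorted(live_servers)  # default: "the first" in a fixed order
    if not eligible:
        # Assumption: no eligible live server is treated as fatal (fail closed).
        raise GroupDestroyed("no eligible take-over server")
    return eligible[0]

def select_controller(members, controllers, policy):
    """members: {client: join_time} of live clients.
    controllers: clients holding the controller role, live or failed."""
    live = [c for c in controllers if c in members]
    if live:
        # Merge: one legitimate controller per subgroup, the "oldest" wins.
        # Assumption: oldest = earliest join_time, ties broken by name.
        return min(live, key=lambda c: (members[c], c))
    # Controller failed: the server delegates from the application's list.
    for candidate in policy.controller_candidates:
        if candidate in members:
            return candidate
    # No list (or, by assumption, no live candidate on it): destroy the group
    # rather than let an arbitrary member inherit the role.
    raise GroupDestroyed("controller failed and no usable candidate list")

if __name__ == "__main__":
    # Constructed sample data.
    members = {"alice": 10, "bob": 5, "carol": 7}
    policy = FailurePolicy(controller_candidates=("erin", "carol", "alice"))
    print(select_controller(members, {"alice", "bob"}, policy))
    print(select_controller(members, {"dave"}, policy))
    print(select_takeover_server({"s3", "s1", "s2"}, FailurePolicy()))
```

Because every server evaluates the same ordered lists over the same membership view, all of them reach the same choice without an extra agreement round, and the privileged role never passes to a client the application did not name.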
5 Related Work
There are several group communication systems that considered access control. The Ensemble secure group communication system [24, 25] assumes the ‘fortress’ model where an attack can come only from outside. The system uses a symmetric-key based key distribution scheme and uses Access Control List (ACL) as access control mechanism. The ACL is treated as replicated data within the group.
In [2] access control in groups is provided by using an authorization service, Akenti [27], which relies on X509 [22]. The method used is to have all group members registering with the authorization service off-line to obtain a membership certificate signed by the Akenti server, and then when the group membership changes, every member verifies the membership certificate and the personal certificate of every member. The approach relies on identity for access control and provides a coarse granularity for access control.
Relevant to our work, but somehow orthogonal is the Antigone [17] framework. Antigone provides a policy framework that allows flexible application-level group security policies in a more relaxed model than the one usually provided by group communication systems. Also relevant to our work is [11] that defines general requirements and components for a secure group policy.
Most of the systems described above provide access control based on identity of participants and do not discuss how failures can affect the enforcement of policies. As opposed to the schemes described above, our approach is not identity-based. Instead, we take advantage of role-based access control [26, 10] and RT [15], a family of Role-based Trust-management languages, to define a fine-grained access control framework for group communication systems. Such systems have both scalability and fault-tolerance requirements. We reasoned about how these requirements can be met while providing flexibility to the application in defining specific policies.
6 Conclusions
In this paper we have analyzed the requirements access control mechanisms must fulfill in the context of group communication and defined a framework for supporting fine-grained access control for groups. Our framework combines role-based access control mechanisms with environment parameters (time, IP address, etc.) to provide policy support for a wide range of applications with very different requirements. In order to provide both flexible policy and efficient enforcement, we use the group communication servers to decide and enforce access control. We identify the set of all possible group operations that can be controlled and define the group policy as a mapping between roles and operations using context as constraints. In addition, we suggest a way in which failure policy can also be specified by the application.
Several things remain to be addressed in future work. They include: providing a “user-friendly” interface for our framework so that policies can be generated in an automatic way based on user specifications