From: Syunsuke HAYASHI <syunsuke@jp.fujitsu.com>
To: xen-devel@lists.xensource.com
Subject: Finer access control framework over users, domains and operations.
Date: Mon, 19 May 2008 15:17:02 +0900 [thread overview]
Message-ID: <48311B5E.2060100@jp.fujitsu.com> (raw)
Hi, all
We propose an access control framework which considers users, domains
and operations.
The current implementation exclusively allows root to control guest
domains.
Guest administrators have to switch to root so they can bring their own
guest domains up and down.
To solve this problem, Xen should introduce a framework where the root's
privileges are split into restricted roles.
Every guest administrator controls concerning guest domains with a part
of the least privilege with these roles supplied.
Figure 1 presents an example of the access control.
+--------+ +--------+ +-------+
| userA | | userB | | root |
+--+--+--+ +--------+ +---+---+
operation | | operation | delegate the authority
to VM1 | | to VM2 v to userA
+---------+--+----------------+ +-------+-------+
| Access Control Module +----+ ACL Policy DB |
+---------+--+----------------+ +---------------+
| |
+------+ +-----+
|pass |fail
v v
+---+---+ +---+---+
| VM1 | | VM2 |
+-------+ +-------+
Figure 1. An example of the access control by a domain administrator
The Access Control Module (ACM) determines if an operation is permitted
based on the Access Control Policy DB.
Concretely, when a user is going to submit a comand to VM, the ACM
checks if the tuple (user, command, VM) is valid with respect to the ACL
Policy DB.
For example, as depicted in figure 1, userA can operate VM1 but cannot
operate VM2 because the ACL Policy DB states so.
Figure 2 shows the control path of Xen and the location of ACM in our
implementation.
Marked as "*" are the developed ACMs for this framework.
They are secured-xm, secured-libvirt and virt-manager.
Secured-xen-API is under development, though.
[Others] [console/shell] [virt-manager*]
(GUI/CLI) (CLI) (CLI) (GUI)
v v v v
[Dom0] | | | |
(Xen-API) (xm) (virsh) (libvirt-API)
| | | |
+-------------+--*+ +----+------*+ +-+---------+----*+
| secured-xen-API | | secured-xm | | secured-libvirt |
+=================+ +============+ +=================+
| xen-API | | xm | | libvirt(API) |
+-------------+---+ +----+-------+ +-+--+------+-----+
| | | | |
| | +-------+ | |
| | | | |
v v v v |
+-+----------+---+-+ +----+----+ |
| xend |<=>|xenstored| |
+-------+----------+ +---------+ |
| |
v |
+-------+-------+ |
| libxc | |
+-------+-------+ |
| |
v v
+-------+--------------------------+-+
| ioctl |
+------------------------------------+
Figure 2. Control path of Xen and Access Control Modules
We internally discussed which component should have ACM feature and
concluded xm/libvirt are the best.
But there was at least one another candidate, which was ioctl.
The brief summary is:
xm/libvirt approach:
* is able to keep implementations simple because a xen operation to be
controlled has one-to-one relation to a xm/libvirt command (pros.).
* requires each individual implementation for xm and libvirt (cons.).
ioctl approach:
* supports both xend and libvirt in a single implementaion (pros.).
* is complecated in terms of implementation because some xen operations
have one-to-many relations to ioctls. We have to resolve what xen
operation is submitted at the ioctl layer (cons.).
Since we are interested in the framework that realizes access control in
terms of user, operation and domain, xm/libvirt approach handling these
entities in a straightforward way seems promising.
Configuration files define entities and relations based on Role-based
Access Control (RBAC) model[1].
The concrete model employed here is:
USERS <--(UA)--> ROLES <--(PA)--> PRMS(OBS,OPS)
Term definitions are follows.
- USERS: a set of users
- ROLES: a set of roles
- PRMS(Permissions): the permission to the role
- OBS(Objects): the objects which applies ACL
- OPS(Operations): operation to the object
- UA(User Assignment): define user role relation
- PA(Permission Assignment): define role and permission relation
These entities and relations are defined in the separate two files:
UA file:
defines the relations between user and role, as well as user names.
PA file:
defines the relations between role and permission, as well as
operations and VM names.
An example is at the end of this document.
Root is responsible for editing UA and PA file to give a user a
permission to control a certain VM.
Here we show the example of UA and PA definition files.
[UA file]
<?xml version="1.0" ?>
<UserConfiguration>
<User name="hostManager"> <-- User account name
<UserRole role="HostOSManager"/> <-- Role name
</User>
<User name="user-admin">
<UserRole role="Administrator"/>
<UserRole role="PolicyManager"/>
</User>
</UserConfiguration>
[PA file]
<?xml version="1.0" ?>
<RolePolicyDefinition>
<Role name="HostOSManager"> <-- Role name
<ManageVM type="individual"> <-- "individual" means for one guest VM
<VM name="Domain-0"/> <-- VM name for operating
</ManageVM>
<ControlOperation>
<Accept>
<operation id="2"/> <-- Operation ID allowed to execute
<operation id="3"/>
<operation id="4"/>
.................
<operation id="62"/>
<operation id="63"/>
</Accept>
</ControlOperation>
</Role>
<Role name="Administrator">
<ManageVM type="individual">
<VM name="Domain-0"/>
</ManageVM>
<ControlOperation>
<Accept>
<operation id="16"/>
</Accept>
</ControlOperation>
</Role>
<Role name="PolicyManager">
<ManageVM type="individual">
<VM name="Domain-0"/>
</ManageVM>
<ControlOperation>
<Accept>
<operation id="16"/>
</Accept>
</ControlOperation>
</Role>
</RolePolicyDefinition>
References
==========================
[1] David F.Ferraiolo. et al., “Proposed NIST Standard for Role-Based
Access Control”, ACM Transaction on Institute and System Security,
Vol.4, No.3, August 2001, pp224-274.
Any comments are welcome.
Please let us know if there is a mailing list more appropriate than this
ML.
Best regards,
Syunsuke HAYASHI
Yutaka EZAKI
Masaki KANNO
Atsushi SAKAI
next reply other threads:[~2008-05-19 6:17 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-19 6:17 Syunsuke HAYASHI [this message]
2008-05-19 10:21 ` Finer access control framework over users, domains and operations Ian Jackson
2008-05-30 9:59 ` Syunsuke HAYASHI
2008-05-30 13:41 ` Ian Jackson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=48311B5E.2060100@jp.fujitsu.com \
--to=syunsuke@jp.fujitsu.com \
--cc=xen-devel@lists.xensource.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.