OpenStack Identity (keystone)

Attribute Based Access Control Model

Registered by Xin Jin on 2013-06-10

Our motivation is based on discussion of Attribute Based Access Control (ABAC) VS. Role Based Access Cotrol (RBAC) in the mailing list: http://lists.openstack.org/pipermail/openstack-dev/2012-November/003265.html.

In large organization, there are great needs of fine-grained access control over the resources. The current authorization process makes use of only one user attribute namely role. RBAC is not designed to express flexible and dynamic access control. RBAC shows its advantages in administration because of the assumption that role-permission assignment is static.
Attribute based access control (ABAC) is regarded as the candidate to achieve flexible and dynamic access control. Attributes are associated with users (e.g., organization, department, role), objects (i.e., resources) (e.g. owner, size) and environment (e.g. time, location). Access requests are evaluated based on the attributes of involved entities. For instance, for training purpose, a university temporarily allows all full time student users who are currently registered in course CS3423 to login the university cloud (with their school id which has been stored in the cloud) to create virtual machines with only ubuntu images. With ABAC, the IT administrator only needs to insert one policy, compared with the work of creating role, assigning permissions to role, and assigning users to roles explicitly in RBAC model.

This blueprint proposes to implement Attribute based access control (ABAC). The basic scope is to provide mechanisms to configure and enforce ABAC policies. Security architect manages attributes, write and enforce authorization policies on specific scope (e.g., project). Administrators of the cloud manages (admin or delegate) users and their attributes.
Our ultimate goals are: provide the mechanism to configure attribute based access control.
Initial keystone client side command and server APIs have been implemented. Example keystone client commands keystone attribute-create which creates a new attribute, keystone attribute-value-create which defines new allowable for an attribute.

More information is on project page: http://my.cs.utsa.edu/~xjin/abac.htm

Blueprint information

Status:: Complete

Approver:: None

Priority:: Undefined

Drafter:: Xin Jin

Direction:: Needs approval

Assignee:: UTSA-ICS

Definition:: Obsolete

Series goal:: None

Implementation:: Unknown

Milestone target:: None

Completed by: Steve Martinelli on 2016-08-01

Related branches

Related bugs

Sprints

Whiteboard

(stevemar 2016-07-31): I haven't seen any updates or useful links for this blueprint. Please submit a specification to the keystone-specs repository instead.

Related published papers:
1. Jin, X., Krishnan, R., Sandhu, R.: A Unified Attribute-Based Access Control Model Covering DAC, MAC and RBAC. In: DBSec (2012)

2. Xin Jin , Ravi Sandhu , Ram Krishnan, RABAC: Role-centric Attribute-based Access Control, Proceedings of the 6th international conference on Mathematical Methods, Models and Architectures for Computer Network Security: computer network security, October 17-19, 2012, St. Petersburg, Russia

(?)

Work Items

Work items:
Customizing user attributes in keystone: DONE
Customizing Object attributes: INPROGRESS
Configuring and Enforcing authorization policy : TODO
GUI Design: TODO

This blueprint contains Public information

Everyone can see this information.

Subscribers

Adam Heczko

Arvind Tiwari

Dilawar Singh

Duane DeCapite

Joe Savak

Marek Denis

Mathieu Lemay

Ruan HE

Vijay Subramanium