{"title":"Access control for a modular, extensible storage service","authors":"J. Bacon, R. Hayton, S. Lo, K. Moody","doi":"10.1109/SDNE.1994.337771","DOIUrl":null,"url":null,"abstract":"We have designed and built a modular and extensible multi service storage architecture (MSSA) which allows evolution from, and compatibility with, traditional applications. The MSSA comprises a two-level hierarchy of storage servers with value-adding service layers above them. We present the access control mechanism of the MSSA. Access control lists (ACLs) are used to allow fine grained expression of policy together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery. We report on experiences with a prototype implementation of the scheme and suggest some optimisations.<<ETX>>","PeriodicalId":174691,"journal":{"name":"Proceedings of IEEE Workshop on Services for Distributed and Networked Environments","volume":"2 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1994-06-27","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings of IEEE Workshop on Services for Distributed and Networked Environments","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/SDNE.1994.337771","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 5
Abstract
We have designed and built a modular and extensible multi service storage architecture (MSSA) which allows evolution from, and compatibility with, traditional applications. The MSSA comprises a two-level hierarchy of storage servers with value-adding service layers above them. We present the access control mechanism of the MSSA. Access control lists (ACLs) are used to allow fine grained expression of policy together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery. We report on experiences with a prototype implementation of the scheme and suggest some optimisations.<>
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
