High-performance authorization infrastructures

From NetSysLab

Jump to: navigation, search

Authorization protects application resources by allowing only authorized entities to access them. Existing authorization solutions are widely based on the request-response model, where a policy enforcement point intercepts application requests, obtains authorization decisions from a remote policy decision point, and enforces those decisions. This model enables sharing the decision point as an authorization service across multiple applications. But, with many requests and resources, using a single shared decision point presents the risk of introducing a bottleneck and/or a single point of failure. In this project, we propose and evaluate three approaches to addressing these problems.

The first approach introduces and evaluates the mechanisms for authorization recycling in role-based access control systems. The algorithms that support these mechanisms allow a local secondary decision point to not only reuse previously-cached decisions but also infer new decisions based on two simple rules, thereby masking possible failures of the central authorization service and reducing the network delays. Our evaluation results suggest that authorization recycling improves the availability and performance of distributed access control solutions.

The second approach explores a cooperative authorization recycling system, where each secondary decision point shares its ability of making decisions with others through a discovery service. Our system does not require cooperating secondary decision points to trust each other. To maintain cache consistency at multiple secondary decision points, we propose the alternative mechanisms for propagating update messages. Our evaluation results suggest that cooperation further improves the availability and performance of authorization infrastructures.

The third approach examines the use of a publish-subscribe channel for delivering authorization requests and responses between policy decision points and enforcement points. By removing enforcement points' dependance on a particular decision point, this approach helps improve system availability, which is confirmed by our analytical analysis, and reduce system administration/development overhead. We also propose several subscription schemes for different deployment environments and study them using a prototype system.

We also show that combining these three approaches can further improve the authorization system availability and performance, for example, by achieving a unified cooperation framework and using speculative authorizations.


[6] Qiang Wei, Towards Improving the Availability and Performance of Enterprise Authorization Systems, PhD dissertation, October 2009, link

[5] Authorization Recycling in Hierarchical RBAC Systems, Qiang Wei, Konstantin Beznosov, Jason Crampton, Matei Ripeanu, ACM Transactions on Information and System Security (accepted) pdf

[4] Cooperative Secondary Authorization Recycling, Qiang Wei, Matei Ripeanu, Konstantin Beznosov, IEEE Transactions on Parallel and Distributed Systems, vol.20, (3), pp275-288, February 2009. pdf

[3] Authorization Using the Publish-Subscribe Model, Qiang Wei, Matei Ripeanu, and Konstantin Beznosov; 6th IEEE International Symposium on Parallel and Distributed Processing and Applications (ISPA), Sydney, Australia, December 2008. (acceptance rate 36%) pdf slides

[2] Authorization Recycling in RBAC Systems, Qiang Wei, Konstantin Beznosov, Jason Crampton, Matei Ripeanu, ACM Symposium on Access Control Models and Technologies (SACMAT'08), Estes Park, CO, June 11-13, 2008. (acceptance rate 22%)pdf slides

[1] Cooperative Secondary Authorization Recycling, Qiang Wei, Matei Ripeanu, Konstantin Beznosov, 16th IEEE International Symposium on High Performance Distributed Computing (HPDC), Monterey Bay, CA, June 2007. (acceptance rate 20%) abstractpdf slides