Cassandra distributed access control policies with tunable expressiveness

Cassandra: Distributed Access Control Policies with Tunable Expressiveness

Moritz Y. Becker Peter Sewell
Computer Laboratory, University of Cambridge
JJ Thomson Avenue, Cambridge, United Kingdom
{moritz.becker, peter.sewell}@cl.cam.ac.uk

Abstract attributes about entities holding them. In systems support-
ing trust negotiation [19], peers establish trust between
We study the specification of access control policy in each other by exchanging sets of suitable credentials. A
large-scale distributed systems. Our work on real-world policy specification language is used to define a system’s
policies has shown that standard policy idioms such as role security policy, a set of rules specifying the security goals
hierarchy or role delegation occur in practice in many sub- in a high-level language. This approach separates pol-
tle variants. A policy specification language should there- icy from implementation, simplifies security administration
fore be able to express this variety of features smoothly, and facilitates policy evolution.
rather than add them as specific features in an ad hoc way, The diversity of emerging applications with widely dif-
as is the case in many existing languages. fering security requirements has led to the development of a
We present Cassandra, a role-based trust management variety of increasingly expressive policy specification lan-
system with an elegant and readable policy specification guages (e.g. [5, 6, 9, 11, 14, 13, 12, 7]). Existing ones are
language based on Datalog with constraints. The expres- extended to accommodate more complex policies. For ex-
siveness (and computational complexity) of the language ample, the role-based trust management language RT0 [14]
can be adjusted by choosing an appropriate constraint do- was extended to RT1 to handle parameterised roles, and
main. With just five special predicates, we can easily ex- to RT T to express separation of duties [13]. Another ex-
C
press a wide range of policies including role hierarchy, tension of RT , RT1 [12], provides constructs for limiting
role delegation, separation of duties, cascading revoca- the range of role parameters using constraints. However,
tion, automatic credential discovery and trust negotiation. adding constructs to a language in an ad hoc fashion to in-
Cassandra has a formal semantics for query evaluation and crease its expressiveness has several disadvantages. Firstly,
for the access control enforcement engine. We use a goal- it is unlikely that the extension will cover all policies of in-
oriented distributed policy evaluation algorithm that is ef- terest; secondly, the semantics and implementations of the
ficient and guarantees termination. Initial performance re- language have to be changed; thirdly, languages with many
sults for our prototype implementation have been promis- constructs are harder to understand and to reason about;
ing. and lastly, policy evaluation usually becomes computa-
tionally more expensive with increasing expressiveness (in
some cases, the language is even Turing-complete).
1. Introduction We have designed a trust management system,
Cassandra, in which the expressiveness of the policy speci-
The emergence of wide-area network-based services fication language can be adjusted by selecting an appropri-
poses new and challenging problems to security manage- ate constraint domain. The advantage of this approach is
ment. The networks in question are generally heteroge- that the expressiveness (and hence the computational com-
neous, decentralised and large-scale, with possibly millions plexity) can be chosen depending on the requirements of
of autonomous entities (which may be individuals, agents, the application, and can easily be changed without having
organisations or other administrative domains) that wish to to change the language semantics. In our prototype imple-
share their resources in a secure and controlled fashion. mentation of Cassandra, a constraint domain is a separate
Collaborating entities may be mutual strangers at first, thus module that can be plugged into the policy evaluation en-
access control cannot be based on identity, as it is the case gine. We have identified a condition on constraint domains,
in traditional approaches. constraint compactness, which ensures that policy evalua-
In the trust management approach [5], authorisation is tion is decidable and guaranteed to terminate.
based on credentials, digitally signed certificates asserting By factoring out the constraint domain, the language

Proceedings of the Fifth IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY’04)
0-7695-2141-X/04 $ 20.00 © 2004 IEEE

ing a credential that can be used to support another request
Cassandra Entity remote query somewhere else. The access control engine handles the re-
C quest by invoking the policy evaluation engine, which in
Policy

Access Control Engine
invoke
perform action turn queries the local Cassandra policy. The expressive-
Evaluator query ness of the policy specification language depends on the
activate role
globally chosen constraint domain, C, an independent mod-
Interface
modify Policy
deactivate role (rules & credentials) ule that is plugged into the policy evaluation engine. As
policies can refer to policies of other entities, policy eval-
request credential
grant access Resources uation may trigger queries of remote policies (possibly the
(Actions) requester’s) over the network. The answer of the policy
evaluation engine is used by the access control engine to
decide whether the request is to be granted. As a result of
a request, the local policy may be modified. For example,
Figure 1. Cassandra components.
if a role is activated, this new fact is put into the policy;
similarly, deactivation of roles causes facts to be removed
syntax and semantics are kept small and simple. In par- from the policy.
ticular, Cassandra has no explicit provisions for standard Cassandra’s policy specification language is based on
policy idioms such as role hierarchy, separation of duties DatalogC , a generic extension of negation-free Datalog
or delegation; instead, it is truly policy-neutral in that it (Prolog without function symbols) where the expressive-
can encode such idioms (and many variants). Its expres- ness can be tuned by varying the constraint domain param-
siveness suffices for policies found in highly complex real- eter C [10]. A DatalogC rule is of the form
world applications; this has been shown by our work on a p0 (e0 ) ← p1 (e1 ), .., pn (en ), c
large-scale security policy for a national electronic health where the pi are predicate names and the ei are (possi-
record system [3]. bly empty) expression tuples (that may contain variables)
In §2 we give an informal overview of Cassandra’s pol- matching the parameter types of the predicate. p0 (e0 ) is
icy specification language. Unlike most other systems, the head of the rule, and the sequence of predicates on the
Cassandra not only formally specifies the policy language right hand side of the arrow is the body of the rule; c is a
but also the access control semantics governing the dy- constraint on the parameters occuring in the rest of the rule.
namic behaviour of an entire Cassandra network. This Intuitively, to deduce the head of a rule, all body predicates
operational semantics is described in §3. §4 shows how must be deducable in such a way that the constraint is also
examples of standard policies, including role validity peri- satisfied. A set of DatalogC rules can then be interpreted as
ods, role hierarchy, separation of duties, role delegation and the deductive closure of the set.
trust negotiation policies, can be expressed in Cassandra. The constraint of a rule, c, is a formula from some fixed
The policy specification language and semantics are for- constraint domain C, a language of first order formulae
mally defined and an algorithm for policy evaluation is containing at least true, false and the identity predicate
given in §5. §6 briefly discusses our case study on secu- “=” between C-expressions (variables, entities and possibly
rity policies for a national electronic health record system. other constructs). It must be closed under variable renam-
We also discuss our prototype implementation and prelim- ing, conjunction (∧) and disjunction (∨). Furthermore, it
inary experimental results. Finally we discuss related work must be equipped with an interpretation that defines when
and conclude. formulae are satisfied.
The expressiveness of DatalogC depends on the chosen
2. Policy specification overview constraint domain C. For example, the least expressive con-
straint domain is the one where the only atomic constraints
Cassandra is a trust management system allowing a po- are equalities between variables and constants. Choosing
tentially large network of entities to share their resources this trivial constraint domain reduces the expressiveness of
under well-defined restrictions, specified by local access the language to standard Datalog or Horn clauses without
control policies, even if they are mutual strangers. Every function symbols. More powerful constraint domains often
entity runs its own copy of a Cassandra service, which include boolean, arithmetic and set constraints, and make
acts as a protective layer around the resources. Figure 1 use of more complex expressions such as tuples, set expres-
shows the internal components of a Cassandra service. In- sions and (side-effect free) function applications (e.g. to ac-
teraction with other entities is done via the interface that cess the current time). The computational complexity of
defines requests for performing an action (i.e. accessing a evaluating DatalogC programs increases with expressive-
resource), activating and deactivating a role, and request- ness: with set constraints it is already possible to encode

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

the Hamiltonian cycle problem, and thus all NP-complete context. Intuitively, if a predicate loc@iss.p(e) appears in
problems. Care must be taken not to choose a constraint the body of a rule in E’s policy, and loc is equal to E,
domain that is too expressive as this can result in programs it is deduced locally from E’s policy (if iss is not equal
in which queries are undecidable. We will later introduce to E, this must be a foreign credential). If, however, loc
the notion of constraint compactness to restrict constraint is not equal to E, this means that the authority over the
domains to those that guarantee termination of queries. predicate is delegated to the remote entity loc, so E re-
In Cassandra, access control is role-based, and roles, as quests a credential iss.p(e) from loc over the network. loc
well as actions, are parameterised. Role-based access con- will allow this only if her local policy lets her deduce both
trol (RBAC) [17, 8] was initially introduced to simplify se- canReqCred(E, iss.p(e)) and iss.p(e). If these conditions
curity administration of large enterprises. In the context of are met, a credential containing iss.p(e) (issued and signed
distributed trust management, roles can more generally be by iss) is sent back to E. A more formal treatment of the
used as a representation of authenticated subject attributes language semantics is given in §5.1.
in decentralised access control [13]. Formally, a role is a
typed role name applied to an expression (that may con- 3. Access Control Semantics
tain variables) of a matching type, e.g. Manager(Sales-
dept). Similarly, an action is an action name applied to an
Cassandra acts as a protective layer around the shared
expression, e.g. Read-file(file). For the remainder of the
resources, allowing network access only through an inter-
paper, variables will be written in small letters and italics
face. This interface defines requests for performing an ac-
(e.g. f ile), generic constants in italics but capitalised (e.g.
tion, activating a role, deactivating a role, and for request-
some entity E), and concrete constants in typewriter font
ing a credential. Incoming requests are checked by the ac-
(e.g. Sales-dept).
cess control engine against the local policy (Figure 1). En-
Policies are specified by rules defining predicates that tities can support their requests by submitting credentials
govern access control decisions: permits defines who can to the service; the service will then use the assertions in the
perform which action; canActivate specifies who can acti- credentials along with its own local policy to evaluate the
vate which roles (and thus implicitly defines the role mem- query. Granting a request can have side-effects on policies,
bership relation); hasActivated specifies who is currently e.g. when a role is activated, a corresponding hasActivated
active in which role; canDeactivate specifies who can re- credential rule is added to the policy.
voke which role; isDeactivated is used to define automat- We have formally specified the operational semantics of
ically triggered role revocation; and finally, canReqCred the access control engine by a labelled transition system
rules specify the conditions to be satisfied before the ser- where the labels are the requests and the transitions are be-
vice is willing to issue and disclose a credential. User- tween sets of policies of all entities. Due to lack of space,
defined auxiliary predicates are also allowed. we will only give a brief overview of the request defini-
In the trust management approach, access control de- tions.
cisions are based on credentials asserting properties about
Performing an action. Suppose the requester E at-
the holders. In Cassandra, the properties asserted by cre-
tempts to perform the (parameterised) action A on S’s
dentials are (constrained) predicates. Therefore, in order
Cassandra service. E’s request is granted if permits(E, A)
to satisfy a predicate in a rule body, either the predicate
is deducible from S’s policy (and submitted credentials).
can be deduced from the local policy or it is asserted by
a foreign credential issued and signed by some other en- Role activation. Suppose E attempts to activate the (pa-
tity. Such credentials are either already stored locally, or rameterised) role R on S’s Cassandra service. The request
are submitted to the service, or automatically fetched by the is granted if the role has not already been activated and if
service from some other entity. To put constraints on the is- canActivate(E, R) can be deduced from S’s policy (and
suer and the storage location of credentials, each Cassandra submitted credentials). As a result of this transition, the
predicate has an issuer and a location (constant or vari- corresponding hasActivated credential rule is added to S’s
able) parameter, and is written loc@iss.p(e). For example, policy.
Alice@UCam.canActivate(Alice, Student(Maths)) is a Role deactivation. Suppose E requests to deactivate
predicate asserting that Alice is a Maths student. If this V ’s role R on S’s Cassandra service. The request is
predicate is part of a rule body, Cassandra can contact Al- granted if V is really currently active in the role R and
ice over the network (unless this is Alice’s local policy) and if canDeactivate(E, V, R) is deducible from S’s policy
request the corresponding credential issued by the Univer- (and submitted credentials). Depending on the local policy
sity of Cambridge. rules, this deactivation may also trigger the deactivation of
We will often write iss.p(e) as shorthand for other role activations in S’s policy (local cascading deacti-
E@iss.p(e) and p(e) for E@E.p(e), if E is clear from the vation). For this purpose, we need to compute the set of all

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

hasActivated credential rules in S’s policy for which a cor- canActivate(x, Doc()) ←
responding isDeactivated credential can be derived under canActivate(x, CertDoc(t)),
the assumption isDeactivated(V, R). The role activations CurTime() − Years(1) ≤ t ≤ CurTime()
in this set are then removed from S’s policy. Auxiliary roles. Sometimes a role is used solely to ex-
press some property about its members and can be used
Requesting Credentials. Suppose E requests the cre-
without prior activation. In this rule, a logged-in user can
dential I.p(x) ← c (a digital certificate asserting p(x) ← c,
read a file provided that the system can deduce she is the
issued and signed by I) from S. S’s service first computes
owner of that file. Ownership is here expressed with the
the answer to the query canReqCred(E, I.p(x)) ← c. The
auxiliary Owner role that need not be activated.
answer is a constraint c0 restricting the values that x can
permits(x, Read(f ile)) ←
take.
hasActivated(x, Login()),
If I and S are identical, the answer c1 of the query canActivate(x, Owner(f ile))
p(x) ← c0 is computed, and, if c1 is satisfiable, the new
credential S.p(x) ← c1 is issued and sent to E. If I and Role hierarchy. In this variant of parameterised role hi-
S are different, this means that the requested credential is a erarchy, members of a superior role (Engineer working
foreign credential held by S, so it cannot be freshly issued in some department) are automatically also members of a
and signed. In this case, S sends E all her credentials of more basic role (Employee working in the same depart-
the form I.p(x) ← c2 such that c2 is at least as restrictive ment).
canActivate(x, Employee(dep)) ←
as c0 .
canActivate(x, Engineer(dep))

Separation of duties. In this common example for sepa-
4. Standard policies
ration of duties, a payment transaction requires two phases,
initiation and authorisation, which have to be executed
Unlike other policy specification languages, Cassandra by two different people. The rule implements the dy-
does not have special constructs for expressing standard namic and parameterised variant of separation of duties: an
policies such as role hierarchies, separation of duties or Authoriser of a payment must not have activated the
delegation. Indeed, we can show that Cassandra, equipped Init role for the same payment. This restriction is imple-
with a sufficiently powerful constraint domain, can express mented by the user-defined countInitiators predicate. Its
these policies in a concise and readable way. Having no definition is given by the second rule, an example of an ag-
constructs in the language for specific policy idioms not gregate rule. The count z aggregate operator counts how
only keeps the language and its semantics small and sim- many different values of z satisfy the body. Therefore, the
ple; it also avoids the necessity of having to constantly parameter n is 0 only if x has not activated the Init role
extend the language. Furthermore, our work on policies for the same payment.
for a national electronic health record infrastructure has canActivate(x, Authoriser(payment)) ←
shown that, in large-scale real-world applications, these countInitiators(n, x, payment), n = 0
“standard” policies occur in many variants and combina- countInitiators(count z , x, payment) ←
tions with subtle but significant semantic differences [3]. hasActivated(z, Init(payment)), z = x
Cassandra was designed in such a way that the whole range Role delegation. Here, an administrator can delegate her
of policy variants can be expressed without additional fea- role to somebody else by activating the DelegateAdm
tures. It should be noted that Cassandra was designed role for the delegatee. The delegatee can then subsequently
specifically for authorisation policies; in particular, we do activate the administrator role. The first parameter of the
not deal with obligation policies specifying the automatic administrator role specifies who the delegator was. The
triggering of actions (as in [7]). second parameter n is an integer for restricting the length of
In the following, we show how standard policies can be the delegation chain: the delegatee can activate the admin-
written in Cassandra. istrator role only with a “rank” n that is strictly less than
the delegator’s rank n but must be at least 0. Setting the
Role validity periods. In the following rule, a certified
parameter to 1 for non-delegated administrators (i.e. those
doctor (with certification issued at time t) is also member
at the top of a delegation chain) amounts to non-transitive
of the role Doc() if t is at most one year ago. This is an
delegation. Removing the constraint on n in the second
example where the freshness requirement of a certification
rule results in unbounded delegation chains.
is set by the acceptor, not by the certificate issuer (as rec- canActivate(x, DelegateAdm(y, n)) ←
ommended in [16]). The chosen constraint domain must hasActivated(x, Adm(z, n))
contain a (side-effect free) built-in function that returns the canActivate(y, Adm(x, n )) ←
current time, and integer order constraints. hasActivated(x, DelegateAdm(y, n)), 0 ≤ n < n

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

With the following rule, the delegated role is automatically its CertHealthOrg credential, signed by the registration
revoked if the delegation role of the delegator is deacti- authority of East England, to certified EHR servers.
vated. canReqCred(x, y.canActivate(z, CertHealthOrg()) ←
isDeactivated(y, Adm(x, n )) ← x@auth.canActivate(x, CertEHRServ()),
isDeactivated(x, DelegateAdm(y, n)) y = RegAuthEastEngland ∧ z = Addenbrookes,
auth ∈ RegAuthorities()
However, we need to specify who is allowed to deactivate
a delegation role. In grant-dependent revocation (first rule The x@auth prefix specifies that the required credential
below), only the delegator herself has this power. In grant- must be signed by some registration authority and that it is
independent revocation (second rule below), every admin- to be retrieved automatically from x; in this case, x will
istrator (who has at least as high a rank as the delegator) have been instantiated to be the EHR server. The EHR
can deactivate the delegation. server will in turn have canReqCred policy rules specifying
canDeactivate(x, z, DelegateAdm(y, n)) ← x = z
to whom its CertEHRServ credential may be disclosed.
canDeactivate(x, z, DelegateAdm(y, n)) ←
As this example shows, a simple request can trigger mul-
hasActivated(x, Adm(w, n )), n ≤ n
tiple phases of credential exchanges between two or more
A rather paranoid policy may specify cascading revocation: entities over the network until a sufficient level of mutual
if a delegated administrator is revoked from her role, all her trust has been established.
delegation must also be revoked recursively.
isDeactivated(x, DelegateAdm(y, n)) ←
isDeactivated(z, DelegateAdm(x, n )) 5. Language semantics and evaluation
The trust management system Oasis [21] has a language This section defines the syntax and semantics of
construct for role appointment, a generalisation of role del- Cassandra’s policy specification language. We also de-
egation. Our work on real-world policies suggests that vari- scribe a goal-oriented algorithm for evaluating policy
ants of general appointment are indeed far more frequent queries that is sound and complete with respect to the lan-
than role delegation [3]. Appointment and other stateful guage, and discuss a condition for guaranteed termination
policies can be expressed in Cassandra in a very similar of query evaluation.
way as shown above for delegation.
Automatic trust negotiation & credential discovery. 5.1. Language Semantics
Suppose the following rule is part of the policy of a server
holding the electronic health records (EHR) for some part
of the UK’s population. To activate the doctor role, x must Each entity Eloc on the network protects its resources
be a certified doctor in some health organisation org, and with a (possibly empty) Cassandra policy, a finite set of
furthermore the organisation must be a certified health or- Cassandra policy rules of the form
ganisation. Both requirements must be satisfied in the form
Eloc @Eiss .p0 (e0 ) ←
of credentials signed by some entity auth belonging to a
loc1 @iss1 .p1 (e1 ), .., locn @issn .pn (en ), c.
locally defined set of registration authorities.
canActivate(x, Doc(org)) ←
The location and the issuer of the rule, Eloc and Eiss , are
auth.canActivate(x, CertDoc(org)),
entity constants, and the loci and issi are entities or entity
org@auth.canActivate(org, CertHealthOrg()),
auth ∈ RegAuthorities() typed variables. The pi (ei ) are well-typed predicates, and c
is a constraint from the globally chosen constraint domain
In the rule above, there is no location prefix in front of the C.
first body predicate, so the doctor certification credential A rule with empty body of the form
is required to already be in the local policy or have been
submitted by x together with the role activation request. Eloc @Eiss .p0 (e0 ) ← c
No automatic credential requests are issued the credential
is not found. On the other hand, there is a location prefix is called a credential rule or just a credential. (These cor-
org in front of the second body predicate: the health organ- respond to facts in Logic Programming.) If it is sent over
isation credential is automatically requested from org, or, the network, it can be thought of as a certificate asserting
more precisely, the entity the variable org stands for during p0 (e0 ), signed and issued by Eiss , and belonging to and
actual evaluation. However, the health organisation (say, stored at Eloc . The location and the issuer of a rule are usu-
Addenbrooke’s Hospital) will allow this retrieval request ally identical; only in the case of a credential rule can they
only if its canReqCred policy allows it. With the follow- be different, as Eloc may hold a foreign credential signed
ing rule, Addenbrooke’s specifies that it is willing to reveal by a different entity Eiss .

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

We will omit the prefix Eloc from a rule if it is clear from equal to some
the context, and also Eiss , loci and issi if they are equal to (ci ∧ yloc= Eloc ∧ yiss= Eiss )
Eloc . such that Eloc @Eiss .q(y) ← ci is already in I.
Access control decisions are based on policy
queries which have the same form as credentials: Alternatively, yloc may refer to some remote entity
Eloc @Eiss .p0 (e0 ) ← c. The answer to a query is a set Eloc = Eloc , so Pi has to be deduced from Eloc ’s policy.
of constraints ci such that Eiss .p0 (e0 ) ← c ∧ ci can be As this amounts to a credential request and Eloc ’s creden-
deduced from Eloc ’s policy. For example, the query tials are protected by canReqCred rules, the corresponding
canReqCred predicate must also be satisfied, as well as Pi
UCam@UCam.canActivate(x, Student(subj)) ← itself. In this case, ci is some constraint in
subj = Maths ∃C xe . (ci ∧ ci ∧ yloc= Eloc ∧
may return the constraints {x = Alice, x = Bob}, and yiss= Eiss ∧ xe= Eloc )
the query such that both credentials
Eloc @Eloc .canReqCred(xe , yiss .q(y)) ← ci and
UCam@UCam.canActivate(x, Student(subj)) ←
x = Alice ∧ subj = Maths Eloc @Eiss .q(y) ← ci are already in I.
The consequence operator TP (I) is continuous on the
would simply return {true}. powerset of credentials and thus has a unique least fixed-
The semantics of a policy is defined by the set of all cre- n
point n≥0 TP (∅) which we call the fixed-point semantics
dentials that can be deduced from it. To formally define the of P. It coincides with our intuitive notion of deductive
notion of deduction, we extend the notion of consequence closure of the policy rules.
operator known from constraint logic programming [18]. Sometimes we need to know not only whether a pred-
We construct a consequence operator TP , where P is the icate can be satisfied but also how often. For example, it
finite union of the policies of all entities. Given a set of is often necessary to know that nobody has activated a cer-
credentials I (which we distinguish only up to variable re- tain role, i.e. the corresponding hasActivated predicate can
naming), TP (I) returns the set of all credentials that can be satisfied 0 times. For these purposes, we define rules
be deduced from I and the policies in P in one step. with aggregation operators [15]. (These require the con-
The definition of TP assumes the existence of two com- straint domain C to contain equalities over set and integer
putable operations on C-constraints, ∃C and ⇒C . ∃C x. (c) constants and variables.) A Cassandra aggregation rule is
computes the existential quantifier elimination of x and re- of the form
turns the set of conjuncts in the disjunctive normal form
Eloc @Eloc .p(aggop x , y) ← Eloc @iss.q(x), c
(DNF) of the result. If V is a set of variables, we also write
∃C (c) for the set of conjuncts in the DNF of c, with all where the aggregation operator aggop is either group or
−V
free variables apart from the ones in V existentially elimi- count. The predicate q(x) is required to be one that can
nated. (This is in effect a projection of c onto the variables be satisfied with only finitely many different parameters on
V .) Eloc , and x must contain x. If the operator is group, the
⇒C is a computable subsumption relation on C- first argument of p stands for the finite set of all different
constraints: if c1 ⇒C c2 returns true then c1 is subsumed values of x such that the rule body can be satisfied. If the
by c2 , i.e. all substitutions that satisfy c1 also satisfy c2 . operator is count, it stands for the cardinality of that set.
Then the consequence operator TP (I) is defined to con- For example,
tain all credentials of the form Eloc @Eiss .p(x) ← c0 (for getSetOfActiveDoctors(group x , spcty) ←
some entities Eloc , Eiss ) if I contains no other credential hasActivated(x, Doctor(spcty))
that already subsumes it: if Eloc @Eiss .p(x) ← c0 ∈ I and finds the set of all active doctors with specialty spcty.
c0 ⇒C c0 then c0 = c0 ; and furthermore, if there is some
matching rule 5.2. Evaluation
Eloc @Eiss .p(x) ← P1 , .., Pn , c
in P (i.e. in the policy of Eloc ) such that there is a constraint Recall that the access control engine makes access con-
c0 with the following property: trol decisions by invoking the policy evaluation engine,
c0 ∈ ∃C (c1 ∧ .. ∧ cn ), and c0 is satisfiable, for some
−x
which queries the local policy. We now describe the al-
constraints c1 , .., cn , such that each ci is a contribution from gorithms used in the policy evaluation engine.
Pi . We say ci is a contribution from Pi ≡ yloc @yiss .q(y) In deductive databases, queries are usually evaluated
if one of the following two cases hold. against a model that is pre-computed with a bottom-up
Either yloc is taken to be local, so Pi has to be deduced algorithm that, starting from basic facts, iteratively adds
from Eloc ’s own local policy. This means that ci must be derived facts until the fixed-point semantics is reached.

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

This would not be an acceptable evaluation strategy for existing answer d, combine it with the current constraint
Cassandra: firstly, the constraints may contain (side-effect and call the Clause Resolution procedure on the remaining
free) function calls that depend on the environment, for ex- predicates in the list, or the Answer Projection procedure,
ample for getting the current time, and therefore cannot be if the remaining list is empty. We also need to store the in-
pre-computed; secondly, the fact that rule bodies can refer formation that this query waits for answers from the proof
to remote predicates would require a distributed form of of P ← c .
bottom-up evaluation which would be highly impractical; If, however, no such P ← c exists yet, we need
and thirdly, the model would have to be re-computed after to spawn a new query for P ← c and wait for its an-
every activation or deactivation of roles as role activation swers. If the location of P is remote, a credential request
and deactivation modify policies. is sent to the remote entity. The remote entity will then
The standard SLD top-down resolution algorithm call its Query Projection procedure on the list containing
known from Logic Programming (e.g. Prolog) is not suit- canReqCred(Eloc , P ) and P with the constraint c.
able either as it may run into infinite loops even when the
fixed-point semantics is finite. Instead, Cassandra uses a Answer Projection. This procedure is called when the
modified version of Toman’s memoing algorithm for evalu- list of body predicates is empty. The remaining constraint
ating constraint extensions of Datalog [18]. Based on SLG is then projected onto the free variables of the query pred-
resolution, it combines advantages of both the top-down icate. The resulting constraints are stored in the answers
and the bottom-up approaches: it is goal-oriented and yet table and propagated to all queries currently waiting for
preserves the termination properties of the bottom-up al- such answers, and execution is resumed there. If the wait-
gorithms by memoing (tabling) already seen subgoals and ing party is a remote entity, the answers are sent to it over
their answers. To solve a subgoal for which a table en- the network in the form of credentials. The remote entity
try already exists, the algorithm uses the tabled answers as will then invoke its Answer Projection procedure on these
solutions; whenever new answers are added for the entry, answers.
they are automatically propagated to other waiting evalua-
On exit, the table entry for the original query will be
tion branches. If no relevant entry exists for the subgoal, a
populated with all its answers. The algorithm is sound and
new table entry is created and populated. We have extended
complete with respect to the language semantics.
the algorithm in [18] to deal with goals referring to remote
As in other database applications, we require query eval-
entities.
uation to always terminate. Clearly, if the chosen constraint
Suppose the query Eloc @Eiss .p0 (x0 ) ← c0 is to be
domain C is too expressive, it is possible to write poli-
evaluated by the Cassandra service of Eloc . Evaluation is
cies and queries that are uncomputable. Often, the features
started by calling the Clause Resolution procedure on the
that make it too expressive seem rather innocuous at first
query.
glance. For example, constraint domains with untyped tu-
Clause Resolution. Find all policy rules with a matching ple constructors or with negative gap-order constraints of
head, i.e. of the form the form x − c < y (where c is a positive integer constant)
Eloc @Eiss .p0 (x0 ) ← P1 , .., Pn , c1 . enable the construction of undecidable policies.
For all such c1 , compute c2 ≡ c0 ∧ c1 if the result is sat- Constraint compactness [18] is a sufficient condition on
isfiable. If the rule body is non-empty (n ≥ 1), call the constraint domains to guarantee a finite and hence com-
Query Projection procedure on the list P1 , .., Pn , c2 . Other- putable fixed-point semantics for any finite global policy
wise call the Answer Projection procedure on the combined set P. A constraint domain C is said to be constraint com-
constraint c2 . pact if any infinite set of C-constraints in which only finitely
many variables and constants occur has a finite subset sub-
Query Projection. This procedure operates on a list of suming the entire set, that is, for every constraint c in the
predicates P1 , .., Pn and a constraint c. Using the ∃C opera- infinite set there is a constraint c in the finite set such that
tion, project the constraint onto the free variables of the first c ⇒C c .
predicate P1 in the list and compute the DNF constraint set. Unfortunately, constraint compactness severely restricts
For all ci from this set, call the Answer Propagation proce- the expressiveness of the constraint language and is also
dure on P1 ← ci , and the (possibly empty) list of remaining often hard to prove. We use static groundness analysis [1]
predicates, P2 , .., Pn . to restrict policies in such a way that variables occuring in
Answer Propagation. This procedure operates on a sub- specific constructs will always have been grounded (so a
goal P ← c, and a list of remaining predicates P2 , .., Pn . unique value can be deduced for each) by the time exis-
Check whether we have already encountered a query P ← tential quantifier elimination is performed on them, given
c such that c ⇒C c , in which case the current goal can the query patterns from §3 (e.g. canActivate queries are al-
be solved using answers from that query. For each already ways fully grounded), so these constructs can be ignored.

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

We also use static groundness analysis to ensure that the constraints[3]. It is constraint-compact and thus guarantees
location prefix of body predicates becomes ground by the query termination, but its relatively high expressiveness
time we evaluate it: otherwise the evaluator would have to still makes it possible in principle to write policies that are
query many different entities (all, in the worst case), which prohibitively expensive to evaluate. However, such policies
is clearly unpractical. do not seem to occur in practice, as the recursion depth is
usually small and variables are instantiated to ground val-
6. Discussion ues early on.

Implementation and performance. A prototype of
EHR case study. Cassandra’s design process was par- Cassandra has been implemented in OCaml. The code is
tially guided by our case study [3] on an access control factored into independent modules as depicted in Figure
policy for a national electronic health record (EHR) sys- 1. In particular, constraint domain implementations can be
tem. The background of the case study is the British Na- plugged into the policy evaluation engine as separate mod-
tional Health Service’s current plan to develop an electronic ules, as long as they provide fundamental operations of pro-
data spine that will contain “cradle-to-grave” medical data jection, satisfiability and subsumption checking. We have
for all patients in England. The project is highly risky and implemented the constraint domain used for the EHR case
challenging for several reasons: it is extremely large-scale study, including a type inference mechanism that allows us
with 100 million records and billions of accesses per year; to omit explicit variable typing.
the requirements are likely to change frequently, in partic- At the time of writing, role deactivation and credential
ular those concerning access control; and it is inherently requests and the static groundness analyser are still in the
distributed with interacting health organisations, registra- process of being implemented. Furthermore, the current
tion authorities and the data-spine. These challenges can prototype only simulates the distributed system, and issued
best be met by a distributed trust management system that credentials are implemented without encryption and public
allows policies to be specified in a sufficiently expressive key signatures.
high-level language. The prototype was tested with the policies from the EHR
In our case study, we propose a distributed three-level case study. The system behaved as expected and handled
infrastructure to cope with the large scale. Based on official all requests, including the most complex ones, within frac-
specification documents, we have developed Cassandra tions of a second. The preliminary results suggest that
policies for the entire infrastructure. Our proposed poli- Cassandra is indeed suitable for large-scale real-world ap-
cies contain a total of 310 rules, define 58 parameterised plication. Of course, authoritative results can only be pro-
roles and implement all the required access control rules. duced after completion of a more complete and optimised
The requirements are not only highly complex but also implementation and under more realistic settings; we have
contain principles unseen in traditional access control mod- for example so far only tested the system with up to 10,000
els. For example, the policies need to handle explicit pa- patients [3].
tient consent, third-party disclosure consent, individualised Our experiments have highlighted another requirement
access decisions (e.g. a patient could prohibit access to for policy-based trust management systems that neither our
record items concerning a certain medical subject to a spe- nor existing systems currently fulfil: human users expect
cific doctor), appointment of agents acting on a patient’s textual justifications of access control decisions, especially
behalf and workgroup-based access control (e.g. based on if their request is denied; they feel rather frustrated and
ward or consultant team membership). helpless if the answer is simply “request denied”, espe-
One of the main lessons learnt from the case study is that cially if the policy is complex or unknown to the user. Such
standard policy idioms such as role appointment occur in explanations could be collected from annotations of policy
many different variants. We thus had to design Cassandra rules used during deduction. The problem is non-trivial as
in such a way that it could express all of these elegantly. deduction proofs can be long and access denials can have
Our approach was to identify the small number of underly- many and far-reaching reasons. More worryingly, the tex-
ing primitives concerning role membership, activation and tual justification may reveal more (and perhaps, sensitive)
deactivation, and to base the language solely on those. The information than could have been deduced from the fact
distributed nature of the EHR policies also necessitated fea- of request denial alone: consider, for example, a response
tures for automatic credential discovery and credential pro- such as “access denied because your daughter has prohib-
tection (automatic trust negotiation). ited you from accessing all her records with the subject
For the case study, we devised a sufficiently expressive ‘abortion’ ”.
constraint domain containing tuple expressions and pro-
jections, disequalities, integer order inequalities, built-in Related work. A large amount of work has been done
functions to access state-dependent data and set inclusion on security policy specification in a non-trust-management

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

context. For instance, Barker [2] uses constraint logic pro- from both issuer and the subject entity. A distinctive fea-
gramming to encode RBAC policies in a non-distributed ture of the RT framework is that RT credentials contain a
environment; as such, his approach does not deal with cre- link to a so-called Application Domain Specification Doc-
dentials, trust management and trust negotiation. Policy- ument (ADSD) that defines a common vocabulary (types
Maker [5] introduced the trust management paradigm, and of role parameters, natural language descriptions of role
its successor, KeyNote [4] defined the first policy specifi- names etc.) for collaborating entities.
cation language. Since then, many other trust management SD3 is another Datalog-based trust management system
systems have been proposed for policy specification and [11]. Similar to Cassandra, SD3 predicates can be prefixed
distributed access control (e.g. SPKI/SDSI [6], QCM [9], with an issuer (a public key), thereby delegating author-
SD3 [11], RT [13], Oasis [21], Ponder[7]). ity of predicate definition to that key. A predicate can fur-
The Cassandra policy specification language was in- ther be tagged with an IP address which is used to refer to
spired by Oasis, a role-based trust management system in a remote policy. SD3 is a very general system that does
which Datalog-based rules specify which credentials are not specify any access control meaning for any predicates
prerequisite for role activation and deactivation [21]. Oasis and can be viewed as Cassandra without constraints, roles
has a special construct for role appointment, which was in- and access control semantics. SD3 passes the proof tree
troduced as a useful generalisation of the delegation mech- from its highly optimised policy evaluation engine through
anisms found in many other languages. Our case study sup- a simple and small proof checker to reduce the size of its
ports the claim that role appointment (and its variants) is a trusted computing base. This would be a technique that
very useful policy idiom. Oasis is the only other system could also be applied to Cassandra.
we are aware of that supports cascading role revocation. Its The problem of trust negotiation has been addressed in
revocation mechanism works even across the network be- [19], where various different negotiation strategies (which,
tween collaborating entities. This is implemented using a when and in which order credentials are disclosed) are dis-
distributed event infrastructure. Another difference is that cussed. Their Credential Access Policy (CAP) corresponds
in Oasis, revocation is triggered whenever a specified sub- to Cassandra’s canReqCred rules specifying the prerequi-
set of the role activation prerequisites ceases to hold. In sites for credential disclosure. Cassandra’s uniform treat-
contrast, role deactivations in Cassandra are allowed to be ment of rules during evaluation gives us trust negotiation
triggered by conditions that have nothing to do with the role almost “for free”, with a negotiation strategy similar to
activation prerequisites. Oasis does not deal with automatic their “Parsimonious Strategy”. It has been pointed out
credential discovery and trust negotiation. It also does not that this strategy can leak information about possession of
possess a full formal semantics and does not guarantee ter- credentials without actually disclosing them. The “Eager
mination of queries. Strategy” does not have this problem but is less efficient.
[20] prevents the problem by adding another policy protec-
The RT family of role-based trust management lan-
tion layer. [22] argue that entities should be given the free-
guages [13] bears some similarities to our system. In RT,
dom to choose their own negotiation policy. They identify
the Datalog-based rules, or credentials, as they are called,
a large family of strategies that are mutually compatible.
specify only the role membership relation: either directly,
by role hierarchy, by (direct or attribute-based) delegation
of authority, or any combination of these. The subjects of Conclusions and future work. We have developed a
the rule head and the body conditions are implicitly the trust management system, Cassandra, with a role-based
same, which is sufficient to express delegation but not con- policy specification language in which the expressiveness
venient for appointment policies. In RT’s youngest off- can be tuned according to need by choosing an appropriate
C
spring, RT1 [12], rules are translated into DatalogC . Con- constraint domain. Apart from management of role permis-
straints are used only to define a range on each role param- sions, activations and (cascading) deactivations, the system
eter; constraints between two parameters are not permitted also uniformly provides flexible automatic credential re-
in order to keep policies more comprehensible and to guar- trieval and automatic trust negotiation. With the constraint
antee tractability. We find that a more liberal use of con- domain we devised for the EHR case study, Cassandra’s
straints is useful and necessary, as our EHR policy shows, expressiveness surpasses that of existing systems while pre-
and can still be efficient in practice. RT roles are prefixed serving a strong termination property. The policy language
with the issuing entity, just like Cassandra’s predicates are, is small, simple and devoid of any redundant constructs
but do not specify the location where a matching creden- such as delegation or hierarchies and yet it can express
tial may be found. RT solves this by statically specifying a wide variety of policies. Cassandra, including the lan-
for each role name whether credentials defining such roles guage, the access control engine and the goal-oriented dis-
are stored with the issuer or the subject. Our EHR pol- tributed policy evaluation algorithm, is fully and formally
icy has rules in which predicates have locations different specified and thus amenable to formal reasoning.

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

We plan to use Cassandra’s formal framework to prove [9] C. A. Gunter and T. Jim. Policy-directed certificate re-
security properties about specific policies. Along the same trieval. Software - Practice and Experience, 30(15):1609–
lines, we wish to formalise a low-level model of Cassandra 1640, 2000.
that specifies the underlying network protocols, the pub- [10] J. Jaffar and M. J. Maher. Constraint logic programming:
lic key infrastructure and the design of certificates. We will a survey. Journal of Logic Programming, 19/20:503–581,
1994.
also investigate possibilities for making answers to requests
[11] T. Jim. SD3: A trust management system with certified
more descriptive and user-friendly without leaking sensi- evaluation. In Proceedings of the 2001 IEEE Symposium
tive information. on Security and Privacy, pages 106–115, 2001.
To gather more reliable test results, we need to build a [12] N. Li and J. C. Mitchell. Datalog with constraints: A foun-
complete prototype that is truly distributed and uses digital dation for trust management languages. In Proceedings of
certificates for sending credentials over the network. We the 5th International Symposium on Practical Aspects of
hope to improve efficiency by using a standard relational Declarative Languages, pages 58–73, 2003 2003.
database for policy rule lookups. Such an implementation [13] N. Li, J. C. Mitchell, and W. H. Winsborough. Design of a
role-based trust management framework. In Proceedings of
will enable us to test real-world policies in a more realistic
the 2002 IEEE Symposium on Security and Privacy, pages
setting, with millions of role activations and entities that
114–130, 2002.
interact via an unreliable network. [14] N. Li, W. H. Winsborough, and J. C. Mitchell. Distributed
credential chain discovery in trust management: extended
Acknowledgments We acknowledge support from a abstract. In ACM Conference on Computer and Communi-
cations Security, pages 156–165, 2001.
Gates Cambridge Scholarship (Becker), a Royal Society
[15] P. Revesz. Introduction to constraint databases. Springer
University Research Fellowship (Sewell), EPSRC grant Verlag, 2002.
GRN24872, and EC FET-GC project IST-2001-33234 [16] R. L. Rivest. Can we eliminate certificate revocations lists?
PEPITO. The authors thank Arne Heizmann for corrections In Financial Cryptography, pages 178–183, 1998.
and comments. We also thank the reviewers for their valu- [17] R. Sandhu. Rationale for the RBAC96 family of access con-
able comments. trol models. In Proceedings of the 1st ACM Workshop on
Role-Based Access Control, 1997.
[18] D. Toman. Memoing evaluation for constraint extensions of
References datalog. Constraints, 2(3/4):337–359, 1997.
[19] W. Winsborough, K. Seamons, and V. Jones. Automated
[1] N. Baker and H. Sondergaard. Definiteness analysis for trust negotiation. In DARPA Information Survivability Con-
CLP(R). In Australian Computer Science Conference, ference and Exposition, volume 1, pages 88–102, 2000.
pages 321–332, 1993. [20] W. H. Winsborough and N. Li. Towards practical auto-
mated trust negotiation. In Proceedings of the 3rd Inter-
[2] S. Barker and P. J. Stuckey. Flexible access control
national Workshop on Policies for Distributed Systems and
policy specification with constraint logic programming.
Networks, pages 92–103, 2002.
ACM Transactions on Information and System Security,
[21] W. Yao, K. Moody, and J. Bacon. A model of OASIS
6(4):501–546, 2003.
role-based access control and its support of active secu-
[3] M. Y. Becker and P. Sewell. Cassandra: Flexible trust
rity. ACM Transactions on Information and System Secu-
management, applied to electronic health records. In Pro-
rity, 5(4), 2002.
ceedings of the 17th IEEE Computer Security Foundations [22] T. Yu, M. Winslett, and K. E. Seamons. Supporting struc-
Workshop, June 2004. To appear. tured credentials and sensitive policies through interopera-
[4] M. Blaze, J. Feigenbaum, and A. D. Keromytis. KeyNote: ble strategies for automated trust negotiation. ACM Trans-
Trust management for public-key infrastructures (position actions on Information and System Security, 6(1):1–42,
paper). Lecture Notes in Computer Science, 1550:59–63, 2003.
1999.
[5] M. Blaze, J. Feigenbaum, and J. Lacy. Decentralized trust
management. In IEEE Symposium on Security and Privacy,
pages 164–173, 1996.
[6] D. Clarke, J.-E. Elien, C. Ellison, M. Fredette, A. Morcos,
and R. L. Rivest. Certificate chain discovery in SPKI/SDSI.
Journal of Computer Security, 9(4):285–322, 2001.
[7] N. Damianou, N. Dulay, E. Lupu, and M. Sloman. The
Ponder policy specification language. In Policy Workshop,
2001.
[8] D. F. Ferraiolo, R. Sandhu, S. Gavrila, D. R. Kuhn, and
R. Chandramouli. Proposed NIST standard for role-based
access control. 4, (3):224–274, 2001.

0-7695-2141-X/04 $ 20.00 © 2004 IEEE

Cassandra distributed access control policies with tunable expressiveness

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Ähnlich wie Cassandra distributed access control policies with tunable expressiveness

Ähnlich wie Cassandra distributed access control policies with tunable expressiveness (20)

Mehr von João Gabriel Lima

Mehr von João Gabriel Lima (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Cassandra distributed access control policies with tunable expressiveness