Share on Facebook Tweet on Twitter Share on LinkedIn Share by email
Policy-based Access Control for Weakly Consistent Replication

Ted Wobber, Thomas L. Rodeheffer, and Douglas B. Terry

Abstract

Combining access control with weakly consistent replication presents a challenge if the resulting system is to support eventual consistency. If authorization policy can be temporarily inconsistent, any given operation may be permitted at one node and yet denied at another. This is especially troublesome when the operation in question involves a change in policy. Without a careful design, permanently divergent state can result.

We describe and evaluate the design and implementation of an access control system for weakly consistent replication where peers are not uniformly trusted. Our system allows for the specification of fine-grained access control policy over a collection of replicated items. Policies are expressed using a logical assertion framework and access control decisions are logical proofs. Policy can grow to encompass new nodes through fine-grain delegation of authority. Eventual consistency of the replicated data is preserved despite the fact that access control policy can be temporarily inconsistent.

Details

Publication typeInproceedings
Published inProceedings of EuroSys 2010
PublisherAssociation for Computing Machinery, Inc.

Previous versions

Ted Wobber, Thomas L. Rodeheffer, and Douglas B. Terry. Policy-based Access Control for Peer-to-Peer Replication, 24 July 2009.

> Publications > Policy-based Access Control for Weakly Consistent Replication