Cassandra: distributed access control policies with tunable expressiveness

Moritz Y. Becker


We study the specification of access control policy in

large-scale distributed systems. Our work on real-world

policies has shown that standard policy idioms such as role

hierarchy or role delegation occur in practice in many subtle

variants. A policy specification language should therefore

be able to express this variety of features smoothly,

rather than add them as specific features in an ad hoc way,

as is the case in many existing languages.

We present Cassandra, a role-based trust management

system with an elegant and readable policy specification

language based on Datalog with constraints. The expressiveness

(and computational complexity) of the language

can be adjusted by choosing an appropriate constraint domain.

With just five special predicates, we can easily express

a wide range of policies including role hierarchy,

role delegation, separation of duties, cascading revocation,

automatic credential discovery and trust negotiation.

Cassandra has a formal semantics for query evaluation and

for the access control enforcement engine. We use a goaloriented

distributed policy evaluation algorithm that is efficient and guarantees termination. Initial performance results

for our prototype implementation have been promising.


Publication typeInproceedings
Published in5th IEEE International Workshop on Policies for Distributed Systems and Networks (POLICY)
> Publications > Cassandra: distributed access control policies with tunable expressiveness