Ted Wobber, Thomas L. Rodeheffer, and Douglas B. Terry
24 July 2009
Enforcing authorization policy for operations that read and write distributed datasets can be tricky under the simplest of circumstances. Enforcement is too often dependent on implementation specifics and on policy detail that is inextricable from the data under management. When datasets are distributed across replicas in a weakly-consistent fashion, for example when updates to policy and data propagate lazily, the problem becomes substantially harder. Specifically, if disjoint replicas can make different decisions about the permissibility of a potential modification due to temporary policy inconsistencies, then permanently divergent state can result. In this paper, we describe and evaluate the design and implementation of an access-control system for weakly consistent replication where peer replicas are not uniformly trusted. Our system allows for the specification of fine-grained access control policy over a collection of replicated items. Policies are expressed using a logical assertion framework and access control decisions are logical proofs. Policy can grow organically to encompass new replicas through delegation. Eventual consistency is preserved despite the fact that access control policy can be temporarily inconsistent.