CSE592: Security Policy Frameworks Scott Stoller, 18oct2007 Revised API for Cassandra the revised API supports addition and deletion of all rules and facts. the old API allows addition and deletion only of role activation facts. Benefits: (1) general administrative policies can be expressed. (2) facts can be added to and deleted from auxiliary relations directly, instead of encoding them as role activations and deactivations. special relations ----------------- permits(e,a): entity e may perform action a canReqCred(e, cred): e is authorized to obtain credentials that match cred, where cred has the form iss.p(args) <- constraint. delete(r(args)): the fact r(args) is being deleted. this replaces the isDeactivated predicate. special actions --------------- addRule(rule) deleteRule(rule) note: addRule and deleteRule can be used to add and delete facts, which are rules with no hypotheses. facts may be represented equivalently as "r(Args) :- true" or "r(args)". API --- e:doAction(a) e:requestCredential(cred) note: the action a may be one of the special actions above, or an application-specific action. pseudo-code for API operations ------------------------------ e:doAction(a): if not (P |- permits(e,a)) then return "denied" else match a with addRule(r): if r is in P then skip (or return "error") else insert r in P deleteRule(r): if r is not in P then skip (or return "error") else delete r from P if r is a fact then // process cascading deletions add delete(r) to P D = {delete(f) | P |- delete(f)} for each delete(f) in D delete f from P if present otherwise: perform action a on the resource return "done" P |- f : fact f is derivable from policy P [see previous notes for an alternative semantics for cascading deletion.] e: requestCredential(iss.p(args) <- cReq): same pseudo-code as with the old API. Implementation of original Cassandra API ---------------------------------------- to demonstrate that this new API is as expressive as the old API, we show to implement the old API using the new API. e:doAction(a): as above e:requestCredential(cred): as above e:activate(r): e:doAction(addRule(hasActivated(e,r) <- true)) e:deActivate(e1,r): e:doAction(deleteRule(hasActivated(e1,r) <- true)) Existing Cassandra policies need to be re-written as follows. replace each rule of the form canActivate(e,r) <- hyps with permits(e, addRule(hasActivated(e,r) <- true)) <- hyps replace each occurrence of isDeactivated(e,r) with delete(hasActivated(e,r)) example ------- The manager of a department can appoint members of the dept. old version: canActivate(mgr, AppointEmployee(e, dept)) :- hasActivated(mgr, Manager(dept)) canActivate(e, Employee(dept)) :- hasActivated(mgr, AppointEmployee(e, dept)) new version: permits(mgr, addRule(AppointEmployee(e, dept, mgr)) :- hasActivated(mgr, Manager(dept)) canActivate(e, Employee(dept)) :- AppointEmployee(e, dept, mgr) we still use hasActivated for Manager(dept), since role activation better supports least privilege. example ------- A user being removed from the Employee role should also be removed from the Manager role. old version: isDeactivated(e, Manager(dept)) :- isDeactivated(e, Employee(dept)). new version: delete(hasActivated(e, Manager(dept))) :- delete(hasActivated(e, Employee(dept)).