Controlling Collaborative Systems
description
Transcript of Controlling Collaborative Systems
![Page 1: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/1.jpg)
Controlling Collaborative Systems
-Srinivas Krishnan
Dept of Computer Science
UNC-Chapel Hill
![Page 2: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/2.jpg)
Collaborative Systems
Shared Resource
Access Control
Access Control
![Page 3: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/3.jpg)
Requirements for Access Control Systems
The access control operations must be idempotent
Scalability: Need to support N-users, as well as distributed
resources Preferred Goals
Transparency Ease of Administration
![Page 4: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/4.jpg)
Requirements for Access Control Systems
Access Control Systems are built in layers
Permissions
Notifications
AUDIT
![Page 5: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/5.jpg)
Access Matrix
.• Access specified on a per object basis
•Each user is given certain permissions
• To scale this further Access Control Lists are used
•Systems that use AMs: Grove, RTCAL (central admin provides the permissions to all objects)
![Page 6: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/6.jpg)
ACL and CCL
•Access Control Matrices are linked together to form ACLs for each object
•Capability Lists are the opposite of ACLS, where users maintain which objects they have access to.
ACLCCL
![Page 7: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/7.jpg)
Pros and Cons of ACLs
Easy to implement and maintain Dynamic changing of rights hard Needs knowledge of each users needs
before hand. Not always possible in a collaborative
environment Also each user/object needs to be explicitly
given permissions
![Page 8: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/8.jpg)
Role Based Access Control (Sandhu et al)
Permissions are assigned to roles User authenticates in a 2 step process
Users Roles
Request
Role
Permissions
Resources
![Page 9: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/9.jpg)
RBAC (cont)
Notion of a session Bound to a single user accessing the resource
and the roles he needs Needs a policy in place generic enough to
accommodate all accesses Did not allow for migration of roles within a
single session
![Page 10: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/10.jpg)
Spatial Access Control
Divides collaborative environment into spaces
Collaborative Environment
Collaborative Environment
Space
Collaborative Environment
Space
Collaborative Environment
Space
![Page 11: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/11.jpg)
Spatial Access Control
Uses an access graph to allow for traversal between the various spaces
Further we can provide constraints in movement from space to space
SpaceA
SpaceB
SpaceC
User1 User1
User2
![Page 12: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/12.jpg)
Test Setting Taking the Test
Correction Results
ProfessorStudent Student
Student
StudentProfessor
![Page 13: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/13.jpg)
Implementation Issues
Order of updates and notification matter Cannot depend on a global clock to be
synchronized
Permissions
Give Access to Bob (Op1)
Remove Access to Bob (Op2)
![Page 14: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/14.jpg)
Solution for Order of Updates Most fine-grained locking operations require “Total-Ordering”
Perform Operation
Check Update Counter
Remote Counter
> Local < LocalAdopt Remote Counter X
=
![Page 15: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/15.jpg)
Fine-Grained Access Control
Traditional Modes do not scale too well for N-users needing dynamic rights
Fast provision of permissions Optimistic Locks and Access Control can
provide native performance
![Page 16: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/16.jpg)
Optimistic Control
“Make the user ask forgiveness not permission”
A similar system exists in UNIX with sudo. However, changes are permanent
Resource
John
Everyday access
John
Move Resource
Fire in Building
Access Denied
![Page 17: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/17.jpg)
Optimistic Access Control
Needs different points of entry
Resource
Access Control
AUDIT
Normal Entry
ElevatedEntry
![Page 18: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/18.jpg)
Optimistic Control
Guaranteed Protection
No Protection
Transaction
Transaction New State
New State Compensating
![Page 19: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/19.jpg)
Auditing Optimism
Verification Classes
Integrity Rules must be verified at all times
ResourceTransaction Compensation
Verify
Users
![Page 20: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/20.jpg)
Logger
Simple Optimistic Access Control
File
AuthModules
TransactionChecker
Write to File
PTP LOG
Verify
Log
![Page 21: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/21.jpg)
Case-Study: P2P Collaborative Systems
MOTION: Provides Access Control in a P2P environment No Centralized Access Control
Scalability: N-Users N-Auth Modules Dynamic Entry & Exit of Users
Role Based Access Control L1 peer & L2 peer L1 peers protect resources
![Page 22: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/22.jpg)
Architecture
![Page 23: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/23.jpg)
Improving Motion
Requester L1/L2 Peer
Distributed Search
L1/L2 Peer
Perform Op
Peer
![Page 24: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/24.jpg)
Summary
Access Control essential for maintaining a secure Collaborative Environment
Access Control can introduce lag and degrade a user’s experience
Optimistic Access Control algorithms can be used to allow user’s to experience native performance
![Page 25: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/25.jpg)
References: Tolone, W., Ahn, G., Pai, T., and Hong, S. 2005. Access control in collaborative
systems. ACM Comput. Surv. 37, 1 (Mar. 2005), 29-41. Povey, D. 2000. Optimistic security: a new access control paradigm. In
Proceedings of the 1999 Workshop on New Security Paradigms (Caledon Hills, Ontario, Canada, September 22 - 24, 1999). NSPW '99. ACM Press, New York, NY, 40-45.
Chengzheng Sun, "Optional and Responsive Fine-Grain Locking in Internet-Based Collaborative Systems," IEEE Transactions on Parallel and Distributed Systems ,vol. 13, no. 9, pp. 994-1008, September, 2002.
Fenkam, P.; Dustdar, S.; Kirda, E.; Reif, G.; Gall, H., "Towards an access control system for mobile peer-to-peer collaborative environments," Enabling Technologies: Infrastructure for Collaborative Enterprises, 2002. WET ICE 2002. Proceedings. Eleventh IEEE International Workshops on , vol., no.pp. 95- 100, 2002
Strom, R.; Banavar, G.; Miller, K.; Prakash, A.; Ward, M., "Concurrency control and view notification algorithms for collaborative replicated objects," Computers, IEEE Transactions on , vol.47, no.4pp.458-471, Apr 1998
![Page 26: Controlling Collaborative Systems](https://reader033.fdocuments.in/reader033/viewer/2022061502/56814502550346895db1cc99/html5/thumbnails/26.jpg)
Questions ?