VRBAC: An Extended RBAC Model for Virtualized Environment and Its Conflict Checking Approach
Yang Luo 1,3, Yazhuo Li 1,3, Qing Tang 1,3, Zhao Wei 1,3, and Chunhe Xia 1,2,3
1 Beijing Key Laboratory of Network Technology
2 State Key Laboratory of Virtual Reality Technology and Systems
3 School of Computer Science and Engineering, Beihang University, Beijing, China
veotax@sae.buaa.edu.cn, lyzalexandra@126.com, tangiqingkd@sina.com, wz@cse.buaa.edu.cn, xch@buaa.edu.cn
Abstract. This paper extends the authorization capability of RBAC by adding domain and virtual machine features, with the aim of applying it in virtualized scenarios. We define a new model named VRBAC, in which authorized users can migrate or copy virtual machines from one domain to another without causing a conflict. Subjects can also share permissions not only on resources but also on virtual machines with other subjects from the same or a different domain. Three types of conflicts in VRBAC policies are discussed and described in the form of description logic, which makes the policies accessible to reasoning engines and facilitates the conflict checking procedure. Based on Active Directory and Xen Cloud Platform, VRBAC model visualization and conflict checking are enforced in a prototype system. The experimental results indicate that all conflicts can be detected effectively, and that the generated textual report provides conflict details such as conflict types, positions and causes as guidance for further conflict resolution.
Keywords: virtualization, RBAC, policy conflict, description logic.
1 Introduction
As an approach to managing system access for authorized users, the RBAC model has been widely used in most practical collaborative environments and has also been successfully applied in many systems, such as Microsoft Active Directory, SELinux and FreeBSD[1]. In recent years, virtualization has become one of the most popular technologies. Most companies intend to move their services and data into virtualized networks without abandoning their existing RBAC mechanism; however, because of some intrinsic characteristics of virtualization, the original RBAC model is no longer applicable. Therefore we need a new authorization framework that remains compatible with the existing RBAC model.
To address the shortcomings of authorization mechanisms in the virtualized environment, we propose the virtualized RBAC model, abbreviated as VRBAC,