Information Technology Reference
In-Depth Information
Constraints are mainly used to restrict the behaviors of VRBAC instances or
so-called policies. A better knowledge about constraints will help analyze cor-
responding conflicts problems. Besides most of the original RBAC constraints
which still fit for virtualized network, some new ones specially for virtualized net-
work must be presented, including domain constraint, VM migration constraint,
separation of duties constraint and so on.
Considering that there's one-to-one correspondence between constraints and
conflicts, we'd like to skip constraints part here and introduce conflicts classifi-
cation directly in the next section.
4 Conflict Checking for VRBAC Policies
As the RBAC-like model is usually represented in form of policies, the violation
of the constraints in VRBAC could lead to conflicts in the policy level. In an
attempt to tackle these conflicts, a conflict checking model based on description
logic and Semantic Web Rule Language (SWRL) is proposed. We will describe
it after conflict classification.
4.1 Classification of VRBAC Conflicts
According to the VRBAC model we defined, the conflicts of VRBAC policies can
be categorized into 3 types: Domain Conflict (Dom-C), VM Migration Conflict
(Mig-C) and Separation of Duties Conflict (SoD-C).
Dom-C is a kind of conflict that occurs when a domain resource or virtual
machine has been assigned to a role or user from another domain which isn't in
friend relationship with the former. Denote it as
DOM
−
C
,thenweget
DOM
−
C
=
{
(
r, re
)
|
r
∈
Roles
∪
Users
∧
re
∈
Resources
∪
VMs
∧
has permission
(
r, re
)
∧
diff
(
r.dom, re.dom
)
,where
has permission
indicates the PA relationship and
the next
diff
predicate means that
r
and
re
belongs to different domains. An
example of Dom-C in the context of inter-domain cooperation is depicted in Fig.
2.
r
A
3
inherits the permission of
r
B
1
which belongs to neither the same domain
or a friendly one. These conflicts, if remain undetected and unresolved, would
expose the cooperating system to numerous vulnerabilities and risks pertaining
to the security and privacy of their data and resources.
Mig-C takes place when a virtual machine is about to be migrated or repli-
cated from one domain to another, which would probably lead to a naming error
for resource authentication. So a checking process running in background context
is necessary for handling a missing or a second virtual machine in some domain.
We denote this conflict as
MIG
}
−
C
,wehave
MIG
−
C
=
{
(
vm
1
,vm
2
)
|
vm
1
∈
VMs
.Thefol-
lowing example in Fig. 3 illustrates the Mig-C conflict. When the migrating
operation from
v
A
1
to
v
B
1
is done,
v
B
1
has acquired exactly the same identity
with
v
A
1
owing to replication enforcing mechanism. Users who own permissions
to
v
A
1
in Domain A will implicitly gain the access to
v
B
1
which obviously be-
longs to another domain, Domain B. These unwanted sharing between domains
would violate the securities of individual domains of the multi-domain system.
∧
vm
2
∈
VMs
∧¬
diff
(
vm
1
,vm
2
)
∧
diff
(
vm
1
.dom, vm
2
.dom
)
}
