VRBAC: An Extended RBAC Model for Virtualized Environment and Its Conflict Checking Approach - Frontiers in Internet Technologies - page 204

Information Technology Reference

In-Depth Information

Tabl e 1. Report of Conflict Checking

No. Type Position

Cause

Alice ∈ NRDC 1001 ∩ NSFC 0902

∧permitRWX ( NRDC 1001 ,FileX )

∧denyRWX ( NSFC 0902 ,FileX )

Group:: NRDC1001

Group:: NSFC0902

1

SoD

hasV M ( KLBNT,VM 06) ∧ withDom

( VM 06 ,JSI ) ∧¬friend ( KLBNT,JSI )

2

Mig VM:: NRDC VM06

Jeffery ∈ NRDC 1102 ∩ VCTF 1209

∧permitR ( VCTF 1209 ,FileZ )

∧denyR ( NRDC 1102 ,FileZ )

Group:: NRDC1102

Group:: VCTF1209

3

SoD

Carrie ↆ NSFC 0902 ∧ withDom

( NSFC 0902 ,KLBNT ) ∧ withDom (

Carrie,JSI ) ∧¬friend ( KLBNT,JSI )

4

Dom User:: Carrie

controlled below 20 seconds with parallel processing enabled. Also the conflict

report generated by VVCC also relieves the burden of administrators by reducing

the time of conflict resolution for nearly 90%.

Tabl e 2. Consequence of Comparative Experiment

Conflict Number Checking time (s) Solving Time (s)

Type Manual VVCC Manual

VVCC Manual VVCC

Dom-C

15

24

425

12

320

25

Mig-C

2

7

236

19

462

32

SoD-C

17

53

968

11

594

41

6 Discussion and Conclusion

In the practice of the virtualization, the complexity of administrative tasks for

cross-domain VMs has exceeded the expressing power of existing access control

framework. In this paper, VRBAC model, which is extended from RBAC, is

proposed to fill the gap in authorization aspect. VRBAC has been enhanced

with two new concepts, VM and Domain, including corresponding constrains in

comparison with original RBAC model. Also, according to the conflict classifica-

tion, a conflict checking approach is presented to figure out the type, cause and

location of conflicts. Experimental results show that our prototype system ac-

tually facilitates the administrators of virtualized network in aspects of alerting

unauthorized access danger and helping improve the safety of the access control

system.

Acknowledgments. This work was supported by the National Natural Science

Foundation of China under Grant No. 61170295, the Co-Funding Project of

Beijing Municipal Education Commission under Grant No.JD100060630 and the

Project of National Ministry under Grant No.A2120110006.

Next Page

Frontiers in Internet Technologies

Search WWH ::

Custom Search

Home