/*
 * Webpack JSONP chunk 80, module 425: the compiled VuePress page
 * "Access Control in Teaclave" (the markdown it was generated from is not in
 * this file — edit the source page, not this bundle). The module is flagged as
 * an ES module (t.r) and registers a Vue component whose render function emits
 * the page body under a ContentSlotsDistributor keyed by the parent's slotKey.
 * `t(11)` / `Object(s.a)(...)` is presumably the component normalizer
 * (vue-loader style) — confirm against module 11.
 *
 * All rendered text comes from fixed string literals in this render function;
 * no request- or user-controlled data flows into it. The two external links
 * open in a new tab with rel="noopener noreferrer", so the opener is not
 * exposed. NOTE(review): the page text itself states the access-control engine
 * is experimental and may crash on badly shaped requests; callers of that
 * service should treat an error or missing response as "denied" — the service
 * code is not part of this file, so confirm there.
 */
(window.webpackJsonp=window.webpackJsonp||[]).push([[80],{425:function(e,a,t){"use strict";t.r(a);var s=t(11),n=Object(s.a)({},(function(){var e=this,a=e.$createElement,t=e._self._c||a;return t("ContentSlotsDistributor",{attrs:{"slot-key":e.$parent.slotKey}},[t("h1",{attrs:{id:"access-control-in-teaclave"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#access-control-in-teaclave"}},[e._v("#")]),e._v(" Access Control in Teaclave")]),e._v(" "),t("p",[e._v("Access control in multi-party computation, by its nature, is set-centric. Unlike\nin traditional settings where only one entity, group, or role is involved in an\naction, in multi-party computation tasks an access is approved or denied by\ncombining the decisions of all stakeholders. Ownership is also set-like, because\nthe result of a joint computation task very likely belongs to all parties that\nhave provided data.")]),e._v(" "),t("p",[e._v("We found that access control models in conventional systems like RBAC and ABAC\nare not powerful enough to govern data usages in Teaclave. 
Therefore, we\ninvented our own access control model and mechanism.")]),e._v(" "),t("h2",{attrs:{id:"model"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#model"}},[e._v("#")]),e._v(" Model")]),e._v(" "),t("p",[e._v("The access control model of Teaclave is configured through the file\n"),t("a",{attrs:{href:"https://github.com/apache/incubator-teaclave/blob/master/services/access_control/model.conf",target:"_blank",rel:"noopener noreferrer"}},[e._v("model.conf")]),e._v(".\nThe file has three sections:")]),e._v(" "),t("ul",[t("li",[e._v("requests")]),e._v(" "),t("li",[e._v("terms")]),e._v(" "),t("li",[e._v("matchers")])]),e._v(" "),t("p",[e._v("Before diving into the details about how our access control model works, we\nrecommend readers learn about "),t("a",{attrs:{href:"https://en.wikipedia.org/wiki/Logic_programming",target:"_blank",rel:"noopener noreferrer"}},[e._v("logic programming")]),e._v("\nfirst, because our\nmodel configuration language is actually a home-baked tiny logic programming\nlanguage.")]),e._v(" "),t("h3",{attrs:{id:"request"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#request"}},[e._v("#")]),e._v(" request")]),e._v(" "),t("p",[e._v('A request is a query that should be answered by the access control service. The\nresponse is either "approved" or "denied." A request is defined as a tuple of\nany arity. For example,')]),e._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[e._v("[requests]\ntask_access_data = task, data\n")])])]),t("p",[e._v("defines a request called "),t("code",[e._v("task_access_data")]),e._v(" which contains two fields named\n"),t("code",[e._v("task")]),e._v(" and "),t("code",[e._v("data")]),e._v(". 
This request can mean a task with the id "),t("code",[e._v("task")]),e._v(" wants to\naccess a piece of data hosted by Teaclave whose id is "),t("code",[e._v("data")]),e._v(".")]),e._v(" "),t("h3",{attrs:{id:"term"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#term"}},[e._v("#")]),e._v(" term")]),e._v(" "),t("p",[e._v("Terms are relations over certain domains. Each term can be viewed as a table\nstoring facts about the entities revelant to the access control logic. For\nexample,")]),e._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[e._v("[terms]\ndata_owner = data, usr\ntask_participant = task, usr\n")])])]),t("p",[e._v("For the "),t("code",[e._v("task_access_data")]),e._v(" request, there are three relevant domains: "),t("code",[e._v("data")]),e._v(",\n"),t("code",[e._v("usr")]),e._v(", and "),t("code",[e._v("task")]),e._v(". Furthermore, two relations are required by Teaclave to make\na decision, which are")]),e._v(" "),t("ul",[t("li",[t("code",[e._v("data_owner")]),e._v(" relation over ("),t("code",[e._v("data")]),e._v(" X "),t("code",[e._v("usr")]),e._v("), denoting which user owns\na piece of data.")]),e._v(" "),t("li",[t("code",[e._v("task_participant")]),e._v(" relation over ("),t("code",[e._v("task")]),e._v(" X "),t("code",[e._v("usr")]),e._v("), denoting which\nusers are the participants of a joint computation task.")])]),e._v(" "),t("p",[e._v("An instance of the database describing the two terms could be")]),e._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[e._v("data_owner data_1, usr_1\ndata_owner data_2, usr_1\ndata_owner data_2, usr_2\n\ntask_participant task_1 usr_1\ntask_participant task_1 usr_2\n")])])]),t("p",[e._v("The facts stored in this database instance indicate that "),t("code",[e._v("data_1")]),e._v(" is owned\nexclusively by "),t("code",[e._v("usr_1")]),e._v(", while "),t("code",[e._v("data_2")]),e._v(" is 
owned by "),t("code",[e._v("usr_1")]),e._v(" and "),t("code",[e._v("usr_2")]),e._v("\ntogether. The facts also indicates that "),t("code",[e._v("task_1")]),e._v(" has two participants, i.e.,\n"),t("code",[e._v("usr_1")]),e._v(" and "),t("code",[e._v("usr_2")]),e._v(".")]),e._v(" "),t("h3",{attrs:{id:"matcher"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#matcher"}},[e._v("#")]),e._v(" matcher")]),e._v(" "),t("p",[e._v("The core logic used by Teaclave to resolve a request is defined as a matcher.\nWe define the matcher for "),t("code",[e._v("task_access_data")]),e._v(" request as the following")]),e._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[e._v("[matcher]\ntask_access_data = data_owner(task_access_data.data, _) <= task_participant(task_access_data.task, _)\n")])])]),t("p",[t("code",[e._v("data_owner(task_access_data.data, _)")]),e._v(" and\n"),t("code",[e._v("task_participant(task_access_data.task, _)")]),e._v(" are term queries. The return value\nof "),t("code",[e._v("data_owner(task_access_data.data, _)")]),e._v(" is a subset of the "),t("code",[e._v("usr")]),e._v(" domain,\nwhere each value "),t("code",[e._v("u")]),e._v(" in the fact meets the condition that")]),e._v(" "),t("div",{staticClass:"language- extra-class"},[t("pre",{pre:!0,attrs:{class:"language-text"}},[t("code",[e._v("data_owner task_access_data.data u\n")])])]),t("p",[e._v("is in the terms database. "),t("code",[e._v("_")]),e._v(" is called the query wild card and "),t("code",[e._v("<=")]),e._v(" is the\nsubset operator. 
Therefore, the matcher basically means that, "),t("em",[e._v("the request for\n"),t("code",[e._v("task")]),e._v(" to access "),t("code",[e._v("data")]),e._v(" is approved only if all owners of "),t("code",[e._v("data")]),e._v(" are have\narticipated in "),t("code",[e._v("task")])]),e._v(".")]),e._v(" "),t("h2",{attrs:{id:"implementation"}},[t("a",{staticClass:"header-anchor",attrs:{href:"#implementation"}},[e._v("#")]),e._v(" Implementation")]),e._v(" "),t("p",[e._v("The access control module of Teaclave is implemented as a standalone service.\nOther components should send RPC requests to the service and get access control\ndecisions as RPC responses.")]),e._v(" "),t("p",[e._v("The model configuration parser and request resolution engine are written in\nPython, powered by MesaPy. The access control service of Teaclave is a nice\nshowcase of what MesaPy is capable of.")]),e._v(" "),t("p",[e._v("The implementation is purely experimental at this point. The performance is not\noptimized and the engine is likely not robust enough to avoid crashes while\ndealing with badly shaped requests. Contributions are welcome!")])])}),[],!1,null,null,null);/* expose the normalized component as this module's default export */a.default=n.exports}}]);