Role and attribute based collaborative administration of intra-tenant cloud IaaS

Abstract

Cloud Infrastructure as a Service (IaaS), where traditional IT infrastructure resources such as compute, storage and networking are owned by a cloud service provider (CSP) and offered as on-demand virtual resources to customers (tenants), is the fastest maturing service model in cloud computing. The transformation of physical resources into virtual offers great flexibility to CSP customers including network based remote collaborative administration. This flexibility can be fully availed only if complemented by commensurately flexible access control to the customers remote IT resources by the customer's IT users. Since customer policies in this regard can vary greatly, the CSP needs a flexible model to accommodate diverse policy requirements. In this paper, we investigate attribute-based access control (ABAC) in cloud IaaS. In ABAC, access requests are evaluated based on the attributes of cloud tenant users and those of objects such as virtual machines, storage volumes, networks, etc. We investigate the access control models supported by commercial IaaS providers such as Amazon AWS and opensource OpenStack, as well as other models in the literature, which mostly use role-based access control (RBAC). We demonstrate their limitations and motivate the need for ABAC support to realize the true potential of IaaS. Building on prior published ABAC models we define a formal ABAC model suitable for IaaS. As proof-of-concept we implement this model in OpenStack, a widely-used open source cloud IaaS software platform. We discuss enforcement alternatives in this context and partially evaluate their performance.