{"title":"stabables:联邦系统的类似防火墙的策略引擎","authors":"S. Bhatia, A. Bavier, L. Peterson, Soner Sevinc","doi":"10.1109/ICDCS.2011.58","DOIUrl":null,"url":null,"abstract":"Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of Planet Lab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called {\\tt sfatables}, that is patterned after the {\\tt iptables} mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a {\\tt firewall} and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.","PeriodicalId":6300,"journal":{"name":"2012 IEEE 32nd International Conference on Distributed Computing Systems","volume":"3 2 1","pages":"467-476"},"PeriodicalIF":0.0000,"publicationDate":"2011-06-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":"{\"title\":\"sfatables: A Firewall-like Policy Engine for Federated Systems\",\"authors\":\"S. Bhatia, A. Bavier, L. Peterson, Soner Sevinc\",\"doi\":\"10.1109/ICDCS.2011.58\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of Planet Lab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called {\\\\tt sfatables}, that is patterned after the {\\\\tt iptables} mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a {\\\\tt firewall} and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.\",\"PeriodicalId\":6300,\"journal\":{\"name\":\"2012 IEEE 32nd International Conference on Distributed Computing Systems\",\"volume\":\"3 2 1\",\"pages\":\"467-476\"},\"PeriodicalIF\":0.0000,\"publicationDate\":\"2011-06-20\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"3\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"2012 IEEE 32nd International Conference on Distributed Computing Systems\",\"FirstCategoryId\":\"1085\",\"ListUrlMain\":\"https://doi.org/10.1109/ICDCS.2011.58\",\"RegionNum\":0,\"RegionCategory\":null,\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"\",\"JCRName\":\"\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"2012 IEEE 32nd International Conference on Distributed Computing Systems","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ICDCS.2011.58","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
sfatables: A Firewall-like Policy Engine for Federated Systems
Recent efforts to federate computation and communication resources across organizational boundaries face a challenge in establishing the policies by which one organization's users can access resources in other organizations. This paper describes an approach to defining, communicating, analyzing, and enforcing resource allocation policies in this new setting. Our approach was designed to address the needs of Planet Lab, but we demonstrate through a range of examples that it is general enough to accommodate a diverse collection of computing facilities. Our policy engine is implemented in a specific tool chain, called {\tt sfatables}, that is patterned after the {\tt iptables} mechanism used to define packet processing policies for network traffic. The interface to our policy engine thus uses the familiar paradigm of a {\tt firewall} and provides a flexible interface for resource owners to specify access policies for their resources. Our implementation makes it possible to precisely document policies, query, and analyze them.