accumulo-dev mailing list archives

From Kevin Smith <kevintrentsm...@gmail.com>
Subject Re: "NOT" operator in visibility string
Date Mon, 14 Apr 2014 21:02:06 GMT
I was recently talking to Aaron Cordova, and he asked me to chime into this
thread, based on some of the work that I have done and graduate work that I
have done in the access control space.

Mixing positive and negative authorizations for visibility is certainly
doable; however, there are some challenges related to doing so.

When you give people the possibility of combining positive and negative
access control policies, you also give them the potential to create
conflicts that could (1) make something invisible to everyone [perfect
security?], or (2) make something visible to everyone.

And someone could do both of these, unintentionally.

Ex1: A simple policy like (A & !A) will make something non-accessible
(and this is trivial to see).  At the same time, a complex policy like
((A|B)&(C|D)&(E|F)&(G|!A)) could *potentially* resolve to a policy that
would deny everyone access, because in the case of someone who doesn't have
B or G (and someone who has C|D and E|F), A and !A would cancel
themselves out.

Ex2: In the same way, someone could build another policy that might resolve
to something like (A|!A), which would resolve to no security at all.

So if you were to build a system that mixed negative and positive
operators, I think there would be a need to have a *policy resolver* to
make sure that a well-intentioned developer was not accidentally disabling
security or making something completely invisible and useless to everyone.
You can see that there is a lot of academic research on conflict
resolution when it comes to mixing positive and negative authorizations
(see paper below):

https://www.site.uottawa.ca/~luigi/papers/09_adi_bouzida_hattak.pdf

The above paper doesn't make a case for NOT mixing positive and negative
authorizations, but you can see that by not mixing them, you can avoid a
number of pitfalls. With some work, any negative authorization statements
can be re-written as positives. I've had to do this for a number of systems
for RBAC (which only does positive authorizations).

Anyway - just something to think about. I hope this helps!

Kevin T. Smith
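A small policy resolver of the kind the message calls for, written as an added example (it is not code from the message, from Accumulo, or from the cited paper): it parses a visibility-style expression built from labels, `!`, `&`, `|` and parentheses, then brute-forces every authorization set a reader could hold to flag policies that deny everyone or grant everyone. The `without` parameter is an assumption of this example: labels a reader population is known to lack, which reproduces the "no B or G" case from Ex1.

```python
import itertools
import re

def parse(expr):
    # Tree shape: a label is a str, an operation is (op, *children); ! > & > |.
    toks = re.findall(r"[A-Za-z0-9_]+|[&|!()]", expr) + [None]  # None marks end
    pos = 0
    def binary(level):  # level 0 parses '|', level 1 parses '&'
        nonlocal pos
        sub = unary if level == 1 else (lambda: binary(1))
        node = sub()
        while toks[pos] == "|&"[level]:
            op, pos = toks[pos], pos + 1
            node = (op, node, sub())
        return node
    def unary():
        nonlocal pos
        t, pos = toks[pos], pos + 1
        if t == "!":
            return ("!", unary())
        if t == "(":
            node = binary(0)
            if toks[pos] != ")":
                raise ValueError("unbalanced parentheses in %r" % expr)
            pos += 1
            return node
        if t is None or t in "&|!()":
            raise ValueError("expected a label in %r" % expr)
        return t
    tree = binary(0)
    if toks[pos] is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return tree

def evaluate(node, auths):
    """Does a reader holding the authorization set `auths` satisfy the policy?"""
    if isinstance(node, str):
        return node in auths
    vals = [evaluate(k, auths) for k in node[1:]]
    return (not vals[0]) if node[0] == "!" else all(vals) if node[0] == "&" else any(vals)

def resolve(expr, without=()):
    """Brute-force resolver: enumerate every authorization set a reader could
    hold (labels in `without` are known absent) and classify the policy."""
    tree = parse(expr)
    names = sorted(set(re.findall(r"[A-Za-z0-9_]+", expr)) - set(without))
    seen = {evaluate(tree, {n for n, on in zip(names, bits) if on})
            for bits in itertools.product((False, True), repeat=len(names))}
    verdicts = {frozenset({False}): "denies everyone", frozenset({True}): "grants everyone"}
    return verdicts.get(frozenset(seen), "depends on reader")
```

Run on the message's examples, `resolve("A & !A")` reports "denies everyone" and `resolve("(A|!A)")` reports "grants everyone", while the longer Ex1 policy only collapses to "denies everyone" once B and G are passed in `without`. The enumeration is exponential in the number of distinct labels, so a production resolver would want a SAT or BDD approach instead.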
