An authorization control framework to enable service composition - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
An authorization control framework to enable
service composition
  • Takashi Suzuki, Randy H. Katz
  • EECS Department
  • University of California, Berkeley
  • {tsuzuki, randy}@EECS.Berkeley.EDU

2
Motivation
  • Demand for customized service provisioning for each individual user → Web service composition

[Figure: a portal receives the user's request and returns a customized service composed from loosely coupled service components, drawing on the user profile, device profile, location and time.]

  • How to manage authorization for a composed service whose service components sit in different administrative domains? → Need an authorization control framework that supports flexible and complex service composition.

3
Example of composed service
  • Customized multimedia content streaming over
    mobile networks

[Figure: the user reaches the portal over the mobile network (domain 1). The portal composes the session (numbered steps 1–7) from a user profile service in domain 2 (location, device, credit, preference, age), a content server in domain 3, a QoS manager in domain 4, and a content adaptation edge server. The figure also marks the authorization control function that the components consult.]
4
Issues to be solved
  • Various service components are invoked in a session.
    • The protocol between the authorization control server and the service components must be able to carry the authorization information of all of them.
    • Existing protocols are designed for specific services only (e.g., Diameter for network access, COPS for QoS control).
    • → A generic authorization control protocol
  • The portal needs to invoke service components beyond its local administrative domain.
    • It needs to obtain many credentials (tickets) from external administrative domains.
    • Or, each service component needs to prepare multiple authorization rules for credentials from different external domains.
    • → An authorization control scheme with credential transformation

5
A generic authorization control protocol
  • Designed to build a common authorization control infrastructure
  • Based on SOAP/XML
    • SOAP
      • Lightweight protocol for remote service invocation
      • Firewall traversal
      • Independent of the underlying transport protocol and security mechanism
    • XML-based language for authorization information
      • Simple, but powerful enough to express complex data structures
      • By using schema languages, common authorization control classes and methods can be defined
      • New applications can be supported by defining a new namespace without spoiling interoperability

[Figure: authorization control infrastructure. The user's request reaches the portal, which invokes Service 1 and Service 2; service requests are steps 1, 3 and 5, and for each of them the receiving component sends a decision request (steps 2, 4 and 6) over the authorization control protocol to the authorization control infrastructure, which evaluates it against its policy.]
6
An authorization control function
[Figure: the authorization control function parses the decision request (XML Parser → DOM), walks the authorization rule tree against the rules (Rule Tree Check) and verifies the request parameters (Parameter Verification). The service component acts as SOAP/HTTP client and sends an authorization decision request carrying the service component, service action, credentials and conditions; the function acts as SOAP/HTTP server and returns the Result in the authorization decision response.]

Example of SOAP message: AuthorizationDecision Request

    POST /AuthorizationDecision HTTP/1.1
    Host: www.AAAserver.com
    Content-Type: text/xml; charset="UTF-8"
    Content-Length: nnnn
    SOAPAction: "/AuthorizationDecision"

    <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <m:AuthorizationDecision xmlns:m="AAAServerInterface">
          <!-- service component, service action, credentials and conditions -->
        </m:AuthorizationDecision>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
7
Example of SOAP message
(a) AuthorizationDecision Request: as shown on slide 6
(b) AuthorizationDecision Response

    HTTP/1.1 200 OK
    Content-Type: text/xml; charset="UTF-8"
    Content-Length: nnnn

    <SOAP-ENV:Envelope
        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
      <SOAP-ENV:Body>
        <m:AuthorizationDecisionResponse xmlns:m="TrustManagementInterface">
          <!-- result -->
        </m:AuthorizationDecisionResponse>
      </SOAP-ENV:Body>
    </SOAP-ENV:Envelope>
8
An authorization control scheme with credential
transformation
  • Service invocation across domains

[Figure: the user in domain 1 obtains credentials from domain 1 and sends a request carrying these local credentials to a service in domain 2. The service forwards a decision request with the domain-1 credentials to the authorization control function of domain 2, which evaluates it using its own rule repository and the credential transformation rules; domain 1 keeps its own rule repository.]
  • The authorization control function dynamically converts the authorization rule hierarchy according to the credential transformation rules.
  • It then makes the authorization decision based on the generated rules.

[Figure: the authorization rule hierarchy is Service → Action → Credential/Condition. A transformation rule maps local credential c1 to external credential c'1 with condition e'1. The stored rule requires {c1, c2, e2}; the dynamically generated rule hierarchy requires {c'1, c2, e2, e'1}.]
9
An authorization control function with credential
transformation
Transform XML document (authorization rule)
based on XSLT document (transformation rule)
[Figure: the authorization decision function parses the authorization rule (XML Parser → DOM), transforms it according to the credential transformation rule written in XSLT, then performs Rule Tree Check and Parameter Verification. A base part is shared and an application-specific part is added per service. The service component, as SOAP/HTTP client, sends an authorization decision request with external credentials (service, action, credentials, conditions) and receives the Result from the SOAP/HTTP server.]
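The decision exchange of slides 5–7 and the rule transformation of slides 8–9, as an added worked example in Python (this is not the slides' code nor the authors' implementation). Only the SOAP envelope, the operation names and the two xmlns:m values come from the slides; the child element names (Service, Action, Credential, Condition, Result), the rule tree format, the condition syntax and all sample data are assumptions made for this example. The transformation is applied to the parsed rule tree in Python instead of via XSLT, which is the mechanism the slides name.

```python
"""Added example (not the slides' code): one AuthorizationDecision SOAP exchange over an
authorization rule tree, plus the credential transformation of slides 8-9. Envelope,
operation names and xmlns:m values are from the slides; everything else is assumed."""
import operator
import re
import xml.etree.ElementTree as ET

SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
REQ_NS = "AAAServerInterface"         # xmlns:m of the request (slide 6)
RESP_NS = "TrustManagementInterface"  # xmlns:m of the response (slide 7)
for _prefix, _uri in (("SOAP-ENV", SOAP_ENV), ("m", REQ_NS), ("tm", RESP_NS)):
    ET.register_namespace(_prefix, _uri)

def q(ns, tag):
    """Clark notation {ns}tag as ElementTree expects it."""
    return f"{{{ns}}}{tag}"

# Constructed rule hierarchy of the content provider (domain 2):
# Service -> Action -> required local credentials and parameter conditions.
RULE_TREE = {"ContentServer": {"stream": {"credentials": {"subscriber"},
                                          "conditions": {"age>=18"}}}}
# Constructed transformation rules (slide 8: c1 -> c'1, e'1): a rule requiring local
# credential c1 is rewritten to require external credential c'1 under condition e'1.
TRANSFORM_RULES = {"subscriber": ("domain1:postpaid", "device=handset")}
_OPS = {">=": operator.ge, "<=": operator.le, "=": operator.eq,
        ">": operator.gt, "<": operator.lt}

def check_condition(cond, params):
    """Parameter verification: evaluate one 'name<op>value' condition."""
    m = re.fullmatch(r"(\w+)(>=|<=|=|>|<)(\w+)", cond)
    if m is None or m.group(1) not in params:
        return False                    # malformed rule or missing parameter: deny
    name, op, want = m.groups()
    have = params[name]
    if want.isdigit() and have.isdigit():
        return _OPS[op](int(have), int(want))
    return _OPS[op](have, want)

def transform_rule_tree(rule_tree, transform_rules):
    """Slide 8: generate the rule hierarchy for requests carrying external credentials
    (the slides do this with XSLT; here the rewrite runs on the parsed tree)."""
    out = {}
    for service, actions in rule_tree.items():
        out[service] = {}
        for action, req in actions.items():
            creds, conds = set(), set(req["conditions"])
            for c in req["credentials"]:
                ext, extra = transform_rules.get(c, (c, None))  # untransformed stay local
                creds.add(ext)
                if extra:
                    conds.add(extra)
            out[service][action] = {"credentials": creds, "conditions": conds}
    return out

def decide(rule_tree, service, action, credentials, params):
    """Slide 6: rule tree check, then parameter verification. Unmatched means Deny."""
    req = rule_tree.get(service, {}).get(action)
    if req is None or not req["credentials"] <= set(credentials):
        return "Deny"
    return "Permit" if all(check_condition(c, params) for c in req["conditions"]) else "Deny"

def build_request(service, action, credentials, params):
    """SOAP client (portal / service component): the m:AuthorizationDecision body."""
    env = ET.Element(q(SOAP_ENV, "Envelope"), {q(SOAP_ENV, "encodingStyle"): SOAP_ENC})
    op = ET.SubElement(ET.SubElement(env, q(SOAP_ENV, "Body")), q(REQ_NS, "AuthorizationDecision"))
    ET.SubElement(op, q(REQ_NS, "Service")).text = service
    ET.SubElement(op, q(REQ_NS, "Action")).text = action
    for c in credentials:
        ET.SubElement(op, q(REQ_NS, "Credential")).text = c
    for name, value in params.items():
        ET.SubElement(op, q(REQ_NS, "Condition"), name=name).text = str(value)
    return ET.tostring(env, encoding="unicode")

def handle_request(xml_text, rule_tree, transform_rules=None):
    """SOAP server (authorization control function): parse, decide, answer.
    Pass transform_rules when the request carries another domain's credentials."""
    root = ET.fromstring(xml_text)
    op = root.find(f"{q(SOAP_ENV, 'Body')}/{q(REQ_NS, 'AuthorizationDecision')}")
    if op is None:
        raise ValueError("not an AuthorizationDecision request")
    creds = [c.text for c in op.findall(q(REQ_NS, "Credential"))]
    params = {c.get("name"): c.text for c in op.findall(q(REQ_NS, "Condition"))}
    tree = transform_rule_tree(rule_tree, transform_rules) if transform_rules else rule_tree
    result = decide(tree, op.findtext(q(REQ_NS, "Service")),
                    op.findtext(q(REQ_NS, "Action")), creds, params)
    env = ET.Element(q(SOAP_ENV, "Envelope"))
    resp = ET.SubElement(ET.SubElement(env, q(SOAP_ENV, "Body")),
                         q(RESP_NS, "AuthorizationDecisionResponse"))
    ET.SubElement(resp, q(RESP_NS, "Result")).text = result
    return ET.tostring(env, encoding="unicode")

def parse_result(xml_text):
    """SOAP client: read the Result element out of the response."""
    return ET.fromstring(xml_text).findtext(f"{q(SOAP_ENV, 'Body')}/"
        f"{q(RESP_NS, 'AuthorizationDecisionResponse')}/{q(RESP_NS, 'Result')}")

def portal_flow(credentials, params, cross_domain):
    """End to end: the portal asks for 'stream' on ContentServer and gets a decision."""
    req = build_request("ContentServer", "stream", credentials, params)
    return parse_result(handle_request(req, RULE_TREE, TRANSFORM_RULES if cross_domain else None))

if __name__ == "__main__":
    print(portal_flow(["subscriber"], {"age": "25"}, False))                              # Permit
    print(portal_flow(["domain1:postpaid"], {"age": "25", "device": "handset"}, False))  # Deny
    print(portal_flow(["domain1:postpaid"], {"age": "25", "device": "handset"}, True))   # Permit
```

The second call shows the problem slide 4 describes: a domain-1 credential presented against domain 2's untransformed rules is denied, so the portal would otherwise have to fetch a domain-2 ticket. With the transformation applied, the same request is permitted only while the added condition e'1 (here device=handset) and the original age condition both hold. Two points the slides leave implicit: the protocol is "independent of the security mechanism", so the decision request and response need authentication and integrity protection at the transport or message layer, or any caller can forge a Permit; and xml.etree should be swapped for defusedxml.ElementTree when the SOAP input comes from an untrusted service component.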
10
Conclusion
  • Studied an authorization control framework to enable service composition across administrative domains
    • A generic authorization control protocol is needed to support various service components
    • Designed a SOAP/XML-based protocol that meets the requirements
  • Proposed an authorization control scheme with credential transformation
    • To reduce the overhead for a portal of obtaining multiple credentials (tickets) from external administrative domains
    • To free service providers from preparing multiple authorization rules for different administrative domains
  • Future work
    • Implement the generic authorization control protocol and the authorization control function
    • Investigate a scalable authorization scheme to support composed services containing many service components