Title: An authorization control framework to enable service composition
1. An authorization control framework to enable service composition
- Takashi Suzuki, Randy H. Katz
- EECS Department
- University of California, Berkeley
- tsuzuki, randy_at_EECS.Berkeley.EDU
2. Motivation
- Demand for customized service provisioning for each individual user → Web service composition
[Figure: a Portal receives a Request together with the User Profile, Device Profile, Location and Time, and returns a Customized Service assembled from loosely coupled service components]
- How to manage authorization for a composed service which contains various service components in different administrative domains? → Need an authorization control framework to support flexible and complex service composition.
3. Example of composed service
- Customized multimedia content streaming over mobile networks
[Figure: the User on the Mobile NW (domain 1) sends a request to the Portal (domain 2), which consults the User Profile (location, device, credit, preference, age) and invokes the Content Server (domain 3), the QoS Manager and the Content Adaptation Edge Server (domain 4) in numbered steps 1 to 7; each component is guarded by an authorization control function]
4. Issues to be solved
- Various service components are invoked in a session.
  - The protocol between the authorization control server and the service components should be able to carry various kinds of authorization information.
  - Existing protocols are designed only for specific services (e.g., DIAMETER for network access, COPS for QoS control).
  - → A generic authorization control protocol
- The portal needs to invoke service components beyond its local administrative domain.
  - It needs to get many credentials (tickets) from external administrative domains.
  - Or, each service component needs to prepare multiple authorization rules for different credentials from external domains.
  - → An authorization control scheme with credential transformation
5. A generic authorization control protocol
- Designed to build a common authorization control infrastructure
- Based on SOAP/XML
  - SOAP
    - Lightweight protocol for remote service invocation
    - Firewall traversal
    - Independent of the underlying transport protocol and security mechanism
  - XML-based language for authorization information
    - Simple, but powerful enough to express complex data structures
    - By using schema languages, it becomes possible to define common authorization control class methods
    - New applications are supported by defining a new namespace without spoiling interoperability
[Figure: authorization control infrastructure; service requests (1, 3, 5) flow from the User to the Portal and on to Service 1 and Service 2, and each of these sends a decision request (2, 4, 6) over the authorization control protocol to the authorization control function, which evaluates it against Policy]
6. An authorization control function
[Figure: the authorization control function receives an authorization decision request from the service component (HTTP client/server, SOAP client/server), parses it with an XML parser into a DOM, runs a rule tree check against the authorization rule tree (Rules) and a parameter verification of the credentials and conditions for the requested service and action, and returns the result in an authorization decision response; the slide also shows an excerpt of the AuthorizationDecision request SOAP message, which is reproduced in full on slide 7]
7. Example of SOAP message
(a) AuthorizationDecision Request

POST /AuthorizationDecision HTTP/1.1
Host: www.AAAserver.com
Content-Type: text/xml; charset="UTF-8"
Content-Length: nnnn
SOAPAction: "/AuthorizationDecision"

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:AuthorizationDecision xmlns:m="AAAServerInterface">
      <!-- element content not legible on the slide -->
    </m:AuthorizationDecision>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

(b) AuthorizationDecision Response

HTTP/1.1 200 OK
Content-Type: text/xml; charset="UTF-8"
Content-Length: nnnn

<SOAP-ENV:Envelope
  xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"
  SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
  <SOAP-ENV:Body>
    <m:AuthorizationDecisionResponse xmlns:m="TrustManagementInterface">
      <!-- element content not legible on the slide -->
    </m:AuthorizationDecisionResponse>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>
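The following is an added example, not code from the paper or its authors: it builds and parses the request and response messages on this slide with the Python standard library. The envelope, the operation elements and the HTTP headers follow the slide; the child element names (Service, Action, Credential, Condition, Result), the permit/deny result vocabulary and the header check are assumptions, since the slide does not show the element contents.

```python
import xml.etree.ElementTree as ET

# Namespace names from the slide's messages. "AAAServerInterface" and
# "TrustManagementInterface" are not URIs but are reused verbatim, as on the slide.
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"
AAA_NS = "AAAServerInterface"
TM_NS = "TrustManagementInterface"
ET.register_namespace("SOAP-ENV", SOAP_ENV)
ET.register_namespace("m", AAA_NS)
ET.register_namespace("tm", TM_NS)   # prefixes are cosmetic; parsing keys on the URI

# Element names below the operation element are assumptions (not on the slide).
def build_decision_request(service, action, credentials, conditions):
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope",
                     {f"{{{SOAP_ENV}}}encodingStyle": SOAP_ENC})
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    req = ET.SubElement(body, f"{{{AAA_NS}}}AuthorizationDecision")
    ET.SubElement(req, f"{{{AAA_NS}}}Service").text = service
    ET.SubElement(req, f"{{{AAA_NS}}}Action").text = action
    for tag, items in (("Credential", credentials), ("Condition", conditions)):
        for name, value in items.items():
            ET.SubElement(req, f"{{{AAA_NS}}}{tag}", {"name": name}).text = value
    return ET.tostring(env, encoding="unicode")

def parse_decision_request(xml_text):
    """Validate the envelope and extract the decision request as a dict.
    Anything structurally off is rejected rather than guessed at."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SOAP_ENV}}}Envelope":
        raise ValueError("not a SOAP 1.1 envelope")
    body = root.find(f"{{{SOAP_ENV}}}Body")
    if body is None or len(body) != 1:
        raise ValueError("expected exactly one element in the SOAP body")
    req = body[0]
    if req.tag != f"{{{AAA_NS}}}AuthorizationDecision":
        raise ValueError(f"unexpected operation {req.tag}")
    out = {"service": req.findtext(f"{{{AAA_NS}}}Service"),
           "action": req.findtext(f"{{{AAA_NS}}}Action"),
           "credentials": {}, "conditions": {}}
    if not out["service"] or not out["action"]:
        raise ValueError("service and action are required")
    for c in req.findall(f"{{{AAA_NS}}}Credential"):
        out["credentials"][c.get("name")] = c.text
    for c in req.findall(f"{{{AAA_NS}}}Condition"):
        out["conditions"][c.get("name")] = c.text
    return out

def build_decision_response(permit):
    env = ET.Element(f"{{{SOAP_ENV}}}Envelope",
                     {f"{{{SOAP_ENV}}}encodingStyle": SOAP_ENC})
    body = ET.SubElement(env, f"{{{SOAP_ENV}}}Body")
    resp = ET.SubElement(body, f"{{{TM_NS}}}AuthorizationDecisionResponse")
    ET.SubElement(resp, f"{{{TM_NS}}}Result").text = "permit" if permit else "deny"
    return ET.tostring(env, encoding="unicode")

def parse_decision_response(xml_text):
    """Return True only for an explicit permit; anything else fails closed."""
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_ENV}}}Body/{{{TM_NS}}}AuthorizationDecisionResponse")
    if resp is None:
        raise ValueError("no AuthorizationDecisionResponse in body")
    text = resp.findtext(f"{{{TM_NS}}}Result")
    if text not in ("permit", "deny"):
        raise ValueError(f"unexpected result {text!r}")
    return text == "permit"

def check_request_headers(headers):
    """HTTP-level checks matching the request headers on the slide
    (header names assumed to be normalized to this spelling by the server)."""
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    action = headers.get("SOAPAction", "").strip().strip('"')
    return ctype == "text/xml" and action == "/AuthorizationDecision"
```

The parser rejects envelopes that carry more than one body element or a different operation, and the response parser treats anything other than an explicit permit as deny, which is the safe default for an authorization decision point.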
8. An authorization control scheme with credential transformation
- Service invocation across domains
[Figure: the User in domain 1 sends a request with local (domain 1) credentials to a Service in domain 2; the service sends a decision request carrying the domain 1 credentials to domain 2's authorization control function, which consults its rule repository together with a credential transformation rule for domain 1]
- The authorization control function dynamically converts the authorization rule hierarchy according to the credential transformation rules.
- Then it makes an authorization decision based on the generated rule.
[Figure: a transformation rule maps credential c1 to credential c'1 with condition e'1; the authorization rule hierarchy (Service → Action → Credential/Condition) with leaves c1, c2, e2 becomes a dynamically generated rule hierarchy with leaves c'1, c2, e2, e'1]
9. An authorization control function with credential transformation
Transform the XML document (authorization rule) based on the XSLT document (transformation rule).
[Figure: an authorization decision request with external credentials arrives through the HTTP server and SOAP server; the XML parser builds a DOM from the authorization rule, the Transform step applies the credential transformation rule (described using XSLT) to it, and the rule tree check and parameter verification then run over the base part of the request (service, action, credentials, conditions), with application-specific parts left to the service component; the result is returned to the SOAP client]
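The following is an added example covering the scheme on slides 8 and 9; it is not the authors' implementation. The rule hierarchy (Service → Action → Credential/Condition) and the credential transformation rule are constructed XML documents whose element and attribute names are assumptions, the transformation is applied programmatically on the DOM instead of through an XSLT stylesheet as in the slide's design (XSLT is not in the Python standard library), and the rule tree check and parameter verification are then run on the generated hierarchy.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed rule hierarchy held by domain 2 (names are assumptions).
# The c1 / c2 / e2 leaves of the slide's figure correspond to the two
# Credential elements and the Condition element below.
LOCAL_RULES = """
<Rules domain="domain2">
  <Service name="ContentServer">
    <Action name="stream">
      <Credential name="premium-subscriber"/>
      <Credential name="age-verified"/>
      <Condition name="device" value="handset"/>
    </Action>
  </Service>
</Rules>"""

# Constructed credential transformation rule held by domain 2 about domain 1:
# a domain-1 "mobile-gold-plan" credential (c'1) may stand in for the local
# "premium-subscriber" credential (c1), with an extra condition (e'1) attached.
TRANSFORM_RULES = """
<Transformations from="domain1">
  <Map local="premium-subscriber" external="mobile-gold-plan">
    <Condition name="location" value="home-network"/>
  </Map>
</Transformations>"""

def parse_xml(text):
    return ET.fromstring(text.strip())

def transform_rules(rules, transforms):
    """Generate the rule hierarchy expressed in the external domain's credentials.
    Credentials with no mapping are left unchanged; the extra conditions of a
    mapping are appended to the Action node. The original tree is not modified."""
    ext_domain = transforms.get("from")
    maps = {m.get("local"): m for m in transforms.findall("Map")}
    out = copy.deepcopy(rules)
    for action in out.iter("Action"):
        for cred in action.findall("Credential"):
            m = maps.get(cred.get("name"))
            if m is None:
                continue
            cred.set("name", m.get("external"))
            cred.set("issuer", ext_domain)
            for cond in m.findall("Condition"):
                action.append(copy.deepcopy(cond))
    return out

def decide(rules, service, action, credentials, conditions):
    """Rule tree check followed by parameter verification.
    `credentials` maps credential name -> issuing domain (assumed to have been
    authenticated before this point); `conditions` maps condition name -> value
    from the request. No matching rule, a missing credential, a credential from
    the wrong issuer or a failed condition all mean deny."""
    home = rules.get("domain")
    for svc in rules.findall("Service"):
        if svc.get("name") != service:
            continue
        for act in svc.findall("Action"):
            if act.get("name") != action:
                continue
            for cred in act.findall("Credential"):
                # a Credential without an issuer attribute is a local (home-domain) one
                if credentials.get(cred.get("name")) != cred.get("issuer", home):
                    return False
            for cond in act.findall("Condition"):
                if conditions.get(cond.get("name")) != cond.get("value"):
                    return False
            return True
    return False
```

Evaluating a domain-1 request against the untransformed rules denies it (the rule asks for a domain-2 credential the requester cannot hold), while the same request against the generated hierarchy is permitted only when the mapped credential comes from domain 1 and the added condition e'1 holds; the local rule repository itself is left untouched.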
10. Conclusion
- Studied an authorization control framework to enable service composition across administrative domains
  - A generic authorization control protocol is needed to support various service components
    - Designed a SOAP/XML-based protocol that meets the requirements
  - Proposed an authorization control scheme with credential transformation
    - To reduce the overhead for a portal of obtaining multiple credentials (tickets) from external administrative domains
    - To liberate service providers from preparing multiple authorization rules for different administrative domains
- Future work
  - Implement the generic authorization control protocol and the authorization control function
  - Investigate a scalable authorization scheme to support composed services containing many service components