| Multi-tenancy is one of the key features of cloud computing. In order to protect data security and privacy for each customer (tenant), cloud service providers (CSPs) apply multi-tenant schemes to their shared services. Basically, a tenant, in its lifespan, owns a share of on-demand cloud resources such as users, virtual machine (VM) instances and storage containers. With the service-oriented architecture (SOA), all the services in a cloud need to support multi-tenancy and conform with a consolidated authorization model. We call such models as multi-tenant access control (MTAC) models which are compatible with the features of the cloud, namely, centralized facility, agility, homogeneity and out-sourcing trust. MTAC models should be able to address both intra-tenant and cross-tenant accesses. The former provides authorization schemes for single-tenant scenarios. The latter enables collaboration among tenants, which is an emerging trend of cloud evolution.;Multi-domain access control in traditional environments has been researched in various aspects such as role-based models, policy composition and decomposition, enforcement models and so on. However, the prior work is not directly applicable in the cloud environment or requires extra infrastructure for operation and administration. Furthermore, it is challenging for existing multi-domain models to encompass attribute-based access control (ABAC) which provides more expressiveness and flexibility especially meaningful in the cloud.;In this dissertation, we present a systematic research of MTAC models with a top-down approach. Our contributions are categorized into three layers: policy, enforcement and implementation (PEI). Starting from the policy (P) layer at the top, we propose a suite of MTAC models including role-based models, attribute-based models and cross-tenant trust models. The role-based models, MT-RBAC and MTAS, extend the traditional RBAC model to function in multi-tenant cloud environment and integrate two kinds of trust relations between tenants. Cross-tenant trust models provide a taxonomy of trust relations in terms of authorization for cross-tenant accesses. The trust models are also applicable to the attribute-based model, MT-ABAC, which similarly extends the ABAC alpha model by means of cross-tenant trust. The P layer work builds a theoretical foundation and a framework of trust relations in cloud-based collaborative access control.;The enforcement (E) layer in the middle addresses the architecture of how the policies in the upper layer can be enforced to the implementations in the lower layer. Since the cloud has logically centralized infrastructure, we propose a novel Multi-Tenant Authorization as a Service (MTAaaS) to accommodate all the multi-tenant access control needs in a centralized service. The performance and scalability of this service is assured by the cloud. In this setting, the policies are stored in the central service along with the policy decision point (PDP). Each cloud service has a policy enforcement point (PEP) sending access requests to the PDP and enforcing responses from the PDP in a multi-tenant fashion. This architecture is prototyped using XACML implementation in cloud environment.;The implementation (I) layer at the bottom integrates the MTAC models into the real-world cloud system. We investigate OpenStack, one of the most popular open-source cloud systems and extend its identity service, Keystone, with a domain-trust module which enables multi-domain access control for OpenStack services. The domains in OpenStack are identical with tenants from our point of view. The results of experiments show minimum performance overhead with this newly introduced functionality. |
