Enhance OpenStack Access Control via Policy Enforcement Based on XACML

Hao Wei, Joaquin Salvachua Rodriguez, Antonio Tapiador


Cloud computing is driving the future of internet computation and is evolving its concepts from software to infrastructure. OpenStack is one of the promising open-source cloud computing platforms. Its active developer community and worldwide partners make OpenStack a booming cloud ecosystem. OpenStack supports JSON-file-based access control for user authorization. In this paper, we introduce a more powerful and complex access control method, the XACML access control mechanism, into OpenStack. XACML is an approved OASIS standard access control language, capable of handling all major access control models. It has numerous advantages for today's cloud computing environments, including fine-grained authorization policies and implementation independence. This paper puts forward an XACML access control solution for OpenStack, which has a Policy Enforcement Point (PEP) embedded in the OpenStack cloud service and an XACML engine server with a policy storage database. Our implementation allows OpenStack users to choose XACML as an access control method for OpenStack and facilitates the management of policies.



Paper Citation

in Harvard Style

Wei H., Salvachua Rodriguez J. and Tapiador A. (2014). Enhance OpenStack Access Control via Policy Enforcement Based on XACML. In Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS, ISBN 978-989-758-028-4, pages 283-289. DOI: 10.5220/0004893802830289

in Bibtex Style

author={Hao Wei and Joaquin Salvachua Rodriguez and Antonio Tapiador},
title={Enhance OpenStack Access Control via Policy Enforcement Based on XACML},
booktitle={Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS,},

in EndNote Style

JO - Proceedings of the 16th International Conference on Enterprise Information Systems - Volume 2: ICEIS,
TI - Enhance OpenStack Access Control via Policy Enforcement Based on XACML
SN - 978-989-758-028-4
AU - Wei H.
AU - Salvachua Rodriguez J.
AU - Tapiador A.
PY - 2014
SP - 283
EP - 289
DO - 10.5220/0004893802830289