Title :
Access control for a modular, extensible storage service
Author :
Bacon, Jean ; Hayton, Richard ; Lo, Sai Lai ; Moody, Ken
Author_Institution :
Comput. Lab., Cambridge Univ., UK
Abstract :
We have designed and built a modular and extensible multi-service storage architecture (MSSA) which allows evolution from, and compatibility with, traditional applications. The MSSA comprises a two-level hierarchy of storage servers with value-adding service layers above them. We present the access control mechanism of the MSSA. Access control lists (ACLs) are used to allow fine-grained expression of policy, together with capabilities for efficient runtime access after a once-off ACL check. Our capabilities are principal-specific and transient, and their design ensures that access to objects is via the correct service hierarchy; for example, a directory object may only be manipulated via a directory service. The implementation of this protection is stateless at the servers above the storage service. The scheme also provides a convenient means to delegate rights for an object, temporarily, to an unprivileged server, for example a print-server. The fact that our capabilities are short-lived alleviates the requirement for selective revocation and crash recovery. We report on experiences with a prototype implementation of the scheme and suggest some optimisations.
Keywords :
access control; file servers; memory architecture; multimedia systems; storage management; MSSA; access control lists; access control mechanism; crash recovery; extensible multi service storage architecture; fine grained expression; modular extensible storage service; once-off ACL check; principal-specific; print-server; prototype implementation; runtime access; selective revocation; service hierarchy; storage servers; two-level hierarchy; unprivileged server; value-adding service layers; Access control; Application software; Auditory displays; Authentication; Authorization; Computer architecture; File servers; Laboratories; Protection; Prototypes;
Conference_Title :
Services in Distributed and Networked Environments, 1994. Proceedings, First International Workshop on
Conference_Location :
Prague
Print_ISBN :
0-8186-5835-5
DOI :
10.1109/SDNE.1994.337771