Designing Fast and Scalable XACML Policy Evaluation Engines
IEEE TRANSACTIONS ON COMPUTERS, MANUSCRIPT ID XXXX

Note that in processing a policy whose rule combining algorithm is First-Applicable, for a single-valued request decomposed from a multi-valued request, we do not need to compute all the original XACML rules that the single-valued request matches; instead, we only need to compute the first original XACML rule that the single-valued request matches. The reason is as follows. Let $X = \langle X_1, \cdots, X_n \rangle$ be a policy whose combining algorithm is First-Applicable. Let $O(Q_i)$ be the set of all the original XACML rules that $Q_i$ matches, and $F(Q_i)$ be the first original XACML rule that $Q_i$ matches. Because the XACML rule with the smallest sequence number in $\bigcup_{i=1}^{k} O(Q_i)$ is the same as the XACML rule with the smallest sequence number in $\{F(Q_1), \cdots, F(Q_k)\}$, this rule is essentially the XACML rule that determines the decision for $Q$. Therefore, for each $Q_i$, we only need to compute the first original XACML rule that $Q_i$ matches.

Fig. 5: An example structure tree. The root $V_1$ (labelled [1,4]) uses Permit-Overrides and has the children $V_2$ (labelled [1,2]) and $V_3$ (labelled [3,4]), both First-Applicable. $V_2$ contains $R_1$: Professor, deny and $R_2$: Student, permit; $V_3$ contains $R_3$: Student, deny and $R_4$: Professor, permit.

Example: Suppose a multi-valued request $Q$ is "a person, who is both a professor and a student, wants to access a system", and the structure tree of the given XACML policy is in Fig. 5. We first decompose this multi-valued request into two single-valued requests, $Q_1$: "a professor wants to access the system", and $Q_2$: "a student wants to access the system". Second, we compute the set of all the original rules that $Q_1$ or $Q_2$ matches, which is $O = \{R_1, R_2, R_3, R_4\}$. Next, we use this set and the structure tree in Fig. 5 to find the final decision for request $Q$. Because the rule combining algorithm at node $V_2$ is First-Applicable, and the decision of $R_1$ is deny and the decision of $R_2$ is permit, the decision resolved at node $V_2$ is deny. Similarly, the decision resolved at $V_3$ is deny. Because the policy combining algorithm at node $V_1$ is Permit-Overrides and the decisions resolved at nodes $V_2$ and $V_3$ are both deny, the decision resolved at node $V_1$ is deny. Thus, $Q$'s decision is deny.

F. All-match to First-match Conversion

Problem: For each single-valued request decomposed from a multi-valued request, we may need to compute all the original XACML rules that the single-valued request matches. To avoid scanning the entire rule list, our idea is to convert a rule sequence following the all-match semantics to an equivalent sequence of rules following the first-match semantics. More formally, given a policy (or policy set) $X = \langle X_1, \cdots, X_n \rangle$ where each $X_i$ has been normalized to $X_i'$, and $X$'s combining algorithm $A$ is either Permit-Overrides or Deny-Overrides, we want to convert $\langle X_1' | \cdots | X_n' \rangle$, which is denoted as $\langle R_1, \cdots, R_g \rangle$ following the all-match semantics, to a sequence of range rules $Y = \langle Y_1, \cdots, Y_m \rangle$ following the first-match semantics such that for each single-valued request $Q$, the decision of the first matching rule in $Y$ should contain two components. First, it should contain the indexes of all the rules that $Q$ matches in $\langle R_1, \cdots, R_g \rangle$; this information is needed when we process multi-valued requests. Second, it should contain the decision that $X$ makes for $Q$; this information is needed when we process single-valued requests. This problem is particularly challenging because of the multi-dimensionality of XACML rules, that is, each rule has multiple attributes.

Solution: We design the effect of each first-match rule using a new data structure called an origin block (OB). The origin block $\phi_{dec}$ of a rule consists of two components $\phi$ and $dec$, where $\phi$ is either one original XACML rule or a set of origin blocks, and $dec$ is the winning decision of $\phi$. The winning decision of a rule's origin block is the decision that the rule makes for any single-valued request that matches the rule. Thus, for a single-valued request not decomposed from a multi-valued request, the winning decision is used to compute the final decision for the request; for a single-valued request decomposed from a multi-valued request, the original XACML rules are used to compute the final decision for the multi-valued request. An example OB is $[[R_5]_p, [R_8]_d]_p$, where $d$ denotes deny and $p$ denotes permit.

To convert all-match rules to first-match rules, we use policy decision diagrams as the core data structure. Let $\langle X_1, \cdots, X_n \rangle$ be a policy (or policy set). For each $i$, let $X_i'$ be the normalization result of $X_i$. Let $\langle R_1, \cdots, R_g \rangle$ denote $\langle X_1' | \cdots | X_n' \rangle$. We first convert the all-match rule set $\langle R_1, \cdots, R_g \rangle$ to an equivalent partial PDD. A partial PDD has all the properties of a PDD except the completeness property. An all-match rule set $\langle R_1, \cdots, R_g \rangle$ and a partial PDD are equivalent if and only if the following two conditions hold. First, for each $R_i$ denoted as $(F_1 \in S_1) \wedge \cdots \wedge (F_z \in S_z) \rightarrow OB$ and each decision path $P$ denoted as $(F_1 \in S_1') \wedge \cdots \wedge (F_z \in S_z') \rightarrow OB'$, either $R_i$ and $P$ are non-overlapping (i.e., $\exists (1 \le j \le z),\ S_j \cap S_j' = \emptyset$) or $P$ is a subset of $R_i$ (i.e., $\forall (1 \le j \le z),\ S_j' \subseteq S_j$); in the second case, $R_i$'s origin block is included in $P$'s terminal node. In $P$'s terminal node, we define the source of $R_i$'s origin block to be $h_i$ if $R_i \in X_{h_i}$. Second, using $P$ (or $R_i$) to denote the set of requests that match $P$ (or $R_i$), the union of all the rules in $\langle R_1, \cdots, R_g \rangle$ is equal to the union of all the paths in the partial PDD.

After a partial PDD is constructed, we generate a rule from each decision path. As the generated rules are non-overlapping, the order of the generated rules is immaterial. For each generated rule, let $OB$ denote its origin block; we first classify the origin blocks in $OB$ based on their sources; second, we combine all the origin blocks in the same group into one origin block whose winning decision is the decision of the block with the smallest source, because the rules in each $X_i'$ follow the first-match semantics; third, we compute the winning decision for $OB$ based on the combining algorithm of $\langle X_1, \cdots, X_n \rangle$. Finally, the resulting sequence of generated rules is the sequence of first-match rules. The pseudocode of the all-match to first-match conversion algorithm is in Algorithm 2. Note that in this paper we use $e.t$ to denote the node that $e$ points to.

Example: Fig. 6 shows the partial PDD converted from the all-match rule sequence $\langle R_1, R_2 \rangle$ in Fig. 3(b), and Fig. 7 shows the first-match rules generated from Fig. 6.

G. Unifying Rule/Policy Combining Algorithms

Problem: In sequential range rule representation, there is only one rule combining algorithm, which is First-Applicable. However, XACML supports four rule (or policy) combining algorithms: First-Applicable, Only-One-Applicable, Deny-Overrides, and Permit-Overrides. The key challenge in
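The following Python is an added example, not code from the paper: it evaluates the multi-valued request of the Fig. 5 example over its structure tree, using the observation that a First-Applicable policy only needs the first rule each decomposed single-valued request matches, and then applies the parent's Permit-Overrides (the same per-source first-match followed by the combining algorithm that the winning decision of an origin block in Section F encodes). The names Rule, Node, first_applicable and evaluate, and the string encoding of decisions, are assumptions of this example.

```python
"""Multi-valued request evaluation over an XACML structure tree (Fig. 5 shape)."""
from dataclasses import dataclass

PERMIT, DENY, NA = "permit", "deny", "not-applicable"


@dataclass
class Rule:
    seq: int        # sequence number of the rule in the original XACML rule list
    subject: str    # the single subject value this rule's target matches
    effect: str     # PERMIT or DENY


@dataclass
class Node:
    algorithm: str  # "First-Applicable", "Permit-Overrides" or "Deny-Overrides"
    children: list  # Rules (a policy) or Nodes (a policy set)


def first_applicable(rules, requests):
    """For each single-valued request Q_i compute only F(Q_i), the first rule in this
    policy that Q_i matches; the rule with the smallest sequence number among the
    F(Q_i) is the one that decides the multi-valued request."""
    firsts = [next((r for r in rules if r.subject == q), None) for q in requests]
    firsts = [r for r in firsts if r is not None]
    return min(firsts, key=lambda r: r.seq).effect if firsts else NA


def evaluate(node, requests):
    """requests: the single-valued requests decomposed from one multi-valued request."""
    if node.algorithm == "First-Applicable":
        return first_applicable(node.children, requests)  # rule children, as in Fig. 5
    decisions = {evaluate(child, requests) for child in node.children} - {NA}
    if not decisions:
        return NA
    if node.algorithm == "Permit-Overrides":
        return PERMIT if PERMIT in decisions else DENY
    if node.algorithm == "Deny-Overrides":
        return DENY if DENY in decisions else PERMIT
    raise ValueError(f"unsupported combining algorithm: {node.algorithm}")


# Constructed from Fig. 5: V1 = Permit-Overrides over V2 = FA(R1, R2) and V3 = FA(R3, R4)
FIG5 = Node("Permit-Overrides", [
    Node("First-Applicable", [Rule(1, "professor", DENY), Rule(2, "student", PERMIT)]),
    Node("First-Applicable", [Rule(3, "student", DENY), Rule(4, "professor", PERMIT)]),
])

if __name__ == "__main__":
    # Q = "a person who is both a professor and a student" decomposed into Q1, Q2
    print(evaluate(FIG5, ["professor", "student"]))  # deny
    print(evaluate(FIG5, ["professor"]), evaluate(FIG5, ["student"]))  # permit permit
```

Note that each single-valued request on its own is permitted, while the multi-valued request combining them is denied, which is why the decomposed requests must be resolved jointly per policy rather than one at a time.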