Background

From spring quarter '09 discussions:

Goals

RAMCloud is designed as a cluster service. As such multi-tenancy is an important consideration. Multi-tenancy implies:

We'll need some sort of secure authentication, as well as access control to constrain users of RAMCloud. We will also need to consider threats from other hosts.

Internal RC Security

Assumptions

If we don't trust the network, we'll likely need heavy crypto, which is contrary to our performance goals.

Authentication Proposal

Performance is paramount, so we must ensure that authentication and access control mechanisms are efficient (in time and space).

Two isomorphic proposals work as follows:

  1. Clients authenticate with an authorization service and are returned a >= 64-bit secret.
    1. The secret is passed with each RPC. Masters verify the secrets with the authentication services and cache results in a hash table for speed.
  2. Clients authenticate with an authorization service, but are returned an encrypted or signed token that identifies their principal. The master can verify the self-certifying token and need not contact the authorization service itself.

Trade-offs between the two are size of the secret or tokens and the cost of crypto vs. a hash table lookup (the former may be very fast due to data being in cache and new SSE AES instructions, the latter will likely not miss the cpu cache due to a high level of temporal locality in accesses and a relatively small number of principals accessing each machine).

Protection Granularity

Two obvious choices:

Per-object seems like overkill and would potentially incur a great deal of space overhead. Per-table, however, is efficient and easily implemented.

Access Control

Types of Actions:

If we choose a more complex access control structure, a question arises as to how users are organized. For example:

Conclusions

Interesting bits

Questions