ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications

Sauwens, Martijn; Beni, Emad Heydari; Jannes, Kristof; Lagaisse, Bert; Joosen, Wouter

doi:10.1007/978-3-030-91431-8_13

Cited by 2 publications

(5 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Compared to the previous work on authorization in microservice-based applications, which maintain a primarily technical focus on performing authorization, we provide a systematic approach to create authorization artifacts [14,15]. This approach can support developers in reducing the reported complexity of ABAC [28] while gaining a uniform understanding of what to authorize.…”

Section: Discussionmentioning

confidence: 99%

“…In the case of the policy presented in lines 7 through 12, an HTTP header containing the subject's identifier is returned. This is called partial evaluation and allows the actual microservice to perform the filtering and return the correct fleet objects (see [15]). Another option is to tell the microservice which objects to return by filtering with Rego within the OPA.…”

Section: Methodsmentioning

confidence: 99%

“…Each microservice has an IAM module that communicates with the authorization orchestrator and enforces decisions. Sauwens et al [15] describe a distributed authorization middleware called ThunQ that can perform authorization decisions early (i.e., when the first service is reached) and lazily (i.e., evaluating decisions only when possible). ThunQ allows authorization decisions to be made at the microservice level by including a query modifier.…”

Section: State Of the Artmentioning

confidence: 99%

“…Authorization for microservice-based applications has been primarily researched as a technical aspect of evaluating and enforcing authorization decisions in the microservice architecture [14,15]. The loose coupling of microservices offers a separation of concerns between business logic and authorization logic.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

User Authorization in Microservice-Based Applications

Sänger,

Abeck

2023

Software

View full text Add to dashboard Cite

Microservices have emerged as a prevalent architectural style in modern software development, replacing traditional monolithic architectures. The decomposition of business functionality into distributed microservices offers numerous benefits, but introduces increased complexity to the overall application. Consequently, the complexity of authorization in microservice-based applications necessitates a comprehensive approach that integrates authorization as an inherent component from the beginning. This paper presents a systematic approach for achieving fine-grained user authorization using Attribute-Based Access Control (ABAC). The proposed approach emphasizes structure preservation, facilitating traceability throughout the various phases of application development. As a result, authorization artifacts can be traced seamlessly from the initial analysis phase to the subsequent implementation phase. One significant contribution is the development of a language to formulate natural language authorization requirements and policies. These natural language authorization policies can subsequently be implemented using the policy language Rego. By leveraging the analysis of software artifacts, the proposed approach enables the creation of comprehensive and tailored authorization policies.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Methodsmentioning

confidence: 99%

Section: State Of the Artmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

User Authorization in Microservice-Based Applications

Sänger,

Abeck

2023

Software

View full text Add to dashboard Cite

show abstract

“…BC technology is used to support auditing the distributed training procedures in federated learning to improve the reliability of the entire training process, together with Exchange-FedAvg proposed to improve the training efficiency. ABAC and PBAC to authorize access from subjects to objects in micro-service system, and their design supports policies selectivity according to attribute counts and thus ensures dynamic controls [99]. Generally, access control designs based on the prevalent models gain much attention in applying ZTA, and mostly focuses on reliability and the extension of features in making control decision.…”

Section: Bc-enabled Ddlmentioning

confidence: 99%

Secured Scalable Blockchain Networks for Trustworthy Distributed Deep Learning in VANETs

View full text Add to dashboard Cite

Distributed deep learning (DDL) within vehicular ad hoc networks (VANETs) holds profound significance in developing smart applications, such as intelligent transport systems and autonomous driving, where multiple parties are coordinated to leverage the training capability and acquisitive intelligence. Blockchain (BC) is a distribution technology promising for trustworthy DDL, holding the divide-and-conquer concept with decentralized management and consensus algorithms to reduce the exposure of sensitive controllers and thus the risks of malicious system-wide attacks. Moreover, zero trust architecture (ZTA) concepts are promoted as innovative cybersecurity solution which can be integrated with BC to address the resource-limited and infrastructure-less issues to augment the strength of DDL in VANETs. In this dissertation, the BC and ZTA potential is explored to construct reliable VANETs for trustworthy data sharing and thus to support significant within-VANET DDL and relevant applications. Firstly, virtualized distributed ledger technology (vDLT) is developed as the multimedia BC platform, followed by vDLT-based VANETs built to solve the unsteady communication; secondly, vDLT is improved to transmit and secure traffic events in VANETs; subsequently, a vDLT-based DDL system is proposed to enhance object detection (OD) inside VANETs; finally, ZTA and sharding scheme are enabled in vDLT-based VANETs for improved protection. Generally, vDLT runs with virtualized resource and sharding supports for scalability improvement, along with multi-layered consensus algorithm and an adaptable hierarchical and decentralized PBAC (hdPBAC) access control i model to agilely protect the DDL procedures and relevant DDL-related applications.The proposed system has been developed, including the vDLT system, the multimedia streaming over vDLT in fixed networks and VANETs, a precursory vDLT-based DDL system for OD purpose, and the integration of ZTA into scalable-BC-based VANETs.The evaluation results show the feasibility of proposed design and demonstrate the significance of performance improvements. First and foremost, I would like to express my deepest appreaciation to my supervisor, Prof. Richard Yu, who have been working with his wholehearted dedication to supervise my PhD study. His immense knowledge and cutting-edge insights have been encouraging me of elevating my academic research quality. He have also endearvored to find fundings to support my study and daily life to keep my work proceeding smoothly. Without his invaluable advice and continous supports, the achievements during my study would have been impossible. Words are powerless to express my gratitude to him, and I will maintain my grateful heart constantly and sincerely. I am also grateful to Prof. Omair Shafiq for his valuable comments and suggestions on my research and his knowledge and experience in engineering shared for my improvements. Additionally, I would like to thank Prof. Ashraf Matrawy, Prof. Rong Liu, and Prof. Azzedine Boukerche for serving in my dissertation ...

show abstract

ThunQ: A Distributed and Deep Authorization Middleware for Early and Lazy Policy Enforcement in Microservice Applications

Cited by 2 publications

References 30 publications

User Authorization in Microservice-Based Applications

User Authorization in Microservice-Based Applications

Secured Scalable Blockchain Networks for Trustworthy Distributed Deep Learning in VANETs

Contact Info

Product

Resources

About