Applications
Principals and privileges
Download 0.74 Mb.
|
krip 3
Principals and privilegesHails specifies policy in terms of principals who are al- lowed to read or write data. There are four types of prin- cipal. Users are principals, identified by user-names (e.g., alice). Remote web sites that an app may communi- cate with are principals, identified by URL (e.g., http:/ /maps.google.com:80/). Each VC has a unique princi- pal, by convention starting with prefix “@”, and each MP has a unique principal starting “ ” (e.g., @Bookmark and GitStar for the components in Figure 1). An example policy an MP may want to enforce is “user alice’s mailing address can be read only by alice or by http://maps.google.com:80/.” Such a policy would allow a VC to present alice her own address (when she views her profile) or to fetch a google map of her address and present it to her, but not to disclose the address or map to anyone else. For maximum flexibility, read and write permissions can each be expressed using arbitrary con- junctions and disjunctions of principals. Enforcing such policies requires knowing what principals an app repre- sents locally and what principals it is communicating with remotely. Remote principals are ascertained as one would expect. Hails uses a standard cookie-based authentication facility; a browser presenting a valid session cookie represents the logged-in user’s principal. When VCs or MPs initiate out- going requests to URLs, Hails considers the remote server to act on behalf of the URL principal of the web site. Within the confines of Hails, code itself can act on be- half of principals. The trusted Hails runtime supports un- forgeable objects called privileges with which code can assert the authority of principals. Hails passes appropriate privilege objects to MPs and VCs upon dynamically load- ing their code. For example, the GitStar MP is granted the GitStar privilege. When a user wishes to use GitStar to manager her data, the policy on the data in question must specify GitStar as a reader and writer so as to give Git- Star permission to read the data and write it to its database should it chose to exercise its GitStar privileges. Download 0.74 Mb. Do'stlaringiz bilan baham: 
|