Extended Access Control Lists (EACLs)

The policy language that we implemented is called Extended Access Control List (EACL). The EACL is a simple policy language designed to describe user-level authorization policy. An EACL is associated with an object (or a group of objects) to be protected and specifies positive and negative access rights with optional set of associated conditions.

A condition block defines a conjunction of a totally ordered set of conditions. Conditions are evaluated in the order they appear within a condition block. The total order property is important to deal with possible side effects caused by the condition evaluation.

An EACL entry (EACE) consists of:

Note that a condition block can be empty. If all condition blocks in an EACL entry are empty, the right is granted unconditionally. An example of a practical policy with empty condition blocks is: "anyone can read file index.html".

An EACL consists of an ordered set of disjunctive EACL entries. An EACL representation supports disjunction and conjunction of conditions to activate different control modes.

To simplify the implementation of a condition block, we allow only a conjunction of conditions in a condition block. Therefore, an EACL is equivalent to a disjunctive normal form consisting of a disjunction of conjunctions where no conjunction contains a disjunction.

Evaluation of an EACL starts from the first to the last in the list of EACL entries. The resolution of inconsistent authorization is based on ordering. The authorizations which already have been examined take precedence over new authorizations.

EACL Syntax

We use the Backus-Naur Form to denote the elements of our EACL language. Items inside round brackets, () are optional. Curly brackets, {}, surround items that can repeat zero or more times. A vertical line, |, separates alternatives. Items inside double quotes are the terminal symbols.

An EACL is specified according to the following format:

eacl ::= eacl_mode {eacl_entry} 
eacl_entry ::= (entry_mode) (priority) positive_access_right conditions | 
(entry_mode) (priority) negative_access_right conditions
positive_access_right ::= "pos_access_right" def_auth value
negative_access_right ::= "neg_access_right" def_auth value
conditions ::= pre_conds mid_conds rr_conds post_conds
pre_conds  ::= condition
mid_conds  ::= condition
rr_conds   ::= condition
post_conds ::= condition
eacl_mode  ::= "0"|"1"|"2"
entry_mode ::= "0"|"1"|"2"
priority   ::= "order" numeric_string  numeric_string
condition  ::= cond_type  def_auth  value 
cond_type  ::= alphanumeric_string
def_auth   ::= alphanumeric_string
value      ::= alphanumeric_string

Next we present an example of an EACL that governs access to a host.

Entry 1 specifies that Tom can not login to the host.

Entries 2 and 3 mean that logins from the specified IP address range are permitted, using either X509 or Kerberos for authentication if the number of previous login attempts during the day does not exceed 3. If the request fails, the number of the failed logins for the user should be updated. The connection duration time must not exceed 8 hours.

Entry 4 means that anyone, without authentication, can check the status of the host if he connects from the specified IP address range.

Entry 5 specifies that host shut downs are permitted, using Kerberos for authentication. If the request succeeds, the user ID must be logged. If the operation fails, the sysadmin must be notified by e-mail.

# EACL for host malta.isi.edu 
eacl_mode 0 # composition mode is set to expand 

# EACL entry 1 
neg_access_right        test          host_login
pre_cond_access_id_USER KerberosV.5   tom@ORGB.EDU

# EACL entry 2
pos_access_right         test    host_login
pre_cond_location        IPsec
pre_cond_access_id_user  X509    "/C=US/O=Trusted/OU=orgb.edu/CN=partnerB"
pre_cond_threshold       local   <=3failures/day/failed_log
rr_cond_update_log       local   on:failure/failed_log/info:userID
mid_cond_duration        local   <=8hrs

# EACL entry 3 
pos_access_right         test        host_login
pre_cond_location        IPsec
pre_cond_access_id_user  KerberosV.5 partnerb@ORGB.EDU
pre_cond_threshold       local       <=3failures/day/failed_log
rr_cond_update_log       local       on:failure/failed_log/info:userID
mid_cond_duration        local       >=8hrs

# EACL entry 4
pos_access_right         test   host_check_status
pre_cond_location        IPsec

# EACL entry 5 
pos_access_right         test        host_shut_down
pre_cond_access_id_group KerberosV.5 trusted@ORGA.EDU
rr_cond_audit            local       on:success/info:userID 
post_cond_notify         local       email/to:sysadmin/on:failure