GAA-API Main Functions

The GAA-API provides a general-purpose execution environment in which EACLs are evaluated. Next we provide a brief description of the main GAA-API functions.

The gaa_get_object_policy_info function is called to obtain the security policy associated with the object. It takes the target object and authorization database as input and returns an ordered list of EACLs.

The gaa_check_authorization function checks whether the requested right is authorized under the specified policy. This function takes the retrieved policy (an ordered list of EACLs), requested access right and contextual information as input. The contextual information is matched to the requirements, specified in the conditions of the relevant EACL entries (only the EACL entries where the the requested right appears are evaluated). For example, this information can be represented by a set of credentials, e.g., an X.509 identity certificate. The output lists all matching policy rights and associated conditions, with flags set to indicate whether each condition was evaluated and/or met. If the access is granted, the output includes the time period for which the result is valid.

gaa_execution_control performs policy enforcement during operation execution. This function checks whether the mid-conditions associated with the granted access right are met.

gaa_post_execution_actions performs policy enforcement after the operation completes. This function enforces the post-conditions associated with the granted access.

The GAA-API supports registering condition evaluation functions for different condition types (e.g., time or location). The configuration file lists concrete functions that implement the conditions. The file is read at the GAA-API initialization time and the functions are registered with the specific conditions. The read vs. write distinction shows up implicitly in the condition type. A condition evaluation function registered with a condition type knows whether the condition is read or write. It then parses the condition value and calls the concrete functions that implement the abstract read and write operations.

The GAA-API is structured to support the addition of modules for evaluation of new conditions. Currently this is done using a configuration file.

The gaa_check_authorization, gaa_execution_control and gaa_post_execution_actions functions return the evaluation status GAA_S_YES/GAA_S_NO/GAA_S_MAYBE).

This status is obtained during the evaluation of conditions in the relevant EACL entries:

Uncertainty GAA_S_MAYBE. is introduced into our framework by lack of adequate information to evaluate the condition, e.g., due to a network failure. Another source of uncertainty is inability to find the corresponding condition evaluation function, is not implemented or not registered with the GAA-API. Sometimes, it is convenient to return some of the conditions unevaluated for further evaluation by the calling application.