How PML Unifies Multi‑Cloud Access Control with Minimal Overhead

This article introduces PML, a meta‑model based access control policy language, and its enforcement mechanism PML‑EM. Together they abstract away cloud‑specific policy syntaxes, support BLP, RBAC, and ABAC, and show low performance overhead and low code intrusion when implemented on OpenStack.

Open Source Tech Hub

To protect cloud resources and prevent data leaks, each cloud provider has traditionally designed its own security policy language and access control mechanism. This forces users to learn multiple syntaxes and increases development costs for providers.

The paper proposes a meta‑model based policy language called PML and an enforcement module PML‑EM. PML can express major models such as BLP, RBAC, and ABAC, while PML‑EM is independent of specific policy languages, access‑control models, and programming languages, thereby reducing both user and provider effort.

PML‑EM was implemented on the OpenStack cloud platform. Experiments show that evaluating a PML policy adds only 4.8% overhead compared to native OpenStack policies, and the code intrusion is about 0.42% of the existing codebase.

Model

[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)

Policy

p, role:user, user, add
p, role:user, user, update
p, role:user, user, delete
p, role:admin, user, add
p, role:admin, user, update
p, role:admin, user, delete
p, role:admin, book, add
p, role:admin, book, update
p, role:admin, book, delete
g, user001, role:admin
g, user002, role:user

Request

user001, user, add
user001, user, update
user001, user, delete
user001, book, add
user001, book, update
user001, book, delete
user002, user, add
user002, user, update
user002, user, delete
user002, book, add
user002, book, update
user002, book, delete

Enforcement Result

true
true
true
true
true
true
true
true
true
false
false
false
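
The decisions listed above can be reproduced by evaluating the matcher and effect lines of the model against the policy. The following Python is an added example, not code from the paper, PML‑EM or Casbin; the function names (`load`, `has_role`, `key_match2`, `enforce`, `run_requests`) are hypothetical, and `key_match2` is a simplified reimplementation of the matcher function named in the model.

```python
import re

# Added example; function names are hypothetical, not the Casbin or PML-EM API.
# Rules and role links copied from the Policy section of the article.
POLICY_CSV = """\
p, role:user, user, add
p, role:user, user, update
p, role:user, user, delete
p, role:admin, user, add
p, role:admin, user, update
p, role:admin, user, delete
p, role:admin, book, add
p, role:admin, book, update
p, role:admin, book, delete
g, user001, role:admin
g, user002, role:user
"""

def load(csv_text):
    rules, links = [], {}
    for line in csv_text.splitlines():
        kind, *fields = [f.strip() for f in line.split(",")]
        if kind == "p":
            rules.append(tuple(fields))
        elif kind == "g":
            links.setdefault(fields[0], set()).add(fields[1])
    return rules, links

def has_role(links, sub, role, seen=()):
    # g(r.sub, p.sub): sub is the role itself or reaches it through g links.
    return sub == role or any(has_role(links, nxt, role, seen + (sub,))
                              for nxt in links.get(sub, ()) if nxt not in seen)

def key_match2(key, pattern):
    # Simplified keyMatch2: "/*" is a wildcard, ":name" matches one path segment.
    pattern = re.sub(r":[^/]+", "[^/]+", pattern.replace("/*", "/.*"))
    return re.fullmatch(pattern, key) is not None

def enforce(rules, links, sub, obj, act):
    # m: all three matcher terms must hold for a rule. regexMatch is modelled as
    # an unanchored search. e: every p rule is an allow rule, so one match grants.
    return any(has_role(links, sub, ps) and key_match2(obj, po)
               and re.search(pa, act) is not None for ps, po, pa in rules)

def run_requests():
    rules, links = load(POLICY_CSV)
    return [enforce(rules, links, s, o, a) for s in ("user001", "user002")
            for o in ("user", "book") for a in ("add", "update", "delete")]
```

`run_requests()` returns the twelve decisions in the order of the Request section; a request that matches no rule, such as `user002` on `book`, is denied by default.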

The accompanying screenshot illustrates the policy enforcement interface, and references include the Casbin policy editor and a related journal article.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
