Pluggable Authorization and Distributed Enforcement with pam_xacml

Access control is a critical functionality in distributed systems. Services and resources must be protected from unauthorized access. The prevalent practice is that service specific policies reside at the services and govern the access control. It is hard to keep distributed authorization policies consistent with the global security policy of an organization. A recent trend is to unify the different policies in one coherent authorization policy. XACML is a prominent XML standard for formulating authorization rules and for implementing different authorization models. Unifying authorization policies requires an integration of the authorization method with a large application base. The XACML standard does not provide a strategy for the integration of XACML with existing applications. We present pam xacml, an authorization extension for the Pluggable Authentication Modules (PAM). We argue how existing applications can leverage XACML without modification and state the benefits of using our extended version of the authorization API for PAM. Our experimental results quantify the impact of security and connection establishment of using remote Policy Decision Points (PDP). Our approach provides a method for introducing XACML authorization into existing applications and is an important step towards unified authorization policies.