Configuration-Language Based Access Control

[gabriel-weaver]

Experience with a crudely delegated user interface to our internally developed configuration management system convinced us that delegated access to configuration systems was worth pursuing properly. This paper outlines our approach to authorising access both to individual aspects of configurations and to collections of configurations. We advocate the use of authorisation of some kind on configuration changes and we believe that the system of authorising primitive manipulations of a configuration representation outlined herein could be accommodated by a number of existing configuration systems. The authorisation system described is still experimental and we regret that real world experience of the system in use with end users is not yet available.

http://www.usenix.org/event/lisa08/tech/full_papers/higgs/higgs_html/

Conversation with Colin Higgs at LISA 2011.

[gabriel-weaver]

Vanbrabant, Bart; Peeraer, Joris; Joosen, Wouter. Fine-grained access control for the Puppet configuration language, Large Installations Systems Administration (LISA) conference edition, Boston, MA, US, 4-9 December 2011 (Accepted)

Vanbrabant et al. use an AST-based differencing engine to generate semantic changes for an access control system.

Conversation with Tim Nelson and Bart Vanbrabant at LISA 2011