Description:Description of the Related Art
[0002] The data security and access control continue to be major concerns for both consumers and businesses in the rapidly changing world of cloud computing. Scalable and redundant storage infrastructure is offered by OpenStack Swift, a popular object storage system in the OpenStack cloud computing platform. However, the expressiveness and flexibility needed to construct fine-grained, context-aware, and dynamic access control rules are sometimes lacking in its conventional authorization techniques, such as Role-Based Access Control (RBAC) and Access Control Lists (ACLs). Despite being straightforward and effective, RBAC has limitations since it is static; access is usually provided according to predetermined roles rather than the context of the request or the real needs of the users. In a similar vein, ACLs are difficult to scale and manage, particularly in multi-tenant cloud systems with varying and ever-changing access requirements. More flexible and context-sensitive access control paradigms, such attribute-based access control (ABAC) and predicate-based access control (PBAC), have gained popularity as a result of these restrictions.
[0003] Logical predicates, which are propositions that can be assessed as true or untrue, are specified over user traits, resource characteristics, and environmental situations. PBAC is an extension of ABAC. This makes it possible to define policies in more complex ways, supporting clauses such as "permit access if the user is a project owner and the request is made during working hours." Real-time, context-aware access decisions that enhance security and compliance in intricate cloud storage settings are made possible by the dynamic evaluation of these predicate circumstances.
[0004] Secure data sharing and multi-user cooperation have advanced significantly with OpenStack Swift's integration of PBAC. By giving storage managers, the ability to create policies that go beyond basic identity checks, it improves data governance by enabling decisions to be made based on a variety of factors, including user identification, organizational role, data sensitivity, request location, and access time. This guarantees that only when several contextual requirements are met will access to cloud-stored objects be allowed.
[0005] A strong architecture that interfaces with the Keystone identity service, policy assessment engines, and metadata stores containing user and object information is required for the system to carry out this task. Effective predicate evaluation techniques are also necessary to guarantee scalability and reduce latency in large-scale settings. Identity management systems are increasingly being combined with sophisticated policy engines that can evaluate complicated predicates in real-time, according to recent research and industry practices. This is part of a larger trend toward Zero Trust security approaches, in which access is always checked and trust is never presumed. Therefore, a crucial advancement in cloud security is represented by OpenStack Swift's incorporation of a predicate evaluation method. It makes it possible for a storage infrastructure that is more flexible, secure, and policy-driven, which is in line with the dynamic access control requirements of contemporary businesses, especially those that function in collaborative and regulatorily demanding settings.
SUMMARY
[0001] In view of the foregoing, an embodiment herein provides a method for system and method for fine-grained authorization in OpenStack swift using predicate evaluation for identity-based access. In some embodiments, wherein a sophisticated access control system designed for cloud storage environments is shown in the System and Method for Fine-Grained Authorization in OpenStack Swift Using Predicate Evaluation for Identity-Based Access. By incorporating predicate-based access control (PBAC), this solution is specifically made to improve OpenStack Swift's default authorization architecture and allow for attribute-driven and context-aware decision-making. The flexibility and granularity of OpenStack's traditional role-based access control (RBAC) models are constrained, frequently leading to coarse authorization policies that are unable to adjust to changing environmental conditions or identity traits. By adding predicates—logical criteria based on user qualities, resource characteristics, and contextual data like time, location, device, or access purpose—this suggested approach overcomes these drawbacks. In Swift, these predicates are assessed at runtime to decide if a user should be allowed access to a certain object. To guarantee safe and wise access choices, the system architecture consists of elements like a Predicate Evaluation Engine, Policy Decision Point (PDP), and Policy Enforcement Point (PEP).
[0002] In some embodiments, whereas the dynamic identity-based authentication, real-time predicate evaluation, hierarchical policy support, and compatibility with pre-existing OpenStack Swift modules are some of its key characteristics. The system makes sure that access privileges are evaluated based on rich, detailed circumstances that represent operational and security requirements in the real world, rather than just static roles. For instance, a user might only be able to access specific data from a trusted device, during business hours, or from an IP address that has been allowed.
[0003] In some embodiments, wherein the approach reduces the dangers of over-privileged access while improving scalability, accountability, and policy flexibility. It conforms with contemporary cloud security frameworks and facilitates smooth interaction with federated identity management systems. Overall, by providing a strong, expandable, and flexible paradigm that complements the dynamic nature of cloud-based data sharing and multi-tenant scenarios, this fine-grained authorization method greatly improves OpenStack Swift's security posture.
[0004] These and other aspects of the embodiments herein will be better appreciated and understood when considered in conjunction with the following description and the accompanying drawings. It should be understood, however, that the following descriptions, while indicating preferred embodiments and numerous specific details thereof, are given by way of illustration and not of limitation. Many changes and modifications may be made within the scope of the embodiments herein without departing from the spirit thereof, and the embodiments herein include all such modifications.

BRIEF DESCRIPTION OF THE DRAWINGS
[0001] The embodiments herein will be better understood from the following detailed description with reference to the drawings, in which:
[0002] FIG. 1 illustrates a method for system and method for fine-grained authorization in OpenStack swift using predicate evaluation for identity-based access according to an embodiment herein.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
[0001] The embodiments herein and the various features and advantageous details thereof are explained more fully with reference to the non-limiting embodiments that are illustrated in the accompanying drawings and detailed in the following description. Descriptions of well-known components and processing techniques are omitted so as to not unnecessarily obscure the embodiments herein. The examples used herein are intended merely to facilitate an understanding of ways in which the embodiments herein may be practiced and to further enable those of skill in the art to practice the embodiments herein. Accordingly, the examples should not be construed as limiting the scope of the embodiments herein.
[0002] FIG. 1 illustrates a method for system and method for fine-grained authorization in OpenStack swift using predicate evaluation for identity-based access according to an embodiment herein. In some embodiments, the suggested approach offers a sophisticated and expandable method for integrating fine-grained authorization into the well-known object storage service OpenStack Swift. Conventional Swift access control systems lack contextual adaptation and are mainly role-based and coarse-grained. This system uses predicate-based evaluation to get around these restrictions, enabling dynamic policy enforcement based on a variety of contextual and identification characteristics, including time, location, user role, device type, access history, and resource sensitivity. The Predicate Evaluation Engine (PEE), the decision-making element at the centre of this architecture. This engine is in charge of deciphering and comparing the dynamic properties of incoming requests with sophisticated access predicates that are tied to policies. It is used in conjunction with an Attribute Provider Module (APM), which gathers and validates both static and dynamic attributes from external context sources, including temporal data providers or geolocation services, as well as identity providers.
[0003] In some embodiments, a Policy Enforcement Point (PEP), which is integrated into the middleware layer of the Swift proxy server, intercepts user requests before they may access resources stored in OpenStack Swift. Lightweight but essential, the PEP serves as the first gatekeeper and sends the request information to the Policy Decision Point (PDP). The Predicate Evaluation Engine, which is integrated with the PDP, compares the request to the specified access control policies kept in the Policy Repository. The high-level predicate language used to write policies in this system provides contextual functions (e.g., current_time (), user_location ()), comparison expressions (>, <, ==), and logical operations (AND, OR, NOT). These predicates provide for finer control because they are linked to resources and identity types. "Allow read access to financial_reports/ if user. Department == 'Finance' AND current_time () between 09:00 and 17:00 AND user_location () == 'Office'" is an example of a policy could say.
[0004] In some embodiments, the user is authenticated by an Identity Provider (IdP), usually OpenStack Keystone, to start the authorization process. A token containing the user's attributes, roles, and optional contextual metadata is produced during the authentication process. Swift's proxy layer receives this token along with the access request, extracts it, and forwards it to the PDP. To add real-time contextual attributes to this request, the PDP makes use of the Attribute Provider Module. To retrieve information like the current time, user location determined by IP or GPS, device fingerprinting details, or past access patterns, the Attribute Provider Module communicates with external APIs. After being organized and normalized, this data is sent to the Predicate Evaluation Engine as an Attribute Set.
[0005] In some embodiments, the predicate evaluation engine obtains the pertinent access policies from the Policy Repository after receiving the Attribute Set and the access request. The resource identifier, request method (GET, PUT, DELETE), and user role are taken into consideration when choosing policies. These policies' predicates are parsed by the evaluation engine, which then binds them to the attributes provided in the Attribute Set. A rules engine is used to analyse each predicate, returning a Boolean result that indicates whether or not access should be allowed. The PDP notifies the PEP of the permit decision if the predicate evaluates to true. After that, the PEP permits the request to be sent to the relevant Swift storage node. A suitable HTTP status code, like 403 Forbidden, is delivered to the user along with a reject response if the evaluation is unsuccessful. This system's modular nature is one of its main advantages. Multiple predicate forms, such as domain-specific languages (DSLs), JSON-based logic trees, and potential integration with machine learning models for adaptive policy creation, are supported by the Predicate Evaluation Engine. Organizations can customize the policy's language and structure to meet their operational needs because to its versatility.
[0006] The system facilitates auditing, policy versioning, and real-time enforcement. An Audit Logger Module records the complete context of each decision, including who sought access, to what resource, with which attributes, and the result. This module logs all access requests and predicate evaluations. Debugging policy conflicts, compliance reporting, and forensic analysis all depend on this record. The system has a Distributed Policy Cache to manage scalability in distributed situations. This cache reduces latency by storing frequently used policies and recently evaluated predicates, and it is synced across different nodes. An intelligent invalidation method in the cache guarantees consistency without causing undue overhead.
[0007] The system uses delegated authorization, which lets project managers or department heads, among other trusted parties, generate temporary access grants. Administrator-established meta-policies must be followed by these delegated policies, which are scoped by time, resource, and user group. Predicates are also used to express the delegated policies, and the same process is used to evaluate them. Both administrative and user-facing components are provided by the system's User Interface Layer. Using a graphical user interface (GUI) that facilitates drag-and-drop predicate building, administrators can establish, modify, and cancel policies. A Policy Compiler supports this interface, converting GUI-generated rules into executable policy objects. A dashboard informs users of the resources they can access, the conditions that apply, and the reasons behind their access. This openness lessens misunderstanding and increases trust.
[0008] The system is made to cause the least amount of disturbance to current Swift configurations when it comes to deployment. The PEP and PDP can be introduced as modular components because of its integration with Swift through the middleware plug-in architecture. Keystone-compatible tokens are used for identity integration, while RESTful APIs and agent-based data collectors are used for attribute gathering. A fundamental aspect of the system is security. Attribute data is encrypted both in transit and at rest, and all communication between the PEP, PDP, Attribute Provider, and Policy Repository components is protected by mutual TLS. To stop abuse or policy probing attacks, the system validates input and allows rate-limiting.
[0009] Redundant PDP instances and failover techniques are used to address fault tolerance. Requests are sent to a backup node without affecting service in the event that a PDP instance fails. Attribute providers are similarly replicated, and their availability is continuously tracked. To guarantee endurance, the audit records are duplicated throughout data centers. To sum up, this approach is a reliable, adaptable, and scalable way to implement context-sensitive, identity-aware, fine-grained access control in OpenStack Swift. Its modular architecture guarantees simplicity of integration, maintenance, and future extension, while its use of predicate evaluation enables dynamic enforcement. , Claims:I/We Claim:
1. A method for system and method for fine-grained authorization in OpenStack swift using predicate evaluation for identity-based access, wherein the method comprising:
comprising a predicate evaluation engine configured to enforce access control decisions by evaluating user identity attributes and resource metadata against access control predicates defined in policy rules;
receiving a storage access request, extracting user attributes from an identity provider, matching said attributes against stored predicate-based access control policies, and granting or denying access based on evaluation outcomes.
2. The method of claim 1, wherein the predicate evaluation is performed dynamically at the time of request, enabling context-aware authorization based on parameters such as user roles, access time, IP address, and requested object metadata.
3. The system of claim 1, further comprising a policy management interface that allows administrators to define, update, and revoke predicate-based authorization rules without modifying underlying storage infrastructure or application logic.