ACCoRDT

A CRDT for Access Control in distributed settings

Author: Pierre-Antoine Rault

Affiliation: INRIA

To deal with different rights among users in a fully distributed collaboration group, we propose a mechanism relying on CRDTs to manage a shared access control policy, named Access Control Commutative Replicated Data Type (ACCoRDT). This work extends a Rault (2021) proposal, later conceptualized in a 2022 workshop paper.

Rault, Pierre-Antoine. 2021. “Présentation.” https://slides.com/pierre-antoinerault/deck-these-1.

ACCoRDT provides an interface to prepare and integrate operations locally, in order to evaluate the proposal’s claims in selected scenarios.

It is not meant to be integrated in third-party production code.

Install

pip install accordt

How to use

from crdt.dag import DAG  # for a right, we gather policy op. in a DAG

D = DAG()
D.add_op("a1", ["0"])  # add a policy op.
D.add_op("b1", ["0"])  # add a concurrent op.
D.add_op("b2", ["b1"])  # add an op. depending on b1
print(D.pol)
print(D.edges(nbunch=D.pol))

['0', 'a1', 'b1', 'b2']
[('0', 'a1'), ('0', 'b1'), ('b1', 'b2')]

It is then easy to get the evaluation of operation validity:

D.eval()  # get the last valid op. representing policy value

'a1'

Multiple rights

When dealing with more than one right, we use a higher-level class, CRDTp, which orchestrates DAG classes for each operation received or emitted and provides a unified interface to evaluate them.

from crdt.sites import Site
from crdt.crdt import CRDTp

order = ["A", "B"]
A = Site(label="A", order=order)
B = Site(label="B", order=order)
crdt = CRDTp(site_from=A)
a1 = crdt.prepare(site_to=B, right="write")
print(a1.__dict__)

{
    'site_from': Site(A),
    'num': 1,
    'site_to': Site(B),
    'right': 'write',
    'sign': '-',
    'deps': ['0'],
    'last': None,
    'missing': []
}

For conflicting rights across DAGs, i.e. removing one Site’s ability to edit the policy concurrently with that Site emitting an operation, we provide more examples in our test cases.

Document operations validity

As the policy evolves, operations that do not impact the policy can still be affected by it and be forbidden a posteriori: when a conflicting policy change removes (resp. adds) a right after the fact, a document operation can become forbidden (resp. allowed).

Removing a document operation’s effect is out of the scope of this \(CRDT_{p}\), but tracking transitions of document operations’ status (forbidden/allowed) is in scope. This way other \(CRDT_{d}\) can invert (resp. apply) the effect of a document operation whose status changed.
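
The status tracking described above, as an added sketch that is not ACCoRDT's own code or API: it records the allowed/forbidden transitions a document CRDT would consume when a revoke arrives concurrently with an edit. The names Op and StatusTracker, the single implicit right, causal delivery, and the revoke-wins rules are all assumptions made for this illustration.

```python
# Added illustration: a simplified model, NOT the accordt API; names are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Op:
    id: str
    site: str         # policy op: site the right applies to; doc op: author
    kind: str         # "+" grant, "-" revoke, "doc" document operation
    deps: tuple = ()  # ids of the ops the issuer had already integrated

class StatusTracker:
    def __init__(self):
        self.ops, self.status, self.transitions = {}, {}, []

    def past(self, op_id):  # causal past: every known op reachable through deps
        seen, stack = set(), list(self.ops[op_id].deps)
        while stack:
            i = stack.pop()
            if i in self.ops and i not in seen:
                seen.add(i)
                stack.extend(self.ops[i].deps)
        return seen

    def allowed(self, doc):
        past = self.past(doc.id)
        policy = [o for o in self.ops.values() if o.kind != "doc" and o.site == doc.site]
        revokes = [o for o in policy if o.kind == "-"]
        # Assumed rule 1: a revoke concurrent with the doc op wins.
        if any(r.id not in past and doc.id not in self.past(r.id) for r in revokes):
            return False
        # Assumed rule 2: some grant in the past must have seen every revoke in it.
        return any(g.kind == "+" and g.id in past and
                   all(r.id in self.past(g.id) for r in revokes if r.id in past)
                   for g in policy)

    def integrate(self, op):  # add op, re-evaluate doc ops, record status changes
        self.ops[op.id] = op
        for d in [o for o in self.ops.values() if o.kind == "doc"]:
            new = "allowed" if self.allowed(d) else "forbidden"
            old = self.status.get(d.id)
            if old is not None and old != new:
                self.transitions.append((d.id, old, new))
            self.status[d.id] = new

# Constructed scenario: B writes d1 while r1 concurrently revokes B's right.
t = StatusTracker()
for op in (Op("g1", "B", "+"), Op("d1", "B", "doc", ("g1",)), Op("r1", "B", "-", ("g1",))):
    t.integrate(op)
print(t.transitions)
```

Integrating the same three operations in the order g1, r1, d1 ends with the same status for d1 but records no transition, since d1 is already forbidden when it is first evaluated.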