*5.4.2 Prototype implementation*

The first stage of **ABACsh** deployment in OpenStack is to be implemented on the nova component. The **ABACsh** PDP part will be implemented as a prototype.

• **Scope and Assumption.**

IaaS access control tenant scope can be a single tenant [5], multi-tenant [54–56], or collaborating parties across clouds [57, 58]. The implementation scope of access control in this chapter is a single tenant, whereas its hypothesis is applicable to multi-tenant and cross-cloud settings, because the central concept behind **ABACsh** is that it is user-id free and attribute-based. The proposed **ABACsh** does not replace OpenStack RBAC at this stage. Instead, it allows fine-grained access control and opens prospective avenues to replace RBAC in the near future.


*An Intelligent Access Control Model*

**Figure 6.** *Proposed ABACsh for OpenStack nova.*

**Figure 7.** *Telemeter process.*

• **OpenStack Testbed**.

OpenStack aids in deploying an IaaS cloud. **Figure 8** shows the testbed deployed in this chapter. It is installed on three machines using Ubuntu 16.04 LTS as the operating system and OpenStack Ocata, the latest release (Feb 2017). One machine is configured as a controller, which provides the OpenStack main server in addition to networking services (neutron), keystone, nova and glance. The two other machines are configured as compute nodes where virtual machines are hosted. The machine specification is Intel Core i5-4460 CPU 3.20 GHz × 4, 15.5 GiB memory, 235 GB disk and 2 NIC cards. The testbed networking consists of two LANs: a management network and a data network. The management network carries the OpenStack service communication, whereas the data network carries the communication of the virtual machines. This IaaS is a private cloud where OpenStack services and the VMs are accessed by the LAN users.

• **Data flow**.

The nova policy engine is embedded within its configuration files, which is considered one of OpenStack's limitations. However, the default policies can be overwritten if policy.json is enabled. Policy.json can be configured to call an external policy engine through a URL. The token holds information that can be passed from OpenStack keystone to the **ABACsh** policy engine via a REST GET call. The nova PEP receives an access decision from the **ABACsh** policy engine via a REST POST call. The **ABACsh** policy engine uses a forward-chaining algorithm to produce an access control decision. The access control reasoning takes as facts the subject and object attributes, in addition to the system and context attributes.
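The forward-chaining decision step described above can be sketched as follows. This is an added example, not code from the chapter or from ABACsh: the rule set, the attribute names and the deny-overrides, default-deny combination are assumptions chosen for illustration.

```python
# Added illustration, not ABACsh code: rules and attribute names are hypothetical.
# A fact is an (attribute, value) pair; a rule maps a set of premises to one conclusion.
ACTION = "os_compute_api:servers:start"  # sample nova policy target
RULES = [
    ({("subject.department", "research"), ("object.project", "research")},
     ("derived.same_unit", True)),
    ({("context.network", "management"), ("system.maintenance", False)},
     ("derived.safe_context", True)),
    ({("derived.same_unit", True), ("derived.safe_context", True), ("action", ACTION)},
     ("decision", "permit")),
    ({("subject.suspended", True)}, ("decision", "deny")),
]


def forward_chain(facts, rules=RULES):
    """Fire every rule whose premises all hold until no new fact appears."""
    known = set(facts)
    changed = True
    while changed:
        changed = False
        for premises, conclusion in rules:
            if premises <= known and conclusion not in known:
                known.add(conclusion)
                changed = True
    return known


def decide(subject, obj, system, context, action):
    """Build the fact base from the four attribute groups and return a decision."""
    facts = {("action", action)}
    groups = {"subject": subject, "object": obj, "system": system, "context": context}
    # Prefixing keeps caller-supplied attributes out of the derived.* and decision names.
    for prefix, attrs in groups.items():
        facts |= {(f"{prefix}.{name}", value) for name, value in attrs.items()}
    closure = forward_chain(facts)
    # Deny overrides permit, and no derived permit means deny (default deny).
    if ("decision", "deny") in closure:
        return "deny"
    return "permit" if ("decision", "permit") in closure else "deny"


if __name__ == "__main__":
    subject = {"department": "research", "suspended": False}  # constructed sample input
    print(decide(subject, {"project": "research"}, {"maintenance": False},
                 {"network": "management"}, ACTION))
```

No user identifier appears among the facts, in line with the user-id free design stated in the scope.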

*DOI: http://dx.doi.org/10.5772/intechopen.95459*
