Changes between Version 11 and Version 12 of AuthStoryBoard

Timestamp:
12/15/11 09:24:19 (12 years ago)
Author:
chase@cs.duke.edu
Comment:

Broke up the bullet list

  • AuthStoryBoard

    v11 v12  
    77This work also bears on federation topics that are often intertwined with GENI control framework architecture.  The various testbeds predating GENI evolved their own authorization structures to meet the practical needs of testbed deployments.  One theme of GENI has been retrofitting federation support onto these testbeds, so that we may interconnect them.  At the same time, the project managers have envisioned a system with strong central control and safety restraints, e.g., through a Clearinghouse that bundles various identity and authorization functions.  GENI architects spend a lot of time dealing with issues of trust policy disguised as architectural questions.
    88
    9 One goal of this work is to disentangle these topics and separate them from questions of control framework architecture.  Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity and role-based trust management.  Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools.  GENI can also leverage the large investments in federated identity deployments (Shibboleth, SAML, inCommon).  By applying these other works, we can simplify implementations and free the architects to focus on what is really new in GENI: unified control of diverse virtual infrastructure services.   We can also allow planning of trust policy and governance to go forward separately from the architecture discussions.  Here are the PowerPoint slide decks:
     9One goal of this work is to disentangle these topics and separate them from questions of control framework architecture.  Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity and role-based trust management.  Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools.  GENI can also leverage the large investments in federated identity deployments (Shibboleth, SAML, inCommon).  By applying these other works, we can simplify implementations and free the architects to focus on what is really new in GENI: unified control of diverse virtual infrastructure services.   We can also allow planning of trust policy and governance to go forward separately from the architecture discussions.
    1010
    11  * [attachment:wiki:AuthStoryBoard:geni-fed-basics.ppt Background slides on GENI federation architecture]
     11These slide decks outline an architectural view of GENI and other federated testbeds that may inter-operate or overlap in various ways.  These slides are ABAC-free.
     12
    1213 * [attachment:wiki:AuthStoryBoard:geni-fed-intro.ppt Deconstructing the GENI Federation]
    1314 * [attachment:wiki:AuthStoryBoard:geni-fed-tale.ppt A Tale of Two Federations]
    14  * [attachment:wiki:AuthStoryBoard:geni-abac-basics.ppt Tutorial slides on role-based trust and ABAC]
     15
     16These slide decks show how to specify instances of the federation architecture using ABAC.  They illustrate with sample policies that are suitable for a GENI deployment with strong central control.  Other deployments may use different policies, and the policies for any deployment may change with time.
     17
    1518 * [attachment:wiki:AuthStoryBoard:geni-fed-tm.ppt Building the GENI Federation with ABAC]
    1619 * [attachment:wiki:AuthStoryBoard:geni-abac-deeper.ppt The GENI Federation with ABAC: Going Deeper]
     20
     21These slide decks provide some additional background.  I would use some of them for talks for a non-GENI audience.  The slides on credentials address various practical challenges raised by the trust management approach.
     22 * [attachment:wiki:AuthStoryBoard:geni-fed-basics.ppt Background slides on GENI federation architecture]
     23 * [attachment:wiki:AuthStoryBoard:geni-abac-basics.ppt Tutorial slides on role-based trust and ABAC]
    1724 * [attachment:wiki:AuthStoryBoard:certstore.ppt Slides on credential management]
    1825
    19 Note that these slides are ORCA-free: ORCA always viewed authorization policy as a plug-in.  To deploy ORCA, it is necessary to combine it with an authorization framework and trust structure.  These slides are about an authorization framework and trust structure suitable for GENI deployment.  It has no ORCA dependency, and should be compatible with other control frameworks as well.
     26Note that all of these slides are ORCA-free: ORCA always viewed authorization policy as a plug-in.  To deploy ORCA, it is necessary to combine it with an authorization framework and trust structure.  These slides are about an authorization framework and trust structure suitable for GENI deployment.  It has no ORCA dependency, and should be compatible with other control frameworks as well.
    2027
    21 These slides are part of an ongoing discussion with other collaborators in GENI.  It's a work in progress, but it will feel "done" soon.  It needs proper acknowledgment for major collaborators, including Ted Faber and Prateek Jaipuria, funding sources (NSF through multiple lines, and RENCI), and related work.
     28These slides are part of an ongoing discussion with other collaborators.  It's a work in progress, but it will feel "done" soon.  It needs proper acknowledgment for major collaborators, including Ted Faber and Prateek Jaipuria, funding sources (NSF through multiple lines, and RENCI), and related work.
    2229
    2330This is a shared work.  Jeff Chase: "My content on this page is available for use under Creative Commons CC-BY Attribution license.  I appreciate attribution for ideas, but feel free to steal my art (as I have stolen from others)."
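Review bot: the third group (v12 lines 21-24) omits the blank line between its introductory sentence and its bullets, while the first two groups (v12 lines 11-14 and 16-19) have one; add a blank line after line 21 so all three groups are laid out the same way. Also, since the old lead-in "Here are the PowerPoint slide decks:" was dropped from v11 line 9, the first group's opening "These slide decks outline ..." at v12 line 11 now refers forward to bullets that have not been introduced yet; a short lead-in at the end of line 9, or wording such as "The following slide decks outline ...", would make the reference clear.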