Changes between Version 4 and Version 5 of AuthStoryBoard


Timestamp:
12/06/11 12:16:08 (12 years ago)
Author:
chase@cs.duke.edu
Comment:

new slide decks linked in, more tinkering with text

  • AuthStoryBoard

    v4 v5  
    33This page is the portal to a series of ppt twitters dealing with GENI's emerging federated authorization system, with a strong dose of advocacy for declarative trust management using a role-based trust delegation logic (ABAC).  A ppt twitter is a powerpoint deck with a soft limitation of 20 slides.
    44
    5 This space also bears on federation topics that are often intertwined with GENI control framework architecture.  The various testbeds predating GENI evolved their own authorization structures to meet the practical needs of testbed deployments.  One theme of GENI has been retrofitting federation support onto these testbeds, so that we may interconnect them.  At the same time, the project managers have envisioned a system with strong central control and safety restraints, e.g., through a Clearinghouse that bundles various identity and authorization functions.  GENI architects spend a lot of time dealing with issues of trust policy disguised as architectural questions.
     5This work is a product of the [wiki:GeniAuthorization GENI Authorization Project].
     6
     7This work also bears on federation topics that are often intertwined with GENI control framework architecture.  The various testbeds predating GENI evolved their own authorization structures to meet the practical needs of testbed deployments.  One theme of GENI has been retrofitting federation support onto these testbeds, so that we may interconnect them.  At the same time, the project managers have envisioned a system with strong central control and safety restraints, e.g., through a Clearinghouse that bundles various identity and authorization functions.  GENI architects spend a lot of time dealing with issues of trust policy disguised as architectural questions.
    68
    79One goal of this work is to disentangle these topics and separate them from questions of control framework architecture.  Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity and role-based trust management.  Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools.  GENI can also leverage the large investments in federated identity deployments (Shibboleth, SAML, inCommon).  By applying these other works, we can simplify implementations and free the architects to focus on what is really new in GENI: unified control of diverse virtual infrastructure services.   We can also allow planning of trust policy and governance to go forward separately from the architecture discussions. 
    810
    9  * Background slides on GENI federation architecture
    10  * Tutorial slides on role-based trust and ABAC
     11 * [attachment:wiki:AuthStoryBoard:geni-fed-basics.ppt Background slides on GENI federation architecture]
     12 * [attachment:wiki:AuthStoryBoard:geni-abac-basics.ppt Tutorial slides on role-based trust and ABAC]
    1113 * [attachment:wiki:AuthStoryBoard:geni-fed-intro.ppt Deconstructing the GENI Federation]
    1214 * [attachment:wiki:AuthStoryBoard:geni-fed-tale.ppt A Tale of Two Federations]
    13  * Building the GENI Federation with ABAC
     15 * [attachment:wiki:AuthStoryBoard:geni-fed-tm.ppt Building the GENI Federation with ABAC]
    1416 * The GENI Federation with ABAC: Going Deeper
    1517 * Slides on naming and credential management
    1618
    17 Note that these slides are ORCA-free: ORCA always viewed authorization policy as a plug-in.  ORCA is not a testbed.
     19Note that these slides are ORCA-free: ORCA always viewed authorization policy as a plug-in.  To deploy ORCA, it is necessary to combine it with an authorization framework and trust structure.  That is what this series of slides is about.
    1820
    1921These slides are part of an ongoing discussion with other collaborators in GENI.  It's a work in progress, but it will feel "done" soon.  It needs proper acknowledgment for major collaborators, including Ted Faber at ISI and my student Prateek Jaipuria, funding sources (NSF through multiple lines, and RENCI), and related work.  It is my intent that any contributions, ideas, and content from this work shall be unrestricted in the public domain.  My content on this page is available for use under Creative Commons CC-BY Attribution license.  I appreciate attribution for ideas, but feel free to steal my art (as I have stolen from others).
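Review bot: the two list items at v5 lines 16 and 17 ("The GENI Federation with ABAC: Going Deeper" and "Slides on naming and credential management") are still plain text, while the five items above them now use attachment:wiki:AuthStoryBoard:... links, so a reader cannot tell whether those decks exist yet. Either link them or mark them as not yet posted. Separately, the paragraph added at v5 line 5 and the reworded one at v5 line 7 now both open with "This work", which reads as a repetition; starting the second with "It also bears on federation topics" would avoid that.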