Version 1 (modified by Aaron Falk, 13 years ago)

Authorization in GENI

Session leaders

Steve Schwab, Cobham
Ted Faber, ISI
Tom Mitchell, BBN

Time

Wed 4:30 - 6 pm

Description

This meeting will seek agreement on an approach to authorization in GENI. A proposed way forward will be presented along with possible alternatives, followed by open discussion.

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

There are two proposed solutions in use by current control framework projects: credentials and attributes. Credentials bind a set of roles or privileges to an experimenter and a slice. Attributes denote individual properties of an experimenter and are grouped to determine privileges. There are pros and cons to both approaches. Stakeholders will discuss both approaches and reach consensus on a way forward for authorization in GENI.

Background reading

ProtoGENI Credentials: http://www.protogeni.net/trac/protogeni/wiki/Credentials
ProtoGENI Authentication: http://www.protogeni.net/trac/protogeni/wiki/AuthImpl
GEC 8 ABAC Tutorial Slides: http://groups.geni.net/geni/attachment/wiki/Gec8Workshops/abac-mini-wk-ah-final.ppt
GEC 8 ABAC Tutorial Slides: http://groups.geni.net/geni/attachment/wiki/Gec8Workshops/ABAC_Tutorial_v2_faber.pdf
ABAC Project: http://abac.deterlab.net
TIED ABAC Model: http://groups.geni.net/geni/wiki/TIEDABACModel
TIED ABAC Demo: http://groups.geni.net/geni/wiki/TIEDABACDemo

Agenda

TBD
