Project Number

1609

Project Title

TIED: Trial Integration Environment in DETER

a.k.a. DETER

Technical Contacts

Principal Investigator: John Wroclawski  jtw@isi.edu

Co-Principal Investigator: Terry Benzel  tbenzel@isi.edu

Ted Faber  faber@ISI.EDU

Participating Organizations

Scope

The scope of work on this project is to develop and evangelize a control framework that particularly emphasizes usability across different communities, through federation, rich trust/security models, and similar enabling mechanisms.

Milestones

Spiral 4


Project Technical Documents

TIED is based on the TIED/DETER federation system, which allows a researcher to construct experiments that span testbeds by dynamically acquiring resources from other testbeds and configuring them into a single experiment. As closely as possible, that experiment mimics a single DETER/Emulab experiment.

This model fundamentally supports the creation of cohesive experiments (slices) from independently administered resources (components/aggregates). Because resources are independently administered and serve different communities, the authorization system needs to support a rich delegation structure, formal semantics, efficient negotiation, and clear auditing. The ABAC system meets those requirements; TIED is integrating it into the federation system.

To make use of widely distributed components it is helpful to establish guaranteed network connections between them. TIED is addressing this by federating with testbeds that represent dynamically allocatable wide-area network resources. The prototyping plan is to use DRAGON interfaces to configure these resources.
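As an added illustration of the delegation and auditing properties described above, the following minimal RT0-style ABAC prover is example code written for this page, not TIED's or libabac's own implementation; the principals, roles and policy it uses are constructed.

```python
# Added example, not TIED or libabac code: a minimal RT0-style ABAC prover.
# A credential (head, body) reads "head <- body"; the body is a principal
# ("Alice"), a role ("CH.pi") or a linked role ("CH.pi.project": the 'project'
# role of every holder of CH.pi). prove() returns the chain of credentials that
# shows a principal holds a role, which is the auditable proof. Names are constructed.
from typing import List, Optional, Set, Tuple
Cred = Tuple[str, str]

def principals(creds: List[Cred]) -> Set[str]:
    return {name.split('.')[0] for cred in creds for name in cred}  # all principal names

def prove(creds: List[Cred], role: str, principal: str,
          path: Optional[Set[Tuple[str, str]]] = None) -> Optional[List[Cred]]:
    """Credential chain proving `principal` holds `role` (e.g. 'Testbed.access'), or None."""
    path = set() if path is None else path
    key = (role, principal)
    if key in path:                 # goal already on this path: a delegation cycle
        return None
    path.add(key)
    try:
        for head, body in creds:
            if head != role:
                continue
            parts = body.split('.')
            if len(parts) == 1:                         # A.r <- P  (direct membership)
                if body == principal:
                    return [(head, body)]
            elif len(parts) == 2:                       # A.r <- B.r2  (role delegation)
                sub = prove(creds, body, principal, path)
                if sub is not None:
                    return [(head, body)] + sub
            else:                                       # A.r <- B.r1.r2  (linked role)
                b_r1, r2 = '.'.join(parts[:2]), parts[2]
                for x in sorted(principals(creds)):     # every x in B.r1, then x.r2
                    first = prove(creds, b_r1, x, path)
                    second = first and prove(creds, f'{x}.{r2}', principal, path)
                    if second:
                        return [(head, body)] + first + second
        return None
    finally:
        path.discard(key)

# Constructed GENI-style policy: the testbed admits members of any project the
# clearinghouse recognises, and it recognises the projects of PIs it has certified.
POLICY: List[Cred] = [
    ('Testbed.access', 'Clearinghouse.project.member'),
    ('Clearinghouse.project', 'Clearinghouse.pi.project'),
    ('Clearinghouse.pi', 'Alice'),
    ('Alice.project', 'ProjX'),
    ('ProjX.member', 'Bob'),
]
```

`prove(POLICY, 'Testbed.access', 'Bob')` returns the five-credential chain from the testbed's rule down to Bob's project membership, while a principal not reachable through any delegation gets `None`.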

The TIED/DETER Federation architecture and implementation
Information about the TIED/DETER federation system, including an overview, detailed user and developer documentation, pointers to published papers, and released code.
The TIED Clearinghouse
Description of how the TIED system provides GENI clearinghouse functionality, including how to join.
The ABAC model in TIED
Discussion of ABAC concepts and how they relate to the TIED implementation.
An ABAC demo
A worked example of ABAC applied to a GENI scenario. Also shows the TIED attribute explorer.
ProtoGENI Plug-in
A description of the design for the upcoming TIED/ProtoGENI subsystem.
Release of fedd 3.00
Release of fedd that includes the ProtoGENI plugin (as per milestone S2.c). It also includes information for developers who want to write their own plug-ins.

We have also prepared a document explaining where to find the information required for a GENI Integration Release 2.1 inclusion on the fedd website.

Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate
This discusses the GENIAPI both from the perspective of TIED using it, and more broadly as an interoperation architecture.
GENIAPI support
We have three screencast videos online that demonstrate the creation and manipulation of an experiment using both DETER resources and ProtoGENI resources that are manipulated through the GENIAPI interface. These are multi-megabyte files in MPEG format, and we have linked to them below rather than attaching them to the wiki. The files are large enough that they seem to confuse some browser players. You may have to hit the play button in your browser a few times, or download the file to local storage and run a player.

In addition, we have completed a report on the directions for improving the GENIAPI to make it easier to support PlanetLab plug-ins under TIED using the GENIAPI. The report also includes a revised discussion of the role of the control framework and the aggregate managers as we see them, based partially on feedback from the e-mail exchange and discussions the earlier report touched off.

GENIAPI AM/ABAC integration
We have integrated libabac v0.1.2 with the current GENIAPI AM v1.2 reference implementation (the tarball actually works with the git version as of 6 Jan 2011). The resulting system makes all authorization decisions based on TIED self-validating identities and ABAC credentials. It passes the tests shipped with the GCF reference implementation. The only direct modification to the GENIAPI AM code was a few lines to request a 'list' credential in ListResources. The difficulty that led to this change is described in the design document, and the change is backward compatible.

We have a tarfile of our code (relative to the gcf directory in the GCF release) available and a document describing the design and lessons from the work. Instructions on initializing the ABAC policies and running the code are in the tarfile in the ABAC_README file.

ABAC rules for GENI authorization

This is a set of machine-readable ABAC rules that represent our proposal for encoding GENI authorization in ABAC rules. The milestone actually calls for rules usable with the code in the previous milestone, but that code was delivered with such rules. These rules represent a cleaner instantiation of the rules that would require some reimplementation to incorporate.

The attached document both explains those rules to an audience knowledgeable in ABAC, and stands alone as an introduction to both ABAC and GENI authorization. Playing that dual role makes it a little longer than a simple description of the rules.

ABAC Vocabulary

This is a document that tries to capture the group consensus on a global attribute vocabulary for carrying out authorization decisions in GENI. It lays out the problem, proposes a vocabulary for authorization, and gives two sample policies.

GENIAPI changes for ABAC support

This is a brief document outlining the changes to the GENIAPI necessary to support ABAC credentials and interactions. Further discussion along these lines has taken place on the dev mailing list.

Quarterly Status Reports

Spiral 2 Project Review Slides

PDF or PPTX

GPO Liaison System Engineer

Heidi Picher Dempsey  hdempsey@geni.net

Related Projects

Attachments