TIED: Trial Integration Environment in DETER
Principal Investigator: John Wroclawski email@example.com
Co-Principal Investigator: Terry Benzel firstname.lastname@example.org
Ted Faber faber@ISI.EDU
- University of Southern California Information Sciences Institute, Marina del Rey
The scope of work on this project is to develop and evangelize a control framework that particularly emphasizes usability across different communities, through federation, rich trust/security models, and similar enabling mechanisms.
- TIED: S4.a Deploy prototype integrated ABAC authorization system (Completed on time 11/05/11)
- TIED: S4.b Deploy prototype integrated ABAC authorization system (Completed on time 11/05/11)
- TIED: S4.c Deploy prototype integrated ABAC authorization system (Completed on time 11/05/11)
- TIED: S4.d Deploy prototype integrated ABAC authorization system (Completed on time 11/05/11)
- TIED: S4.e Cross-control-framework authorization policies and tools (Due 03/01/12 (late))
- TIED: S4.f Cross-control-framework authorization policies and tools (Due 03/01/12 (late))
- TIED: S4.g Cross-control-framework authorization policies and tools (Completed on time 03/13/12)
- TIED: S4.h Production deployment (Due 03/01/12 (late))
- TIED: S4.i Production deployment (Due 07/01/12 (late))
- TIED: S4.j Production deployment (Due 09/30/12 (late))
Project Technical Documents
TIED is based on the TIED/DETER federation system, which allows a researcher to construct experiments that span testbeds by dynamically acquiring resources from other testbeds and configuring them into a single experiment. As closely as possible, that experiment will mimic a single DETER/Emulab experiment.
This model fundamentally supports creation of cohesive experiments (slices) from independently administered resources (components/aggregates). Because resources are independently administered and serve different communities, the authorization system needs to support a rich delegation structure, formal semantics, efficient negotiation, and clear auditing. The ABAC system meets those requirements; TIED is integrating this into the federation system.
To make use of widely distributed components it is helpful to establish guaranteed network connections between them. TIED is addressing this by federating with testbeds that represent dynamically allocatable wide-area network resources. The prototyping plan is to use DRAGON interfaces to configure these resources.
- The TIED/DETER Federation architecture and implementation
- Information about the TIED/DETER federation system, including overview, detailed user and developer documentation, pointers to published papers, and released code.
- The TIED Clearinghouse
- Description of how the TIED system provides GENI clearinghouse functionality, including how to join.
- The ABAC model in TIED
- Discussion of ABAC concepts and how they relate to TIED implementation
- An ABAC demo
- A worked example of ABAC applied to a GENI scenario. Also shows the TIED attribute explorer.
- ProtoGENI Plug-in
- A description of the design for the upcoming TIED/ProtoGENI subsystem.
- Release of fedd 3.00
- Release of fedd that includes the ProtoGENI plugin (as per milestone S2.c). It also includes information for developers who want to write their own plug-ins.
- Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate
- This discusses the GENIAPI both from the perspective of TIED using it, and more broadly as an interoperation architecture.
- GENIAPI support
- We have three screencast videos online that demonstrate the creation and manipulation of an experiment using both DETER resources and ProtoGENI resources that are manipulated through the GENIAPI interface. These are multi-megabyte files in MPEG format, and we have linked to them below rather than attaching them to the wiki.
In addition we have completed a report on the directions for improving the GENIAPI to make it easier to support PlanetLab plug-ins under TIED using the GENIAPI. The report also includes a revised discussion of the role of the control framework and the aggregate managers as we see them, based partially on feedback from the e-mail exchange and discussions the earlier report touched off.
- GENIAPI AM/ABAC integration
- We have integrated libabac v 0.1.2 with the current GENIAPI AM v1.2 reference implementation (actually the tarball works with the git version as of 6 Jan 2011). The resulting system makes all authorization decisions based on TIED self-validating identities and ABAC credentials. It passes the tests shipped with the GCF reference implementation. The only direct modification to the GENIAPI AM code was a few lines to request a 'list' credential in ListResources. The difficulty that led to this change is described in the design document and the change is backward compatible.
We have a tarfile of our code (relative to the gcf directory in the GCF release) available and a document describing the design and lessons from the work. Instructions on initializing the ABAC policies and running the code are in the tarfile in the ABAC_README file.
- ABAC rules for GENI authorization
This is a set of machine-readable ABAC rules that represent our proposal for encoding the GENI authorization in ABAC rules. The milestone actually calls for rules usable with the code in the previous milestone, but that code was delivered with such rules. These rules represent a cleaner instantiation, one that would require some reimplementation to incorporate.
The attached document both explains those rules to an audience knowledgeable in ABAC, and stands alone as an introduction to both ABAC and GENI authorization. Playing that dual role makes it a little longer than a simple description of the rules.
- ABAC Vocabulary
This is a document that tries to capture the group consensus on a global attribute vocabulary for carrying out authorization decisions in GENI. It lays out the problem, proposes a vocabulary for authorization and gives two sample policies.
- GENIAPI changes for ABAC support
This is a brief document outlining the changes to the GENIAPI necessary to support ABAC credentials and interactions. More thinking along these lines has happened on the dev mailing list.
Spiral 2 Project Review Slides
GPO Liaison System Engineer
Heidi Picher Dempsey email@example.com
- TIED_GENIAPI_v1.2.pdf (258.4 kB) -
Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate, added by firstname.lastname@example.org on 08/13/10 17:59:28.
- TIED QPR 06-30-10-v1.txt (10.8 kB) -
Q2 2010 QSR, added by email@example.com on 08/26/10 17:04:59.
- Spiral 2 Project Review - TIED.pdf (0.8 MB) -
Spiral 2 Project Review slides in PDF format, added by firstname.lastname@example.org on 08/30/10 12:47:39.
- Spiral 2 Project Review - TIED.pptx (0.7 MB) -
Spiral 2 Project Review slides in pptx format, added by email@example.com on 08/30/10 12:48:36.
- TIED_PlanetLab_GENIAPI.pdf (327.1 kB) -
Review of GENIAPI and its role in a TIED/PlanetLab Plug-in, added by firstname.lastname@example.org on 10/17/10 00:52:45.
- abac_geniapi-1.0.tgz (26.0 kB) -
ABAC/GENIAPI code, added by email@example.com on 01/06/11 21:28:52.
- ABAC_GENIAPIv1.2.pdf (175.5 kB) - added by firstname.lastname@example.org on 01/06/11 21:29:41.
- ABAC_Rules_v1.2.pdf (210.6 kB) -
Description of ABAC rules, added by email@example.com on 02/14/11 21:46:35.
- GENI_ABAC_rules.tgz (189.6 kB) -
ABAC rules, added by firstname.lastname@example.org on 02/14/11 21:47:01.
- Strawman_v1.1.pdf (148.3 kB) -
GENI API Strawman 1.1, added by email@example.com on 04/04/11 19:04:14.
- ABAC_Vocabulary_1.0.pdf (238.2 kB) -
GENI Vocabulary, added by firstname.lastname@example.org on 11/01/11 01:41:43.
- ABAC_GENIAPI_changes_1.2.pdf (197.1 kB) - added by email@example.com on 11/01/11 01:42:09.