Changes between Version 10 and Version 11 of TIEDCredentials
- Timestamp:
- 04/19/13 19:21:09 (11 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
TIEDCredentials
v10 v11 59 59 For a given request at an Aggregate Manager, the Manager knows the principal making the request, the target of the request, and which privilege is required to execute it. It has a prover initialized with its policy (an ABAC context in [http://abac.deterlab.net libabac] terms). It adds any credentials in the request and asks the prover a yes/no question - "does the principal making this request have the proper privilege?" 60 60 61 The first thing to encode in ABAC is "the proper privilege." The ABAC attribute {{{AM.privilege(Target)}}} means that AM believes principals in that set have privilege with respect to Target. For example, the resolve on a slice S would be {{{AM.resolve(S)}}}. When a principal (P) requests an operation that requires resolve rights on slice S, the Manager (AM) asks the prover if P is a member of {{{AM.resolve(S)}}} (or in other words, if P has the {{{AM.resolve(S)}}} attribute).61 The first thing to encode in ABAC is "the proper privilege." The ABAC attribute {{{AM.privilege(Target)}}} means that AM believes principals in that set have privilege with respect to Target. For example, the privilege to issue resolve on a slice S would be the ABAC attribute/set {{{AM.resolve(S)}}}. When a principal (P) requests an operation that requires resolve rights on slice S, the Manager (AM) asks the prover if P is a member of {{{AM.resolve(S)}}} (or in other words, if P has the attribute {{{AM.resolve(S)}}} attribute). 62 62 63 Aggregate Managers do not issue these credentials to users. They are elements of the local policy, encoded in a configuration file. While ABAC allows delegation here, for now letsassume a series of simple delegations. There are a set of issuers that each Aggregate Manager believes. For each Issuer that AM believes, it has a rule like this:63 Aggregate Managers do not issue credentials conferring {{{AM.privilege()}}} to users. They are inferred from ABAC rules in the local policy, encoded in a configuration file. While ABAC allows delegation here, for now we assume a series of simple delegations. There are a set of issuers that each Aggregate Manager believes. For each Issuer that AM believes, it has a rule like this: 64 64 65 65 {{{ … … 77 77 Issuers, such as Slice Authorities and Clearinghoses, issue credentials to users. Here we describe how libabac will translate a credential into multiple ABAC statements inside the prover. 78 78 79 Because GENI allows all privileges to be passed around by "speaks-for" the ABAC forissuing a privilege to a user (P) looks like:79 Because GENI allows all privileges to be transferred around by "speaks-for" the ABAC translation of a credential issuing a privilege to a user (P) looks like: 80 80 81 81 {{{ … … 87 87 The Issuer says that anyone that speaks for P has the privilege. The Issuer says P speaks for itself. The Issuer says that anyone P says speaks for P speaks for P. When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC. The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential. 88 88 89 When a user (P) issues a speaks-for credential for a tool (T), that credential encodes the following ABAC rule:89 When a user (P) issues a speaks-for credential for a tool (T), that credential is translated into ABAC as: 90 90 91 91 {{{ … … 93 93 }}} 94 94 95 Note that this interprets the same credential format (GENI privilege credential) differently depending on the privilege being assigned (speaks-for). This is because of the implicit semantics of "speaks-for" buried in its definition. 95 Note that this interprets the same credential format (GENI privilege credential) differently depending on the privilege being assigned (speaks-for). This is because of the implicit semantics of "speaks-for" buried in its definition. "Speaks-for" can affect any credential, so it permeates the policy. One way to see this is to note that speaks_for appears on the right side of rules generated for all other privileges. 96 96 97 To be concrete: if (in GENI terms) AM trusts Issuer about {{{resolve}}} on {{{Target}}}, Issuer has handed P a GENI credential assigning {{{resolve}}} on {{{Target}}}, and P has issued a "speaks-for" credential to tool T, and T makes a request including both credentials, AM has the following ABAC rules in its prover: 97 To be concrete: if (in GENI terms) 98 * AM trusts Issuer about {{{resolve}}} on {{{Target}}} 99 * Issuer has handed P a GENI credential assigning {{{resolve}}} on {{{Target}}} 100 * P has issued a "speaks-for" credential to tool T 101 * T makes a request including both credentials 102 103 AM has the following ABAC rules in its prover: 98 104 99 105 {{{