Changes between Version 2 and Version 3 of TIEDCredentials


Timestamp:
04/18/13 21:00:11
Author:
faber@isi.edu
Comment:

--

  • TIEDCredentials

    v2 v3  
    2020The only type of GENI credential currently in use is the "privilege" credential.  This credential assigns a principal (called the owner) one or more privileges with respect to another principal (called the target).  The credential has an implicit issuer, the signer of the credential.  The privileges are strings meaningful to the implementation.  There is also a bit that allows delegation of the privilege.  This section describes how to represent the semantics of the GENI credentials in ABAC statements.  Libabac will import a GENI credential into ABAC statements internally and use those statements to make authorization decisions; the AM (relying party) will import the credentials and policy into libabac and ask libabac for the authorization decision.
    2121
    22 The AM is trying to prove that the Owner who is asking to exercise a privilege on Target is authorized with respect to the AM.
     22The AM's decision to allow Owner to exercize privilege on Target is expressed in ABAC as asking the prover if Owner has the AM.privilege(Target) attribute.  For each Issuer that the AM trusts to authorize privilege(Target) the AM's policy includes the rule:
     23
     24{{{
     25AM.privilege(Target) <- Issuer.privilege(Target)
     26}}}
    2327
    2428Each GENI credential directly translates into one or more ABAC statements. In the simplest case, each of these statements assigns the owner a privilege with respect to the Target according to the issuer. In ABAC RT1 notation this is
     
    2630{{{
    2731Issuer.privilege(Target) <- Owner
    28 }}}
    29 
    30 for each privilege in the credential.  This can be expressed in [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"] as:
    31 
    32 {{{
    33 Issuer.privilege_Target <- Owner
    3432}}}
    3533
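Review bot: "exercize" in the added v3 line 22 should be "exercise". The removed v2 lines 28-33 were also the only place this section gave the RT0 lite rendering (`Issuer.privilege_Target <- Owner`) of the RT1 statement `Issuer.privilege(Target) <- Owner`; if that rendering is meant to move to the end of the page rather than disappear, the relocated text needs to carry the actual `{{{ ... }}}` block and not just the lead-in sentence, otherwise the RT0 lite form is lost from the page entirely.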
     
    4442
    4543{{{
    46 Issuer.privilege_Target <- Owner
    47 Issuer.can_delegete_privilege_Target <- Owner
     44Issuer.privilege(Target) <- Owner
     45Issuer.can_delegete_privilege(Target) <- Owner
    4846}}}
    4947
    50 An
     48Each AM will include this line in its policy:
    5149
    5250{{{
    53 Issuer.privilege_Target <- Issuer.can_delegate
     51Issuer.privilege(Target) <- Issuer.can_delegate_privilege(Target).privilege(Target)
     52}}}
    5453
     54That says that AM will treat a statement from a delegator as a statement from the issuer with respect to privilege on target.
    5555
     56When converting a delegated credential into ABAC, both the credential itself and the credential in the parent element are imported using the rules above.  This recurses.
     57
     58This can be expressed in [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"]
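Review bot: the role names in the added v3 lines 44-45 and 51 do not agree: the credential translation emits `Issuer.can_delegete_privilege(Target) <- Owner` (misspelled "delegete", inherited from the removed v2 line 47) while the AM policy rule consumes `Issuer.can_delegate_privilege(Target).privilege(Target)`. With that mismatch the linked role in the policy never matches the statement imported from the credential, so a delegated privilege would not be honored by the AM; spell both as `can_delegate_privilege`. Separately, the added v3 line 58 ("This can be expressed in ... "RT0 lite"") ends the page without the block it introduces and without a terminating colon or period; either add the RT0 lite statements it promises or drop the sentence.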