Changes between Version 5 and Version 6 of TIEDCredentials


Ignore:
Timestamp:
04/19/13 14:51:23 (11 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v5 v6  
    3939"Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the privilege credentials.
    4040
     41== GENI Policy in ABAC ==
    4142
     43Here we describe the ABAC rules that describe the GENI policy as it stands.  The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"] encoding of RT1 single parameter attributes.  (In a nutshell, an RT0 lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).
    4244
    43 implement a credential format compatible with existing [GeniApiCredentials GENI credentials] that can be passed into AM calls and that can be used to implement the "speaks-for" relation.  Though importing ABAC into GENI also requires portability improvements to [http://abac.deterlab.net libabac], this page addresses the credential issues.
     45We give the ABAC as RT1, and explain how the RT0 lite conversion will happen later. 
    4446
    45 "Speaks-for" allows a user to delegate to a tool the right to act on their behalf without giving the tool direct access to the user's [GeniApiIdentifiers GENI identity].
     47Unlike the description above, we first describe how to encode a policy that supports "speaks-for" and then add delegation.  Speaks for is actually the simpler rule.
    4648
    47 [GeniApiCredentials Existing GENI credential] formats do not allow the full expressiveness of ABAC, but they have two very useful features:
     49== Expressing GENI privileges with speaks-for in ABAC ==
    4850
    49  * The privilege assignment that they express can be written in ABAC
    50  * They include a type field that can be used to extend them to express more ABAC statements
     51For a given request at an Aggregate Manager, the Manager knows the principal making the request, the target of the request, and which privilege is required to execute it.  It has a prover initialized with its policy (an ABAC context in [http://abac.deterlab.net libabac] terms).  It adds any credentials in the request and asks the prover a yes/no question - "does the principal making this request have the proper privilege?"
    5152
    52 Our initial plan is to pass credentials in the existing GENI credential format between entities and to import those statements into the ABAC prover at relying parties.  That prover will be used to make the authorization decision.
     53The first thing to encode in ABAC is "the proper privilege."  The ABAC attribute {{{AM.privilege(Target)}}} means that AM believes principals in that set have privilege with respect to Target.  For example, the resolve on a slice S would be {{{AM.resolve(S)}}}.  When a principal (P) requests an operation that requires resolve rights on slice S, the Manager (AM) asks the prover if P is a member of {{{AM.resolve(S)}}} (or in other words, if P has the {{{AM.resolve(S)}}} attribute).
    5354
    54 Encoding the policies may require more expressive ABAC rules than a GENI credential can encode.  In the very short term, we can use the X.509 based formats to encode those more complex ABAC rules.  In very short order we will define types of the existing credential formats to encode these rules.
    55 
    56 The rest of this page discusses the short term modifications to libabac that will be needed to support the existing GENI credentials.
    57 
    58 == GENI "privilege" credentials ==
    59 
    60 The only type of GENI credential currently in use is the "privilege" credential.  This credential assigns a principal (called the owner) one or more privileges with respect to another principal (called the target).  The credential has an implicit issuer, the signer of the credential.  The privileges are strings meaningful to the implementation.  There is also a bit that allows delegation of the privilege.  This section describes how to represent the semantics of the GENI credentials in ABAC statements.  Libabac will import a GENI credential into ABAC statements internally and use those statements to make authorization decisions; the AM (relying party) will import the credentials and policy into libabac and ask libabac for the authorization decision.
    61 
    62 The AM's decision to allow Owner to exercize privilege on Target is expressed in ABAC as asking the prover if Owner has the AM.privilege(Target) attribute.  For each Issuer that the AM trusts to authorize privilege(Target) the AM's policy includes the rule:
     55Aggregate Managers do not issue these credentials to users.  They are elements of the local policy, encoded in a configuration file. While ABAC allows delegation here, for now lets assume a series of simple delegations.  There are a set of issuers that each Aggregate Manager believes.  For each Issuer that AM believes, it has a rule like this:
    6356
    6457{{{
     
    6659}}}
    6760
    68 Each GENI credential directly translates into one or more ABAC statements. In the simplest case, each of these statements assigns the owner a privilege with respect to the Target according to the issuer. In ABAC RT1 notation this is
     61There is one of those rules for each privilege it understands
    6962
    7063{{{
    71 Issuer.privilege(Target) <- Owner
    72 }}}
     64AM.resolve(Target) <- Issuer.resolve(Target)
     65AM.info(Target) <- Issuer.info(Target)
     66}}}
    7367
    7468
    75 Each privilege has a flag indicating whether the owner can further delegate the privilege to others by creating a similar credential and signing it.  The new credential includes the credential that is the basis for delegation in the new credential's parent element.  This recurses. 
     69Issuers, such as Slice Authorities and Clearinghoses, issue credentials to users.  Here we describe how libabac will translate a credential into multiple ABAC statements inside the prover.
    7670
    77 Encoding these in ABAC is accomplished in two ways:
    78  * the right to delegate is encoded in an ABAC credential
    79  * the rules for valid delagation (that the delegator must have the privilege and the right to delegate) is expressed in the AM policies.
    80 
    81 An undelegated credential that can be delegated expands into ABAC statements of the form:
    82 
    83 {{{
    84 Issuer.privilege(Target) <- Owner
    85 Issuer.can_delegete_privilege(Target) <- Owner
    86 }}}
    87 
    88 Each AM will include this line in its policy:
    89 
    90 {{{
    91 Issuer.privilege(Target) <- Issuer.can_delegate_privilege(Target).privilege(Target)
    92 }}}
    93 
    94 That says that AM will treat a statement from a delegator as a statement from the issuer with respect to privilege on target.
    95 
    96 When converting a delegated credential into ABAC, both the credential itself and the credential in the parent element are imported using the rules above.  This recurses.
    97 
    98 This can be expressed in [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"]
    99 
    100 == "Speaks-For" and Delegation ==
    101 
    102 Existing GENI credentials support delegation of privileges.  Each privilege in a credential has a flag indicating whether the owner can further delegate the privilege to others by creating a similar credential and signing it.  The new credential includes the credential that is the basis for delegation in the new credential's parent element.  This recurses.
    103 
    104 One can imagine a system where a user gets only delegatable resources from Slice Authorities, AMs and other resource controllers and delegates them to tools for use.  This has two major drawbacks:
    105 
    106  * Resource controllers must issue delegatable resources or force users to share identity with tools
    107  * Asking a tool to summarize the data about all resouces a user holds at a given source would require delegating rights to access each resource individually, which is cumbersome
    108 
    109 The solution that GENI is adopting is a "speaks-for" privilege.  A credential bestowing that privilege from a user to a tool (a principal with a GID) allows the tool to act as the user.  As with all privileges, it has an expiration, so this is not a complete aliasing.  "Speaks-for" is independent of delegation, and by default GENI resource controllers will support it.
    110 
    111 == Expressing GENI privileges with speaks-for in ABAC ==
    112 
    113 Here we describe the ABAC rules that describe the GENI policy as it stands.
    114 This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"] encoding of RT1 single parameter attributes.  (In a nutshell, an RT0 lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).
    115 
    116 For a given request at an Aggregate Manager, the Manager knows the principal making the request, the target of the request, and which privilege is required to execute it.  It has a prover initialized with its policy (an ABAC context in [http://abac.deterlab.net libabac] terms).  It adds any credentials in the request and asks the prover a yes/no question - "does the principal making this request have the proper privilege?"
    117 
    118 The first thing to encode in ABAC is "the proper privilege."  The ABAC attribute {{{AM.privilege(Target)}}} means that AM believes principals in that set have privilege with respect to Target.  For example, the resolve on a slice S would be {{{AM.resolve(S)}}}.  When a principal (P) requests an operation that requires resolve rights on slice S, the Manager (AM) asks the prover if P is a member of {{{AM.resolve(S)}}} (or in other words, if P has the {{{AM.resolve(S)}}} attribute).
    119 
    120 Aggregate Managers do not issue these credentials themselves, so there are rules about who they believe.  While ABAC allows delegation here, for now lets assume a series of simple delegations.  There are a set of issuers that each Aggregate Manager believes.  For each Issuer that AM believes, it has a rule like this:
    121 
    122 {{{
    123 AM.privilege(Target) <- Issuer.privilege(Target)
    124 }}}
    125 
    126 Issuers, such as Slice Authorities and Clearinghoses, issue credentials to users.  Because GENI allows all privileges to be passed around by "speaks-for" the ABAC for issuing a privilege to a user (P) looks like:
     71Because GENI allows all privileges to be passed around by "speaks-for" the ABAC for issuing a privilege to a user (P) looks like:
    12772
    12873{{{
     
    13277}}}
    13378
    134 The Issuer says that anyone that speaks for P has the privilege.  The Issuer says P speaks for itself.  The Issuer says that anyone P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.
     79The Issuer says that anyone that speaks for P has the privilege.  The Issuer says P speaks for itself.  The Issuer says that anyone P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.  The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.
    13580
    13681When a user (P) issues a speaks-for credential for a tool (T), that credential encodes the following ABAC rule:
     
    14085}}}
    14186
    142 To be concrete: if (in GENI terms) AM trusts Issuer about {{{resolve}}} on {{{Target}}}, Issuer has handed P a GENI credential assigning {{{resolve}}} on {{{Target}}}, and P has issued a "speaks-for" credential to tool T, and T makes a request including both credentials, AM has the following ABAC rules:
     87Note that this interprets the same credential format (GENI privilege credential) differently depending on the privilege being assigned (speaks-for).  This is because of the implicit semantics of "speaks-for" buried in its definition.
     88
     89To be concrete: if (in GENI terms) AM trusts Issuer about {{{resolve}}} on {{{Target}}}, Issuer has handed P a GENI credential assigning {{{resolve}}} on {{{Target}}}, and P has issued a "speaks-for" credential to tool T, and T makes a request including both credentials, AM has the following ABAC rules in its prover:
    14390
    14491{{{
    145 AM.resolve(Target) <- Issuer.resolve(Target)
    146 Issuer.resolve(Target) <- Issuer.speaks_for(P)
    147 Issuer.speaks_for(P) <- P
    148 Issuer.speaks_for(P) <- P.speaks_for(P)
    149 P.speaks_for(P) <- T
     92AM.resolve(Target) <- Issuer.resolve(Target)                 /* from static policy and RT1 lite expansion */
     93Issuer.resolve(Target) <- Issuer.speaks_for(P)               /* From Issuer GENI privilege credential */
     94Issuer.speaks_for(P) <- P                                    /* From Issuer GENI privilege credential */
     95Issuer.speaks_for(P) <- P.speaks_for(P)                      /* From Issuer GENI privilege credential */
     96P.speaks_for(P) <- T                                         /* From User GENI privilege credential (speaks_for) */
    15097}}}
    15198
    152 When AM asks its prover if T can proceed (is in {{{AM.resolve(Target)}}}, the proof chain looks like:
     99When AM asks its prover if T can proceed (if T is in {{{AM.resolve(Target)}}}, the proof chain looks like:
    153100
    154101{{{