Changes between Version 6 and Version 7 of TIEDCredentials
Timestamp: 04/19/13 18:39:08
TIEDCredentials
Lines 12-16 (line 14 modified):

* Importing the information from GENI credentials into the ABAC prover

v6: Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy. We can encode the generic parts of the policy into a configuration file on the aggregate manager once. For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM. This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT 0lite template]. Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.

v7: Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy. We can encode the generic parts of the policy into a configuration file on the aggregate manager once. For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM. This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template]. Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.

Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules. The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question. Our plan is to use existing GENI credential formats in the short term, but to add new formats in the long term. The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.

Lines 41-47 (lines 43 and 45 modified):

== GENI Policy in ABAC ==

v6: Here we describe the ABAC rules that describe the GENI policy as it stands. The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT 0 lite"] encoding of RT1 single parameter attributes. (In a nutshell, an RT0lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).

v7: Here we describe the ABAC rules that describe the GENI policy as it stands. The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT1-lite"] encoding of RT1 single parameter attributes. (In a nutshell, an RT1-lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).

v6: We give the ABAC as RT1, and explain how the RT 0lite conversion will happen later.

v7: We give the ABAC as RT1, and explain how the RT1-lite conversion will happen later.

Unlike the description above, we first describe how to encode a policy that supports "speaks-for" and then add delegation. Speaks for is actually the simpler rule.

Lines 109-114 in v6, 109-135 in v7 (lines 111 and 114 modified; lines 115-135 added in v7):

v6:
{{{
Issuer.privilege(Target) <- Issuer.can_delegate_privilege(Target).privilege(Target)
Issuer.can_delegate_privilege(T ) <- Issuer.speaks_for(P)
}}}

v7:
{{{
Issuer.privilege(Target) <- Issuer.can_delegate_privilege(Target).privilege(Target)
Issuer.can_delegate_privilege(Target) <- Issuer.speaks_for(P)
}}}

v6: The issuer says that anyone in the {{{Issuer.can_delegate_privilege(Target)}}} set can assign {{{Issuer.privilege(Target)}}} and that any principal who speaks for P (including P) is in that set.

v7: The issuer says that anyone in the {{{Issuer.can_delegate_privilege(Target)}}} set can assign {{{Issuer.privilege(Target)}}} and that any principal who speaks for P (including P) is in that set. This formulation implies that "speaks-for" works for delegation as well. A tool that can speak for a user can delegate on that user's behalf. If the second line is:

Added in v7 (lines 115-135):

{{{
Issuer.can_delegate_privilege(Target) <- P
}}}

then only the user can delegate.

== RT1-lite templates for AMs ==

One of the things RT1-lite must do is to generate RT0 statements for new parameterizations of the RT1 statements. In this system, an RT0 statement of the form

{{{
AM.privilege_Target <- Issuer.privilege_Target
}}}

Needs to be created and added to the ABAC context the first time each (privilege, Target) pair is encountered by AM. This is the code stub mentioned in the introduction.
Similar stubs will be needed by other resource controllers.

= Conclusions =

This has described the implementation strategy for GENI privilege credentials using existing credential formats and implementing "speaks-for." Most of the development is focused on accepting existing GENI privilege credentials and translating them into ABAC. We have also laid out the ABAC that reflects the existing GENI authorization strategy at AMs.
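Review bot: in the lines 41-47 hunk the v7 link label at line 43 is quoted ("RT1-lite") while the same slide deck is linked at line 14 as an unquoted "RT1-lite template"; since this revision is renaming the term everywhere, settle on one label for the deck. The unchanged line 47 also writes the term two ways in adjacent sentences ("speaks-for" and then "Speaks for"); the added conclusion at line 135 uses the hyphenated form, so the second sentence of line 47 should read "Speaks-for" as well.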
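Review bot: the corrected rule at line 111, `Issuer.can_delegate_privilege(Target) <- Issuer.speaks_for(P)`, now takes the same parameter as the head of line 110, but P is not bound anywhere in the rule. The prose at line 114 reads it as a particular principal ("any principal who speaks for P (including P)"), so state that the Issuer writes one such rule per delegate P and that P is a concrete principal, not an RT1 parameter; the same reading is needed for the added alternative at line 117, `Issuer.can_delegate_privilege(Target) <- P`, which otherwise looks like an unbound name on the right-hand side. Separately, the added stub at line 127, `AM.privilege_Target <- Issuer.privilege_Target`, is said at line 130 to be created "the first time each (privilege, Target) pair is encountered by AM", but the hunk does not say where the AM gets the Issuer it trusts for that Target; a sentence pointing at the static policy in the configuration file from line 14, if that is the source, would close the gap.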