1 | /* GENI authorization. These statements are directly executable by a prolog simulation. Subsets of |
---|
2 | statements may be exchanged as signed logic credentials, e.g., in ABAC or MTL forms. |
---|
3 | |
---|
4 | Chase 3/17/13 |
---|
5 | |
---|
6 | Syntactic conventions for Minimalist Trust Logic (MTL) trust atoms: |
---|
7 | |
---|
8 | - Prolog terms: those starting with capital letters are variables, those starting with small letters are |
---|
9 | principals or objects. |
---|
10 | |
---|
11 | - The first parameter of every predicate is a principal who says/believes the trust atom. |
---|
12 | |
---|
13 | - If a predicate is a capability predicate, i.e., an atom with the predicate represents a role or capability |
---|
14 | held by a principal (the subject), then its second argument names the subject. |
---|
15 | |
---|
16 | - A capability predicate that terminates with _ is delegatable by the subject. Delegatable predicates have |
---|
17 | forms without the trailing underscore; these forms are not delegatable. |
---|
18 | |
---|
19 | - The capability predicate form with an appended Q (or Q_) has an additional string parameter that qualifies |
---|
20 | the predicate to some specific named privilege. A subject that holds the unqualified form of the predicate |
---|
21 | holds all of its associated named privileges. But these privileges may also be delegated individually. |
---|
22 | |
---|
23 | - Guard predicates are prefixed with guard_. |
---|
24 | |
---|
25 | The following syntactic conventions help represent events that occur as the prolog simulation |
---|
26 | runs. When an object is created: one atom is spoken by the requester to represent the request, and one atom |
---|
27 | is spoken by a server that accepts the request and creates the object and becomes its "root". These |
---|
28 | predicates are not legal MTL: they may have any number of arguments to capture the arguments of the |
---|
29 | request and the properties of the newly created object. The naming conventions help to identify these |
---|
30 | "artificial" predicates and their purpose, and also help yap avoid chasing its tail, which it just |
---|
31 | cannot seem to help doing if there is any way to do it. |
---|
32 | |
---|
33 | - In a ground fact that represents a delegation action, the predicate is prefixed with "delegate_". |
---|
34 | |
---|
35 | - In a ground fact that represents a request, the predicate is prefixed with "request_". |
---|
36 | |
---|
37 | - In a ground fact that represents an object being created (by an authority server for that object type), |
---|
38 | the predicate is prefixed with "root_". |
---|
39 | |
---|
40 | */ |
---|
41 | |
---|
42 | /* ---------------------------------------------------------------------------------------------- |
---|
43 | Coordinators and trust structure. |
---|
44 | Every principal must have local trust in the GENI root ("GOC"). |
---|
45 | The root endorses all coordinator roles. |
---|
46 | These roles are not delegatable, but they could be. |
---|
47 | */ |
---|
48 | identityProvider(X, I):- geniRoot(X, G), identityProvider(G, I). |
---|
49 | sliceAuthority(X, SA):- geniRoot(X, G), sliceAuthority(G, SA). |
---|
50 | projectAuthority(X, PA):- geniRoot(X, G), projectAuthority(G, PA). |
---|
51 | geniProxy(X, GP):- geniRoot(X, G), geniProxy(G, GP). |
---|
52 | aggregate(X, A):- geniRoot(X, G), aggregate(G, A). |
---|
53 | gmoc(X, GM):- geniRoot(X, G), gmoc(G, GM). |
---|
54 | |
---|
55 | /* ---------------------------------------------------------------------------------------------- |
---|
56 | User attributes asserted by duly authorized identity providers. |
---|
57 | We distinguish only registered GENI users and PIs. |
---|
58 | There can be any number of attributes. They can be used arbitrarily as goals in guard rules, |
---|
59 | to limit access to users possessing specific attributes. |
---|
60 | */ |
---|
61 | geniUser(X, Y):- identityProvider(X, I), geniUser(I, Y). |
---|
62 | geniPI(X, Y):- identityProvider(X, I), geniPI(I, Y). |
---|
63 | |
---|
64 | /* ---------------------------------------------------------------------------------------------- |
---|
65 | X accepts an object of type T if X trusts the object's self-proclaimed root as an authority |
---|
66 | for objects of type T. Note: for each object, the prolog simulation must search for an authority |
---|
67 | that proclaims itself to be the object's root. This implies that any principal may |
---|
68 | proclaim itself the root, and X accepts it iff X trusts it as an authority. In a "real" |
---|
69 | system object names are self-certifying: no search, no forgery. |
---|
70 | */ |
---|
71 | qualifiedProject(X, PA, P):- root(PA, PA, P), projectAuthority(X, PA), project(PA, P). |
---|
72 | qualifiedSlice(X, SA, S):- root(SA, SA, S), sliceAuthority(X, SA), slice(SA, S, P). |
---|
73 | |
---|
74 | /* ---------------------------------------------------------------------------------------------- |
---|
75 | PA policy rules for operations on "standard" projects. |
---|
76 | PAs may choose to issue different rules for other (non-standard) projects. |
---|
77 | Note: these rules empower delegation of membership to anyone. The SA guard rules below limit the |
---|
78 | exercise of some privileges to GENI users only. Optionally we could limit them to members of |
---|
79 | the associated project. |
---|
80 | */ |
---|
81 | |
---|
82 | member_(PA, M, P):- standard(PA, P), owner(PA, M, P). |
---|
83 | member_(PA, M, P):- standard(PA, P), delegate_member_(M2, M, P), member_(PA, M2, P). |
---|
84 | member(PA, M, P):- standard(PA, P), member_(PA, M, P). |
---|
85 | member(PA, M, P):- standard(PA, P), delegate_member(M2, M, P), member_(PA, M2, P). |
---|
86 | |
---|
87 | memberQ(PA, M, P, PRIV):- standard(PA, P), member(PA, M, P). |
---|
88 | memberQ_(PA, M, P, PRIV):- standard(PA, P), member_(PA, M, P). |
---|
89 | memberQ(PA, M, P, PRIV):- standard(PA, P), delegate_memberQ(M2, M, P, PRIV), memberQ_(PA, M2, P, PRIV). |
---|
90 | memberQ_(PA, M, P, PRIV):- standard(PA, P), delegate_memberQ_(M2, M, P, PRIV), memberQ_(PA, M2, P, PRIV). |
---|
91 | |
---|
92 | |
---|
93 | /* ---------------------------------------------------------------------------------------------- |
---|
94 | SA policy rules for operations on "standard" slices. |
---|
95 | SAs may choose to issue different rules for other (non-standard) slices. |
---|
96 | Note: these rules empower delegation of control to anyone. The aggregate guard rules below limit |
---|
97 | the exercise of some privileges to GENI users only. Optionally we could limit them to members |
---|
98 | of the associated project. |
---|
99 | */ |
---|
100 | controls_(SA, C, S):- standard(SA, S), owner(SA, C, S). |
---|
101 | controls_(SA, C, S):- standard(SA, S), delegate_controls_(C2, C, S), controls_(SA, C2, S). |
---|
102 | controls(SA, C, S):- standard(SA, S), controls_(SA, C, S). |
---|
103 | controls(SA, C, S):- standard(SA, S), delegate_controls(C2, C, S), controls_(SA, C2, S). |
---|
104 | |
---|
105 | controlsQ(SA, C, S, PRIV):- standard(SA, S), controls(SA, C, S). |
---|
106 | controlsQ_(SA, C, S, PRIV):- standard(SA, S), controls_(SA, C, S). |
---|
107 | controlsQ(SA, C, S, PRIV):- standard(SA, S), delegate_controlsQ(C2, C, S, PRIV), controlsQ_(SA, C2, S, PRIV). |
---|
108 | controlsQ_(SA, C, S, PRIV):- standard(SA, S), delegate_controlsQ_(C2, C, S, PRIV), controlsQ_(SA, C2, S, PRIV). |
---|
109 | |
---|
110 | /* Additional SA policy rules for standard slices: |
---|
111 | Any project member can get info about any slice associated with the project. |
---|
112 | The PI of a project may query or stop any slice associated with the project. |
---|
113 | The member cannot delegate that privilege, and delegators may restrict it on a per-member basis. |
---|
114 | GMOC may query or stop any GENI slice. |
---|
115 | */ |
---|
116 | controlsQ(SA, C, S, "info"):- standard(SA, S), root_slice(SA, S, P, C2), |
---|
117 | qualifiedProject(SA, PA, P), memberQ(PA, C, P, "info"). |
---|
118 | |
---|
119 | controlsQ(SA, C, S, "stop"):- standard(SA, S), root_slice(SA, S, P, C2), |
---|
120 | qualifiedProject(SA, PA, P), owner(PA, C, P). |
---|
121 | |
---|
122 | controlsQ(SA, C, S, "info"):- standard(SA, S), root_slice(SA, S, P, C2), gmoc(SA, C). |
---|
123 | controlsQ(SA, C, S, "stop"):- standard(SA, S), root_slice(SA, S, P, C2), gmoc(SA, C). |
---|
124 | |
---|
125 | |
---|
126 | /* ---------------------------------------------------------------------------------------------- |
---|
127 | PA guard policy to create (root) a project. All projects are "standard". |
---|
128 | root_project is a "temporary" holder for the new project's properties. |
---|
129 | Note: in simulation the guard is re-evaluated whenever the project is queried. |
---|
130 | An optional add-on rule set supports a hierarchy of subprojects. |
---|
131 | */ |
---|
132 | root_project(PA, P, C):- request_project(C, PA, P), projectAuthority(PA, PA), geniPI(PA, C). |
---|
133 | root(PA, PA, P):- root_project(PA, P, C). |
---|
134 | owner(PA, C, P):- root_project(PA, P, C). |
---|
135 | project(PA, P):- root_project(PA, P, C). |
---|
136 | standard(PA, P):- root_project(PA, P, C). |
---|
137 | |
---|
138 | /* ---------------------------------------------------------------------------------------------- |
---|
139 | SA guard policy to create (root) a slice. All slices are standard. |
---|
140 | Requests to create a slice may be proxied through a duly authorized GENI proxy. |
---|
141 | root_slice is a "temporary" holder for the new slice's properties. |
---|
142 | Note: in simulation the guard is re-evaluated whenever the slice is queried. |
---|
143 | */ |
---|
144 | root_slice(SA, S, P, C):- request_slice(C, SA, S, P), sliceAuthority(SA, SA), |
---|
145 | qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C). |
---|
146 | root_slice(SA, S, P, C):- proxied_request_slice(PXY, C, SA, S, P), sliceAuthority(SA, SA), |
---|
147 | geniProxy(SA, PXY), speaksFor(C, PXY, C), |
---|
148 | qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C). |
---|
149 | root_slice(SA, S, P, C):- proxied_request_slice(PXY, C, SA, S, P), sliceAuthority(SA, SA), |
---|
150 | geniProxy(SA, PXY), speaksForOn(C, PXY, C, P), |
---|
151 | qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C). |
---|
152 | |
---|
153 | root(SA, SA, S):- root_slice(SA, S, P, C). |
---|
154 | owner(SA, C, S):- root_slice(SA, S, P, C). |
---|
155 | slice(SA, S, P):- root_slice(SA, S, P, C). |
---|
156 | standard(SA, S):- root_slice(SA, S, P, C). |
---|
157 | |
---|
158 | /* ---------------------------------------------------------------------------------------------- |
---|
159 | Aggregate guards |
---|
160 | |
---|
161 | Aggregate guard policy to create a sliver in a slice. |
---|
162 | Note: in simulation the guard is re-evaluated whenever the sliver is queried. |
---|
163 | */ |
---|
164 | root_sliver(A, SV, SL):- request_sliver(C, A, SV, SL), qualifiedSlice(A, SA, SL), |
---|
165 | controlsQ(SA, C, SL, "instantiate"), geniUser(A, C). |
---|
166 | |
---|
167 | /* Aggregate guard policy for client C to get info about a slice SL on this aggregate. |
---|
168 | */ |
---|
169 | guard_slice_info(A, C, SL):- qualifiedSlice(A, SA, SL), controlsQ(SA, C, SL, "info"). |
---|
170 | |
---|
171 | /* Aggregate guard policy for client C to stop a slice SL on this aggregate. |
---|
172 | Note: does not require GENI user. |
---|
173 | */ |
---|
174 | guard_slice_stop(A, C, SL):- qualifiedSlice(A, SA, SL), controlsQ(SA, C, SL, "stop"). |
---|
175 | |
---|
176 | /* Aggregate operator can query or stop any slice on this aggregate. |
---|
177 | */ |
---|
178 | guard_slice_stop(A, C, SL):- operator(A, C). |
---|
179 | guard_slice_info(A, C, SL):- operator(A, C). |
---|
180 | |
---|
181 | |
---|
182 | /* ---------------------------------------------------------------------------------------------- |
---|
183 | Sample aggregate guards for proxied requests to change the state of a slice. |
---|
184 | Requests to operate on a slice may be proxied through a duly authorized GENI proxy. |
---|
185 | This is easier in the real system because the guard can check speaksFor authorization |
---|
186 | first and then use the standard guards. |
---|
187 | |
---|
188 | Aggregate guard policy to create a sliver in a slice. |
---|
189 | Note: in simulation the guard is re-evaluated whenever the sliver is queried. |
---|
190 | */ |
---|
191 | proxied_root_sliver(A, SV, SL, C, PXY):- proxied_request_sliver(PXY, C, A, SV, SL), qualifiedSlice(A, SA, SL), |
---|
192 | geniProxy(A, PXY), controlsQ(SA, C, SL, "instantiate"), geniUser(A, C). |
---|
193 | root_sliver(A, SV, SL):- proxied_root_sliver(A, SV, SL, C, PXY), speaksFor(C, PXY, C). |
---|
194 | root_sliver(A, SV, SL):- proxied_root_sliver(A, SV, SL, C, PXY), speaksForOn(C, PXY, C, SL). |
---|
195 | |
---|
196 | root_sliver(A, SV, SL):- proxied_request_sliver(PXY, C, A, SV, SL), qualifiedSlice(A, SA, SL), |
---|
197 | geniProxy(A, PXY), controlsQ(SA, C, SL, "instantiate"), geniUser(A, C), |
---|
198 | slice(SA, SL, P), speaksForOn(C, PXY, C, P). |
---|
199 | |
---|
200 | /* ---------------------------------------------------------------------------------------------- |
---|
201 | Here are some facts for a scenario |
---|
202 | */ |
---|
203 | |
---|
204 | sliceAuthority(g, sa). |
---|
205 | identityProvider(g, idp). |
---|
206 | projectAuthority(g, pa). |
---|
207 | aggregate(g, exo). |
---|
208 | |
---|
209 | geniRoot(sa, g). |
---|
210 | geniRoot(pa, g). |
---|
211 | geniRoot(exo, g). |
---|
212 | |
---|
213 | geniUser(idp, alice). |
---|
214 | geniUser(idp, bob). |
---|
215 | geniUser(idp, cary). |
---|
216 | geniUser(idp, drd). |
---|
217 | geniUser(idp, earl). |
---|
218 | geniUser(idp, frank). |
---|
219 | |
---|
220 | geniPI(idp, drd). |
---|
221 | |
---|
222 | request_project(drd, pa, p). |
---|
223 | delegate_member(drd, alice, p). |
---|
224 | request_slice(alice, sa, s, p). |
---|
225 | request_sliver(alice, exo, sv1, s). |
---|
226 | |
---|
227 | delegate_controls_(alice, bob, s). |
---|
228 | request_sliver(bob, exo, sv2, s). |
---|
229 | |
---|
230 | delegate_controls(bob, cary, s). |
---|
231 | request_sliver(cary, exo, sv3, s). |
---|
232 | |
---|
233 | delegate_controlsQ(bob, earl, s, "instantiate"). |
---|
234 | request_sliver(earl, exo, sv4, s). |
---|
235 | |
---|
236 | delegate_member(drd, bob, p). |
---|
237 | |
---|
238 | |
---|
239 | delegate_member_(drd, cary, p). |
---|
240 | delegate_member(cary, frank, p). |
---|
241 | |
---|
242 | geniProxy(g, pxy). |
---|
243 | speaksFor(bob, pxy, bob). |
---|
244 | proxied_request_sliver(pxy, bob, exo, sv5, s). |
---|
245 | speaksForOn(alice, pxy, alice, p). |
---|
246 | proxied_request_slice(pxy, alice, sa, s2, p). |
---|
247 | proxied_request_sliver(pxy, alice, exo, sv6, s2). |
---|
248 | |
---|
249 | delegate_controlsQ(bob, frank, s, "instantiate"). |
---|
250 | speaksForOn(frank, pxy, frank, s). |
---|
251 | request_sliver(frank, exo, sv7, s). |
---|
252 | |
---|
253 | |
---|