AuthStoryBoard: geni.pl

File geni.pl, 12.1 KB (added by chase@cs.duke.edu, 7 years ago)

GENI authorization in Prolog

Line 
1/* GENI authorization.  These statements are directly executable by a prolog simulation.  Subsets of
2   statements may be exchanged as signed logic credentials, e.g., in ABAC or MTL forms.
3   
4   Chase 3/17/13
5
6   Syntactic conventions for Minimalist Trust Logic (MTL) trust atoms:
7
8   - Prolog terms: those starting with capital letters are variables, those starting with small letters are
9     principals or objects.
10
11   - The first parameter of every predicate is a principal who says/believes the trust atom.
12
13   - If a predicate is a capability predicate, i.e., an atom with the predicate represents a role or capability
14     held by a principal (the subject), then its second argument names the subject.
15
16   - A capability predicate that terminates with _ is delegatable by the subject.  Delegatable predicates have
17     forms without the trailing underscore; these forms are not delegatable.
18
19   - The capability predicate form with an appended Q (or Q_) has an additional string parameter that qualifies
20     the predicate to some specific named privilege.  A subject that holds the unqualified form of the predicate
21     holds all of its associated named privileges.  But these privileges may also be delegated individually.
22
23   - Guard predicates are prefixed with guard_.
24
25   The following syntactic conventions help represent events that occur as the prolog simulation
26   runs.  When an object is created: one atom is spoken by the requester to represent the request, and one atom
27   is spoken by a server that accepts the request and creates the object and becomes its "root".  These
28   predicates are not legal MTL: they may have any number of arguments to capture the arguments of the
29   request and the properties of the newly created object.  The naming conventions help to identify these
30   "artificial" predicates and their purpose, and also help yap avoid chasing its tail, which it just
31   cannot seem to help doing if there is any way to do it.
32
33   - In a ground fact that represents a delegation action, the predicate is prefixed with "delegate_".
34     
35   - In a ground fact that represents a request, the predicate is prefixed with "request_". 
36
37   - In a ground fact that represents an object being created (by an authority server for that object type),
38     the predicate is prefixed with "root_". 
39
40*/
41
42/* ----------------------------------------------------------------------------------------------
43   Coordinators and trust structure.
44   Every principal must have local trust in the GENI root ("GOC").
45   The root endorses all coordinator roles.
46   These roles are not delegatable, but they could be.
47 */
48identityProvider(X, I):- geniRoot(X, G), identityProvider(G, I).
49sliceAuthority(X, SA):- geniRoot(X, G), sliceAuthority(G, SA).
50projectAuthority(X, PA):- geniRoot(X, G), projectAuthority(G, PA).
51geniProxy(X, GP):- geniRoot(X, G), geniProxy(G, GP).
52aggregate(X, A):- geniRoot(X, G), aggregate(G, A).
53gmoc(X, GM):- geniRoot(X, G), gmoc(G, GM).
54
55/* ----------------------------------------------------------------------------------------------
56   User attributes asserted by duly authorized identity providers.
57   We distinguish only registered GENI users and PIs.
58   There can be any number of attributes.  They can be used arbitrarily as goals in guard rules,
59   to limit access to users possessing specific attributes.
60*/
61geniUser(X, Y):- identityProvider(X, I), geniUser(I, Y).
62geniPI(X, Y):- identityProvider(X, I), geniPI(I, Y).
63
64/* ----------------------------------------------------------------------------------------------
65   X accepts an object of type T if X trusts the object's self-proclaimed root as an authority
66   for objects of type T.  Note: for each object, the prolog simulation must search for an authority
67   that proclaims itself to be the object's root.  This implies that any principal may
68   proclaim itself the root, and X accepts it iff X trusts it as an authority.  In a "real"
69   system object names are self-certifying: no search, no forgery.
70*/
71qualifiedProject(X, PA, P):- root(PA, PA, P), projectAuthority(X, PA), project(PA, P).
72qualifiedSlice(X, SA, S):- root(SA, SA, S), sliceAuthority(X, SA), slice(SA, S, P).
73
74/* ----------------------------------------------------------------------------------------------
75   PA policy rules for operations on "standard" projects.
76   PAs may choose to issue different rules for other (non-standard) projects.
77   Note: these rules empower delegation of membership to anyone.  The SA guard rules below limit the
78   exercise of some privileges to GENI users only.  Optionally we could limit them to members of
79   the associated project.
80*/
81
82member_(PA, M, P):- standard(PA, P), owner(PA, M, P).
83member_(PA, M, P):- standard(PA, P), delegate_member_(M2, M, P), member_(PA, M2, P).
84member(PA, M, P):- standard(PA, P), member_(PA, M, P).
85member(PA, M, P):- standard(PA, P), delegate_member(M2, M, P), member_(PA, M2, P).
86
87memberQ(PA, M, P, PRIV):- standard(PA, P), member(PA, M, P).
88memberQ_(PA, M, P, PRIV):- standard(PA, P), member_(PA, M, P).
89memberQ(PA, M, P, PRIV):- standard(PA, P), delegate_memberQ(M2, M, P, PRIV), memberQ_(PA, M2, P, PRIV).
90memberQ_(PA, M, P, PRIV):- standard(PA, P), delegate_memberQ_(M2, M, P, PRIV), memberQ_(PA, M2, P, PRIV).
91
92
93/* ----------------------------------------------------------------------------------------------
94   SA policy rules for operations on "standard" slices.
95   SAs may choose to issue different rules for other (non-standard) slices.
96   Note: these rules empower delegation of control to anyone.  The aggregate guard rules below limit
97   the exercise of some privileges to GENI users only.  Optionally we could limit them to members
98   of the associated project.
99*/
100controls_(SA, C, S):- standard(SA, S), owner(SA, C, S).
101controls_(SA, C, S):- standard(SA, S), delegate_controls_(C2, C, S), controls_(SA, C2, S).
102controls(SA, C, S):- standard(SA, S), controls_(SA, C, S).
103controls(SA, C, S):- standard(SA, S), delegate_controls(C2, C, S), controls_(SA, C2, S).
104
105controlsQ(SA, C, S, PRIV):- standard(SA, S), controls(SA, C, S).
106controlsQ_(SA, C, S, PRIV):- standard(SA, S), controls_(SA, C, S).
107controlsQ(SA, C, S, PRIV):- standard(SA, S), delegate_controlsQ(C2, C, S, PRIV), controlsQ_(SA, C2, S, PRIV).
108controlsQ_(SA, C, S, PRIV):- standard(SA, S), delegate_controlsQ_(C2, C, S, PRIV), controlsQ_(SA, C2, S, PRIV).
109
110/* Additional SA policy rules for standard slices:
111   Any project member can get info about any slice associated with the project.
112   The PI of a project may query or stop any slice associated with the project.
113   The member cannot delegate that privilege, and delegators may restrict it on a per-member basis.
114   GMOC may query or stop any GENI slice.
115*/
116controlsQ(SA, C, S, "info"):- standard(SA, S), root_slice(SA, S, P, C2),
117              qualifiedProject(SA, PA, P), memberQ(PA, C, P, "info").
118
119controlsQ(SA, C, S, "stop"):- standard(SA, S), root_slice(SA, S, P, C2),
120              qualifiedProject(SA, PA, P), owner(PA, C, P).
121
122controlsQ(SA, C, S, "info"):- standard(SA, S), root_slice(SA, S, P, C2), gmoc(SA, C).
123controlsQ(SA, C, S, "stop"):- standard(SA, S), root_slice(SA, S, P, C2), gmoc(SA, C).
124             
125
126/* ----------------------------------------------------------------------------------------------
127   PA guard policy to create (root) a project.  All projects are "standard".
128   root_project is a "temporary" holder for the new project's properties.
129   Note: in simulation the guard is re-evaluated whenever the project is queried.
130   An optional add-on rule set supports a hierarchy of subprojects.
131*/
132root_project(PA, P, C):- request_project(C, PA, P), projectAuthority(PA, PA), geniPI(PA, C).
133root(PA, PA, P):- root_project(PA, P, C).
134owner(PA, C, P):- root_project(PA, P, C).
135project(PA, P):- root_project(PA, P, C).
136standard(PA, P):- root_project(PA, P, C).
137
138/* ----------------------------------------------------------------------------------------------
139   SA guard policy to create (root) a slice.  All slices are standard.
140   Requests to create a slice may be proxied through a duly authorized GENI proxy.
141   root_slice is a "temporary" holder for the new slice's properties.
142   Note: in simulation the guard is re-evaluated whenever the slice is queried.
143*/
144root_slice(SA, S, P, C):- request_slice(C, SA, S, P), sliceAuthority(SA, SA),
145               qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C).
146root_slice(SA, S, P, C):- proxied_request_slice(PXY, C, SA, S, P), sliceAuthority(SA, SA),
147               geniProxy(SA, PXY), speaksFor(C, PXY, C),
148               qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C).
149root_slice(SA, S, P, C):- proxied_request_slice(PXY, C, SA, S, P), sliceAuthority(SA, SA),
150               geniProxy(SA, PXY), speaksForOn(C, PXY, C, P),
151               qualifiedProject(X, PA, P), memberQ(PA, C, P, "instantiate"), geniUser(X, C).
152
153root(SA, SA, S):- root_slice(SA, S, P, C).
154owner(SA, C, S):- root_slice(SA, S, P, C).
155slice(SA, S, P):- root_slice(SA, S, P, C).
156standard(SA, S):- root_slice(SA, S, P, C).
157
158/* ----------------------------------------------------------------------------------------------
159   Aggregate guards
160
161   Aggregate guard policy to create a sliver in a slice.
162   Note: in simulation the guard is re-evaluated whenever the sliver is queried.
163*/
164root_sliver(A, SV, SL):- request_sliver(C, A, SV, SL), qualifiedSlice(A, SA, SL),
165               controlsQ(SA, C, SL, "instantiate"), geniUser(A, C).
166
167/* Aggregate guard policy for client C to get info about a slice SL on this aggregate.
168*/
169guard_slice_info(A, C, SL):- qualifiedSlice(A, SA, SL), controlsQ(SA, C, SL, "info").
170
171/* Aggregate guard policy for client C to stop a slice SL on this aggregate.
172   Note: does not require GENI user.
173*/
174guard_slice_stop(A, C, SL):- qualifiedSlice(A, SA, SL), controlsQ(SA, C, SL, "stop").
175
176/* Aggregate operator can query or stop any slice on this aggregate.
177*/
178guard_slice_stop(A, C, SL):- operator(A, C).
179guard_slice_info(A, C, SL):- operator(A, C).
180
181
182/* ----------------------------------------------------------------------------------------------
183   Sample aggregate guards for proxied requests to change the state of a slice.
184   Requests to operate on a slice may be proxied through a duly authorized GENI proxy.
185   This is easier in the real system because the guard can check speaksFor authorization
186   first and then use the standard guards.
187
188   Aggregate guard policy to create a sliver in a slice.
189   Note: in simulation the guard is re-evaluated whenever the sliver is queried.
190*/
191proxied_root_sliver(A, SV, SL, C, PXY):- proxied_request_sliver(PXY, C, A, SV, SL), qualifiedSlice(A, SA, SL),
192               geniProxy(A, PXY), controlsQ(SA, C, SL, "instantiate"), geniUser(A, C).
193root_sliver(A, SV, SL):- proxied_root_sliver(A, SV, SL, C, PXY), speaksFor(C, PXY, C).
194root_sliver(A, SV, SL):- proxied_root_sliver(A, SV, SL, C, PXY), speaksForOn(C, PXY, C, SL).
195
196root_sliver(A, SV, SL):- proxied_request_sliver(PXY, C, A, SV, SL), qualifiedSlice(A, SA, SL),
197               geniProxy(A, PXY), controlsQ(SA, C, SL, "instantiate"), geniUser(A, C),
198               slice(SA, SL, P), speaksForOn(C, PXY, C, P).
199
200/* ----------------------------------------------------------------------------------------------
201   Here are some facts for a scenario
202*/
203
204sliceAuthority(g, sa).
205identityProvider(g, idp).
206projectAuthority(g, pa).
207aggregate(g, exo).
208
209geniRoot(sa, g).
210geniRoot(pa, g).
211geniRoot(exo, g).
212
213geniUser(idp, alice).
214geniUser(idp, bob).
215geniUser(idp, cary).
216geniUser(idp, drd).
217geniUser(idp, earl).
218geniUser(idp, frank).
219
220geniPI(idp, drd).
221
222request_project(drd, pa, p).
223delegate_member(drd, alice, p).
224request_slice(alice, sa, s, p).
225request_sliver(alice, exo, sv1, s).
226
227delegate_controls_(alice, bob, s).
228request_sliver(bob, exo, sv2, s).
229
230delegate_controls(bob, cary, s).
231request_sliver(cary, exo, sv3, s).
232
233delegate_controlsQ(bob, earl, s, "instantiate").
234request_sliver(earl, exo, sv4, s).
235
236delegate_member(drd, bob, p).
237
238
239delegate_member_(drd, cary, p).
240delegate_member(cary, frank, p).
241
242geniProxy(g, pxy).
243speaksFor(bob, pxy, bob).
244proxied_request_sliver(pxy, bob, exo, sv5, s).
245speaksForOn(alice, pxy, alice, p).
246proxied_request_slice(pxy, alice, sa, s2, p).
247proxied_request_sliver(pxy, alice, exo, sv6, s2).
248
249delegate_controlsQ(bob, frank, s, "instantiate").
250speaksForOn(frank, pxy, frank, s).
251request_sliver(frank, exo, sv7, s).
252
253