1 | == GEMINI AA Planning ==
|
---|
2 | 101112
|
---|
3 |
|
---|
4 | This document provides details on the AA workflow diagram created by Guilherme.
|
---|
5 | Refer to AA-workflow.png. The proposed model remains relatively unchanged from
|
---|
6 | the diagram.
|
---|
7 |
|
---|
8 | The following discussion assumes a UNIS implementation using ABAC 0.2.2, the
|
---|
9 | current stable release from ISI.
|
---|
10 |
|
---|
11 |
|
---|
12 | ==== BOOTSTRAP PROCESS ====
|
---|
13 |
|
---|
14 | In the context of GENI, the basis for authentication and authorization to an I&M
|
---|
15 | service (e.g., UNIS) is the user certificate and private key. These
|
---|
16 | certificates (cert) are obtained from a trust authority, e.g., Utah or the GPO.
|
---|
17 |
|
---|
18 | - user.pem
|
---|
19 | - user.key
|
---|
20 |
|
---|
21 | For each service that interacts within the I&M system, we want to generate a
|
---|
22 | identity (key pair) to provide access control via proxy certs. Our original
|
---|
23 | approach in LAMP generated a dedicated lampcert for this purpose, which allowed
|
---|
24 | for unrestricted access between services. A proxy cert per service will
|
---|
25 | eventually allow the user (i.e., slice owner) to delegate access to I&M services
|
---|
26 | at different granularities.
|
---|
27 |
|
---|
28 | The proxy certs are signed by the user cert, meaning a proxy cert is validated
|
---|
29 | against the service as if the request was made by the user. However, attributes
|
---|
30 | that are assigned to the service identity can restrict authorized use for each
|
---|
31 | proxy cert.
|
---|
32 |
|
---|
33 | Example of how to create service identity and proxy certificates:
|
---|
34 |
|
---|
35 | $ openssl req -new -config csr.conf -out blipp_service.csr -keyout blipp_service.key
|
---|
36 | $ openssl x509 -req -CAcreateserial -in blipp_service.csr -days 365 \
|
---|
37 | -out blipp_service_ID.pem -CA user.pem -CAkey user.key \
|
---|
38 | -extfile csr.conf -extensions v3_proxy
|
---|
39 |
|
---|
40 | We now have a service proxy cert:
|
---|
41 |
|
---|
42 | - blipp_service_ID.pem
|
---|
43 |
|
---|
44 | The proxy cert is concatenated with the user cert to maintain the chain of trust
|
---|
45 | and is pushed to the service nodes. The service now uses this proxy cert to ask
|
---|
46 | for resources on a service like UNIS.
|
---|
47 |
|
---|
48 | Now that we have proxy certs per service, we need to create ABAC credentials.
|
---|
49 | We use the slice credential to effectively associate the user with the
|
---|
50 | experiment slice when defining ABAC roles and to determine the lifetime (up to
|
---|
51 | slice expiration time) of said roles. While there are a number of ways to
|
---|
52 | create and maintain attributes and policies, the following section outlines a
|
---|
53 | basic approach that is feasible to get working within a relatively short
|
---|
54 | timeframe.
|
---|
55 |
|
---|
56 |
|
---|
57 | ==== UNIS/ABAC implementation for GEC15 ====
|
---|
58 |
|
---|
59 | We define two roles for each slice that UNIS tracks:
|
---|
60 |
|
---|
61 | - slice_admin (rSA)
|
---|
62 | - slice_owner (rSO)
|
---|
63 |
|
---|
64 | The UNIS service is the principal that creates and maintains these roles using
|
---|
65 | libabac. A keystore is maintained that stores the identity and attribute
|
---|
66 | certificates as they are generated. These are actual files written to disk.
|
---|
67 |
|
---|
68 | For a given slice, the first step in the role creation process is when the
|
---|
69 | bootstrapper pushes (HTTP POST) the slice credential (along with user cert) to
|
---|
70 | UNIS. The following attributes are generated:
|
---|
71 |
|
---|
72 | 1. UNIS.rSO <- user
|
---|
73 | This says the UNIS server principle has a role slice_owner (rSO) and the user is
|
---|
74 | a slice owner.
|
---|
75 |
|
---|
76 | 2. UNIS.rSA <- UNIS.rSO
|
---|
77 | This says all slice owners are slice admins. Allows the user to present their
|
---|
78 | own cert when asking for slice admin access.
|
---|
79 |
|
---|
80 | 3. UNIS.rSA <- UNIS.rSO.rSA
|
---|
81 | This says anyone who has the slice owner attribute can delegate slice admin to
|
---|
82 | another entity, an example of a linked role.
|
---|
83 |
|
---|
84 | NOTE: because we are using RT0, these attributes need to be generated for every
|
---|
85 | slice credential that gets posted. RT2 allows for parameterized objects and
|
---|
86 | could make this more robust, but it's also more complicated and I'm still trying
|
---|
87 | to get my head around it. RT0 is sufficient for an initial implementation.
|
---|
88 |
|
---|
89 | At this point, the keystore contains 4 new entries: 3 attribute files, one for
|
---|
90 | each described above, and the user certificate. The roles defined have a
|
---|
91 | lifespan equal to the slice lifetime, matching what is learned from the slice
|
---|
92 | credential.
|
---|
93 |
|
---|
94 | It is easy to imagine additional roles being defined. Perhaps a read_only (rRO)
|
---|
95 | role:
|
---|
96 |
|
---|
97 | 1. UNIS.rRO <- UNIS.rSO
|
---|
98 | All slice owners are also read only users.
|
---|
99 |
|
---|
100 | 2. UNIS.rRO <- UNIS.rSO.rRO
|
---|
101 | This says slice owners can delegate read only attributes to other entities.
|
---|
102 |
|
---|
103 | Now the user could give some proxy certs read only access instead of slice admin
|
---|
104 | access, for example. Defining how many roles we need and how they are managed
|
---|
105 | will require a broader discussion, and this may be obviated if we defer to a
|
---|
106 | global policy store.
|
---|
107 |
|
---|
108 | Now that the roles for the given slice are defined in UNIS, the bootsrap process
|
---|
109 | can assign attributes to the service proxy certs we generated earlier.
|
---|
110 |
|
---|
111 | Creddy is used to assign attributes:
|
---|
112 |
|
---|
113 | $ creddy --attribute --issuer user.pem --key user.key --role slice_admin \
|
---|
114 | --subject-cert blipp_service_ID.pem --out blipp_service_proxy_attr.der
|
---|
115 |
|
---|
116 | The .der file now defines the following attribute:
|
---|
117 |
|
---|
118 | user.rSA <- blipp_service_ID
|
---|
119 |
|
---|
120 | What's stored in the file is binary but is represented similar to this:
|
---|
121 |
|
---|
122 | $ creddy --roles --cert blipp_service_proxy_attr.der
|
---|
123 | [keyid:62d12b0dcd5a8a9c3bddb175c8033506bb72a8e4].role:slice_admin_for_<UUID><-[keyid:22f6c982dfaadd9a1ef27d27a5e3ff75e511bf80]
|
---|
124 |
|
---|
125 | Because we setup the delegation attribute earlier, UNIS can now say that the
|
---|
126 | BLiPP service has slice admin access because user, who gave the attribute to
|
---|
127 | BLiPP, is a slice owner. In a similar fashion, the slice owner could also
|
---|
128 | delegate slice admin to another user's cert.
|
---|
129 |
|
---|
130 | The bootstrap process needs to send (HTTP POST) these credentials to UNIS so
|
---|
131 | they can be added to the keystore. The new attributes are loaded into the
|
---|
132 | running ABAC context. Requests for resources using delegated proxy or user
|
---|
133 | certs are now checked against this set of attributes. The ABAC resolver will run
|
---|
134 | queries based on the required level of access. For GEC15, the primary check
|
---|
135 | will ask: is slice admin access granted? If so return resource (e.g., topology,
|
---|
136 | metadata), if not, return error.
|
---|
137 |
|
---|
138 |
|
---|
139 | ==== General Usage Notes ====
|
---|
140 |
|
---|
141 | 1. All communication to UNIS is over an SSL socket. The server requires a valid
|
---|
142 | user certificate and checks the issuer against the GENI CA bundle. If a client
|
---|
143 | or service uses a certificate signed by a non-GENI CA, the request will be
|
---|
144 | rejected outright.
|
---|
145 |
|
---|
146 |
|
---|
147 | ==== Outstanding Issues ====
|
---|
148 |
|
---|
149 | 1. Proxy certs are not currently being accepted by creddy in 0.2.2. ABAC dev
|
---|
150 | team is looking into problem. We have tested delegating roles to non-proxy
|
---|
151 | certs, which does work.
|
---|
152 |
|
---|
153 | 2. Current libabac implementation is designed to work with self-signed certs
|
---|
154 | only, for no apparent reason. libabac code has been modified (read hacked) to
|
---|
155 | accept CA-signed certs. ABAC dev team is also aware and looking into solutions.
|
---|
156 |
|
---|
157 |
|
---|
158 | ==== Current Status ====
|
---|
159 |
|
---|
160 | Proof of concept from Guilherme (client/server) code updated to ABAC 0.2.2. Key
|
---|
161 | functionality as described above is working. In-progress tasks include
|
---|
162 | completing HTTPS interface for accepting slice and ABAC credentials and
|
---|
163 | integrating completed code into existing UNIS service. The plan is to have a
|
---|
164 | test instance up and running so others can experiment by pushing their own slice
|
---|
165 | credentials and attributes.
|
---|
166 |
|
---|
167 |
|
---|
168 | ==== 9/28 UPDATES ====
|
---|
169 |
|
---|
170 | 1. Worked with ABAC team to allow the use of certs other than self-signed certs.
|
---|
171 | Issue was with how they were verifying signatures. These changes are making
|
---|
172 | their way into the next ABAC release.
|
---|
173 |
|
---|
174 | 2. Email exchange with ABAC team about supporting proxy certificates. libabac
|
---|
175 | uses http://www.strongswan.org/ to handle certificates, which apparently doesn't
|
---|
176 | recognize x.509 proxy extensions in current releases. It's possible to disable
|
---|
177 | the strongswan check for critical extensions, and this works fine from the
|
---|
178 | perspective of ABAC, but it's not an ideal solution.
|
---|
179 |
|
---|
180 | 3. Now that key technical issues with ABAC are addressed, I have been
|
---|
181 | integrating this AA model into UNIS and the bootstrap process. UNIS has
|
---|
182 | endpoints for registering the slice credential and adding ABAC credentials.
|
---|
183 | AuthZ checks are made on the basis of whether the UNIS resource is associated
|
---|
184 | with a given slice and if the ABAC query says that the presented user cert has
|
---|
185 | access to the slice.
|
---|
186 |
|
---|
187 |
|
---|
188 | ==== 9/28 NOTES ====
|
---|
189 |
|
---|
190 | One of Jim's points was that ABAC doesn't really care about who signed the
|
---|
191 | certificates, if they they are proxied, etc. and we could make things simpler
|
---|
192 | with services generating their own certs. That's completely valid, and ABAC does
|
---|
193 | only care about generating proof graphs using identities and the given
|
---|
194 | attributes. However, the ABAC implementation itself (libabac) has
|
---|
195 | responsibility for deciding how to verify the x.509 certificates used to build
|
---|
196 | those identities and attributes. As I noted above, the 0.2.2 libabac
|
---|
197 | implementation only accepted self-signed certs when I started on this, which I
|
---|
198 | really didn't understand, and the ISI ABAC team was happy to fix their
|
---|
199 | verification methods.
|
---|
200 |
|
---|
201 | My point is, ABAC is one thing, how we deal with certificates and chain of trust
|
---|
202 | in GEMINI AA is another. For example, the GEMINI services we are building are
|
---|
203 | accessed via SSL/TLS, and this includes the existing LAMP portal and old UNIS.
|
---|
204 | To even establish a secure connection, we currently require that the client
|
---|
205 | (i.e. "user") certificate be signed by a trusted authority. The service
|
---|
206 | verifies the user cert against a CA store, or "genica.bundle", that you can pull
|
---|
207 | from a clearing house like boss.emulab.net. At this level, this has nothing to
|
---|
208 | do with ABAC.
|
---|
209 |
|
---|
210 | One of the main reasons proxy certificates came up, is that you can't do the
|
---|
211 | above check with self-signed certificates unless you add every new "issuer" (the
|
---|
212 | self-signer) cert to the CA store. With a proxy cert, the service verifies that
|
---|
213 | the proxy cert was signed by the GENI user cert, which was in turn signed by a
|
---|
214 | trusted root (e.g. Utah).
|
---|
215 |
|
---|
216 | Of course, this is not the only way to do things. We could have our SSL/TLS
|
---|
217 | services in GEMINI accept any certificate, no matter who signed it, and let ABAC
|
---|
218 | figure out if it's valid or not for a particular GEMINI role. I think this
|
---|
219 | would work as well, but the caveat is we would not have a way to verify who
|
---|
220 | those certs are really identifying since they would not be signed by an
|
---|
221 | authority. A middle-ground approach could introduce a GEMINI CA for signing
|
---|
222 | service certs used in our workflow.
|
---|
223 |
|
---|
224 | What we don't get from the above approaches is the services acting on behalf of
|
---|
225 | the slice owner who created the experiment, the service certs would only mean
|
---|
226 | something to ABAC. You can't have a service with its auto-generated cert say to
|
---|
227 | another service outside of GEMINI "you can trust me, I'm really Harry making
|
---|
228 | this request" because there's no chain of trust outside of what's defined in
|
---|
229 | GEMINI ABAC. The real question is, do we need to make those kinds of requests?
|
---|
230 | My current answer is: maybe this is not required because no other external
|
---|
231 | service will even accept proxy certs at the moment, but why not do it and have
|
---|
232 | that flexibility if we can.
|
---|