wiki:ABAC-QSR-1Q2010

Version 1 (modified by Vic Thomas, 10 years ago)

ABAC Project Status Report

Period: Jan 2010 - Mar 2010

I. Major accomplishments

Development of the requirements document for supporting ProtoGENI using ABAC.

First draft of the ABAC API describing the functions and parameters to be supported in the initial ABAC package.

A. Milestones achieved

ABAC: S2.a, S2.b.

B. Deliverables made

During this period, we posted two deliverables on the wiki. The “ABAC Requirements for ProtoGENI” milestone deliverable was satisfied by the document ‘geni-rbac-req-0.5a.pdf’, and the “DIAC prototype software design and interfaces v1.0” deliverable was satisfied by the document ‘geni-diac-api-0.92.pdf’.

II. Description of work performed during last quarter

Our work consisted of studying the current ProtoGENI system, including its design documents and its current and soon-to-be-released software elements, with an eye toward identifying the support and extensions to the current ABAC implementation that will be required so that ABAC (Attribute-Based Access Control) can be used within the ProtoGENI control framework to support authorization decisions.

To understand the scope of our work, our approach is to examine the ProtoGENI as-built implementation, which is itself a moving target as enhancements are made to the spiral 1 prototype throughout spiral 2. The ProtoGENI implementation provides a number of functions that map into the SFA API, albeit with ProtoGENI specific parameters, usage, and refinements. A successful integration of ABAC must provide the ability to interpose a policy decision (authorization check) on each invocation of the control framework API exposed by ProtoGENI.

In addition, the ABAC implementation is itself a faithful realization of the RT-0 attribute logic and models developed by the original ABAC project and documented in a series of papers. We have described how the ABAC Web Services implementation will be extended to provide an API (described as Web Services, WSDL) that is well-defined and natural for use by ProtoGENI software elements and potentially other GENI projects or researcher users.

To facilitate better interactions with the ProtoGENI project, we have been regularly attending the cluster’s bi-weekly meetings. This included presenting and discussing our ABAC and ABAC Web Services API at one of the meetings, as well as closely following the introduction of other changes and components in the spiral 2 ProtoGENI system.

A. Activities and findings

We have determined, in conjunction with Rob Ricci at Utah, that it would be undesirable to immediately “merge in” the ABAC WS implementation within the mainline ProtoGENI implementation. ProtoGENI is itself in flux, but also poses a challenge for testing in that there is at the moment only one full-blown instance of this control framework running (co-located with the Utah Emulab) and our project funding is insufficient to enable us to stand up a “toy” ProtoGENI control framework for independent test and integration.

Instead, we have homed in on the ProtoGENI Reference Component Manager (Reference CM) implementation as a viable candidate for our first proof-of-concept integration. Towards this end, we are approximately 50% of the way toward standing up a small (2-node) Emulab/ProtoGENI experiment consisting of ABAC WS implementations acting as trust negotiators and an instance of the ReferenceCM. The ReferenceCM and a toy client of that ReferenceCM will make use of the ABAC WS to perform trust negotiations. Trust negotiation is the term used in the ABAC vernacular for a series of attribute credential exchanges leading to a ‘policy check decision’, whereby authorization is granted, or alternately denied, based on the set of attribute credentials possessed by the client requestor and the policy encoded within a second set of attribute credentials loaded into the server-side ABAC WS implementation (the server-side trust negotiator).
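To make the policy check decision described above concrete, the following is an added example (not code from the ABAC WS or ProtoGENI projects) of a minimal RT-0 evaluator: the server-side policy and the client's presented credentials are pooled, and the decision is whether the requesting principal is derivable as a member of the access role. The principal names, the `CM.access` / `CM.trustedSA` roles and the credential sets are constructed for illustration; real ABAC credentials identify principals by key and are signed, which this toy omits.

```python
"""Toy RT-0 attribute-credential evaluator (added example, not the ABAC WS code)."""
from collections import defaultdict

# Supported RT-0 credential forms, written as (head, body):
#   A.r <- B          B is a member of A's role r
#   A.r <- B.r1       every member of B.r1 is a member of A.r
#   A.r <- A.r1.r2    for each B in A.r1, every member of B.r2 is a member of A.r
# (RT-0 intersection credentials are omitted to keep the example short.)

def members(creds, role):
    """Principals holding `role` ("A.r"), computed as a least fixed point over
    all credentials so that delegation chains of any depth are resolved."""
    holds = defaultdict(set)              # role -> set of principal names
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            before = len(holds[head])
            parts = body.split(".")
            if len(parts) == 1:                       # A.r <- B
                holds[head].add(body)
            elif len(parts) == 2:                     # A.r <- B.r1
                holds[head] |= holds[body]
            else:                                     # A.r <- A.r1.r2 (linked role)
                a, r1, r2 = parts
                for b in set(holds[f"{a}.{r1}"]):
                    holds[head] |= holds[f"{b}.{r2}"]
            if len(holds[head]) != before:
                changed = True
    return set(holds[role])

def authorized(server_creds, client_creds, access_role, principal):
    """Policy check decision: pool the server-side policy credentials with the
    credentials the client presented and test membership in the access role."""
    return principal in members(server_creds + client_creds, access_role)

# Constructed server-side policy: the CM grants access to users of any slice
# authority that the (hypothetical) Clearinghouse has endorsed.
CM_POLICY = [
    ("CM.access", "CM.trustedSA.user"),
    ("CM.trustedSA", "Clearinghouse.sa"),
]
# Constructed credentials a client would present during trust negotiation.
ALICE_CREDS = [
    ("Clearinghouse.sa", "UtahSA"),
    ("UtahSA.user", "alice"),
]

if __name__ == "__main__":
    print(authorized(CM_POLICY, ALICE_CREDS, "CM.access", "alice"))    # True
    print(authorized(CM_POLICY, ALICE_CREDS, "CM.access", "mallory"))  # False
```

Note that a principal such as `mallory` is denied not because of an explicit deny rule but because no chain of credentials derives membership in `CM.access`, which is the default-deny character of RT-0 inference.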

B. Project participants

The following SPARTA staff are participating in the ABAC project: Stephen Schwab, Jay Jacobs.

C. Publications (individual and organizational)

None.

D. Outreach activities

Jay Jacobs and Stephen Schwab attended GEC-7 at Duke University. Jay Jacobs presented a talk on ABAC in the Experimental Services Working Group. We hope this leads to a solution whereby two of the experimental services that face security (authorization) challenges are able to study our ReferenceCM implementation and integration with ABAC WS and adopt ABAC WS within ProtoGENI to meet their own needs.

E. Collaborations

We are also collaborating with Jeff Chase at Duke University, in particular in discussions to shed light on how SFA may be revised to accommodate control framework designs that use authorization schemes such as ABAC and Shibboleth alongside the identity-credential-based schemes currently employed by PlanetLab and ProtoGENI.

F. Other Contributions

Under separate funding, the DETER TIED project continues to make progress on the integration of ABAC WS within the DETER Federation framework.