
Version 1 (modified by Vic Thomas, 9 years ago)


ABAC Project Status Report

Period: April 2010 - June 2010

I. Major accomplishments

Development of the requirements document for supporting ProtoGENI using ABAC.

First draft of the ABAC API describing the functions and parameters to be supported in the initial ABAC package.

Initial build of ABAC WS software.

Initial creation of ABAC WS and ReferenceCM node images on ProtoGENI.

A. Milestones achieved

No contract milestones were slated for this quarter. However, we did get our software sufficiently complete so we could begin integration testing with the ProtoGENI ReferenceCM.

B. Deliverables made

None.

II. Description of work performed during last quarter

Our work consisted of studying the current ProtoGENI system, primarily the ReferenceCM (Component Manager) implementation, so that ABAC (Attribute-Based Access Control) may be used within the ProtoGENI control framework to support authorization decisions. Essentially all of the work in the past quarter was focused on building and configuring a reproducible node image with all ABAC and ReferenceCM software and dependencies (external software packages) to enable us to integrate and test a ProtoGENI proof-of-use scenario in which ABAC policy is used to authorize or deny access to operations requested by sample clients of the ReferenceCM.

The ProtoGENI implementation provides a number of functions that map into the SFA API, albeit with ProtoGENI specific parameters, usage, and refinements. A successful integration of ABAC must provide the ability to interpose a policy decision (authorization check) on each invocation of the control framework API exposed by ProtoGENI. Our goal is to demonstrate and share a worked example of an end-to-end collection of software components that does so, albeit only for those API calls supported by the ReferenceCM. In principle, any other ProtoGENI software component or cluster member project could adapt the invocation of ABAC Web Services (ABAC WS) for authorization checks.

To facilitate better interactions with the ProtoGENI project, we have been regularly attending the cluster’s bi-weekly meetings. This included presenting and discussing our ABAC and ABAC Web Services API at one of the meetings, as well as closely following the introduction of other changes and components in the spiral 2 ProtoGENI system.

A. Activities and findings

We have determined, in conjunction with Rob Ricci at Utah, that it would be undesirable to immediately “merge in” the ABAC WS implementation within the mainline ProtoGENI implementation. ProtoGENI is itself in flux, but also poses a challenge for testing in that there is at the moment only one full-blown instance of this control framework running (co-located with the Utah Emulab) and our project funding is insufficient to enable us to stand up a “toy” ProtoGENI control framework for independent test and integration.

Instead, we have homed in on the ProtoGENI Reference Component Manager (Reference CM) implementation as a viable candidate for our first proof-of-concept integration. Essentially all of the software to support such a proof-of-concept experiment is complete, and the remaining work is in debugging configurations and installation procedures. Additionally, there is a modest amount of work in developing simple example authorization policies, encoding those policies in ABAC credentials (X.509v2), and in creating test scenarios to exercise the ABAC trust negotiation engines.

We also examined the requirements of the INSTOOLS project with respect to authorization, and believe that it would be a good candidate to make use of ABAC authorization. However, we don’t expect to commence any work on that front until spiral 3 due to limited funding. Similarly, the OnTimeMeasure project from Ohio State has similar authorization needs, which we expect may be addressed in the future by ABAC integration.

B. Project participants

The following SPARTA staff are participating in the ABAC project: Stephen Schwab, Jay Jacobs.

C. Publications (individual and organizational)

None.

D. Outreach activities

None, beyond ProtoGENI cluster calls. However, Stephen Schwab also attended a GENI-FIRE federation workshop in Princeton at which many aspects of distributed authorization and ABAC were discussed.

E. Collaborations

We are also collaborating with Jeff Chase at Duke University, in particular in discussions to shed light on how SFA may be revised to accommodate control framework designs using authorization schemes such as ABAC and Shibboleth alongside the current identity-credential-based schemes employed by PlanetLab and ProtoGENI. We have also had extensive discussions with Ken Klingenstein regarding the implementation details of Shibboleth and related software used to introduce Shibboleth-based authorization into the ORCA control framework.

F. Other Contributions

Under separate funding, the DETER TIED project continues to make progress on the integration of ABAC within the DETER Federation framework. However, a decision was made by DETER project staff to re-implement ABAC mechanisms in a new from-scratch version of the software.