Version 2 (modified by Stephen Schwab, 13 years ago) (diff)


ABAC Project Status Report

Period: Dec 2010 - March 2011

I. Major accomplishments

Working in conjunction with the ProtoGENI and ORCA control frameworks and GPO staff, we conducted a series of teleconferences and on-line email discussions to work out a plan for integrating ABAC authorization frameworks into both control frameworks. This plan was written up, posted on the GSAT wiki page, discussed and approved in the software track meetings at GEC11.

A. Milestones achieved

The plans for ABAC integration into a control framework were posted, with ProtoGENI in mutual agreement to work with us in achieving integration and interoperability with ABAC. ORCA will pursue a different plan, leading to integration of ABAC with a somewhat different policy structure and enforcement in that control framework. This satisfies the 2.b deliverable, Plans for Integration of ABAC into a Control Framework.

The current ABAC implementation was presented as a poster at the demo session of GEC10, and in conjunction with our status and presentation of plans for integration, serves to meet the 2.c demonstration and outreach milestone.

B. Deliverables made

A plan for integration of ABAC into ProtoGENI and ORCA was posted on the GENI wiki, under the GENI Security Architecture (GSAT) wiki page.

II. Description of work performed during last quarter

The work performed since the last GEC consisted of analyzing and working through the various issues and concerns of the control frameworks (ProtoGENI, ORCA) with regard to features and limitations of the current ABAC implementation. Based on written examples of ABAC policies for the current authorization semantics enforced by the SFA approach (primarily in ProtoGENI and PlanetLab), we identified features that must be added to ABAC, or tools that must be or should be developed for ABAC, so that GENI developers, operators and research users can transition successfully to this distributed authorization approach.

A. Activities and findings

The primary finding regarding ABAC is that there is now a recognition that the current hardwired credentials, while useful for getting control frameworks up and running, are not ideal for the long run. While the control frameworks could continue to operate using only these credential formats, it is acceptable to switch to something better and more flexible, if this can be accomplished without disrupting on-going operations or impacting users.

Secondarily, there are some features of a mature ABAC implementation that, while not required in a theoretical sense for a proof-of-concept, are essential for adoption by the community. The key feature in this regard is the ability to have common web-based XML tools read GENI ABAC credentials and display them in a meaningful way to users. ABAC currently uses X.509 credentials, which makes them opaque to most of these XML-based tools. Examining the alternatives, we will investigate whether a SAML/XMLSIG approach can be used to carry equivalent information and enforce equivalent authenticity and integrity properties for ABAC credentials while simultaneously making them inspectable by end users. We will also investigate whether human-readable XML-encoded strings can be bound within ABAC credentials, as an effective means of making the credential contents visible, or whether a web service to render X.509 ABAC credentials into XML-encoded contents for human consumption is a superior approach.

Finally, we are moving forward on a development schedule to demonstrate increasing ABAC integration within control frameworks at GEC11 and GEC12, with an ultimate goal of phasing out the original credential formats within one year if ABAC can become mature enough to meet all authorization and community usability needs.

B. Project participants

The following SPARTA staff are participating in the ABAC project: Stephen Schwab.

C. Publications (individual and organizational)


D. Outreach activities


E. Collaborations

We are continuing collaborations with Rob Ricci, Utah, in the ProtoGENI project and Jeff Chase at Duke University in the ORCA control framework.

F. Other Contributions