Changes between Version 1 and Version 2 of AuthStoryBoard


Timestamp: 12/06/11 09:50:37 (12 years ago)
Author: chase@cs.duke.edu
Comment: --

  • AuthStoryBoard

    v1 v2  
    33This page is the portal to a series of ppt twitters dealing with GENI's emerging federated authorization system, with a strong dose of advocacy for declarative trust management with automated inference, using a role-based trust delegation logic ("ABAC").  A ppt twitter is a powerpoint deck with a soft limitation of 20 slides.
    44
    5 Although this space focuses on authorization, it also bears on related topics that are often intertwined with GENI "control framework architecture".  The various testbeds predating GENI evolved various authorization structures to meet the practical needs of testbed deployments.  Much of the activity in the GENI control framework space (e.g., the SFA effort) is best understood as an exercise in retrofitting federation support onto these testbeds, so that we may interconnect them.  At the same time, the GPO has envisioned a system with strong central control and safety restraints, e.g., through a "Clearinghouse" that performs various authorization functions centrally.  The challenge of bridging the gap has led GENI architects to spend a lot of time talking about authorization structure.  Some very large GPO Control Framework documents that circulated in 2009 deal almost exclusively with authorization.
     5This space also bears on federation topics that are often intertwined with GENI "control framework architecture".  The various testbeds predating GENI evolved various authorization structures to meet the practical needs of testbed deployments.  One theme of GENI has been retrofitting federation support onto these testbeds, so that we may interconnect them.  At the same time, the project managers have envisioned a system with strong central control and safety restraints, e.g., through a Clearinghouse that bundles various identity and authorization functions.  GENI architects spend a lot of time talking about how to bridge the gaps among various view of how to manage identity and authorize projects and slices in a world of interconnected testbeds.  Similarly, discussions about GENI federation architecture are often dealing with issues of trust policy disguised as architectural questions.
    66
    7 One goal of this work is to cleanly separate the authorization entities that were bundled together in the Clearinghouse and various testbed frameworks (identity management and authorization of GENI projects and slices), and separate them from questions of control framework architecture.  Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity, trust management, delegation logic, and role-based trust.  Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools.  There have also been large investments in federated identity deployments: Shibboleth, SAML, inCommon.
     7One goal of this work is to disentangle these topics and separate them from questions of control framework architecture.  Once they are separated, we can see that authorization in GENI is an exercise in applying well-understood principles of federated identity, trust management, delegation logic, and role-based trust.  Work on these topics in the decade preceding GENI yielded key research breakthroughs and reasonably mature tools.  GENI can also leverage the large investments in federated identity deployments (Shibboleth, SAML, inCommon).  By applying these early works, we can simplify implementations and free the architects to focus on what is really new in GENI: unified control of diverse virtual infrastructure services.   Discussions of trust policy and governance can go forward separately from these architecture discussions. 
    88
     9 * Background slides on GENI federation architecture
     10 * Tutorial slides on role-based trust and ABAC
     11 * Deconstructing the GENI Federation
     12 * A Tale of Two Federations
     13 * Building the GENI Federation with ABAC
     14 * The GENI Federation with ABAC: Going Deeper
     15 * Slides on naming and credential management
     16
     17These slides are part of an ongoing discussion with other collaborators in GENI.  It's a work in progress, but it will feel "done" soon.  It needs proper acknowledgment for major collaborators, including Ted Faber at ISI and my student Prateek Jaipuria, funding sources (NSF through multiple lines, and RENCI), and related work.  It is my intent that any contributions, ideas, and content from this work shall be unrestricted in the public domain.  My slides are available for use under Creative Commons CC-BY Attribution license.  I appreciate attribution for ideas, but feel free to steal the art (as I have done).
     18
     19
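Review bot: the rewritten paragraph at v2 line 5 has a grammatical slip in its penultimate sentence: "among various view of how to manage identity" should read "among various views of how to manage identity", and the closing sentence reads more cleanly as "discussions about GENI federation architecture often deal with issues of trust policy disguised as architectural questions" rather than "are often dealing with". The new list at v2 lines 9-15 names seven slide decks without linking to them; since the page introduces itself as the portal to these decks, each item should carry a wiki link or URL to the deck (or a note that it is forthcoming) so readers can actually reach them. Minor: v2 line 7 ends with trailing whitespace and has a run of three spaces before "Discussions".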