Version 5 (modified by Aaron Helsinger, 12 years ago) (diff)


Authorization in GENI

Session leaders

Steve Schwab, Cobham
Ted Faber, ISI
Tom Mitchell, BBN


Tues 2:30 - 4:30 pm


This meeting will seek agreement on an approach to authorization in GENI. A proposed way forward will be presented along with possible alternatives, followed by open discussion.

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

There are two proposed solutions in use by current control framework projects, credentials and attributes. Credentials bind a set of roles or privileges with an experimenter and a slice. Attributes denote individual properties of an experimenter and are grouped to determine privileges. There are pros and cons to both approaches. Stakeholders will discuss both approaches and reach consensus on a way forward for authorization in GENI.


ABAC should be added to the GENI AM API as a means of authorization. Aggregates should accept ABAC-style attribute assertions to enable richer authorization policies than are possible with current GENI Credentials. A proposed set of access rules will be presented and a prototype GENI-ABAC integration will be described.


Introduction - Tom Mitchell (5 mins)
Authorization proposal - Steve Schwab/Ted Faber (20 mins)
Invited discussion - Jeff Chase (10 mins)
Invited discussion - Rob Ricci (10 mins)
Open discussion - All (30 mins)
Session wrap-up - Tom Mitchell (15 mins)

Background reading

ProtoGENI Credentials:
ProtoGENI Authentication:
Proposed ABAC rules for GENI:
ABAC integration with the GENI AM API discussion:
GEC 8 ABAC Tutorial Slides:
GEC 8 ABAC Tutorial Slides:
ABAC Project:

Attachments (3)