=== Authorization in GENI ===

==== Session leaders ====
Steve Schwab, ''Cobham''[[BR]]
Ted Faber, ''ISI''[[BR]]
Tom Mitchell, ''BBN''

==== Time ====
Tues 2:30 - 4:30 pm

==== Description ====
This meeting will seek agreement on an approach to authorization in GENI. A proposed way forward will be presented along with possible alternatives, followed by open discussion.

GENI requires an authorization solution that allows architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role, or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

There are two proposed solutions in use by current control framework projects: credentials and attributes. Credentials bind a set of roles or privileges to an experimenter and a slice. Attributes denote individual properties of an experimenter and are grouped to determine privileges. There are pros and cons to both approaches. Stakeholders will discuss both approaches and reach consensus on a way forward for authorization in GENI.

==== Proposal ====
ABAC should be added to the GENI AM API as a means of authorization. Aggregates should accept ABAC-style attribute assertions to enable richer authorization policies than are possible with current GENI credentials. A [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_Rules_v1.2.pdf proposed set of access rules] will be presented and a [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf prototype GENI-ABAC integration] will be described.
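To make the difference between the two models concrete, the following is an added illustration (not code from the session or from the GENI/ABAC projects) of how ABAC-style attribute assertions are grouped into an aggregate's access decision: an aggregate's local rule delegates to a clearinghouse attribute, which is in turn derived from institutional affiliation or project role. The principals, role names and credentials are constructed placeholders, not GENI identifiers.

```python
from collections import defaultdict

# Constructed RT0-style assertions, each written as (head_role, body):
#   ("A.r", "B")        B is a member of A.r
#   ("A.r", "B.r1")     every member of B.r1 is a member of A.r
#   ("A.r", "A.r1.r2")  linked role: every member of X.r2, for each X in A.r1
# Names (AggA, GENI, ISI, ProjX, alice, bob) are hypothetical placeholders.
CREDENTIALS = [
    ("AggA.createSliver", "GENI.experimenter"),       # aggregate's local policy
    ("GENI.experimenter", "GENI.institution.member"),  # any member of a trusted institution
    ("GENI.institution", "ISI"),                      # clearinghouse trusts ISI
    ("ISI.member", "alice"),                          # institutional affiliation
    ("AggA.createSliver", "ProjX.lead"),              # project role also suffices
    ("ProjX.lead", "bob"),                            # project membership attribute
]

def evaluate(creds):
    """Compute the members of every role by iterating the rules to a fixpoint."""
    members = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            parts = body.split(".")
            if len(parts) == 1:                       # simple member
                derived = {body}
            elif len(parts) == 2:                     # simple inclusion
                derived = set(members[body])
            else:                                     # linked role
                issuer, r1, r2 = parts
                derived = set()
                for x in members[f"{issuer}.{r1}"]:
                    derived |= members[f"{x}.{r2}"]
            if not derived <= members[head]:
                members[head] |= derived
                changed = True
    return members

def authorized(creds, principal, role):
    """Decision an aggregate would make: is the principal in the role?"""
    return principal in evaluate(creds)[role]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, authorized(CREDENTIALS, who, "AggA.createSliver"))
```

Removing the `("GENI.institution", "ISI")` assertion revokes alice's access without touching the aggregate's rule, which is the kind of policy change that attribute grouping makes local to the issuer.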
==== Agenda ====
Introduction - Tom Mitchell (5 mins)[[BR]]
Authorization proposal - Steve Schwab/Ted Faber (30 mins)[[BR]]
Break (30 mins)[[BR]]
Invited discussion - Jeff Chase (10 mins)[[BR]]
Invited discussion - Rob Ricci (10 mins)[[BR]]
Open discussion - All (25 mins)[[BR]]
Session wrap-up - Tom Mitchell (10 mins)

==== Background reading ====
Proposed ABAC Rules for GENI Authorization: http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_Rules_v1.2.pdf[[BR]]
Sec 2 summarizes current GENI credentials[[BR]]
Sec 4 introduces ABAC[[BR]]
Sec 5 describes a prototype ABAC implementation of GENI authorization[[BR]]
ABAC integration with the GENI AM API discussion: http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf[[BR]]
ProtoGENI Credentials: http://www.protogeni.net/trac/protogeni/wiki/Credentials[[BR]]
ProtoGENI Authentication: http://www.protogeni.net/trac/protogeni/wiki/AuthImpl

==== Further reading ====
GEC 8 ABAC Tutorial Slides (ppt): http://groups.geni.net/geni/attachment/wiki/Gec8Workshops/abac-mini-wk-ah-final.ppt[[BR]]
GEC 8 ABAC Tutorial Slides (pdf): http://groups.geni.net/geni/attachment/wiki/Gec8Workshops/ABAC_Tutorial_v2_faber.pdf[[BR]]
ABAC Project: http://abac.deterlab.net[[BR]]
TIED ABAC Model: http://groups.geni.net/geni/wiki/TIEDABACModel[[BR]]
TIED ABAC Demo: http://groups.geni.net/geni/wiki/TIEDABACDemo