=== Authorization ===

==== Organizers ====
Steve Schwab and Ted Faber, ''USC/ISI''

==== Time ====
Tues 1:00 - 2:00 pm

==== Description ====
GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use. In this session, ISI will report out on their effort to implement ABAC authorization within ProtoGENI. Then the group will discuss next steps in evaluating ABAC authorization in comparison to the current GENI credentials.

==== Agenda ====
 1. Introduction and GEC 10 Summary (5 mins)
 1. Progress update and demo (10 mins)
 1. Trust Structures (15 mins)
   * Who trusts whom to say what?
   * Attributes for the GENI AM API
 1. Tools (10 mins)
   * Credential generation
   * Credential storage
   * Credential management (display, verification)
 1. Implementation road map (15 mins)
   * Aggregate policies
   * Credential expiration policies
   * API modifications
 1. Summary and Wrap-up (5 mins)

==== Background Reading ====
 * [http://abac.deterlab.net/ ABAC Project home page]
 * [attachment:geni-abac.pdf Authorization and Trust Structure in GENI: A Perspective on the Role of ABAC] by Jeff Chase
 * [wiki:GeniAuthorization Authorization Design Activities wiki page]