== Control Framework Working Group Meeting at GEC4 ==

The [http://www.geni.net/GEC4/GEC4.html 4th GENI Engineering Conference] was held in Miami, FL from March 31 to April 2, 2009. The [GeniControl Control Framework WG] met on Wednesday, April 1, 3:30pm - 5:30pm.

== Audio Clips ==

[attachment:GEC4_ControlWG_1of2.mp3 Audio Part 1] (MP3, 50MB)[[br]]
[attachment:GEC4_ControlWG_2of2.mp3 Audio Part 2] (MP3, 53MB)

== Meeting Minutes ==

 * Welcome from WG co-chair: John Wroclawski
 * RSpecs in GENI (60 min)
   * Larry Peterson presented a set of proposed design principles and a suggested tactical approach.
   * Slides: [http://groups.geni.net/geni/attachment/wiki/GEC4CFWGAgenda/geni_rspec.pdf]
   * Larry presented these options, discovered in the Cluster B meeting:
     * Option 1) In the data structure (the RSpec approach). Tools help make simple things easy.
     * Option 2) In the interface (the WSDL approach). Ask the aggregate for its capabilities, e.g., GetResources(Any) returns a list of capabilities and additional calls; make additional queries as needed.
     * Really, there is no way to make the complexity go away.
   * Questions from floor, and discussion: [ ]
 * Security architecture in GENI (60 min)
   * This overview was organized by Steve Schwab and John Wroclawski.
   * Security architecture document by Steve Schwab: [http://groups.geni.net/geni/attachment/wiki/GENISecurity/GENI-SEC-ARCH-0.4.pdf GENI-SEC-ARCH-0.4]
   * Slides by Steve Schwab: [http://groups.geni.net/geni/attachment/wiki/GEC4CFWGAgenda/GENISecurityArchitecture-GEC4-ss1.pdf]
   * Cluster B (PlanetLab) report by Larry Peterson:
     * PlanetLab follows the SFA, which uses credentials (certificates) that include privileges.
     * A researcher can delegate privilege via a credential to another researcher.
     * Security is explicit; delegation is explicit; all through credentials.
   * Cluster C (ProtoGENI) report by Robert Ricci: [http://groups.geni.net/geni/attachment/wiki/GEC4CFWGAgenda/pgeni-security-gec4.pdf]
   * Cluster D (ORCA) report by Jeff Chase:
     * ORCA uses actors, which have public key pairs; signed messages are passed between actors.
     * An actor runs on behalf of a particular identity.
     * An actor can use Shibboleth to identify an individual.
     * Expect attribute-based access control; e.g., in ORCA, one can delegate privilege, and the policy module signs a ticket for a particular user and a particular resource.
     * ORCA currently uses the wss4j module to sign with keys, but has to pass certificates; perhaps move to a SAML approach.
   * Cluster E (ORBIT) report by Max Ott: [http://groups.geni.net/geni/attachment/wiki/GEC4CFWGAgenda/GEC4%20Orbit%20Security.pdf]
   * Cluster A (TIED) report by Ted Faber: [http://groups.geni.net/geni/attachment/wiki/GEC4CFWGAgenda/Security_v2.pdf]
   * Questions from floor, and discussion: [ ]

Questions or comments should be sent to the WG Co-Chairs, the WG System Engineer, or to the WG mailing list:

'''Chairs''': [mailto:llp@princeton.edu Larry Peterson], [mailto:jtw@isi.edu John Wroclawski][[br]]
'''Working Group System Engineer''': [mailto:hmussman@bbn.com Harry Mussman][[br]]
'''Send email to WG Mail List''': [mailto:control-wg@geni.net WG Mail List]
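== Added Example: Credential Delegation Chain ==

The Cluster B report in the minutes above describes SFA credentials that carry privileges and can be delegated from one researcher to another, with a verifier that checks the delegation explicitly; the Cluster D report describes the same idea in ORCA terms, with keyed actors exchanging signed tickets. The Go program below is an illustration added to this page, not code from GENI, PlanetLab, SFA or ORCA. It builds a chain authority to Alice to Bob and verifies it, and it shows the check a verifier must make that the minutes only imply: a delegator cannot hand out a privilege it does not itself hold. The `Credential` struct and its field names, the privilege names (`control`, `bind`, `info`, `instantiate`), the slice name `slice:example`, and the use of raw Ed25519 keys instead of the X.509 certificates SFA actually uses are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Credential is a simplified SFA-style credential (assumed layout, not the GENI
// schema): an issuer grants an owner privileges on a target such as a slice.
type Credential struct {
	Target     string
	Owner      ed25519.PublicKey
	Issuer     ed25519.PublicKey
	Privileges []string
	Delegate   bool        // may the owner delegate further?
	Parent     *Credential // nil when issued directly by the authority
	Signature  []byte
}

// signedBytes is the byte string the issuer signs; including the parent's
// signature binds each link of a delegation chain to the link above it.
func (c *Credential) signedBytes() []byte {
	var parentSig []byte
	if c.Parent != nil {
		parentSig = c.Parent.Signature
	}
	return []byte(fmt.Sprintf("%s|%x|%x|%s|%t|%x", c.Target, c.Owner, c.Issuer,
		strings.Join(c.Privileges, ","), c.Delegate, parentSig))
}

// Sign creates a credential for owner, signed by signer. With parent nil this is
// the authority issuing a root credential; otherwise it is a delegation by the
// parent's owner. Nothing is checked here: Verify must reject dishonest claims.
func Sign(signer ed25519.PrivateKey, parent *Credential, owner ed25519.PublicKey, target string, privs []string, delegate bool) *Credential {
	if parent != nil {
		target = parent.Target
	}
	c := &Credential{Target: target, Owner: owner, Issuer: signer.Public().(ed25519.PublicKey),
		Privileges: privs, Delegate: delegate, Parent: parent}
	c.Signature = ed25519.Sign(signer, c.signedBytes())
	return c
}

// Verify walks the chain back to the authority: every signature must be valid, the
// signer must be the previous owner (or the trusted root), the parent must be
// delegatable, the target unchanged, and no privilege added beyond the parent's.
func Verify(c *Credential, root ed25519.PublicKey) error {
	if !ed25519.Verify(c.Issuer, c.signedBytes(), c.Signature) {
		return errors.New("bad signature")
	}
	p := c.Parent
	if p == nil {
		if !c.Issuer.Equal(root) {
			return errors.New("root credential not issued by the trusted authority")
		}
		return nil
	}
	if !c.Issuer.Equal(p.Owner) {
		return errors.New("delegation not signed by the parent credential's owner")
	}
	if !p.Delegate || c.Target != p.Target {
		return errors.New("parent not delegatable or target changed")
	}
	held := map[string]bool{}
	for _, pr := range p.Privileges {
		held[pr] = true
	}
	for _, pr := range c.Privileges {
		if !held[pr] {
			return fmt.Errorf("privilege %q not held by the delegator", pr)
		}
	}
	return Verify(p, root)
}

func keypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // rand.Reader does not fail in practice
	return pub, priv
}

// Demo builds authority -> Alice (delegatable) -> Bob and returns Verify's result
// for the honest chain and for Alice delegating a privilege she does not hold.
func Demo() (honestErr, overErr error) {
	rootPub, rootPriv := keypair()
	alicePub, alicePriv := keypair()
	bobPub, _ := keypair()
	alice := Sign(rootPriv, nil, alicePub, "slice:example", []string{"control", "bind", "info"}, true)
	bob := Sign(alicePriv, alice, bobPub, "", []string{"info"}, false)
	honestErr = Verify(bob, rootPub)
	over := Sign(alicePriv, alice, bobPub, "", []string{"info", "instantiate"}, false)
	overErr = Verify(over, rootPub)
	return
}

func main() {
	fmt.Println(Demo())
}
```

Running it prints `<nil>` for the honest chain and a `privilege "instantiate" not held by the delegator` error for the second. The point of the example is that the verifier, not the delegator, enforces the privilege subset: Alice's key lets her sign anything, so the aggregate must walk the whole chain back to the authority it trusts before honoring any privilege Bob presents.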