Changes between Initial Version and Version 1 of GIR3.1_TIED


Timestamp: 03/31/11 12:12:36 (9 years ago)
Author: lnevers@bbn.com
Comment: --

  • GIR3.1_TIED

    v1 v1  
     1== TIED Evaluation ==
     2
     3The Trial Integration Environment in DETER ([http://groups.geni.net/geni/wiki/TIED TIED]) project has integrated the [http://abac.deterlab.net/ Attribute-Based Access Control] from USC/ISI and Sparta (version 0.1.2) implementation  with the GENIAPI AM (version 1.0).  This integration delivers the ability to set up a multi-aggregate experiment using the GENIAPI to manipulate ProtoGENI resources.  The software evaluated was available at the [http://groups.geni.net/geni/wiki/TIED TIED] page as [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi-1.0.tgz] released on 01/06/11.  Supporting documentation for ''Design and Integration of ABAC and the GENIAPI AM: Version 1'' can be found [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf here].
     4
     5Time frame: Evaluation took place between March 23-24, and March 31 2011.
     6
     7== TIED Findings ==
     8
     9The installation order of the packages and their pre-requisites are spread across multiple documentation files and information is available in each.  Overall documentation captures
     10the required installation.  Once installed, there was one issue found with the ABAC Libraries 0.1.2 which was resolved in the latest ABAC 0.1.3 package.
     11Some minor feedback about issues encountered was provided to the ABAC team.
     12
     13== TIED How-to ==
     14
     15The ABAC/GENI AM software package evaluation was completed on an Ubuntu 10.04.02 system. This evaluation requires that the following software packages be installed:
     16
     17   * GCF GENI AM software [http://trac.gpolab.bbn.com/gcf GCF 1.02]
     18   * ABAC libraries [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3] ^^(see Note 1)^^
     19   * ABAC/GENI AM software [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi 1.0]
     20
     21   ^^ Note 1: Initial evaluation was done with ABAC 0.1.2,which had a blocking issue addressed in [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3] .^^
     22
     23The capture below show the order the software installed, which was determined from instruction in each of the packages.
     24
     251. Installed the prerequisite [http://www.gpolab.bbn.com/local-sw/ GCF 1.2] package and installed as documented at [http://trac.gpolab.bbn.com/gcf/wiki/QuickStart GCF QuickStart] page.
     26
     272. Installed the ABAC prerequisites tools as instructed in the INSTALL instructions:
     28
     29{{{
     30  For Java installation instructions, see doc/java_install.
     31
     32  Prior to building libabac you must install libstrongswan.
     33
     34  Download strongswan-4.4.0 from strongswan.org:
     35     http://download.strongswan.org/strongswan-4.4.0.tar.bz2
     36
     37  FreeBSD users: add --with-group=wheel to strongswan ./configure
     38
     39  $ tar xjvf strongswan-4.4.0.tar.bz2
     40  $ cd strongswan-4.4.0
     41  $ ./configure --enable-monolithic    [FreeBSD: see note above]
     42  $ cd src/libstrongswan
     43  $ make && sudo make install
     44
     45  Be sure to make note of the directory into which you've untarred
     46  strongswan-4.4.0.tar.bz2. You will use this in the next step.
     47
     48  BUILDING LIBABAC
     49
     50  $ STRONGSWAN_SRC_DIR=path/to/strongswan-4.4.0
     51  $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
     52  $ make && sudo make install
     53
     54}}}
     55
     56Downloaded and installed strongswan as instructed above. Was able to follow directions, except had to additionally install the ''GNU Multi Precision library gmp'' (libgmp3c2 and libgmp3-dev).  Had to install ''python-pyasn1'' in order for the libABAC configure command to work. Also, ''swig'' is needed for the make to complete. Did not install libssl-dev, as it was installed as part of the GCF package installation. Here is the full list of commands in the order they were executed to get installed abac-0.1.3 and running:
     57{{{
     58  $ wget http://abac.deterlab.net/src/abac-0.1.3.tgz 
     59  $ tar xvzf abac-0.1.3.tgz
     60  $ more abac-0.1.3/doc/INSTALL
     61  $ sudo apt-get install libgmp3c2 libgmp3-dev
     62  $ sudo apt-get install swig
     63  $ cpan
     64  cpan[1]> install IO::Socket::SSL
     65  cpan[2]> install HTTP::Daemon::SSL
     66  cpan[3]> install RPC::XML
     67  $ wget http://download.strongswan.org/strongswan-4.4.0.tar.bz2
     68  $ tar xjvf strongswan-4.4.0.tar.bz2
     69  $ cd strongswan-4.4.0
     70  $ ./configure --enable-monolithic
     71  $ cd src/libstrongswan
     72  $ make && sudo make install
     73  $ export STRONGSWAN_SRC_DIR=/home/lnevers/tied/strongswan-4.4.0
     74  $ cd ../../../abac-0.1.3/
     75  $ sudo apt-get install python-pyasn1
     76  $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
     77  $ make && sudo make install
     78  }}}
     79
     803. Installed the ABAC/GENI package within the GCF directory structure, note that the  untar adds files to the ''src'' directory and delivers an ''ABAC_README''. :
     81
     82{{{
     83  $ mv abac_geniapi-1.0.tgz  ../gcf-1.2/.
     84  $ cd ../gcf-1.2
     85  $ tar xvzf abac_geniapi-1.0.tgz
     86}}}
     87
     88The ABAC_README file states:
     89
     90{{{
     91  This is a quick start document for the ABAC additions to the GENIAPI AM.
     92  More details about the implementation are available in the document at
     93  DOCURL and in the code.
     94
     95  In addition to the software support for the GENIAPI described at
     96  http://trac.gpolab.bbn.com/gcf/wiki/QuickStart the ABAC implementation
     97  requires libABAC from http://abac.deterlab.net/.  Installing that
     98  requires libstrongswan and swig as described in
     99  http://abac.deterlab.net/browser/doc/dependencies
     100
     101  In addition the code requires pyasn1, available from
     102  http://pypi.python.org/pypi/pyasn1/
     103
     104  On FreeBSD that can be installed from the ports collection:
     105
     106  $ cd /usr/ports/devel/py-asn1
     107  $ sudo make install
     108
     109  Ubuntu:
     110
     111  $ sudo apt-get install python-pyasn1
     112
     113  Fedora:
     114
     115  $ sudo yum install python-pyasn1
     116
     117  to perform the analog of the GENIAPI test run (from
     118  http://trac.gpolab.bbn.com/gcf/wiki/QuickStart ) do the following:
     119
     120  unload the ABAC tarfile into the gcf directory.  (You have probably done
     121  that to get this file).
     122
     123  Create the abac policy credentials:
     124
     125  $ python src/gen-abac-certs.py
     126
     127  Start an ABAC clearing house (all these are from the gcf directory):
     128
     129  $ python src/gcf-abac-ch.py
     130
     131  In another window start the ABAC enabled AM:
     132
     133  $ python  src/gcf-abac-am.py
     134
     135  In a third window run the test script:
     136
     137  $ python ./src/gcf-test-abac.py
     138
     139  You will see output similar to the GENIAPI test run.
     140
     141}}}
     142
     143After setting "export LD_LIBRARY_PATH=/usr/local/lib" in the environment, was able to run all commands.  Captures are all from withing the ''gcf-1.2'' directory.
     144First, created the ABAC policy credentials:
     145{{{
     146$ python src/gen-abac-certs.py
     147}}}
     148Start an ABAC clearing house :
     149{{{
     150$ python src/gcf-abac-ch.py
     151INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
     152INFO:gcf-ch:Registering AM urn:publicid:IDN+geni:gpo:gcf+am1+authority+am at http://localhost:8001
     153INFO:cred-verifier:Adding trusted cert file ch-cert.pem
     154INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
     155INFO:gcf-ch:GENI CH Listening on port 8000...
     156}}}
     157In another window started the ABAC enabled AM:
     158{{{
     159$ python  src/gcf-abac-am.py
     160INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
     161INFO:cred-verifier:Adding trusted cert file ch-cert.pem
     162INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
     163INFO:gcf-am:GENI AM Listening on port 8001...
     164}}}
     165And finally, in a third window ran the test script:
     166{{{
     167$ python ./src/gcf-test-abac.py
     168INFO:gcf-test:CH Server is https://127.0.0.1:8000/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
     169INFO:gcf-test:AM Server is https://127.0.0.1:8001/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
     170Slice Creation SUCCESS: URN = urn:publicid:IDN+geni:gpo:gcf+slice+5e3c-afa:127.0.0.1%3A8000
     171Testing GetVersion... passed
     172Testing ListResources... passed
     173Testing CreateSliver... passed
     174Testing SliverStatus... passed
     175Testing ListResources... passed
     176Testing RenewSliver... passed. (Result: True)
     177Testing DeleteSliver... passed
     178Testing ListResources... passed
     179Second Slice URN = urn:publicid:IDN+geni:gpo:gcf+slice+4141-b6c:127.0.0.1%3A8000
     180Testing ListResources... passed
     181Testing CreateSliver... passed
     182Testing Shutdown... passed
     183}}}
     184
     185'''Note:''' The ABAC Libraries are also available via git repository:
     186{{{
     187 $  /usr/bin/git clone git://abac.deterlab.net/abac.git
     188}}}
     189
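Review bot: The command capture at lines 58 and 67 downloads abac-0.1.3.tgz and strongswan-4.4.0.tar.bz2 with `wget http://...` and proceeds directly to `make && sudo make install` without any integrity check, so the how-to has readers building and installing as root code that was fetched over an unauthenticated channel. Please add a verification step between the download and the untar (compare against a checksum or signature published by each project) and state where the reference value comes from. The same applies to the `git clone git://abac.deterlab.net/abac.git` note at line 187, since the git:// transport gives no server authentication; if the project offers an authenticated transport, document that one instead. Smaller documentation points: line 17 names the prerequisite "GCF 1.02" while line 25 and the `gcf-1.2` directory say 1.2; the `export LD_LIBRARY_PATH=/usr/local/lib` setting that line 143 says was required is missing from the command list at lines 58-77; and the three cpan modules installed at lines 64-66 are not mentioned in the prose at line 56, which lists only gmp, python-pyasn1 and swig as the extra dependencies.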