| 1 | == TIED Evaluation == |
| 2 | |
| 3 | The Trial Integration Environment in DETER ([http://groups.geni.net/geni/wiki/TIED TIED]) project has integrated the [http://abac.deterlab.net/ Attribute-Based Access Control] (ABAC) implementation from USC/ISI and Sparta (version 0.1.2) with the GENIAPI AM (version 1.0). This integration delivers the ability to set up a multi-aggregate experiment using the GENIAPI to manipulate ProtoGENI resources. The software evaluated was available at the [http://groups.geni.net/geni/wiki/TIED TIED] page as [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi-1.0.tgz] released on 01/06/11. Supporting documentation, ''Design and Integration of ABAC and the GENIAPI AM: Version 1'', can be found [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf here]. |
| 4 | |
| 5 | Time frame: Evaluation took place on March 23-24 and March 31, 2011. |
| 6 | |
| 7 | == TIED Findings == |
| 8 | |
| 9 | The installation order of the packages and their prerequisites is spread across multiple documentation files, with part of the information in each. Taken together, the documentation covers |
| 10 | the required installation. Once installed, one issue was found with the ABAC Libraries 0.1.2, which was resolved in the latest ABAC 0.1.3 package. |
| 11 | Some minor feedback about issues encountered was provided to the ABAC team. |
| 12 | |
| 13 | == TIED How-to == |
| 14 | |
| 15 | The ABAC/GENI AM software package evaluation was completed on an Ubuntu 10.04.02 system. This evaluation requires that the following software packages be installed: |
| 16 | |
| 17 | * GCF GENI AM software [http://trac.gpolab.bbn.com/gcf GCF 1.02] |
| 18 | * ABAC libraries [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3] ^^(see Note 1)^^ |
| 19 | * ABAC/GENI AM software [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi 1.0] |
| 20 | |
| 21 | ^^ Note 1: Initial evaluation was done with ABAC 0.1.2, which had a blocking issue addressed in [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3].^^ |
| 22 | |
| 23 | The captures below show the order in which the software was installed, which was determined from the instructions in each of the packages. |
| 24 | |
| 25 | 1. Installed the prerequisite [http://www.gpolab.bbn.com/local-sw/ GCF 1.2] package as documented at the [http://trac.gpolab.bbn.com/gcf/wiki/QuickStart GCF QuickStart] page. |
| 26 | |
| 27 | 2. Installed the ABAC prerequisite tools as instructed in the INSTALL instructions: |
| 28 | |
| 29 | {{{ |
| 30 | For Java installation instructions, see doc/java_install. |
| 31 | |
| 32 | Prior to building libabac you must install libstrongswan. |
| 33 | |
| 34 | Download strongswan-4.4.0 from strongswan.org: |
| 35 | http://download.strongswan.org/strongswan-4.4.0.tar.bz2 |
| 36 | |
| 37 | FreeBSD users: add --with-group=wheel to strongswan ./configure |
| 38 | |
| 39 | $ tar xjvf strongswan-4.4.0.tar.bz2 |
| 40 | $ cd strongswan-4.4.0 |
| 41 | $ ./configure --enable-monolithic [FreeBSD: see note above] |
| 42 | $ cd src/libstrongswan |
| 43 | $ make && sudo make install |
| 44 | |
| 45 | Be sure to make note of the directory into which you've untarred |
| 46 | strongswan-4.4.0.tar.bz2. You will use this in the next step. |
| 47 | |
| 48 | BUILDING LIBABAC |
| 49 | |
| 50 | $ STRONGSWAN_SRC_DIR=path/to/strongswan-4.4.0 |
| 51 | $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR |
| 52 | $ make && sudo make install |
| 53 | |
| 54 | }}} |
| 55 | |
| 56 | Downloaded and installed strongswan as instructed above. Was able to follow the directions, but additionally had to install the ''GNU Multi Precision library gmp'' (libgmp3c2 and libgmp3-dev). Had to install ''python-pyasn1'' in order for the libABAC configure command to work. Also, ''swig'' is needed for the make to complete. Did not install libssl-dev, as it was installed as part of the GCF package installation. Here is the full list of commands, in the order they were executed, to get abac-0.1.3 installed and running: |
| 57 | {{{ |
| 58 | $ wget http://abac.deterlab.net/src/abac-0.1.3.tgz |
| 59 | $ tar xvzf abac-0.1.3.tgz |
| 60 | $ more abac-0.1.3/doc/INSTALL |
| 61 | $ sudo apt-get install libgmp3c2 libgmp3-dev |
| 62 | $ sudo apt-get install swig |
| 63 | $ cpan |
| 64 | cpan[1]> install IO::Socket::SSL |
| 65 | cpan[2]> install HTTP::Daemon::SSL |
| 66 | cpan[3]> install RPC::XML |
| 67 | $ wget http://download.strongswan.org/strongswan-4.4.0.tar.bz2 |
| 68 | $ tar xjvf strongswan-4.4.0.tar.bz2 |
| 69 | $ cd strongswan-4.4.0 |
| 70 | $ ./configure --enable-monolithic |
| 71 | $ cd src/libstrongswan |
| 72 | $ make && sudo make install |
| 73 | $ export STRONGSWAN_SRC_DIR=/home/lnevers/tied/strongswan-4.4.0 |
| 74 | $ cd ../../../abac-0.1.3/ |
| 75 | $ sudo apt-get install python-pyasn1 |
| 76 | $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR |
| 77 | $ make && sudo make install |
| 78 | }}} |
| 79 | |
| 80 | 3. Installed the ABAC/GENI package within the GCF directory structure. Note that the untar adds files to the ''src'' directory and delivers an ''ABAC_README'': |
| 81 | |
| 82 | {{{ |
| 83 | $ mv abac_geniapi-1.0.tgz ../gcf-1.2/. |
| 84 | $ cd ../gcf-1.2 |
| 85 | $ tar xvzf abac_geniapi-1.0.tgz |
| 86 | }}} |
| 87 | |
| 88 | The ABAC_README file states: |
| 89 | |
| 90 | {{{ |
| 91 | This is a quick start document for the ABAC additions to the GENIAPI AM. |
| 92 | More details about the implementation are available in the document at |
| 93 | DOCURL and in the code. |
| 94 | |
| 95 | In addition to the software support for the GENIAPI described at |
| 96 | http://trac.gpolab.bbn.com/gcf/wiki/QuickStart the ABAC implementation |
| 97 | requires libABAC from http://abac.deterlab.net/. Installing that |
| 98 | requires libstrongswan and swig as described in |
| 99 | http://abac.deterlab.net/browser/doc/dependencies |
| 100 | |
| 101 | In addition the code requires pyasn1, available from |
| 102 | http://pypi.python.org/pypi/pyasn1/ |
| 103 | |
| 104 | On FreeBSD that can be installed from the ports collection: |
| 105 | |
| 106 | $ cd /usr/ports/devel/py-asn1 |
| 107 | $ sudo make install |
| 108 | |
| 109 | Ubuntu: |
| 110 | |
| 111 | $ sudo apt-get install python-pyasn1 |
| 112 | |
| 113 | Fedora: |
| 114 | |
| 115 | $ sudo yum install python-pyasn1 |
| 116 | |
| 117 | to perform the analog of the GENIAPI test run (from |
| 118 | http://trac.gpolab.bbn.com/gcf/wiki/QuickStart ) do the following: |
| 119 | |
| 120 | unload the ABAC tarfile into the gcf directory. (You have probably done |
| 121 | that to get this file). |
| 122 | |
| 123 | Create the abac policy credentials: |
| 124 | |
| 125 | $ python src/gen-abac-certs.py |
| 126 | |
| 127 | Start an ABAC clearing house (all these are from the gcf directory): |
| 128 | |
| 129 | $ python src/gcf-abac-ch.py |
| 130 | |
| 131 | In another window start the ABAC enabled AM: |
| 132 | |
| 133 | $ python src/gcf-abac-am.py |
| 134 | |
| 135 | In a third window run the test script: |
| 136 | |
| 137 | $ python ./src/gcf-test-abac.py |
| 138 | |
| 139 | You will see output similar to the GENIAPI test run. |
| 140 | |
| 141 | }}} |
| 142 | |
| 143 | After setting "export LD_LIBRARY_PATH=/usr/local/lib" in the environment, was able to run all commands. Captures are all from within the ''gcf-1.2'' directory. |
| 144 | First, created the ABAC policy credentials: |
| 145 | {{{ |
| 146 | $ python src/gen-abac-certs.py |
| 147 | }}} |
| 148 | Started an ABAC clearing house: |
| 149 | {{{ |
| 150 | $ python src/gcf-abac-ch.py |
| 151 | INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem'] |
| 152 | INFO:gcf-ch:Registering AM urn:publicid:IDN+geni:gpo:gcf+am1+authority+am at http://localhost:8001 |
| 153 | INFO:cred-verifier:Adding trusted cert file ch-cert.pem |
| 154 | INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support |
| 155 | INFO:gcf-ch:GENI CH Listening on port 8000... |
| 156 | }}} |
| 157 | In another window started the ABAC enabled AM: |
| 158 | {{{ |
| 159 | $ python src/gcf-abac-am.py |
| 160 | INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem'] |
| 161 | INFO:cred-verifier:Adding trusted cert file ch-cert.pem |
| 162 | INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support |
| 163 | INFO:gcf-am:GENI AM Listening on port 8001... |
| 164 | }}} |
| 165 | And finally, in a third window ran the test script: |
| 166 | {{{ |
| 167 | $ python ./src/gcf-test-abac.py |
| 168 | INFO:gcf-test:CH Server is https://127.0.0.1:8000/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem |
| 169 | INFO:gcf-test:AM Server is https://127.0.0.1:8001/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem |
| 170 | Slice Creation SUCCESS: URN = urn:publicid:IDN+geni:gpo:gcf+slice+5e3c-afa:127.0.0.1%3A8000 |
| 171 | Testing GetVersion... passed |
| 172 | Testing ListResources... passed |
| 173 | Testing CreateSliver... passed |
| 174 | Testing SliverStatus... passed |
| 175 | Testing ListResources... passed |
| 176 | Testing RenewSliver... passed. (Result: True) |
| 177 | Testing DeleteSliver... passed |
| 178 | Testing ListResources... passed |
| 179 | Second Slice URN = urn:publicid:IDN+geni:gpo:gcf+slice+4141-b6c:127.0.0.1%3A8000 |
| 180 | Testing ListResources... passed |
| 181 | Testing CreateSliver... passed |
| 182 | Testing Shutdown... passed |
| 183 | }}} |
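
The CH and AM captures above both print the set of root certificates from which `cred-verifier` will accept signed credentials. The following is an added example, not part of the original page or of the GCF/ABAC packages: it parses that startup banner and reports any trust root that is not on an expected list. The function names and the allowlist `{"ch-cert.pem"}` are assumptions made for illustration.

```python
import ast
import re

# Sample input: startup lines taken from the AM capture above.
SAMPLE_LOG = """\
INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
INFO:cred-verifier:Adding trusted cert file ch-cert.pem
INFO:gcf-am:GENI AM Listening on port 8001...
"""

# Banner fields: declared root count, trusted_roots directory, list of cert paths.
BANNER_RE = re.compile(
    r"^INFO:cred-verifier:Will accept credentials signed by any of (\d+) "
    r"root certs found in (\S+): (\[.*\])\s*$"
)


def parse_trust_roots(log_text):
    """Return (declared_count, directory, [cert paths]) per banner line."""
    banners = []
    for line in log_text.splitlines():
        m = BANNER_RE.match(line)
        if not m:
            continue
        try:
            # The list is printed as a Python literal; literal_eval parses
            # it without executing anything from the log.
            paths = [str(p) for p in ast.literal_eval(m.group(3))]
        except (ValueError, SyntaxError):
            paths = []  # malformed list shows up as a count mismatch below
        banners.append((int(m.group(1)), m.group(2), paths))
    return banners


def audit_trust_roots(log_text, allowed_names):
    """Return findings; an empty list means the roots match the allowlist."""
    findings = []
    banners = parse_trust_roots(log_text)
    if not banners:
        findings.append("no cred-verifier trust-root banner in log")
    for declared, directory, paths in banners:
        if declared != len(paths):
            findings.append(f"declared {declared} roots but listed {len(paths)}")
        for path in paths:
            if not path.startswith(directory.rstrip("/") + "/"):
                findings.append(f"root outside trusted_roots dir: {path}")
            elif path.rsplit("/", 1)[-1] not in allowed_names:
                findings.append(f"unexpected trust root: {path.rsplit('/', 1)[-1]}")
    return findings
```

Run `audit_trust_roots()` over the saved startup output of both `gcf-abac-ch.py` and `gcf-abac-am.py`; any finding means the service accepts credentials from a root other than the one expected.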
| 184 | |
| 185 | '''Note:''' The ABAC Libraries are also available via git repository: |
| 186 | {{{ |
| 187 | $ /usr/bin/git clone git://abac.deterlab.net/abac.git |
| 188 | }}} |
| 189 | |