wiki:GIR3.1_TIED

Version 1 (modified by lnevers@bbn.com, 8 years ago)

TIED Evaluation

The Trial Integration Environment in DETER (TIED) project has integrated the Attribute-Based Access Control (ABAC) implementation from USC/ISI and Sparta (version 0.1.2) with the GENIAPI AM (version 1.0). This integration delivers the ability to set up a multi-aggregate experiment using the GENIAPI to manipulate ProtoGENI resources. The software evaluated was available at the TIED page as abac_geniapi-1.0.tgz, released on 01/06/11. Supporting documentation for Design and Integration of ABAC and the GENIAPI AM: Version 1 can be found here.

Time frame: Evaluation took place on March 23-24 and March 31, 2011.

TIED Findings

The installation order of the packages and their prerequisites is spread across multiple documentation files, with information available in each. Overall, the documentation captures the required installation. Once installed, one issue was found with the ABAC Libraries 0.1.2, which was resolved in the latest ABAC 0.1.3 package. Some minor feedback about issues encountered was provided to the ABAC team.

TIED How-to

The ABAC/GENI AM software package evaluation was completed on an Ubuntu 10.04.02 system. This evaluation requires that the following software packages be installed:

Note 1: Initial evaluation was done with ABAC 0.1.2, which had a blocking issue addressed in ABAC 0.1.3.

The capture below shows the order in which the software was installed, which was determined from the instructions in each of the packages.

  1. Installed the prerequisite GCF 1.2 package as documented on the GCF QuickStart page.
  1. Installed the ABAC prerequisite tools as instructed in the INSTALL instructions:
  For Java installation instructions, see doc/java_install.

  Prior to building libabac you must install libstrongswan.

  Download strongswan-4.4.0 from strongswan.org:
     http://download.strongswan.org/strongswan-4.4.0.tar.bz2

  FreeBSD users: add --with-group=wheel to strongswan ./configure

  $ tar xjvf strongswan-4.4.0.tar.bz2
  $ cd strongswan-4.4.0
  $ ./configure --enable-monolithic    [FreeBSD: see note above]
  $ cd src/libstrongswan
  $ make && sudo make install

  Be sure to make note of the directory into which you've untarred
  strongswan-4.4.0.tar.bz2. You will use this in the next step.

  BUILDING LIBABAC

  $ STRONGSWAN_SRC_DIR=path/to/strongswan-4.4.0
  $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
  $ make && sudo make install

Downloaded and installed strongswan as instructed above. Was able to follow the directions, except that the GNU Multi Precision library gmp (libgmp3c2 and libgmp3-dev) also had to be installed. python-pyasn1 had to be installed for the libABAC configure command to work. Also, swig is needed for the make to complete. Did not install libssl-dev, as it was installed as part of the GCF package installation. Here is the full list of commands, in the order they were executed, to get abac-0.1.3 installed and running:

  $ wget http://abac.deterlab.net/src/abac-0.1.3.tgz  
  $ tar xvzf abac-0.1.3.tgz
  $ more abac-0.1.3/doc/INSTALL
  $ sudo apt-get install libgmp3c2 libgmp3-dev
  $ sudo apt-get install swig 
  $ cpan 
  cpan[1]> install IO::Socket::SSL
  cpan[2]> install HTTP::Daemon::SSL
  cpan[3]> install RPC::XML
  $ wget http://download.strongswan.org/strongswan-4.4.0.tar.bz2
  $ tar xjvf strongswan-4.4.0.tar.bz2
  $ cd strongswan-4.4.0
  $ ./configure --enable-monolithic 
  $ cd src/libstrongswan
  $ make && sudo make install
  $ export STRONGSWAN_SRC_DIR=/home/lnevers/tied/strongswan-4.4.0
  $ cd ../../../abac-0.1.3/
  $ sudo apt-get install python-pyasn1 
  $ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
  $ make && sudo make install
  1. Installed the ABAC/GENI package within the GCF directory structure. Note that the untar adds files to the src directory and delivers an ABAC_README:
  $ mv abac_geniapi-1.0.tgz  ../gcf-1.2/.
  $ cd ../gcf-1.2
  $ tar xvzf abac_geniapi-1.0.tgz 
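
The prerequisites found by trial in the steps above (gmp, swig, python-pyasn1, the strongswan source directory) and the LD_LIBRARY_PATH setting noted further down can be checked in one pass before running ./configure. The following is an added example, not part of the ABAC or GCF packages; the function names and the header search directories are assumptions.

```shell
#!/bin/sh
# Added example (not from the ABAC or GCF distributions): preflight check for
# the libabac build, covering the prerequisites this evaluation hit by trial.

# True if directory $1 is an entry in the colon-separated list $2.
path_list_has() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# True if a header named $1 exists in any of the remaining directory arguments.
have_header() {
    hdr=$1; shift
    for dir in "$@"; do
        [ -f "$dir/$hdr" ] && return 0
    done
    return 1
}

# Print one line per missing prerequisite; return non-zero if any is missing.
abac_preflight() {
    missing=0
    command -v swig >/dev/null 2>&1 ||
        { echo "missing: swig (needed for make to complete)"; missing=1; }
    # Header locations are assumed defaults; adjust for other prefixes.
    have_header gmp.h /usr/include /usr/local/include ||
        { echo "missing: gmp headers (libgmp3-dev)"; missing=1; }
    python -c 'import pyasn1' >/dev/null 2>&1 ||
        { echo "missing: python-pyasn1 (needed by ./configure)"; missing=1; }
    [ -d "${STRONGSWAN_SRC_DIR:-}" ] ||
        { echo "missing: STRONGSWAN_SRC_DIR is not a directory"; missing=1; }
    path_list_has /usr/local/lib "${LD_LIBRARY_PATH:-}" ||
        { echo "missing: /usr/local/lib in LD_LIBRARY_PATH (needed at run time)"; missing=1; }
    return $missing
}
```

Source the file and run `abac_preflight` from the abac-0.1.3 directory; a zero exit status means every check passed.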

The ABAC_README file states:

  This is a quick start document for the ABAC additions to the GENIAPI AM.
  More details about the implementation are available in the document at
  DOCURL and in the code.

  In addition to the software support for the GENIAPI described at
  http://trac.gpolab.bbn.com/gcf/wiki/QuickStart the ABAC implementation
  requires libABAC from http://abac.deterlab.net/.  Installing that
  requires libstrongswan and swig as described in
  http://abac.deterlab.net/browser/doc/dependencies

  In addition the code requires pyasn1, available from
  http://pypi.python.org/pypi/pyasn1/

  On FreeBSD that can be installed from the ports collection:

  $ cd /usr/ports/devel/py-asn1
  $ sudo make install

  Ubuntu:

  $ sudo apt-get install python-pyasn1

  Fedora:

  $ sudo yum install python-pyasn1

  to perform the analog of the GENIAPI test run (from
  http://trac.gpolab.bbn.com/gcf/wiki/QuickStart ) do the following:

  unload the ABAC tarfile into the gcf directory.  (You have probably done
  that to get this file).

  Create the abac policy credentials:

  $ python src/gen-abac-certs.py

  Start an ABAC clearing house (all these are from the gcf directory):

  $ python src/gcf-abac-ch.py 

  In another window start the ABAC enabled AM:

  $ python  src/gcf-abac-am.py 

  In a third window run the test script:

  $ python ./src/gcf-test-abac.py 

  You will see output similar to the GENIAPI test run.

After setting "export LD_LIBRARY_PATH=/usr/local/lib" in the environment, was able to run all commands. Captures are all from within the gcf-1.2 directory. First, created the ABAC policy credentials:

$ python src/gen-abac-certs.py

Started an ABAC clearing house:

$ python src/gcf-abac-ch.py 
INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
INFO:gcf-ch:Registering AM urn:publicid:IDN+geni:gpo:gcf+am1+authority+am at http://localhost:8001
INFO:cred-verifier:Adding trusted cert file ch-cert.pem
INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
INFO:gcf-ch:GENI CH Listening on port 8000...

In another window started the ABAC enabled AM:

$ python  src/gcf-abac-am.py 
INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
INFO:cred-verifier:Adding trusted cert file ch-cert.pem
INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
INFO:gcf-am:GENI AM Listening on port 8001...

And finally, in a third window ran the test script:

$ python ./src/gcf-test-abac.py 
INFO:gcf-test:CH Server is https://127.0.0.1:8000/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
INFO:gcf-test:AM Server is https://127.0.0.1:8001/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
Slice Creation SUCCESS: URN = urn:publicid:IDN+geni:gpo:gcf+slice+5e3c-afa:127.0.0.1%3A8000
Testing GetVersion... passed
Testing ListResources... passed
Testing CreateSliver... passed
Testing SliverStatus... passed
Testing ListResources... passed
Testing RenewSliver... passed. (Result: True)
Testing DeleteSliver... passed
Testing ListResources... passed
Second Slice URN = urn:publicid:IDN+geni:gpo:gcf+slice+4141-b6c:127.0.0.1%3A8000
Testing ListResources... passed
Testing CreateSliver... passed
Testing Shutdown... passed

Note: The ABAC Libraries are also available via git repository:

  $ /usr/bin/git clone git://abac.deterlab.net/abac.git