== TIED Evaluation ==

The Trial Integration Environment in DETER ([http://groups.geni.net/geni/wiki/TIED TIED]) project has integrated the [http://abac.deterlab.net/ Attribute-Based Access Control] implementation from USC/ISI and Sparta (version 0.1.2) with the GENIAPI AM (version 1.0). This integration delivers the ability to set up a multi-aggregate experiment using the GENIAPI to manipulate ProtoGENI resources.

The software evaluated was available at the [http://groups.geni.net/geni/wiki/TIED TIED] page as [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi-1.0.tgz], released on 01/06/11. Supporting documentation for ''Design and Integration of ABAC and the GENIAPI AM: Version 1'' can be found [http://groups.geni.net/geni/attachment/wiki/TIED/ABAC_GENIAPIv1.2.pdf here].

Time frame: Evaluation took place between March 23-24, and March 31 2011.

== TIED Findings ==

The installation order of the packages and their prerequisites is spread across multiple documentation files, and information is available in each. Overall, the documentation captures the required installation. Once installed, there was one issue found with the ABAC Libraries 0.1.2, which was resolved in the latest ABAC 0.1.3 package. Some minor feedback about issues encountered was provided to the ABAC team.

== TIED How-to ==

The ABAC/GENI AM software package evaluation was completed on an Ubuntu 10.04.02 system.
This evaluation requires that the following software packages be installed:
 * GCF GENI AM software [http://trac.gpolab.bbn.com/gcf GCF 1.02]
 * ABAC libraries [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3] ^^(see Note 1)^^
 * ABAC/GENI AM software [http://groups.geni.net/geni/attachment/wiki/TIED/abac_geniapi-1.0.tgz abac_geniapi 1.0]

^^ Note 1: Initial evaluation was done with ABAC 0.1.2, which had a blocking issue addressed in [http://abac.deterlab.net/src/abac-0.1.3.tgz ABAC 0.1.3].^^

The captures below show the order in which the software was installed, which was determined from the instructions in each of the packages.

 1. Installed the prerequisite [http://www.gpolab.bbn.com/local-sw/ GCF 1.2] package as documented at the [http://trac.gpolab.bbn.com/gcf/wiki/QuickStart GCF QuickStart] page.

 2. Installed the ABAC prerequisite tools as instructed in the INSTALL instructions:
{{{
For Java installation instructions, see doc/java_install.

Prior to building libabac you must install libstrongswan. Download
strongswan-4.4.0 from strongswan.org:

http://download.strongswan.org/strongswan-4.4.0.tar.bz2

FreeBSD users: add --with-group=wheel to strongswan ./configure

$ tar xjvf strongswan-4.4.0.tar.bz2
$ cd strongswan-4.4.0
$ ./configure --enable-monolithic [FreeBSD: see note above]
$ cd src/libstrongswan
$ make && sudo make install

Be sure to make note of the directory into which you've untarred
strongswan-4.4.0.tar.bz2. You will use this in the next step.

BUILDING LIBABAC

$ STRONGSWAN_SRC_DIR=path/to/strongswan-4.4.0
$ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
$ make && sudo make install
}}}

Downloaded and installed strongswan as instructed above. Was able to follow directions, except had to additionally install the ''GNU Multi Precision library gmp'' (libgmp3c2 and libgmp3-dev). Had to install ''python-pyasn1'' in order for the libABAC configure command to work. Also, ''swig'' is needed for the make to complete.
Did not install libssl-dev, as it was installed as part of the GCF package installation.

Here is the full list of commands, in the order they were executed, to get abac-0.1.3 installed and running:
{{{
$ wget http://abac.deterlab.net/src/abac-0.1.3.tgz
$ tar xvzf abac-0.1.3.tgz
$ more abac-0.1.3/doc/INSTALL
$ sudo apt-get install libgmp3c2 libgmp3-dev
$ sudo apt-get install swig
$ cpan
cpan[1]> install IO::Socket::SSL
cpan[2]> install HTTP::Daemon::SSL
cpan[3]> install RPC::XML
$ wget http://download.strongswan.org/strongswan-4.4.0.tar.bz2
$ tar xjvf strongswan-4.4.0.tar.bz2
$ cd strongswan-4.4.0
$ ./configure --enable-monolithic
$ cd src/libstrongswan
$ make && sudo make install
$ export STRONGSWAN_SRC_DIR=/home/lnevers/tied/strongswan-4.4.0
$ cd ../../../abac-0.1.3/
$ sudo apt-get install python-pyasn1
$ ./configure --with-strongswan=$STRONGSWAN_SRC_DIR
$ make && sudo make install
}}}

 3. Installed the ABAC/GENI package within the GCF directory structure. Note that the untar adds files to the ''src'' directory and delivers an ''ABAC_README'':
{{{
$ mv abac_geniapi-1.0.tgz ../gcf-1.2/.
$ cd ../gcf-1.2
$ tar xvzf abac_geniapi-1.0.tgz
}}}

The ABAC_README file states:
{{{
This is a quick start document for the ABAC additions to the GENIAPI AM.
More details about the implementation are available in the document at
DOCURL and in the code.

In addition to the software support for the GENIAPI described at
http://trac.gpolab.bbn.com/gcf/wiki/QuickStart the ABAC implementation
requires libABAC from http://abac.deterlab.net/.
Installing that requires libstrongswan and swig as described in
http://abac.deterlab.net/browser/doc/dependencies

In addition the code requires pyasn1, available from
http://pypi.python.org/pypi/pyasn1/

On FreeBSD that can be installed from the ports collection:

$ cd /usr/ports/devel/py-asn1
$ sudo make install

Ubuntu:

$ sudo apt-get install python-pyasn1

Fedora:

$ sudo yum install python-pyasn1

to perform the analog of the GENIAPI test run (from
http://trac.gpolab.bbn.com/gcf/wiki/QuickStart ) do the following:

unload the ABAC tarfile into the gcf directory. (You have probably done
that to get this file).

Create the abac policy credentials:

$ python src/gen-abac-certs.py

Start an ABAC clearing house (all these are from the gcf directory):

$ python src/gcf-abac-ch.py

In another window start the ABAC enabled AM:

$ python src/gcf-abac-am.py

In a third window run the test script:

$ python ./src/gcf-test-abac.py

You will see output similar to the GENIAPI test run.
}}}

After setting "export LD_LIBRARY_PATH=/usr/local/lib" in the environment, was able to run all commands. Captures are all from within the ''gcf-1.2'' directory.

First, created the ABAC policy credentials:
{{{
$ python src/gen-abac-certs.py
}}}

Start an ABAC clearing house:
{{{
$ python src/gcf-abac-ch.py
INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
INFO:gcf-ch:Registering AM urn:publicid:IDN+geni:gpo:gcf+am1+authority+am at http://localhost:8001
INFO:cred-verifier:Adding trusted cert file ch-cert.pem
INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
INFO:gcf-ch:GENI CH Listening on port 8000...
}}}

In another window started the ABAC enabled AM:
{{{
$ python src/gcf-abac-am.py
INFO:cred-verifier:Will accept credentials signed by any of 1 root certs found in /home/lnevers/.gcf/trusted_roots: ['/home/lnevers/.gcf/trusted_roots/ch-cert.pem']
INFO:cred-verifier:Adding trusted cert file ch-cert.pem
INFO:cred-verifier:Combined dir of 1 trusted certs /home/lnevers/.gcf/trusted_roots into file /home/lnevers/.gcf/trusted_roots/CATedCACerts.pem for Python SSL support
INFO:gcf-am:GENI AM Listening on port 8001...
}}}

And finally, in a third window ran the test script:
{{{
$ python ./src/gcf-test-abac.py
INFO:gcf-test:CH Server is https://127.0.0.1:8000/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
INFO:gcf-test:AM Server is https://127.0.0.1:8001/. Using keyfile /home/lnevers/.gcf/alice-key.pem, certfile /home/lnevers/.gcf/alice-cert.pem
Slice Creation SUCCESS: URN = urn:publicid:IDN+geni:gpo:gcf+slice+5e3c-afa:127.0.0.1%3A8000
Testing GetVersion... passed
Testing ListResources... passed
Testing CreateSliver... passed
Testing SliverStatus... passed
Testing ListResources... passed
Testing RenewSliver... passed. (Result: True)
Testing DeleteSliver... passed
Testing ListResources... passed
Second Slice URN = urn:publicid:IDN+geni:gpo:gcf+slice+4141-b6c:127.0.0.1%3A8000
Testing ListResources... passed
Testing CreateSliver... passed
Testing Shutdown... passed
}}}

'''Note:''' The ABAC Libraries are also available via git repository:
{{{
$ /usr/bin/git clone git://abac.deterlab.net/abac.git
}}}
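
A check for a saved transcript of the `gcf-test-abac.py` run captured above, so that a re-run (for example after moving from ABAC 0.1.2 to 0.1.3) can be verified without reading the log by eye. This is an added example, not part of the GCF or ABAC packages; the function names, the expected-call list and the `failed` result word are assumptions derived from the capture on this page.

```shell
#!/bin/sh
# Added example; not part of the GCF or ABAC distributions.
# Assumption: each call is reported as "Testing <Call>... passed", as in
# the capture on this page; any other result word is treated as a failure.

# GENI AM API calls exercised in the capture.
EXPECTED_CALLS="GetVersion ListResources CreateSliver SliverStatus RenewSliver DeleteSliver Shutdown"

# Reads a transcript on stdin and prints one line per problem. Returns 0
# only if no call failed and every expected call was attempted.
check_transcript() {
  awk -v expected="$EXPECTED_CALLS" '
    $1 == "Testing" && $2 ~ /\.\.\.$/ {
      call = $2; sub(/\.\.\.$/, "", call); seen[call] = 1
      if ($3 !~ /^passed/) { print "FAILED " call; bad++ }
    }
    END {
      n = split(expected, want, " ")
      for (i = 1; i <= n; i++)
        if (!(want[i] in seen)) { print "MISSING " want[i]; bad++ }
      exit (bad > 0)
    }'
}

# Abridged from the capture on this page.
sample_ok() {
  cat <<'EOF'
Slice Creation SUCCESS: URN = urn:publicid:IDN+geni:gpo:gcf+slice+5e3c-afa:127.0.0.1%3A8000
Testing GetVersion... passed
Testing ListResources... passed
Testing CreateSliver... passed
Testing SliverStatus... passed
Testing RenewSliver... passed. (Result: True)
Testing DeleteSliver... passed
Testing Shutdown... passed
EOF
}

# Constructed: a run that stops after a failure ("failed" is hypothetical wording).
sample_aborted() {
  cat <<'EOF'
Testing GetVersion... passed
Testing ListResources... passed
Testing CreateSliver... failed
EOF
}

if sample_ok | check_transcript; then echo "all expected calls passed"; fi
```

An empty transcript, such as one from a run that stopped before the first call, reports every expected call as `MISSING` and returns non-zero.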