Changes between Version 9 and Version 10 of GeniAuthorization

03/19/12 14:17:44

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

= GEC 13 Engineering Meeting =
== Summary ==
GEC 13 marked the completion of the ABAC evaluation period in the software track of the GECs over the last year. There were a number
of invited talks by individuals or projects that have spent time evaluating ABAC and prototyping ABAC integration. After the invited talks
there was open discussion and a sense of the room was taken. ABAC was adopted as the long-term authorization framework for GENI.

== Introduction ==
'''Steve Schwab''' introduced the session and set the stage for invited talks and open discussion prior to a decision on authorization in GENI.

== Invited Talks ==
'''Andy Bavier''' discussed work done by '''David Cheperdak''' to prototype ABAC integration in SFA to support GENI Cloud. There are plans
to integrate ABAC support as an experimental feature in the near future. Andy sees some potential benefits to ABAC as the underlying authorization framework.
While !PlanetLab is willing to support ABAC if the GENI community agrees to adopt it, !PlanetLab is not pushing for ABAC.
See [attachment:wiki:GEC13Agenda/Authorization:gec13-abac-sfa.pptx Andy's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

'''Rob Ricci''' presented the ProtoGENI view of ABAC. The ProtoGENI team has looked at Ted Faber's ABAC integration with the ProtoGENI aggregate
manager software. They feel comfortable adopting this code and merging it into the ProtoGENI codebase. Rob enumerated a few concerns about
adopting ABAC in GENI. He mentioned the possible combinatorial explosion of attributes in RT0/RT1-lite examples, and the lack of high-level
documentation available for developers, administrators, and users. Rob closed by saying that ABAC has potential, and ProtoGENI supports
making ABAC an optional authorization framework for GENI. He cautioned that new ABAC work would not jump to the front of the ProtoGENI
development queue, so it may take ProtoGENI a while to support ABAC.
See [attachment:wiki:GEC13Agenda/Authorization:pgeni-abac-gec13.pdf Rob's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

'''Jeff Chase''' spoke in strong support of ABAC for GENI. Jeff summarized a number of efforts underway by the ORCA team to explore fielding
ABAC as an authorization system. Jeff also summarized his work to describe authorization in the GENI architecture via his [wiki:AuthStoryBoard Authorization Storyboard].
The ORCA team has prototyped "POD", a credential storage system (demonstrated on Tuesday night at the demo session), and the possible
transport of relatively dynamic policies within a federation. Finally, Jeff espoused the virtues of a declarative policy and attribute system like ABAC.
See [attachment:wiki:GEC13Agenda/Authorization:gec13-auth-chase.ppt Jeff's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

'''Ted Faber''' described the recent work of the ABAC team to add support for the RT1 and RT2 logics in libabac. Ted gave an overview of specific features
that are enabled by these higher-order logics. These features are currently at the alpha stage, and the ABAC team intends to release them
in the near future. Ted also discussed new tools for viewing and debugging ABAC policies. Both tools were demonstrated on Tuesday night
at the demo session. See [attachment:wiki:GEC13Agenda/Authorization:RT2.pdf Ted's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

'''Tom Mitchell''' reviewed the GPO evaluation of ABAC. ABAC was integrated into the prototype identity portal demonstrated at [wiki:GEC11Identity GEC 11], and the portal
can generate both existing slice credentials and related ABAC attribute credentials. The GPO also explored the ABAC toolset for generating credentials
(both command line and Python) and running the ABAC prover (via Python). Finally, the GPO did some timing tests of ABAC proofs with large chains
(up to 1,000 attributes) and with many decoy attributes (up to 8,000). Performance was linear and all tests resolved in under 6 milliseconds. The GPO
was in favor of adopting ABAC as the authorization framework for GENI. Tom cautioned, however, that the GPO would have limited time to work on
ABAC deployment in the coming months, making a slow rollout likely.
See [attachment:wiki:GEC13Agenda/Authorization:AuthDecision.pdf Tom's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

== Open Discussion ==
'''Adam Slagell''' spoke in favor of ABAC. Adam was originally opposed to ABAC due to the complexity, but he says he has become a convert. He likes
the elegance of ABAC, and now supports its use in GENI.

'''Max Ott''' was opposed to ABAC adoption. He feels that GENI has plenty of issues and problems to solve, and should not add
a new authorization mechanism to the list as well. Although he likes the elegance of ABAC, he also finds it "big and scary", and
is very concerned about the lack of debugging tools that will be necessary if GENI relies on ABAC for authorization.

'''Larry Peterson''' asked if there were existing use cases that could not be handled by current authorization, or if this effort is focused on possible future
requirements that may or may not come to pass. Several attendees responded that there were several use cases on the near-term horizon in the
architecture and instrumentation & measurement arenas that are likely to require richer authorization. Larry also asked if aggregates can keep
their policies private or if they must publish/expose those policies. The response from the audience was that aggregates could keep their policies

== Sense of the Room ==
'''Tom Mitchell''' took the sense of the room. Speakers were largely in favor (to different degrees) of ABAC. Although there were some dissenting voices,
they were the clear minority. As such, the proposal to adopt ABAC as the long-term authorization framework in GENI was passed.

== Next Steps ==
'''Tom Mitchell''' discussed open issues related to GENI rollout of ABAC. The topic areas included:
 * Vocabulary and Policy
 * Revocation or expiration
 * Attribute distribution
 * Policy distribution
 * Tools and infrastructure
 * Aggregate integration
Tom also proposed a notional timeline for rollout. See [attachment:wiki:GEC13Agenda/Authorization:AuthFuture.pdf Tom's slides] on the
[wiki:GEC13Agenda/Authorization session wiki page] for more information.

Continuing discussions are anticipated. Stay tuned to the wiki pages and the dev mailing list for more info.

= GEC 12 Engineering Meeting =