| | 5 | |
| | 6 | = GEC 13 Engineering Meeting = |
| | 7 | == Summary == |
| | 8 | GEC 13 marked the completion of the ABAC evaluation period in the software track of the GECs over the last year. There were a number |
| | 9 | of invited talks by individuals or projects that have spent time evaluating ABAC and prototyping ABAC integration. After the invited talks |
| | 10 | there was open discussion and a sense of the room was taken. ABAC was adopted as the long-term authorization framework for GENI. |
| | 11 | |
| | 12 | == Introduction == |
| | 13 | '''Steve Schwab''' introduced the session and set the stage for invited talks and open discussion prior to a decision on authorization in GENI. |
| | 14 | |
| | 15 | == Invited Talks == |
| | 16 | '''Andy Bavier''' discussed work done by '''David Cheperdak''' to prototype ABAC integration in SFA to support GENI Cloud. There are plans |
| | 17 | to integrate ABAC support as an experimental feature in the near future. Andy sees some potential benefits to ABAC as the underlying authorization framework. |
| | 18 | While !PlanetLab is willing to support ABAC if the GENI community agrees to adopt it, !PlanetLab is not pushing for ABAC. |
| | 19 | See [attachment:wiki:GEC13Agenda/Authorization:gec13-abac-sfa.pptx Andy's slides] on the |
| | 20 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 21 | |
| | 22 | '''Rob Ricci''' presented the ProtoGENI view of ABAC. The ProtoGENI team has looked at Ted Faber's ABAC integration with the ProtoGENI aggregate |
| | 23 | manager software. They feel comfortable adopting this code and merging it into the ProtoGENI codebase. Rob enumerated a few concerns about |
| | 24 | adopting ABAC in GENI. He mentioned the possible combinatorial explosion of attributes in RT0/RT1-lite examples, and the lack of high-level |
| | 25 | documentation available for developers, administrators, and users. Rob closed by saying that ABAC has potential, and ProtoGENI supports |
| | 26 | making ABAC an optional authorization framework for GENI. He cautioned that new ABAC work would not jump to the front of the ProtoGENI |
| | 27 | development queue, so it may take ProtoGENI a while to support ABAC. |
| | 28 | See [attachment:wiki:GEC13Agenda/Authorization:pgeni-abac-gec13.pdf Rob's slides] on the |
| | 29 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 30 | |
| | 31 | '''Jeff Chase''' spoke in strong support of ABAC for GENI. Jeff summarized a number of efforts underway by the ORCA team to explore fielding |
| | 32 | ABAC as an authorization system. Jeff also summarized his work to describe authorization in the GENI architecture via his [wiki:AuthStoryBoard Authorization Storyboard]. |
| | 33 | The ORCA team has prototyped "POD", a credential storage system (demonstrated on Tuesday night at the demo session), and the possible |
| | 34 | transport of relatively dynamic policies within a federation. Finally, Jeff espoused the virtues of a declarative policy and attribute system like ABAC. |
| | 35 | See [attachment:wiki:GEC13Agenda/Authorization:gec13-auth-chase.ppt Jeff's slides] on the |
| | 36 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 37 | |
| | 38 | '''Ted Faber''' described the recent work of the ABAC team to add support for RT1 and RT2 logics in libabac. Ted gave an overview of specific features |
| | 39 | that are enabled by these higher order logics. These features are currently at the alpha stage and the ABAC team intends to release these features |
| | 40 | in the near future. Ted also discussed new tools for viewing and debugging ABAC policies. Both tools were demonstrated on Tuesday night |
| | 41 | at the demo session. See [attachment:wiki:GEC13Agenda/Authorization:RT2.pdf Ted's slides] on the |
| | 42 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 43 | |
| | 44 | '''Tom Mitchell''' reviewed the GPO evaluation of ABAC. ABAC was integrated into the prototype identity portal demonstrated at [wiki:GEC11Identity GEC 11], and the portal |
| | 45 | can generate both existing slice credentials and related ABAC attribute credentials. The GPO also explored the ABAC toolset for generating credentials |
| | 46 | (both command line and Python) and running the ABAC prover (via Python). Finally, the GPO did some timing tests of ABAC proofs with large chains |
| | 47 | (up to 1,000 attributes) and with many decoy attributes (up to 8,000). Performance was linear and all tests resolved in under 6 milliseconds. The GPO |
| | 48 | was in favor of adopting ABAC as the authorization framework for GENI. Tom cautioned, however, that the GPO would have limited time to work on |
| | 49 | ABAC deployment in the coming months, making a slow rollout likely. |
| | 50 | See [attachment:wiki:GEC13Agenda/Authorization:AuthDecision.pdf Tom's slides] on the |
| | 51 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 52 | |
| | 53 | == Open Discussion == |
| | 54 | '''Adam Slagell''' spoke in favor of ABAC. Adam was originally opposed to ABAC due to the complexity, but he says he has become a convert. He likes |
| | 55 | the elegance of ABAC, and now supports its use in GENI. |
| | 56 | |
| | 57 | '''Max Ott''' was opposed to ABAC adoption. He feels that GENI has plenty of issues and problems to solve, and should not add |
| | 58 | a new authorization mechanism to the list as well. Although he likes the elegance of ABAC, he also finds it "big and scary", and |
| | 59 | is very concerned about the lack of debugging tools that will be necessary if GENI relies on ABAC for authorization. |
| | 60 | |
| | 61 | '''Larry Peterson''' asked if there were existing use cases that could not be handled by current authorization, or if this effort is focused on possible future |
| | 62 | requirements that may or may not come to pass. Several attendees responded that there were several use cases on the near-term horizon in the |
| | 63 | architecture and instrumentation & measurement arenas that are likely to require richer authorization. Larry also asked if aggregates can keep |
| | 64 | their policies private or if they must publish/expose those policies. The response from the audience was that aggregates could keep their policies |
| | 65 | private. |
| | 66 | |
| | 67 | == Sense of the Room == |
| | 68 | '''Tom Mitchell''' took the sense of the room. Speakers were largely in favor (to different degrees) of ABAC. Although there were some dissenting voices, |
| | 69 | they were the clear minority. As such, the proposal to adopt ABAC as the long-term authorization in GENI was passed. |
| | 70 | |
| | 71 | == Next Steps == |
| | 72 | '''Tom Mitchell''' discussed open issues related to GENI rollout of ABAC. The topic areas included: |
| | 73 | * Vocabulary and Policy |
| | 74 | * Revocation or expiration |
| | 75 | * Attribute distribution |
| | 76 | * Policy distribution |
| | 77 | * Tools and infrastructure |
| | 78 | * Aggregate integration |
| | 79 | Tom also proposed a notional timeline for rollout. See [attachment:wiki:GEC13Agenda/Authorization:AuthFuture.pdf Tom's slides] on the |
| | 80 | [wiki:GEC13Agenda/Authorization session wiki page] for more information. |
| | 81 | |
| | 82 | Continuing discussions are anticipated. Stay tuned to the wiki pages and the dev mailing list for more info. |
| | 83 | |
