Changes between Version 2 and Version 3 of GeniAuthorization

04/11/11 15:30:23



  • GeniAuthorization

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

(removed in v3: [wiki:GEC10Auth GEC10 meeting])

== GEC10 Authorization Engineering Meeting ==
At GEC10 there was an [wiki:GEC10Auth authorization engineering meeting] which discussed a proposal by Steve Schwab (ISI) and Ted Faber (ISI) to adopt Attribute Based Access Control (ABAC) as a GENI authorization framework, and assessed its viability in that role. Steve and Ted recommended ABAC as an authorization mechanism for GENI that would enable richer authorization decisions, use declarative policies, and improve logging and forensic support. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.
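To make concrete what "declarative policies" and "richer authorization decisions" mean here, the following Python sketch is an added illustration; it is not part of the original page and not ISI's ABAC implementation or any GENI control framework code. It models RT0-style ABAC assertions (an issuer grants a role to a principal, delegates a role to another issuer's role, or delegates through a linked role) and derives an aggregate's access decision from attribute credentials about institutional affiliation and project role. Every issuer, role and principal name, and the credential list itself, is constructed for the example. Because each derived fact carries the chain of assertions that justified it, the same evaluation yields the kind of auditable decision record the meeting cited as a forensic benefit.

```python
"""Toy RT0-style ABAC evaluator (illustrative; not GENI's or ISI's code).

Assertion forms:
  A.r <- D       principal D has role r issued by A
  A.r <- B.s     every member of B.s has A.r
  A.r <- B.s.t   for every principal P in B.s, every member of P.t has A.r
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Role:
    issuer: str
    name: str


@dataclass(frozen=True)
class Assertion:
    head: Role
    body: Tuple  # ("principal", D) | ("role", Role) | ("linked", Role, t)
    text: str    # original credential text, kept for the audit chain


def parse(line: str) -> Assertion:
    """Parse one textual assertion into its head role and body form."""
    head_s, body_s = (s.strip() for s in line.split("<-"))
    head = Role(*head_s.split("."))
    parts = body_s.split(".")
    if len(parts) == 1:
        return Assertion(head, ("principal", parts[0]), line)
    if len(parts) == 2:
        return Assertion(head, ("role", Role(parts[0], parts[1])), line)
    if len(parts) == 3:
        return Assertion(head, ("linked", Role(parts[0], parts[1]), parts[2]), line)
    raise ValueError(f"malformed assertion: {line!r}")


# (role, principal) -> the assertions, in order, that justify the membership
Proof = Dict[Tuple[Role, str], List[str]]


def derive(assertions: List[Assertion]) -> Proof:
    """Least-fixpoint evaluation: keep applying rules until nothing new appears."""
    proof: Proof = {}

    def add(role: Role, principal: str, chain: List[str]) -> bool:
        if (role, principal) in proof:      # keep the first derivation found
            return False
        proof[(role, principal)] = chain
        return True

    changed = True
    while changed:
        changed = False
        for a in assertions:
            kind = a.body[0]
            if kind == "principal":
                changed |= add(a.head, a.body[1], [a.text])
            elif kind == "role":
                for (r, p), chain in list(proof.items()):
                    if r == a.body[1]:
                        changed |= add(a.head, p, chain + [a.text])
            else:  # linked role: follow A.s to principal P, then P.t
                _, link, name = a.body
                for (r, p), chain in list(proof.items()):
                    if r == link:
                        for (r2, p2), chain2 in list(proof.items()):
                            if r2 == Role(p, name):
                                changed |= add(a.head, p2, chain + chain2 + [a.text])
    return proof


def authorized(creds: List[str], role: str, principal: str) -> bool:
    issuer, name = role.split(".")
    return (Role(issuer, name), principal) in derive([parse(c) for c in creds])


def explain(creds: List[str], role: str, principal: str) -> List[str]:
    """Audit trail: the assertions that grant `role` to `principal` ([] if none)."""
    issuer, name = role.split(".")
    return list(derive([parse(c) for c in creds]).get((Role(issuer, name), principal), []))


# Constructed sample credentials (hypothetical names, not real GENI policy).
SAMPLE_CREDENTIALS = [
    # The aggregate's local policy, stated declaratively by the aggregate itself
    "Aggregate.access <- Aggregate.trusted_user",
    "Aggregate.access <- Aggregate.partner.staff",       # linked role
    "Aggregate.trusted_user <- Clearinghouse.member",
    "Aggregate.partner <- ISI",
    # Clearinghouse membership via project role or institutional affiliation
    "Clearinghouse.member <- Clearinghouse.project_lead",
    "Clearinghouse.member <- BBN.faculty",
    # Attribute credentials issued to individual experimenters
    "BBN.faculty <- alice",
    "Clearinghouse.project_lead <- bob",
    "ISI.staff <- carol",
]

if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "dave"):
        ok = authorized(SAMPLE_CREDENTIALS, "Aggregate.access", who)
        print(who, "allowed" if ok else "denied", explain(SAMPLE_CREDENTIALS, "Aggregate.access", who))
```

The aggregate never names alice, bob or carol; its policy only says whose attributes it trusts, and the decision follows from credentials issued elsewhere. `explain` returns the derivation chain rather than a bare yes/no, which is what an aggregate would log alongside the decision.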
== Community Agreement ==

The meeting concluded with a community agreement to try ABAC for at most one year. Specifically:
 * ABAC should be added to the GENI AM API as an alternative means of authorization
  * Does not replace existing credentials
  * Allow gaining experience with ABAC
 * An existing aggregate should be ABAC-enabled
  * Aggregates are not required to add ABAC support
  * Allow gaining experience with ABAC
  * ProtoGENI AM is the likely first target
  * Experience and proposed next steps to be reported at GEC11
 * Limit the ABAC 'experiment' to 1 year
  * Either select it or reject it within that time frame

== Next Steps ==

 * ISI: Integrate ABAC assertion handling into ProtoGENI AM (w/GPO support)
 * ISI: Implement existing access rules as ABAC assertions
 * ISI: Issue ABAC assertions for existing users
 * ISI: Explore richer assertions and policy rules within ProtoGENI code base
 * ISI: Report results by GEC11

== Getting Involved ==

If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at or Tom Mitchell (tmitchell at