5 | | == GEC10 Authorization Engineering Meeting == |
| 6 | = GEC 11 Engineering Meeting = |
| 7 | == Meeting Summary == |
| 8 | '''Ted Faber''' reviewed the goals of the Authorization effort within GENI and discussed the status of ABAC integration with ProtoGENI. Ted highlighted challenges that they faced both with ProtoGENI and with the GENI AM API. Ted demonstrated the ABAC integration using omni to access ProtoGENI with ABAC credentials instead of GENI credentials. Ted also discussed helpful tools for using ABAC and next steps (see below) for the authorization effort. Ted's [attachment:wiki:GEC11Authorization:integration.pdf slides] are available on the [wiki:GEC11Authorization session wiki page]. |
| 9 | |
| 10 | Details: |
| 11 | * Status of ABAC integration with ProtoGENI |
| 12 | * ABAC is integrated in both ProtoGENI and omni |
| 13 | * The ProtoGENI slice authority can generate ABAC credentials related to a slice |
| 14 | * The ProtoGENI AM can accept ABAC credentials and use them for authorization decisions |
| 15 | * Challenges faced |
| 16 | * ProtoGENI uses their current credentials for information unrelated to authorization, so the integration requires both current credentials and ABAC credentials |
| 17 | * The AM API uses simple scalar return values and XML-RPC Faults, but ABAC matches better with complex return values (like a structure) in order to communicate why something failed or succeeded |
| 18 | * ABAC tools |
| 19 | * creddy (http://abac.deterlab.net/wiki/Creddy) - a command line tool for credential generation and verification |
| 20 | * crudge (http://abac.deterlab.net/wiki/CrudgeDocs) - a graphical tool to view an ABAC proof or policy |
| 21 | * Java Web Start: http://abac.deterlab.net/java/crudge.jnlp |
| 22 | |
| 23 | '''Jeff Chase''' gave an overview of ORCA from the practical standpoint of an implementer. He went on to describe two unique facets of ORCA's use of ABAC: policy templates and RT1-lite. ORCA uses policy templates to instantiate policies about specific objects, like slices, on demand. RT1-lite is a technique to handle single parameters to ABAC assertions in RT0, a parameter-less version of ABAC as currently implemented in the ABAC library. Jeff also described the trust structure used in ORCA to inform the discussion about GENI trust structure. Jeff's [attachment:wiki:GEC11Authorization:chase-abac-gec11.ppt slides] are available on the [wiki:GEC11Authorization session wiki page]. |
| 24 | |
| 25 | '''Steve Schwab''' discussed next steps for the Authorization effort with respect to control framework integration, tools, and vocabulary (see below). Steve's [attachment:wiki:GEC11Authorization:GEC11-authorization-wrapup-schwab.pdf slides] are available on the [wiki:GEC11Authorization session wiki page]. |
| 26 | |
| 27 | == Proposed Next Steps == |
| 28 | * Continue ProtoGENI ABAC integration |
| 29 | * Assist ORCA with ABAC integration |
| 30 | * Revise APIs |
| 31 | * The Easy Stuff: Widen AM API |
| 32 | * The Hard Stuff: Standardize other Elements |
| 33 | * Define a GENI vocabulary for ABAC authorization |
| 34 | * Continue to develop and revise ABAC tools |
| 35 | * Integrate with prototype identity portal |
| 36 | |
| 37 | |
| 38 | = GEC10 Authorization Engineering Meeting = |