Changes between Version 4 and Version 5 of GeniAuthorization


Ignore:
Timestamp:
08/25/11 11:20:00 (8 years ago)
Author:
tmitchel@bbn.com
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GeniAuthorization

    v4 v5  
     1[[PageOutline]]
    12= Authorization =
    23
    34GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.
    45
    5 == GEC10 Authorization Engineering Meeting ==
     6= GEC 11 Engineering Meeting =
     7== Meeting Summary ==
     8'''Ted Faber''' reviewed the goals of the Authorization effort within GENI and discussed the status of ABAC integration with ProtoGENI. Ted highlighted challenges that they faced both with ProtoGENI and with the GENI AM API. Ted demonstrated the ABAC integration using omni to access ProtoGENI with ABAC credentials instead of GENI credentials. Ted also discussed helpful tools for using ABAC and next steps (see below) for the authorization effort. Ted's [attachment:wiki:GEC11Authorization:integration.pdf slides] are available on the [wiki:GEC11Authorization session wiki page].
     9
     10Details:
     11 * Status of ABAC integration with ProtoGENI
     12  * ABAC is integrated in both ProtoGENI and omni
     13  * The ProtoGENI slice authority can generate ABAC credentials related to a slice
     14  * The ProtoGENI AM can accept ABAC credentials and use them for authorization decisions
     15 * Challenges faced
     16  * ProtoGENI uses their current credentials for information unrelated to authorization, so the integration requires both current credentials and ABAC credentials
     17  * The AM API uses simple scalar return values and XML-RPC Faults, but ABAC matches better with complex return values (like a structure) in order to communicate why something failed or succeeded
     18 * ABAC tools
     19  * creddy (http://abac.deterlab.net/wiki/Creddy) - a command line tool for credential generation and verification
     20  * crudge (http://abac.deterlab.net/wiki/CrudgeDocs) - a graphical tool to view an ABAC proof or policy
     21   * Java Web Start: http://abac.deterlab.net/java/crudge.jnlp
     22
     23'''Jeff Chase''' gave an overview of ORCA from the practical standpoint of an implementer. He went on to describe two unique facets of ORCA's use of ABAC: policy templates and RT1-lite. ORCA uses policy templates to instantiate policies about specific objects, like slices, on demand. RT1-lite is a technique to handle single parameters to ABAC assertions in RT0, a parameter-less version of ABAC as currently implemented in the ABAC library. Jeff also described the trust structure used in ORCA to inform the discussion about GENI trust structure. Jeff's [attachment:wiki:GEC11Authorization:chase-abac-gec11.ppt slides] are available on the [wiki:GEC11Authorization session wiki page].
     24
     25'''Steve Schwab''' discussed next steps for the Authorization effort with respect to control framework integration, tools, and vocabulary (see below). Steve's [attachment:wiki:GEC11Authorization:GEC11-authorization-wrapup-schwab.pdf slides] are available on the [wiki:GEC11Authorization session wiki page].
     26
     27== Proposed Next Steps ==
     28 * Continue ProtoGENI ABAC integration
     29 * Assist ORCA with ABAC integration
     30 * Revise APIs
     31  * The Easy Stuff: Widen AM API
     32  * The Hard Stuff: Standardize other Elements
     33 * Define a GENI vocabulary for ABAC authorization
     34 * Continue to develop and revise ABAC tools
     35 * Integrate with prototype identity portal
     36
     37
     38= GEC10 Authorization Engineering Meeting =
    639
    740At GEC10 there was an [wiki:GEC10Auth authorization engineering meeting] which discussed a proposal by Steve Schwab (ISI) and Ted Faber (ISI) to incorporate Attribute Based Access Control and its viability as a GENI authorization framework. Steve and Ted recommended ABAC as an authorization mechanism for GENI that would enable richer authorization decisions, use declarative policies, and improve logging and forensic support. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.
     
    2962  * ISI: Report results by GEC11
    3063
    31 == Getting Involved ==
     64= Getting Involved =
    3265
    3366If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at geni.net) or Tom Mitchell (tmitchell at bbn.com).