Changes between Version 5 and Version 6 of GeniAuthorization

11/11/11 10:53:52 (10 years ago)



  • GeniAuthorization

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

= GEC 12 Engineering Meeting =

== Meeting Summary ==

'''Ted Faber''' first provided an ABAC introduction and overview. See Ted's [attachment:wiki:GEC12Authorization:vocabulary.pdf slides] on the [wiki:GEC12Authorization session wiki page].

'''Ted Faber''' then proposed a simple vocabulary of ABAC attributes to use in the GENI AM API. Base operations require attributes that name the operations (like AM.!CreateSliver). Researchers get attributes like !ProjectLeader(project) and !ProjectMember(project), which are delegatable. Other attributes include USC.Supervises(person), USC.student, PG.!SliceAuthority, PG.!AggregateManager and SA.Creator(slice). There was some debate about whether an 'Endorses' attribute is useful and specific enough.

Details are in Ted's [attachment:wiki:TIED:ABAC_Vocabulary_1.0.pdf ABAC vocabulary document].

'''Jeff Chase''' spoke (remotely) about the status of ABAC integration in ORCA and identified a few key issues relating to ABAC authorization in GENI. The prototype ABAC integration in ORCA is complete. Credential management remains an issue, both in that integration and in the design for ABAC in GENI; ORCA has built a prototype persistent credential storage/retrieval service to fill this gap. Jeff is concerned about the representation of slice credentials, the nascent definition of the Clearinghouse, and credential management with respect to renewal and revocation. Jeff reviewed his 6 point minimal definition of a clearinghouse, defining it as a credentialing authority. In Jeff's view, actions must be tied to a key that the CH/GMOC can associate with a human; actions must be in terms of a slice that can be mapped to a project leader; aggregates must log actions, including actor and slice, and share logs with the GMOC/CH as needed; and the GMOC/CH must be able to learn the full delegation chain when needed. This led to some debate about whether, by deployment choice, anything needed to be centralized relative to these points. Jeff's [attachment:wiki:GEC12Authorization:GEC12-chase-auth.pdf slides] are available on the [wiki:GEC12Authorization session wiki page].

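The following is an added example, not code from the session, from ORCA, or from any GENI implementation. It shows how an aggregate could evaluate a request against Ted's proposed vocabulary using RT0-style ABAC credentials (A.r <- B, A.r <- B.r1, A.r <- A.r1.r2), and how the derivation it records is exactly the delegation chain Jeff wants the CH/GMOC to be able to recover. The clearinghouse name CH, project p1, the principals Alice, Bob and Carol, and the policy rules themselves are assumptions made for the illustration; the attribute names (AM.CreateSliver, ProjectLeader(project), ProjectMember(project), USC.student) come from the vocabulary above.

```python
"""Minimal RT0-style ABAC evaluator over the GEC 12 attribute vocabulary (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Role = Tuple[str, str]  # (issuer, role name including any parameter, e.g. ("CH", "ProjectMember(p1)"))


@dataclass(frozen=True)
class Member:        # A.r <- B          : B holds A.r directly
    principal: str


@dataclass(frozen=True)
class RoleRef:       # A.r <- B.r1       : everyone holding B.r1 holds A.r
    issuer: str
    role: str


@dataclass(frozen=True)
class Linked:        # A.r <- A.r1.r2    : everyone holding X.r2 for some X holding A.r1 holds A.r
    first: str
    second: str


def split_dots(s: str) -> List[str]:
    """Split on '.' outside parentheses: 'CH.ProjectMember(p1)' -> ['CH', 'ProjectMember(p1)']."""
    parts, cur, depth = [], [], 0
    for ch in s:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "." and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts


def parse(text: str):
    """Parse one credential line into (head role, body)."""
    lhs, rhs = (s.strip() for s in text.split("<-"))
    issuer, role = split_dots(lhs)
    parts = split_dots(rhs)
    if len(parts) == 1:
        body = Member(parts[0])
    elif len(parts) == 2:
        body = RoleRef(parts[0], parts[1])
    elif len(parts) == 3 and parts[0] == issuer:   # RT0 linked roles start with the head's issuer
        body = Linked(parts[1], parts[2])
    else:
        raise ValueError(f"not an RT0 credential: {text}")
    return (issuer, role), body


def derive(cred_texts: List[str]) -> Dict[Role, Dict[str, List[str]]]:
    """Forward-chain to a fixpoint. Maps role -> principal -> the credentials used (the delegation chain)."""
    creds = [(parse(t), t) for t in cred_texts]
    members: Dict[Role, Dict[str, List[str]]] = {}
    changed = True
    while changed:
        changed = False
        for (head, body), text in creds:
            found: Dict[str, List[str]] = {}
            if isinstance(body, Member):
                found[body.principal] = [text]
            elif isinstance(body, RoleRef):
                for p, chain in members.get((body.issuer, body.role), {}).items():
                    found[p] = [text] + chain
            else:  # Linked: for each B holding head_issuer.first, take everyone holding B.second
                for b, chain1 in members.get((head[0], body.first), {}).items():
                    for p, chain2 in members.get((b, body.second), {}).items():
                        found[p] = [text] + chain1 + chain2
            bucket = members.setdefault(head, {})
            for p, chain in found.items():
                if p not in bucket:       # first derivation wins; later ones add no new member
                    bucket[p] = chain
                    changed = True
    return members


def prove(cred_texts: List[str], role_text: str, principal: str) -> Optional[List[str]]:
    """Return the credential chain showing `principal` holds `role_text` (e.g. 'AM.CreateSliver'), else None."""
    issuer, role = split_dots(role_text)
    return derive(cred_texts).get((issuer, role), {}).get(principal)


# Constructed credentials for the illustration (names and policy are assumptions, not GENI policy).
CREDENTIALS = [
    "AM.CreateSliver <- CH.ProjectMember(p1)",                        # aggregate policy: CH's p1 members may create slivers
    "CH.ProjectMember(p1) <- CH.ProjectLeader(p1).ProjectMember(p1)",  # CH lets the p1 leader delegate membership
    "CH.ProjectLeader(p1) <- Alice",                                   # CH names Alice leader of p1
    "Alice.ProjectMember(p1) <- Bob",                                  # Alice delegates membership to Bob
    "USC.student <- Carol",                                            # institutional attribute; grants nothing at AM
]

if __name__ == "__main__":
    for who in ("Bob", "Carol", "Alice"):
        chain = prove(CREDENTIALS, "AM.CreateSliver", who)
        print(who, "->", "DENY" if chain is None else "ALLOW via " + " | ".join(chain))
```

Bob is authorized and the returned chain (aggregate policy, CH delegation rule, Alice's leader credential, Alice's grant to Bob) is the record an aggregate would log alongside the actor and slice. Carol's USC.student attribute derives nothing at the aggregate. Note that Alice herself is denied: being ProjectLeader(p1) does not make her a ProjectMember(p1) under these assumed rules unless she delegates to herself, which is the kind of vocabulary edge case the session's debate was about.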
'''David Cheperdak''' of the U. of Victoria gave an invited talk about his plans to integrate ABAC into !PlanetLab/SFA. David's [attachment:"wiki:GEC12Authorization:GEC-12 ABAC Presentation - Final.pdf" slides] are available on the [wiki:GEC12Authorization session wiki page].

'''Richard Kagan''' of Infoblox gave an invited talk on IF-MAP. IF-MAP is a set of interfaces for a scalable, expandable data store that they are proposing for use in GENI. Richard's [attachment:"wiki:GEC12Authorization:IF-MAP GEC12.pdf" slides] are available on the [wiki:GEC12Authorization session wiki page].

= GEC 11 Engineering Meeting =