Changes between Version 8 and Version 9 of GeniAuthorization


Timestamp:
12/06/11 08:07:42 (12 years ago)
Author:
chase@cs.duke.edu
Comment:

--

  • GeniAuthorization

    v8 v9  
    1111Details are in Ted's [attachment:wiki:TIED:ABAC_Vocabulary_1.0.pdf ABAC vocabulary document]. Ted's [attachment:wiki:GEC12Authorization:vocabulary.pdf slides] are available on the [wiki:GEC12Authorization session wiki page].
    1212
    13 '''Jeff Chase''' spoke (remotely) about the status of ABAC integration in ORCA and identified a few key issues relating to ABAC authorization in GENI. The prototype ABAC integration in Orca is complete. Credential management remains an issue both in that integration and in the design for ABAC in GENI. ORCA has built a prototype persistent credential storage/retrieval service to fill this gap. Jeff is concerned about the representation of slice credentials, the nascent definition of the Clearinghouse, and credential management with respect to renewal and revocation. Jeff reviewed his 6 point minimal definition of a clearinghouse, defining it as a credentialing authority. In Jeff's view, actions must be tied to a key that CH/GMOC can associate with a human, actions must be in terms of a slice that can be mapped to a project leader, aggregates must log actions, including actor and slice, and share logs with GMOC/CH as needed, and GMOC/CH must be able to learn the full delegation chain when needed. This led to some debate about whether by deployment choice anything needed to be centralized relative to these points. Jeff's [attachment:wiki:GEC12Authorization:GEC12-chase-auth.pdf slides] are available on the [wiki:GEC12Authorization session wiki page].
     13'''Jeff Chase''' spoke (remotely) about the status of ABAC integration in ORCA and identified a few key issues relating to ABAC authorization in GENI. The prototype ABAC integration in Orca is complete. Credential management remains an issue both in that integration and in the design for ABAC in GENI. ORCA has built a prototype persistent credential storage/retrieval service to fill this gap. Jeff is concerned about the representation of slice credentials, the nascent definition of the Clearinghouse, and credential management with respect to renewal and revocation. Jeff reviewed his 6 point minimal definition of a clearinghouse, defining it as a credentialing authority. In Jeff's view, actions must be tied to a key that CH/GMOC can associate with a human, actions must be in terms of a slice that can be mapped to a project leader, aggregates must log actions, including actor and slice, and share logs with GMOC/CH as needed, and GMOC/CH must be able to learn the full delegation chain when needed. This led to some debate about whether by deployment choice anything needed to be centralized relative to these points. Jeff's [attachment:wiki:GEC12Authorization:GEC12-chase-auth.pdf slides] are available on the [wiki:GEC12Authorization session wiki page].  See also the [wiki:AuthStoryBoard Authorization Storyboard].
    1414
    1515'''David Cheperdak''' of the U. of Victoria gave an invited talk about his plans to integrate ABAC into !PlanetLab/SFA. David's [attachment:"wiki:GEC12Authorization:GEC-12 ABAC Presentation - Final.pdf" slides] are available on the [wiki:GEC12Authorization session wiki page].
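Review bot: the only change in this revision is the sentence "See also the [wiki:AuthStoryBoard Authorization Storyboard]." appended to the end of the paragraph summarizing Jeff Chase's talk, yet nothing in that paragraph ties the Storyboard to his talk in particular; if the Storyboard is a page-wide reference, a separate "See also" line after the session summaries would read better than a sentence inside one speaker's paragraph, and it would not be lost if that paragraph is later reworded. Since the line is being touched anyway: it says "Jeff reviewed his 6 point minimal definition of a clearinghouse" but then lists only four or five requirements (key mapped to a human, slice mapped to a project leader, aggregates log actor and slice, logs shared with GMOC/CH, delegation chain learnable by GMOC/CH), so either enumerate all six or say the list is a summary; and it switches between "ORCA" and "Orca" in consecutive sentences, where one spelling should be used throughout.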