wiki:GeniAuthorization

Version 11 (modified by Aaron Helsinger, 7 years ago)

Authorization

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

For current authorization credentials used in the GENI AM API, see GeniApiCredentials. Longer term, ABAC credentials are expected to be the mechanism used for authorization. See also discussions in the GENI Software Architecture.

This page needs improvement to provide a better summary.

GEC 13 Engineering Meeting

Summary

GEC 13 marked the completion of the ABAC evaluation period in the software track of the GECs over the last year. There were a number of invited talks by individuals or projects that have spent time evaluating ABAC and prototyping ABAC integration. After the invited talks there was open discussion and a sense of the room was taken. ABAC was adopted as the long-term authorization framework for GENI.

Introduction

Steve Schwab introduced the session and set the stage for invited talks and open discussion prior to a decision on authorization in GENI.

Invited Talks

Andy Bavier discussed work done by David Cheperdak to prototype ABAC integration in SFA to support GENI Cloud. There are plans to integrate ABAC support as an experimental feature in the near future. Andy sees some potential benefits to ABAC as the underlying authorization framework. While PlanetLab is willing to support ABAC if the GENI community agrees to adopt it, PlanetLab is not pushing for ABAC. See Andy's slides on the session wiki page for more information.

Rob Ricci presented the ProtoGENI view of ABAC. The ProtoGENI team has looked at Ted Faber's ABAC integration with the ProtoGENI aggregate manager software. They feel comfortable adopting this code and merging it into the ProtoGENI codebase. Rob enumerated a few concerns about adopting ABAC in GENI. He mentioned the possible combinatorial explosion of attributes in RT0/RT1-lite examples, and the lack of high-level documentation available for developers, administrators, and users. Rob closed by saying that ABAC has potential, and ProtoGENI supports making ABAC an optional authorization framework for GENI. He cautioned that new ABAC work would not jump to the front of the ProtoGENI development queue, so it may take ProtoGENI a while to support ABAC. See Rob's slides on the session wiki page for more information.

Jeff Chase spoke in strong support of ABAC for GENI. Jeff summarized a number of efforts underway by the ORCA team to explore fielding ABAC as an authorization system. Jeff also summarized his work to describe authorization in the GENI architecture via his Authorization Storyboard. The ORCA team has prototyped "POD", a credential storage system (demonstrated on Tuesday night at the demo session), and the possible transport of relatively dynamic policies within a federation. Finally, Jeff espoused the virtues of a declarative policy and attribute system like ABAC. See Jeff's slides on the session wiki page for more information.

Ted Faber described the recent work of the ABAC team to add support for RT1 and RT2 logics in libabac. Ted gave an overview of specific features that are enabled by these higher order logics. These features are currently at the alpha stage and the ABAC team intends to release these features in the near future. Ted also discussed new tools for viewing and debugging ABAC policies. Both tools were demonstrated on Tuesday night at the demo session. See Ted's slides on the session wiki page for more information.

Tom Mitchell reviewed the GPO evaluation of ABAC. ABAC was integrated into the prototype identity portal demonstrated at GEC 11, and the portal can generate both existing slice credentials and related ABAC attribute credentials. The GPO also explored the ABAC toolset for generating credentials (both command line and Python) and running the ABAC prover (via Python). Finally, the GPO did some timing tests of ABAC proofs with large chains (up to 1,000 attributes) and with many decoy attributes (up to 8,000). Performance was linear and all tests resolved in under 6 milliseconds. The GPO was in favor of adopting ABAC as the authorization framework for GENI. Tom cautioned, however, that the GPO would have limited time to work on ABAC deployment in the coming months, making a slow rollout likely. See Tom's slides on the session wiki page for more information.

Open Discussion

Adam Slagell spoke in favor of ABAC. Adam was originally opposed to ABAC due to the complexity, but he says he has become a convert. He likes the elegance of ABAC, and now supports its use in GENI.

Max Ott was opposed to ABAC adoption. He feels that GENI has plenty of issues and problems to solve, and should not add a new authorization mechanism to the list as well. Although he likes the elegance of ABAC, he also finds it "big and scary", and is very concerned about the lack of debugging tools that will be necessary if GENI relies on ABAC for authorization.

Larry Peterson asked if there were existing use cases that could not be handled by current authorization, or if this effort is focused on possible future requirements that may or may not come to pass. Several attendees responded that there were several use cases on the near-term horizon in the architecture and instrumentation & measurement arenas that are likely to require richer authorization. Larry also asked if aggregates can keep their policies private or if they must publish/expose those policies. The response from the audience was that aggregates could keep their policies private.

Sense of the Room

Tom Mitchell took the sense of the room. Speakers were largely, to differing degrees, in favor of ABAC. Although there were some dissenting voices, they were the clear minority. As such, the proposal to adopt ABAC as the long-term authorization framework for GENI was passed.

Next Steps

Tom Mitchell discussed open issues related to GENI rollout of ABAC. The topic areas included:

  • Vocabulary and Policy
  • Revocation or expiration
  • Attribute distribution
  • Policy distribution
  • Tools and infrastructure
  • Aggregate integration

Tom also proposed a notional timeline for rollout. See Tom's slides on the session wiki page for more information.

Continuing discussions are anticipated. Stay tuned to the wiki pages and the dev mailing list for more info.

GEC 12 Engineering Meeting

Meeting Summary

Ted Faber first provided an ABAC introduction and overview. See Ted's slides on the session wiki page.

Ted Faber then proposed a simple vocabulary of ABAC attributes to use in the GENI AM API. Base operations require attributes that name the operations (like AM.CreateSliver). Researchers get attributes like ProjectLeader(project) and ProjectMember(project), which are delegatable. Other attributes include things like USC.Supervises(person), USC.student, PG.SliceAuthority, PG.AggregateManager, and SA.Creator(slice). There was some debate about whether an 'Endorses' attribute is useful and specific enough. Details are in Ted's ABAC vocabulary document. Ted's slides are available on the session wiki page.

Jeff Chase spoke (remotely) about the status of ABAC integration in ORCA and identified a few key issues relating to ABAC authorization in GENI. The prototype ABAC integration in ORCA is complete. Credential management remains an issue both in that integration and in the design for ABAC in GENI; ORCA has built a prototype persistent credential storage/retrieval service to fill this gap. Jeff is concerned about the representation of slice credentials, the nascent definition of the Clearinghouse, and credential management with respect to renewal and revocation. Jeff reviewed his six-point minimal definition of a clearinghouse, defining it as a credentialing authority. In Jeff's view:

  • actions must be tied to a key that the CH/GMOC can associate with a human;
  • actions must be in terms of a slice that can be mapped to a project leader;
  • aggregates must log actions, including actor and slice, and share logs with the GMOC/CH as needed;
  • the GMOC/CH must be able to learn the full delegation chain when needed.

This led to some debate about whether, by deployment choice, anything needed to be centralized relative to these points. Jeff's slides are available on the session wiki page. See also the Authorization Storyboard.

David Cheperdak of the U. of Victoria gave an invited talk about his plans to integrate ABAC into PlanetLab/SFA. David's slides are available on the session wiki page.

Richard Kagan of Infoblox gave an invited talk on IF-MAP. IF-MAP is a set of interfaces for a scalable, expandable data store that they are proposing for use in GENI. Richard's slides are available on the session wiki page.

GEC 11 Engineering Meeting

Meeting Summary

Ted Faber reviewed the goals of the Authorization effort within GENI and discussed the status of ABAC integration with ProtoGENI. Ted highlighted challenges that they faced both with ProtoGENI and with the GENI AM API. Ted demonstrated the ABAC integration using omni to access ProtoGENI with ABAC credentials instead of GENI credentials. Ted also discussed helpful tools for using ABAC and next steps (see below) for the authorization effort. Ted's slides are available on the session wiki page.

Details:

  • Status of ABAC integration with ProtoGENI
    • ABAC is integrated in both ProtoGENI and omni
    • The ProtoGENI slice authority can generate ABAC credentials related to a slice
    • The ProtoGENI AM can accept ABAC credentials and use them for authorization decisions
  • Challenges faced
    • ProtoGENI uses its current credentials for information unrelated to authorization, so the integration requires both current credentials and ABAC credentials
    • The AM API uses simple scalar return values and XML-RPC Faults, but ABAC matches better with complex return values (like a structure) in order to communicate why something failed or succeeded
  • ABAC tools

Jeff Chase gave an overview of ORCA from the practical standpoint of an implementer. He went on to describe two unique facets of ORCA's use of ABAC: policy templates and RT1-lite. ORCA uses policy templates to instantiate policies about specific objects, like slices, on demand. RT1-lite is a technique for handling a single parameter on ABAC assertions within RT0, the parameter-less version of ABAC currently implemented in the ABAC library. Jeff also described the trust structure used in ORCA to inform the discussion about GENI trust structure. Jeff's slides are available on the session wiki page. Also see the working paper: Authorization and Trust Structure in GENI: A Perspective on the Role of ABAC.
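The RT0 reasoning that the GEC 12 vocabulary proposal and Jeff's policy-template / RT1-lite discussion rely on can be made concrete with a small forward-chaining prover. The following is an added illustration, not libabac and not any GENI project's code: it models the three RT0 credential forms (membership, containment, linked roles), folds a single parameter into the attribute name in the RT1-lite manner (ProjectMember(projX) becomes ProjectMember_projX), instantiates per-slice rules from a template, and returns the derivation behind each decision in the structured way the GEC 11 notes say the AM API's scalar returns make awkward. The principals AM and SA, the project projX, the slice slice1, the users alice and bob, and the rules themselves are constructed for the demonstration and are not GENI's actual policy.

```python
"""Toy RT0-style ABAC prover: GEC 12 vocabulary, delegation, RT1-lite parameters, policy templates.
Added example, not libabac or GENI code; AM, SA, projX, slice1, alice and bob are constructed names."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple, Union

Role = Tuple[str, str]  # (issuing principal, attribute name), e.g. ("AM", "CreateSliver")

@dataclass(frozen=True)
class Member:       # A.r <- B        A says principal B has attribute r
    head: Role
    principal: str

@dataclass(frozen=True)
class Containment:  # A.r <- B.r1     everyone B calls r1, A also calls r
    head: Role
    role: Role

@dataclass(frozen=True)
class Linked:       # A.r <- A.r1.r2  for each X in A.r1, everyone X calls r2, A calls r
    head: Role
    via: Role
    attr: str

Credential = Union[Member, Containment, Linked]
Fact = Tuple[Role, str]  # (role, principal): "principal is a member of role"
Proof = Dict[Fact, Tuple[Credential, List[Fact]]]  # fact -> (credential used, facts it relied on)

def rt1_lite(attr: str, param: str) -> str:
    """RT1-lite: fold one parameter into an RT0 attribute name, ProjectMember(projX) -> ProjectMember_projX."""
    return f"{attr}_{param}"

def fmt(x) -> str:  # render a role or a credential in A.r <- ... notation
    if isinstance(x, tuple):
        return f"{x[0]}.{x[1]}"
    if isinstance(x, Member):
        return f"{fmt(x.head)} <- {x.principal}"
    if isinstance(x, Containment):
        return f"{fmt(x.head)} <- {fmt(x.role)}"
    return f"{fmt(x.head)} <- {fmt(x.via)}.{x.attr}"

def compute_members(creds: List[Credential]) -> Tuple[Dict[Role, Set[str]], Proof]:
    """Forward-chain to a fixpoint, recording how each fact was first derived."""
    members: Dict[Role, Set[str]] = {}
    why: Proof = {}
    def derive(head: Role, p: str, c: Credential, deps: List[Fact]) -> bool:
        known = members.setdefault(head, set())
        if p in known:
            return False
        known.add(p)
        why[(head, p)] = (c, deps)
        return True
    changed = True
    while changed:  # member sets only grow over a finite universe, so this terminates
        changed = False
        for c in creds:
            if isinstance(c, Member):
                changed |= derive(c.head, c.principal, c, [])
            elif isinstance(c, Containment):
                for p in list(members.get(c.role, ())):
                    changed |= derive(c.head, p, c, [(c.role, p)])
            else:
                for x in list(members.get(c.via, ())):
                    for p in list(members.get((x, c.attr), ())):
                        changed |= derive(c.head, p, c, [(c.via, x), ((x, c.attr), p)])
    return members, why

def explain(why: Proof, fact: Fact, depth: int = 0) -> List[str]:
    """One line per credential in the derivation tree of a fact (the 'why' of a decision)."""
    c, deps = why[fact]
    lines = ["  " * depth + f"{fmt(fact[0])} has {fact[1]}   [{fmt(c)}]"]
    for d in deps:
        lines += explain(why, d, depth + 1)
    return lines

def authorize(creds: List[Credential], role: Role, principal: str) -> Tuple[bool, List[str]]:
    """Decision plus a structured reason, rather than a bare scalar or an XML-RPC fault."""
    members, why = compute_members(creds)
    if principal in members.get(role, set()):
        return True, explain(why, (role, principal))
    return False, [f"no proof that {principal} is in {fmt(role)}"]

def slice_policy(am: str, sa: str, slice_name: str, project: str) -> List[Credential]:
    """Policy template: per-slice rules instantiated on demand when a slice is created."""
    op = (am, rt1_lite("CreateSliver", slice_name))
    creator = rt1_lite("Creator", slice_name)
    return [
        Linked(op, (am, "SliceAuthority"), creator),  # AM.CreateSliver_s <- AM.SliceAuthority.Creator_s
        Containment((sa, creator), (sa, rt1_lite("ProjectMember", project))),  # SA.Creator_s <- SA.ProjectMember_p
    ]

def example_credentials() -> List[Credential]:
    leader = rt1_lite("ProjectLeader", "projX")
    member = rt1_lite("ProjectMember", "projX")
    return [
        Member(("AM", "SliceAuthority"), "SA"),          # AM trusts SA as a slice authority
        Member(("SA", leader), "bob"),                   # SA names bob leader of projX
        Linked(("SA", member), ("SA", leader), member),  # delegatable membership: leaders admit members
        Member(("bob", member), "alice"),                # bob admits alice to projX
    ] + slice_policy("AM", "SA", "slice1", "projX")
```

Calling authorize(example_credentials(), ("AM", "CreateSliver_slice1"), "alice") returns True together with a six-line derivation: the AM's linked role reaches through the trusted slice authority to SA.Creator_slice1, which contains SA.ProjectMember_projX, which alice holds only because bob, the delegated project leader, admitted her. The same call for bob or for an unknown principal returns False with a one-line reason. Two points from the meetings fall out of the model: every slice adds its own CreateSliver_s and Creator_s names, which is the attribute growth Rob raised about RT0/RT1-lite, and unrelated credentials cost only a linear scan per fixpoint pass, which is why padding the set with thousands of decoy attributes (as in the GPO timing test) leaves the decision unchanged.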

Steve Schwab discussed next steps for the Authorization effort with respect to control framework integration, tools, and vocabulary (see below). Steve's slides are available on the session wiki page.

Proposed Next Steps

  • Continue ProtoGENI ABAC integration
  • Assist ORCA with ABAC integration
  • Revise APIs
    • The Easy Stuff: Widen AM API
    • The Hard Stuff: Standardize other Elements
  • Define a GENI vocabulary for ABAC authorization
  • Continue to develop and revise ABAC tools
  • Integrate with prototype identity portal

GEC10 Authorization Engineering Meeting

At GEC10 there was an authorization engineering meeting that discussed a proposal by Steve Schwab (ISI) and Ted Faber (ISI) to incorporate Attribute Based Access Control (ABAC) into GENI and to evaluate its viability as a GENI authorization framework. Steve and Ted recommended ABAC as an authorization mechanism for GENI that would enable richer authorization decisions, use declarative policies, and improve logging and forensic support. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.

Community Agreement

The meeting concluded with a community agreement to try ABAC for at most one year. Specifically:

  • ABAC should be added to the GENI AM API as an alternative means of authorization
    • Does not replace existing credentials
    • Supports gaining experience with ABAC
  • An existing aggregate should be ABAC-enabled
    • Aggregates are not required to add ABAC support
    • Supports gaining experience with ABAC
    • ProtoGENI AM is the likely first target
    • Experience and proposed next steps to be reported at GEC11
  • Limit the ABAC 'experiment' to 1 year
    • Either select it or reject it within that time frame

Next Steps

  • ISI: Integrate ABAC assertion handling into ProtoGENI AM (w/GPO support)
  • ISI: Implement existing access rules as ABAC assertions
  • ISI: Issue ABAC assertions for existing users
  • ISI: Explore richer assertions and policy rules within ProtoGENI code base
  • ISI: Report results by GEC11

Getting Involved

If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at geni.net) or Tom Mitchell (tmitchell at bbn.com).