Version 3 (modified by tmitchel@bbn.com, 13 years ago)

Authorization

GENI requires an authorization solution that allows architectural components (the Clearinghouse and Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on attributes such as institutional affiliation, project role or project membership. Aggregates are expected to have local policies governing access to and use of their resources.

GEC10 Authorization Engineering Meeting

At GEC10 there was an authorization engineering meeting which discussed a proposal by Steve Schwab (ISI) and Ted Faber (ISI) to incorporate Attribute Based Access Control (ABAC), and evaluated its viability as a GENI authorization framework. Steve and Ted recommended ABAC as an authorization mechanism for GENI that would enable richer authorization decisions, use declarative policies, and improve logging and forensic support. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.
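The following is an added illustration, not code from the GENI project or the ISI proposal, of the style of decision the two sections above describe: an aggregate's local policy expressed as declarative attribute credentials (written here in the RT0-like "issuer.role <- member" form that ABAC uses), with experimenter privileges derived from institutional affiliation or project role, and the credential chain that justified each decision returned for the audit log. The credentials, principal names and the aggregate's policy are constructed sample data; the real GENI credential format is not shown on this page.

```python
from collections import deque

# Constructed sample credentials (hypothetical issuers and principals).
# Each tuple (issuer, role, member) reads "issuer.role <- member": the member is
# either a principal or another "issuer.role" whose holders are delegated in.
CREDENTIALS = [
    ("AggregateX", "access",       "GENI.experimenter"),  # aggregate's local policy
    ("GENI",       "experimenter", "ProjectPI.member"),   # project role grants access
    ("GENI",       "experimenter", "BBN.faculty"),        # institutional affiliation too
    ("ProjectPI",  "member",       "alice"),
    ("BBN",        "faculty",      "bob"),
    ("UtahEmulab", "student",      "carol"),              # no qualifying attribute
]

def authorized(target_role, principal, creds=CREDENTIALS):
    """Return the credential chain proving `principal` holds `target_role`,
    or None (deny by default) when no chain of attributes reaches the principal."""
    # Backward search from the role the aggregate requires towards the
    # principal, carrying the path so the decision can be logged and audited.
    queue = deque([(target_role, [])])
    seen = set()
    while queue:
        role, chain = queue.popleft()
        if role in seen:            # delegation cycles must not loop forever
            continue
        seen.add(role)
        for issuer, r, member in creds:
            if f"{issuer}.{r}" != role:
                continue
            step = chain + [(issuer, r, member)]
            if member == principal:
                return step
            if "." in member:       # delegated to another role; keep following
                queue.append((member, step))
    return None

def audit_line(principal, target_role, chain):
    """Format one forensic log line: the outcome plus every credential used."""
    if chain is None:
        return f"DENY {principal} {target_role}: no credential chain"
    proof = "; ".join(f"{i}.{r}<-{m}" for i, r, m in chain)
    return f"ALLOW {principal} {target_role} via {proof}"

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(audit_line(user, "AggregateX.access",
                         authorized("AggregateX.access", user)))
```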

Community Agreement

The meeting concluded with a community agreement to try ABAC for at most one year. Specifically:

  • ABAC should be added to the GENI AM API as an alternative means of authorization
    • Does not replace existing credentials
    • Allow gaining experience with ABAC
  • An existing aggregate should be ABAC-enabled
    • Aggregates are not required to add ABAC support
    • Allow gaining experience with ABAC
    • ProtoGENI AM is the likely first target
    • Experience and proposed next steps to be reported at GEC11
  • Limit the ABAC 'experiment' to 1 year
    • Either select it or reject it within that time frame

Next Steps

  • ISI: Integrate ABAC assertion handling into ProtoGENI AM (w/GPO support)
  • ISI: Implement existing access rules as ABAC assertions
  • ISI: Issue ABAC assertions for existing users
  • ISI: Explore richer assertions and policy rules within ProtoGENI code base
  • ISI: Report results by GEC11

Getting Involved

If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at geni.net) or Tom Mitchell (tmitchell at bbn.com).