[[PageOutline]]

= Authorization =

GENI requires an authorization solution that will allow architectural components (Clearinghouse, Aggregates) to determine the privileges of an experimenter. Experimenters can be granted privileges based on institutional affiliation, project role or membership attributes, for instance. Aggregates are expected to have local policies regarding resource access and use.

= GEC 12 Engineering Meeting =

== Meeting Summary ==

'''Ted Faber''' first provided an ABAC introduction and overview. See Ted's [attachment:wiki:GEC12Authorization:vocabulary.pdf slides] on the [wiki:GEC12Authorization session wiki page].

'''Ted Faber''' then proposed a simple vocabulary of ABAC attributes to use in the GENI AM API. Base operations require attributes that name the operations (like AM.!CreateSliver). Researchers get attributes like !ProjectLeader(project) and !ProjectMember(project), which are delegatable. Other attributes include USC.Supervises(person), USC.student, PG.!SliceAuthority, PG.!AggregateManager and SA.Creator(slice). There was some debate about whether an 'Endorses' attribute is useful and specific enough. Details are in Ted's [attachment:wiki:TIED:ABAC_Vocabulary_1.0.pdf ABAC vocabulary document]. Ted's [attachment:wiki:GEC12Authorization:vocabulary.pdf slides] are available on the [wiki:GEC12Authorization session wiki page].

'''Jeff Chase''' spoke (remotely) about the status of ABAC integration in ORCA and identified a few key issues relating to ABAC authorization in GENI. The prototype ABAC integration in ORCA is complete. Credential management remains an issue, both in that integration and in the design for ABAC in GENI. ORCA has built a prototype persistent credential storage/retrieval service to fill this gap. Jeff is concerned about the representation of slice credentials, the nascent definition of the Clearinghouse, and credential management with respect to renewal and revocation.
Jeff reviewed his 6-point minimal definition of a clearinghouse, defining it as a credentialing authority. In Jeff's view: actions must be tied to a key that the CH/GMOC can associate with a human; actions must be in terms of a slice that can be mapped to a project leader; aggregates must log actions, including actor and slice, and share logs with the GMOC/CH as needed; and the GMOC/CH must be able to learn the full delegation chain when needed. This led to some debate about whether, by deployment choice, anything needed to be centralized relative to these points. Jeff's [attachment:wiki:GEC12Authorization:GEC12-chase-auth.pdf slides] are available on the [wiki:GEC12Authorization session wiki page]. See also the [wiki:AuthStoryBoard Authorization Storyboard].

'''David Cheperdak''' of the U. of Victoria gave an invited talk about his plans to integrate ABAC into !PlanetLab/SFA. David's [attachment:"wiki:GEC12Authorization:GEC-12 ABAC Presentation - Final.pdf" slides] are available on the [wiki:GEC12Authorization session wiki page].

'''Richard Kagan''' of Infoblox gave an invited talk on IF-MAP. IF-MAP is a set of interfaces for a scalable, expandable data store that they are proposing for use in GENI. Richard's [attachment:"wiki:GEC12Authorization:IF-MAP GEC12.pdf" slides] are available on the [wiki:GEC12Authorization session wiki page].

= GEC 11 Engineering Meeting =

== Meeting Summary ==

'''Ted Faber''' reviewed the goals of the Authorization effort within GENI and discussed the status of ABAC integration with ProtoGENI. Ted highlighted challenges that they faced both with ProtoGENI and with the GENI AM API. Ted demonstrated the ABAC integration using omni to access ProtoGENI with ABAC credentials instead of GENI credentials. Ted also discussed helpful tools for using ABAC and next steps (see below) for the authorization effort. Ted's [attachment:wiki:GEC11Authorization:integration.pdf slides] are available on the [wiki:GEC11Authorization session wiki page].
Details:
 * Status of ABAC integration with ProtoGENI
   * ABAC is integrated in both ProtoGENI and omni
   * The ProtoGENI slice authority can generate ABAC credentials related to a slice
   * The ProtoGENI AM can accept ABAC credentials and use them for authorization decisions
 * Challenges faced
   * ProtoGENI uses its current credentials for information unrelated to authorization, so the integration requires both current credentials and ABAC credentials
   * The AM API uses simple scalar return values and XML-RPC Faults, but ABAC matches better with complex return values (like a structure) in order to communicate why something failed or succeeded
 * ABAC tools
   * creddy (http://abac.deterlab.net/wiki/Creddy): a command line tool for credential generation and verification
   * crudge (http://abac.deterlab.net/wiki/CrudgeDocs): a graphical tool to view an ABAC proof or policy
     * Java Web Start: http://abac.deterlab.net/java/crudge.jnlp

'''Jeff Chase''' gave an overview of ORCA from the practical standpoint of an implementer. He went on to describe two unique facets of ORCA's use of ABAC: policy templates and RT1-lite. ORCA uses policy templates to instantiate policies about specific objects, like slices, on demand. RT1-lite is a technique to handle single parameters to ABAC assertions in RT0, the parameter-less version of ABAC as currently implemented in the ABAC library. Jeff also described the trust structure used in ORCA to inform the discussion about GENI trust structure. Jeff's [attachment:wiki:GEC11Authorization:chase-abac-gec11.ppt slides] are available on the [wiki:GEC11Authorization session wiki page]. Also see the working paper: [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/geni-abac.pdf Authorization and Trust Structure in GENI: A Perspective on the Role of ABAC].

'''Steve Schwab''' discussed next steps for the Authorization effort with respect to control framework integration, tools, and vocabulary (see below).
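To make the RT0 chain behind the GEC 12 vocabulary (AM.!CreateSliver, !ProjectLeader(project), !ProjectMember(project)) and Jeff's RT1-lite parameter folding concrete, here is a small fixpoint evaluator for RT0 credentials. It is example code added to this page, not code from libabac, ORCA or ProtoGENI; the policy, the principal names and the underscore encoding of the single parameter (ProjectMember_projA) are constructed assumptions.

```python
from collections import defaultdict

# RT0 credential forms, written as (head, body) with head = "Issuer.role":
#   body "P"       membership:   Issuer.role <- P
#   body "B.s"     containment:  Issuer.role <- B.s
#   body "B.s.t"   linked role:  Issuer.role <- B.s.t  (delegation via B.s members)
# RT1-lite style (assumption): the single parameter is folded into the role
# name, so ProjectMember(projA) is spelled ProjectMember_projA.
# Constructed policy for this example; not GENI's actual vocabulary file.
POLICY = [
    ("AM.CreateSliver",   "AM.GENIResearcher"),                          # op attribute
    ("AM.GENIResearcher", "SA.ProjectLeader_projA"),                     # leader of projA
    ("AM.GENIResearcher", "SA.ProjectLeader_projA.ProjectMember_projA"), # delegated
    ("SA.ProjectLeader_projA", "Alice"),
    ("Alice.ProjectMember_projA", "Bob"),        # Alice delegates to Bob
    ("SA.ProjectLeader_projB", "Carol"),         # projB is not accepted by this AM
    ("Carol.ProjectMember_projB", "Dave"),
]

def solve(creds):
    """Least fixpoint: role name -> set of principals proven to hold it."""
    members = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            parts = body.split(".")
            if len(parts) == 1:                      # A.r <- P
                found = {body}
            elif len(parts) == 2:                    # A.r <- B.s
                found = set(members[body])
            elif len(parts) == 3:                    # A.r <- B.s.t
                found = set()
                for p in members[parts[0] + "." + parts[1]]:
                    found |= members[p + "." + parts[2]]
            else:
                raise ValueError("unsupported RT0 body: " + body)
            if not found <= members[head]:
                members[head] |= found
                changed = True
    return members

def authorized(creds, principal, op_attr):
    """True if the credential set proves principal holds op_attr (e.g. AM.CreateSliver)."""
    return principal in solve(creds)[op_attr]

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Carol", "Dave"):
        print(who, authorized(POLICY, who, "AM.CreateSliver"))
```

Bob is authorized only through the linked role, which is the delegation Ted's vocabulary allows for !ProjectMember; Carol and Dave hold the same attributes for projB, which this AM's policy never names, so they are denied.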
Steve's [attachment:wiki:GEC11Authorization:GEC11-authorization-wrapup-schwab.pdf slides] are available on the [wiki:GEC11Authorization session wiki page].

== Proposed Next Steps ==

 * Continue ProtoGENI ABAC integration
 * Assist ORCA with ABAC integration
 * Revise APIs
   * The Easy Stuff: Widen AM API
   * The Hard Stuff: Standardize other Elements
 * Define a GENI vocabulary for ABAC authorization
 * Continue to develop and revise ABAC tools
 * Integrate with prototype identity portal

= GEC10 Authorization Engineering Meeting =

At GEC10 there was an [wiki:GEC10Auth authorization engineering meeting] which discussed a proposal by Steve Schwab (ISI) and Ted Faber (ISI) to incorporate Attribute Based Access Control (ABAC) and its viability as a GENI authorization framework. Steve and Ted recommended ABAC as an authorization mechanism for GENI that would enable richer authorization decisions, use declarative policies, and improve logging and forensic support. Jeff Chase (Duke, ORCA) and Rob Ricci (Utah, Emulab/ProtoGENI) gave their perspectives on the proposal based on their experience as GENI control framework developers.

== Community Agreement ==

The meeting concluded with a community agreement to try ABAC for at most one year.
Specifically:
 * ABAC should be added to the GENI AM API as an alternative means of authorization
   * Does not replace existing credentials
   * Supports gaining experience with ABAC
 * An existing aggregate should be ABAC-enabled
   * Aggregates are not required to add ABAC support
   * Supports gaining experience with ABAC
   * ProtoGENI AM is the likely first target
 * Experience and proposed next steps to be reported at GEC11
 * Limit the ABAC 'experiment' to 1 year
   * Either select it or reject it within that time frame

== Next Steps ==

 * ISI: Integrate ABAC assertion handling into ProtoGENI AM (w/GPO support)
 * ISI: Implement existing access rules as ABAC assertions
 * ISI: Issue ABAC assertions for existing users
 * ISI: Explore richer assertions and policy rules within ProtoGENI code base
 * ISI: Report results by GEC11

= Getting Involved =

If you have questions or comments on the status of the authorization work, please email the GENI developers list (dev at geni.net) or Tom Mitchell (tmitchell at bbn.com).