= Project Number =

1609

= Project Title =

TIED: Trial Integration Environment in DETER a.k.a. DETER

= Technical Contacts =

Principal Investigator: John Wroclawski jtw@isi.edu

Co-Principal Investigator: Terry Benzel tbenzel@isi.edu

Ted Faber faber@ISI.EDU

= Participating Organizations =

 * [http://www.isi.edu/index.php University of Southern California Information Sciences Institute], Marina del Rey
 * [http://www.eecs.berkeley.edu/ University of California, Berkeley]

= Scope =

The scope of work on this project is to develop and evangelize a control framework that particularly emphasizes usability across different communities, through federation, rich trust/security models, and similar enabling mechanisms.

= Milestones =

== Spiral 2 ==

 * [[MilestoneDate(TIED: S2.a Design specification for plugin)]]
 * [[MilestoneDate(TIED: S2.b TIED GEC demo)]]
 * [[MilestoneDate(TIED: S2.c Fedd release with ProtGeni plug-in)]]
 * [[MilestoneDate(TIED: S2.d Preliminary design document for Unified/SFA (GENIAPI) plugin)]]
 * [[MilestoneDate(TIED: S2.e review S2.f milestone and revise if necessary)]]
 * [[MilestoneDate(TIED: S2.f Demo TIED/GENIAPI Experiment)]]

== Spiral 3 ==

 * [[MilestoneDate(TIED: S3.a "API modifications design document, patches or modified GENI API reference code")]] [[BR]]
 * [[MilestoneDate(TIED: S3.b Machine-readable ABAC rules and attributes usable with S3a code)]] [[BR]]
 * [[MilestoneDate(TIED: S3.c Code release of tools to manage ABAC attributes and interpret authorization decisions)]] [[BR]]
 * [[MilestoneDate(TIED: S3.d Strawman GENI API specification)]] [[BR]]
 * [[MilestoneDate(TIED: S3.e Demonstration of an experiment using multiple GENI resources controlled by TIED through the CF-independent GENI API design of milestone S3.e)]] [[BR]]

= Project Technical Documents =

TIED is based on the [http://fedd.isi.deterlab.net TIED/DETER federation system], which allows a researcher to construct experiments that span testbeds by dynamically acquiring resources from other
testbeds and configuring them into a single experiment. As closely as possible, that experiment will mimic a single DETER/Emulab experiment. This model fundamentally supports creation of cohesive experiments (slices) from independently administered resources (components/aggregates).

Because resources are independently administered and serve different communities, the authorization system needs to support a rich delegation structure, formal semantics, efficient negotiation, and clear auditing. The [http://www.isso.sparta.com/research_projects/security_infrastructure/abac_overview.html ABAC] system meets those requirements; TIED is integrating this into the federation system.

To make use of widely distributed components, it is helpful to establish guaranteed network connections between them. TIED is addressing this by federating with testbeds that represent dynamically allocatable wide-area network resources. The prototyping plan is to use DRAGON interfaces to configure these resources.

 [http://fedd.isi.deterlab.net The TIED/DETER Federation architecture and implementation]::
   Information about the TIED/DETER federation system, including overview, detailed user and developer documentation, pointers to published papers, and released code.
 [wiki:TIEDClearinghouse The TIED Clearinghouse]::
   Description of how the TIED system provides GENI clearinghouse functionality, including how to join.
 [wiki:TIEDABACModel The ABAC model in TIED]::
   Discussion of ABAC concepts and how they relate to the TIED implementation.
 [wiki:TIEDABACDemo An ABAC demo]::
   A worked example of ABAC applied to a GENI scenario. Also shows the TIED attribute explorer.
 [wiki:TIEDProtoGENIPlugin ProtoGENI Plug-in]::
   A description of the design for the upcoming TIED/ProtoGENI subsystem.
 [http://fedd.isi.deterlab.net/trac/wiki/FeddReleaseNodes Release of fedd 3.00]::
   Release of fedd that includes the ProtoGENI plugin (as per milestone S2.c).
   It also includes [http://fedd.isi.deterlab.net/trac/wiki/FeddDevelop information for developers] who want to write their own plug-ins. We have also prepared [wiki:TIEDFedd30GIR12 a document] explaining where to find the information required for a [wiki:GIR2.1Guidelines GENI Integration Release 2.1] inclusion on the [http://fedd.isi.deterlab.net fedd website].
 [http://groups.geni.net/geni/attachment/wiki/TIED/TIED_GENIAPI_v1.2.pdf Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate]::
   This discusses the [GeniApi GENIAPI] both from the perspective of TIED using it, and more broadly as an interoperation architecture.
 GENIAPI support::
   We have three screencast videos online that demonstrate the creation and manipulation of an experiment using both DETER resources and ProtoGENI resources that are manipulated through the GENIAPI interface. These are multi-megabyte files in MPEG format, and we have linked to them below rather than attach them to the wiki.
   * [http://www.isi.edu/~faber/tmp/tied_cast1.mpg Establishing the experiment]
   * [http://www.isi.edu/~faber/tmp/tied_cast2.mpg Simple Experiment exploration]
   * [http://www.isi.edu/~faber/tmp/tied_cast3.mpg Using the DETER experiment manipulation tools (SEER)]

   The files are large enough that they seem to confuse some browser players. You may have to hit the play button in your browser a few times or download the file to local storage and run a player.

   In addition, we have completed a [attachment:TIED_PlanetLab_GENIAPI.pdf report] on the directions for improving the [wiki:GeniApi GENIAPI] to make it easier to support [http://planet-lab.org PlanetLab] plug-ins under TIED using the GENIAPI.
   The report also includes a revised discussion of the role of the control framework and the aggregate managers as we see them, based partially on feedback from the e-mail exchange and discussions the [http://groups.geni.net/geni/attachment/wiki/TIED/TIED_GENIAPI_v1.2.pdf earlier report] touched off.
 GENIAPI AM/ABAC integration::
   We have integrated [http://abac.deterlab.net libabac] v 0.1.2 with the current [http://trac.gpolab.bbn.com/gcf/wiki/GettingGcf GENIAPI AM v1.2 reference implementation] (actually the tarball works with the git version as of 6 Jan 2011). The resulting system makes all authorization decisions based on TIED self-validating identities and ABAC credentials. It passes the tests shipped with the GCF reference implementation. The only direct modification to the GENIAPI AM code was a few lines to request a 'list' credential in {{{ListResources}}}. The difficulty that led to this change is described in the design document, and the change is backward compatible.

   We have a [attachment:abac_geniapi-1.0.tgz tarfile of our code] (relative to the {{{gcf}}} directory in the GCF release) available and a [attachment:ABAC_GENIAPIv1.2.pdf document] describing the design and lessons from the work. Instructions on initializing the ABAC policies and running the code are in the tarfile in the {{{ABAC_README}}} file.
   * [attachment:abac_geniapi-1.0.tgz abac_geniapi-1.0.tgz]
   * [attachment:ABAC_GENIAPIv1.2.pdf Design and Integration of ABAC and the GENIAPI AM: Version 1.0]
 ABAC rules for GENI authorization::
   This is a set of machine-readable ABAC rules that represent our proposal for encoding the GENI authorization in ABAC rules. The milestone actually calls for rules usable with the [attachment:abac_geniapi-1.0.tgz code in the previous milestone], but that code was delivered with such rules. These rules represent a cleaner instantiation of the rules that would require some reimplementation to incorporate.
   The [attachment:ABAC_Rules_v1.2.pdf attached document] both explains those rules to an audience knowledgeable in ABAC, and stands alone as an introduction to both ABAC and GENI authorization. Playing that dual role makes it a little longer than a simple description of the rules.
   * [attachment:GENI_ABAC_rules.tgz Rules and example scripts]
   * [attachment:ABAC_Rules_v1.2.pdf Explanation of ABAC rules (also in above tar file)]

= [http://groups.geni.net/geni/wiki/TIED/QuarterlyStatus Quarterly Status Reports] =

 * [http://groups.geni.net/geni/attachment/wiki/TIED/QuarterlyStatus/TIED%20QPR%2012-31-08.pdf 4Q08 Status Report]
 * [http://groups.geni.net/geni/attachment/wiki/TIED/QuarterlyStatus/TIED%20QPR%2003-31-09.pdf 1Q09 Status Report]
 * [http://groups.geni.net/geni/attachment/wiki/TIED/QuarterlyStatus/TIED%20QPR%2006-30-09.pdf 2Q09 Status Report]
 * [wiki:TIEDQ22010 2Q10 Status Report] [wiki:TIEDQ12011]

= Spiral 2 Project Review Slides =

[http://groups.geni.net/geni/attachment/wiki/TIED/Spiral%202%20Project%20Review%20-%20TIED.pdf PDF] or [http://groups.geni.net/geni/attachment/wiki/TIED/Spiral%202%20Project%20Review%20-%20TIED.pptx PPTX]

= GPO Liaison System Engineer =

Heidi Picher Dempsey hdempsey@geni.net

= Related Projects =

 * [http://www.isi.edu/deter/ DETERlab Testbed (cyber-DEfense Technology Experimental Research laboratory Testbed)]
 * [http://fedd.isi.deterlab.net TIED/DETER Federation Architecture Website]