Project Number
1609
Project Title
TIED: Trial Integration Environment in DETER
a.k.a. DETER
Technical Contacts
Principal Investigator: John Wroclawski jtw@isi.edu
Co-Principal Investigator: Terry Benzel tbenzel@isi.edu
Ted Faber faber@ISI.EDU
Participating Organizations
Scope
The scope of work on this project is to develop and evangelize a control framework that particularly emphasizes usability across different communities, through federation, rich trust/security models, and similar enabling mechanisms.
Milestones
Spiral 2
- TIED: S2.a Design specification for plugin
- TIED: S2.b TIED GEC demo
- TIED: S2.c Fedd release with ProtoGENI plug-in
- TIED: S2.d Preliminary design document for Unified/SFA (GENIAPI) plugin
- TIED: S2.e review S2.f milestone and revise if necessary
- TIED: S2.f Demo TIED/GENIAPI Experiment
Spiral 3
- TIED: S3.a API modifications design document, patches or modified GENI API reference code
- TIED: S3.b Machine-readable ABAC rules and attributes usable with S3a code
- TIED: S3.c Code release of tools to manage ABAC attributes and interpret authorization decisions
- TIED: S3.d Strawman GENI API specification
- TIED: S3.e Demonstration of an experiment using multiple GENI resources controlled by TIED through the CF-independent GENI API design of milestone S3.e
Spiral 4
- TIED: S4.a Deploy prototype integrated ABAC authorization system
- TIED: S4.b Deploy prototype integrated ABAC authorization system
- TIED: S4.c Deploy prototype integrated ABAC authorization system
- TIED: S4.d Deploy prototype integrated ABAC authorization system
- TIED: S4.e Cross-control-framework authorization policies and tools
- TIED: S4.f Cross-control-framework authorization policies and tools
- TIED: S4.g Cross-control-framework authorization policies and tools
- TIED: S4.h Production deployment
- TIED: S4.i Production deployment
- TIED: S4.j Production deployment
Project Technical Documents
TIED is based on the TIED/DETER federation system, which allows a researcher to construct experiments that span testbeds by dynamically acquiring resources from other testbeds and configuring them into a single experiment. As closely as possible that experiment will mimic a single DETER/Emulab experiment.
This model fundamentally supports creation of cohesive experiments (slices) from independently administered resources (components/aggregates). Because resources are independently administered and serve different communities, the authorization system needs to support a rich delegation structure, formal semantics, efficient negotiation, and clear auditing. The ABAC system meets those requirements; TIED is integrating this into the federation system.
To make use of widely distributed components it is helpful to establish guaranteed network connections between them. TIED is addressing this by federating with testbeds that represent dynamically allocatable wide-area network resources. The prototyping plan is to use DRAGON interfaces to configure these resources.
- The TIED/DETER Federation architecture and implementation
- Information about the TIED/DETER federation system, including overview, detailed user and developer documentation, pointers to published papers, and released code.
- The TIED Clearinghouse
- Description of how the TIED system provides GENI clearinghouse functionality, including how to join.
- The ABAC model in TIED
- Discussion of ABAC concepts and how they relate to TIED implementation
- An ABAC demo
- A worked example of ABAC applied to a GENI scenario. Also shows the TIED attribute explorer.
- ProtoGENI Plug-in
- A description of the design for the upcoming TIED/ProtoGENI subsystem.
- Release of fedd 3.00
- Release of fedd that includes the ProtoGENI plugin (as per milestone S2.c). It also includes information for developers who want to write their own plug-ins.
We have also prepared a document explaining where to find the information required for a GENI Integration Release 2.1 inclusion on the fedd website.
- Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate
- This discusses the GENIAPI both from the perspective of TIED using it, and more broadly as an interoperation architecture.
- GENIAPI support
- We have three screencast videos online that demonstrate the creation and manipulation of an experiment using both DETER resources and ProtoGENI resources that are manipulated through the GENIAPI interface. These are multi-megabyte files in mpeg format, and we have linked to them below rather than attach them to the wiki. The files are large enough that they seem to confuse some browser players. You may have to hit the play button in your browser a few times or download the file to local storage and run a player.
In addition we have completed a report on the directions for improving the GENIAPI to make it easier to support PlanetLab plug-ins under TIED using the GENIAPI. The report also includes a revised discussion of the role of the control framework and the aggregate managers as we see them, based partially on feedback from the e-mail exchange and discussions the earlier report touched off.
- GENIAPI AM/ABAC integration
- We have integrated libabac v 0.1.2 with the current GENIAPI AM v1.2 reference implementation (actually the tarball works with the git version as of 6 Jan 2011). The resulting system makes all authorization decisions based on TIED self-validating identities and ABAC credentials. It passes the tests shipped with the GCF reference implementation. The only direct modification to the GENIAPI AM code was a few lines to request a 'list' credential in ListResources. The difficulty that led to this change is described in the design document and the change is backward compatible.
We have a tarfile of our code (relative to the gcf directory in the GCF release) available and a document describing the design and lessons from the work. Instructions on initializing the ABAC policies and running the code are in the tarfile in the ABAC_README file.
- ABAC rules for GENI authorization
This is a set of machine readable ABAC rules that represent our proposal for encoding the GENI authorization in ABAC rules. The milestone actually calls for rules usable with the code in the previous milestone, but that code was delivered with such rules. These rules represent a cleaner instantiation of the rules that would require some reimplementation to incorporate.
The attached document both explains those rules to an audience knowledgeable in ABAC, and stands alone as an introduction to both ABAC and GENI authorization. Playing that dual role makes it a little longer than a simple description of the rules.
- ABAC Vocabulary
This is a document that tries to capture the group consensus on a global attribute vocabulary for carrying out authorization decisions in GENI. It lays out the problem, proposes a vocabulary for authorization and gives two sample policies.
- GENIAPI changes for ABAC support
This is a brief document outlining the changes to the GENIAPI necessary to support ABAC credentials and interactions. More thinking on these lines has happened in the dev mailing list.
Quarterly Status Reports
Spiral 2 Project Review Slides
GPO Liaison System Engineer
Heidi Picher Dempsey hdempsey@geni.net
Related Projects
Attachments (12)
- TIED_GENIAPI_v1.2.pdf (258.4 KB) - added 14 years ago.
Preliminary Review of the GENIAPI as Control Framework Interoperability Architecture and TIED Federation Plug-In Candidate
- TIED QPR 06-30-10-v1.txt (10.8 KB) - added 14 years ago.
Q2 2010 QSR
- Spiral 2 Project Review - TIED.pdf (824.4 KB) - added 14 years ago.
Spiral 2 Project Review slides in PDF format
- Spiral 2 Project Review - TIED.pptx (712.6 KB) - added 14 years ago.
Spiral 2 Project Review slides in pptx format
- TIED_PlanetLab_GENIAPI.pdf (327.1 KB) - added 14 years ago.
Review of GENIAPI and its role in a TIED/PlanetLab Plug-in
- abac_geniapi-1.0.tgz (26.0 KB) - added 14 years ago.
ABAC/GENIAPI code
- ABAC_GENIAPIv1.2.pdf (175.5 KB) - added 14 years ago.
- ABAC_Rules_v1.2.pdf (210.6 KB) - added 14 years ago.
Description of ABAC rules
- GENI_ABAC_rules.tgz (189.6 KB) - added 14 years ago.
ABAC rules
- Strawman_v1.1.pdf (148.3 KB) - added 14 years ago.
GENI API Strawman 1.1
- ABAC_Vocabulary_1.0.pdf (238.2 KB) - added 13 years ago.
GENI Vocabulary
- ABAC_GENIAPI_changes_1.2.pdf (197.1 KB) - added 13 years ago.