Changes between Version 9 and Version 10 of TIEDABACDemo

07/10/09 18:15:22 (10 years ago)

    v9 v10  
    99== ABAC Model ==
     11ABAC facilitates authorization decisions by providing rules under which actors in the system, called principals, prove that they have certain attributes necessary for accessing resources.  Which attributes are required for a given resource is a matter of policy outside the system.  ABAC can represent delegation of various forms in scalable and separable ways that can be reasoned about formally.  This section sketches the ideas behind ABAC.  More information is available in [ the literature ].
    1113In ABAC, principals are created by authenticating to the system.  A principal can be an individual (researcher, user) or larger authority (GPO, university).  Prinicpals can use a range of systems to authenticate themselves.  A principal can be the subject of authorization decisions and have attributes asserted about it by other principals.
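Review bot: the link placeholder `[ the literature ]` on new line 11 has no target URL, so nothing will resolve from it; either supply the reference (URL or citation) inside the brackets or drop the brackets until one exists. Minor spelling on line 13: "Prinicpals" should read "Principals".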
    8385The graphs generated by the authorization negotiation also act as detailed logs of what was allowed and why.  A log entry containing the credentials and identifiers/keys used to validate them provides the complete set of information that led to the access control decision.  Such logging is of significant use in assessing intrusions or demonstrating that an entity has adhered to a resource control policy.  Such adherence may be important if a resource control policy is mandated by a funder or other contract.
    85 == Authentication and entering the ABAC system ==
     87=== Authentication and entering the ABAC system ===
    8789A key aspect of ABAC's power is that its reasoning system makes few demands on the systems used to establish principals in the system. 
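Review bot: demoting "Authentication and entering the ABAC system" from `==` to `===` (old line 85 to new line 87) makes it a subsection of "ABAC Model", which matches the new `=== Scenario ===` under `== An Example ==` later in this change; confirm the remaining top-level headings in the unchanged portion of the page were demoted the same way, otherwise the table of contents will mix levels.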
    98100When possible binding to a public-key-based identifier is infinitely preferred.
     102== An Example ==
     104=== Scenario ===
     106Consider the ACM using GENI to run a contest like the University of [ Santa Barbara International Capture the Flag Contest] on a larger scale.  The plan is for security experts from several universities to configure a large network of machines as a playground for intrusion testers.  A slice will be created containing many (virtual) machines that will be configured with a variety of known shortcomings.  Signed data is hidden in various places on the machines.  Then players from many universities - in fact many players from across the country - are granted access to the slice and a scavenger hunt ensues.  The team that most completely audits the security of the network, by capturning the most sensitive data, wins.  There may be other scoring.
     108There are two classes of princpals that will be requesting access to GENI resources for this contest.  There will be a comparatively small number of officials that will need allocation and configuration rights to the slice in order to set up and administer the game.  There will also be the thousands or more contestants who will need access to the slice, but not configuration rights.  Because of the large number of contestants, the ACM does not want to be directly in charge of vetting each one.  Individual universities (and perhaps other sites) will be able to decide on the criteria to admit players from their institutions independently.  Should anything go amiss - or any kind of cheating be detected - officials will want to know where the contestent came from and how they were admitted.
     110For the purposes of the example, we assume that there is a GENI principal that has allocated an empty slice for the contest.  That slice will be expanded and configured by principals with the GENI.adminCTF attribute and accessible by players with the GENI.accessCTF attribute.  We now lay out the attribute policies for allocating these two attributes.
     112Because the set of officials is small, the ACM chooses to administer them directly.  To support this the GENI principal delegates the adminCTF attribute to the ACM principal:
     116And the ACM principal authorizes principals by making them officials.
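Review bot: new line 112 ends with a colon introducing the credential by which GENI delegates adminCTF to the ACM principal, and new line 116 continues with "And the ACM principal authorizes principals by making them officials"; lines 113 to 115 are not in this view, so confirm the actual delegation statement sits there and that line 116 is likewise followed by the concrete attribute assignment, since those statements are the substance of the example. Spelling on the added lines: "capturning" (106), "princpals" (108), "contestent" (108). The link `[ Santa Barbara International Capture the Flag Contest]` on line 106 also lacks a URL, and "the University of [ ... ]" reads oddly once the link renders; consider naming the contest and its host institution in plain text and attaching the link to that.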