Changes between Version 20 and Version 21 of TIEDABACDemo

07/12/09 21:17:43 (13 years ago)




    v20 v21  
    2929Throughout this example we will make use of screenshots from the program to illustrate points.  The program is itself is available via a Web Start/JLNP link.  Clicking on that link will start the program on your desktop if your machine is configured to use Web Start.  Instructions for that configuration are [ available on the web].  Feel free to follow along.
    31 == Attributes for Officials ==
     31== Attributes for Slice Control ==
    3333First we consider the attributes used to control the contest slice.  The GENI principal will have created these with the slice, and much of the ABAC configuration that follows is delegating the authority to assign other principals those attributes.  We name them '''GENI.CTFaccess''' and '''GENI.CFTadmin''' for the abilities to access and administrate the slice respectively.
    3535An attribute name encodes the controller of that attribute and the attribute name being granted.  The controller is a principal (identified by a unique identifier/key that the explorer maps to a readable string) and the attribute name is a string.  Prinicpals using each others attributes agree on the semantics of the names.  The '''GENI.CTFaccess''' attribute is controlled by the GENI principal and is named CTFaccess.
     37== Assigning Attributes to Principals Directly (local GENI administrator) ==
    3739In order to assign that attribute to a principal using the explorer, one connects the principal representation (an ellipse with that prinicpal's name in it) to the attribute in question.  The following shows the '''BBNAdmin''' principal being assigned the '''GENI.CTFAdmin''' attribute.
     43Every arrow we draw in the explorer represents the creation of a credential (though some arrows will appear later without being drawn that do not represent credentials).  A credential is a statement about either a principal having an attribute (as in this case) or the relationship between a attributes as we see below.  The credential is always issued by the controller of the attribute at the head of the arrow (GENI, in this case) and contains enough information to recreate the edge and nodes in the graph.  In this case a credential saying "the BBNAdmin principal has the GENI.CTFadmin attribute, signed the GENI principal" is created.
     45The BBNAdmin can now configure the contest slice.
     47Surprisingly, that administrator does not possess the '''GENI.CTFaccess''' attribute.  While we could assume that the administrator privilege subsumes access rights, that makes queries about users who have asserted access rights more difficult as the query engine needs to understand the semantics of access.  Rather than do that, the GENI principal connects the two attributes by drawing an arrow from the '''GENI.CTFadmin''' attribute to the '''GENI.CTFaccess''' attribute.
    4151=== ABAC Encoding (simple delegation) ===