Changes between Version 11 and Version 12 of TIEDCredentials


Ignore:
Timestamp:
04/22/13 13:05:44 (6 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v11 v12  
    1212
    1313 * Credential issuers need not issue delegatable privileges
    14  * A tool need not receive and manipulate all the delegated credentials
     14 * A tool need not receive and manipulate all the delegated credentials.  For example, a tool need not have all of a user's slice credentials to look up the status of all the user's slices.
    1515
    1616"Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the GENI credentials.  It is unclear to me if "speaks-for" permits delegation as well, but the rest of this document assumes that it does.
    1717
    18 When using the ABAC access code, for most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
     18When ABAC authorization code is integrated, the workflow is unchanged for most elements in the system.  Users, clearinghouses, and slice authorities generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
    1919
    2020 * Initialize an ABAC prover with its current policy (the prover is initialized for each request to allow dynamic policy changes),
     
    3131Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.  We describe the contents of those policies below.
    3232
    33 Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI credential formats in the short term, but to add new formats in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.
     33Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI privilege credentials in the short term, but to add new GENI credential types (the format is extensible) in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.
    3434
    3535GENI components issuing GENI credentials and making requests using them will continue to pass the same credentials around, and require no changes.  Parties making authorization decisions based on GENI credentials will add code provided by ISI to interface to the ABAC prover and rely on it to check access.  This will add speaks-for to GENI.
     
    4343A GENI privilege credential encodes a set of statements of the form "The issuer of this credential (a principal) gives the owner of it (a principal) these privileges (strings) with respect to the target (a principal)."  The privilege strings are defined with respect to the GENI APIs.  For each of the privileges, a boolean is given and is true if the privilege can be passed to others.  For example, a slice authority (issuer) can grant the resolve privilege to a user (owner) on a given slice (target).
    4444
    45 The issuer is the principal that signed the credential.  The target and owner are given explicitly as X.509 certificates.  We can identify each of these principals by their public key from the X.509 certificates.  In the short term that binding is stable.  In the long term the ABAC policy can take changing keys into account.
     45The issuer is the principal that signed the credential.  The target and owner are given explicitly as X.509 certificates.  We can identify each of these principals by their public key from the X.509 certificates.
    4646
    47 When the credential is delegated, the credential assigning the delegatable privilege, called the base credential, is included in a new credential signed by the owner of the base credential.  The owner of the base credential is the issuer of the new credential.  The new credential assigns privileges to an new owner.  The new credential is valid if the base one is, if the delegated rights are marked delegatable, and the expiration time of the new credential is no longer than the base.  This recurses.
     47In the current semantics, When the credential is delegated, the credential assigning the delegatable privilege, called the base credential, is included in a new credential signed by the owner of the base credential.  The owner of the base credential is the issuer of the new credential.  The new credential assigns privileges to an new owner.  The new credential is valid if the base one is, if the delegated rights are marked delegatable, and the expiration time of the new credential is no longer than the base.  This recurses.
    4848
    4949= GENI Policy in ABAC =
     
    8080
    8181{{{
    82 Issuer.privilege(Target) <- Issuer.speaks_for(P)
    83 Issuer.speaks_for(P) <- P
    84 Issuer.speaks_for(P) <- P.speaks_for(P)
     82 (1) Issuer.privilege(Target) <- Issuer.speaks_for(P)
     83 (2) Issuer.speaks_for(P) <- P
     84 (3) Issuer.speaks_for(P) <- P.speaks_for(P)
    8585}}}
    8686
    87 The Issuer says that anyone that speaks for P has the privilege.  The Issuer says P speaks for itself. The Issuer says that anyone P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.  The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.
     87These ABAC statements mean: (1) The Issuer says that anyone that speaks for P has the privilege.  (2) The Issuer says P speaks for itself.  (3) The Issuer says that anyone P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.  The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.
    8888
    8989When a user (P) issues a speaks-for credential for a tool (T), that credential is translated into ABAC as:
     
    143143
    144144Needs to be created and added to the ABAC context the first time each (privilege, Target) pair is encountered by AM.  This is the code stub mentioned in the introduction.
    145 Similar stubs will be needed by other resource controllers.
     145Similar stubs will be needed by other resource controllers that call the ABAC prover.
     146
     147If existing RT1-lite templates are available, we will use them.
    146148
    147149= Conclusions =