Changes between Version 16 and Version 17 of TIEDCredentials


Ignore:
Timestamp:
05/17/13 16:13:45 (11 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • TIEDCredentials

    v16 v17  
    3333 * Ask the prover if the caller has the privileges needed to make the call
    3434
     35"Speaks-for" requires making 2 proofs:
     36
     37 * Can the caller speak for the principal it has specified in the API call
     38 * Does the spoken-for principal have the necessary privilege
     39
     40The logic presented below will also grant the principal executing the speaks-for the right directly.  We mention how to break that connection below.
     41
    3542Specifically, the AM will check the same privilege strings it currently checks but using the ABAC prover to get the allowed/denied answers.
    3643
     
    4249Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.  We describe the contents of those policies below.
    4350
    44 Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI privilege credentials in the short term, but to add new GENI credential types (the format is extensible) in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.
     51Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI privilege credentials in the short term, but to add new GENI credential types (the format is extensible) in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.  We have defined an [wiki:TIEDABACCredential initial format] for this.
    4552
    4653GENI components issuing GENI credentials and making requests using them will continue to pass the same credentials around, and require no changes.  Parties making authorization decisions based on GENI credentials will add code provided by ISI to interface to the ABAC prover and rely on it to check access.  This will add speaks-for to GENI.
     
    97104}}}
    98105
    99 These ABAC statements mean: (1) The Issuer says that anyone that speaks for P can exercise the privilege as P (the second parameter). (2) The Issuer says P speaks for itself.  (3) The Issuer says that anyone that the Issuer believes is a trusted tool and that P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.  The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.
     106These ABAC statements mean: (1) The Issuer says that anyone that speaks for P can exercise the privilege as P (the second parameter). Note that this means that the speaker-for has the right under these rules.  If we want only the actual principal (and whoever he/she delegates to) to have the right (1) can be issued as {{{Issuer.privilege(Target) <- P}}}. (2) The Issuer says P speaks for itself.  (3) The Issuer says that anyone that the Issuer believes is a trusted tool and that P says speaks for P speaks for P.  When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC.  The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.
    100107
    101108When a user (P) issues a speaks-for credential for a tool (T), that credential is translated into ABAC as: