Changes between Version 6 and Version 7 of TIEDCredentials


Ignore:
Timestamp:
04/19/13 18:39:08 (8 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v6 v7  
    1212 * Importing the information from GENI credentials into the ABAC prover
    1313
    14 Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT0 lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.
     14Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.
    1515
    1616Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI credential formats in the short term, but to add new formats in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.
     
    4141== GENI Policy in ABAC ==
    4242
    43 Here we describe the ABAC rules that describe the GENI policy as it stands.  The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT0 lite"] encoding of RT1 single parameter attributes.  (In a nutshell, an RT0 lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).
     43Here we describe the ABAC rules that describe the GENI policy as it stands.  The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT1-lite"] encoding of RT1 single parameter attributes.  (In a nutshell, an RT1-lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).
    4444
    45 We give the ABAC as RT1, and explain how the RT0 lite conversion will happen later. 
     45We give the ABAC as RT1, and explain how the RT1-lite conversion will happen later. 
    4646
    4747Unlike the description above, we first describe how to encode a policy that supports "speaks-for" and then add delegation.  Speaks for is actually the simpler rule.
     
    109109{{{
    110110Issuer.privilege(Target) <- Issuer.can_delegate_privilege(Target).privilege(Target)
    111 Issuer.can_delegate_privilege(T) <- Issuer.speaks_for(P)
     111Issuer.can_delegate_privilege(Target) <- Issuer.speaks_for(P)
    112112}}}
    113113
    114 The issuer says that anyone in the {{{Issuer.can_delegate_privilege(Target)}}} set can assign {{{Issuer.privilege(Target)}}} and that any principal who speaks for P (including P) is in that set.
     114The issuer says that anyone in the {{{Issuer.can_delegate_privilege(Target)}}} set can assign {{{Issuer.privilege(Target)}}} and that any principal who speaks for P (including P) is in that set.  This formulation implies that "speaks-for" works for delegation as well.  A tool that can speak for a user can delegate on that user's behalf.  If the second line is:
     115
     116{{{
     117Issuer.can_delegate_privilege(Target) <- P
     118}}}
     119
     120then only the user can delegate.
     121
     122== RT1-lite templates for AMs ==
     123
     124One of the things RT1-lite must do is to generate RT0 statements for new parameterizations of the RT1 statements. In this system, an RT0 statement of the form
     125
     126{{{
     127AM.privilege_Target <- Issuer.privilege_Target
     128}}}
     129
     130Needs to be created and added to the ABAC context the first time each (privilege, Target) pair is encountered by AM.  This is the code stub mentioned in the introduction.
     131Similar stubs will be needed by other resource controllers.
     132
     133= Conclusions =
     134
     135This has described the implementation strategy for GENI privilege credentials using existing credential formats and implementing "speaks-for."  Most of the development is focused on accepting existing GENI privilege credentials and translating them into ABAC.  We have also laid out the ABAC that reflects the existing GENI authorization strategy at AMs.