Changes between Version 7 and Version 8 of TIEDCredentials


Ignore:
Timestamp:
04/19/13 19:03:39 (8 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v7 v8  
    33= GENI-Compatible ABAC credentials =
    44
    5 GENI is currently working toward making [wiki:TIEDABACModel ABAC] the primary authorization system for the [wiki:GAPI_AM_API GENI AM API]. A first step in that direction is to use the ABAC prover library, [http://abac.deterlab.net libabac], to make authorization decisions based on the current GENI policy.  A first step in this direction is to implement current GENI policy - including a new "speaks-for" feature using ABAC without changing the existing AM API calls or credential formats.  This document describes our approach to do so.
     5GENI is currently working toward making [wiki:TIEDABACModel ABAC] the primary authorization system for the [wiki:GAPI_AM_API GENI AM API]. A first step in that direction is to use the ABAC prover library, [http://abac.deterlab.net libabac], to make authorization decisions based on the current GENI policy.  A first step in this direction is to implement current GENI policy - including a new "speaks-for" feature - using ABAC without changing the existing AM API calls or credential formats.  This document describes our approach to do so.  While there are other issues to consider, for example improving libabac portability, this document does not address them.
    66
    7 The workflow for an aggregate manager is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will initialize an ABAC prover with its current policy (to allow dynamic policy changes), import the information in the GENI Credentials in the request, and ask the prover if the caller has the privileges needed to make the call.  Specifically, the AM will check the same privilege strings it currently checks but using the ABAC prover to get the allowed/denied answers.
     7For most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
    88
    9 That leaves two problems to address:
     9 * Initialize an ABAC prover with its current policy (the prover is initialized for each request to allow dynamic policy changes),
     10 * Import the information from the GENI Credentials in the request
     11 * Ask the prover if the caller has the privileges needed to make the call
     12
     13Specifically, the AM will check the same privilege strings it currently checks but using the ABAC prover to get the allowed/denied answers.
     14
     15There are two problems to address:
    1016
    1117 * Encoding the policy for import into the ABAC prover
    1218 * Importing the information from GENI credentials into the ABAC prover
    1319
    14 Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.
     20Because we are encoding the current static, global GENI policies, storing and importing them is relatively easy.  We can encode the generic parts of the policy into a configuration file on the aggregate manager once.  For dynamic parts of the policy - specializing the generic policy for a specific target - a short code stub will be inserted into the AM.  This is consistent with using an [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt RT1-lite template].  Note that none of these policy encodings need to be exchanged, so they can be stored in legacy libabac formats.  We describe the contents of those policies below.
    1521
    1622Importing the information in a GENI credential is accomplished by modifying libabac's credential input routines to recognize GENI credentials and convert them into valid ABAC rules.  The ABAC rules need not be exchanged; they are only used in generating the answer to the authorization question.  Our plan is to use existing GENI credential formats in the short term, but to add new formats in the long term.  The new formats will support the full expressiveness of ABAC and can be used to store policies in more human readable formats as well as to pass more expressive ABAC information around in the future.
     
    2026The rest of this document discussed the semantics of GENI credentials including delegation and the "speaks-for" semantics, explains how those will be encoded into ABAC logic, and discusses the dynamic policy insertion.  Readers will want to read farther the more they are interested in ABAC.
    2127
    22 == GENI Privilege Credentials ==
     28= GENI Privilege Credentials =
    2329
    24 A GENI privilege credential encodes a set of statements of the form "The issuer of this credential (a principal) gives the owner of it (a principal) these privileges (strings) with respect to the target (a principal)."  The privilege strings are defined with respect to the GENI APIs.  For each of the privileges, a boolean is given and is true if the privilege can be passed to others.
     30This section describes the content and use of GENI privilege credentials.  These are the only kinds of GENI credentials in use, but the presence of a type field indicates that other formats can be defined.  We expect to do so in later phases.
    2531
    26 The issuer is the principal that signed the credential.  The target and owner are given explicitly as X.509 certificates.  We can identify each of these principals by their public key from the X.509 certificates.  In the short term that binding is stable.  In the long term the ABAC policy can be take changing keys into account.
     32A GENI privilege credential encodes a set of statements of the form "The issuer of this credential (a principal) gives the owner of it (a principal) these privileges (strings) with respect to the target (a principal)."  The privilege strings are defined with respect to the GENI APIs.  For each of the privileges, a boolean is given and is true if the privilege can be passed to others.  For example, a slice authority (issuer) can grant the resolve privilege to a user (owner) on a given slice (target).
    2733
    28 When the credential is delegated, the credential assigning the delegatable privilege (the base credential) is included in a new credential signed by the owner of the base credential.  The owner of the base credential is the issuer of the new credential.  The new credential assigns privileges to an new owner.  The new credential is valid if the base one is, if the delegated rights are marked delegatable, and the expiration time of the new credential is no longer than the base.  This recurses.
     34The issuer is the principal that signed the credential.  The target and owner are given explicitly as X.509 certificates.  We can identify each of these principals by their public key from the X.509 certificates.  In the short term that binding is stable.  In the long term the ABAC policy can take changing keys into account.
    2935
    30 == GENI Privilege Credentials and "Speaks-for" ==
     36When the credential is delegated, the credential assigning the delegatable privilege, called the base credential, is included in a new credential signed by the owner of the base credential.  The owner of the base credential is the issuer of the new credential.  The new credential assigns privileges to an new owner.  The new credential is valid if the base one is, if the delegated rights are marked delegatable, and the expiration time of the new credential is no longer than the base.  This recurses.
     37
     38= GENI Privilege Credentials and "Speaks-for" =
    3139
    3240The "speaks-for" privilege is intended to be used as follows. A user wishes to use a hosted tool to access aggregate managers but does not want to give its identity certificate and private key to that tool, which may be a web service.  The user can issue a GENI credential granting a "speaks-for" right to the tool (a principal).  The tool includes that credential in its requests and the aggregate manager (and other parties making authorization decisions) will treat these requests as though they came from the user.
     
    3947"Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the privilege credentials.
    4048
    41 == GENI Policy in ABAC ==
     49= GENI Policy in ABAC =
    4250
    4351Here we describe the ABAC rules that describe the GENI policy as it stands.  The policy and credential formats are somewhat entwined, and we cannot speak of one completely without the other. This section assumes one knows the [wiki:TIEDABACModel ABAC definitions], and the [http://groups.geni.net/geni/attachment/wiki/GEC11Authorization/chase-abac-gec11.ppt "RT1-lite"] encoding of RT1 single parameter attributes.  (In a nutshell, an RT1-lite encoding of the RT1 credential Principal.Attribute(parameter) is Principal.attribute_parameter).