Changes between Version 8 and Version 9 of TIEDCredentials


Ignore:
Timestamp:
04/19/13 19:12:41 (8 years ago)
Author:
faber@isi.edu
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDCredentials

    v8 v9  
    55GENI is currently working toward making [wiki:TIEDABACModel ABAC] the primary authorization system for the [wiki:GAPI_AM_API GENI AM API]. A first step in that direction is to use the ABAC prover library, [http://abac.deterlab.net libabac], to make authorization decisions based on the current GENI policy.  A first step in this direction is to implement current GENI policy - including a new "speaks-for" feature - using ABAC without changing the existing AM API calls or credential formats.  This document describes our approach to do so.  While there are other issues to consider, for example improving libabac portability, this document does not address them.
    66
    7 For most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
     7Current GENI credentials allow one principal to grant privileges to other principals.  If the original granting principal allows it, privileges can be further delegated.
     8
     9The "speaks-for" privilege is a new privilege intended to be used as follows. A user wishes to use a tool to access aggregate managers but does not want to give its identity certificate and private key to that tool, which may be a web service.  The user can issue a GENI credential granting a "speaks-for" right to the tool (a principal).  The tool includes that credential in its requests and the aggregate manager (and other parties making authorization decisions) will treat these requests as though they came from the user.
     10
     11This differs from delegation in two ways:
     12
     13 * Credential issuers need not issue delegatable privileges
     14 * A tool need not receive and manipulate all the delegated credentials
     15
     16"Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the GENI credentials.  It is unclear to me if "speaks-for" permits delegation as well, but the rest of this document assumes that it does.
     17
     18When using the ABAC access code, for most elemets in the system, the workflow is unchanged.  They generate the same credentials they would otherwise.  The workflow change for any element that makes an access check based on GENI privilege credentials, for example an aggregate manager, is that when it receives a request through the [wiki:GAPI_AM_API GENI AM API] it will
    819
    920 * Initialize an ABAC prover with its current policy (the prover is initialized for each request to allow dynamic policy changes),
     
    3849= GENI Privilege Credentials and "Speaks-for" =
    3950
    40 The "speaks-for" privilege is intended to be used as follows. A user wishes to use a hosted tool to access aggregate managers but does not want to give its identity certificate and private key to that tool, which may be a web service.  The user can issue a GENI credential granting a "speaks-for" right to the tool (a principal).  The tool includes that credential in its requests and the aggregate manager (and other parties making authorization decisions) will treat these requests as though they came from the user.
    4151
    42 This differs from delegation in two ways:
    43 
    44  * Credential issuers need not issue delegatable privileges
    45  * A tool need not receive and manipulate all the delegated credentials
    46 
    47 "Speaks-for" makes all existing GENI credentials delegatable by "speaks-for".  To make future credentials immune to this delegation will require a format change to the privilege credentials.
    4852
    4953= GENI Policy in ABAC =