Version 1 (modified by, 9 years ago) (diff)


GENI-Compatible ABAC credentials

GENI is currently working toward making ABAC the primary authorization system for the GENI AM. A first step in that direction is to implement a credential format compatible with existing GENI credentials that can be passed into AM calls and that can be used to implement the "speaks-for" relation. Though importing ABAC into GENI also requires portability improvements to libabac, this page addresses the credential issues.

"Speaks-for" allows a user to delegate to a tool the right to act on their behalf without giving the tool direct access to the user's GENI identity.

Existing GENI credential formats do not allow the full expressiveness of ABAC, but they have two very useful features:

  • The privilege assignment that they express can be written in ABAC
  • They include a type field that can be used to extend them to express more ABAC statements

Our initial plan is to pass credentials in the existing GENI credential format between entities and to import those statements into the ABAC prover at relying parties. That prover will be used to make the authorization decision.

Encoding the policies may require more expressive ABAC rules than a GENI credential can encode. In the very short term, we can use the X.509 based formats to encode those more complex ABAC rules. In very short order we will define types of the existing credential formats to encode these rules.

The rest of this page discusses the short term modifications to libabac that will be needed to support the existing GENI credentials.

GENI "privilege" credentials

The only type of GENI credential currently in use is the "privilege" credential. This credential assigns a principal (called the owner) one or more privileges with respect to another principal (called the target). The privileges are strings meaningful to the implementation. There is also a bit that allows delegation of the privilege.

This directly translates into one or more ABAC statements that include the owner in the target's privilege set. Said another way, the target gives owner the privilege attribute defined by the string. In ABAC RT0 notation: Target.privilege <- Owner for each privilege in the credential.