wiki:TIEDQ12011

Version 11 (modified by faber@isi.edu, 13 years ago) (diff)

Collaborator fixup

TIED - Trial Integration Environment Based on DETER

QPR 31 Mar 2010

Introduction

This quarter members of the TIED project advanced their work on Attribute Based Access Control (ABAC) both technically and internally among GENI researchers, drove GENI interface discussions on both ABAC and the GENIAPI, and furthered our international collaboration with our Japanese counterparts.

Major Accomplishments

  • ABAC/GENI Integration
    • Published Reference code and Documentation for integrating ABAC with the GENIAPI AM.
      • ABAC 0.1.3 is being integrated with the standard GENI Integration Release v 3.1
    • Published machine-readable ABAC encoding of the current GENIAPI models, and wrote detailed documentation for the same.
      • Documentation is a jumping on point for users who have not been following authorization discussions closely
      • Encoding uses running code to demonstrate practicality of the implementation
    • With Steve Schwab, we worked with GPO personnel to forge a consensus and forward path on ABAC integration for GENI at GEC10
  • ABAC Development
    • Demonstrated the ABAC credential browser at GEC10
    • Browser development resulted in a second, interoperable ABAC implementation in native Java that is being taken up by the ORCA project.
      • Included in ABAC 0.1.3, in the GENI Integration release v3.1
  • Other GENI Interface design
    • Published and discussed a draft on the Future of the Slice manager interface.
    • Discussions continuing on the CF lists
  • Japan Collaboration
    • Mike Ryan spent several weeks in Japan educating users on the TIED model and learning about their testbed models
    • Collaboration underway to federate the two testbeds

Description of the Work Performed During the Quarter

The TIED work this quarter has focused in integration and improvement of the ABAC authorization framework and on improving the GENIAPI as interoperability framework. TIED's focus on federating resources from multiple control framework guides our interest in cross-framework authorization and allocation.

We have developed and integrated the ABAC implementation with GENI components and are pressing forward with new tools and moving from prototype integrations to operational deployments of ABAC in GENI. We have shown several levels of prototype integration this quarter (sample policy encodings, GENIAPI code integration, tool demonstrations) and achieved a consensus to deploy ABAC operationally. Similarly, our perspective as a consumer of GENI resources from multiple control frameworks has led us to be somewhat critical of the existing architecture for resource allocation. We have expressed these views in earlier documents. This quarter we published a document laying out constructive ways forward that address our concerns, and continue to argue for their uptake.

Our work with the Japanese continues as well with an informational and personnel exchange, aimed at both producing prototype code and sharing perspectives.

We summarize those accomplishments below.

ABAC/GENI Integration

We have been extolling the benefits of the ABAC authorization system and our implementation of it for some time, and this quarter we took steps to prove that a large scale integration with GENI is technically and practically feasible. This has taken the form of demonstrations, documentation, and trial integrations that have led to a commitment to integrating ABAC into a GENI control framework (ProtoGENI) over the next year.

One of the important trial integrations was with the GENIAPI AM code, the purpose of which was showing that existing implementations of both the AM and ABAC were mature enough to work together. Though most of the coding was undertaken last quarter, the code (and more importantly the documentation) was made available early this quarter. The integration proceeded as expected, showing that the code functions and interoperates correctly, and in the process important contacts and informational exchanges were accomplished between TIED staff and GPO staff.

We both encoded GENI policy into ABAC credentials and produced an explanatory document describing both the GENI policy and the ABAC encoding of it. That document has proven powerful in framing the discussion of both an ABAC deployment and GENI authorization in general. That document appeared because we technically demonstrated one policy encoding when we produced the GENIAPI AM integration, so we took advantage of the second milestone to both provide a more comprehensive encoding of GENI policy and a complete documentation of that encoding. That document has been the basis for many ongoing discussions among GENI implementers and was part of the basis for the agreement reached at GEC10.

Finally, in conjunction with GPO staff and Steve Schwab, the GENI security architect, TIED staff were instrumental in forging an agreement to integrate ABAC with an GENI CF - ProtoGENI - this year. This entailed several discussions and presentations at GEC10.

ABAC Development

ABAC is a multi-platform implementation of our authorization system that is missing a system for administrators to interpret and create credentials encoding a policy or proof. This quarter we extended our existing credential browser significantly to display policies and proofs in clearer ways as well as to provide the cryptographic representations of those credentials. That browser was demonstrated at GEC10.

As a side effect of that browser development, which was carried out in Java, we now have an interoperable implementation in Java. Our initial plan was to use our existing multi-platform tool - swig - to produce a Java implementation, but swig-generated code proved too unstable. A native Java implementation was developed and is integrated into the most recent ABAC release (0.1.3). ORCA developers who work in Java are currently taking that code up.

In addition, the ABAC libraries with Java support are being integrated into the GENI Integration release 3.1.

Interface Discussions

This quarter saw circulation of a document discussing missing pieces of the GENIAPI interface, primarily concerned with missing interfaces that impede interoperability between control frameworks. We identified these problems when designing plug-ins to allocate resources across control frameworks using TIED's federation system. This document describes our suggestions for steps forward to improve the situation.

We have circulated the document privately among the key GENI and GPO developers and then released it to the control framework mailing list. It continues to generate discussion and debate.

International Collaboration

As we have reported earlier, TIED is collaborating with several Japanese research agencies on federating testbeds using TIED and GENI technologies.The organizations are the Nara Institute of Science and Technology (NAIST) working with Prof. Suguru Yamaguchi, the Japan Advanced Institute of Science and Technology (JAIST), working with Yoichi Shinoda and Prof. Tetsuo Wasano, and the Univeristy of Tokyo, working with Prof. Yuji Sekiya. The ISI investigators are John Wroclawski (PI) and Bill Manning.

There are four goals of this collaboration:

  • Prototyping a TIED plug-in for access to the Japanese StarBed facility
  • Demonstrating two cooperative seed research projects
  • Demonstrating research enabled by federation
    • One group plans to access the BGPMUX in ProtoGENI from StarBed using the TIED plug-in developed above
  • Student Exchanges

We advanced the first and last of these goals this quarter by sending TIED staffer Mike Ryan to Japan for several weeks. Mike took part in WIDE camp and spent time learning the details of the StarBed model as well as educating his Japanese counterparts in the TIED model of federation. Though Mike's stay was interrupted, the collaboration and co-development is continuing.

Project participants

  • Individuals directly supported by TIED award:
    • John Wroclawski, PI
    • Ted Faber, Research Computer Scientist
    • Mike Ryan, Systems Programmer
  • Individuals contributing to the project with outside support:
    • Steve Schwab, ISI Project Leader
    • Brett Wilson, Cobham Systems Programmer
    • Bill Manning, Research Staff Member
  • International Collaborators
    • Prof. Suguru Yamaguchi, Graduate School of Information Science, Nara Institute of Science and Technology (NIAST)
    • Yoichi Shinoda, Internet Research Center, Japan Advanced Institute of Science and Technology (JAIST) and Horuriku Research Center, National Institute of Information and Communications Technology (NICT)
    • Prof. Tetsuo Wasano, Internet Research Center, Japan Advanced Institute of Science and Technology (JAIST)
    • Prof. Yuji Sekiya, University of Tokyo

Publications

Modularity], Ted Faber, March 7, 2011

Collaborations

  • Utah Emulab group (Rob Ricci and staff) – development and testing of the DETER Federation Architecture software and ProtoGENI debugging.
  • GPO Software Engineers, Tom Mitchell & Aaron Helsinger - design and testing of ABAC integration, and architceture discussions
  • ORCA group (Jeff Chase, et al) - GENIAPI design discussions and ABAC integration into ORCA
  • Cobham/SPARTA (Brett Wilson) – Development of support for federated experiments within the SEER Experiment Control Environment
  • DRAGON project at ISI-East, CENIC, Los Nettos. VLAN interconnection and debugging.
  • International collaborators, above