wiki:TIEDQ12011

Version 5 (modified by faber@isi.edu, 14 years ago) (diff)

--

TIED - Trial Integration Environment Based on DETER

QPR 31 Mar 2010

Introduction

This quarter members of the TIED project advanced their work on Attribute Based Access Control (ABAC) both technically and internally among GENI researchers, drove GENI interface discussions on both ABAC and the GENIAPI, and furthered our international collaboration with our Japanese counterparts.

Major Accomplishments

  • ABAC/GENI Integration
    • Published Reference code and Documentation for integrating ABAC with the GENIAPI AM.
      • ABAC 0.1.3 is being integrated with the standard GENI Integration Release v 3.1
    • Published machine-readable ABAC encoding of the current GENIAPI models, and wrote detailed documentation for the same.
      • Documentation is a jumping on point for users who have not been following authorization discussions closely
      • Encoding uses running code to demonstrate practicality of the implementation
    • With Steve Schwab, we worked with GPO personnel to forge a consensus and forward path on ABAC integration for GENI at GEC10
  • ABAC Development
    • Demonstrated the ABAC credential browser at GEC10
    • Browser development resulted in a second, interoperable ABAC implementation in native Java that is being taken up by the ORCA project.
      • Included in ABAC 0.1.3, in the GENI Integration release v3.1
  • Other GENI Interface deisgn
    • Published and discussed a draft on the Future of the Slice manager interface.
    • Discussions continuing on the CF lists
  • Japan Collaboration
    • Mike Ryan spent several weeks in Japan educating users on the TIED model and learning about their testbed models
    • Work underway to federate the two testbeds

Description of the Work Performed During the Quarter

TIED's focus on the creation of federated experiments across multiple testbed architectures has allowed us to focus on key areas for GENI interoperability: a federable authorization framework (ABAC) and the overall architecture of the GENIAPI from the perspective of a system that combines resources across multiple control frameworks. We have implemented such a simple federable framework in the ABAC system, and much of the work this quarter has been in demonstrating that our implementation is ready for use and can be integrated with the existing GENI frameworks. We made significant forward progress on both these fronts.

Similarly, our perspective as a consumer of GENI resources from multiple control frameworks has led us to be somewhat critical of the existing architecture for resource allocation. We have expressed these views in earlier documents. This quarter we provided constructive ways forward that address our concerns, and continue to argue for their uptake.

Our work with the Japanese continues as well with an informational and personnel exchnage, aimed at both producing prototype code and sharing perspectives. Though interrupted by recent events in Japan, the collaboration continues to move forward.

We summarize those accomplishments below.

ABAC/GENI Integration

We have been extolling the benefits of the ABAC authorization system and our implementation of it for some time, and this quarter we took steps to prove that a large scale integration with GENI is technically and practically feasible. This has taken the form of demonstrations, documentation and trial integrations that have led to a commitment to integrating ABAC into a GENI control framework (ProtoGENI) over the next year.

One of the important trial integrations was with the GENIAPI AM code, the purpose of which was showing that exising implementations of both the AM and ABAC were mature enough to work together. Though most of the coding was undertaken last quarter, the code (and more importantly the documentation) was made available early this quarter. This proceeded as expected, showing that the code functions and interoperates correctly, and in the process important contacts and informational exchanges were accomplished between TIED staff and GPO staff.

We both encoded GENI policy into ABAC credentials and produced an explanatory document describing both the GENI policy and the ABAC encoding of it that has proven powerful in explaining the problem and ABAC's role in its solution. In preparing the integrated AM code, we technically demonstrated this capability, so we took advantage of the second milestone to both provide a more comprehensive encoding of GENI policy and to provide a comprehensive documentation of that encoding. That document has been the basis for many ongoing discussions among GENI implementers and was part of the basis for the agreement reached at GEC10.

Finally, in conjunction with GPO staff and Steve Schwab, the GENI security architect, TIED staff were instrumental in forging an agreement to integrate ABAC with an GENI CF - ProtoGENI - this year. This entailed several discussions and presentations at GEC10.

ABAC Developement

ABAC is a multi-platform implementation of our authorization system that is missing a system for administrators to interpret and create credentials encoding a policy or proof. This quarter we extended our existing credential browser significantly to display policies and proofs in clearer ways as well as to provide the crytpographic representations of those credentials. That browser was demonstrated at GEC10.

As a side effect of that broswer development, which was carried out in Java, we now have an interoperable implementation in Java. Our initial plan was to use our existing multi-platform tool - swig - to produce a Java implementation, but swig-generated code proved too unstable. A native-java implementation was developed and is integrated into the most recent ABAC release (0.1.3). Orca developers who work in java are currently taking that code up.

In addition, the ABAC libraries with Java support are being integrated into the GENI Integration release 3.1.

Interface Discussions

This quarter saw circulation of a document discussing missing pieces of the GENIAPI interface, primarily concerned with missing interfaces that impede interoperability between control frameworks. We identified these problems when designing plug-ins to allocate resources across control frameworks using TIED's federation system. This document describes our suggestions for steps forward to improve the situation.

We have circulated the document privately among the key GENI and GPO developers and then released it to the control framework mailing list. It continues to generate discussion and debate.

International Collaboration

As we have reported earler, TIED is collaborating with several Japanese research agencies on federating testbeds using TIED and GENI technologies.The organizations are the Nara Institute of Science and Technology (NAIST) working with Prof. Suguru Yamaguchi, the Japan Advanced Institute of Science and Technology (JAIST), working with Yoichi Shinoda and Prof. Tetsuo Wasano, and the Univeristy of Tokyo, working with Prof. Yuji Sekiya. The ISI investigators are John Wroclawski (PI) and Bill Manning.

There are four goals of this collaboration:

  • Prototyping a TIED plug-in for access to the Japanese StarBed facility
  • Demonstrating two cooperative seed research projects
  • Demonstrating research enabled by federation
    • One group plans to access the BGPMUX in ProtoGENI from StarBed using the TIED plug-in developed above
  • Student Exchanges

We advanced the first and last of these goals this quarter by sending TIED staffer Mike Ryan to Japan for several weeks. Mike took part in WIDE camp and spent time learning the details of the StarBed model as well as educating his Japanese counterparts in the TIED model of federation. Though Mike's stay was interrupted, the collaboration and co-development is continuing.

Project participants

  • Individuals directly supported by TIED award:
    • John Wroclawski, PI
    • Ted Faber, Research Computer Scientist
    • Tom Lehman, Research Computer Scientist
  • Individuals contributing to the project with outside support:
    • Jelena Mirkovic, ISI Research Computer Scientist
    • Mike Ryan, ISI Systems Programmer
    • Jay Jacobs, Cobham Systems Programmer
    • Brett Wilson, Cobham Systems Programmer
    • Bill Manning, Research Staff Member
  • International Collaborators
    • Prof. Suguru Yamaguchi, Graduate School of Information Science, Nara Institute of Science and Technology (NIAST)
    • Yoichi Shinoda, Internet Research Center, Japan Advanced Institute of Science and Technology (JAIST) and Horuriku Research Center, National Institute of Incormation and Communications Technology (NICT)
    • Prof. Tetsuo Wasano, Internet Research Center, Japan Advanced Institute of Science and Technology (JAIST)
    • Prof. Yuji Sekiya, University of Tokyo