Download - GENI Wiki

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
Document related concepts

PRINCE2 wikipedia , lookup

Transcript 
Duke Systems
Authorization Framework: Status
Jeff Chase
Duke University
ABAC in GENI
• ABAC is a powerful declarative representation that
can capture the GENI authorization/trust model.
• It saves a lot of code, provides a rigorous foundation,
and preserves flexibility for future innovation.
• It should be easy for users, although we need some
better tools there. (E.g., to delegate rights.)
• Libabac “works off the shelf” (RT0 does...RT2 too)
• In progress: policies for safe operational deployment.
• New http://groups.geni.net/geni/wiki/AuthStoryBoard
GEC-12 Auth Session
End-to-end credential flow
Cloud-Based Credential Store
Issue
project x
credentials
Issue user
credentials
IdP
1
Register
user
Issue
slice s
credentials
PA
2
SA
Create
project
3
Delegate
4
Create
slice
in x
5
Create
sliver
in s
Policy mobility: a scenario
SA
Only the
creator of a
slice s may
create a sliver
for s...
....or a delegate
of the creator...
AM
Create
sliver for
slice SA.s
SA.creator_sT
Subject to the
policies of the
project that
contains the
slice.
IdP.geniUserT
Anyone can
create a sliver
for a slice SA.s
if s was
approved by an
SA I trust, and
the request
conforms to
slice policies.
Multi-federation?
AM
AM
AM
AM
An aggregate might choose to affiliate with multiple federations.
Multi-federation
To the extent that AMs overlap in the coordination services they
affiliate with, those services should work to coordinate them…
…even if the aggregate’s
affiliation is not exclusive.
AM
AM
AM
Multi-federation
Federations may merge or split. There might be multiple
instances of each kind of service within a federation.
AM
AM
AM
AM
To the extent that AMs affiliate with shared coordination
services, those services should work to coordinate those AMs.
I stopped there...the rest is
background.
IdP: Identity
Provider
1
PA: Project
Authority
2
4
IdP
Register
user
Verify user
identity, obtain
attributes,
check that user
is qualified,
execute
agreement.
SA: Slice
Authority
PA
Create
project
Verify that user
is authorized to
create project
and act as
project leader.
3
Delegate
project
membership
SA
Create
slice
in x
Verify that
project x is
valid and user
is authorized to
create slice in
project x.
Create
sliver in
in s
AM
5
Verify that slice s is
valid and user is
authorized to request
resources for s.
It’s all about credential flow
1
2
4
IdP
Register
user
PA
Create
project
Project x
created
user
registered
Issue user
credentials
Issue project
credentials
SA
Create
slice
in x
Slice s
created
Issue slice
credentials
3
Delegate
project
credentials
AM
Create
sliver in
in s
5
Policy mobility: a scenario
SA
Only the
creator of a
slice s may
create a sliver
for s...
....or a delegate
of the creator...
AM
Create
sliver for
slice SA.s
SA.creator_sT
Subject to the
policies of the
project that
contains the
slice.
IdP.geniUserT
Anyone can
create a sliver
for a slice SA.s
if s was
approved by an
SA I trust, and
the request
conforms to
slice policies.
Policy mobility: a scenario
Any approved GENI user
who is also a faculty member
can create/lead a project.
Anyone can create a slice
for a project PA.x if x was
approved by a PA I trust,
and the request conforms
to project policies.
PA
SA
The project leader may
delegate membership in the
project to any GENI user.
Any project member may
create a slice for the project.
Only the creator of a slice s
may create a sliver for s, or
a delegate of the creator,
consistent with project
policies.
Cloud-based credential storage
• Concept: always-on, highly available credential store.
• The store is lightly trusted: it cannot forge credentials,
but we must trust it not to “forget” them.
Put issued credentials and
policies (certs) in the store.
Cert Store
Pass credentials by
reference in request.
See also: Conchord, CERTDIST
Get certs to
“cache or check”.
Server
GENI trust structure: overview (v1.0)
Users and
tools
GENI Operations
and Control
CH
Users create global
slices and request
aggregates to bind
local resources to
those slices.
Bidirectional
trust based on
agreements
AM
AM
AM
AM
Principals are users and organizations, and tools or
servers acting on their behalf.
GENI trust structure: overview (v2.0)
• Each of these entities may:
GENI “clearinghouse”
– Speak with its own keypair.
GOC
– Wield credentials.
– Produce/consume credentials.
• There are limited trust
relationships among them.
• Trust reflects agreements, and
is limited by their scope.
• Credentials capture this trust.
GMOC
AM
AMs trust the
coordinators,
transitively.
I&M
AM
• Trust may be transitive.
• Transitive trust is inferred
from facts and policy rules.
Example coordinators:
identity and authorization
services for a federation.
Declarative trust structure
• This is a trust graph.
– Edges represent partial trust by
source entity in the target.
GOC
• We can capture trust graphs
in a delegation logic.
GMOC
I&M
o Some out-edges are facts given
by an entity’s local operator.
o The others are inferred locally
by applying locally accepted
policy rules to facts.
AM
AM
Given a suitable trust management framework the trust delegations
and policies for inferring trust (by finding trust paths) may be
specified declaratively and checked automatically.
Related documents
Day 52
Day 52
5 E`s Lesson Components
5 E`s Lesson Components
Pizza Slice Earth
Pizza Slice Earth
Volume computation - Harvard Math Department
Volume computation - Harvard Math Department
The Law of Demand - Brunswick City Schools
The Law of Demand - Brunswick City Schools
Exam 3 Solutions
Exam 3 Solutions
Virtual Memory Systems
Virtual Memory Systems
comprehensive quality control of nmr tomography using 3d printed
comprehensive quality control of nmr tomography using 3d printed
Chapter 20, Section 1 What is Demand? (448-451)
Chapter 20, Section 1 What is Demand? (448-451)
Name
Name