Changes between Version 2 and Version 3 of FeddGeniUseCases


Timestamp: Oct 29, 2009 2:53:11 PM (15 years ago)
Author: faber
Comment: --

  • FeddGeniUseCases

    v2 v3  
    1515== TIED Authorization Architecture ==
    1616
     17The TIED authorization architecture brings together the GENI actors who participate in slice allocation and a set of ABAC prinicpals and attributes and rule.  The attributes and rules vary with policy (and some policies require more principals than the simple ones), but the core principals in the exchanges remain the same.  The GENI actors are:
     18
     19 * A researcher who wants to create a slice
     20 * A slice manager that will coordinate creation of a slice
     21 * The slice to which resources will be attached
     22 * The various resource contollers - aggregates and components
     23
     24One can blur the line between the slice manager and the researcher, but it somewhat aids the intuition and mapping to the existing models to make it explicit.
     25
     26Each of these is also an ABAC principal.  It is pretty obvious that most of these are principals who take part in the authorization decisions.  It may be surprising that the slice is a principal; it is helpful to have that principal available as a delegation point.  An ABAC principal is the object of an assertion or a delegation, and it is helpful to have a principal to which the researcher and other authorization players can delegate, rather than vesting all slices a researcher is creating with the researcher's full credentials or vesting the slice manager with the union of all the principals' credentials (that they choose to delegate to slices) that it manages slices for.  This should be clearer as we walk through the operation below.
     27
     28[[Image(GENI_ABAC.png)]]
     29
     30== Flow of operations ==
     31
     32The basic operations in using a slice or running an experiment are:
     33
     34 1. Create an empty slice from the slice manager (slice manager checks researcher credentials)
     35 2. Researcher delegates attributes to the slice
     36 3. Slice manager add or configure slice resources from components/aggregates under direction of the researcher. (slice manager checks researcher authorization for operation, components check experiment authorization to resources).
     37
     38
     39
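Review bot: Step 3 of the new "Flow of operations" list says components check "experiment authorization", but the actor list added above defines no experiment principal, only the researcher, the slice manager, the slice and the resource controllers. If the slice principal is meant (the text describes it as the delegation point), write "slice authorization" so the component-side check is tied to the principal that receives the delegated attributes in step 2. Step 2 also does not say which attributes the researcher delegates or whether the delegation is scoped to that one slice, which matters given the stated goal of not vesting every slice with the researcher's full credentials; a sentence on that would help. Wording fixes in the same hunk: "Slice manager add or configure" should be "adds or configures", "prinicpals" should be "principals", "attributes and rule" should be "attributes and rules", and "contollers" should be "controllers".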