Changes between Version 3 and Version 4 of FeddABAC


Ignore:
Timestamp:
Jan 16, 2011 5:07:10 PM (13 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • FeddABAC

    v3 v4  
    55This page describes the use of ABAC with fedd, concentrating on using the transition tools to create initial ABAC credential stores from which to run fedd.  In order to get the most from this page, you should be familiar with
    66
     7 * [FeddAbout#GlobalIdentifiers:Three-levelNames three-names] and [FeddAbout#GlobalIdentifiers:Fedids fedids]
    78 * [http://groups.geni.net/geni/wiki/TIEDABACModel The ABAC model] as it is used by DETER.
    89  * There is a [http://groups.geni.net/geni/wiki/TIEDABACDemo worked example] that can be helpful here
     
    2425The experiment controller can operate in two modes, as an experiment controller dedicated to use by a single user, or as a service on behalf of multiple users.  In the first case the controller acts as the same principal as the user commands.  Essentially the experiment controller is a command run by the single user.  In the second case a common piece of infrastructure acts as an experiment controller for many users.  Because this fedd acts as a distinct principal, some additional delegation is required to make the access control reasonable.
    2526
    26 When the experiment controller is run as a service, it acts as a separate principal for the purposes of experiment creation, and the user and the controller negotiate what principal the controller will act as when making resource allocations from access controllers.  This allows a user to delegate a subset of attributes to the experiment principal and then allow the experiment controller to act as that principal.  (The experiment principal may have attributes delegated by multiple principals, if needed).  This extra principal is required to prevent the experiment controller from combining rights from multiple principals that did not intend it. 
     27When the experiment controller is run as a service, it acts as a separate principal for the purposes of experiment creation, and the user and the controller negotiate what principal the controller will act as when making resource allocations from access controllers.  This allows a user to delegate a subset of attributes to the experiment principal and then allow the experiment controller to act as that principal.  (The experiment principal may have attributes delegated by multiple principals, if needed).  This extra principal is required to prevent the experiment controller from combining rights from multiple principals that did not intend it.  The figure below shows this:
     28
     29[[Image(complex.png)]]
     30
     31When a user is running an experiment controller on their own behalf, like a utility program, the situation is much simpler.  Both experiment controller operations and experiment allocations are simply carried out as the user.  The user's fedid is specified for both the experiment controller's ID and the experiment ID, leading to the simpler situation below:
     32
     33[[Image(simple.png)]]
     34
     35