Changes between Initial Version and Version 1 of FeddGeniUseCases


Timestamp: Oct 29, 2009 12:02:44 PM
Author: faber
Comment: checkpoint

= TIED / ABAC Architecture and Applications =

We discuss the general architecture for applying [http://www.isso.sparta.com/research_projects/security_infrastructure/abac_overview.html Attribute Based Access Control] (ABAC) to the TIED/GENI system.  We lay out the general architecture of the authorization system and then provide worked examples of how the system can be configured to implement several access control systems, including the DETER Federation Architecture (DFA) [FeddAbout#GlobalIdentifiers:Three-levelNames three level naming system], a centralized (but fairly scalable) GENI certification system, and the several Slice Based Architecture (SBA) scenarios discussed in the [http://www.cs.princeton.edu/~llp/geniwrapper.pdf PlanetLab GENI SFA design document].  We also describe how the ABAC realization of these policies is more expressive than the existing proposals.

ABAC proves attributes about principals scalably and expressively, according to well-defined semantics.  We have described the [http://groups.geni.net/geni/wiki/TIEDABACModel basic operation of ABAC] elsewhere.  This document outlines the ABAC principals, how they relate to GENI actors, and illustrates the flow of operations and authentication information in slice manipulation.

We treat the ABAC authorization negotiations as happening outside the simple request-response paradigm of the various GENI SBA interfaces.  We believe this is correct for two reasons:

 * Though many authorization decisions will be as simple as checking credentials supplied by the requester, some will be more complex and require actors to gather information from other sources, or to exchange more information about one another before releasing all of it; all of this is supported by ABAC.  By separating these interactions from the simple SBA operations, we leave room for the more complex interactions when we need them, while keeping simple interactions simple.

 * We expect that other GENI systems and subsystems will find these operations useful, for example for granting access to the measurement subsystems or OMIS data.  Separating the authorization system insulates the concerns of an authorization system from those of the system being operated on.
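
The two cases in the first point above, a decision settled by the credentials the requester supplied and one that needs credentials gathered from elsewhere, can be made concrete with a small RT0-style prover.  The following is an added example written for this page; it is not code from the TIED/ABAC project.  The issuers ("am", "clearinghouse", "univ"), the roles ("pi", "can_create_slice", "slice_creator", "faculty") and the principals are hypothetical, and the credentials are unsigned stand-ins: a real deployment verifies each credential's signature before admitting it to the credential set.

```python
# Added example (not part of the TIED/ABAC wiki page or its code): a toy RT0-style
# attribute prover with a two-phase authorization step. Round 0 checks only the
# credentials the requester supplied plus local policy (the plain request-response
# case); later rounds, reached only when round 0 cannot decide, pull further
# credentials from other issuers and re-check (the negotiation case).
# Names such as "am", "clearinghouse", "univ", "pi", "can_create_slice" are
# hypothetical. Signature checking is assumed to have happened before a
# credential is admitted to the credential set; it is not modelled here.
from dataclasses import dataclass


@dataclass(frozen=True)
class Credential:
    """RT0 credential 'issuer.attribute <- subject'. The subject is either a
    principal name ("alice") or another role ("univ.faculty"), which delegates."""
    issuer: str
    attribute: str
    subject: str


def proves(issuer, attribute, principal, creds, seen=frozenset()):
    """True if `creds` contain a delegation chain showing `principal` holds
    issuer.attribute. `seen` guards against mutually delegating roles."""
    goal = (issuer, attribute, principal)
    if goal in seen:
        return False
    seen = seen | {goal}
    for c in creds:
        if (c.issuer, c.attribute) != (issuer, attribute):
            continue
        if c.subject == principal:
            return True                      # direct membership credential
        if "." in c.subject:                 # delegation to other.role
            other, role = c.subject.split(".", 1)
            if proves(other, role, principal, creds, seen):
                return True
    return False


def needed_roles(issuer, attribute, creds, seen=frozenset()):
    """All (issuer, role) pairs reachable from the goal through delegation
    credentials in `creds`: the roles whose membership credentials, if
    obtained, could complete a proof."""
    goal = (issuer, attribute)
    if goal in seen:
        return set()
    seen = seen | {goal}
    roles = {goal}
    for c in creds:
        if (c.issuer, c.attribute) == goal and "." in c.subject:
            other, role = c.subject.split(".", 1)
            roles |= needed_roles(other, role, creds, seen)
    return roles


def authorize(goal, principal, supplied, policy, fetch, max_rounds=3):
    """Return ("allow" | "deny", number of externally fetched credentials).
    Round 0 is the simple check; further rounds only run when it fails."""
    creds = set(policy) | set(supplied)
    fetched = 0
    for _ in range(max_rounds + 1):
        if proves(goal[0], goal[1], principal, creds):
            return "allow", fetched
        new = set()
        for iss, role in needed_roles(goal[0], goal[1], creds):
            new |= set(fetch(iss, role)) - creds
        if not new:                          # nothing more to learn: give up
            break
        fetched += len(new)
        creds |= new
    return "deny", fetched


# Constructed sample data. Local policy of a hypothetical aggregate manager "am":
# a slice may be created by am's own PIs or by anyone the clearinghouse vouches for.
AM_POLICY = [
    Credential("am", "can_create_slice", "am.pi"),
    Credential("am", "can_create_slice", "clearinghouse.slice_creator"),
]

# What the hypothetical clearinghouse releases on request (a stand-in for
# contacting another issuer or asking the requester for more credentials).
CLEARINGHOUSE_RELEASES = {
    ("clearinghouse", "slice_creator"): [
        Credential("clearinghouse", "slice_creator", "univ.faculty"),
    ],
}


def fetch_external(issuer, role):
    return CLEARINGHOUSE_RELEASES.get((issuer, role), [])


GOAL = ("am", "can_create_slice")

if __name__ == "__main__":
    # alice holds a local PI credential: decided in round 0, no outside contact
    print(authorize(GOAL, "alice", [Credential("am", "pi", "alice")], AM_POLICY, fetch_external))
    # bob only shows univ.faculty: allowed after one clearinghouse credential is fetched
    print(authorize(GOAL, "bob", [Credential("univ", "faculty", "bob")], AM_POLICY, fetch_external))
    # carol shows nothing: the negotiation exhausts its sources and denies
    print(authorize(GOAL, "carol", [], AM_POLICY, fetch_external))
```

The count returned alongside the decision is the point of the example: the request that carries a sufficient credential never causes the authorizer to contact anyone else, while the request that does not is escalated into the richer exchange, and that exchange is bounded by `max_rounds` and by the `seen` guard against cyclic delegation so that a badly formed policy cannot make the authorizer loop.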
     12
== TIED Authorization Architecture ==