Changes between Version 4 and Version 5 of FeddGeniUseCases


Timestamp:
Nov 13, 2009 5:41:33 PM
Author:
faber

  • FeddGeniUseCases

This separation of delegation has another significant benefit.  Researchers can combine or transfer slice authority.  A long-lived slice may change owners as the graduate student responsible for it graduates or a programmer changes jobs.  ABAC allows the slice to exert the attributes of the new "owner" by delegating a subset of that new owner's attributes to the slice (and allowing the old attribute delegations to time out).  If configuration of existing resources (and perhaps maintaining control of those resources) requires different attributes, a professor or higher-ranking authority can create a slice, then pass control of it to a student or subordinate who has authority to maintain and configure the resources, but not to grow the slice.

In addition to simple delegation of slice control, ABAC allows a slice to be imbued with attributes from more than one principal, directly.  A slice can be given delegated power to carry out operations that neither principal can do alone.

== Examples ==

To demonstrate the expressive power of ABAC in GENI terms, we lay out several example policies as ABAC configurations.  Notation follows the ABAC papers:

 '''P1.attr <-- P2'''::
  Principal '''P1''' assigns attribute '''P1.attr''' to '''P2'''.  "'''P1''' says '''P2''' is '''attr'''."
 '''P1.attr1 <-- P2.attr2'''::
  Principal '''P1''' assigns attribute '''P1.attr1''' to all principals to which '''P2''' has assigned '''P2.attr2''', that is, all principals with attribute '''P2.attr2'''.  "'''P1''' says any principal that '''P2''' says is '''attr2''' is '''attr1'''."  Note that the '''attr1''' and '''attr2''' strings may be the same.  "GENI.researcher <-- DETER.researcher" encodes the policy that GENI recognizes all DETER researchers as GENI researchers.
 '''P1.attr1 <-- (P2.link_attr).attr2'''::
  Principal '''P1''' assigns attribute '''P1.attr1''' to any principal that some principal holding '''P2.link_attr''' asserts has '''attr2''' in that asserting principal's name space.  For example, if '''P3''' has the '''P2.link_attr''' attribute and '''P3''' assigns '''P4''' the '''P3.attr2''' attribute, then '''P1''' has assigned '''P4''' the '''P1.attr1''' attribute.  In effect, every principal with the '''P2.link_attr''' attribute has been granted authority to assign the '''P1.attr1''' attribute by assigning its local '''attr2''' attribute.  "GENI.researcher <-- (NSF.funded).researcher" encodes the policy that GENI recognizes all researchers funded by NSF (and issued an NSF.funded credential) as GENI researchers.
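To show how the three rule forms above combine into delegation chains, here is a small evaluator added as an example for this page; it is not fedd's or libabac's code.  It parses rules written in the notation above and computes the set of principals holding a given attribute by iterating to a least fixed point, so it terminates on cyclic rule sets and follows chains of any depth.  The two GENI rules are the ones from the text; the principals '''faber''', '''alice''', '''ISI''', '''BigCorp''' and '''mallory''' and their credentials are constructed for illustration.

```python
"""Tiny evaluator for the three ABAC rule forms used on this page.

Added example, not fedd or libabac code.  Rules are strings in the wiki
notation:  P1.attr <-- P2  |  P1.attr1 <-- P2.attr2  |  P1.attr1 <-- (P2.link).attr2
"""
import re
from collections import defaultdict

HEAD_RE = re.compile(r"^(\w+)\.(\w+)\s*<--\s*(.+?)\s*$")
LINKED_RE = re.compile(r"^\((\w+)\.(\w+)\)\.(\w+)$")
ROLE_RE = re.compile(r"^(\w+)\.(\w+)$")
MEMBER_RE = re.compile(r"^(\w+)$")


def parse_rule(text):
    """Return a tuple describing one rule, or raise ValueError on bad syntax."""
    m = HEAD_RE.match(text.strip())
    if not m:
        raise ValueError("not an ABAC rule: %r" % text)
    p1, attr1, body = m.groups()
    linked = LINKED_RE.match(body)
    if linked:
        p2, link_attr, attr2 = linked.groups()
        return ("linked", p1, attr1, p2, link_attr, attr2)
    role = ROLE_RE.match(body)
    if role:
        p2, attr2 = role.groups()
        return ("role", p1, attr1, p2, attr2)
    if MEMBER_RE.match(body):
        return ("member", p1, attr1, body)
    raise ValueError("unrecognised rule body: %r" % body)


def holders(rules):
    """Map (principal, attr) -> set of principals that hold it.

    Iterates to a least fixed point, so delegation chains of any depth and
    even cyclic rule sets (A.x <-- B.y, B.y <-- A.x) terminate.
    """
    held = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for rule in rules:
            kind, p1, attr1 = rule[0], rule[1], rule[2]
            if kind == "member":
                new = {rule[3]}
            elif kind == "role":
                new = set(held[(rule[3], rule[4])])
            else:
                # linked: every holder of P2.link_attr may grant P1.attr1
                # by assigning its own attr2 in its own name space
                _, _, _, p2, link_attr, attr2 = rule
                new = set()
                for p3 in list(held[(p2, link_attr)]):
                    new |= held[(p3, attr2)]
            if not new <= held[(p1, attr1)]:
                held[(p1, attr1)] |= new
                changed = True
    return held


def has_attribute(rules, principal, attr, who):
    """True if `who` is granted principal.attr under `rules`."""
    return who in holders(rules)[(principal, attr)]


# Constructed rule set: the two GENI policies from the text plus
# illustrative local credentials that make them fire (or not).
EXAMPLE_RULES = [parse_rule(r) for r in [
    "GENI.researcher <-- DETER.researcher",         # from the text
    "GENI.researcher <-- (NSF.funded).researcher",  # from the text
    "DETER.researcher <-- faber",                   # DETER says faber is a researcher
    "NSF.funded <-- ISI",                           # NSF issues ISI an NSF.funded credential
    "ISI.researcher <-- alice",                     # ISI, being NSF.funded, can name GENI researchers
    "BigCorp.researcher <-- mallory",               # BigCorp is not NSF.funded: no path to GENI
]]

if __name__ == "__main__":
    print(sorted(holders(EXAMPLE_RULES)[("GENI", "researcher")]))
```

The linked rule is the one to watch when writing policy: it hands every holder of '''NSF.funded''' the power to mint GENI researchers, so whoever controls the '''NSF.funded''' credential effectively controls GENI.researcher membership.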

=== Three Level Names ===

The initial fedd [FeddAbout#GlobalIdentifiers:Three-levelNames three-level name] system of authentication allowed testbeds to make access control decisions based on the user and project identifiers that a testbed asserted about a requesting user.  The request was made on behalf of that user by fedd, with later requests made on behalf of the allocation created above.  The fedd representing a testbed was identified by its [FeddAbout#GlobalIdentifiers:Fedids fedid], which anchored the attributes, asserted as a triple.

The [FeddDatabases#AccessComponentAccessDB access control database] section gives examples of how to express and configure access control based on these options.  Three relevant examples are:

{{{
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (TIED, <same>, <same>)
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> (TIED, faber, <same>)
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> (TIEDadmin, faber, <same>)
}}}

An access controller on an Emulab-based testbed configured with those lines would grant any user that the testbed fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea (let's call it deterlab.net) asserted was in the Deter project access to the local testbed, and map that user into the local TIED project with the same username (ignore the second username for now).  If that same testbed asserted that the requesting username was faber, in any project, the local testbed would allow access and map that user into the local TIED project with username faber.  If the testbed asserted that the requesting project was Deter and the requesting username was faber, access would be permitted and the user mapped to the local TIEDadmin project with local username faber.  The most specific match wins; requests that match no line are not allowed access.
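The matching rules in that paragraph are easy to get subtly wrong, so here is a matcher for this rule format, added as an example for this page rather than taken from fedd itself.  It parses lines in the form shown above, treats '''<any>''' as a wildcard on the request side and '''<same>''' as "copy the corresponding field from the request" on the result side, and picks the line with the fewest wildcards.  Two choices are this example's own, not documented fedd behaviour: a tie between equally specific lines is treated as a deny (fail closed), and the third result field, which the text says to ignore for now, is filled from the requesting username when it is '''<same>'''.  The rule lines are a constructed copy of the three above.

```python
"""Matcher for fedd-style three-level-name access rules.

Added example for this page, not fedd's own code.  Rule lines have the form
    (fedid, project, user) -> (local_project, local_user, second_user)
with <any> as a wildcard on the left and <same> meaning "copy from the
request" on the right.  The most specific match (fewest <any>) wins;
no match, or a tie, is a deny (the tie rule is this example's choice).
"""
import re

RULE_RE = re.compile(r"^\(([^)]*)\)\s*->\s*\(([^)]*)\)$")
ANY, SAME = "<any>", "<same>"


def parse_access_db(text):
    """Parse rule lines into a list of (pattern_triple, result_triple)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("malformed access rule: %r" % line)
        pattern = tuple(f.strip() for f in m.group(1).split(","))
        result = tuple(f.strip() for f in m.group(2).split(","))
        if len(pattern) != 3 or len(result) != 3:
            raise ValueError("rule needs two triples: %r" % line)
        rules.append((pattern, result))
    return rules


def lookup(rules, fedid, project, user):
    """Return (local_project, local_user, second_user), or None to deny."""
    request = (fedid, project, user)
    best, best_spec, tie = None, -1, False
    for pattern, result in rules:
        if all(p == ANY or p == r for p, r in zip(pattern, request)):
            spec = sum(1 for p in pattern if p != ANY)  # non-wildcard fields
            if spec > best_spec:
                best, best_spec, tie = result, spec, False
            elif spec == best_spec:
                tie = True
    if best is None or tie:
        return None  # no line matched, or two equally specific lines did
    # <same> copies the request field for that position: project, user, and
    # (assumption for the ignored third field) the user name again.
    source = (project, user, user)
    return tuple(s if r == SAME else r for r, s in zip(best, source))


# Constructed copy of the three lines shown above.
EXAMPLE_DB = """
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (TIED, <same>, <same>)
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> (TIED, faber, <same>)
(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> (TIEDadmin, faber, <same>)
"""
DETERLAB = "fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea"

if __name__ == "__main__":
    rules = parse_access_db(EXAMPLE_DB)
    for req in [(DETERLAB, "Deter", "bob"), (DETERLAB, "Other", "faber"),
                (DETERLAB, "Deter", "faber"), (DETERLAB, "Other", "bob"),
                ("fedid:0000000000000000000000000000000000000000", "Deter", "faber")]:
        print(req, "->", lookup(rules, *req))
```

Note that the fedid is the trust anchor: a request asserting project Deter and user faber from a fedid that is not deterlab.net matches nothing and is denied, however plausible the names look.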

On the experiment controller side, lines like the following configure assignment of attributes to users:

{{{
fedid:1234567890abcdef1234567890abcdef12345678 -> faber
fedid:fedcba0987654321fedcba0987654321fedcba09 -> (Deter, faber)
}}}

These lines map the first user (with the ascending fedid) to the faber username and the second (with the descending one) to
both the faber username and the Deter project.  If contacting a