Changes between Version 5 and Version 6 of FeddGeniUseCases
Timestamp: Nov 30, 2009 6:12:39 PM (15 years ago)
Author: faber
Comment: --

  • FeddGeniUseCases

    v5 v6  
    6262  Principal '''P1''' assigns attribute '''P1.attr1''' to any principal that has attribute '''P2.link_attr''' asserts has '''attr2''' in that principal's name space.  For example if '''P3''' has the '''P2.link_attr''' attribute and '''P3''' assigns '''P4''' the '''P3.attr2''' attribute, '''P1''' has assigned it the '''P1.attr1''' attribute.  All principals with the '''P2.link_attr''' attribute have been granted authority to assign the '''P1.attr1''' attribute by assigning their local '''attr2''' attribute.  "GENI.researcher <-- (NSF.funded).researcher" encodes the policy that GENI recognizes all researchers funded by NSF (and issued an NSF.funded credential) as GENI researchers.
    6363
     64Conjunctions of attributes may also be used
     65
     66 '''P3.attr3 <-- P2.attr2 and P1.attr1'''::
     67  Printicpal '''P3''' assigns attribute '''P3.attr3''' to any principal possessing both '''P2.attr2''' and '''P1.attr1'''.
     68
    6469=== Three Level Names ===
    6570
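Review bot: the new rule definition at line 67 misspells "Principal" as "Printicpal", and the lead-in at line 64 ("Conjunctions of attributes may also be used") has no terminating punctuation; a colon would match how the rule is introduced. The unchanged context at line 62 also carries a garbled clause, "to any principal that has attribute '''P2.link_attr''' asserts has '''attr2''' in that principal's name space", which the worked P3/P4 example that follows it suggests should read "to any principal that a principal holding '''P2.link_attr''' asserts has '''attr2''' in its own name space"; since this hunk is already touching the surrounding text, it would be a good moment to fix that sentence too.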
     
    6974
    7075{{{
    71 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (TIED, <same>, <same>)
     76(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (TIED, duser, <same>)
    7277(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> (TIED, faber, <same>)
    7378(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> (TIEDadmin, faber, <same>)
    7479}}}
    7580
    76 An access controller on an emulab based testbed that was configured with those lines would grant any user that testbed fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea (let's call it deterlab.net) asserted was in the Deter project access to the local testbed and map it to the local TIED project with the same username (ignore the second username for now).  If that same testbed asserted that the requesting username was faber in any project the local testbed would allow access nd map that user into the local TIED project with username faber.  If the testbed asserted that the requesting project was Deter and the requesting username was faber, access would be permitted and the user mapped to the local TIEDadmin project with local username faber.  The most specific match wins and others are not allowed access.
     81An access controller on an emulab based testbed that was configured with those lines would grant any user that testbed fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea (let's call it deterlab.net) asserted was in the Deter project access to the local testbed and map it to the local TIED project with the duser (ignore the second username for now).  If that same testbed asserted that the requesting username was faber in any project the local testbed would allow access and map that user into the local TIED project with username faber.  If the testbed asserted that the requesting project was Deter and the requesting username was faber, access would be permitted and the user mapped to the local TIEDadmin project with local username faber.  The most specific match wins and others are not allowed access.
    7782
    7883On the experiment controller side, lines like the following configure assignment of attributes to users:
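Review bot: the added mapping at line 76, "(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (TIED, duser, <same>)", replaces the per-user "<same>" with a single fixed local username, so every remote Deter user who does not match a more specific line now lands in one shared local account; the paragraph at line 81 should say that explicitly rather than "map it to the local TIED project with the duser", which reads as a slip (e.g. "map it to the local TIED project as the shared local user duser"), because the shared-account mapping is the point of the change and it removes per-user accountability on the local side. The correction of "nd" to "and" in the same paragraph is fine. It would also help to say what "<same>" means in the third position now that the second position is no longer "<same>", since "(ignore the second username for now)" is the only hint the reader gets.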
     
    8489
    8590These lines map the first user (with the ascending fedid) to the faber username and the second (with the descending one) to
    86 both the faber username and the Deter project.  If contacting a
     91both the faber username and the Deter project.  This file controls which attributes are certified by an experiment controller.
     92
     93If the experiment controller with fedid ce90957dd5b7d20f9c3890c4599313b7f1cf31ea is configured as above, when it contacts a testbed access controller configured as above on behalf of the ascending fedid, that user would be mapped to project TIED, user faber.  Similarly, the descending one is mapped to project TIEDadmin, user faber.
     94
     95=== Three Level Names in ABAC ===
     96
     97In order to assign local privleges to a user under ABAC, the local access controller binds ABAC attributes to local resource controls and uses ABAC to prove that a principal requesting resources has those attributes.  For example, an access controller of an Emulab-based testbeds would assign ABAC attributes to project/user pairs and prove that requesting experiments had those attributes.  The assignment of attributes by the experiment conroller (or another testbed) would be controlled by that testbed, but the reasoning about those attributes is controlled by the local access controller.
     98
     99A simple way to encode these permissions is to map each local project, user tuple into an ABAC attribute.  For example, the local TIED, faber pair could be encoded as the ABAC principal fedid ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED_faber.  Because it is easier to think of setting up separate rules for usernames and projects, that attribute (denoting the pair) would probably be derived from a rule of the form:
     100
     101fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.TIED_faber <-- fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED and fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber
     102
     103Now consider the derivation of a project attribute for a local testbed with fedid:1111111111111111111111111111111111111111.  The rules above (that pretain to projects) become the following ABAC rules:
     104
     105fedid:1111111111111111111111111111111111111111:TIED <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.DETER).actfor
     106fedid:1111111111111111111111111111111111111111:TIED <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber).actfor
     107fedid:1111111111111111111111111111111111111111:TIEDadmin <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.DETER).actfor and (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber).actfor
     108
     109As we mention above, requests for resources are made by an experiment principal.  If that experiment principal has been delegated the actfor attribute by a prinicpal in the DETER project from the testbed with fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, it may be given access to the TIED group locally.  Similarly a user who both had the faber (username) and DETER (project) attributes from that testbed can be given access to the TIEDadmin group locally.  (The username and projectname semantics are by convention.  If the namespaces collide, or if this is unclear, conventions can be made to make those semantics explicit.)
     110
     111On the testbed that is granting the credentials - the one with fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea in this case - usernames and projects are assigned as ABAC credentials.  Using the same ascending and descending fedids as above, the ABAC looks like:
     112
     113
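Review bot: the ABAC rules in this new section use the attribute separator inconsistently, which matters if these lines are meant to be matched mechanically: line 101 mixes both forms in one rule, "fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.TIED_faber <-- fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED and fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber", and lines 105 to 107 write the local attributes as ":TIED" / ":TIEDadmin" with a three-dash "<---" while the rest of the page uses "." and "<--"; pick one form (the "P1.attr1" / "<--" form already established above) and use it throughout. Related consistency points: the project is "DETER" here but "Deter" in the mapping lines at 76 to 78; line 99 calls "fedid ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED_faber" an "ABAC principal" when, by the page's own P1.attr1 convention, it is an attribute of the principal fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea. The section also ends at line 111 with "the ABAC looks like:" and nothing following, so either the credential lines for the ascending and descending fedids still need to be added or the sentence should be dropped until they are. Spelling: "privleges", "conroller", "pretain", "prinicpal", and "an Emulab-based testbeds" should be singular.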