Changes between Version 6 and Version 7 of FeddGeniUseCases


Timestamp:
Dec 1, 2009 3:15:15 PM (15 years ago)
Author:
faber
Comment:

--

  • FeddGeniUseCases

    9999A simple way to encode these permissions is to map each local project, user tuple into an ABAC attribute.  For example, the local TIED, faber pair could be encoded as the ABAC principal fedid ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED_faber.  Because it is easier to think of setting up separate rules for usernames and projects, that attribute (denoting the pair) would probably be derived from a rule of the form:
    100100
     101{{{
    101102fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.TIED_faber <-- fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED and fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber
     103}}}
    102104
    103105Now consider the derivation of a project attribute for a local testbed with fedid:1111111111111111111111111111111111111111.  The rules above (that pretain to projects) become the following ABAC rules:
    104106
     107{{{
    105108fedid:1111111111111111111111111111111111111111:TIED <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.DETER).actfor
    106109fedid:1111111111111111111111111111111111111111:TIED <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber).actfor
    107110fedid:1111111111111111111111111111111111111111:TIEDadmin <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.DETER).actfor and (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber).actfor
     111}}}
    108112
    109113As we mention above, requests for resources are made by an experiment principal.  If that experiment principal has been delegated the actfor attribute by a prinicpal in the DETER project from the testbed with fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, it may be given access to the TIED group locally.  Similarly a user who both had the faber (username) and DETER (project) attributes from that testbed can be given access to the TIEDadmin group locally.  (The username and projectname semantics are by convention.  If the namespaces collide, or if this is unclear, conventions can be made to make those semantics explicit.)
     
    111115On the testbed that is granting the credentials - the one with fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea in this case - usernames and projects are assigned as ABAC credentials.  Using the same ascending and descending fedids as above, the ABAC looks like:
    112116
     117{{{
     118fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber <-- fedid:1234567890abcdef1234567890abcdef12345678
     119fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.DETER <-- fedid:fedcba0987654321fedcba0987654321fedcba09
     120fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber <-- fedid:fedcba0987654321fedcba0987654321fedcba09
     121}}}
    113122
     123ABAC credentials must also be issued to allow the user to create an experiment with the experiment controller:
     124
     125{{{
     126fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.create <-- fedid:1234567890abcdef1234567890abcdef12345678
     127fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.create <-- fedid:fedcba0987654321fedcba0987654321fedcba09
     128}}}
     129
     130Now to create a resource and allocate resources to it, an experimenter (fedid:fedcba0987654321fedcba0987654321fedcba09) contacts the experiment controller (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea) and is allowed to create an experiment because the experimenter has the fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.create credential.  The experiment controller replies with the fedid of the new experiment (e.g. fedid:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee).  The experimenter now delegates their attributes to the experiment bi issuing the following credential:
     131
     132{{{
     133fedid:fedcba0987654321fedcba0987654321fedcba09.actfor <-- fedid:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
     134}}}
     135
     136Now the experimenter requests resources from the experiment contoller (including the new credential in the request), who acts as the experiment principal and makes the resource request from the testbed access controller (potentially including the credentials).  The access controller is able to prove that this experiment has the fedid:1111111111111111111111111111111111111111:TIEDadmin_faber attribute and can use the project/username pair TIEDadmin, faber.
     137
     138That proof looks like this (in the notation introduced in our [http://groups.geni.net/geni/wiki/TIEDABACModel earlier description of the model]):
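Review bot: the last paragraph says the access controller can prove fedid:1111111111111111111111111111111111111111:TIEDadmin_faber, but no rule in this change derives that attribute; the local rules for fedid:1111111111111111111111111111111111111111 only derive TIED and TIEDadmin, and the pair-encoding rule shown earlier exists only for fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea (TIED_faber). Either add the two missing local rules, along the lines of `fedid:1111111111111111111111111111111111111111:faber <--- (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber).actfor` and `fedid:1111111111111111111111111111111111111111:TIEDadmin_faber <--- fedid:1111111111111111111111111111111111111111:TIEDadmin and fedid:1111111111111111111111111111111111111111:faber`, or have the sentence claim only the TIEDadmin attribute that the shown rules actually support. Separately, the separator between a principal and its attribute alternates between `:` and `.` within single rules (for example `fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea:TIED` beside `fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea.faber` in the TIED_faber rule); settle on one form so the credentials read as the same syntax the proof section will use.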