Post on 17-Jan-2016
Authorizing Slice Creation
How ABAC Coordinates Distributed Authorization
Alefiya Hussain alefiya.hussain@sparta.com
TIED Joins GENI
How does TIED get to know GENI users?
• Keeping local ABAC policy the same (there are many other ways too)
  – Sharing known attributes
  – Discovery of partner policy changes
  – Coordinating with new partners
The Players
TIED, the resource owner, provides equipment and establishes high-level policies for utilization
Alex, the researcher, received a GENI award and wants to use the substrate for experiments
GENI, the coordinator/certifier, asserts attributes for these new principals
The Players: GENI, TIED, Alex
GENI defines various attributes to manage groups of people
Defines groups such as researchers, gradStudents, vendors, ...
And publishes facts about them: Alex is a GENI researcher
The Players: GENI, TIED, Alex
TIED learns about GENI's facts and incorporates them into its local authorization policy
So TIED publishes a fact: All GENI researchers can create slices on TIED
Thus it delegates some resource control to GENI
The Players: GENI, TIED, Alex
Alex learns he needs to identify himself as a researcher to create a slice
ABAC Enables the Players
TIED (Slice Manager, ABAC)
Alex: I want to create a slice?
GENI.researcher ← Alex
TIED Local Policy: If you are a GENI researcher, you can create a slice. TIED.createSlice ← GENI.researcher
GENI
GENI Welcome Package: A researcher credential is sent to Alex
ABAC Negotiation Grants Access
TIED (Slice Manager, ABAC)
GENI.researcher ← Alex
TIED.createSlice ← GENI.researcher
1. Sends request with cred + key.
2. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← Alex. Grants Access
Summary: Alex creates a slice
GENI added Alex to the researcher attribute space
TIED uses GENI's credential (GENI.researcher) to authorize users to create slices
GENI expands its attribute space
• Keeping local ABAC policy the same
  – Sharing known attributes
  – Discovery of partner policy changes
  – Coordinating with new partners
The Players: GENI, TIED, Bob
GENI decides gradStudents are also a kind of researcher
So, GENI publishes a new fact: All gradStudents are also researchers
The Players: GENI, TIED, Bob
Policy at TIED does not change: TIED.createSlice ← GENI.researcher
TIED is unaware of the change
The Players: GENI, TIED, Bob
• Bob identifies himself as a gradStudent to TIED
ABAC Enables the Players
TIED (Slice Manager, ABAC)
TIED.createSlice ← GENI.researcher
1. I want to create a slice?
GENI (Registry)
GENI.gradStudent ← Bob
GENI.researcher ← GENI.gradStudent
TIED discovers credentials
TIED (Slice Manager, ABAC)
TIED.createSlice ← GENI.researcher
GENI (Registry)
1. I want to create a slice?
2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? ← GENI.gradStudent ← Bob. Need more information from GENI
TIED discovers credentials
TIED (Slice Manager, ABAC)
TIED.createSlice ← GENI.researcher
GENI (Registry)
1. I want to create a slice?
2. ABAC proof construction fails
3. Is Bob a researcher?
4. I don't know, but here are some relevant credentials: GENI.researcher ← GENI.gradStudent
5. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← GENI.gradStudent ← Bob. Grants Access
Summary: Bob creates the slice!
• No policy impact on the resource provider
• TIED, the resource provider, learned relevant information from the external certifiers
GENI Coordinates with the NSF
• Keeping local ABAC policy the same
  – Sharing known attributes
  – Discovery of partner policy changes
  – Coordinating with new partners
Chloe wants to create a slice
• Chloe is an NSF NeTS FIND researcher
The Players: NSF, GENI, TIED, Chloe
NSF makes each program initiative a principal
  – FIND, CISE
NSF assigns each initiative a program attribute: NSF.program ← FIND
Each initiative defines its own attribute space; specifically researcher attributes: FIND.researcher ← Chloe
The Players: NSF, GENI, TIED, Chloe
GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers
GENI publishes a new fact: All NSF program researchers are also GENI researchers
This is expressed as a linked credential: GENI.researcher ← NSF.program.researcher
The Players: NSF, GENI, TIED, Chloe
• TIED has no policy changes
• Chloe identifies herself as a FIND researcher to TIED
ABAC Enables the Access
TIED (Slice Manager, ABAC)
TIED.createSlice ← GENI.researcher
NSF
FIND.researcher ← Chloe
NSF.program ← FIND
1. I want to create a slice?
2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ?; FIND.researcher ← Chloe; NSF.program ← FIND. Need more information from GENI
ABAC Enables the Access
TIED (Slice Manager, ABAC)
TIED.createSlice ← GENI.researcher
GENI
1. I want to create a slice?
2. ABAC proof construction fails
3. Do you know the NSF?
4. Yes, here are some relevant credentials: GENI.researcher ← NSF.program.researcher
5. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe. Grants Access
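The three negotiations in these slides (Alex, Bob and Chloe), as an added Python example that is not part of the deck or of any GENI software: a small RT0-style prover that chains credentials the way the ABAC component does, including the linked credential GENI.researcher ← NSF.program.researcher, and that asks the issuer for more credentials when the first proof attempt fails. The credential sets, the geni_lookup registry stand-in and the request_slice helper are constructed for illustration.

```python
class AbacEngine:
    """RT0-style prover. Credentials are (head_role, body) pairs: ("GENI.researcher", "Alex")
    means GENI.researcher <- Alex; a body may be a role (B.r1) or a linked role (B.r1.r2)."""
    def __init__(self, credentials, discover=None):
        self.creds = set(credentials)
        self.discover = discover  # callback(role) -> credentials its issuer knows
        self.visited = set()      # roles touched while searching for a proof

    def prove(self, role, principal, seen=frozenset()):
        """Return the credential chain showing `principal` is in `role`, else None."""
        if role in seen:          # cycle guard for mutually delegating roles
            return None
        seen = seen | {role}
        self.visited.add(role)
        for head, body in sorted(c for c in self.creds if c[0] == role):
            parts = body.split(".")
            if len(parts) == 1 and body == principal:        # A.r <- Alex
                return [(head, body)]
            if len(parts) == 2:                              # A.r <- B.r1
                sub = self.prove(body, principal, seen)
                if sub:
                    return [(head, body)] + sub
            if len(parts) == 3:                              # A.r <- B.r1.r2 (linked role)
                b_r1, r2 = ".".join(parts[:2]), parts[2]
                names = {h.split(".")[0] for h, _ in self.creds} | {b for _, b in self.creds if "." not in b}
                for c in sorted(names):                      # for each C in B.r1 ...
                    link = self.prove(b_r1, c, seen)
                    sub = link and self.prove(f"{c}.{r2}", principal, seen)  # ... is principal in C.r2?
                    if sub:
                        return [(head, body)] + link + sub
        return None

    def authorize(self, role, principal):
        """Slide steps 2-5: prove; on failure ask the issuers of the roles reached
        for more credentials ('Is Bob a researcher?') and retry once."""
        self.visited.clear()
        proof = self.prove(role, principal)
        if proof is None and self.discover:
            for r in sorted(self.visited):
                self.creds.update(self.discover(r))
            proof = self.prove(role, principal)
        return proof

# Constructed credential sets mirroring the slides (not real GENI data).
TIED_POLICY = {("TIED.createSlice", "GENI.researcher")}
GENI_REGISTRY = {("GENI.researcher", "GENI.gradStudent"), ("GENI.researcher", "NSF.program.researcher")}
def geni_lookup(role):  # stand-in for GENI answering "here are some relevant credentials"
    return {c for c in GENI_REGISTRY if c[0] == role}
def request_slice(user, presented):  # TIED's slice manager: local policy + what the user sent
    return AbacEngine(TIED_POLICY | set(presented), geni_lookup).authorize("TIED.createSlice", user)
```

The returned list is the proof chain TIED would log for the grant; a None result is the "proof construction fails" outcome with nothing further learned from GENI.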
Summary
• ABAC can express complex relationships between principals
  – Through principal delegation
  – Through attribute-based delegation
• Local policy at the resource provider need not change
• Many entities can coordinate complex policy
• End user is insulated from policy details