Transcript of "Authorizing Slice Creation: How ABAC Coordinates Distributed Authorization", Alefiya Hussain, alefiya.hussain@sparta.com

Page 1: Authorizing Slice Creation

How ABAC Coordinates Distributed Authorization

Alefiya Hussain, alefiya.hussain@sparta.com

Page 2: TIED Joins GENI

How does TIED get to know GENI users?

• Keeping local ABAC policy the same (there are many other ways too)
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

Page 3: The Players

TIED, the resource owner, provides equipment and establishes high-level policies for utilization

Alex, the researcher, received a GENI award and wants to use the substrate for experiments

Page 4: The Players

TIED, the resource owner, provides equipment and establishes high-level policies for utilization

Alex, the researcher, received a GENI award and wants to use the substrate for experiments

GENI, the coordinator/certifier, asserts attributes for these new principals

Page 5: The Players: GENI, TIED, Alex

GENI defines various attributes to manage groups of people

Defines groups such as researchers, gradStudents, vendors, ...

And publishes facts about them: Alex is a GENI researcher

Page 6: The Players: GENI, TIED, Alex

TIED learns about GENI's facts and incorporates them into its local authorization policy

So TIED publishes a fact: All GENI researchers can create slices on TIED

Thus it delegates some resource control to GENI

Page 7: The Players: GENI, TIED, Alex

Alex learns he needs to identify himself as a researcher to create a slice

Page 8: ABAC Enables the Players

(Diagram: TIED's Slice Manager runs ABAC; GENI is the certifier; Alex is the requester.)

Alex: I want to create a slice?

GENI.researcher ← Alex

TIED Local Policy: If you are a GENI researcher, you can create a slice. TIED.createSlice ← GENI.researcher

GENI Welcome Package: A researcher credential is sent to Alex

Page 9: ABAC Negotiation Grants Access

(Diagram: TIED's Slice Manager runs ABAC.)

GENI.researcher ← Alex

TIED.createSlice ← GENI.researcher

1. Sends request with cred+key.

2. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← Alex. Grants Access

Page 10: Summary: Alex creates a slice

GENI added Alex to the researcher attribute space

TIED uses GENI's credential (GENI.researcher) to authorize users to create slices

Page 11: GENI expands its attribute space

• Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

Page 12: The Players: GENI, TIED, Bob

GENI decides gradStudents are also a kind of researcher

So, GENI publishes a new fact: All gradStudents are also researchers

Page 13: The Players: GENI, TIED, Bob

Policy at TIED does not change: TIED.createSlice ← GENI.researcher

TIED is unaware of the change

Page 14: The Players: GENI, TIED, Bob

• Bob identifies himself as a gradStudent to TIED

Page 15: ABAC Enables the Players

(Diagram: TIED's Slice Manager runs ABAC; GENI holds a credential Registry.)

1. I want to create a slice?

TIED.createSlice ← GENI.researcher

GENI.gradStudent ← Bob

GENI.researcher ← GENI.gradStudent

Page 16: TIED discovers credentials

(Diagram: TIED's Slice Manager runs ABAC; GENI holds a credential Registry.)

1. I want to create a slice?

TIED.createSlice ← GENI.researcher

2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? ← GENI.gradStudent ← Bob. Need more information from GENI

Page 17: TIED discovers credentials

(Diagram: TIED's Slice Manager runs ABAC; GENI holds a credential Registry.)

1. I want to create a slice?

TIED.createSlice ← GENI.researcher

2. ABAC proof construction fails

3. Is Bob a researcher?

4. I don't know, but here are some relevant credentials: GENI.researcher ← GENI.gradStudent

5. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← GENI.gradStudent ← Bob. Grants Access

Page 18: Summary: Bob creates the slice!

• No policy impact on the resource provider

• TIED, the resource provider, learned relevant information from the external certifiers

Page 19: GENI Coordinates with the NSF

• Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

Page 20: Chloe wants to create a slice

• Chloe is an NSF NeTS FIND researcher

Page 21: The Players: NSF, GENI, TIED, Chloe

NSF makes each program initiative a principal
– FIND, CISE

NSF assigns each initiative a program attribute: NSF.program ← FIND

Each initiative defines its own attribute space, specifically researcher attributes: FIND.researcher ← Chloe

Page 22: The Players: NSF, GENI, TIED, Chloe

GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers

GENI publishes a new fact: All NSF program researchers are also GENI researchers

This is expressed as a linked credential: GENI.researcher ← NSF.program.researcher

Page 23: The Players: NSF, GENI, TIED, Chloe

• TIED has no policy changes

• Chloe identifies herself as a FIND researcher to TIED

Page 24: ABAC Enables the Access

(Diagram: TIED's Slice Manager runs ABAC; NSF is the certifier.)

FIND.researcher ← Chloe

NSF.program ← FIND

TIED.createSlice ← GENI.researcher

1. I want to create a slice?

2. ABAC proof construction fails. Proof: TIED.createSlice ← GENI.researcher ← ? ← FIND.researcher ← Chloe; NSF.program ← FIND. Need more information from GENI

Page 25: ABAC Enables the Access

(Diagram: TIED's Slice Manager runs ABAC; GENI is the certifier.)

TIED.createSlice ← GENI.researcher

1. I want to create a slice?

2. ABAC proof construction fails

3. Do you know the NSF?

4. Yes, here are some relevant credentials: GENI.researcher ← NSF.program.researcher

5. ABAC constructs proof. Proof: TIED.createSlice ← GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe. Grants Access
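The three proofs in this deck (Alex on page 9, Bob on page 17, Chloe on page 25), worked as an added example that is not part of the original slides: a minimal RT0-style prover over direct-membership, containment and linked-role credentials, which also shows Bob's and Chloe's requests failing before the missing GENI credential is discovered. The `Credential` class, the `members`/`can_create_slice` functions and the credential sets are this example's own assumptions, not any ABAC library's API.

```python
# Added example (not from the slides): a minimal RT0-style ABAC prover.
# A credential "A.r <- S" says S is in role A.r, where S is a principal,
# another role "B.r1", or a linked role "B.r1.r2". Names are illustrative.
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:
    role: str     # issuer role, e.g. "TIED.createSlice"
    subject: str  # "Alex", "GENI.researcher" or "NSF.program.researcher"

def members(role, creds, seen=frozenset()):
    """Return every principal provable for `role` from `creds`.
    `seen` holds the roles on the current search path, so a cycle such as
    A.r <- B.s, B.s <- A.r terminates instead of recursing forever."""
    if role in seen:
        return set()
    seen = seen | {role}
    found = set()
    for c in creds:
        if c.role != role:
            continue
        parts = c.subject.split(".")
        if len(parts) == 1:                  # A.r <- D: direct membership
            found.add(c.subject)
        elif len(parts) == 2:                # A.r <- B.r1: containment
            found |= members(c.subject, creds, seen)
        else:                                # A.r <- B.r1.r2: linked role
            b, r1, r2 = parts
            for x in members(f"{b}.{r1}", creds, seen):
                found |= members(f"{x}.{r2}", creds, seen)
    return found

def can_create_slice(principal, creds):
    """TIED's check: is the requester provably a member of TIED.createSlice?"""
    return principal in members("TIED.createSlice", creds)

# TIED's single local policy line; it never changes across the scenarios.
TIED_POLICY = [Credential("TIED.createSlice", "GENI.researcher")]
# Page 9: Alex presents his GENI researcher credential.
ALEX = [Credential("GENI.researcher", "Alex")]
# Pages 16-17: Bob's credential alone fails; the containment credential
# fetched from the GENI registry completes the proof.
BOB = [Credential("GENI.gradStudent", "Bob")]
GENI_REGISTRY = [Credential("GENI.researcher", "GENI.gradStudent")]
# Pages 24-25: Chloe's NSF/FIND credentials plus GENI's linked credential.
CHLOE = [Credential("FIND.researcher", "Chloe"), Credential("NSF.program", "FIND")]
GENI_LINKED = [Credential("GENI.researcher", "NSF.program.researcher")]
```

Because `members` only consults the credentials it is handed, the Bob and Chloe cases are denied until the registry or linked credential is added to the set, which is exactly the discovery step the slides show.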

Page 26: Summary

• ABAC can express complex relationships between principals
– Through principal delegation
– Through attribute-based delegation

• Local policy at the resource provider need not change

• Many entities can coordinate complex policy

• End user is insulated from policy details