Sponsored by the National Science Foundation
GEC17: Developer Working Session
July 22, 2013
1600-1730
Speaks-for Credentials in GENI Tools, Services and Aggregates
Introduction
• The goal of this discussion is to review the role of and plans for “Speaks-For” in GENI
– What is Speaks-for? Why do we need it?
– What do we have to do to make it happen?
– When can we and should we have the capability ready?
Outline
• Credential Generation - Gary Wong, Utah/Flux
• ABAC and Speaks-For Credentials – Steve Schwab and Ted Faber, ISI
• Proof of Concept – Marshall Brinn, GPO
• Discussion and Forward Plan - All
The need for Speaks-For
• GENI experimenters use different APIs to speak to different services
– The AM API to speak to aggregates to manage resources
– The different CH/SA/MA APIs to talk to authorities to manage credentials
• [Hopefully to be unified in coming months]
The need for Speaks-for [2]
• Since these APIs are based on secure SSL connections, the “speaker” (the one sending/receiving API traffic) needs a certificate and private key.
• If a tool has access to the experimenter’s cert and key, it is effectively “speaking as” the experimenter
– There is no way for the service on the other side to know the difference between the tool and the user
But, in fact, people don’t speak these APIs directly: tools speak them on their behalf
The need for Speaks-for [3]
• This has two problems:
– Accountability: We want to be able to log that a given transaction was done by/for a given experimenter by a given tool
– Privacy: We don’t want to require that an experimenter provide his/her private key to a tool, in violation of security/privacy best practices. (*)
The solution is to enable the tool to “speak as” itself with its own cert and key, and “speak for” the experimenter when invoking GENI APIs
(*) We distinguish between local and hosted tools. A tool on your desktop (e.g. omni) does not require uploading a private key and should be acceptable to “speak as” the experimenter.
Speaks-as: Essential Flow
[Diagram: Experimenter -> Tool -> Service (AM, SA)]
1) Experimenter uploads cert and private key to tool
2) Tool working with or on behalf of user speaks to service with experimenter’s cert and key
Speaks-for: Essential Flow
[Diagram: Experimenter -> Tool -> Service (AM, SA)]
1) Experimenter creates and signs (with their private key) a “Speaks For” Credential indicating that a given tool is allowed to speak for the experimenter (in some context).
2) Tool working with or on behalf of user speaks to service with its own cert and key, but passes:
– The speaks-for credential
– The public cert of the experimenter being spoken for
– A “speaks-for=experimenterURN” option on API call
Yes, but…
• How does an experimenter generate this “speaks-for” credential?
• What does it look like? What scope does it have?
• What changes do AM and CH/SA API calls need to make to support speaks-for?
SPEAKS-FOR CREDENTIAL GENERATOR
Gary Wong, Utah/Flux
SPEAKS-FOR CREDENTIAL DETAILS
Steve Schwab/Ted Faber, ISI
SPEAKS-FOR PROOF OF CONCEPT
Marshall Brinn, GPO
ABAC/Speaks-For in GCF
Overview
• I’ve been working to implement an end-to-end ABAC-based speaks-for solution
– Based on the GCF baseline:
• Tool = omni
• SA = gcf-ch
• AM = gcf-am
– Using the ISI libabac
• I’ve got things working but
– Only for create_slice in GCF-CH
– Only for create_sliver in AM V2
I’d like to go over what I’ve done to review what I think needs to be done, if it sounds reasonable, how it could be done better, how it could be applied more generally.
What do I mean by “working”?
• If omni asks for a slice or sliver AS mbrinn
– Works fine
• If omni asks for a slice or sliver AS omni but passing speaks_for=<mbrinn_urn> and omni_speaks_for_mbrinn credential and mbrinn cert
– Works fine
• If omni asks for a slice or sliver AS omni
– Exception “Only users or tools speaking for users allowed to invoke SA/AM calls”
• If omni asks for a slice or sliver AS omni but passes speaks_for=<alice_urn> and omni_speaks_for_mbrinn credential
– Exception “Speaks-for credential doesn't match speaks-for user”
Steps
• Install ABAC (and add to PYTHONPATH)
    $ wget http://abac.deterlab.net/src/abac-0.1.4.tar.gz
    $ tar xvfz abac-0.1.4.tar.gz; cd abac-0.1.4
    $ ./configure
    $ make
    $ sudo make install
    $ export PYTHONPATH=abac-0.1.4/swig/python:$PYTHONPATH
• Edit gen-certs.py and cert-util.py to create tool certs/urns
• Create OMNI Tool Cert/Keys
    ./gen-certs.py --notAll --tool --directory /tmp --username omni
• Generate speaks-for credential
    python ABACManager.py --config abac.conf --credential "ME.speaks_for(ME)<-T" --outfile omni_speaks_for_mbrinn.xml
  abac.conf:
    [Principals]
    ME=/home/mbrinn/.gcf/mbrinn-cert.pem
    T=/home/mbrinn/speaksfor/omni-cert.pem
    [Keys]
    ME = /home/mbrinn/.gcf/mbrinn-key.pem
Steps [2]
• Edit omni_config
    # For speaks-for testing
    speaks_for=/home/mbrinn/speaksfor/omni_speaks_for_mbrinn.xml
    speaking_for=/home/mbrinn/.gcf/mbrinn-cert.pem
    #speaking_for=/home/mbrinn/.gcf/alice-cert.pem
    cert=/home/mbrinn/.gcf/omni-cert.pem
    key=/home/mbrinn/.gcf/omni-key.pem
• Edit omni (client) side to
– pass speaks-for credential and speaking-for option
• src/omnilib/frameworks/framework_gcf.py [CH Client]
• src/omnilib/am_handler.py [AM Client]
• Edit gcf (server) side to
– handle speaks-for credential and speaking-for option
– authorize tool to speak for intended user
• src/geni/ch.py [CH Server]
• src/geni/am/am2.py [AM Server]
Mods to: am2.CreateSliver [GCF Aggregate]
• Look at ‘options’ for a ‘speaks-for’ entry. If found:
– Load ABAC Context with these principals:
• T = the caller (grab cert from SSL connection)
• S = the requester (grab cert from credentials argument with subject matching URN in speaks-for option)
– If not found, raise Exception (“NO credential found for speaks-for user”)
• ME = the AM’s own cert and key
– Load ABAC Context with this statement
• ME.speaks_for(S)<-S.speaks_for(S)
– Load ABAC Context with any ABAC credentials in ‘credentials’ argument
• Hopefully one is a statement that S.speaks_for(S)<-T
– Ask ABAC to validate
• ME.speaks_for(S)<-T
– If not, raise Exception (“Tool cannot speak for Principal”)
– Otherwise continue with existing authZ and CreateSlice logic.
• Replacing cert of ‘speaker’ from SSL connection with ‘requester’ cert from credentials
Mods to: ch.CreateSlice [GCF CH/SA]
• Need to add credentials/options arguments to match AM signature
• Same logic as previous
– Substituting ME = SA’s cert and key
In general, the preceding logic should be what is needed for any CH/AM call.
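The check just described for am2.CreateSliver and ch.CreateSlice, worked through as an added example in plain Python. This is not code from GCF, omni or libabac: certificates are stood in for by constructed dicts, libabac by a small RT0 chain prover (a fixpoint over role memberships), and the function names, sample URNs and cert bytes are all assumptions made here. It reproduces the four outcomes listed under “What do I mean by working?”, including the two exception paths.

```python
# Added example, not GCF/omni/libabac code: in-memory model of the AM/CH speaks-for check.
import hashlib


class SpeaksForError(Exception):
    pass


def principal_id(cert):
    """Stand-in for libabac's principal identifier: SHA-1 over the constructed cert text."""
    return hashlib.sha1(cert["pem"].encode()).hexdigest()


def parse_rt0(stmt):
    """'A.role<-B' or 'A.role<-B.role2' -> (A, role, (B, role2 or None))."""
    head, body = stmt.split("<-")
    hp, hr = head.split(".", 1)
    bp, br = body.split(".", 1) if "." in body else (body, None)
    return hp, hr, (bp, br)


def role_members(statements):
    """Fixpoint over RT0 statements: (principal, role) -> set of principals holding the role."""
    mem = {}
    changed = True
    while changed:
        changed = False
        for hp, hr, (bp, br) in statements:
            new = {bp} if br is None else mem.get((bp, br), set())
            cur = mem.setdefault((hp, hr), set())
            if not new <= cur:
                cur.update(new)
                changed = True
    return mem


def issue_speaks_for(user_cert, tool_cert):
    """What the experimenter signs: S.speaks_for(S)<-T, principals by id (signature omitted here)."""
    s, t = principal_id(user_cert), principal_id(tool_cert)
    return {"type": "abac", "issuer": s, "statement": f"{s}.speaks_for({s})<-{t}"}


def determine_speaker(caller_cert, credentials, options, my_cert):
    """Return the cert to treat as the 'speaker' for authZ, following the slide's steps."""
    if "speaks-for" not in options:
        if caller_cert["kind"] != "user":
            raise SpeaksForError("Only users or tools speaking for users allowed to invoke SA/AM calls")
        return caller_cert
    # S = requester: the cert in 'credentials' whose subject URN matches the option
    requester = next((c["cert"] for c in credentials
                      if c["type"] == "cert" and c["cert"]["urn"] == options["speaks-for"]), None)
    if requester is None:
        raise SpeaksForError("NO credential found for speaks-for user")
    me, t, s = principal_id(my_cert), principal_id(caller_cert), principal_id(requester)
    abac_creds = [c for c in credentials if c["type"] == "abac"]
    if not any(c["issuer"] == s for c in abac_creds):
        raise SpeaksForError("Speaks-for credential doesn't match speaks-for user")
    # ME.speaks_for(S)<-S.speaks_for(S): the service lets S decide who may speak for S
    statements = [parse_rt0(f"{me}.speaks_for({s})<-{s}.speaks_for({s})")]
    statements += [parse_rt0(c["statement"]) for c in abac_creds]
    # Query: does ME.speaks_for(S)<-T follow from the loaded statements?
    if t not in role_members(statements).get((me, f"speaks_for({s})"), set()):
        raise SpeaksForError("Tool cannot speak for Principal")
    return requester  # existing authZ then runs against the user's cert, not the tool's


# Constructed sample principals; URNs and cert bytes are placeholders, not values from the deck
AM = {"kind": "service", "urn": "urn:publicid:IDN+example+authority+am", "pem": "am-cert-bytes"}
MBRINN = {"kind": "user", "urn": "urn:publicid:IDN+example+user+mbrinn", "pem": "mbrinn-cert-bytes"}
ALICE = {"kind": "user", "urn": "urn:publicid:IDN+example+user+alice", "pem": "alice-cert-bytes"}
OMNI = {"kind": "tool", "urn": "urn:publicid:IDN+example+tool+omni", "pem": "omni-cert-bytes"}
OMNI_FOR_MBRINN = issue_speaks_for(MBRINN, OMNI)


def outcome(caller, credentials, options, service=AM):
    """One call, summarised as 'speaker=<urn>' or 'error: <message>'."""
    try:
        return "speaker=" + determine_speaker(caller, credentials, options, service)["urn"]
    except SpeaksForError as e:
        return "error: " + str(e)


def scenarios():
    """The four cases from the 'What do I mean by working?' slide."""
    return {
        "as mbrinn": outcome(MBRINN, [], {}),
        "as omni, speaks-for mbrinn": outcome(
            OMNI, [{"type": "cert", "cert": MBRINN}, OMNI_FOR_MBRINN], {"speaks-for": MBRINN["urn"]}),
        "as omni, no speaks-for": outcome(OMNI, [], {}),
        "as omni, speaks-for alice with mbrinn credential": outcome(
            OMNI, [{"type": "cert", "cert": ALICE}, OMNI_FOR_MBRINN], {"speaks-for": ALICE["urn"]}),
    }


if __name__ == "__main__":
    for label, result in scenarios().items():
        print(f"{label:50} -> {result}")
```

The issuer check before the ABAC query is what produces the “credential doesn't match” exception from the fourth case: a credential signed by mbrinn can never satisfy a query about alice, so the mismatch is reported before any proof is attempted. The real implementation also verifies the credential signature and certificate chains, which this model leaves out.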
Mods to Omni
• framework_gcf.get_slice_cred [GCF SA/CH client]
– Add credentials, options to SA call
– Add {‘speaks-for’ : user-urn} to options
– Add user credential and speaks-for-credential to credentials
• amhandler.create_sliver [GCF AM client]
– Same
Helper modules in GCF src/abac
• ABACManager.py: Provides wrapper class around libabac to:
– Define principals by certs/keys and associate with names
– Ingest assertions, credentials in ‘raw’ and ‘natural’ ABAC-style
• Translating RT1_lite to RT0 hash labels
• E.g. S.speaks_for(S)<-T =>
  173e01944a6546b10353370d6e380c946a4ec9bd.speaks_for_173e01944a6546b10353370d6e380c946a4ec9bd<-eb56b6301bcd0aaf93c36b400b9fdff544ce5000
– Load fixed policies and instantiate policy templates
– Handle queries, generate credentials
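The RT1_lite to RT0 translation shown above, as an added example rather than ABACManager.py’s own code. It uses the principal names from the deck’s abac.conf (ME, T); the cert bytes are placeholders and SHA-1 over them stands in for the key hash libabac derives from a principal’s certificate, so the hex labels differ from the ones on the slide. The role_<hash> mangling of the parameter follows the slide’s example label; the reverse mapping is included so the labels can be read back as names when debugging a credential.

```python
# Added example, not ABACManager.py: RT1_lite <-> RT0 hash-label translation.
import hashlib
import re

# Constructed principal table in the shape of abac.conf's [Principals] section;
# the values are placeholder cert bytes, not real certificates.
PRINCIPALS = {
    "ME": "mbrinn-cert-bytes",
    "T": "omni-cert-bytes",
}

# RT1_lite term: principal, principal.role, or principal.role(param)
TERM_RE = re.compile(r"^(\w+)(?:\.(\w+)(?:\((\w+)\))?)?$")
# RT0 term: <hash>, <hash>.role, or <hash>.role_<hash>
RT0_RE = re.compile(r"^([0-9a-f]{40})(?:\.(\w+?)(?:_([0-9a-f]{40}))?)?$")


def principal_hash(name, principals):
    """Stand-in for libabac's principal id (SHA-1 of the key); here SHA-1 of placeholder bytes."""
    return hashlib.sha1(principals[name].encode()).hexdigest()


def term_to_rt0(term, principals):
    """'ME.speaks_for(ME)' -> '<hash>.speaks_for_<hash>'; bare 'T' -> '<hash>'."""
    m = TERM_RE.match(term.strip())
    if not m or m.group(1) not in principals:
        raise ValueError(f"not an RT1_lite term over known principals: {term!r}")
    p, role, param = m.groups()
    out = principal_hash(p, principals)
    if role:
        out += "." + role
        if param:
            # RT1_lite parameter folded into the RT0 role name: role(P) -> role_<hash(P)>
            out += "_" + principal_hash(param, principals)
    return out


def rt1_lite_to_rt0(stmt, principals=PRINCIPALS):
    """Translate 'head<-body', where body is a principal or a principal.role."""
    head, body = stmt.split("<-", 1)
    return f"{term_to_rt0(head, principals)}<-{term_to_rt0(body, principals)}"


def rt0_to_rt1_lite(stmt, principals=PRINCIPALS):
    """Reverse mapping: hashes back to names, and role_<hash> back to role(name)."""
    names = {principal_hash(n, principals): n for n in principals}

    def undo(term):
        m = RT0_RE.match(term.strip())
        if not m or m.group(1) not in names:
            raise ValueError(f"unknown principal in RT0 term: {term!r}")
        p, role, param = m.groups()
        out = names[p]
        if role:
            out += "." + role + (f"({names[param]})" if param else "")
        return out

    head, body = stmt.split("<-", 1)
    return f"{undo(head)}<-{undo(body)}"


if __name__ == "__main__":
    rt0 = rt1_lite_to_rt0("ME.speaks_for(ME)<-T")
    print(rt0)
    print(rt0_to_rt1_lite(rt0))
```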
• speaksfor_util.py: Helper methods to help server-side processing of speaks-for credentials/options
    def get_speaking_for(config):
    def get_speaks_for(config):
    def determine_speaker_cert(options, creds, config, default_cert):
    def authorize_caller(caller_cert, config):
DISCUSSION