Authorizing Slice Creation: How ABAC Coordinates Distributed Authorization
Alefiya Hussain, [email protected]

TIED Joins GENI

How does TIED get to know GENI users?
• Keeping local ABAC policy the same (there are many other ways too)
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

The Players

TIED, the resource owner: provides equipment and establishes high-level policies for utilization.
Alex, the researcher: received a GENI award and wants to use the substrate for experiments.

The Players

TIED, the resource owner: provides equipment and establishes high-level policies for utilization.
GENI, the coordinator/certifier: asserts attributes for these new principals.
Alex, the researcher: received a GENI award and wants to use the substrate for experiments.

The Players: GENI, TIED, Alex

GENI defines various attributes to manage groups of people. It defines groups such as researchers, gradStudents, vendors… and publishes facts about them:
Alex is a GENI researcher (GENI.researcher ← Alex)

The Players: GENI, TIED, Alex

TIED learns about GENI's facts and incorporates them into its local authorization policy. So TIED publishes a fact:
All GENI researchers can create slices on TIED (TIED.createSlice ← GENI.researcher)
Thus it delegates some resource control to GENI.

The Players: GENI, TIED, Alex

Alex learns he needs to identify himself as a researcher to create a slice.

ABAC Enables the Players

TIED Slice Manager (ABAC) – TIED local policy: if you are a GENI researcher, you can create a slice.
TIED.createSlice ← GENI.researcher
GENI welcome package: a researcher credential is sent to Alex.
GENI.researcher ← Alex
Alex: I want to create a slice?

ABAC Negotiation Grants Access

1. Alex sends the request to the TIED Slice Manager with cred+key.
2. ABAC constructs the proof.
Proof: TIED.createSlice ← GENI.researcher ← Alex
Grants access.

Summary: Alex creates a slice

• GENI added Alex to the researcher attribute space.
• TIED uses GENI's credential (GENI.researcher) to authorize users to create slices.

GENI expands its attribute space

• Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

The Players: GENI, TIED, Bob

GENI decides gradStudents are also a kind of researcher. So GENI publishes a new fact:
All gradStudents are also researchers (GENI.researcher ← GENI.gradStudent)

The Players: GENI, TIED, Bob

Policy at TIED does not change:
TIED.createSlice ← GENI.researcher
TIED is unaware of the change.

The Players: GENI, TIED, Bob

• Bob identifies himself as a gradStudent to TIED.

ABAC Enables the Players

TIED Slice Manager (ABAC) – policy: TIED.createSlice ← GENI.researcher
GENI Registry holds: GENI.researcher ← GENI.gradStudent
Bob holds: GENI.gradStudent ← Bob
1. Bob: I want to create a slice?

TIED discovers credentials

1. Bob: I want to create a slice?
2. ABAC proof construction fails.
Proof: TIED.createSlice ← GENI.researcher ← ? ← GENI.gradStudent ← Bob
Need more information from GENI.

TIED discovers credentials

1. Bob: I want to create a slice?
2. ABAC proof construction fails.
3. TIED asks the GENI Registry: Is Bob a researcher?
4. GENI Registry: I don't know, but here are some relevant credentials: GENI.researcher ← GENI.gradStudent
5. ABAC constructs the proof.
Proof: TIED.createSlice ← GENI.researcher ← GENI.gradStudent ← Bob
Grants access.

Summary: Bob creates the slice!

• No policy impact on the resource provider.
• TIED, the resource provider, learned relevant information from the external certifiers.

GENI Coordinates with the NSF

• Keeping local ABAC policy the same
– Sharing known attributes
– Discovery of partner policy changes
– Coordinating with new partners

Chloe wants to create a slice

• Chloe is an NSF NeTS FIND researcher.

The Players: NSF, GENI, TIED, Chloe

NSF makes each program initiative a principal – FIND, CISE.
NSF assigns each initiative a program attribute: NSF.program ← FIND
Each initiative defines its own attribute space, specifically researcher attributes: FIND.researcher ← Chloe

The Players: NSF, GENI, TIED, Chloe

GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers. GENI publishes a new fact:
All NSF program researchers are also GENI researchers
This is expressed as a linked credential: GENI.researcher ← NSF.program.researcher

The Players: NSF, GENI, TIED, Chloe

• TIED has no policy changes.
• Chloe identifies herself as a FIND researcher to TIED.

ABAC Enables the Access

TIED Slice Manager (ABAC) – policy: TIED.createSlice ← GENI.researcher
Chloe holds: FIND.researcher ← Chloe; NSF.program ← FIND (from NSF)
1. Chloe: I want to create a slice?
2. ABAC proof construction fails.
Proof: TIED.createSlice ← GENI.researcher ← ? ← FIND.researcher ← Chloe; NSF.program ← FIND
Need more information from GENI.

ABAC Enables the Access

1. Chloe: I want to create a slice?
2. ABAC proof construction fails.
3. TIED asks GENI: Do you know the NSF?
4. GENI: Yes, here are some relevant credentials: GENI.researcher ← NSF.program.researcher
5. ABAC constructs the proof.
Proof: TIED.createSlice ← GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe
Grants access.

Summary

• ABAC can express complex relationships between principals
– Through principal delegation
– Through attribute-based delegation
• Local policy at the resource provider need not change
• Many entities can coordinate complex policy
• End user is insulated from policy details
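The three scenarios in the deck (Alex, Bob, Chloe) are all instances of one procedure: the slice manager backward-chains from its local policy TIED.createSlice ← GENI.researcher through member, containment and linked credentials, and when the chain breaks it pulls credentials from a partner registry and retries. The Python below is an added example written for this page, not the ABAC/TIED project's own code; the credential store, the `Prover`-style functions and the registry names are constructed for illustration, and every credential is assumed to have already had its signature verified against its issuer (the deck's "cred+key") before it enters the store.

```python
"""RT0-style ABAC proof construction, as used for GENI/TIED slice authorization.

Credential forms (A, B are principals; r, r1, r2 are attribute names):
  A.r <- D        simple member:      principal D holds A.r
  A.r <- B.r1     containment:        anyone holding B.r1 holds A.r
  A.r <- B.r1.r2  linked credential:  anyone holding X.r2, for any X holding B.r1, holds A.r
Constructed example; not the project's own code.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple, Union


@dataclass(frozen=True)
class Attr:
    """An attribute such as GENI.researcher: the issuer is part of the name, so a
    principal cannot mint someone else's attribute by self-assertion."""
    issuer: str
    name: str

    def __str__(self) -> str:
        return f"{self.issuer}.{self.name}"


Body = Union[str, Attr, Tuple[Attr, str]]  # principal | attribute | (attribute, linked name)


@dataclass(frozen=True)
class Credential:
    """`head <- body`; assumed already signature-checked against head.issuer."""
    head: Attr
    body: Body

    def __str__(self) -> str:
        b = self.body
        return f"{self.head} <- {b[0]}.{b[1]}" if isinstance(b, tuple) else f"{self.head} <- {b}"


def member(head: Attr, principal: str) -> Credential:
    return Credential(head, principal)


def contains(head: Attr, body: Attr) -> Credential:
    return Credential(head, body)


def linked(head: Attr, first: Attr, second: str) -> Credential:
    return Credential(head, (first, second))


def all_members(creds: List[Credential]) -> Dict[Attr, Set[str]]:
    """Least fixpoint of 'attribute -> principals' over creds (cycle-safe by construction)."""
    holds: Dict[Attr, Set[str]] = {}
    changed = True
    while changed:
        changed = False
        for c in creds:
            before = len(holds.get(c.head, ()))
            target = holds.setdefault(c.head, set())
            if isinstance(c.body, str):
                target.add(c.body)
            elif isinstance(c.body, Attr):
                target.update(holds.get(c.body, set()))
            else:
                first, second = c.body
                for x in holds.get(first, set()):
                    target.update(holds.get(Attr(x, second), set()))
            changed = changed or len(target) != before
    return holds


def prove(goal: Attr, principal: str, creds: List[Credential],
          holds: Optional[Dict[Attr, Set[str]]] = None,
          stack: frozenset = frozenset()) -> Optional[List[Credential]]:
    """Backward-chain a proof that `principal` holds `goal`; returns the credential chain
    in the order the deck prints it, or None when the chain cannot be closed."""
    holds = all_members(creds) if holds is None else holds
    if (goal, principal) in stack or principal not in holds.get(goal, set()):
        return None
    stack = stack | {(goal, principal)}
    for c in creds:
        if c.head != goal:
            continue
        if isinstance(c.body, str):
            if c.body == principal:
                return [c]
        elif isinstance(c.body, Attr):
            sub = prove(c.body, principal, creds, holds, stack)
            if sub is not None:
                return [c] + sub
        else:  # linked: find an X with first, then show principal holds X.second
            first, second = c.body
            for x in sorted(holds.get(first, set())):
                via = prove(first, x, creds, holds, stack)
                sub = prove(Attr(x, second), principal, creds, holds, stack)
                if via is not None and sub is not None:
                    return [c] + via + sub
    return None


def authorize(goal: Attr, principal: str, local: List[Credential], presented: List[Credential],
              registries: Dict[str, List[Credential]]) -> Tuple[Optional[List[Credential]], List[str]]:
    """Slice-manager flow: local policy + presented creds first; on failure, consult partner
    registries one at a time (the deck's steps 3-4) and retry. Returns (proof, registries asked)."""
    creds, consulted = list(local) + list(presented), []
    proof = prove(goal, principal, creds)
    for name, published in registries.items():
        if proof is not None:
            break
        consulted.append(name)
        creds = creds + published
        proof = prove(goal, principal, creds)
    return proof, consulted


# Constructed stores mirroring the deck: TIED's unchanging policy and GENI's published facts.
TIED_POLICY = [contains(Attr("TIED", "createSlice"), Attr("GENI", "researcher"))]
REGISTRIES = {"GENI": [contains(Attr("GENI", "researcher"), Attr("GENI", "gradStudent")),
                       linked(Attr("GENI", "researcher"), Attr("NSF", "program"), "researcher")]}


def scenario(principal: str, presented: List[Credential]):
    return authorize(Attr("TIED", "createSlice"), principal, TIED_POLICY, presented, REGISTRIES)


if __name__ == "__main__":
    cases = {
        "Alex": [member(Attr("GENI", "researcher"), "Alex")],
        "Bob": [member(Attr("GENI", "gradStudent"), "Bob")],
        "Chloe": [member(Attr("FIND", "researcher"), "Chloe"), member(Attr("NSF", "program"), "FIND")],
        "Mallory": [member(Attr("GENI", "vendor"), "Mallory")],
    }
    for who, creds in cases.items():
        proof, asked = scenario(who, creds)
        print(who, "asked", asked or "nobody", "->", " ; ".join(map(str, proof)) if proof else "DENIED")
```

Alex is authorized from local state alone; Bob and Chloe each trigger one round of credential discovery against GENI, and Chloe's proof closes only because the linked credential lets the prover pick FIND as the NSF program principal. Mallory, holding only GENI.vendor, is denied even after discovery, and a self-issued Mallory.researcher credential never matches the policy head because the issuer is part of the attribute name.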