
Distributed Identity & Authorization Mechanisms
Spiral 2 Year-end Project Review
SPARTA, Inc.
PI: Stephen Schwab
Staff: Jay Jacobs
August 31, 2010
Sponsored by the National Science Foundation
Project Summary
• Development and prototyping of a set of Distributed Authorization & Identity Mechanisms for use in and among GENI control frameworks and aggregates.
• Leverage previous seminal work in distributed authorization policy funded by DARPA under the Attribute Based Access Control (ABAC) project.
• Attributes are published as cryptographically signed credentials by multiple parties.
• Requestors (GENI users) provide sufficient attributes to allow an Authorizing Party (GENI control framework, aggregate, etc.) to combine the user’s attributes with other locally specified or cached attributes to make a Boolean authorization decision.
• Overarching goal is to provide proof-by-demonstration of the feasibility and utility of ABAC authorization for the GENI community, and software with integration examples to allow others to adopt ABAC for their own use.
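The mechanism summarized above, as an added example that is not part of the original slides or of the project's ABAC software: a toy RT0-style authorizer in Python. The authorizing party drops any credential it cannot verify, or whose issuer is not the principal that owns the role on the left-hand side, merges the rest with its own locally cached credentials, and computes the least fixpoint of the role-membership rules; the decision is whether the requestor lands in the role the aggregate's policy requires. Principals (AM, GENI, ProtoGENI, Alice, Bob), roles and keys are constructed for the example, and HMAC-SHA256 under per-issuer keys stands in for the X.509 signatures that real ABAC credentials carry, so the block runs offline.

```python
"""Toy ABAC (RT0-style) authorizer. Added example, not the project's code:
principals, roles and keys are constructed; HMAC-SHA256 under per-issuer
keys stands in for the X.509 signatures real ABAC credentials carry."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple

# Statements use RT0 syntax. Three forms are supported:
#   "A.r <- B"        B is a member of A.r
#   "A.r <- B.s"      every member of B.s is a member of A.r
#   "A.r <- A.s.t"    for every B in A.s, every member of B.t is in A.r


@dataclass(frozen=True)
class Credential:
    issuer: str        # principal whose key signed the statement
    statement: str     # e.g. "ProtoGENI.user <- Alice"
    signature: bytes   # MAC over the statement (stand-in for an X.509 signature)


def sign(issuer: str, statement: str, key: bytes) -> Credential:
    """Publish an attribute as a signed credential (any party can do this)."""
    return Credential(issuer, statement,
                      hmac.new(key, statement.encode(), hashlib.sha256).digest())


def verify(cred: Credential, keyring: Dict[str, bytes]) -> bool:
    """Accept a credential only if (1) the signature checks under a key the
    authorizer trusts for that issuer and (2) the issuer is the principal that
    owns the role on the left-hand side. Check (2) is what stops a requestor
    from minting 'ProtoGENI.user <- Alice' under their own key."""
    key = keyring.get(cred.issuer)
    if key is None:
        return False
    expected = hmac.new(key, cred.statement.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, cred.signature):
        return False
    head = cred.statement.split(" <- ", 1)[0]
    return head.split(".", 1)[0] == cred.issuer


def parse(statement: str) -> Tuple[str, str, Tuple[str, ...]]:
    head, _, body = statement.partition(" <- ")
    principal, role = head.split(".", 1)
    return principal, role, tuple(body.split("."))


def derive_members(creds: Iterable[Credential]) -> Dict[Tuple[str, str], Set[str]]:
    """Least fixpoint of the rules: members[(A, r)] is the set of principals
    derivable as members of role A.r."""
    rules = [parse(c.statement) for c in creds]
    members: Dict[Tuple[str, str], Set[str]] = {}

    def role(p: str, r: str) -> Set[str]:
        return members.setdefault((p, r), set())

    changed = True
    while changed:
        changed = False
        for a, r, body in rules:
            before = len(role(a, r))
            if len(body) == 1:                        # A.r <- B
                role(a, r).add(body[0])
            elif len(body) == 2:                      # A.r <- B.s
                role(a, r).update(role(body[0], body[1]))
            elif len(body) == 3 and body[0] == a:     # A.r <- A.s.t
                for b in list(role(a, body[1])):
                    role(a, r).update(role(b, body[2]))
            if len(role(a, r)) != before:
                changed = True
    return members


def authorize(requestor: str, required: Tuple[str, str],
              supplied: Iterable[Credential], local: Iterable[Credential],
              keyring: Dict[str, bytes]) -> bool:
    """The authorizing party's decision: discard anything that fails
    verification, combine the rest with its own cached credentials, and ask
    whether the requestor is derivable as a member of the required role."""
    trusted = [c for c in list(supplied) + list(local) if verify(c, keyring)]
    return requestor in derive_members(trusted).get(required, set())


# --- constructed scenario (all names and keys invented) --------------------
KEYS = {"AM": b"am-key", "GENI": b"geni-key", "ProtoGENI": b"pg-key"}
# Bob's key is deliberately absent from the aggregate's keyring.

# Held locally by the aggregate manager (AM): its own policy plus a cached
# federation credential from the clearinghouse.
LOCAL = [
    sign("AM", "AM.access <- GENI.user", KEYS["AM"]),
    sign("GENI", "GENI.user <- ProtoGENI.user", KEYS["GENI"]),
]
# Alice presents the attribute her control framework issued to her.
ALICE_SUPPLIED = [sign("ProtoGENI", "ProtoGENI.user <- Alice", KEYS["ProtoGENI"])]
# Bob presents a membership statement he signed himself.
BOB_SUPPLIED = [sign("Bob", "ProtoGENI.user <- Bob", b"bob-key")]


def demo() -> Dict[str, bool]:
    return {
        "Alice": authorize("Alice", ("AM", "access"), ALICE_SUPPLIED, LOCAL, KEYS),
        "Bob": authorize("Bob", ("AM", "access"), BOB_SUPPLIED, LOCAL, KEYS),
    }


if __name__ == "__main__":
    print(demo())  # {'Alice': True, 'Bob': False}
```

Alice is admitted because the chain ProtoGENI.user -> GENI.user -> AM.access is derivable from credentials issued by three different parties, none of which is the requestor. Bob's self-signed statement about ProtoGENI's role never enters the derivation, and a statement about ProtoGENI.user signed by a trusted but different issuer (say GENI) is likewise rejected by the head-principal check in `verify`.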
Milestone & QSR Status
ID | Milestone | Status | On Time? | On Wiki? | GPO signoff?
S2a | ABAC Requirements for ProtoGENI | Requirements document describing high-level functions of ABAC and theory-of-operation, interface for ProtoGENI integration, and ABAC web services calls required to support integration. | On Time | Yes | Yes?
S2b | DIAC prototype software design and interfaces v1.0 | Document of ABAC web service interfaces, along with parameters and example calling sequences for using the service. | On Time | Yes | Yes?
S2c | V1.0 software for supporting ABAC mechanisms within ProtoGENI | Delivered software (distribution available on wiki page), as well as integration with the ProtoGENI ReferenceCM from Utah. Short demonstration presented to GPO SE at GEC. | On Time | Yes | Yes?
QSR: 4Q2009 | | Done | On Time | Yes | Yes
QSR: 1Q2010 | | Done | On Time | Yes | Yes
QSR: 2Q2010 | | Done | On Time | Yes | Yes
Accomplishments 1: Advancing GENI Spiral 2 Goals

• Both interoperability and identity management are important goals for Spiral 2.
• GENI is moving toward a cross-cluster/multiple control framework federation in which any resource (aggregate manager, network link, instrumentation & measurement infrastructure) should be available to any GENI researcher, regardless of what ‘front door’ they use to access GENI.
  – ABAC has taken a step (albeit a small one) in showing how distributed authorization may be used to assist different parts of a GENI cluster in securing their APIs by using attributes supplied by both the requestor and the authorizing party. In principle, these attributes can be transferred across the boundaries between GENI clusters, moving the entire system in the direction of “Universal Access” and interoperability; that is, the ABAC services set the stage for controlled sharing of resources across GENI.
• While ABAC does not directly support identity management, the prototyping work and the conversations surrounding it have helped to stimulate and motivate discussions of how identity providers that transcend a single control framework may be introduced within GENI.
  – In particular, we believe the Shibboleth/InCommon federated identity is only a step away from allowing authorization policies to be expressed, by any GENI entity, about individuals and groups in the InCommon universe.
Accomplishments 2: Other Project Accomplishments

• The ProtoGENI ReferenceCM is an example of an aggregate/component manager that provides the API used within ProtoGENI. By exercising its interfaces and implementation, the ABAC work helped to shake down many small problems with X.509 certificates between ProtoGENI and our ABAC implementation.
  – While painful, this debugging will hopefully make it quicker and easier to avoid or resolve X.509 certificate problems when the ReferenceCM is used by others in the future.
  – Multiple languages (C/C++, Python, Perl, Java, etc.) have a place in GENI. This work involved Java-based handling of GENI credentials.
Issues
• The ProtoGENI cluster is large, and its staff are hard-pressed to integrate everything. Other clusters (control frameworks) are at similar stages, although ProtoGENI may be the most overloaded right now.
• ABAC’s original implementation was quite complex and difficult to modify for use in GENI. We have moved to a new ABAC implementation within DETER (rewritten from scratch, as open source libraries).
  – We anticipate jumping to this new and improved ABAC implementation.
  – We may re-use the ABAC Web Services API or other pieces if they prove useful for integration with various control frameworks/aggregates.
Plans
• What are your plans for the remainder of Spiral 2?
  One last set of milestones (software update, design/interface document) remains for 9/24/2010. Given limited remaining Spiral 2 funds, we will do a minimal update to the software, ensuring that it is easy to install and run the example test cases. The design/interface document will be updated to be consistent with, or highlight differences between, the old and new ABAC implementations.
• The GPO is starting to formulate goals for Spiral 3. What are your thoughts regarding potential Spiral 3 work?
• ORCA remains an important control framework cluster for prototyping.
  – Work with ORCA to integrate ABAC into their identity & authorization system.
• E-GENI OpenFlow / FlowVisor / Aggregate Manager
  – The E-GENI suite of software is reaching (or is close to reaching) a stable enough point that introducing distributed authorization makes sense; we could work with E-GENI to pursue this direction.