Distributed Identity & Authorization Mechanisms Spiral 2 Year-end Project Review

  1. Distributed Identity & Authorization Mechanisms, Spiral 2 Year-end Project Review. SPARTA, Inc. PI: Stephen Schwab. Staff: Jay Jacobs. August 31, 2010.

  2. Project Summary
  • Development and prototyping of a set of Distributed Authorization & Identity Mechanisms for use in and among GENI control frameworks and aggregates.
  • Leverages previous seminal work in distributed authorization policy funded by DARPA under the Attribute Based Access Control (ABAC) project.
  • Attributes are published as cryptographically signed credentials by multiple parties.
  • Requestors (GENI users) provide sufficient attributes to allow an Authorizing Party (GENI control framework, aggregate, etc.) to combine the user's attributes with other locally specified or cached attributes and reach a Boolean authorization decision.
  • Overarching goal: a proof-by-demonstration of the feasibility and utility of ABAC authorization for the GENI community, plus software with integration examples that let others adopt ABAC for their own use.
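As an added illustration (not part of the review deck or of the ABAC software it describes), this Python sketch models the decision flow the slide outlines: attributes issued as signed credentials by several parties, a requestor-supplied credential combined with credentials the authorizing party holds locally, and a Boolean result. Issuer names, roles and keys are constructed for the example, and HMAC with per-issuer keys stands in for the public-key signatures real credentials would carry.

```python
import hashlib, hmac, json

# Constructed demo keys standing in for each issuer's signing key; a real verifier
# would hold the issuers' public keys instead and check asymmetric signatures.
ISSUER_KEYS = {"GPO": b"gpo-demo-key", "AggregateA": b"aggA-demo-key",
               "UnivX": b"univx-demo-key"}

def _mac(key, issuer, role, subject):
    return hmac.new(key, json.dumps([issuer, role, subject]).encode(), hashlib.sha256).hexdigest()

def sign(issuer, role, subject, key):
    """Issue 'issuer.role <- subject'; subject is a principal or another 'Issuer.role'."""
    return {"issuer": issuer, "role": role, "subject": subject,
            "sig": _mac(key, issuer, role, subject)}

def verify(cred):
    """Reject credentials from unknown issuers or whose signature does not check."""
    key = ISSUER_KEYS.get(cred["issuer"])
    return key is not None and hmac.compare_digest(
        cred["sig"], _mac(key, cred["issuer"], cred["role"], cred["subject"]))

def holds(principal, attr, creds, seen=None):
    """True if principal has attr ('Issuer.role') directly or through a delegation chain."""
    seen = set() if seen is None else seen
    if (principal, attr) in seen:            # guard against cyclic delegation
        return False
    seen.add((principal, attr))
    issuer, role = attr.split(".", 1)
    for c in creds:
        if c["issuer"] != issuer or c["role"] != role:
            continue
        if c["subject"] == principal:
            return True
        if "." in c["subject"] and holds(principal, c["subject"], creds, seen):
            return True
    return False

def authorize(principal, required, requestor_creds, local_creds):
    """Boolean decision over requestor-supplied plus locally cached credentials."""
    trusted = [c for c in requestor_creds + local_creds if verify(c)]
    return holds(principal, required, trusted)

def example_policy():
    # Constructed scenario: AggregateA admits GPO users; GPO recognises UnivX researchers.
    local = [sign("AggregateA", "access", "GPO.GENI_user", ISSUER_KEYS["AggregateA"]),
             sign("GPO", "GENI_user", "UnivX.researcher", ISSUER_KEYS["GPO"])]
    alice = [sign("UnivX", "researcher", "alice", ISSUER_KEYS["UnivX"])]
    mallory = [sign("UnivX", "researcher", "mallory", b"not-univx-key")]  # forged
    return local, alice, mallory
```

Only credentials that verify against a known issuer are fed to the chain search, so a forged researcher credential is discarded before any policy is consulted.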

  3. Milestone & QSR Status

  4. Accomplishments 1: Advancing GENI Spiral 2 Goals
  • Both interoperability and identity management are important goals for Spiral 2.
  • GENI is moving toward a cross-cluster, multiple-control-framework federation in which any resource (aggregate manager, network link, instrumentation & measurement infrastructure) should be available to any GENI researcher, regardless of which 'front door' they use to access GENI.
  • ABAC has taken a step (albeit a small one) in showing how distributed authorization can help different parts of a GENI cluster secure their APIs using attributes supplied by both the requestor and the authorizing party. In principle, these attributes can be transferred across the boundaries between GENI clusters, moving the entire system toward "Universal Access" and interoperability; that is, the ABAC services set the stage for controlled sharing of resources across GENI.
  • While ABAC does not directly support identity management, the prototyping work and the conversations surrounding it have helped to stimulate and motivate discussions of how identity providers that transcend a single control framework may be introduced within GENI.
  • In particular, we believe the Shibboleth/InCommon federated identity is only a step away from allowing authorization policies to be expressed, by any GENI entity, about individuals and groups in the InCommon universe.

  5. Accomplishments 2: Other Project Accomplishments
  • The ProtoGENI ReferenceCM is an example of an aggregate/component manager that provides the API used within ProtoGENI. By exercising its interfaces and implementation, the ABAC work helped to shake out many small X.509 certificate problems between ProtoGENI and our ABAC implementation.
  • While painful, this debugging should make it quicker and easier to avoid or resolve X.509 certificate problems when the ReferenceCM is used by others in the future.
  • Multiple languages (C/C++, Python, Perl, Java, etc.) have a place in GENI. This work involved Java-based handling of GENI credentials.

  6. Issues
  • The ProtoGENI cluster is large, and its staff are hard-pressed to integrate everything. Other clusters (control frameworks) are at similar stages, although ProtoGENI may be the most overloaded right now.
  • ABAC's original implementation was quite complex and difficult to modify for use in GENI. We have moved to a new ABAC implementation within DETER, re-written from scratch using open-source libraries.
  • We anticipate jumping to this new and improved ABAC implementation.
  • We may re-use the ABAC Web Services API or other pieces if they prove useful for integration with various control frameworks/aggregates.

  7. Plans
  • What are your plans for the remainder of Spiral 2? One last set of milestones (software update, design/interface document) remains for 9/24/2010. Given limited remaining Spiral 2 funds, we will do a minimal update to the software, ensuring that it is easy to install and run the example test cases. The design/interface document will be updated to be consistent with, or to highlight differences between, the old and new ABAC implementations.
  • The GPO is starting to formulate goals for Spiral 3. What are your thoughts regarding potential Spiral 3 work?
  • ORCA remains an important control framework cluster for prototyping.
  • Work with ORCA to integrate ABAC into their identity & authorization system.
  • E-GENI openFlow / FlowVisor / Aggregate Manager.
  • The E-GENI suite of software is reaching (or close to reaching) a stable enough point that introducing distributed authorization makes sense; we could work with E-GENI to pursue this direction.