Authorization in ORCA using ABAC
ORCA's authorization framework is based on ABAC (attribute-based access control). Please go through the introductory material and some of the example ABAC policies to get an understanding of how ABAC works, in particular the RT credential forms "A.r <- B" (B is a member of role A.r), "A.r <- B.r1" (A.r contains everything in B.r1) and "A.r <- B.r1.r2" (A.r contains C.r2 for every C in B.r1). A line written with "<?-" is not a credential but a query that the actor must prove from the credentials it holds.
This page describes the different authorities and their policies in the ORCA system.
We have the following actors as part of our implementation.
- GOC: GENI's trust root
- IdP: Identity Provider
- PA: Project Authority
- SA: Slice Authority
- AM: Aggregate Manager (Orca Service Manager)
GOC
The GOC endorses each coordinator for its specific function. All other actors trust the GOC-endorsed coordinators.
GOC.GeniIdP <- IdP
GOC.GeniPA <- PA
GOC.GeniSA <- SA
The individual actor policies are as follows.
Identity Provider
An identity provider is a trust anchor: a source of user attributes that is empowered to assert attributes without any proof. An IdP may endorse users based on information it gets from other sources, such as an InCommon registered identity provider.
IdP.GeniUser <- User1
IdP.GeniExperimenter <- User2
Project Authority
A project authority is an entity that controls creation of projects and defines the policies to access and control the created projects. A decision to approve a project is based at least in part on validated attributes of the requester.
The PA trusts a GOC endorsed IdP to issue user-role credentials.
PA.GeniPI <- GOC.GeniIdP.GeniPI
The PA requires a user to be a GENI PI, to be able to create a project.
PA.GeniPI <?- Requester
The PA's access control policy for a project allows the project's manager(s) to operate on the project. It also allows the project manager(s) to further delegate the privilege.
PA.Operate_ProjectId <- PA.PM_ProjectId
PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId
The PA issues a project manager credential, for the newly created project, to the requester.
PA.PM_ProjectId <- Requester
Slice Authority
A slice authority is an entity that controls creation of slices and defines the policies to access and control the created slices. A decision to approve a slice is based at least in part on validated attributes of the requester and the user's association with the corresponding project.
The SA trusts the GOC to issue clearinghouse coordinator credentials.
SA.GeniPA <- GOC.GeniPA
The SA trusts a GOC endorsed IdP to issue user-role credentials.
SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project whose root is a trusted project authority. Also, the requester must have the privilege, asserted by the project's root, to operate on the project.
SA.GeniExperimenter <?- Requester
SA.GeniPA <?- ProjectRoot
ProjectRoot.Operate_ProjectId <?- Requester
The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice. It also allows the project manager(s) to further delegate the privilege. The SA delegates the policy that determines the project manager(s) to the project root.
SA.Operate_SliceId <- ProjectRoot.PM_ProjectId
SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId
The SA also issues a non-delegatable credential, for operating on the slice, to the requester.
SA.Operate_SliceId <- Requester
Aggregate Manager (Orca Service Manager)
Note: With respect to authorization, the Aggregate Manager role is played by an Orca Service Manager. However, the documentation refers to the actor as OrcaAM.
The Orca AM trusts the GOC to issue clearinghouse coordinator credentials.
OrcaAM.GeniSA <- GOC.GeniSA
The Orca AM trusts a GOC endorsed IdP to issue user-role credentials.
OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. Also, the slice's root has to be a trusted slice authority and the requester must have the privilege to operate on the slice.
OrcaAM.GeniExperimenter <?- Requester
OrcaAM.GeniSA <?- SliceRoot
SliceRoot.Operate_SliceId <?- Requester
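The following is an added example, not code from the ORCA project or from this page. It is a minimal evaluator for the three RT credential forms used above, fed with the GOC, IdP, PA, SA and AM policies from this page instantiated for one project ("P1") and one slice ("S1"), and then runs the PA project-creation query, the SA slice-creation queries and the AM slice-operation queries against it. The principals Alice, Bob and Mallory, the untrusted RogueIdP and RoguePA, and the delegation "Alice.Operate_P1 <- Bob" are assumptions made for the example. A real deployment also verifies the signature on every credential; this example only models the delegation logic, so a credential in the list is taken as already validated.

```python
"""Minimal RT (ABAC) evaluator for the ORCA/GENI policies on this page.

Added example: principals, project id P1, slice id S1 and the delegation
from Alice to Bob are constructed for illustration; signatures are not
modelled, every credential listed is assumed to be already validated.
"""
from collections import defaultdict

# Credential forms (one per line, "#" starts a comment):
#   A.r <- B         simple member:   B is in A.r
#   A.r <- B.r1      containment:     everyone in B.r1 is in A.r
#   A.r <- B.r1.r2   linked role:     for every C in B.r1, everyone in C.r2 is in A.r
CREDENTIALS = """
# GOC endorses the coordinators (RogueIdP and RoguePA are deliberately absent)
GOC.GeniIdP <- IdP
GOC.GeniPA <- PA
GOC.GeniSA <- SA
# Identity providers assert user roles
IdP.GeniPI <- Alice
IdP.GeniExperimenter <- Alice
IdP.GeniExperimenter <- Bob
RogueIdP.GeniPI <- Mallory
RogueIdP.GeniExperimenter <- Mallory
# Project Authority policy for project P1 (Alice created it, so she is PM)
PA.GeniPI <- GOC.GeniIdP.GeniPI
PA.Operate_P1 <- PA.PM_P1
PA.Operate_P1 <- PA.PM_P1.Operate_P1
PA.PM_P1 <- Alice
# Assumed delegation: the project manager lets Bob operate on P1
Alice.Operate_P1 <- Bob
# Slice Authority policy for slice S1 under P1 (Bob requested it)
SA.GeniPA <- GOC.GeniPA
SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
SA.Operate_S1 <- PA.PM_P1
SA.Operate_S1 <- PA.PM_P1.Operate_S1
SA.Operate_S1 <- Bob
# Aggregate Manager policy
OrcaAM.GeniSA <- GOC.GeniSA
OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter
"""


def parse(text):
    """Turn the credential listing into (head_role, body) pairs."""
    creds = []
    for line in text.strip().splitlines():
        line = line.split("#")[0].strip()
        if not line:
            continue
        head, body = (s.strip() for s in line.split("<-"))
        creds.append((head, body))
    return creds


def members(creds):
    """Least fixpoint: map every role "A.r" to the set of principals in it."""
    mem = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for head, body in creds:
            parts = body.split(".")
            if len(parts) == 1:                      # A.r <- B
                new = {body}
            elif len(parts) == 2:                    # A.r <- B.r1
                new = set(mem[body])
            elif len(parts) == 3:                    # A.r <- B.r1.r2
                b, r1, r2 = parts
                new = set()
                for c in mem[f"{b}.{r1}"]:
                    new |= mem[f"{c}.{r2}"]
            else:
                raise ValueError(f"unsupported credential body: {body}")
            if not new <= mem[head]:
                mem[head] |= new
                changed = True
    return mem


def query(creds, role, principal):
    """Answer the proof request "role <?- principal"."""
    return principal in members(creds)[role]


# The three "<?-" checks from the page, each as one function.
def can_create_project(creds, requester):
    return query(creds, "PA.GeniPI", requester)


def can_create_slice(creds, requester, project_root, project_id):
    return (query(creds, "SA.GeniExperimenter", requester)
            and query(creds, "SA.GeniPA", project_root)
            and query(creds, f"{project_root}.Operate_{project_id}", requester))


def can_operate_slice(creds, requester, slice_root, slice_id):
    return (query(creds, "OrcaAM.GeniExperimenter", requester)
            and query(creds, "OrcaAM.GeniSA", slice_root)
            and query(creds, f"{slice_root}.Operate_{slice_id}", requester))


CREDS = parse(CREDENTIALS)

if __name__ == "__main__":
    for who in ("Alice", "Bob", "Mallory"):
        print(who, "create project:", can_create_project(CREDS, who),
              "create slice under PA/P1:", can_create_slice(CREDS, who, "PA", "P1"),
              "operate SA/S1:", can_operate_slice(CREDS, who, "SA", "S1"))
```

Bob can create S1 only because the linked role "PA.PM_P1.Operate_P1" reaches the assumed delegation "Alice.Operate_P1 <- Bob"; Mallory fails every query because RogueIdP never appears in GOC.GeniIdP, so nothing it asserts reaches the PA, SA or AM roles, and a slice request naming RoguePA as project root fails the "SA.GeniPA <?- ProjectRoot" check even for a valid experimenter.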