Changes between Version 2 and Version 3 of AbacPolicy

Timestamp: 05/09/12 16:14:00 (7 years ago)
Author: prateek (IP: 152.3.68.8)
Comment: --
  • AbacPolicy

    v2 v3  
     1= Authorization in ORCA using ABAC = 
     2 
     3ORCA's authorization framework is based on [http://abac.deterlab.net/ ABAC]. Please go through the [http://groups.geni.net/geni/wiki/TIEDABACModel introductory material] and some of the [http://groups.geni.net/geni/wiki/TIEDABACDemo examples of ABAC policies] to get an understanding of how ABAC works. 
     4 
     5This page talks about the different authorities and their policies in case of the ORCA system. 
     6 
    17We have the following actors as part of our implementation. 
    28 * GOC: GENI's trust root 
     
    410 * PA: Project Authority 
    511 * SA: Slice Authority 
    6  * Orca: Orca Aggregate Manager 
    7  * DrD: PI named Dr. D 
    8  * TTGuy: Experimenter named Test Tube Guy 
     12 * Orca AM: Orca Aggregate Manager 
    913 
    1014The individual actor policies are as follows. 
    1115 
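Review bot: the added introduction (new lines 1-6) points readers at the external ABAC material but never defines the three placeholder principals every policy section below depends on, and the removed example users (DrD, TTGuy) were the only concrete stand-ins for them; add a line after the actor list stating that Requester is the principal presenting credentials on a request, ProjectRoot is the PA that created the project in question, and SliceRoot is the SA that created the slice, all bound when a query is evaluated, and that `<-` lines are credentials or local policy while `<?-` lines are queries the authority must prove at request time. The rules also rely on a GOC-endorsed identity provider (`GOC.GeniIdP`), so the actor list should carry an IdP entry next to GOC, PA and SA; the entry between GOC and PA is empty as rendered.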
    1216===  Project Authority === 
    13 The PA trusts a GOC endorsed IdP to issue user-role credentials.[[BR]] 
    14 PA.GeniPI <- GOC.GeniIdP.GeniPI[[BR]] 
    15 [[BR]] 
    16 The PA requires a user to be a GENI PI, to be able to create a project.[[BR]] 
     17The PA trusts a GOC endorsed IdP to issue user-role credentials. 
     18{{{ 
     19PA.GeniPI <- GOC.GeniIdP.GeniPI 
     20}}} 
     21The PA requires a user to be a GENI PI, to be able to create a project. 
     22{{{ 
    1723PA.GeniPI <?- Requester 
    18  
    19 The PA's access control policy for a project allows the project's manager(s) to operate on the project. It also allows the project manager(s) to further delegate the privilege.[[BR]] 
    20 PA.Operate_ProjectId <- PA.PM_ProjectId[[BR]] 
    21 PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId[[BR]] 
    22 [[BR]] 
    23 The PA issues a project manager credential, for the newly created project, to the requester.[[BR]] 
    24 PA.PM_ProjectId <- Requester[[BR]] 
     24}}} 
     25The PA's access control policy for a project allows the project's manager(s) to operate on the project. It also allows the project manager(s) to further delegate the privilege. 
     26{{{ 
     27PA.Operate_ProjectId <- PA.PM_ProjectId 
     28PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId 
     29}}} 
     30The PA issues a project manager credential, for the newly created project, to the requester. 
     31{{{ 
     32PA.PM_ProjectId <- Requester 
     33}}} 
    2534 
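Review bot: `PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId` (new line 28) lets any project manager hand Operate_ProjectId to an arbitrary principal, and nothing in the PA section requires that delegatee to hold GeniPI or any other IdP-issued role; the `PA.GeniPI <?- Requester` check runs only when the project is created. If that open delegation is intended, say so, because the SA later relies on `ProjectRoot.Operate_ProjectId` to decide who may create slices; if not, bound it, for example by also requiring the delegatee to hold a GeniPI or GeniExperimenter role. Two smaller points worth stating: `PA.PM_ProjectId <- Requester` is issued only after the creation query succeeds, and the PM role itself is not delegatable (there is no `PA.PM_ProjectId <- PA.PM_ProjectId.PM_ProjectId`), so only the original requester can appoint further operators.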
    2635=== Slice Authority === 
    27 The SA trusts the GOC to issue clearinghouse coordinator credentials.[[BR]] 
    28 SA.GeniPA <- GOC.GeniPA[[BR]] 
    29 [[BR]] 
    30 The SA trusts a GOC endorsed IdP to issuer user-role credentials.[[BR]] 
    31 SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter[[BR]] 
    32 [[BR]] 
    33 The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project that's root is a trusted project authority. Also, the requester must have the privilege, asserted by the project’s root, to operate on the project.[[BR]] 
    34 SA.GeniExperimenter <?- Requester[[BR]] 
    35 SA.GeniPA <?- ProjectRoot[[BR]] 
    36 ProjectRoot.Operate_ProjectId <?- Requester[[BR]] 
    37 [[BR]] 
    38 The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice. It also allows the project manager(s) to further delegate the privilege. The SA delegates the policy to determine the project manager(s), to the project root.[[BR]] 
    39 SA.Operate_SliceId <- ProjectRoot.PM_ProjectId[[BR]] 
    40 SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId[[BR]] 
    41 [[BR]] 
    42 The SA also issues a non-delegatable credential, for operating on the slice, to the requester.[[BR]] 
     36The SA trusts the GOC to issue clearinghouse coordinator credentials. 
     37{{{ 
     38SA.GeniPA <- GOC.GeniPA 
     39}}} 
     40The SA trusts a GOC endorsed IdP to issuer user-role credentials. 
     41{{{ 
     42SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter 
     43}}} 
     44The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project that's root is a trusted project authority. Also, the requester must have the privilege, asserted by the project’s root, to operate on the project. 
     45{{{ 
     46SA.GeniExperimenter <?- Requester 
     47SA.GeniPA <?- ProjectRoot 
     48ProjectRoot.Operate_ProjectId <?- Requester 
     49}}} 
     50The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice. It also allows the project manager(s) to further delegate the privilege. The SA delegates the policy to determine the project manager(s), to the project root. 
     51{{{ 
     52SA.Operate_SliceId <- ProjectRoot.PM_ProjectId 
     53SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId 
     54}}} 
     55The SA also issues a non-delegatable credential, for operating on the slice, to the requester. 
     56{{{ 
    4357SA.Operate_SliceId <- Requester 
     58}}} 
    4459 
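Review bot: the prose at new line 36 says the SA trusts the GOC to issue "clearinghouse coordinator credentials", but the rule it introduces, `SA.GeniPA <- GOC.GeniPA`, is the SA accepting the GOC's endorsement of project authorities; reword it to "trusts the GOC to endorse project authorities" so the text matches the rule. New line 40 still carries the v2 typo "issuer user-role" (should be "issue"), and new line 44 "a project that's root is" should read "a project whose root is". On the checks themselves (new lines 46-48): proving `ProjectRoot.Operate_ProjectId <?- Requester` needs the PA's own policy statements plus any PM delegation credentials in the SA's evaluation context, and `SA.GeniPA <?- ProjectRoot` needs the GOC's endorsement of that PA; the page should say whether the requester must present these with the request or the SA fetches them, because a missing credential fails closed here and that is the behaviour operators will end up debugging.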
    4560=== Aggregate Manager === 
    46 The Orca AM trusts the GOC to issue clearinghouse coordinator credentials.[[BR]] 
    47 OrcaAM.GeniSA <- GOC.GeniSA[[BR]] 
    48 [[BR]] 
    49 The Orca AM trusts a GOC endorsed IdP to issue user-role credentials.[[BR]] 
    50 OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter[[BR]] 
    51  
    52 The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. Also, the slice's root has to be a trusted slice authority and the requester must have the privilege to operate on the slice.[[BR]] 
    53 OrcaAM.GeniExperimenter <?- Requester[[BR]] 
    54 OrcaAM.GeniSA <?- SliceRoot[[BR]] 
    55 SliceRoot.Operate_SliceId <?- Requester[[BR]] 
    56  
     61The Orca AM trusts the GOC to issue clearinghouse coordinator credentials. 
     62{{{ 
     63OrcaAM.GeniSA <- GOC.GeniSA 
     64}}} 
     65The Orca AM trusts a GOC endorsed IdP to issue user-role credentials. 
     66{{{ 
     67OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter 
     68}}} 
     69The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. Also, the slice's root has to be a trusted slice authority and the requester must have the privilege to operate on the slice. 
     70{{{ 
     71OrcaAM.GeniExperimenter <?- Requester 
     72OrcaAM.GeniSA <?- SliceRoot 
     73SliceRoot.Operate_SliceId <?- Requester 
     74}}}
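Review bot: the AM section (new lines 69-73) should state the trust decision it makes: the AM never checks the project or the PA; it accepts `SliceRoot.Operate_SliceId <?- Requester` on the strength of `OrcaAM.GeniSA <- GOC.GeniSA`, so any GOC-endorsed slice authority can grant slice access to whoever its chain reaches, including a principal a project manager delegated to via `ProjectRoot.PM_ProjectId.Operate_SliceId`. The only AM-side constraint on such a delegatee is `OrcaAM.GeniExperimenter <?- Requester`, which requires an IdP-issued experimenter credential, and that deserves an explicit sentence since it is the one place the AM limits what a delegation chain can reach. As in the SA section, "clearinghouse coordinator credentials" at new line 61 should read "endorsement of slice authorities" to match `OrcaAM.GeniSA <- GOC.GeniSA`.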