Version 4 (modified by prateek, 7 years ago)


Authorization in ORCA using ABAC

ORCA's authorization framework is based on ABAC. Please go through the introductory material and some of the examples of ABAC policies to get an understanding of how ABAC works.

This page talks about the different authorities and their policies in case of the ORCA system.

We have the following actors as part of our implementation.

  • GOC: GENI's trust root
  • IdP: Identity Provider
  • PA: Project Authority
  • SA: Slice Authority
  • Orca AM: Orca Aggregate Manager

GOC

GOC endorses all the coordinators according to their specific functionalities. All the other actors trust the GOC-endorsed coordinators.

GOC.GeniIdP <- IdP
GOC.GeniPA <- PA
GOC.GeniSA <- SA

The individual actor policies are as follows.

Identity Provider

An identity provider is a trust anchor, a source of user attributes that is empowered to assert attributes without any proof. An IdP may endorse users based on information that it gets from other sources, such as an InCommon-registered identity provider.

IdP.GeniUser <- User1
IdP.GeniExperimenter <- User2

Project Authority

A project authority is an entity that controls creation of projects and defines the policies to access and control the created projects. A decision to approve a project is based at least in part on validated attributes of the requester.

The PA trusts a GOC endorsed IdP to issue user-role credentials.

PA.GeniPI <- GOC.GeniIdP.GeniPI

The PA requires a user to be a GENI PI in order to create a project.

PA.GeniPI <?- Requester

The PA's access control policy for a project allows the project's manager(s) to operate on the project. It also allows the project manager(s) to further delegate the privilege.

PA.Operate_ProjectId <- PA.PM_ProjectId
PA.Operate_ProjectId <- PA.PM_ProjectId.Operate_ProjectId

The PA issues a project manager credential, for the newly created project, to the requester.

PA.PM_ProjectId <- Requester

Slice Authority

A slice authority is an entity that controls creation of slices and defines the policies to access and control the created slices. A decision to approve a slice is based at least in part on validated attributes of the requester and the user's association with the corresponding project.

The SA trusts the GOC to issue clearinghouse coordinator credentials.

SA.GeniPA <- GOC.GeniPA

The SA trusts a GOC endorsed IdP to issue user-role credentials.

SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter

The SA requires a user to be a trusted GENI experimenter in order to create a slice. A slice can only be created under a project whose root is a trusted project authority. Also, the requester must have the privilege, asserted by the project's root, to operate on the project.

SA.GeniExperimenter <?- Requester
SA.GeniPA <?- ProjectRoot
ProjectRoot.Operate_ProjectId <?- Requester

The SA's access control policy for a slice allows a project manager of the associated project to operate on the slice. It also allows the project manager(s) to further delegate the privilege. The SA delegates the policy to determine the project manager(s), to the project root.

SA.Operate_SliceId <- ProjectRoot.PM_ProjectId
SA.Operate_SliceId <- ProjectRoot.PM_ProjectId.Operate_SliceId

The SA also issues a non-delegatable credential, for operating on the slice, to the requester.

SA.Operate_SliceId <- Requester
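To show how the SA's three slice-creation queries above resolve against the GOC, IdP and PA credentials on this page, here is a small RT0 evaluator. It is an added example, not ORCA or libabac code; the users Alice, Bob and Mallory, the unendorsed authority EvilPA and the project id P1 are constructed stand-ins for Requester and ProjectId.

```python
# Minimal RT0 evaluator for the ORCA/GENI credentials above (added example, not ORCA/libabac
# code). Alice, Bob, Mallory, EvilPA and project id P1 are constructed stand-ins.
CREDENTIALS = [
    "GOC.GeniIdP <- IdP", "GOC.GeniPA <- PA", "GOC.GeniSA <- SA",       # GOC trust root
    "IdP.GeniPI <- Alice", "IdP.GeniExperimenter <- Alice",              # IdP user roles
    "IdP.GeniExperimenter <- Bob", "IdP.GeniExperimenter <- Mallory",
    "PA.GeniPI <- GOC.GeniIdP.GeniPI",                                   # PA policy for P1
    "PA.Operate_P1 <- PA.PM_P1", "PA.Operate_P1 <- PA.PM_P1.Operate_P1",
    "PA.PM_P1 <- Alice",                                                 # PM credential
    "Alice.Operate_P1 <- Bob",                                           # Alice delegates to Bob
    "SA.GeniPA <- GOC.GeniPA",                                           # SA trust
    "SA.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter",
    "EvilPA.Operate_P1 <- Mallory",                                      # PA the GOC never endorsed
]

def parse(cred):
    """'A.r <- B.s.t' -> ('A.r', ['B', 's', 't']); body length 1/2/3 selects the RT0 rule type."""
    head, body = (s.strip() for s in cred.split("<-"))
    return head, body.split(".")

def role_members(creds):
    """Least fixpoint over RT0 credentials: maps each role 'A.r' to the set of its principals."""
    rules = [parse(c) for c in creds]
    mem = {head: set() for head, _ in rules}
    get = lambda role: mem.get(role, set())
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if len(body) == 1:                # A.r <- B       : B is a member
                new = {body[0]}
            elif len(body) == 2:              # A.r <- B.s     : all members of B.s
                new = get(".".join(body))
            else:                             # A.r <- B.s.t   : members of p.t for each p in B.s
                new = set().union(*(get(f"{p}.{body[2]}") for p in get(f"{body[0]}.{body[1]}")))
            if not new <= mem[head]:
                mem[head] |= new
                changed = True
    return mem

def can_create_slice(mem, requester, project_root, project_id):
    """The SA's three slice-creation queries from the page, checked against the computed roles."""
    return (requester in mem.get("SA.GeniExperimenter", set())
            and project_root in mem.get("SA.GeniPA", set())
            and requester in mem.get(f"{project_root}.Operate_{project_id}", set()))
```

With these credentials, can_create_slice(role_members(CREDENTIALS), who, root, "P1") is True for Alice and for Bob (through Alice's delegation), and False for Mallory under EvilPA, because the SA never learns EvilPA as a GOC-endorsed PA, so EvilPA's assertion about Mallory carries no weight.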

Aggregate Manager

The Orca AM trusts the GOC to issue clearinghouse coordinator credentials.

OrcaAM.GeniSA <- GOC.GeniSA

The Orca AM trusts a GOC endorsed IdP to issue user-role credentials.

OrcaAM.GeniExperimenter <- GOC.GeniIdP.GeniExperimenter

The Orca AM requires a user to be a trusted GENI experimenter in order to operate on a slice. Also, the slice's root has to be a trusted slice authority and the requester must have the privilege to operate on the slice.

OrcaAM.GeniExperimenter <?- Requester
OrcaAM.GeniSA <?- SliceRoot
SliceRoot.Operate_SliceId <?- Requester