A sample ABAC scenario

Prerequisite: Please go through the AbacPolicy and AbacTools documents.

We have the following actors as part of our implementation.

  • GOC: GENI's trust root
  • IdP1: Identity Provider
  • ProjAuth1: Project Authority
  • SliceAuth1: Slice Authority
  • OrcaAM1: Aggregate Manager (Orca Service Manager)
  • Alice: PI
  • Bob: Experimenter

We assume the working directory contains the ABAC Tools jar and that each entity's key pair is available under a directory named credentials. The private key and certificate files are expected to be named <Entity Name>_private.pem and <Entity Name>_cert.pem, respectively.

GOC

GOC endorses each coordinator according to its specific function. All other actors trust the GOC-endorsed coordinators. Credentials, once generated, are uploaded to POD. The uploaded credentials are associated with the uploader, which in this case is the GOC, and are scoped to the subject's public key identifier.

GOC.GeniIdP <- IdP1
GOC.GeniPA <- ProjAuth1
GOC.GeniSA <- SliceAuth1
java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniIdP \
--subjectcert credentials/IdP1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/IdP1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniPA \
--subjectcert credentials/ProjAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/ProjAuth1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniSA \
--subjectcert credentials/SliceAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/SliceAuth1_cert.pem`

GOC uploads the coordinator role credentials scoped to the coordinator's public key identifier. The coordinator can associate the same credentials with its own identifier by creating a link to them.

Identity Provider

IdP creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/IdP1_private.pem --sourcecert credentials/IdP1_cert.pem \
--targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/IdP1_cert.pem`

Project Authority

The PA generates its trust policy credentials.

ProjAuth1.GeniUser <- GOC.GeniIdP.GeniUser
ProjAuth1.GeniPI <- GOC.GeniIdP.GeniPI
java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniUser \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniUser

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniPI \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniPI

PA also creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/ProjAuth1_private.pem --sourcecert credentials/ProjAuth1_cert.pem \
--targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/ProjAuth1_cert.pem`

Slice Authority

The SA generates its trust policy credentials.

SliceAuth1.GeniPA <- GOC.GeniPA
SliceAuth1.GeniUser <- GOC.GeniIdP.GeniUser
java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniPA \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniPA

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniUser \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniUser

SA also creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/SliceAuth1_private.pem --sourcecert credentials/SliceAuth1_cert.pem \
--targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/SliceAuth1_cert.pem`

Aggregate Manager (Orca Service Manager)

The AM generates its trust policy credentials.

OrcaAM1.GeniSA <- GOC.GeniSA
OrcaAM1.GeniUser <- GOC.GeniIdP.GeniUser
java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/OrcaAM1_private.pem --issuercert credentials/OrcaAM1_cert.pem --role GeniSA \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniSA

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/OrcaAM1_private.pem --issuercert credentials/OrcaAM1_cert.pem --role GeniUser \
--subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniUser

User Registration

Alice and Bob register at the IdP. IdPs are Shibboleth-authenticated. A user needs to provide a public key certificate to identify itself. The related ABAC credentials are generated according to the user's primary affiliation and uploaded to a credential store.

A new public key certificate (based on the public key extracted from the input certificate) signed by the IdP is also issued, which the user can use to talk to the POD credential store. This is needed because POD authenticates by certificate chain: it requires the requester to present a certificate signed by a trusted CA. The IdP is registered with POD as a trusted CA, which is why a certificate issued by the IdP can be used to talk to POD.

IdP1.GeniUser <- Alice
IdP1.GeniPI <- Alice

IdP1.GeniUser <- Bob

An Identity Provider uploads the credentials scoped to the user's public key identifier. The user can associate the same credentials with its own identifier by creating a link to them.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Alice_private.pem --sourcecert credentials/Alice_cert.pem \
--targetcert credentials/IdP1_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Alice_cert.pem`

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Bob_private.pem --sourcecert credentials/Bob_cert.pem \
--targetcert credentials/IdP1_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`

The IdP also issues a public key certificate. Users need it to access POD, the credential store, whose authentication is based on public key certificate chains.

Project Creation

A user with a GeniPI role can create a project. In our use-case Alice requests a PA to create a project.

A project is created by visiting the corresponding webpage and filling out the required information. Once a project has been created, details similar to the following are output.

Project Authority ID: fd8c228193b72e7d6028b135804745355b5f98d4
Project Name: ProjectAlice
Project UUID: 9de36607-7cb5-4e51-8f62-9bbab9427fdc

This information is required to operate on the project. The associated credentials are uploaded to the credential store.

Alice can then delegate the privilege to operate on the project to Bob.

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/Alice_private.pem --issuercert credentials/Alice_cert.pem --role Operate \
--roleobject <Project UUID> --subjectcert credentials/Bob_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`

Bob can create a link to these credentials in order to associate them with his own public key identifier.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Bob_private.pem --sourcecert credentials/Bob_cert.pem --sourcescope <Project UUID> \
--targetcert credentials/Alice_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`
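The trust policies issued above (the GOC endorsements, the PA/SA/AM policies, the IdP's user credentials and Alice's Operate delegation to Bob) together form a chain that a verifier resolves before granting an operation. The following is an added example, not code from this page or from ABAC Tools: a small RT0-style resolver that takes the credentials in the "A.r <- B" notation used on this page and computes which principals each role contains. It assumes that the Operate delegation (CreddyPod's --role Operate --roleobject <Project UUID>) can be modelled as a role parameterised by the project UUID, and it adds one constructed credential, from an identity provider "IdP2" that the GOC never endorsed, to show that such an assertion does not reach the PA's GeniPI role.

```python
# Added example (not part of the ABAC Tools page or the project's code): a
# minimal RT0-style resolver that computes which principals a role contains
# from the credentials written in this scenario's "A.r <- B" notation.
from collections import defaultdict, namedtuple

Credential = namedtuple("Credential", "issuer role subject subject_role linked_role")


def parse_credential(text):
    """Parse one statement in the page's notation into its RT0 form.

    A.r <- B        membership     (subject_role and linked_role are None)
    A.r <- B.s      containment    (linked_role is None)
    A.r <- B.s.t    linked role
    """
    head, tail = (part.strip() for part in text.split("<-"))
    issuer, role = head.split(".", 1)
    parts = tail.split(".")
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported credential form: {text!r}")
    return Credential(issuer, role, parts[0],
                      parts[1] if len(parts) > 1 else None,
                      parts[2] if len(parts) > 2 else None)


def resolve(credentials):
    """Least fixpoint over the credentials: 'Issuer.role' -> set of principals.

    Membership sets only grow and the set of principals is finite, so the
    loop terminates once a full pass adds nothing.
    """
    members = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for c in credentials:
            target = f"{c.issuer}.{c.role}"
            before = len(members[target])
            if c.subject_role is None:                        # A.r <- B
                members[target].add(c.subject)
            elif c.linked_role is None:                        # A.r <- B.s
                members[target] |= members[f"{c.subject}.{c.subject_role}"]
            else:                                              # A.r <- B.s.t
                for p in list(members[f"{c.subject}.{c.subject_role}"]):
                    members[target] |= members[f"{p}.{c.linked_role}"]
            changed |= len(members[target]) != before
    return members


# Sample value from this page: the project UUID printed by the PA.
PROJECT_UUID = "9de36607-7cb5-4e51-8f62-9bbab9427fdc"

# The scenario's credentials, transcribed from the sections above. The
# "Operate" delegation is modelled as a role parameterised by the project UUID
# (CreddyPod's --roleobject); that encoding is an assumption of this example.
SCENARIO = [
    "GOC.GeniIdP <- IdP1",
    "GOC.GeniPA <- ProjAuth1",
    "GOC.GeniSA <- SliceAuth1",
    "ProjAuth1.GeniUser <- GOC.GeniIdP.GeniUser",
    "ProjAuth1.GeniPI <- GOC.GeniIdP.GeniPI",
    "SliceAuth1.GeniPA <- GOC.GeniPA",
    "SliceAuth1.GeniUser <- GOC.GeniIdP.GeniUser",
    "OrcaAM1.GeniSA <- GOC.GeniSA",
    "OrcaAM1.GeniUser <- GOC.GeniIdP.GeniUser",
    "IdP1.GeniUser <- Alice",
    "IdP1.GeniPI <- Alice",
    "IdP1.GeniUser <- Bob",
    f"Alice.Operate({PROJECT_UUID}) <- Bob",
]

# Constructed, not on the page: an identity provider that the GOC never
# endorsed asserts a PI credential for a principal called Mallory.
UNENDORSED = ["IdP2.GeniPI <- Mallory"]


def holds(role, principal, statements=None):
    """True if `principal` is a proven member of `role` under the credentials."""
    statements = SCENARIO + UNENDORSED if statements is None else statements
    return principal in resolve([parse_credential(s) for s in statements])[role]


if __name__ == "__main__":
    for role, who in [("OrcaAM1.GeniUser", "Bob"), ("ProjAuth1.GeniPI", "Alice"),
                      ("ProjAuth1.GeniPI", "Mallory"),
                      (f"Alice.Operate({PROJECT_UUID})", "Bob")]:
        print(f"{who:8} in {role}: {holds(role, who)}")
```

Running the script shows Bob reaching OrcaAM1.GeniUser only through GOC.GeniIdP <- IdP1 and IdP1.GeniUser <- Bob; Mallory's credential from IdP2 never reaches ProjAuth1.GeniPI because GOC.GeniIdP does not contain IdP2, which is exactly the bound the GOC's endorsements place on every policy written in terms of GOC.GeniIdP, GOC.GeniPA and GOC.GeniSA.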

Slice Creation

A user with a GeniUser role and the privilege to operate on a project can create a slice under the same project.

Bob requests a SA to create a slice under the earlier created project.

A slice is created by visiting the corresponding webpage and filling out the required information. Once a slice has been created, details similar to the following are output.

Slice Authority ID: 256329ec2e1bca0aa25e992189b0f818b6a33745
Slice Name: SliceAlice
Slice UUID: c0c8cdc4-425c-4dbf-a00c-f88feb0a1ae0

This information is required to operate on the slice. The associated credentials are uploaded to the credential store.

Sliver Creation

A user with a GeniUser role and the privilege to operate on a slice can add a sliver to the same slice.

Bob requests an AM (an Orca SM) to add a sliver to the earlier created slice.

While requesting an operation on a slice, a slice identifier needs to be passed to the AM. The slice identifier must have the following format:

<Slice Authority ID>.<Slice UUID>

which in the case of the sample scenario is

256329ec2e1bca0aa25e992189b0f818b6a33745.c0c8cdc4-425c-4dbf-a00c-f88feb0a1ae0