Version 11 (modified by prateek, 7 years ago)

--

A sample ABAC scenario

We have the following actors as part of our implementation.

  • GOC: GENI's trust root
  • IdP1: Identity Provider
  • ProjAuth1: Project Authority
  • SliceAuth1: Slice Authority
  • OrcaAM1: Orca Aggregate Manager
  • Alice: PI
  • Bob: Experimenter

We assume that the working directory contains the ABAC Tools jar and that each entity's key pair is available under a directory named credentials. The private key and certificate files are expected to be named <Entity Name>_private.pem and <Entity Name>_cert.pem, respectively.

GOC

GOC endorses each coordinator for its specific function. Credentials, once generated, are uploaded to POD. The uploaded credentials are associated with the uploader, which in this case is the GOC, and are scoped to the subject's public key identifier (the SHA-1 hash of the subject's public key, as computed by GetPublicKeySha1Hash below).

GOC.GeniIdP <- IdP1
GOC.GeniPA <- ProjAuth1
GOC.GeniSA <- SliceAuth1

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniIdP \
  --subjectcert credentials/IdP1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/IdP1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniPA \
  --subjectcert credentials/ProjAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/ProjAuth1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniSA \
  --subjectcert credentials/SliceAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/SliceAuth1_cert.pem`

GOC uploads the coordinator role credentials scoped to the coordinator's public key identifier. The coordinator can associate the same credentials with its own identifier by creating a link to them.

Identity Provider

IdP creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/IdP1_private.pem --sourcecert credentials/IdP1_cert.pem \
  --targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/IdP1_cert.pem`

Project Authority

The PA generates its trust policy credentials.

ProjAuth1.GeniUser <- GOC.GeniIdP.GeniUser
ProjAuth1.GeniPI <- GOC.GeniIdP.GeniPI

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniUser \
  --subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniUser

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniPI \
  --subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniPI

PA also creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/ProjAuth1_private.pem --sourcecert credentials/ProjAuth1_cert.pem \
  --targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/ProjAuth1_cert.pem`

Slice Authority

The SA generates its trust policy credentials.

SliceAuth1.GeniPA <- GOC.GeniPA
SliceAuth1.GeniUser <- GOC.GeniIdP.GeniUser

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniPA \
  --subjectcert credentials/GOC_cert.pem --subjectrole GeniPA

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniUser \
  --subjectcert credentials/GOC_cert.pem --subjectrole GeniIdP.GeniUser

SA also creates a link to the credentials representing the GOC endorsement.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/SliceAuth1_private.pem --sourcecert credentials/SliceAuth1_cert.pem \
  --targetcert credentials/GOC_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/SliceAuth1_cert.pem`

User Registration

Alice and Bob register at the IdP. IdPs are Shibboleth authenticated. The related ABAC credentials are generated according to each user's primary affiliation and uploaded to a credential store.

IdP1.GeniUser <- Alice
IdP1.GeniPI <- Alice

IdP1.GeniUser <- Bob

An Identity Provider uploads the credentials scoped to the user's public key identifier. The user can associate the same credentials with their own identifier by creating a link to them.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Alice_private.pem --sourcecert credentials/Alice_cert.pem \
  --targetcert credentials/IdP1_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Alice_cert.pem`

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Bob_private.pem --sourcecert credentials/Bob_cert.pem \
  --targetcert credentials/IdP1_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`

The IdP also issues each user a public key certificate. Users need it to access POD, the credential store, because POD authenticates clients by their public key certificate chain.

Project Creation

A user with the GeniPI role can create a project. In our use case, Alice requests the PA to create a project.

Alice can then delegate the privilege to operate on the project to Bob.

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/Alice_private.pem --issuercert credentials/Alice_cert.pem --role Operate --roleobject <Project UUID> \
  --subjectcert credentials/Bob_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`

Bob can create a link to these credentials in order to associate them with his own public key identifier.

java -cp AbacTools.jar util.PodAddLink --sourcekey credentials/Bob_private.pem \
  --sourcecert credentials/Bob_cert.pem --sourcescope `java -cp AbacTools.jar util.GetSha1Hash <Project UUID>` \
  --targetcert credentials/Alice_cert.pem --targetscope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/Bob_cert.pem`

Slice Creation

A user with the GeniUser role and the privilege to operate on a project can create a slice under the same project.

Bob requests a SA to create a slice under the earlier created project.
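
The SA can only grant this request if it can prove, from the credentials issued above, that Bob is a member of SliceAuth1.GeniUser and that Bob holds the Operate privilege on the project. The GeniUser membership is not a single credential but a chain: SliceAuth1.GeniUser <- GOC.GeniIdP.GeniUser, GOC.GeniIdP <- IdP1 and IdP1.GeniUser <- Bob. The following is an added example, not code from this page or from the ABAC Tools distribution: a minimal RT0 membership prover in Python that replays exactly the statements issued in this scenario and answers the SA's question. The credential text is a constructed transcription of the statements on this page, PROJECT_UUID is a constructed placeholder, and the requirement in can_create_slice that the delegator hold ProjAuth1.GeniPI is an assumption of this example (the page does not say how the SA ties the delegation back to the project's PI).

```python
# Added example (not part of the original page or the ABAC Tools distribution):
# a minimal RT0 membership prover that replays the credential chains set up in
# this scenario. CREDENTIALS, PROJECT_UUID and the PI requirement in
# can_create_slice are assumptions made for this example.

PROJECT_UUID = "11111111-2222-3333-4444-555555555555"  # constructed placeholder

# Every RT0 statement this page issues, written as the page writes it.
CREDENTIALS = f"""
GOC.GeniIdP <- IdP1
GOC.GeniPA <- ProjAuth1
GOC.GeniSA <- SliceAuth1
ProjAuth1.GeniUser <- GOC.GeniIdP.GeniUser
ProjAuth1.GeniPI <- GOC.GeniIdP.GeniPI
SliceAuth1.GeniPA <- GOC.GeniPA
SliceAuth1.GeniUser <- GOC.GeniIdP.GeniUser
IdP1.GeniUser <- Alice
IdP1.GeniPI <- Alice
IdP1.GeniUser <- Bob
Alice.Operate({PROJECT_UUID}) <- Bob
"""


def parse_role(text):
    """'A.r' -> ('A', 'r'); a parameterised role such as 'Operate(uuid)' is one name."""
    entity, role = text.split(".", 1)
    return entity, role


def parse_credential(line):
    """Parse one RT0 statement into (head_role, body) for the three RT0 forms."""
    head, body = (part.strip() for part in line.split("<-"))
    head_role = parse_role(head)
    parts = body.split(".")
    if len(parts) == 1:          # A.r <- B         (simple member)
        return head_role, ("member", parts[0])
    if len(parts) == 2:          # A.r <- B.r1      (simple containment)
        return head_role, ("role", parts[0], parts[1])
    if len(parts) == 3:          # A.r <- B.r1.r2   (linked role)
        return head_role, ("linked", parts[0], parts[1], parts[2])
    raise ValueError(f"not an RT0 credential: {line!r}")


def parse_credentials(text):
    return [parse_credential(line) for line in text.splitlines() if line.strip()]


def compute_members(credentials):
    """Forward-chain to a fixpoint: role (entity, name) -> set of proven members."""
    members = {}

    def of(role):
        return members.setdefault(role, set())

    changed = True
    while changed:
        changed = False
        for head, body in credentials:
            before = len(of(head))
            if body[0] == "member":
                of(head).add(body[1])
            elif body[0] == "role":
                of(head).update(of((body[1], body[2])))
            else:  # linked: every member X of B.r1 contributes the members of X.r2
                for x in list(of((body[1], body[2]))):
                    of(head).update(of((x, body[3])))
            changed = changed or len(of(head)) != before
    return members


def has_role(members, entity, role_text):
    return entity in members.get(parse_role(role_text), set())


def can_create_slice(members, user, delegator, project_uuid):
    """The SA's check for 'create a slice under project P' as this page describes it:
    the requester must hold GeniUser at the SA and the Operate privilege on P.
    Requiring the delegator to hold ProjAuth1.GeniPI is an assumption of this example."""
    return (
        has_role(members, user, "SliceAuth1.GeniUser")
        and has_role(members, user, f"{delegator}.Operate({project_uuid})")
        and has_role(members, delegator, "ProjAuth1.GeniPI")
    )


if __name__ == "__main__":
    m = compute_members(parse_credentials(CREDENTIALS))
    for entity, role in [("Bob", "SliceAuth1.GeniUser"), ("Bob", "ProjAuth1.GeniPI"),
                         ("Alice", "ProjAuth1.GeniPI")]:
        print(f"{role} holds {entity}: {has_role(m, entity, role)}")
    print("Bob may create a slice:", can_create_slice(m, "Bob", "Alice", PROJECT_UUID))
```

The prover deliberately knows nothing about who uploaded a credential or which POD scope it sits under; those are storage and discovery concerns. What it shows is that the SA never needs a direct SliceAuth1.GeniUser <- Bob statement: trust flows through the GOC endorsement of IdP1 and IdP1's own assertion about Bob, and withdrawing either credential removes Bob from the role.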

Sliver Creation

A user with the GeniUser role and the privilege to operate on a slice can add a sliver to the same slice.

Bob requests an AM to add a sliver to the earlier created slice.