Version 2 (modified by prateek, 7 years ago)


A sample ABAC scenario

We have the following actors as part of our implementation.

  • GOC: GENI's trust root
  • IdP1: Identity Provider
  • ProjAuth1: Project Authority
  • SliceAuth1: Slice Authority
  • OrcaAM1: Orca Aggregate Manager
  • Alice: PI
  • Bob: Experimenter

We assume that the working directory contains the ABAC Tools jar and that each entity's key pair is available under a directory named credentials. The private key and certificate files are expected to be named <Entity Name>_private.pem and <Entity Name>_cert.pem, respectively.

GOC

GOC endorses each coordinator for its specific function. Credentials, once generated, are uploaded to POD. An uploaded credential is associated with the uploader (here the GOC) and with the subject's public key identifier; the --scope argument below supplies that identifier as the SHA-1 hash of the subject's public key.

GOC.GeniIdP <- IdP1
GOC.GeniPA <- ProjAuth1
GOC.GeniSA <- SliceAuth1

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniIdP \
  --subjectcert credentials/IdP1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/IdP1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniPA \
  --subjectcert credentials/ProjAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/ProjAuth1_cert.pem`

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/GOC_private.pem --issuercert credentials/GOC_cert.pem --role GeniSA \
  --subjectcert credentials/SliceAuth1_cert.pem --scope `java -cp AbacTools.jar util.GetPublicKeySha1Hash credentials/SliceAuth1_cert.pem`

Project Authority

The PA generates its trust policy credentials. Each one delegates a PA role to a linked role rooted at the GOC, so membership is resolved through whichever identity provider the GOC has endorsed rather than through a fixed IdP.

ProjAuth1.GeniUser <- GOC.IdP.GeniUser
ProjAuth1.GeniPI <- GOC.IdP.GeniPI

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniUser \
  --subjectcert credentials/GOC_cert.pem --subjectrole IdP.GeniUser

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/ProjAuth1_private.pem --issuercert credentials/ProjAuth1_cert.pem --role GeniPI \
  --subjectcert credentials/GOC_cert.pem --subjectrole IdP.GeniPI

Slice Authority

The SA generates its trust policy credentials. It accepts as project authorities exactly those entities the GOC endorses with GeniPA, and it resolves users through the same GOC-rooted linked role the PA uses.

SliceAuth1.GeniPA <- GOC.GeniPA
SliceAuth1.GeniUser <- GOC.IdP.GeniUser

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniPA \
  --subjectcert credentials/GOC_cert.pem --subjectrole GeniPA

java -cp AbacTools.jar util.CreddyPod --issuerkey credentials/SliceAuth1_private.pem --issuercert credentials/SliceAuth1_cert.pem --role GeniUser \
  --subjectcert credentials/GOC_cert.pem --subjectrole IdP.GeniUser
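The GOC, PA and SA statements above are RT0 credentials of three shapes: a direct member (A.r <- B), a contained role (A.r <- B.r1) and a linked role (A.r <- B.r1.r2). The following added example, which is not part of this page or of the ABAC Tools project, is a small fixpoint evaluator that computes who ends up in each role once the statements are combined. It feeds in the page's statements verbatim plus three constructed IdP1 statements for Alice and Bob (the IdP section of the page is not shown here, so these are assumptions). It also reports roles that are referenced on the right-hand side of some statement but never defined on the left, which is the first thing to check when a linked-role chain resolves to nobody: as written, the PA and SA policies reference GOC.IdP while the GOC statement defines GOC.GeniIdP, so the user roles stay empty until a GOC.IdP statement exists.

```python
"""Minimal RT0 role-membership evaluator (added example, not ABAC Tools code)."""
from collections import defaultdict

# Trust-policy statements exactly as they appear on this page.
PAGE_CREDENTIALS = [
    "GOC.GeniIdP <- IdP1",
    "GOC.GeniPA <- ProjAuth1",
    "GOC.GeniSA <- SliceAuth1",
    "ProjAuth1.GeniUser <- GOC.IdP.GeniUser",
    "ProjAuth1.GeniPI <- GOC.IdP.GeniPI",
    "SliceAuth1.GeniPA <- GOC.GeniPA",
    "SliceAuth1.GeniUser <- GOC.IdP.GeniUser",
]

# Constructed (hypothetical) statements an identity provider would issue
# for the two users named on the page; they are not taken from the page.
USER_CREDENTIALS = [
    "IdP1.GeniUser <- Bob",
    "IdP1.GeniUser <- Alice",
    "IdP1.GeniPI <- Alice",
]


def parse(stmt):
    """Split 'A.r <- body' into ((A, r), body-parts); body has 1 to 3 dotted parts."""
    lhs, rhs = (s.strip() for s in stmt.split("<-"))
    head = tuple(lhs.split("."))
    body = tuple(rhs.split("."))
    if len(head) != 2 or not 1 <= len(body) <= 3:
        raise ValueError(f"not an RT0 statement: {stmt!r}")
    return head, body


def members(credentials):
    """Compute the member set of every role by iterating to a fixpoint."""
    creds = [parse(s) for s in credentials]
    roles = defaultdict(set)  # (entity, role) -> set of member entities
    changed = True
    while changed:
        changed = False
        for (a, r), body in creds:
            before = len(roles[(a, r)])
            if len(body) == 1:                      # A.r <- B
                roles[(a, r)].add(body[0])
            elif len(body) == 2:                    # A.r <- B.r1
                roles[(a, r)] |= roles[(body[0], body[1])]
            else:                                   # A.r <- B.r1.r2
                b, r1, r2 = body
                for x in list(roles[(b, r1)]):      # every X in B.r1 contributes X.r2
                    roles[(a, r)] |= roles[(x, r2)]
            if len(roles[(a, r)]) != before:
                changed = True
    return {f"{a}.{r}": frozenset(m) for (a, r), m in roles.items()}


def undefined_roles(credentials):
    """Roles named on a right-hand side (B.r1 of a contained or linked role)
    that no statement defines; such references can never contribute members."""
    creds = [parse(s) for s in credentials]
    defined = {head for head, _ in creds}
    referenced = {(body[0], body[1]) for _, body in creds if len(body) >= 2}
    return {f"{a}.{r}" for a, r in referenced - defined}


if __name__ == "__main__":
    for name, m in sorted(members(PAGE_CREDENTIALS + USER_CREDENTIALS).items()):
        print(f"{name:24s} {sorted(m)}")
    print("undefined roles:", undefined_roles(PAGE_CREDENTIALS))
    # Adding a constructed GOC.IdP statement closes the gap and lets the
    # PA and SA user roles resolve to the IdP1-issued users.
    closed = members(PAGE_CREDENTIALS + USER_CREDENTIALS + ["GOC.IdP <- IdP1"])
    print("ProjAuth1.GeniUser with GOC.IdP defined:", sorted(closed["ProjAuth1.GeniUser"]))
```

The evaluator ignores signatures entirely; it only models the logic that CreddyPod's output encodes, and a real verifier would first check each credential's signature against the issuer certificate and match --scope to the subject's key hash before trusting a statement.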

Users of the system