Version 2 (modified by prateek, 7 years ago)

--

ABAC Tools

The proposed GENI architecture needs the following coordinators to mediate interaction between the users and the aggregate managers.

  • Identity Provider
  • Project Authority
  • Slice Authority

The coordinators need to generate ABAC credentials to perform the required operations. ABAC Tools is a set of Java programs that generate and upload ABAC credentials.

CreddyPod

CreddyPod is a program that generates and uploads generic ABAC credentials. The coordinator-specific programs use it in turn.

The following are the required input parameters.

  • Issuer's public key certificate (issuercert)
  • Issuer's private key (issuerkey)
  • Issuer's role/attribute (role)
  • Object Identifier, if the role is specific to a particular object (roleobject)
  • Subject's public key certificate (subjectcert)
  • Subject's role/attribute (subjectrole)
  • Scope identifier, if the credential needs to be scoped to a particular identifier (scope)

Example

PA.GeniPI <- GOC.GeniIdP.GeniPI
CreddyPod --issuerkey <path to PA's private key file> --issuercert <path to PA's certificate file> \
          --issuerrole GeniPI --subjectcert <path to GOC's certificate file> --subjectrole GeniIdP.GeniPI
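
How the credential above is evaluated, as an added example that is not part of ABAC Tools: a small resolver for the three RT0-style credential forms, assuming standard ABAC linked-role semantics. Principal names stand in for the keys that real credentials bind to, and every credential except the first is constructed for illustration.

```python
# Added example: RT0-style evaluation of ABAC credentials (not CreddyPod code).
# A credential is "head <- body". head is "Issuer.role"; body is one of:
#   "Principal"            simple member      A.r <- P
#   "Issuer.role"          role inclusion     A.r <- B.r1
#   "Issuer.role1.role2"   linked role        A.r <- B.r1.r2

def parse(line):
    head, body = (s.strip() for s in line.split("<-"))
    if head.count(".") != 1:
        raise ValueError(f"head must be Issuer.role: {head!r}")
    return head, tuple(body.split("."))

def members(credentials):
    """Return {role: set(principals)} as the least fixpoint of the rules."""
    rules = [parse(c) for c in credentials]
    roles = {head: set() for head, _ in rules}
    changed = True
    while changed:
        changed = False
        for head, body in rules:
            if len(body) == 1:            # A.r <- P
                new = {body[0]}
            elif len(body) == 2:          # A.r <- B.r1
                new = roles.get(".".join(body), set())
            elif len(body) == 3:          # A.r <- B.r1.r2
                new = set()
                for x in roles.get(f"{body[0]}.{body[1]}", set()):
                    new |= roles.get(f"{x}.{body[2]}", set())
            else:
                raise ValueError(f"unsupported body: {body!r}")
            if not new <= roles[head]:
                roles[head] |= new
                changed = True
    return roles

# Constructed sample credentials; only the first line comes from the page.
CREDS = [
    "PA.GeniPI <- GOC.GeniIdP.GeniPI",  # the credential generated above
    "GOC.GeniIdP <- IdP",               # GOC recognises IdP as an identity provider
    "IdP.GeniPI <- Alice",              # IdP asserts that Alice is a PI
    "Rogue.GeniPI <- Bob",              # issuer that GOC never endorsed
]

def holds(role, principal, credentials=CREDS):
    return principal in members(credentials).get(role, set())

if __name__ == "__main__":
    print(holds("PA.GeniPI", "Alice"), holds("PA.GeniPI", "Bob"))
```

Bob's GeniPI assertion is ignored because its issuer is not a member of GOC.GeniIdP; the linked role delegates the decision about which identity providers count to GOC.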

Identity Provider

The following are the required input parameters.

  • IdP's public key certificate (idpcert)
  • IdP's private key (idpkey)
  • Requester's public key certificate (requestercert)
  • Requester's role (role)
  • POD URL, if different from the default instance (podurl)

Example

IdentityProvider --idpkey IdP_private.pem --idpcert IdP_cert.pem \
                 --requestercert Alice_cert.pem --role faculty --podurl https://geni.renci.org/test-pod/orca-pod/

Project Authority

Slice Authority