Version 3 (modified by prateek, 7 years ago)

ABAC Tools

The proposed GENI architecture needs the following coordinators to mediate interaction between the users and the aggregate managers.

  • Identity Provider
  • Project Authority
  • Slice Authority

The coordinators need to generate ABAC credentials to perform the required operations. ABAC Tools is a set of Java programs that generate and upload ABAC credentials.

CreddyPod

CreddyPod is a program that generates and uploads generic ABAC credentials. The coordinator-specific programs described below use it in turn.

The following are the required input parameters.

  • Issuer's private key (issuerkey)
  • Issuer's public key certificate (issuercert)
  • Issuer's role/attribute (role)
  • Object Identifier, if the role is specific to a particular object (roleobject)
  • Subject's public key certificate (subjectcert)
  • Subject's role/attribute (subjectrole)
  • Scope identifier, if the credential needs to be scoped to a particular identifier (scope)

Example

PA.GeniPI <- GOC.GeniIdP.GeniPI
CreddyPod --issuerkey <path to PA's private key file> --issuercert <path to PA's certificate file> \
          --issuerrole GeniPI --subjectcert <path to GOC's certificate file> --subjectrole GeniIdP.GeniPI
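
What the credential in this example delegates can be checked with a small evaluator. The block below is an added illustration, not part of ABAC Tools: it assumes the usual RT0 reading of the notation (A.r <- B.r1.r2 means anyone holding r2 from a principal in B.r1 also holds A.r) and omits intersection credentials. Principal names stand in for key identifiers, and every credential except the first is constructed.

```python
def parse(cred):
    """Split 'A.r <- body' into ((issuer, role), [body parts])."""
    head, body = (s.strip() for s in cred.split("<-"))
    issuer, role = head.split(".")
    return (issuer, role), body.split(".")

def members(creds):
    """Evaluate the credentials to a fixpoint: {(issuer, role): {principals}}."""
    rules = [parse(c) for c in creds]
    m, changed = {}, True
    while changed:
        changed = False
        for head, body in rules:
            if len(body) == 1:        # A.r <- P       direct membership
                new = {body[0]}
            elif len(body) == 2:      # A.r <- B.r1    role containment
                new = set(m.get((body[0], body[1]), ()))
            elif len(body) == 3:      # A.r <- B.r1.r2 linked role
                new = set()
                for x in m.get((body[0], body[1]), ()):
                    new |= m.get((x, body[2]), set())
            else:
                raise ValueError("unsupported credential body: %r" % body)
            cur = m.setdefault(head, set())
            if not new <= cur:
                cur |= new
                changed = True
    return m

def holds(creds, principal, issuer, role):
    """True if 'principal' can prove membership in issuer.role."""
    return principal in members(creds).get((issuer, role), set())

CREDS = [
    "PA.GeniPI <- GOC.GeniIdP.GeniPI",  # credential from the example above
    "GOC.GeniIdP <- IdP",               # constructed: GOC recognises IdP
    "IdP.GeniPI <- Alice",              # constructed: IdP asserts Alice is a PI
    "Rogue.GeniPI <- Mallory",          # constructed: issuer GOC never named
]

if __name__ == "__main__":
    for who in ("Alice", "Mallory"):
        print(who, "holds PA.GeniPI:", holds(CREDS, who, "PA", "GeniPI"))
```

The Rogue credential is validly formed but grants nothing at PA, because the linked role only follows issuers that GOC has placed in GOC.GeniIdP.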

Identity Provider

The following are the required input parameters.

  • IdP's private key (idpkey)
  • IdP's public key certificate (idpcert)
  • Requester's public key certificate (requestercert)
  • Requester's role (role)
  • POD URL, if different from the default instance (podurl)

Example

IdentityProvider --idpkey IdP_private.pem --idpcert IdP_cert.pem \
                 --requestercert Alice_cert.pem --role faculty --podurl https://geni.renci.org/test-pod/orca-pod/

Project Authority

The following are the required input parameters.

  • PA's private key (pakey)
  • PA's public key certificate (pacert)
  • Requester's public key certificate (requestercert)
  • Project name (projectname)

Example

ProjectAuthorityPolicy --pakey PA_private.pem --pacert PA_cert.pem \
                       --requestercert Alice_cert.pem --projectname Project1

Slice Authority

The following are the required input parameters.

  • SA's private key (sakey)
  • SA's public key certificate (sacert)
  • PA's public key identifier (paid)
  • Requester's public key certificate (requestercert)
  • Project UUID (projectuuid)
  • Slice Name (slicename)

Example

SliceAuthorityPolicy --sakey SA_private.pem --sacert SA_cert.pem --paid <PA's public key SHA-1 hash> \
                     --requestercert Alice_cert.pem --projectuuid 0cb9a18f-d541-4d64-a06c-8b2941cfe14f --slicename Slice1