TRANSCRIPT
Duke Systems
ABAC: An ORCA Perspective
GEC 11
Jeff Chase, Duke University
Thanks: NSF TC CNS-0910653
A simple example
Client E sends a request to Server A: Command C on Object O.
Server A holds authorization policies (attributes + capabilities) and poses a query to the ABAC inference engine: A.CO ∋ E? (does E hold A's role CO, i.e., is E authorized to run C on O?)
The inference engine answers the query over a query context: the credentials available to A for this decision.
ABAC: facts and rules
A.r ← {E}   "A says:" "These entities {E} have the role r."
A.r ← (A.k).r   "A believes:" "If my king (any member of A.k) decrees E has role r, then I accept it."
These are X.509 certificates (credentials) signed by A.
A simple example (revisited)
Same request (Client E asks Server A for Command C on Object O) and same query (A.CO ∋ E?) to the ABAC inference engine over its query context.
Implementation question: what credentials are gathered into the query context? How are they passed, stored, and indexed?
Context flow
Client side: trust anchors and the operator seed the client's context store; user delegation adds to it.
Client E sends the request (Command C on Object O) to Server A together with a context transfer: a credential set drawn from the client's context store.
Server side: A's own context store holds the credential set for A's policies for C on O (authorization policies: attributes + capabilities).
The query context for A.CO ∋ E? is the union of the transferred credential set and A's local credentials; the ABAC inference engine evaluates the query over that context.
Trust sources / anchors
Actor Registry: server/entity endorsements and roles
Identity Provider / Identity Portal: user logon, user certs; identity attributes → user credentials
Slice Authority: capability attributes → slice credentials (for global objects)
These certs are X.509 attribute certificates representing facts about subject roles and rules governing how entities may delegate their roles.
How contexts are made
Registry, etc. → actor context (server trust policy)
IdP → user context; SA → user+slice context (slice policy)
The credential set for a query is assembled from the server trust policy and the slice policy; that credential set is the query context. Both the Client side and the Server side contribute to it.
Slice policy template generation (for object O):
A.C*O ← (A.sa).C*O
A.C*O ← (A.C*O).C*O
A.CO ← (A.CO).speaksFor
geni(x): A.CO ← A.gmoc
Object policy templates
Templates (X stands for the object):
A.C*X ← (A.sa).C*X
A.C*X ← (A.C*X).C*X
A.CX ← (A.C*X).CX
A.CX ← A.C*X
A.CX ← (A.CX).speaksFor
geni(x): A.CX ← A.gmoc
Generation for a concrete object O: 1. Substitute O for X. 2. Conditional filtering (a rule guarded by a predicate such as geni(x) is kept only when the predicate holds for O).
Generated policy for O:
A.CO ← A.C*O
A.CO ← (A.CO).speaksFor
A.CO ← A.gmoc
A.C*O ← (A.sa).C*O
A.C*O ← (A.C*O).C*O
A.CO ← (A.C*O).CO
Templating enables “RT1-Lite” and “RT2-Lite”.
Authorization policy for slices
Proxied user agents: A.CO ← (A.CO).speaksFor
GMOC “kill switch”: A.CO ← A.gmoc
SA as capability root: A.C*O ← (A.sa).C*O
Capability delegation: A.C*O ← (A.C*O).C*O, and A.CO ← A.C*O
Capability confinement: A.CO ← (A.C*O).CO
ABAC trust structures
• Key elements of the CF (control framework) are merely endorsing entities that produce/consume certs.
  – Examples: slice authority, management authority, identity provider, registry.
• Every server has local policies for whose endorsements it trusts or requires.
  – ABAC can specify these structures declaratively.
• These rules may also empower specially privileged entities.
  – SliceTracker, GMOC
ORCA Testbed: Trust Structure
Actors: aggregate managers (AM), SMs, a broker (BR), a registry (R), and member domains (M); each member domain runs its own AMs and SMs.
Members recognize the registry: M.registry ← R
Registry recognizes members, by class (class A, class B, class C, ...): R.member ← M; R.classn ← M
Actors in member domains recognize the registry: AM.registry ← M.registry; SM.registry ← M.registry
Member domain admin endows local actors with ranks/privileges: M.rankn ← SMi; M.sa ← SMi
AMs accept registry-endorsed broker(s): AM.broker ← (AM.registry).broker
AM recognizes members: AM.member ← (AM.registry).member; AM.classn ← (AM.registry).classn; ...
AM recognizes actor ranks/privileges assigned by members: AM.sa ← (AM.member).sa; AM.rankn ← (AM.member).rankn; ...
Conclusion
• More info: see the “geni-abac” doc.
• ORCA integration for ABAC is ongoing.
  – ABAC/libabac vetted
  – implementation/policy mapped
  – foundation in place: trust structure, speaksFor, templates
• Key focus: context indexing/transfer/union.
• Thanks to NSF CNS-0910653, Trustworthy Virtual Cloud Computing.