Duke Systems

ABAC: An ORCA Perspective
GEC 11

Jeff Chase, Duke University

Thanks: NSF TC CNS-0910653


A simple example

Client E → Server A: Request: Command C on Object O

Server A: authorization policies (attributes + capabilities)

Query: is E in A.C_O?

The ABAC inference engine evaluates the query against the query context.

ABAC: facts and rules

A.r ← {E}   "A says:" "These entities {E} have the role r."

A.r ← (A.k).r   "A believes:" "If my king decrees E has role r, then I accept it."

These are X.509 certificates (credentials) signed by A.

A simple example (revisited)

Client E → Server A: Request: Command C on Object O; Server A's ABAC inference engine answers "is E in A.C_O?" over the query context.

Implementation question: what credentials are gathered into the query context? How are they passed, stored, and indexed?

Context flow

Trust anchors feed a context store maintained by the operator.

Client E → Server A: Request: Command C on Object O, with a context transfer: a credential set (including user delegation).

Server A: context store holding the credential set for C and A's policies for O; authorization policies (attributes + capabilities).

The query context is assembled from the transferred credential set and the server's context store; the ABAC inference engine answers "is E in A.C_O?" against it.

Trust sources / anchors

Actor Registry
Identity Provider
Identity Portal
Slice Authority

Certificate kinds: user logon / user certs; identity attributes / user credentials; capability attributes / slice credentials (global objects); server/entity endorsements and roles.

These certs are X.509 attribute certificates representing facts about subject roles and rules governing how entities may delegate their roles.

How contexts are made

Registry, etc. → actor context
IdP → user context
SA → user+slice context
User → credential set (client side)
Server trust policy + slice policy → query context (server side)

Slice policy template generation:

A.C*_O ← (A.sa).C*_O
A.C*_O ← (A.C*_O).C*_O
A.C_O ← (A.C_O).speaksFor
geni(x): A.C_O ← A.gmoc

Object policy templates

Templates (X is the object placeholder):

A.C*_X ← (A.sa).C*_X
A.C*_X ← (A.C*_X).C*_X
A.C_X ← (A.C*_X).C_X
A.C_X ← A.C*_X
A.C_X ← (A.C_X).speaksFor
geni(x): A.C_X ← A.gmoc

Generated policy for object O:

A.C_O ← A.C*_O
A.C_O ← (A.C_O).speaksFor
A.C_O ← A.gmoc
A.C*_O ← (A.sa).C*_O
A.C*_O ← (A.C*_O).C*_O
A.C_O ← (A.C*_O).C_O

1. Substitute O for X
2. Conditional filtering

Templating enables "RT1-Lite" and "RT2-Lite".

Authorization policy for slices

Proxied user agents: A.C_O ← (A.C_O).speaksFor

GMOC "kill switch": A.C_O ← A.gmoc

SA as capability root: A.C*_O ← (A.sa).C*_O

Capability delegation: A.C*_O ← (A.C*_O).C*_O; A.C_O ← A.C*_O

Capability confinement: A.C_O ← (A.C*_O).C_O

ABAC trust structures

• Key elements of the CF (control framework) are merely endorsing entities that produce/consume certs.
  – Examples: slice authority, management authority, identity provider, registry.

• Every server has local policies for whose endorsements it trusts or requires.
  – ABAC can specify these structures declaratively.

• These rules may also empower specially privileged entities.
  – SliceTracker, GMOC

ORCA Testbed: Trust Structure

(Diagram: actors AM, AM, SM, SM, SM and broker BR; member domain M; registry R.)

Members recognize registry: M.registry ← R

Registry recognizes members (class A, class B, class C, …): R.member ← M; R.class_n ← M

Actors in member domains recognize registry: AM_M.registry ← M.registry; SM_M.registry ← M.registry

Member domain admin endows local actors with ranks/privileges: M.rank_n ← SM_i; M.sa ← SM_i

AMs accept registry-endorsed broker(s): AM.broker ← (AM.registry).broker

AM recognizes members: AM.member ← (AM.registry).member; AM.class_n ← (AM.registry).class_n; …

AM recognizes actor ranks/privileges assigned by members: AM.sa ← (AM.member).sa; AM.rank_n ← (AM.member).rank_n; …
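The credential forms from the "facts and rules" slide, the object policy templates with their two generation steps (substitute O for X, conditional filtering), the slice authorization policy and the AM-side trust-structure rules above can all be exercised together with a small RT0-style inference engine. The following is an added example written for this page; it is not libabac or ORCA code. The server "A", member domain "M", registry "R", slice "s1", command "join", users U1 to U4, proxy P and the GMOC entity are constructed sample names, and the X.509 signature checks on the certificates are assumed to have been done before the credentials reach the query context.

```python
"""Toy RT0-style ABAC engine: credential forms, object-policy templating and
a forward-chaining query (added example; not libabac or ORCA code).

A credential is (head, body). head is a role (issuer, name); body is one of
  ("entity", E)           A.r <- E          "A says: E has role r"
  ("role", (B, s))        A.r <- B.s        "A accepts the members of B.s"
  ("linked", (B, s, t))   A.r <- (B.s).t    "A accepts t from anyone in B.s"
Signature checks on the X.509 attribute certs are assumed done beforehand.
"""

def says(a, r, e):         return ((a, r), ("entity", e))
def includes(a, r, b, s):  return ((a, r), ("role", (b, s)))
def linked(a, r, b, s, t): return ((a, r), ("linked", (b, s, t)))

# Object policy templates: A = server, C = command, X = object placeholder.
# The guard is a predicate on the object used for conditional filtering.
OBJECT_TEMPLATES = [
    (None,   linked("A", "C*_X", "A", "sa",   "C*_X")),       # SA as capability root
    (None,   linked("A", "C*_X", "A", "C*_X", "C*_X")),       # capability delegation
    (None,   linked("A", "C_X",  "A", "C*_X", "C_X")),        # capability confinement
    (None,   includes("A", "C_X", "A", "C*_X")),              # holders of C*_X get C_X
    (None,   linked("A", "C_X",  "A", "C_X",  "speaksFor")),  # proxied user agents
    ("geni", includes("A", "C_X", "A", "gmoc")),              # GMOC "kill switch"
]

def instantiate(templates, server, command, obj, obj_attrs):
    """Step 1: substitute server/command/object for A/C/X.
    Step 2: conditional filtering drops guarded rules the object does not satisfy."""
    def ent(e): return server if e == "A" else e
    def role(r): return r.replace("C", command).replace("X", obj) if r.startswith("C") else r
    creds = []
    for guard, ((a, r), (kind, body)) in templates:
        if guard is not None and guard not in obj_attrs:
            continue
        if kind == "entity":
            body = ent(body)
        elif kind == "role":
            body = (ent(body[0]), role(body[1]))
        else:
            body = (ent(body[0]), role(body[1]), role(body[2]))
        creds.append(((ent(a), role(r)), (kind, body)))
    return creds

def infer(creds):
    """Least fixpoint of role membership: {role: frozenset(entities)}."""
    m = {}
    changed = True
    while changed:
        changed = False
        for head, (kind, body) in creds:
            if kind == "entity":
                new = {body}
            elif kind == "role":
                new = set(m.get(body, ()))
            else:
                b, s, t = body
                new = set()
                for k in m.get((b, s), ()):
                    new |= m.get((k, t), set())
            cur = m.setdefault(head, set())
            if not new <= cur:
                cur |= new
                changed = True
    return {role: frozenset(ms) for role, ms in m.items()}

def authorized(creds, server, command, obj, entity):
    """The query from the slides: is E a member of A.C_O in this context?"""
    return entity in infer(creds).get((server, f"{command}_{obj}"), frozenset())

def trust_structure(am, member):
    """AM-side trust rules from the trust-structure slide (sample names)."""
    return [
        includes(am, "registry", member, "registry"),     # AM_M.registry <- M.registry
        linked(am, "member", am, "registry", "member"),   # AM.member <- (AM.registry).member
        linked(am, "sa", am, "member", "sa"),             # AM.sa <- (AM.member).sa
    ]

# Constructed query context for server "A", command "join" on geni slice "s1".
CONTEXT = (
    instantiate(OBJECT_TEMPLATES, "A", "join", "s1", {"geni"})
    + trust_structure("A", "M")
    + [
        says("M", "registry", "R"),      # member domain M recognizes registry R
        says("R", "member", "M"),        # registry recognizes M as a member
        says("M", "sa", "SA1"),          # M endows local actor SA1 with rank sa
        says("SA1", "join*_s1", "U1"),   # SA grants owner U1 a delegable capability
        says("U1", "join*_s1", "U2"),    # U1 delegates the capability to U2
        says("U2", "join_s1", "U3"),     # U2 confines: U3 gets the permission only
        says("U3", "join_s1", "U4"),     # U3 tries to pass it on: not honoured
        says("U3", "speaksFor", "P"),    # proxy agent P speaks for U3
        says("A", "gmoc", "GMOC"),       # A endorses the GMOC entity
    ]
)

if __name__ == "__main__":
    for e in ["U1", "U2", "U3", "U4", "P", "GMOC", "SA1"]:
        print(e, authorized(CONTEXT, "A", "join", "s1", e))
```

Running it shows each policy line doing its job: U1 and U2 reach A.join_s1 through the SA root and one delegation step, U3 reaches it through confinement but cannot pass it on to U4 because U3 never enters A.join*_s1, the proxy P is admitted only through U3's speaksFor, and GMOC is admitted by the kill-switch rule. Instantiating the same templates for an object without the geni attribute drops that last rule, which is the conditional-filtering step of template generation.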

Conclusion

• More info: see the "geni-abac" doc.

• ORCA integration for ABAC is ongoing.
  – ABAC/libabac vetted
  – implementation/policy mapped
  – foundation in place
  – trust structure, speaksFor, templates

• Key focus: context indexing/transfer/union.

• Thanks to NSF CNS-0910653
  – Trustworthy Virtual Cloud Computing