1 / 14

ABAC: An ORCA Perspective GEC 11

ABAC: An ORCA Perspective GEC 11. Jeff Chase Duke University. Thanks : NSF TC CNS-0910653. A simple example. ABAC inference engine. attributes + capabilities. authorization policies. Query A.C O E?. Request Command C on Object O. Client E. Server A. query context.

stamos
Télécharger la présentation

ABAC: An ORCA Perspective GEC 11

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. ABAC: An ORCA Perspective GEC 11 Jeff Chase Duke University Thanks: NSF TC CNS-0910653

  2. A simple example ABAC inference engine attributes + capabilities authorization policies Query A.COE? Request Command C on Object O Client E Server A query context

  3. ABAC: facts and rules A.r  {E} “A says:” “These entities {E} have the role r.” A.r  (A.k).r “If my king decrees E has role r, then I accept it.” “A believes:” These are X.509 certificates (credentials) signed by A.

  4. A simple example ABAC inference engine attributes + capabilities authorization policies Query A.COE? Request Command C on Object O Client E Server A query context Implementation question: what credentials are gathered into the query context? How are they passed, stored, and indexed?

  5. Context flow ABAC inference engine trust anchors operator attributes + capabilities authorization policies Query A.COE? Request Command C on Object O Client E Server A query context user delegation credential set for C A’s policies for O Context transfer credential set context store context store

  6. Trust sources / anchors user logon user certs Actor Registry Identity Provider Slice Authority Identity Portal server/entity endorsements and roles identity attributes capability attributes user credentials slice credentials (global objects) These certs are X.509 attribute certificates representing facts about subject roles and rules governing how entities may delegate their roles.

  7. How contexts are made IdP User SA Registry, etc. actor context user context user+slice context Client credential set Server query context server trust policy slice policy slice policy template A.C*O(A.sa).C*O A.C*O(A.C*O).C*O A.CO(A.CO).speaksFor geni(x): A.COA.gmoc generation

  8. Object policy templates A.C*X(A.sa).C*X A.C*X(A.C*X). C*X A.CX(A.C*X). CX A.CXA.C*X A.CX(A.CX).speaksFor geni(x): A.CXA.gmoc • Substitute O for X • Conditional filtering generation A.C*O(A.sa).C*O A.C*O(A.C*O). C*O A.CO(A.C*O). CO A.COA.C*O A.CO(A.CO).speaksFor A.COA.gmoc Templating enables “RT1-Lite” and “RT2-Lite”.

  9. Authorization policy for slices SA as capability root A.C*O(A.sa).C*O Capability delegation A.C*O(A.C*O). C*O A.COA.C*O Capability confinement A.CO(A.C*O). CO Proxied user agents A.CO(A.CO).speaksFor GMOC “kill switch” A.COA.gmoc

  10. ABAC trust structures • Key elements of CF are merely endorsing entities that produce/consume certs. • Examples: slice authority, management authority, identity provider, registry. • Every server has local policies for whose endorsements it trusts or requires. • ABAC can specify these structures declaratively. • These rules may also empower specially privileged entities. • SliceTracker, GMOC

  11. ORCA Testbed: Trust Structure SM SM SM M.registryR R.memberM R.classnM AMM.registryM.registry SMM.registryM.registry M.ranknSMi M.saSMi B AM R Member AM.broker(AM.registry).broker AM.member(AM.registry).member AM.classn(AM.registry).classn … AM.sa(AM.member).sa AM.rankn(AM.member).rankn … AM

  12. ORCA Testbed: Trust Structure SM SM SM Members recognize registry M.registryR Registry recognizes members class A, class B, class C,… R.memberM R.classnM Actors in member domains recognize registry AMM.registryM.registry SMM.registryM.registry Member domain admin endows local actors with ranks/privileges M.ranknSMi M.saSMi B AM R Member AM

  13. ORCA Testbed: Trust Structure SM SM SM B AMs accept registry-endorsed broker(s) AM.broker(AM.registry).broker AM recognizes members AM.member(AM.registry).member AM.classn(AM.registry).classn … AM recognizes actor ranks/privileges assigned by members AM.sa(AM.member).sa AM.rankn(AM.member).rankn … AM R Member AM

  14. Conclusion • More info: see the “geni-abac” doc. • ORCA integration for ABAC is ongoing. • ABAC/libabac vetted • implementation/policy mapped • foundation in place • trust structure, speaksFor, templates • Key focus: context indexing/transfer/union. • Thanks to NSF CNS-0910653 • Trustworthy Virtual Cloud Computing

More Related