50 likes | 188 Vues
SFA and ABAC. Andy Bavier, David Cheperdak , Rick McGeer. Key Points. Prototype of ABAC – SFA integration Working to incorporate into SFA mainline Plan to deploy on GENICloud OK to support it on PlanetLab Wait for admin, user tool support Not pushing for this. ABAC – SFA Integration.
E N D
SFA and ABAC Andy Bavier, David Cheperdak, Rick McGeer
Key Points • Prototype of ABAC – SFA integration • Working to incorporate into SFA mainline • Plan to deploy on GENICloud • OK to support it on PlanetLab • Wait for admin, user tool support • Not pushing for this
ABAC – SFA Integration • Work by David Cheperdak at UVic • Potential benefits • Easy to set up federation with other aggregates • Specify fine-grained access policies • Separate policy and mechanism in SFA impl. • Auditing of policy decisions • On track to include ABAC as an experimental feature in a future SFA release
ABAC on GENICloud • History of GENICloud: • V1: Eucalyptus • V1.5: PlanetLab • V2: Rebuilding GENICloud using OpenStack • PlanetLab tools to manage physical nodes • OpenStack to manage virtualization • SFA to expose virtual resources • Plan: • Currently down, back up by April 15 • Accept ABAC credentials • Continue to accept “legacy” credentials
ABAC on PlanetLab • We have really simple policies • Not clear that there is a strong case for ABAC • Practical ramifications of a switch unclear • Still trying to understand David’s prototype • Tentatively OK with supporting ABAC if: • Adopted by the GENI community • Good admin tools support for configuring • Good user tools for handling credentials