Sponsored by the National Science Foundation ABAC and GPO Clearinghouse Authorization Marshall Brinn, GPO GEC20: June 22, 2014.
Slide 2: Overview
The GPO Clearinghouse (CHAPI) adheres to the Federation Services API v2
–Including Registry, Member Authority and Slice Authority services
The calls are like AM API calls in that they are:
–Communicated via XMLRPC/SSL
–Authenticated against a set of trust root certs
We use ABAC as the mechanism to authorize calls: specifying policies as well as determining authorization
–This presentation provides some detail on how this works

Slide 3: ABAC Essentials
ABAC (Attribute-based Access Control) provides a mechanism for creating assertions and proving queries against these assertions
In order to authorize calls in CHAPI, we consider two kinds of assertions:
–Attributes: claims about some entity, e.g. “Joe is a member of project FOO”
–Policies: claims about members of sets, e.g. “The lead or admins or members of a given project may create slices in that project”
By gathering and reasoning on proper sets of assertions and policies, we can make authorization decisions
–“May Joe create slices in project FOO?”

Slide 4: ABAC-Guard Authorization
For a given method invocation:
–Determine the “subjects” (unique identities) on which the method seeks to operate (e.g. a list of slices or projects or members)
–Gather the ‘context-free’ assertions about the caller, e.g. “AUTHORITY.IS_OPERATOR <- CALLER”
–For each subject:
 Gather the assertions that are true in the context of that subject, e.g. “AUTHORITY.IS_MEMBER_$SLICE <- CALLER”
 Instantiate the policies for this method and subject
 Try to prove either “AUTHORITY.MAY_$METHOD <- CALLER” or “AUTHORITY.MAY_$METHOD_$SUBJECT <- CALLER”
The call is authorized iff either proof succeeds for each subject

Slide 5: Externalized Policies
CHAPI authorization rules (what policies and attributes to try to assert) are stored externally
–In a set of JSON files that are parsed at service initialization time
We can edit these policies and modify ongoing service behavior
–NOT requiring a restart of the given (MA, SA) service
This capability has been ‘live’ since GEC19.

Slide 6: Example
Consider the SA method create_slice:

    def create_slice(self, credentials, options):

The following JSON represents the ABAC policies applied to authorize an invocation of create_slice:

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [ "ME.IS_$ROLE_$PROJECT<-CALLER" ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"
        ]
    }

Each of the assertions is asserted IF TRUE. Think of the policies as “OR”ed: we seek any path leading to a proof.

Slide 7: Example: Project Member Tries to Create Slice

Slide 8: Editing Policy (from slice_authority_policy.json)
Before the edit:

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [ "ME.IS_$ROLE_$PROJECT<-CALLER" ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"
        ]
    }

After the edit (the IS_MEMBER policy removed):

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [ "ME.IS_$ROLE_$PROJECT<-CALLER" ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT"
        ]
    }

The SA picks up the change without a restart; its log shows:

    INFO:chapi:SA: Policy File Changed: /etc/geni-chapi/slice_authority_policy.json

Slide 9: Before Policy Edit

Slide 10: After Policy Edit

Slide 11: A few details…
Due to ABAC syntax rules, entities are referenced in these ABAC rules by a ‘flattened’ version of their URN, e.g. urn:publicid:IDN+ch.geni.net+user+mbrinn is flattened to urn_publicid_IDN_ch_geni_net_user_mbrinn
Determining the ‘subjects’ of a given call requires searching both:
–the ‘options’ argument (‘match’ and ‘fields’ elements)
–the ‘arguments’ dictionary composed of other API call arguments, e.g. {‘project_urn’ : “urn:publicid:IDN+ch.geni.net+project+MYPROJ”}
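As an added example (not code from the CHAPI project), a minimal Python model of the ABAC-guard procedure from slide 4 applied to the create_slice policy of slides 6 and 8 and the URN flattening of slide 11: it instantiates the $METHOD/$PROJECT placeholders, asserts the caller's roles for each subject, forward-chains the policies, and shows that removing the IS_MEMBER policy denies a plain project member. The caller_roles lookup, the edit_policy helper and the small forward-chaining prover are assumptions standing in for the SA database and the real ABAC prover.

```python
import json
import re

# Constructed copy of the create_slice entry from the slice_authority_policy.json excerpt on the slides
POLICY_JSON = """{ "create_slice": {
  "assertions": ["ME.IS_$ROLE_$PROJECT<-CALLER"],
  "policies": ["ME.MAY_$METHOD<-ME.IS_OPERATOR",
               "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
               "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
               "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"] } }"""

def flatten_urn(urn):
    """Rewrite a URN into the 'flattened' identifier ABAC syntax allows (non-alphanumerics become '_')."""
    return re.sub(r"[^A-Za-z0-9]", "_", urn)

def provable(goal, facts, rules):
    """Forward-chain rules head<-body (anyone in role body is also in role head) to a fixpoint; assumed prover."""
    facts = set(facts)
    while True:
        derived = {head for head, body in rules if body in facts and head not in facts}
        if not derived:
            return goal in facts
        facts |= derived

def edit_policy(policy_json, method, rule):
    """Return the policy file contents with one policy rule removed (the slide-8 edit)."""
    doc = json.loads(policy_json)
    doc[method]["policies"].remove(rule)
    return json.dumps(doc)

def authorize(policy_json, method, caller_roles, subject_urns, is_operator=False):
    """ABAC-guard decision: authorized iff MAY_$METHOD or MAY_$METHOD_$SUBJECT is provable for every subject.
    caller_roles maps a project URN to the caller's roles in it, e.g. {urn: {"MEMBER"}} (stands in for the SA DB)."""
    entry = json.loads(policy_json)[method]
    rules = [tuple(p.replace("$METHOD", method).split("<-")) for p in entry["policies"]]
    base = {"ME.IS_OPERATOR"} if is_operator else set()   # context-free assertion about the caller
    if not subject_urns:                                   # no subjects: only the context-free proof applies
        return provable("ME.MAY_" + method, base, rules)
    for urn in subject_urns:
        subj = flatten_urn(urn)
        facts = set(base)
        for tmpl in entry["assertions"]:                   # asserted only IF TRUE for this caller and subject
            for role in caller_roles.get(urn, ()):
                facts.add(tmpl.split("<-")[0].replace("$ROLE", role).replace("$PROJECT", subj))
        inst = [(h.replace("$PROJECT", subj), b.replace("$PROJECT", subj)) for h, b in rules]
        if not (provable("ME.MAY_" + method, facts, inst)
                or provable("ME.MAY_%s_%s" % (method, subj), facts, inst)):
            return False
    return True
```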

Slide 12: Summary
ABAC is a powerful and efficient mechanism to express and enforce AuthN policies
–Our experience using ABAC in CHAPI has shown that it is sufficiently expressive and performant for our needs
ABAC also allows for a common representation of signed assertions
–Enabling coordinated/distributed policy management by passing assertions among trusted partners
–We encourage others (Services, Aggregates) to explore using ABAC for their respective AuthN needs
For more information about:
–ABAC:
–Federation API:
–GPO Clearinghouse: