Duke Systems: Authorization Framework: Status. Jeff Chase, Duke University.

Presentation transcript:


ABAC in GENI
ABAC is a powerful declarative representation that can capture the GENI authorization/trust model. It saves a lot of code, provides a rigorous foundation, and preserves flexibility for future innovation.
It should be easy for users, although we need some better tools there (e.g., to delegate rights).
Libabac “works off the shelf” (RT0 does; RT2 too).
In progress: policies for safe operational deployment.
New: GEC-12 Auth Session.

End-to-end credential flow (slide diagram). Entities shown: IdP, PA, SA, and a Cloud-Based Credential Store. Steps shown, in order: register user; issue user credentials; create project; issue project x credentials; delegate; create slice in x; issue slice s credentials; create sliver in s.

Policy mobility: a scenario
Request: create sliver for slice SA.s (diagram entities: SA, AM).
SA.creator_s ← T
IdP.geniUser ← T
AM: Anyone can create a sliver for a slice SA.s if s was approved by an SA I trust, and the request conforms to slice policies.
SA: Only the creator of a slice s may create a sliver for s, or a delegate of the creator, subject to the policies of the project that contains the slice.

Multi-federation?
An aggregate (AM) might choose to affiliate with multiple federations.

Multi-federation
To the extent that AMs overlap in the coordination services they affiliate with, those services should work to coordinate them, even if the aggregate’s affiliation is not exclusive.

Multi-federation
Federations may merge or split. There might be multiple instances of each kind of service within a federation. To the extent that AMs affiliate with shared coordination services, those services should work to coordinate those AMs.

I stopped there...the rest is background.

Credential flow with authorization checks (slide diagram)
IdP: Register user. Verify user identity, obtain attributes, check that the user is qualified, execute agreement.
PA: Create project; delegate project membership. Verify that the user is authorized to create the project and act as project leader.
SA: Create slice in x. Verify that project x is valid and the user is authorized to create a slice in project x.
AM: Create sliver in s. Verify that slice s is valid and the user is authorized to request resources for s.
IdP: Identity Provider. PA: Project Authority. SA: Slice Authority.

It’s all about credential flow (slide diagram)
IdP: Register user; user registered; issue user credentials.
PA: Create project; project x created; issue project credentials; delegate (project credentials).
SA: Create slice in x; slice s created; issue slice credentials.
AM: Create sliver in s.


Policy mobility: a scenario
PA: Any approved GENI user who is also a faculty member can create/lead a project. The project leader may delegate membership in the project to any GENI user. Any project member may create a slice for the project.
SA: Anyone can create a slice for a project PA.x if x was approved by a PA I trust, and the request conforms to project policies. Only the creator of a slice s may create a sliver for s, or a delegate of the creator, consistent with project policies.
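The policy-mobility slides above (and the trust-path checking described later under “Declarative trust structure”) can be exercised with a small RT0 evaluator. This is an added example, not code from the slides or from libabac: the principal names (alice, bob, carol, mallory), the role names (leader_x, delegate_x, named_x, trustedSA, sliver_s) and the tuple encoding of credentials are constructed for illustration.

```python
def role_members(creds):
    """Least fixpoint of RT0 role memberships, as {(A, r): set of principals}.
    Each credential is (kind, (A, r), body), read as A.r <- body:
      "member" body="B"; "contain" body=("B", r1); "link" body=("B", r1, r2)
      meaning A.r <- B.r1.r2; "intersect" body=[("B", r1), ("C", r2)]."""
    roles = {}
    get = lambda role: roles.setdefault(role, set())
    changed = True
    while changed:                         # rules are monotone: iterate to a fixpoint
        changed = False
        for kind, head, body in creds:
            before = len(get(head))
            if kind == "member":
                get(head).add(body)
            elif kind == "contain":
                get(head).update(get(body))
            elif kind == "link":           # every p in B.r1 contributes p.r2
                b, r1, r2 = body
                for p in list(get((b, r1))):
                    get(head).update(get((p, r2)))
            elif kind == "intersect":
                get(head).update(set.intersection(*[set(get(r)) for r in body]))
            changed |= len(get(head)) != before
    return roles

def may(creds, principal, role):
    """True iff principal is a member of role under the credential set."""
    return principal in role_members(creds).get(role, set())

# Constructed credentials (all names invented) for the policy-mobility scenario.
GENI = [
    ("member", ("IdP", "geniUser"), "alice"),
    ("member", ("IdP", "geniUser"), "bob"),
    ("member", ("IdP", "faculty"), "alice"),
    # PA: an approved GENI user who is also faculty may lead project x.
    ("intersect", ("PA", "leader_x"), [("IdP", "geniUser"), ("IdP", "faculty")]),
    # PA: a leader may delegate membership in x, but only to GENI users.
    ("link", ("PA", "named_x"), ("PA", "leader_x", "delegate_x")),
    ("intersect", ("PA", "member_x"), [("PA", "named_x"), ("IdP", "geniUser")]),
    ("member", ("alice", "delegate_x"), "bob"),      # alice's own assertion
    ("member", ("alice", "delegate_x"), "mallory"),  # delegated, but no IdP credential
    # SA: any member of project x may create a slice in x; bob created slice s.
    ("contain", ("SA", "slice_creator_x"), ("PA", "member_x")),
    ("member", ("SA", "creator_s"), "bob"),
    # AM: the creator of s (per an SA the AM trusts) or its delegate may add slivers.
    ("member", ("AM", "trustedSA"), "SA"),
    ("link", ("AM", "sliver_s"), ("AM", "trustedSA", "creator_s")),
    ("link", ("AM", "sliver_s"), ("SA", "creator_s", "delegate_s")),
    ("member", ("bob", "delegate_s"), "carol"),
]
```

Note how mallory is named by alice yet never becomes a project member, because PA.member_x intersects the leader’s delegation with IdP.geniUser; the AM’s sliver_s rule reaches bob only through the linked role AM.trustedSA.creator_s, i.e. through an SA the AM has chosen to trust.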

Cloud-based credential storage
Concept: an always-on, highly available credential store. The store is lightly trusted: it cannot forge credentials, but we must trust it not to “forget” them.
– Put issued credentials and policies (certs) in the store.
– Get certs to “cache or check”.
– Pass credentials by reference in a request.
(Diagram: Server, Cert Store.) See also: Conchord, CERTDIST.

GENI trust structure: overview (v1.0)
(Diagram: GENI Operations and Control, CH, AM, users and tools; bidirectional trust based on agreements.)
Principals are users and organizations, and tools or servers acting on their behalf. Users create global slices and request aggregates to bind local resources to those slices.

GENI trust structure: overview (v2.0)
(Diagram: AM, GOC, GMOC, I&M, GENI “clearinghouse”.)
Each of these entities may:
– Speak with its own keypair.
– Wield credentials.
– Produce/consume credentials.
There are limited trust relationships among them. Trust reflects agreements, and is limited by their scope. Credentials capture this trust.
Trust may be transitive. Transitive trust is inferred from facts and policy rules. AMs trust the coordinators, transitively.
Example coordinators: identity and authorization services for a federation.

Declarative trust structure
(Diagram: AM, GOC, GMOC, I&M.)
This is a trust graph.
– Edges represent partial trust by the source entity in the target.
We can capture trust graphs in a delegation logic.
o Some out-edges are facts given by an entity’s local operator.
o The others are inferred locally by applying locally accepted policy rules to facts.
Given a suitable trust management framework, the trust delegations and the policies for inferring trust (by finding trust paths) may be specified declaratively and checked automatically.