Duke Systems
ABAC: An ORCA Perspective
GEC 11
Jeff Chase, Duke University
Thanks: NSF TC CNS
A simple example
Client E → Server A: Request Command C on Object O.
Client side: attributes + capabilities. Server side: authorization policies.
Query: A.C_O ∋ E? (does E hold A's role for command C on object O?)
The ABAC inference engine answers the query over the query context.
ABAC: facts and rules
A.r ← {E}      “A says:” “These entities {E} have the role r.”
A.r ← (A.k).r  “A believes:” “If my king decrees E has role r, then I accept it.”
These are X.509 certificates (credentials) signed by A.
A simple example
Implementation question: what credentials are gathered into the query context? How are they passed, stored, and indexed?
Context flow
Trust anchors → context store (operator) on the client side; context store on the server side.
Client E → Server A: Request Command C on Object O, with a context transfer: credential set, user delegation.
Server A: authorization policies; attributes + capabilities; A’s policies for O; credential set for C; query context.
Query A.C_O ∋ E? is answered by the ABAC inference engine.
Trust sources / anchors
Actor Registry, Identity Provider, Identity Portal, Slice Authority.
User logon; user certs; identity attributes; capability attributes; user credentials; slice credentials; server/entity endorsements and roles.
These certs are X.509 attribute certificates representing facts about subject roles and rules governing how entities may delegate their roles. (global objects)
How contexts are made
Sources: Registry, etc.; IdP; SA.
Contexts: actor context; user context; user+slice context; credential set; server trust policy; slice policy; query context (Client → Server).
Slice policy template generation:
  A.C*_O ← (A.sa).C*_O
  A.C*_O ← (A.C*_O).C*_O
  A.C_O ← (A.C_O).speaksFor
  geni(x): A.C_O ← A.gmoc
Object policy templates generation
Template (object X):
  A.C*_X ← (A.sa).C*_X
  A.C*_X ← (A.C*_X).C*_X
  A.C_X ← (A.C*_X).C_X
  A.C_X ← A.C*_X
  A.C_X ← (A.C_X).speaksFor
  geni(x): A.C_X ← A.gmoc
Generated policy (object O):
  A.C_O ← A.C*_O
  A.C_O ← (A.C_O).speaksFor
  A.C_O ← A.gmoc
  A.C*_O ← (A.sa).C*_O
  A.C*_O ← (A.C*_O).C*_O
  A.C_O ← (A.C*_O).C_O
1. Substitute O for X
2. Conditional filtering
Templating enables “RT1-Lite” and “RT2-Lite”.
Authorization policy for slices
Proxied user agents:      A.C_O ← (A.C_O).speaksFor
GMOC “kill switch”:       A.C_O ← A.gmoc
SA as capability root:    A.C*_O ← (A.sa).C*_O
Capability delegation:    A.C*_O ← (A.C*_O).C*_O;  A.C_O ← A.C*_O
Capability confinement:   A.C_O ← (A.C*_O).C_O
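As an added example (not code from these slides, libabac or ORCA): a minimal RT0-style inference engine for the credential forms on the “ABAC: facts and rules” slide, instantiating the slice policy above for one object and answering the server’s query A.C_O ∋ E?. The tuple encoding of credentials, the entity names (A, SA, GMOC, U, V, W, X, P) and the object name "slice1" are assumptions of the example.

```python
# Credential forms (issuer, role, body); body is ("entity", E) for issuer.role <- E,
# ("role", B, r) for issuer.role <- B.r, or ("linked", B, r1, r2) for issuer.role <- (B.r1).r2.
def _eval(body, memo):
    kind = body[0]
    if kind == "entity":
        return {body[1]}
    if kind == "role":
        return set(memo.get((body[1], body[2]), ()))
    # linked role (B.r1).r2: union of Y.r2 over every Y currently in B.r1
    return set().union(*(memo.get((y, body[3]), ())
                         for y in memo.get((body[1], body[2]), ())))

def members(creds, issuer, role):
    """Least fixpoint: re-apply every credential until no new member appears."""
    memo, changed = {}, True
    while changed:
        changed = False
        for iss, r, body in creds:
            have = memo.setdefault((iss, r), set())
            new = _eval(body, memo) - have
            if new:
                have |= new
                changed = True
    return memo.get((issuer, role), set())

def slice_policy(A, O):
    """Slice policy template instantiated for object O (substitute O for X)."""
    cap, dcap = "C_" + O, "C*_" + O               # plain vs. delegatable capability
    return [
        (A, dcap, ("linked", A, "sa", dcap)),      # SA as capability root
        (A, dcap, ("linked", A, dcap, dcap)),      # capability delegation
        (A, cap, ("role", A, dcap)),               # A.C_O <- A.C*_O
        (A, cap, ("linked", A, dcap, cap)),        # capability confinement
        (A, cap, ("linked", A, cap, "speaksFor")), # proxied user agents
        (A, cap, ("role", A, "gmoc")),             # GMOC "kill switch"
    ]

# Constructed credential set for one object; entity names are placeholders.
SAMPLE_CREDS = slice_policy("A", "slice1") + [
    ("A", "sa", ("entity", "SA")),                 # A's trust anchors
    ("A", "gmoc", ("entity", "GMOC")),
    ("SA", "C*_slice1", ("entity", "U")),          # SA grants U the delegatable capability
    ("U", "C*_slice1", ("entity", "V")),           # U delegates it to V
    ("V", "C_slice1", ("entity", "W")),            # V confines: W gets the plain form only
    ("W", "C_slice1", ("entity", "X")),            # W cannot pass it on: X is not admitted
    ("W", "speaksFor", ("entity", "P")),           # P is a proxy agent acting for W
]

def authorized(creds, A, C, O, E):                 # the server's query A.C_O ∋ E?
    return E in members(creds, A, C + "_" + O)
```

Running `members(SAMPLE_CREDS, "A", "C_slice1")` shows confinement at work: W (holding only C_O) and its proxy P are admitted, while X, whom W tried to delegate to, is not.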
ABAC trust structures
Key elements of CF are merely endorsing entities that produce/consume certs.
– Examples: slice authority, management authority, identity provider, registry.
Every server has local policies for whose endorsements it trusts or requires.
– ABAC can specify these structures declaratively.
These rules may also empower specially privileged entities.
– SliceTracker, GMOC
ORCA Testbed: Trust Structure
Actors: AM, SM, B, R; Member (domain M).
Members recognize registry:                          M.registry ← R
Registry recognizes members (class A, class B, class C, …):  R.member ← M;  R.classn ← M
Actors in member domains recognize registry:         AM.registry ← M.registry;  SM.registry ← M.registry
Member domain admin endows local actors with ranks/privileges:  M.rankn ← SM_i;  M.sa ← SM_i
AMs accept registry-endorsed broker(s):              AM.broker ← (AM.registry).broker
AM recognizes members:                               AM.member ← (AM.registry).member;  AM.classn ← (AM.registry).classn;  …
AM recognizes actor ranks/privileges assigned by members:  AM.sa ← (AM.member).sa;  AM.rankn ← (AM.member).rankn;  …
Conclusion
More info: see the “geni-abac” doc.
ORCA integration for ABAC is ongoing.
– ABAC/libabac vetted
– implementation/policy mapped
– foundation in place – trust structure, speaksFor, templates
Key focus: context indexing/transfer/union.
Thanks to NSF CNS – Trustworthy Virtual Cloud Computing