Presentation is loading. Please wait.

Presentation is loading. Please wait.

D u k e S y s t e m s A Tale of Two Federations Jeff Chase Duke University.

Published byErin Fisher Modified over 9 years ago

Similar presentations

Presentation on theme: "D u k e S y s t e m s A Tale of Two Federations Jeff Chase Duke University."— Presentation transcript:

1 D u k e S y s t e m s A Tale of Two Federations Jeff Chase Duke University

2 IdP.faculty  D SA Reading the slides IdP.student  T GENI users Test Tube Guy and Dr. D, and some of their credentials A coordination service implementing some clearinghouse function, such as a Slice Authority Indicates trust of one principal in another, often associated with some kind of formal agreement: Indicates a request Indicates credential flow A A generic principal AM Aggregate

3 Bidirectional trust based on agreements GENI Federation Oversight GENI trust structure: overview (v1.0) CH AM Users and tools Principals are users and organizations, and tools or servers acting on their behalf. Users create global slices and request aggregates to bind local resources to those slices.

4 GENI trust structure: overview (v2.0) AM GOC Each of these entities may: – Speak with its own keypair. – Wield credentials. There are limited trust relationships among them. Trust reflects agreements, and is limited by their scope. Credentials capture this trust. Trust may be transitive. GMOC I&M IdP PA SA Nothing has really changed, but we have named some of the CH coordination services, and introduced a federation root (GOC) to endorse federation-affiliated services. See the intro slide deck. AMs trust the coordination services, transitively. GENI “clearinghouse”

5 Coordination services GOC We consider three CH coordination services. – IdP: Identity Portal/Provider Register user identities and issue user credentials. – PA: Project Authority Approve projects and issue project credentials. – SA: Slice Authority Approve slices and issue slice credentials. IdP PA SA Note: these coordination services are limited to identity management and authorization. There will likely be others, e.g., for resource control. We’ll also call coordination services coordinators for short. The intro slide deck explains these services and their roles.

6 AM GOC GMOC I&M IdP PA SA AM FIROC GMOC I&M FirIdP FirPA FirSA A Tale of Two Federations Suppose, in the future, GENI wants to federate with, say, FIRE. What are the alternatives? What are the tradeoffs?

7 GOC GMOC I&M IdP PA SA FIROC GMOC I&M FirIdP FirPA FirSA Option 1: indirect delegations The various coordinators can talk to each other to share information and validate one another’s users, projects, slices… If there is no common trust management framework, then this might be the only way to go. But it is brittle, inflexible, and labor-intensive.

8 GOC GMOC I&M IdP PA SA FIROC GMOC I&M FirIdP FirPA FirSA Option 2: root federation Simple, easy. (Just a few rules in ABAC logic.) Given suitable policies that allow such transitive delegations, federations will accept each other’s users, slices, projects, AMs. Drawback: “one size fits all or nothing”. E.g., AMs cannot easily choose to opt out.

9 GOC GMOC I&M IdP PA SA FIROC GMOC I&M FirIdP FirPA FirSA Option 3: selective federation (a) In this example, FIRE accepts users from GENI. A FIRE user may delegate rights for a slice or project to a GENI user, to the extent that per-project or per-slice policies allow it. Of course it works the other way too: GENI could accept users from FIRE just as easily.

10 GOC GMOC I&M IdP PA SA FIROC GMOC I&M FirIdP FirPA FirSA Option 3: selective federation (b) In this example, FIRE accepts users and projects from GENI. A FIRE user may delegate rights for a slice or project to a GENI user, to the extent that per-project or per-slice policies allow it. And a GENI project could create FIRE slices. Of course it works the other way too….

11 GOC GMOC I&M IdP PA SA FIROC GMOC I&M FirIdP FirPA FirSA Option 3: selective federation (c) In this example, FIRE accepts GENI users, projects, and slices. …a GENI project could create FIRE slices, and a GENI slice could allocate resources at FIRE aggregates. Other variations are possible. For example, FIRE could allow GENI slices on its aggregates, but disallow GENI users from creating FIRE slices or operating on FIRE slices.

12 GOC GMOC I&M IdP PA SA AM FIROC GMOC I&M FirIdP FirPA FirSA Option 4: aggregates choose (a) This option offers aggregates more control. In fact, aggregates may join a federation without the other’s knowledge or consent (even if the AMs promise to be faithful).

13 GOC GMOC I&M IdP PA SA AM FIROC GMOC I&M FirIdP FirPA FirSA Option 4: aggregates choose (b) An AM may choose whose users, projects, and/or slices to accept. In fact, aggregates can accept users, projects, slices without the federation’s knowledge or endorsement. This will happen. Some aggregates won’t care about projects, slice credentials, and all that GENI stuff. (Think about EC2.)

14 The view from an AM AM To an aggregate, the world is (has) a cloud of coordinators that the aggregate might choose to accept, or not. EC2 only cares about VISA and MasterCard.

15 The view from an AM AM Some coordinators are part of a federation, which is just a convenient grouping of services for an AM to accept as a bundle. The AM may even accept them without joining the federation.

16 Joining a federation AM The federation might place some trust in the AM as well, e.g., to treat users and their slices properly and report events. The AM must join the federation and enter into an agreement. The federation endorses the AM and advertises it to users.

17 The limits of federation power AM But a federation cannot use the authorization framework to enforce its trust in an AM. A federation can make everyone promise to be faithful, but it can’t prevent anyone from interacting beyond the scope of their agreements with the federation. GOC A federation can give its members and partners a basis for deciding whether to trust one another. But it can’t stop its users from going to any AM they want, and it can’t stop unaffiliated AMs from allocating resources to “its” users and slices. It’s an accountability problem: authorization won’t help.

18 The limits of federation power Not to belabor the point, but let’s be sure we’re clear on this. Suppose TTG requests a createSliver on an AM that has not entered into any agreement with GOC, and is not endorsed by GOC. AM Create sliver for slice s There is nothing that can be done to stop this rogue AM from creating a sliver and “saying” it is part of the slice s (or not). We can only deny this phishing AM the credentials it needs to convince others to believe it and encourage users to use it. The good news is that we can rely on “good” AMs to check compliance with coordinator policies. It doesn’t make us any less safe: compliance is “voluntary” no matter who checks it. But we can hold the “good” AMs accountable.

19 AM-centric view of coordination AM So, in general, the AMs are always in control. They choose their own policies, and any surrender of sovereignty to a Federation is voluntary, or induced by socio-political factors outside the trust structure. Therefore, we should design coordinators that leave AMs free to choose from the menu of services available. To the extent that AMs choose the same coordinators, they should work.

20 Multi-federation? AM An aggregate might choose to affiliate with multiple federations.

21 Multi-federation AM To the extent that AMs overlap in the coordination services they affiliate with, those services should work to coordinate them… …even if the aggregate’s affiliation is not exclusive.

22 Multi-federation AM Federations may merge or split. There might be multiple instances of each kind of service within a federation. To the extent that AMs affiliate with shared coordination services, those services should work to coordinate those AMs.

23 Declarative trust management Every picture in this slide deck is a trust graph. – The vertices are principals. – The edges represent trust: directed delegation of partial trust from one principal to another. We can specify all of these trust structures rigorously using a delegation logic. We can implement and deploy them using an off-the- shelf PKI-based trust management framework. – ISI libabac for RT0 role-based trust logic (“ABAC”) – Deploy new authorization policies and trust structures without changing the code. – Evolve them according to events at the socio-political layer.

Download ppt "D u k e S y s t e m s A Tale of Two Federations Jeff Chase Duke University."

Similar presentations

D u k e S y s t e m s Foundations of a Future Inter-Cloud Architecture Jeff Chase Duke University / RENCI.

D u k e S y s t e m s Foundations of a Future Inter-Cloud Architecture Jeff Chase Duke University / RENCI.
FIBRE-BR Meeting GENI I&M Marcelo Pinheiro. Agenda GENI Overview GENI User groups GENI I&M Use Cases GENI I&M Services.

FIBRE-BR Meeting GENI I&M Marcelo Pinheiro. Agenda GENI Overview GENI User groups GENI I&M Use Cases GENI I&M Services.
Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.

Operating Systems Lecture Notes Deadlocks Matthew Dailey Some material © Silberschatz, Galvin, and Gagne, 2002.
D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.

D u k e S y s t e m s Some tutorial slides on ABAC Jeff Chase Duke University.
Chapter 7 Structuring System Process Requirements

Chapter 7 Structuring System Process Requirements
COMP 208/214/215/216 – Lecture 5 Presentation Skills.

COMP 208/214/215/216 – Lecture 5 Presentation Skills.
Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.

Sponsored by the National Science Foundation Campus Policies for the GENI Clearinghouse and Portal Sarah Edwards, GPO March 20, 2013.
D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.

D u k e S y s t e m s Authorization Framework: Status Jeff Chase Duke University.
Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski.

Information Sciences Institute Internet and Networked Systems Managing Security Policies for Federated Cyberinfrastructure Stephen Schwab, John Wroclawski.
Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.
1 CMSC421: Principles of Operating Systems Nilanjan Banerjee Principles of Operating Systems Acknowledgments: Some of the slides are adapted from Prof.

1 CMSC421: Principles of Operating Systems Nilanjan Banerjee Principles of Operating Systems Acknowledgments: Some of the slides are adapted from Prof.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
YAMMER Guidelines for CCAFS Social Learning Group* *Based on CGIAR Master Guidelines.

YAMMER Guidelines for CCAFS Social Learning Group* *Based on CGIAR Master Guidelines.
Norm Theory and Descriptive Translation Studies

Norm Theory and Descriptive Translation Studies
Mediation Information Role Play Case Study. Goals Studying mediation helps you understand that disputes can be resolved successfully without courts or.

Mediation Information Role Play Case Study. Goals Studying mediation helps you understand that disputes can be resolved successfully without courts or.
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.

FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Chapter 7 Structuring System Process Requirements

Chapter 7 Structuring System Process Requirements
D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

D u k e S y s t e m s Accountability and Authorization GEC 12 Jeff Chase Duke University Thanks: NSF TC CNS
D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS-0910653.

D u k e S y s t e m s Building the GENI Federation with ABAC: Going Deeper Jeff Chase Duke University Thanks: NSF TC CNS
External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

External Identity and Authorization in GENI. Topics Federated identity and virtual organizations ABAC Creating and transporting attributes.

Similar presentations

Ads by Google