Sponsored by the National Science Foundation

Distributed Identity & Authorization Mechanisms
Spiral 2 Year-end Project Review
SPARTA, Inc.
PI: Stephen Schwab
Staff: Jay Jacobs
August 31, 2010
Project Summary

Development and prototyping of a set of Distributed Authorization & Identity Mechanisms for use in and among GENI control frameworks and aggregates. The work leverages previous seminal work in distributed authorization policy funded by DARPA under the Attribute Based Access Control (ABAC) project.

Attributes are published as cryptographically-signed credentials by multiple parties. Requestors (GENI users) provide sufficient attributes to allow an Authorizing Party (GENI control framework, aggregate, etc.) to combine the user's attributes with other locally specified or cached attributes and make a Boolean authorization decision.

The overarching goal is to provide proof-by-demonstration of the feasibility and utility of ABAC authorization for the GENI community, along with software and integration examples that allow others to adopt ABAC for their own use.
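The authorization flow described above, as an added example that is not code from the SPARTA/GENI project: each credential is an RT0-style statement "Issuer.Role <- Member" signed with the issuer's Ed25519 key, the authorizing party (here a hypothetical aggregate manager "AM") verifies every credential against the issuer keys it trusts, discards anything it cannot verify, and then combines its locally cached policy with the requestor-supplied credentials to reach a Boolean decision. The principal names, roles and the use of Ed25519 rather than X.509 are assumptions made for this illustration; the real ABAC credentials handled by the project are X.509-based.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// Credential is a simplified RT0-style statement "Issuer.Role <- Member".
// Member is either a principal name ("alice") or another role ("UnivA.faculty"),
// in which case every member of that role also holds Issuer.Role.
type Credential struct {
	Issuer string
	Role   string
	Member string
	Sig    []byte
}

// payload is the byte string covered by the issuer's signature.
func (c Credential) payload() []byte {
	return []byte(c.Issuer + "." + c.Role + " <- " + c.Member)
}

// Issue creates a credential and signs it with the issuer's private key.
func Issue(issuer, role, member string, priv ed25519.PrivateKey) Credential {
	c := Credential{Issuer: issuer, Role: role, Member: member}
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// Authorize verifies each credential against the public key of the issuer it
// claims, drops forged or unknown-issuer credentials, computes role membership
// by fixpoint over the remaining ones and returns whether requester holds
// authorizer.role.
func Authorize(known map[string]ed25519.PublicKey, creds []Credential, requester, authorizer, role string) bool {
	var valid []Credential
	for _, c := range creds {
		pub, ok := known[c.Issuer]
		if !ok || !ed25519.Verify(pub, c.payload(), c.Sig) {
			continue // unknown issuer or bad signature: ignore, never trust
		}
		valid = append(valid, c)
	}
	members := map[string]map[string]bool{} // "Issuer.Role" -> set of principals
	add := func(r, p string) bool {
		if members[r] == nil {
			members[r] = map[string]bool{}
		}
		if members[r][p] {
			return false
		}
		members[r][p] = true
		return true
	}
	for changed := true; changed; {
		changed = false
		for _, c := range valid {
			r := c.Issuer + "." + c.Role
			if strings.Contains(c.Member, ".") {
				for p := range members[c.Member] { // role-to-role delegation
					if add(r, p) {
						changed = true
					}
				}
			} else if add(r, c.Member) { // direct membership
				changed = true
			}
		}
	}
	return members[authorizer+"."+role][requester]
}

// demo builds a constructed scenario: three trusted issuers, a locally cached
// policy at the aggregate manager, credentials carried by the requester, and
// one forged credential. It returns the decisions for the honest requester
// and for the forger.
func demo() (granted, forgedGranted bool) {
	keys := map[string]ed25519.PrivateKey{}
	known := map[string]ed25519.PublicKey{}
	for _, p := range []string{"AM", "GENI", "UnivA"} {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		keys[p], known[p] = priv, pub
	}
	// Locally specified policy at the authorizing party.
	local := []Credential{Issue("AM", "access", "GENI.researcher", keys["AM"])}
	// Credentials supplied by the requester (issued by other parties).
	supplied := []Credential{
		Issue("GENI", "researcher", "UnivA.faculty", keys["GENI"]),
		Issue("UnivA", "faculty", "alice", keys["UnivA"]),
	}
	all := append(local, supplied...)
	granted = Authorize(known, all, "alice", "AM", "access")
	// A forger signs a "UnivA.faculty <- mallory" statement with her own key.
	_, mkey, _ := ed25519.GenerateKey(rand.Reader)
	forged := Issue("UnivA", "faculty", "mallory", mkey)
	forgedGranted = Authorize(known, append(all, forged), "mallory", "AM", "access")
	return granted, forgedGranted
}

func main() {
	g, f := demo()
	fmt.Println("alice granted:", g, "| mallory (forged credential) granted:", f)
}
```

The decision depends only on credentials whose signatures verify under keys the authorizer already trusts, so a requester can carry any chain of attributes from third parties and the authorizer still cannot be fooled by a statement an untrusted key produced.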
Milestone & QSR Status

S2a: ABAC Requirements for ProtoGENI. Requirements document describing the high-level functions of ABAC and theory of operation, the interface for ProtoGENI integration, and the ABAC web services calls required to support integration. Status: On Time. On Wiki: Yes. GPO signoff: ?

S2b: DIAC prototype software design and interfaces v1.0. Document of ABAC web service interfaces, along with parameters and example calling sequences for using the service. Status: On Time. On Wiki: Yes. GPO signoff: ?

S2c: V1.0 software for supporting ABAC mechanisms within ProtoGENI. Delivered software (distribution available on wiki page), as well as integration with the ProtoGENI ReferenceCM from Utah. Short demonstration presented to GPO SE at GEC. Status: On Time. On Wiki: Yes. GPO signoff: ?

QSR 4Q2009: Done, On Time, On Wiki: Yes
QSR 1Q2010: Done, On Time, On Wiki: Yes
QSR 2Q2010: Done, On Time, On Wiki: Yes
Accomplishments 1: Advancing GENI Spiral 2 Goals

Both interoperability and identity management are important goals for Spiral 2. GENI is moving toward a cross-cluster, multiple control framework federation in which any resource (aggregate manager, network link, instrumentation & measurement infrastructure) should be available to any GENI researcher, regardless of which 'front door' they use to access GENI.

– ABAC has taken a step (albeit a small one) in showing how distributed authorization may be used to help different parts of a GENI cluster secure their APIs using attributes supplied by both the requestor and the authorizing party. In principle, these attributes can be transferred across the boundaries between GENI clusters, moving the entire system in the direction of "Universal Access" and interoperability; that is, the ABAC services set the stage for controlled sharing of resources across GENI.

While ABAC does not directly support identity management, the prototyping work and the conversations surrounding it have helped to stimulate and motivate discussions of how identity providers that transcend a single control framework may be introduced within GENI.

– In particular, we believe the Shibboleth/InCommon federated identity is only a step away from allowing authorization policies to be expressed, by any GENI entity, about individuals and groups in the InCommon universe.
Accomplishments 2: Other Project Accomplishments

The ProtoGENI ReferenceCM is an example of an aggregate/component manager that provides the API used within ProtoGENI. By exercising the interfaces and implementation, the ABAC work helped to shake down many small problems with X.509 certificates between ProtoGENI and our ABAC implementation.

– While painful, this debugging will hopefully make it quicker and easier to avoid or resolve X.509 certificate problems when the ReferenceCM is used by others in the future.

– Multiple languages (C/C++, Python, Perl, Java, etc.) have a place in GENI. This work involved Java-based handling of GENI credentials.
Issues

The ProtoGENI cluster is large, and its staff are hard-pressed to integrate everything. Other clusters (control frameworks) are at similar stages, although ProtoGENI may be the most overloaded right now.

ABAC's original implementation was quite complex and difficult to modify for use in GENI. We have moved to a new ABAC implementation within DETER, rewritten from scratch on open-source libraries.

– We anticipate jumping to this new and improved ABAC implementation.

– We may reuse the ABAC Web Services API or other pieces if they prove useful for integration with various control frameworks/aggregates.
Plans

What are your plans for the remainder of Spiral 2?

One last set of milestones (software update, design/interface document) remains for 9/24/2010. Given limited remaining Spiral 2 funds, we will do a minimal update to the software, ensuring that it is easy to install and to run the example test cases. The design/interface document will be updated to be consistent with, or to highlight differences between, the old and new ABAC implementations.

The GPO is starting to formulate goals for Spiral 3. What are your thoughts regarding potential Spiral 3 work?

ORCA remains an important control framework cluster for prototyping.

– Work with ORCA to integrate ABAC into their identity & authorization system.

E-GENI OpenFlow / FlowVisor / Aggregate Manager

– The E-GENI suite of software is reaching (or close to reaching) a stable enough point that introducing distributed authorization makes sense; we could work with E-GENI to pursue this direction.