This deck explains how Attribute-Based Access Control (ABAC) coordinates distributed authorization for slice creation across three parties: TIED (the resource provider), GENI (the coordinator and certifier), and the researcher Alex. The recurring theme is that TIED keeps its local ABAC policy unchanged, shares the attributes it knows, discovers changes in partner policy at proof time, and coordinates with new partners. GENI defines attributes for groups of users and publishes facts about them; TIED incorporates GENI's facts into its local policy so that authorization is delegated. Scenarios with Alex, Bob, and Chloe show how the ABAC prover negotiates and fetches missing credentials to grant slice-creation access, and why sharing credentials rather than rewriting policy keeps the coordination manageable.
Authorizing Slice Creation: How ABAC Coordinates Distributed Authorization. Alefiya Hussain, alefiya.hussain@sparta.com
TIED Joins GENI. How does TIED get to know GENI users? • Keeping the local ABAC policy unchanged (one of many possible approaches) • Sharing known attributes • Discovering partner policy changes • Coordinating with new partners
The Players. TIED, the resource owner, provides equipment and establishes high-level policies for its utilization. GENI, the coordinator/certifier, asserts attributes for these new principals. Alex, the researcher, received a GENI award and wants to use the substrate for experiments.
The Players: GENI, TIED, Alex. GENI defines various attributes to manage groups of people: it defines groups such as researchers, gradStudents, vendors, and publishes facts about them. One such fact: Alex is a GENI researcher.
The Players: GENI, TIED, Alex. TIED learns about GENI's facts and incorporates them into its local authorization policy. So TIED publishes a fact: all GENI researchers can create slices on TIED. By doing so it delegates some control over its resources to GENI.
The Players: GENI, TIED, Alex Alex learns he needs to identify himself as a researcher to create a slice
ABAC Enables the Players. TIED local policy: if you are a GENI researcher, you can create a slice, written as TIED.createSlice ← GENI.researcher and held by the ABAC engine in the TIED Slice Manager. GENI welcome package: a researcher credential, GENI.researcher ← Alex, is sent to Alex. Alex: I want to create a slice.
ABAC Negotiation Grants Access. 1. Alex sends the request to the TIED Slice Manager with his credential and key. 2. ABAC constructs the proof: TIED.createSlice ← GENI.researcher; GENI.researcher ← Alex. Alex is therefore a member of TIED.createSlice, and TIED grants access.
Summary: Alex creates a slice. GENI added Alex to its researcher attribute; TIED used GENI's credential (GENI.researcher) to authorize him to create a slice.
GENI expands its attribute space • Keeping the local ABAC policy unchanged • Sharing known attributes • Discovering partner policy changes • Coordinating with new partners
The Players: GENI, TIED, Bob. GENI decides gradStudents are also a kind of researcher, so GENI publishes a new fact: all gradStudents are also researchers.
The Players: GENI, TIED, Bob. Policy at TIED does not change: TIED.createSlice ← GENI.researcher. TIED is unaware of the change.
The Players: GENI, TIED, Bob • Bob identifies himself as a gradStudent to TIED
ABAC Enables the Players. TIED policy: TIED.createSlice ← GENI.researcher. Bob: I want to create a slice (presenting GENI.gradStudent ← Bob). The GENI Registry holds GENI.researcher ← GENI.gradStudent.
TIED discovers credentials. 1. Bob: I want to create a slice (GENI.gradStudent ← Bob). 2. ABAC proof construction fails: TIED.createSlice ← GENI.researcher; ? ; GENI.gradStudent ← Bob. TIED needs more information from GENI.
TIED discovers credentials. 3. TIED asks the GENI Registry: is Bob a researcher? 4. GENI: I don't know, but here are some relevant credentials: GENI.researcher ← GENI.gradStudent. 5. ABAC constructs the proof: TIED.createSlice ← GENI.researcher; GENI.researcher ← GENI.gradStudent; GENI.gradStudent ← Bob. TIED grants access.
Summary: Bob creates the slice! • No policy impact on the resource provider • TIED, the resource provider, learned the relevant information from the external certifier at proof time
GENI Coordinates with the NSF • Keeping the local ABAC policy unchanged • Sharing known attributes • Discovering partner policy changes • Coordinating with new partners
Chloe wants to create a slice • Chloe is an NSF NeTS FIND researcher
The Players: NSF, GENI, TIED, Chloe. NSF makes each program initiative a principal (FIND, CISE) and assigns each initiative a program attribute: NSF.program ← FIND. Each initiative defines its own attribute space, in particular its researcher attribute: FIND.researcher ← Chloe.
The Players: NSF, GENI, TIED, Chloe. GENI and NSF negotiate and decide to treat all NSF program researchers as GENI researchers, so GENI publishes a new fact: all NSF program researchers are also GENI researchers. This is expressed as a linked credential, GENI.researcher ← NSF.program.researcher, meaning anyone who holds the researcher attribute of any principal that NSF has marked as a program.
The Players: NSF, GENI, TIED, Chloe • TIED has no policy changes • Chloe identifies herself as a FIND researcher to TIED
ABAC Enables the Access. 1. Chloe: I want to create a slice (presenting FIND.researcher ← Chloe and NSF.program ← FIND). 2. ABAC proof construction fails: TIED.createSlice ← GENI.researcher; ? ; NSF.program ← FIND; FIND.researcher ← Chloe. TIED needs more information from GENI.
ABAC Enables the Access. 3. TIED asks GENI: do you know the NSF? 4. GENI: yes, here are some relevant credentials: GENI.researcher ← NSF.program.researcher. 5. ABAC constructs the proof: TIED.createSlice ← GENI.researcher; GENI.researcher ← NSF.program.researcher; NSF.program ← FIND; FIND.researcher ← Chloe. TIED grants access.
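The three negotiations in this deck (Alex's direct membership, Bob's containment via the GENI registry, and Chloe's linked-role chain) as one added worked example in Python. This is not code from the deck or from the ABAC implementation it describes: it is a minimal RT0-style backward-chaining prover. The ASCII "<-" stands in for the deck's arrow; the `Cred`, `prove` and `authorize` names, the credential lists, and the discovery rule (when a proof fails, the provider pulls published credentials from every issuer already named, a simplification of the deck's "ask GENI") are all assumptions constructed for this example. Credential signatures and transport are omitted.

```python
"""RT0-style ABAC prover for the slice-creation scenarios (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Cred:
    """Credential 'head <- body', issued by head's principal (assumed syntax).

    body is a principal ('Alex'), a role ('GENI.gradStudent') or a linked
    role ('NSF.program.researcher': the researchers of every NSF program).
    """
    head: str
    body: str

    @property
    def issuer(self) -> str:
        return self.head.split(".")[0]

    def __str__(self) -> str:
        return f"{self.head} <- {self.body}"


def cred(text: str) -> Cred:
    """Parse 'A.r <- X'; '<-' replaces the deck's arrow."""
    head, body = (part.strip() for part in text.split("<-"))
    return Cred(head, body)


def principals_named(creds: List[Cred]) -> List[str]:
    """Every principal that issues or is mentioned by some credential."""
    return sorted({c.issuer for c in creds} | {c.body.split(".")[0] for c in creds})


def prove(role: str, principal: str, creds: List[Cred],
          _seen: frozenset = frozenset()) -> Optional[List[Cred]]:
    """Backward-chain from role to principal; return the proof chain or None.

    _seen stops cycles such as A.r <- B.s together with B.s <- A.r.
    """
    goal = (role, principal)
    if goal in _seen:
        return None
    seen = _seen | {goal}
    for c in creds:
        if c.head != role:
            continue
        parts = c.body.split(".")
        if len(parts) == 1:                       # A.r <- D       (membership)
            if parts[0] == principal:
                return [c]
        elif len(parts) == 2:                     # A.r <- B.r1    (containment)
            sub = prove(c.body, principal, creds, seen)
            if sub is not None:
                return [c] + sub
        elif len(parts) == 3:                     # A.r <- B.r1.r2 (linked role)
            link_role = f"{parts[0]}.{parts[1]}"
            for x in principals_named(creds):     # candidates for B.r1
                via = prove(link_role, x, creds, seen)
                if via is None:
                    continue
                rest = prove(f"{x}.{parts[2]}", principal, creds, seen)
                if rest is not None:
                    return [c] + via + rest
    return None


def authorize(requester: str, presented: List[Cred], local_policy: List[Cred],
              registries: Dict[str, List[Cred]],
              target: str = "TIED.createSlice") -> Tuple[Optional[List[str]], List[str]]:
    """Provider-side check with credential discovery (assumed discovery rule).

    Try local policy plus the presented credentials; when no proof exists,
    fetch the published credentials of every issuer already named and retry.
    Returns (proof as strings, or None on denial; registries consulted).
    """
    have = list(local_policy) + list(presented)
    consulted: List[str] = []
    while True:
        proof = prove(target, requester, have)
        if proof is not None:
            return [str(c) for c in proof], consulted
        new = []
        for issuer in principals_named(have):
            if issuer in registries and issuer not in consulted:
                consulted.append(issuer)
                new += [c for c in registries[issuer] if c not in have]
        if not new:                               # nobody left to ask: deny
            return None, consulted
        have += new


# Constructed credentials mirroring the deck's scenarios.
TIED_POLICY = [cred("TIED.createSlice <- GENI.researcher")]   # never changes
GENI_REGISTRY = {"GENI": [cred("GENI.researcher <- GENI.gradStudent"),
                          cred("GENI.researcher <- NSF.program.researcher")]}
ALEX = [cred("GENI.researcher <- Alex")]                      # welcome package
BOB = [cred("GENI.gradStudent <- Bob")]
CHLOE = [cred("FIND.researcher <- Chloe"), cred("NSF.program <- FIND")]

if __name__ == "__main__":
    for who, creds in (("Alex", ALEX), ("Bob", BOB), ("Chloe", CHLOE), ("Dave", [])):
        proof, asked = authorize(who, creds, TIED_POLICY, GENI_REGISTRY)
        print(who, "->", "GRANT" if proof else "DENY", "asked:", asked)
        for step in proof or []:
            print("   ", step)
```

Note that TIED_POLICY is the same single credential in all four runs: Bob and Chloe are admitted only because the prover fetched GENI's newer facts, and the unknown requester Dave is still denied after the same lookup, which is the "no policy impact on the resource provider" property the deck is making.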
Summary • ABAC can express complex relationships between principals • Through principal delegation • Through attribute-based delegation • Local policy at the resource provider need not change • Many entities can coordinate complex policy • The end user is insulated from policy details