
ABAC: An ORCA Perspective GEC 11

Jeff Chase, Duke University. Thanks: NSF TC CNS-0910653.


Presentation Transcript


  1. ABAC: An ORCA Perspective. GEC 11. Jeff Chase, Duke University. Thanks: NSF TC CNS-0910653.

  2. A simple example. [Diagram labels: ABAC inference engine; attributes + capabilities; authorization policies; query A.CO ← E?; request: command C on object O; client E; server A; query context.]

  3. ABAC: facts and rules
     • A.r ← {E}. “A says:” “These entities {E} have the role r.”
     • A.r ← (A.k).r. “A believes:” “If my king decrees E has role r, then I accept it.”
     • These are X.509 certificates (credentials) signed by A.

  4. A simple example. [Diagram labels: ABAC inference engine; attributes + capabilities; authorization policies; query A.CO ← E?; request: command C on object O; client E; server A; query context.]
     Implementation question: what credentials are gathered into the query context? How are they passed, stored, and indexed?

  5. Context flow. [Diagram labels: ABAC inference engine; trust anchors; operator; attributes + capabilities; authorization policies; query A.CO ← E?; request: command C on object O; client E; server A; query context; user delegation; credential set for C; A’s policies for O; context transfer; credential set; context store; context store.]

  6. Trust sources / anchors. [Diagram labels: user logon; user certs; Actor Registry; Identity Provider; Slice Authority; Identity Portal; server/entity endorsements and roles; identity attributes; capability attributes; user credentials; slice credentials (global objects).]
     These certs are X.509 attribute certificates representing facts about subject roles and rules governing how entities may delegate their roles.

  7. How contexts are made. [Diagram labels: IdP; User; SA; Registry, etc.; actor context; user context; user+slice context; client credential set; server query context; server trust policy; slice policy; slice policy template; generation.]
     • A.C*O ← (A.sa).C*O
     • A.C*O ← (A.C*O).C*O
     • A.CO ← (A.CO).speaksFor
     • geni(x): A.CO ← A.gmoc

  8. Object policy templates
     Templates:
     • A.C*X ← (A.sa).C*X
     • A.C*X ← (A.C*X).C*X
     • A.CX ← (A.C*X).CX
     • A.CX ← A.C*X
     • A.CX ← (A.CX).speaksFor
     • geni(x): A.CX ← A.gmoc
     Generation:
     • Substitute O for X
     • Conditional filtering
     Generated policy:
     • A.C*O ← (A.sa).C*O
     • A.C*O ← (A.C*O).C*O
     • A.CO ← (A.C*O).CO
     • A.CO ← A.C*O
     • A.CO ← (A.CO).speaksFor
     • A.CO ← A.gmoc
     Templating enables “RT1-Lite” and “RT2-Lite”.

  9. Authorization policy for slices
     • SA as capability root: A.C*O ← (A.sa).C*O
     • Capability delegation: A.C*O ← (A.C*O).C*O; A.CO ← A.C*O
     • Capability confinement: A.CO ← (A.C*O).CO
     • Proxied user agents: A.CO ← (A.CO).speaksFor
     • GMOC “kill switch”: A.CO ← A.gmoc

  10. ABAC trust structures
     • Key elements of CF are merely endorsing entities that produce/consume certs.
     • Examples: slice authority, management authority, identity provider, registry.
     • Every server has local policies for whose endorsements it trusts or requires.
     • ABAC can specify these structures declaratively.
     • These rules may also empower specially privileged entities.
     • SliceTracker, GMOC

  11. ORCA Testbed: Trust Structure. [Diagram nodes: SM, SM, SM, B, AM, R, Member, AM.]
     • M.registry ← R
     • R.member ← M
     • R.classn ← M
     • AMM.registry ← M.registry
     • SMM.registry ← M.registry
     • M.rankn ← SMi
     • M.sa ← SMi
     • AM.broker ← (AM.registry).broker
     • AM.member ← (AM.registry).member
     • AM.classn ← (AM.registry).classn …
     • AM.sa ← (AM.member).sa
     • AM.rankn ← (AM.member).rankn …

  12. ORCA Testbed: Trust Structure. [Diagram nodes: SM, SM, SM, B, AM, R, Member, AM.]
     • Members recognize registry: M.registry ← R
     • Registry recognizes members (class A, class B, class C, …): R.member ← M; R.classn ← M
     • Actors in member domains recognize registry: AMM.registry ← M.registry; SMM.registry ← M.registry
     • Member domain admin endows local actors with ranks/privileges: M.rankn ← SMi; M.sa ← SMi

  13. ORCA Testbed: Trust Structure. [Diagram nodes: SM, SM, SM, B, AM, R, Member, AM.]
     • AMs accept registry-endorsed broker(s): AM.broker ← (AM.registry).broker
     • AM recognizes members: AM.member ← (AM.registry).member; AM.classn ← (AM.registry).classn …
     • AM recognizes actor ranks/privileges assigned by members: AM.sa ← (AM.member).sa; AM.rankn ← (AM.member).rankn …

  14. Conclusion
     • More info: see the “geni-abac” doc.
     • ORCA integration for ABAC is ongoing.
     • ABAC/libabac vetted
     • implementation/policy mapped
     • foundation in place
     • trust structure, speaksFor, templates
     • Key focus: context indexing/transfer/union.
     • Thanks to NSF CNS-0910653
     • Trustworthy Virtual Cloud Computing
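
The slice authorization policy from slide 9, evaluated over a query context by a small forward-chaining engine. This is an added example, not code from the presentation, ORCA or libabac. It assumes the standard RT0 reading of each rule as `head ← body`; the helper names, entity names and client credential set are constructed for illustration.

```python
from collections import defaultdict

def ent(e): return ("ent", e)                      # head <- E
def role(p, r): return ("role", (p, r))            # head <- P.r
def link(p, r1, r2): return ("link", (p, r1), r2)  # head <- (P.r1).r2

def solve(creds):
    """Least fixpoint: map each role (principal, name) to its member set."""
    members, changed = defaultdict(set), True
    while changed:
        changed = False
        for head, body in creds:
            if body[0] == "ent":
                new = {body[1]}
            elif body[0] == "role":
                new = set(members[body[1]])
            else:  # linked role: union X.r2 over every X already in P.r1
                new = set()
                for x in list(members[body[1]]):
                    new |= members[(x, body[2])]
            if not new <= members[head]:
                members[head] |= new
                changed = True
    return members

def authorized(context, server, role_name, client):
    """Answer the query 'server.role_name <- client?' over a query context."""
    return client in solve(context)[(server, role_name)]

# Server A's policy for object O (the six slide-9 rules) plus its trust anchors.
POLICY = [
    (("A", "sa"), ent("SA")), (("A", "gmoc"), ent("GMOC")),
    (("A", "C*O"), link("A", "sa", "C*O")),       # SA as capability root
    (("A", "C*O"), link("A", "C*O", "C*O")),      # capability delegation
    (("A", "CO"), role("A", "C*O")),
    (("A", "CO"), link("A", "C*O", "CO")),        # capability confinement
    (("A", "CO"), link("A", "CO", "speaksFor")),  # proxied user agents
    (("A", "CO"), role("A", "gmoc")),             # GMOC "kill switch"
]
# Constructed client credential set; all entity names are made up.
CLIENT_CREDS = [
    (("SA", "C*O"), ent("Alice")), (("Alice", "C*O"), ent("Bob")),
    (("Bob", "CO"), ent("Carol")), (("Carol", "speaksFor"), ent("Tool")),
    (("Carol", "CO"), ent("Dave")), (("Mallory", "C*O"), ent("Mallory")),
]

if __name__ == "__main__":
    for e in ["Alice", "Tool", "GMOC", "Dave", "Mallory"]:
        print(e, authorized(POLICY + CLIENT_CREDS, "A", "CO", e))
```

Dave is refused because Carol holds only the confined CO role, and Mallory because her self-issued credential does not chain to A.sa. Dropping one delegation credential from the context silently removes everyone downstream of it, which is why the choice of credentials gathered into the query context matters.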
