
ABAC and GPO Clearinghouse Authorization. Marshall Brinn, GPO. GEC20: June 22, 2014. Sponsored by the National Science Foundation.





2 Overview
The GPO Clearinghouse (CHAPI) adheres to the Federation Services API v2
  – Including Registry, Member Authority and Slice Authority services
The calls are like AM API calls in that they are:
  – Communicated via XMLRPC/SSL
  – Authenticated against a set of trust root certs
We use ABAC as the mechanism to authorize calls: specifying policies as well as determining authorization
  – This presentation provides some detail on how this works

3 ABAC Essentials
ABAC (Attribute-Based Access Control) provides a mechanism for creating assertions and proving queries against these assertions
In order to authorize calls in CHAPI, we consider two kinds of assertions:
  – Attributes: claims about some entity, e.g. “Joe is a member of project FOO”
  – Policies: claims about members of sets, e.g. “The lead or admins or members of a given project may create slices in that project”
By gathering and reasoning on proper sets of assertions and policies, we can make authorization decisions
  – “May Joe create slices in project FOO?”

4 ABAC-Guard Authorization
For a given method invocation:
  – Determine the “subjects” (unique identities) on which the method seeks to operate (e.g. a list of slices or projects or members)
  – Gather the ‘context-free’ assertions about the caller, e.g. “AUTHORITY.IS_OPERATOR <- CALLER”
  – For each subject, gather the assertions that are true in the context of that subject, e.g. “AUTHORITY.IS_MEMBER_$SLICE <- CALLER”
  – Instantiate the policies for this method and subject
  – Try to prove either:
      “AUTHORITY.MAY_$METHOD <- CALLER”
      “AUTHORITY.MAY_$METHOD_$SUBJECT <- CALLER”
The call is authorized iff either proof succeeds for each subject

5 Externalized Policies
CHAPI authorization rules (what policies and attributes to try to assert) are stored externally
  – In a set of JSON files that are parsed at service initialization time
We can edit these policies and modify ongoing service behavior
  – NOT requiring a restart of the given (MA, SA) service
This capability has been ‘live’ since GEC19.

6 Example
Consider the SA method create_slice:

    def create_slice(self, credentials, options):

The following JSON represents the ABAC policies applied to authorize an invocation of create_slice:

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [
            "ME.IS_$ROLE_$PROJECT<-CALLER"
        ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"
        ]
    }

Slide callouts: each entry under "assertions" is asserted IF TRUE; the entries under "policies" should be thought of as “OR”ed, since we seek any path leading to a proof.

7 Example: Project Member Tries to Create Slice

8 Editing Policy (from slice_authority_policy.json)
Before the edit:

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [
            "ME.IS_$ROLE_$PROJECT<-CALLER"
        ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"
        ]
    }

After the edit (the ME.IS_MEMBER_$PROJECT policy removed):

    "create_slice" : {
        "__DOC__" : "Operators, project Leads, members, admins may create slice",
        "assertions" : [
            "ME.IS_$ROLE_$PROJECT<-CALLER"
        ],
        "policies" : [
            "ME.MAY_$METHOD<-ME.IS_OPERATOR",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
            "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT"
        ]
    }

Service log line when the running SA picks up the change:

    INFO:chapi:SA: Policy File Changed: /etc/geni-chapi/slice_authority_policy.json

9 Before Policy Edit

10 After Policy Edit

11 A few details…
Due to ABAC syntax rules, entities are referenced in these ABAC rules by a ‘flattened’ version of their URN, e.g.

    urn:publicid:IDN+ch.geni.net+user+mbrinn -> urn_publicid_IDN_ch_geni_net_user_mbrinn

Determining the ‘subjects’ of a given call requires searching both:
  – the ‘options’ argument (‘match’ and ‘fields’ elements)
  – the ‘arguments’ dictionary composed of other API call arguments, e.g. {‘project_urn’ : “urn:publicid:IDN+ch.geni.net+project+MYPROJ”}
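As an added illustration (not CHAPI's own code) of how the create_slice entry shown in slides 6 and 8 is instantiated and proved, and how the URN flattening from this slide feeds into it: a small forward-chaining prover in Python. The policy text is a constructed copy of the slide's excerpt; the role names passed to authorize() and its signature are assumptions.

```python
import json
import re

# Constructed excerpt mirroring the slide's create_slice entry (not the real CHAPI file)
POLICY_JSON = """{
  "create_slice": {
    "__DOC__": "Operators, project Leads, members, admins may create slice",
    "assertions": ["ME.IS_$ROLE_$PROJECT<-CALLER"],
    "policies": ["ME.MAY_$METHOD<-ME.IS_OPERATOR",
                 "ME.MAY_$METHOD_$PROJECT<-ME.IS_LEAD_$PROJECT",
                 "ME.MAY_$METHOD_$PROJECT<-ME.IS_ADMIN_$PROJECT",
                 "ME.MAY_$METHOD_$PROJECT<-ME.IS_MEMBER_$PROJECT"]
  }
}"""
POLICY = json.loads(POLICY_JSON)   # a live service would re-parse this when the file changes

def flatten_urn(urn):
    """ABAC identifiers cannot carry ':' '+' '.'; replace every non-word char with '_'."""
    return re.sub(r"[^A-Za-z0-9_]", "_", urn)

def instantiate(template, bindings):
    """Substitute $VAR placeholders in a rule or assertion template."""
    for var, value in bindings.items():
        template = template.replace("$" + var, value)
    return template

def authorize(policy, method, subject_urn, caller_roles, is_operator=False):
    """True iff ME.MAY_<method><-CALLER or ME.MAY_<method>_<subject><-CALLER is provable."""
    spec = policy[method]
    subject = flatten_urn(subject_urn)
    facts = set()
    if is_operator:                      # context-free assertion about the caller
        facts.add("ME.IS_OPERATOR<-CALLER")
    for role in caller_roles:            # subject-context assertions, asserted only if true
        for tmpl in spec["assertions"]:
            facts.add(instantiate(tmpl, {"ROLE": role, "PROJECT": subject}))
    rules = [instantiate(p, {"METHOD": method, "PROJECT": subject}) for p in spec["policies"]]
    # Forward-chain: "HEAD<-BODY" fires when BODY<-CALLER is known, yielding HEAD<-CALLER
    changed = True
    while changed:
        changed = False
        for rule in rules:
            head, body = rule.split("<-", 1)
            if body + "<-CALLER" in facts and head + "<-CALLER" not in facts:
                facts.add(head + "<-CALLER")
                changed = True
    goals = {"ME.MAY_%s<-CALLER" % method, "ME.MAY_%s_%s<-CALLER" % (method, subject)}
    return bool(goals & facts)           # any one proof path suffices (policies are OR'ed)
```

Dropping the IS_MEMBER policy line from POLICY, as slide 8 does, is enough to make a caller who is only a project member fail the proof while leads, admins and operators still pass.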

12 Summary
ABAC is a powerful and efficient mechanism to express and enforce AuthN policies
  – Our experience using ABAC in CHAPI has shown that it is sufficiently expressive and performant for our needs
ABAC also allows for a common representation of signed assertions
  – Enabling coordinated/distributed policy management by passing assertions among trusted partners
  – We encourage others (Services, Aggregates) to explore using ABAC for their respective AuthN needs
For more information about:
  – ABAC: http://abac.deterlab.net
  – Federation API: http://groups.geni.net/geni/wiki/CommonFederationAPIv2
  – GPO Clearinghouse: help@geni.net

