geni cloud planetlab sfa
play

GENI Cloud PlanetLab (SFA) ABAC Integration David Cheperdak - PowerPoint PPT Presentation

Sep 04, 2022 •203 likes •403 views

GENI Cloud PlanetLab (SFA) ABAC Integration David Cheperdak djbchepe@cs.uvic.ca November 2 nd to 4 th , 2011 Project Objectives Develop: ABAC based authentication mechanism for PL API specification (including authorization)

  1. GENI Cloud PlanetLab (SFA) ABAC Integration David Cheperdak djbchepe@cs.uvic.ca November 2 nd to 4 th , 2011

  2. Project Objectives • Develop: – ABAC based authentication mechanism for PL – API specification (including authorization) – automated testing framework • Integrate: – libABAC into PlanetLab November 2 nd to 4 th , 2011

  3. Why ABAC? 1. Automate authorization for users 2. Interoperability 3. Automated delegation 4. Automated agents November 2 nd to 4 th , 2011

  4. PlanetLab Configurations 1. 2. EMULAB PLC PLC SM SM SM AM RM RM AM CM CM CM CM CM CM 3. 4. VINI PLC PLC EMULAB SM SM SM AM AM RM AM RM AM CM CM CM CM CM CM CM CM CM CM CM CM November 2 nd to 4 th , 2011

  5. PlanetLab Configurations PLE PLC SM SM RM AM RM AM CRED CRED CM CM CM CM CM CM SM: Slice Manager Color Name Slice Interface RM: Registry Manager Registry Interface AM: Aggregate Manager Management Interface CM: Component Manager Research Interface November 2 nd to 4 th , 2011

  6. ABAC Integration Process • Clearly define and document API: – dependencies – functionality – authorization mechanisms – specification • Verify, repair and standardize existing authorization mechanisms • Integrate ABAC into PlanetLab • Test and verify: – framework interoperability – ABAC functionality – PlanetLab functionality • Analyze: – PlanetLab performance November 2 nd to 4 th , 2011

  7. Authorization Overview: Current authorization process Client side (Request Action) Server side (Execute Action) SSH Key Credentials supplied to SSL XMLRPC SSH Key Credentials received SSL XMLRPC Key to Slice association Key to Slice association User GID to Cert. verification User GID to Cert. verification Perform Action Cert. verification Perform Action Cert. verification Cert. Trust Verification Cert. Trust Verification November 2 nd to 4 th , 2011

  8. Authorization Overview: libABAC authorization process Client side (Request Action) Server side (Execute Action) SSH Key Credentials supplied to SSL XMLRPC SSH Key Credentials received SSL XMLRPC Key to Slice association (ABAC + PlanetLab) User GID to Cert. verification (ABAC) Perform Action Cert. verification (ABAC) Cert. Trust Verification (ABAC) November 2 nd to 4 th , 2011

  9. Authorization Mechanisms: Server Side API: CreateSliver() #API Found in the PlanetLab Aggrgegate Manager def CreateSliver(api, xrn, creds, rspec_str, users, call_id): . . . Continued . . . if not credential: credential = api.getCredential() hrn, type = urn_to_hrn(xrn) valid_cred = api.auth.checkCredentials(creds, 'createsliver' , hrn)[0] caller_hrn = Credential(string=valid_cred).get_gid_caller().get_hrn() threads = ThreadManager() for aggregate in api.aggregates: if caller_hrn == aggregate and aggregate != api.hrn:` continue server = api.aggregates[aggregate] threads.run(_CreateSliver, aggregate, server, xrn, credential, rspec.toxml(), users, call_id) . . . Continued . . . • Authorization by SSH Key: • confirmation must occur every time the API is called November 2 nd to 4 th , 2011

  10. Authorization Mechanisms: • Every manager within SFA PlanetLab: – Requires comprehensive authorization checking – Utilize a variety of authorization libraries • ABAC Integration – Standardizes authorization mechanism

  11. Authorization Mechanisms: Server Side API: CreateSliver() def checkCredentials(self, creds, operation, hrn = None): valid = [] # check if a credential is associated with an instance if not isinstance(creds, list): creds = [creds] for cred in creds: try: # authorize operation by a particular user on a slice self.check(cred, operation, hrn) valid.append(cred) except: cred_obj=Credential(string=cred) continue if not len(valid): raise InsufficientRights('Access denied: %s -- %s' % (error[0],error[1])) return valid • Authorization by SSH Key: • preliminary authorization mechanisms including the presence of a certificate associated with the instance November 2 nd to 4 th , 2011

  12. Authorization Mechanisms: • Every manager within SFA PlanetLab: – Does not support attribute driven resource association – Every user must be bound to a slice instead of facilitating a generic association such as role • ABAC Integration – Supports generic role driven association

  13. Authorization Mechanisms: Server Side API: CreateSliver() def check(self, cred, operation, hrn = None): self.client_cred = Credential(string = cred) self.client_gid = self.client_cred.get_gid_caller() self.object_gid = self.client_cred.get_gid_object() ...Continued... # verify the client_gid matches client's certificate if self.peer_cert: self.verifyPeerCert(self.peer_cert, self.client_gid) # validate client authorization to perform operation if operation: if not self.client_cred.can_perform(operation): raise InsufficientRights(operation) # verify the certificate signature if self.trusted_cert_list: self.client_cred.verify(self.trusted_cert_file_list, self.config.SFA_CREDENTIAL_SCHEMA) else: raise MissingTrustedRoots(self.config.get_trustedroots_dir()) ...Continued... return True November 2 nd to 4 th , 2011

  14. Authorization Mechanisms: • Every manager within SFA PlanetLab: – User groups are used to verify slice association – A User must be verified if they can perform and action based on a unique key – User credentials must be checked if it is trusted • ABAC Integration – User groups are replaced by roles that can be easily allocated and de-allocated – Performing actions within PL now support role driven verification

  15. Authorization Mechanisms: libABAC Integration #ABAC Library Calls from Python def authorize (self, principal): store = CredentialManager() context = Context() context.load_directory(keystore) # verify the certificate signatures, obtain user role and permissions (success, credentials) = context.query(role, principal) if success: for cred in credentials: print ”%s < - %s” %(cred.head().string(), cred.tail().string()) //Determine if principal possesses role if so return a proof of that, otherwise return a partial proof of it public QueryResult query( String role, String principal) { derive_implied_edges(); Query q = new Query(g); Graph<Role, Credential> rg = q.run(role, principal); /* return all credentials (edges) and boolean if the query found principle vertices */ return new QueryResult(rg.getEdges(), q.successful()); } November 2 nd to 4 th , 2011

  16. Conclusions deter ABAC Integration • Simplifies authorization procedures: • bundling authority to a given certificate (Credential) • bundling a proof of identity, authorization and role with a certificate(Credential) • Authorization reduces authorization complexity by: • eliminating confirmation of identify, role and permissions client side • Improves security by: • Standardizing security and authorization mechanisms across frameworks • Enforcing role, authority and identity through signed certificates • Scalability as permissions, role and association among users change • Easy to revoke an identity without modifying global permissions November 2 nd to 4 th , 2011

  17. Timeline • September to October 2011 – System analysis (Omni, PlanetLab, Emulab) – Prototyping, documentation and UML • November 1 st to Nov 30 th – Final integration, expanding authorization features – Initial development of automated tester (Draft test Cases) • December 1 st to December 20 th – Automated testing (Finalize test cases, verification) – Performance analysis (PlanetLab and ABAC) November 2 nd to 4 th , 2011

  18. Future Work Development: • Automated Tester – Integration testing – ABAC Verification • ABAC Integration – Integrate ABAC into all essential API within PlanetLab • PlanetLab – Ensure PlanetLab API incorporate functionally correct authorization mechanisms – Remove redundant or dead code • Specification – API specification will be developed November 2 nd to 4 th , 2011

  19. Questions and Feedback • Source Contribution: – Commit to source tree • Questions? • Feedback? – Reasonable? – Present errors? – Other ABAC project deadlines and goals? – Inter-platform ABAC testing? David Cheperdak djbchepe@cs.uvic.ca November 2 nd to 4 th , 2011

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provenance Collection on GENI Experimental Networks GUSH and Twister on Planetlab GUSH deploys

Provenance Collection on GENI Experimental Networks GUSH and Twister on Planetlab GUSH deploys

Provenance Collection on GENI Experimental Networks GUSH and Twister on Planetlab GUSH deploys Node 0 Head node of BFS application and application. Called Node 0 in Partition graph monitors status. PlanetLab slice Its like a shell or

510 views • 4 slides
Monitoring PlanetLab Monitoring PlanetLab Keeping PlanetLab up and running 24-7 is a major

Monitoring PlanetLab Monitoring PlanetLab Keeping PlanetLab up and running 24-7 is a major

Monitoring PlanetLab Monitoring PlanetLab Keeping PlanetLab up and running 24-7 is a major challenge Users (mostly researchers) need to know which nodes are up, have disk space, are lightly loaded, responding promptly, etc. CoMon

409 views • 27 slides
GENI and NDN or why should I use GENI? Niky Riga, PhD GENI Project Office nriga@bbn.com

GENI and NDN or why should I use GENI? Niky Riga, PhD GENI Project Office nriga@bbn.com

GENI and NDN or why should I use GENI? Niky Riga, PhD GENI Project Office nriga@bbn.com www.geni.net Sponsored by the National Science Foundation GENI: Infrastructure for Experimentation GENI provides compute resources that can be

576 views • 13 slides
GENI Laboratory Exercises for a Cloud Computing course Prasad Calyam, Ph.D. Assistant Professor,

GENI Laboratory Exercises for a Cloud Computing course Prasad Calyam, Ph.D. Assistant Professor,

GENI Laboratory Exercises for a Cloud Computing course Prasad Calyam, Ph.D. Assistant Professor, Department of Computer Science NSF Workshop on GENI in Education, October 26 th 2013 What is Cloud Computing? Classic Computing Cloud

700 views • 32 slides
GENI (the Global Environment for Network Innovations) and Cloud Computing Harry Mussman

GENI (the Global Environment for Network Innovations) and Cloud Computing Harry Mussman

GENI (the Global Environment for Network Innovations) and Cloud Computing Harry Mussman GENI Project Office at BBN Technologies GENI Project Office at BBN Technologies June 15, 2009 www.geni.net Sponsored by the National Science

448 views • 9 slides
GENI Global Environment for Network Innovations The GENI Project Office (GPO) www.geni.net

GENI Global Environment for Network Innovations The GENI Project Office (GPO) www.geni.net

GENI Global Environment for Network Innovations The GENI Project Office (GPO) www.geni.net Clearing house for all GENI news and documents July 15, 2008 www.geni.net 1 Our founders The GENI Planning Group and Many, Many Working Group

540 views • 19 slides
GENI Global Environment for Network Innovations Aaron Falk GENI Engineering Architect

GENI Global Environment for Network Innovations Aaron Falk GENI Engineering Architect

GENI Global Environment for Network Innovations Aaron Falk GENI Engineering Architect falk@bbn.com www.geni.net Clearing house for all GENI news and documents July 2008 www.geni.net 1 Outline What is GENI? The GENI system

539 views • 23 slides
Outline GENI Exploring future internets at scale GENIs status and plans GENI

Outline GENI Exploring future internets at scale GENIs status and plans GENI

GENI Project Update IETF-78 MOBOPTS Research Group Maastricht, Netherlands Aaron Falk GENI Engineering Architect July 29, 2010 www.geni.net Sponsored by the National Science Foundation Outline GENI Exploring future internets at scale

605 views • 36 slides
Using PlanetLab in Computer Network Courses Sue Moon KAIST January 23 rd , 2006 PlanetLab BoF

Using PlanetLab in Computer Network Courses Sue Moon KAIST January 23 rd , 2006 PlanetLab BoF

Using PlanetLab in Computer Network Courses Sue Moon KAIST January 23 rd , 2006 PlanetLab BoF The 21 st APAN Meeting Akihabara Convention Center, Tokyo My Classroom Experience of PlanetLab Used twice 2003 Fall: Grduate Computer

228 views • 7 slides
GENI Global Environment for Network Innovations Chip Elliott GENI Project Director

GENI Global Environment for Network Innovations Chip Elliott GENI Project Director

GENI Global Environment for Network Innovations Chip Elliott GENI Project Director celliott@bbn.com www.geni.net Clearing house for all GENI news and documents www.geni.net 1 Thank you Matt! and Karl! And also introducing . . .

721 views • 51 slides
GENI Exploring Networks of the Future Aaron Falk GENI Project Office March 23, 2010

GENI Exploring Networks of the Future Aaron Falk GENI Project Office March 23, 2010

GENI Exploring Networks of the Future Aaron Falk GENI Project Office March 23, 2010 www.geni.net Sponsored by the National Science Foundation What is GENI? GENI is a virtual laboratory for exploring future internets at scale. GENI

472 views • 14 slides
GENI FEDERATION WITH CHAMELEON: A LARGE-SCALE, RECONFIGURABLE EXPERIMENTAL ENVIRONMENT FOR CLOUD

GENI FEDERATION WITH CHAMELEON: A LARGE-SCALE, RECONFIGURABLE EXPERIMENTAL ENVIRONMENT FOR CLOUD

www. chameleoncloud.org GENI FEDERATION WITH CHAMELEON: A LARGE-SCALE, RECONFIGURABLE EXPERIMENTAL ENVIRONMENT FOR CLOUD RESEARCH Principal Investigator: Kate Keahey Co-PIs: J. Mambretti, D.K. Panda, P . Rad, W. Smith, D. Stanzione Presented

655 views • 20 slides
GENI-VIOLIN: Distributed Suspend and Resume for GENI

GENI-VIOLIN: Distributed Suspend and Resume for GENI

GENI-VIOLIN: Distributed Suspend and Resume for GENI Experiments Ardalan Kangarlou Pradeep Padala Sahan Gamage Ulas C. Kozat Dongyan Xu Ken

499 views • 16 slides
GENI Exploring Networks of the Future Now going live across the US! GENI Project Office APAN

GENI Exploring Networks of the Future Now going live across the US! GENI Project Office APAN

8/25/2011 GENI Exploring Networks of the Future Now going live across the US! GENI Project Office APAN 32, August 2011 www.geni.net Sponsored by the National Science Foundation Outline GENI Exploring future internets at scale

583 views • 26 slides
PlanetLab VINI: A Vi rtualized N etwork I nfrastructure Marc E. Fiuczynski, Ph.D. Princeton

PlanetLab VINI: A Vi rtualized N etwork I nfrastructure Marc E. Fiuczynski, Ph.D. Princeton

PlanetLab VINI: A Vi rtualized N etwork I nfrastructure Marc E. Fiuczynski, Ph.D. Princeton UniversityResearch Scholar PlanetLab ConsortiumR&amp;D Staff Member (mef@cs.princeton.edu) What is PlanetLab? Consortium : Academic,

726 views • 37 slides
http://portal.geni.net Sponsored by the National Science Foundation GENI Regional Workshop (GRW)

http://portal.geni.net Sponsored by the National Science Foundation GENI Regional Workshop (GRW)

Are you ready for the tutorial? 1. Grab instructions 3. Connect to the network Connect to U. Oregons wireless network 2. Did you do the pre-work? A. Do you have an account? B. Have you installed the tools? * ssh GENI Portal is at:

440 views • 41 slides
MICROPILE DATABASE Jouko Lehtonen project manager Ville Hyypp researcher Jussi

MICROPILE DATABASE Jouko Lehtonen project manager Ville Hyypp researcher Jussi

MICROPILE DATABASE Jouko Lehtonen project manager Ville Hyypp researcher Jussi Hattara researcher www.ismicropiles.info Turku University of Applied Sciences 1 WHAT IS MIDA? International database on micropile load tests

411 views • 14 slides
Determinants, and Health Equity into Californias MCAH Programs Shabbir Ahmad, DVM, MS, PhD

Determinants, and Health Equity into Californias MCAH Programs Shabbir Ahmad, DVM, MS, PhD

Incorporating Life Course, Social Determinants, and Health Equity into Californias MCAH Programs Shabbir Ahmad, DVM, MS, PhD Maternal, Child and Adolescent Health Program Center for Family Health California Department of Public Health

227 views • 20 slides
1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits +

1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits +

Environmental Management Systems at University of Paderborn &gt; Implementation at the Chair (Environmental) Process Engineering 1. Why . ? 2. What + How . ? 3. Who + How long + Costs . ? 4. Benefits + Perspectives . ? Josef

221 views • 21 slides
Training and support system in the cloud for search and rescue missions Janusz Bdkowski , Pawe

Training and support system in the cloud for search and rescue missions Janusz Bdkowski , Pawe

Training and support system in the cloud for search and rescue missions Janusz Bdkowski , Pawe Musialik , Karol Majek, Micha Peka Institute of Mathematical Machines, Warsaw, Poland pjmusialik@gmail.com januszbedkowski@gmail.com

510 views • 23 slides
Pre-Proposal Conference for Public Service Agencies RFP NSD17-001 Presented by David Reitz, MPA

Pre-Proposal Conference for Public Service Agencies RFP NSD17-001 Presented by David Reitz, MPA

Pre-Proposal Conference for Public Service Agencies RFP NSD17-001 Presented by David Reitz, MPA Neighborhood Services Department February 8, 9, &amp; 10, 2017 RFP Pre-Proposal Overview Welcome Interested Proposers Sign-in Sheet

476 views • 47 slides
Types and Static Semantic Analysis Stephen A. Edwards Columbia University Fall 2012 Part I

Types and Static Semantic Analysis Stephen A. Edwards Columbia University Fall 2012 Part I

Types and Static Semantic Analysis Stephen A. Edwards Columbia University Fall 2012 Part I Types Data Types What is a type? A restriction on the possible interpretations of a segment of memory or other program construct. Useful for two

606 views • 47 slides
Get your message across Presentation - Module 4 How to advocate and engage with policy makers

Get your message across Presentation - Module 4 How to advocate and engage with policy makers

YouthMetre - Training Materials Get your message across Presentation - Module 4 How to advocate and engage with policy makers Introduction Media informs the citizens and shape public opinions agenda setting, opinion leaders.

647 views • 10 slides
in Law Enforcem ent Workshop, 21-22 June 2012, JRC I spra, Italy Abstracts 1 . - Research

in Law Enforcem ent Workshop, 21-22 June 2012, JRC I spra, Italy Abstracts 1 . - Research

Open Source I ntelligence Tools in Law Enforcem ent Workshop, 21-22 June 2012, JRC I spra, Italy Abstracts 1 . - Research Manager, W est Midlands Police Counter Terrorism Unit, United Kingdom Open source intelligence - a practitioners

237 views • 3 slides

More recommend