Abstract
GENI’s goal of wide-scale collaboration on infrastructure owned by independent and diverse stakeholders stresses current access control systems to the breaking point. Challenges not well addressed by current systems include, at minimum, support for distributed identity and policy management, correctness and auditability, and approachability. The Attribute Based Access Control (ABAC) system [1, 2] is an attribute-based authorization system that combines attributes using a simple reasoning system to provide authorization that (1) expresses delegation and other authorization models efficiently and scalably; (2) provides auditing information that includes both the decision and reasoning; and (3) supports multiple authentication frameworks as entry points into the attribute space. The GENI project has taken this powerful theoretical system and matured it into a form ready for practical use.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Strictly speaking, identity based systems are a subset of attribute based systems, because “identity” can be viewed as an attribute.
- 2.
In this chapter, use of the capitalized ABAC acronym always refers to the specific ABAC system, rather than attribute based access control systems generally.
- 3.
Later renamed McAfee Research. Subsequently, this research lab was acquired by SPARTA, Inc. and operated as the Security Research Division of SPARTA.
- 4.
A misbehaving principal can undermine these properties, e.g., by sharing a private key. ABAC assumes good behavior of principals.
- 5.
The typing is implicit. AM1.ListResources and AM2.ListResources must have direct assignments made so the system can determine the type and types must be consistent. This is a place where the theoretical nature of the ABAC papers is abundantly clear. In our implementation of RT2 we added syntax to declare types of parameters and perform explicit type checking.
- 6.
For example, there is syntax for referring to the principal being evaluated when looking at a parameterized linking role. This is useful, but well beyond the scope of this document. The interested reader is referred to [1] Sections 3.1 and 3.3.
- 7.
In the TIED ABAC RT2 library, we use distinct notation for o-set rules and attribute rules, to ensure that each is represented by a unique type.
- 8.
Alternatively, a public key fingerprint can be utilized as the identity, if the benefits of the smaller identifier outweigh the increased collision probability.
- 9.
There may be other reasons to make the server a principal; mutual authentication is rarely a mistake.
- 10.
These are objects in the software engineering sense, containing and providing both executable methods and data.
- 11.
In some sense this is extraneous code, as any X.509 toolkit can create an identity certificate and key files, but we have found the unified interface to be helpful.
References
Li, N., Mitchell, J.C., Winsborough, W.H.: Design of a role-based trust management system. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (May 2002)
Li, N., Winsborough, W.H., Mitchell, J.C.: Distributed credential chain discovery in trust management (extended abstract). In: Proceedings of the Eighth ACM Conference on Computer and Communications Security (CCS-8), pp. 156–165 (November 2001)
Callas, J., Donnerhacke, L., Finney, H., Shaw, D., Thayer, R.: Open PGP Message Format. RFC 4880 (November 2007)
Rivest, R., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978)
Huang, S.S., Green, T.J., and Loo, B.T.: Datalog and emerging applications: an interactive tutorial. In: Proceedings of the 2011 ACM SIGMOD International Conference on Management of Data (SIGMOD '11), pp. 1213–1216. New York, NY, USA (June 2011)
Internet 2, InCommon: InCommon Basics and Participating in InCommon. http://www.incommon.org/docs/guides/InCommon_Resources.pdf. Retrieved Aug 2014
TIED Team: GENI-Compatible ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDC redentials. Retrieved Aug 2014
ProtoGENI Team: Privileges in the Reference Implementation. http://www.protogeni.net/ProtoGeni/wiki/ReferenceImplementationPrivileges. Retrieved Aug 2014
Benzel, T.: The science of cyber-security experimentation: the DETER project. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC) '11, Orlando, FL (December 2011)
Cooper, D., Santesson, S., Farrell, S., Boeyen, S., Polk, W.: Internet X.509 Public Key Infrastructure Certificate and Certificate RevocationList (CRL) Profile. RFC 5280 (May 2008)
Yee, P.: Updates to the Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. RFC 6818 (January 2013)
Shibboleth Consortium: Shibboleth 3—A New Identity Platform. https://shibboleth.net/consortium/documents.html. Retrieved Aug 2014
Kohl, J., Neuman, C.: The Kerberos Network Authentication Service (V5). Internet RFC 1510 (September 1993)
TIED Team Libabac Software Distribution. http://abac.deterlab.net. Retrieved Aug 2014
The DETER Team: The DETER Federation Architecture. http://fedd.deterlab.net/wiki/FeddAbout. Retrieved Aug 2014
TIED Team: GENI ABAC Credentials. http://groups.geni.net/geni/wiki/TIEDABACCredential. Retrieved Aug 2014
GENI Program Office: Clearinghouse. http://groups.geni.net/geni/wiki/GeniClearinghouse. Retrieved Aug 2014
GENI Program Office: GENI Credentials. http://groups.geni.net/geni/wiki/GeniApiCredentials. Retrieved Aug 2014
Bartel, M., Boyer, J., Fox, B., LaMacchia, B., Simon, E.: XML Signature and Processing, 2nd edn. W3C Recommendation. http://www.w3.org/TR/xmldsig-core/ (June 2008)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Faber, T., Schwab, S., Wroclawski, J. (2016). Authorization and Access Control: ABAC. In: McGeer, R., Berman, M., Elliott, C., Ricci, R. (eds) The GENI Book. Springer, Cham. https://doi.org/10.1007/978-3-319-33769-2_10
Download citation
DOI: https://doi.org/10.1007/978-3-319-33769-2_10
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-33767-8
Online ISBN: 978-3-319-33769-2
eBook Packages: Computer ScienceComputer Science (R0)