2. SAVI Identity Manager Design
Requirements
SAVI is a federation of autonomous systems:
Testbeds
Cloud Datacenters
Information Providers (e.g. Identity providers)
Researcher needs a fine-grained Access
Control to have flexibility:
Policy negotiation
Attribute Assertion
3. SAVI Federation Architecture
SAVI Federation SAVI Core
Oversight node
Trust Anchor
Domain (Keystone)
Admin
User User User Service Accounting
1 2 3 SAVI edge
(Beacon)
node
Repository
Testbed
Identity
Providers
Remote
Datacenter
s
4. Authentication Interoperability Standard
Security Assertion Markup Language - SAML
Policy Policy Policy
Credentials Authentication Attribute Policy Decision
Collector Authority Authority Point
SAML
Authentication Attribute Authorization
Assertion Assertion Decision
Assertion
System Application Policy Enforcement
Entity Request Point
Source: OASIS SAML Standard
5. 5
Authorization Interoperability Standards
eXtensible Access Control Markup Language – XACML
XACML
Policy Policy Serve in SAVI
XML
XML
XML XML
XACML
XACML
XACML XACML
Federation Layer Virtualizatio Openflow Firewall
n Switch
Policy server distributes policy changes to all network elements
using XACML
6. 6
SAVI Access Control Technologies
Access-control lists (ACL)
Lists of specific users and groups and permissions
Role-Based Access Control - (RBAC)
Access based on users roles. Role assignment. Role authentication.
Action authorization
Empty Role
Contains just roles without any associated role
Explicit Capability Mapping Under Developm
Roles have capabilities not in the context of any given resource
Restricted Roles
The role, capability, resource collection will be complete
Attribute-Based Access Control - (ABAC)
On user attributes and object metadata
7. Attribute Based Access Control (ABAC)
Subject Attributes
Related to a subject (e.g. user, application, process) that
defines the identity and characteristics of the subject
E.g. identifier, name, job title, role
Resource Attributes
Associated with a resource (web service, system function, or
data)
E.g. Dublin Core metadata elements
Environment Attributes
Describes the operational, technical, or situational environment
or context in which the information access occurs
E.g. current date time, current threat level, network security
classification
8. ABAC Policy Formulation
1. S, R, and E are subjects, resources, and environments,
respectively;
2. SAk (1 k K), RAm (1 m M), and EAn (1 n N) are the pre-
defined attributes for subjects, resources, and environments,
respectively;
3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations
for subject s, resource r, and environment e, respectively:
ATTR( s) SA1 SA2 ... SAK
ATTR(r ) RA1 RA2 ... RAM
ATTR(e) EA1 EA2 ... EAN
9. ABAC in SAVI
Researcher SA Edge Node
SOAP Msg 1 3
Resources
Control
Service
APIs
Web
1
SA
2
RA
Access Service Catalog
Trust Anchor EA Control (Beacon)
SA
Policy Attribute
Admin. Policy Unit
Service & Policy
Identity
Services
Provider