identity manager in cloud with openflow switches
Identity Manager in Software Defined Net
Mohammad Faraji
Email: [email protected]
SAVI Identity Manager Design Requirements
SAVI is a federation of autonomous systems: testbeds, cloud datacenters and information providers (e.g. identity providers).
A researcher needs fine-grained access control in order to have flexibility: policy negotiation and attribute assertion.
SAVI Federation Architecture
Figure: SAVI federation architecture. Components: SAVI Federation Oversight / Trust Anchor (Keystone), SAVI core node, SAVI edge node, testbed, remote datacenters, domain admin, users 1-3, identity providers, service accounting (Beacon), repository. Authentication: OAuth, OpenID, SAML. Authorization: XACML.
Authentication Interoperability Standard: Security Assertion Markup Language (SAML)
Figure: SAML architecture (source: OASIS SAML standard). Assertions: authentication assertion, attribute assertion, authorization decision assertion. Authorities: authentication authority, attribute authority, policy decision point, policy enforcement point (each governed by policy). Inputs: credentials collector, system entity, application request.
Authorization Interoperability Standard: eXtensible Access Control Markup Language (XACML)
Policy server distributes policy changes to all network elements using XACML
Figure: Policy server in SAVI. XACML policies (as XML) are pushed through the federation layer virtualization to the network elements, shown as OpenFlow switches and firewalls.
SAVI Access Control Technologies
Responsibility: owner, custodian, user.
Security policy: determines access control.
Digital certificates and access control: can store subjects' roles and permissions.
Accountability vs. enforcement: log analysis vs. strict control.
Role-Based Access Control (RBAC): access is based on users' roles. Role assignment, role authentication, action authorization.
Attribute-Based Access Control (ABAC): access is based on user attributes and object metadata.
Access-control lists (ACL): lists of specific users and groups and their permissions.
Under Development
Empty Role: contains just roles without any associated role.
Explicit Capability Mapping: roles have capabilities not in the context of any given resource.
Restricted Roles: the role, capability, resource collection will be complete.
Attribute Based Access Control (ABAC)
Subject attributes: related to a subject (e.g. user, application, process) and define the identity and characteristics of the subject, e.g. identifier, name, job title, role.
Resource attributes: associated with a resource (web service, system function, or data), e.g. Dublin Core metadata elements.
Environment attributes: describe the operational, technical, or situational environment or context in which the information access occurs, e.g. current date and time, current threat level, network security classification.
ABAC Policy Formulation
1. S, R, and E are subjects, resources, and environments, respectively;
2. $SA_k$ ($1 \le k \le K$), $RA_m$ ($1 \le m \le M$), and $EA_n$ ($1 \le n \le N$) are the pre-defined attributes for subjects, resources, and environments, respectively;
3. $\mathrm{ATTR}(s)$, $\mathrm{ATTR}(r)$, and $\mathrm{ATTR}(e)$ are attribute assignment relations for subject s, resource r, and environment e, respectively:

$\mathrm{ATTR}(s) \subseteq SA_1 \times SA_2 \times \dots \times SA_K$
$\mathrm{ATTR}(r) \subseteq RA_1 \times RA_2 \times \dots \times RA_M$
$\mathrm{ATTR}(e) \subseteq EA_1 \times EA_2 \times \dots \times EA_N$
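As an added example, not from the slides or the SAVI project, the evaluator below treats ATTR(s), ATTR(r) and ATTR(e) as attribute dictionaries built from the attribute kinds the slides list (identifier/role, Dublin Core elements, date-time/threat level) and evaluates constructed policy rules over them with deny-overrides combining and default deny. The rule set, attribute names and sample values are all assumptions made for the illustration.

```python
# Added example (not from the slides): an ABAC decision over ATTR(s), ATTR(r), ATTR(e).
# Attribute names and values are constructed to mirror the slide's examples.
from dataclasses import dataclass
from datetime import datetime
from typing import Callable

Attrs = dict[str, object]  # one attribute assignment relation, e.g. ATTR(s)


@dataclass(frozen=True)
class Rule:
    """A rule is a predicate over (ATTR(s), ATTR(r), ATTR(e)) plus its effect."""
    name: str
    condition: Callable[[Attrs, Attrs, Attrs], bool]
    effect: str  # "Permit" or "Deny"


def decide(rules: list[Rule], s: Attrs, r: Attrs, e: Attrs) -> str:
    """Deny-overrides combining: any applicable Deny wins; otherwise Permit only
    if some Permit rule applies; otherwise Deny (default deny)."""
    permitted = False
    for rule in rules:
        if rule.condition(s, r, e):
            if rule.effect == "Deny":
                return "Deny"
            permitted = True
    return "Permit" if permitted else "Deny"


# Constructed policy: a researcher may read datasets they created or that are
# public; domain admins may read anything; nobody but an admin reads while the
# threat level is "high"; nobody reads outside the 07:00-19:00 window.
POLICY = [
    Rule("owner-or-public-read",
         lambda s, r, e: s["role"] == "researcher" and r["dc:type"] == "Dataset"
         and (r["dc:creator"] == s["identifier"] or r["dc:rights"] == "public"),
         "Permit"),
    Rule("admin-read", lambda s, r, e: s["role"] == "domain_admin", "Permit"),
    Rule("lockdown-on-high-threat",
         lambda s, r, e: e["threat_level"] == "high" and s["role"] != "domain_admin",
         "Deny"),
    Rule("outside-hours", lambda s, r, e: not 7 <= e["now"].hour < 19, "Deny"),
]


def env(threat_level: str, hour: int) -> Attrs:
    """Constructed environment attributes at the given hour of a fixed date."""
    return {"now": datetime(2024, 1, 15, hour, 0), "threat_level": threat_level,
            "network_classification": "internal"}


RESEARCHER = {"identifier": "u-1001", "name": "Alice", "job_title": "PhD student", "role": "researcher"}
ADMIN = {"identifier": "u-0001", "name": "Bob", "job_title": "Operator", "role": "domain_admin"}
DATASET_OWNED = {"dc:creator": "u-1001", "dc:type": "Dataset", "dc:rights": "restricted"}
DATASET_OTHER = {"dc:creator": "u-2002", "dc:type": "Dataset", "dc:rights": "restricted"}
```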
Figure: ABAC in a SAVI edge node. Shown are the researcher's SOAP message carrying subject attributes (SA), the edge node's access control web service, the attribute and policy services, the policy unit, the policy administration service, the resource APIs, the identity provider (SA), the service catalog (Beacon) / trust anchor, and the resource (RA) and environment (EA) attributes, with the exchange numbered as steps 1-3.