Identity Manager in Cloud with Openflow Switches
•Download as PPTX, PDF•
0 likes•378 views
This document discusses the design requirements for an identity manager in SAVI, a federation of autonomous systems. It outlines that SAVI requires fine-grained access control and policy negotiation between testbeds, cloud datacenters, and identity providers. It then describes SAVI's federation architecture with core and edge nodes, as well as authentication and authorization standards like SAML and XACML that will be used. Finally, it discusses access control methods like ACLs, RBAC, and attribute-based access control (ABAC) that could be implemented in SAVI's policy server.
Identity Manager in Cloud with Openflow Switches
- 1. Identity Manager in Software Defined Net Mohammad Faraji Email: ms.faraji@utoronto.ca
- 2. SAVI Identity Manager Design Requirements  SAVI is a federation of autonomous systems:  Testbeds  Cloud Datacenters  Information Providers (e.g. Identity providers)  Researcher needs a fine-grained Access Control to have flexibility:  Policy negotiation  Attribute Assertion
- 3. SAVI Federation Architecture SAVI Federation SAVI Core Oversight node Trust Anchor Domain (Keystone) Admin User User User Service Accounting 1 2 3 SAVI edge (Beacon) node Repository Testbed Identity Providers   Remote  Datacenter  s
- 4. Authentication Interoperability Standard Security Assertion Markup Language - SAML Policy Policy Policy Credentials Authentication Attribute Policy Decision Collector Authority Authority Point SAML Authentication Attribute Authorization Assertion Assertion Decision Assertion System Application Policy Enforcement Entity Request Point Source: OASIS SAML Standard
- 5. 5 Authorization Interoperability Standards eXtensible Access Control Markup Language – XACML XACML Policy Policy Serve in SAVI XML XML XML XML XACML XACML XACML XACML Federation Layer Virtualizatio Openflow Firewall n Switch  Policy server distributes policy changes to all network elements using XACML
- 6. 6 SAVI Access Control Technologies Access-control lists (ACL) Lists of specific users and groups and permissions Role-Based Access Control - (RBAC) Access based on users roles. Role assignment. Role authentication. Action authorization Empty Role Contains just roles without any associated role Explicit Capability Mapping Under Developm Roles have capabilities not in the context of any given resource Restricted Roles The role, capability, resource collection will be complete Attribute-Based Access Control - (ABAC) On user attributes and object metadata
- 7. Attribute Based Access Control (ABAC) ï‚› Subject Attributes ï‚› Related to a subject (e.g. user, application, process) that defines the identity and characteristics of the subject ï‚› E.g. identifier, name, job title, role ï‚› Resource Attributes ï‚› Associated with a resource (web service, system function, or data) ï‚› E.g. Dublin Core metadata elements ï‚› Environment Attributes ï‚› Describes the operational, technical, or situational environment or context in which the information access occurs ï‚› E.g. current date time, current threat level, network security classification
- 8. ABAC Policy Formulation 1. S, R, and E are subjects, resources, and environments, respectively; 2. SAk (1 k K), RAm (1 m M), and EAn (1 n N) are the pre- defined attributes for subjects, resources, and environments, respectively; 3. ATTR(s), ATTR(r), and ATTR(e) are attribute assignment relations for subject s, resource r, and environment e, respectively: ATTR( s) SA1 SA2 ... SAK ATTR(r ) RA1 RA2 ... RAM ATTR(e) EA1 EA2 ... EAN
- 9. ABAC in SAVI Researcher SA Edge Node SOAP Msg 1 3 Resources Control Service APIs Web 1 SA 2 RA Access Service Catalog Trust Anchor EA Control (Beacon) SA Policy Attribute Admin. Policy Unit Service & Policy Identity Services Provider