authorization aspects of the distributed dataflow-oriented iot framework calvin
Authorization Aspects of the DistributedDataflow-oriented IoT Framework Calvin
Master’s Thesis
Tomas Nilsson
June 8, 2016
Tomas Nilsson Authorization Aspects of the IoT Framework Calvin 1 / 20
Presentation Outline
- Introduction to Calvin
- Authorization Considerations
  - Aims and challenges for this master's thesis work
- Authorization in Calvin
  - What have I implemented?
- Demo
Calvin – Distributed Cloud for IoT
- Open-source framework developed by Ericsson Research
- Simplifies development of distributed applications combining IoT and cloud computing
- Different parts of an application execute on different devices
- Parts can migrate to other devices without interrupting execution
- The Calvin runtime handles data transport, message parsing, scheduling, etc.
Calvin – Applications and Actors
- Dataflow programming methodology
- Actors perform certain tasks
- Application defines how data flows between actors
[Figure: an actor with its state and requirements; an action consumes tokens on the in port and produces tokens on the out port]
- Application example (dataflow graph): a button actor (io.GPIOReader) sends its state to the trigger port of a camera actor (media.Camera); the camera sends an image to the image port of a screen actor (media.ImageRenderer)
Calvin – Migration, Capabilities, and Requirements
[Figure, before migration: actors carry requirements, runtimes offer capabilities and attributes. Runtime 1 offers A and B, Runtime 2 offers B and C; Actor 1 requires B and C, Actor 2 requires A, Actor 3 requires C.]
Calvin – Migration, Capabilities, and Requirements
After migration
A
B
Runtime 1
B
C
Runtime 2
AActor 2
B
CActor 1
CActor 3
Aims and Challenges for this thesis work
Implement authorization of applications/actors in Calvin
Desired functionality:
- Fine-grained authorization decisions on access to resources offered by a runtime
- Adaptable to different environments
- Usable as input for migration decisions in Calvin
Challenges:
- Dynamic distributed execution model
- Not all runtimes are known when execution starts
Attribute-Based Access Control (ABAC)
- Evaluate policy rules against attributes:
  - Subject attributes
  - Resource attributes
  - Action attributes
  - Environment attributes
- Flexible and fine-grained access control
- XACML – XML-based ABAC standard
Who? What? When? Where? Why? How?
Adaptable to Constrained Devices
- Compact message and policy formats
  - JSON instead of XML
- Flexibility important
  - Local authorization – minimizes network traffic
  - External authorization – minimizes storage or processing power needs
Authorization Flow
[Figure: XACML-style authorization flow between the User/Application/Actor, the Policy Enforcement Point (PEP), the Policy Decision Point (PDP), the Policy Retrieval Point (PRP), the Policy Information Point (PIP) and the Policy Administration Point (PAP). The PAP manages policies; the PIP fetches data from different sources.]
1. Access required (user/application/actor to PEP)
2. Authorization request (PEP to PDP)
3. Retrieve policies (PDP from PRP)
4a. Evaluate policies (PDP)
4b. Retrieve additional attributes (PDP from PIP)
5. Authorization decision (PDP to PEP)
6. Access permitted/denied (PEP to user/application/actor)
Authorization Request
- Request sent by the Policy Enforcement Point to the Policy Decision Point to check if access should be granted to an actor
{
    "subject": {
        "first_name": "Tomas",
        "last_name": "Nilsson",
        "actor_signer": "Ericsson"
    },
    "action": {
        "requires": ["runtime", "calvinsys.events.timer"]
    },
    "resource": {
        "node_id": "a77c0687-dce8-496f-8d81-571333be6116"
    }
}
Authorization Response
- Response from the Policy Decision Point to the Policy Enforcement Point
- Contains the authorization decision and the constraints under which the decision is valid
{
    "decision": "permit",
    "obligations": [
        {
            "id": "time_range",
            "attributes": {
                "start_time": "09:00",
                "end_time": "17:00"
            }
        }
    ]
}
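How a Policy Enforcement Point would act on such a response, as an added Python example (not code from the thesis or the Calvin project). It assumes that a time_range obligation makes the permit valid from start_time inclusive until end_time exclusive, and that an obligation the PEP does not understand means the decision cannot be honoured.

```python
# Constructed response in the slides' format: a permit valid only 09:00-17:00.
RESPONSE = {
    "decision": "permit",
    "obligations": [{"id": "time_range",
                     "attributes": {"start_time": "09:00", "end_time": "17:00"}}],
}

def _minutes(hhmm):
    # "HH:MM" -> minutes since midnight; malformed input raises, which callers treat as deny.
    hour, minute = hhmm.split(":")
    return int(hour) * 60 + int(minute)

def time_range_holds(attrs, now_hhmm):
    # Assumed semantics: valid from start_time (inclusive) until end_time (exclusive),
    # so at exactly 17:00 the access is already denied, as on the Smart Migration slides.
    return _minutes(attrs["start_time"]) <= _minutes(now_hhmm) < _minutes(attrs["end_time"])

OBLIGATION_CHECKS = {"time_range": time_range_holds}   # one checker per obligation id

def access_allowed(response, now_hhmm):
    # Permit only if the PDP said permit AND every obligation is both understood and
    # currently satisfied. An unknown or malformed obligation fails closed.
    if response.get("decision") != "permit":
        return False
    for ob in response.get("obligations", []):
        check = OBLIGATION_CHECKS.get(ob.get("id"))
        try:
            if check is None or not check(ob.get("attributes", {}), now_hhmm):
                return False
        except (KeyError, ValueError):
            return False
    return True

def valid_until(response):
    # Earliest end_time among time_range obligations: the moment the runtime must
    # re-evaluate the decision (None when the permit carries no time limit).
    ends = [ob["attributes"]["end_time"] for ob in response.get("obligations", [])
            if ob.get("id") == "time_range"]
    return min(ends, key=_minutes) if ends else None
```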
Find Matching Policies
- Use the policy target to determine to which requests a policy applies
Examples:
- "first_name" must be "Tomas" or "Gustav":
  {"first_name": ["Tomas", "Gustav"]}
- "email" must end with "@ericsson.com":
  {"email": ".*@ericsson.com"}
Evaluate Policies
- Evaluate the complete policy if the policy target matches the request
- Rules with conditions are evaluated to get a policy decision
  - The following functions can be used in a condition: ==, <=, >=, !=, AND, OR
- Combining algorithms are used to combine decisions if multiple policies match the request
  - Permit overrides
  - Deny overrides
Evaluate Policies – example condition
{
    "condition": {
        "function": "and",
        "attributes": [
            {
                "function": "equal",
                "attributes": ["attr:resource:address.country",
                               ["SE", "DK"]]
            },
            {
                "function": "greater_than_or_equal",
                "attributes": ["attr:environment:current_date",
                               "2016-03-04"]
            }
        ]
    }
}
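Target matching, condition evaluation and the two combining algorithms from the preceding slides, worked through in Python as an added example (not code from the thesis or the Calvin project). Assumptions: a policy is a dict with "target", "condition" and "effect" keys, the request carries an "environment" section filled in by the PDP, and "attr:<section>:<name>" references a request attribute.

```python
import re
# Constructed request in the slides' format; the "environment" section is an
# assumption: the PDP fills it in itself (current date as an ISO string).
REQUEST = {
    "subject": {"first_name": "Tomas", "email": "tomas@ericsson.com"},
    "action": {"requires": ["runtime", "calvinsys.events.timer"]},
    "resource": {"node_id": "a77c0687-dce8-496f-8d81-571333be6116", "address.country": "SE"},
    "environment": {"current_date": "2016-06-08"},
}

def target_matches(target, subject):
    # Slide semantics: a list means "one of", a string is a regex that must match the
    # whole value. A missing subject attribute never matches (fail closed).
    for attr, allowed in target.items():
        value = subject.get(attr)
        if value is None:
            return False
        if isinstance(allowed, list):
            if value not in allowed:
                return False
        elif re.fullmatch(allowed, value) is None:
            return False
    return True

def resolve(ref, request):
    # "attr:<section>:<name>" names a request attribute; anything else is a literal.
    if isinstance(ref, str) and ref.startswith("attr:"):
        _, section, name = ref.split(":", 2)
        return request[section][name]
    return ref
COMPARE = {  # leaf functions; a list on the right-hand side of "equal" means "one of"
    "equal": lambda a, b: a in b if isinstance(b, list) else a == b,
    "greater_than_or_equal": lambda a, b: a >= b,  # ISO date strings compare as strings
}

def evaluate(cond, request):
    # Recursive evaluation: and/or nest conditions, leaves compare two resolved operands.
    fn, args = cond["function"], cond["attributes"]
    if fn in ("and", "or"):
        return (all if fn == "and" else any)(evaluate(c, request) for c in args)
    a, b = (resolve(x, request) for x in args)
    return COMPARE[fn](a, b)  # unknown function raises KeyError: refuse, never permit

def decide(policies, request, combining="deny_overrides"):
    # Assumed policy shape {"target", "condition", "effect"}; no applicable policy: deny.
    decisions = [p["effect"] for p in policies
                 if target_matches(p["target"], request["subject"])
                 and evaluate(p["condition"], request)]
    if combining == "deny_overrides":
        return "deny" if "deny" in decisions or not decisions else "permit"
    return "permit" if "permit" in decisions else "deny"
```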
JSON Web Token for External Authorization
- Signed JSON Web Tokens (JWT) are used to secure the information exchange when the Policy Decision Point is external
[Figure: JWT structure: Header . Payload . Signature]
Header:
{
    "typ": "JWT",
    "alg": "ES256"
}
- ES256 = Elliptic Curve Digital Signature Algorithm using the SHA-256 hash algorithm
Payload:
{
"iss": "ID of runtime that creates JWT",
"sub": "ID of actor that the response applies to",
"aud": "ID of runtime to which the JWT is intended",
"iat": "the time at which the JWT was issued",
"exp": "the expiration time for the JWT",
"response": "the authorization response"
}
Signature:
- The digital signature of the concatenation of the encoded header and the encoded payload (separated by '.')
- Signed using the private key of the runtime that creates the JWT
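The token layout above, plus the claim checks a receiving runtime must make on top of signature verification, as an added Python example (not code from the thesis or the Calvin project). The runtime and actor identifiers are placeholders; producing and verifying the ES256 signature itself needs an ECDSA library and is assumed to happen outside this snippet.

```python
import base64
import json

HEADER = {"typ": "JWT", "alg": "ES256"}        # header from the slide
# Runtime and actor identifiers are constructed placeholders, not real Calvin node ids.
PDP_RUNTIME_ID = "runtime-2-PLACEHOLDER"
PEP_RUNTIME_ID = "runtime-1-PLACEHOLDER"
ACTOR_ID = "camera-actor-PLACEHOLDER"

def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def build_payload(response: dict, now: int, lifetime: int = 300) -> dict:
    # Claims the PDP runtime puts in the token: iss/sub/aud/iat/exp/response as on the slide.
    return {"iss": PDP_RUNTIME_ID, "sub": ACTOR_ID, "aud": PEP_RUNTIME_ID,
            "iat": now, "exp": now + lifetime, "response": response}

def signing_input(header: dict, payload: dict) -> str:
    # Exactly the bytes signed with the issuing runtime's private key:
    # base64url(header) '.' base64url(payload). Producing the ES256 signature
    # itself needs an ECDSA library and is left out here (assumption).
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
    return enc(header) + "." + enc(payload)

def validate_claims(header: dict, payload: dict, own_id: str, pdp_id: str,
                    actor_id: str, now: int) -> list:
    # Checks the receiving runtime performs after the signature has verified against
    # the PDP runtime's public key. Returns the names of the claims that failed.
    bad = []
    if header.get("alg") != "ES256":     # pin the algorithm; never let the token choose it
        bad.append("alg")
    if payload.get("iss") != pdp_id:     # issued by the PDP runtime that was asked
        bad.append("iss")
    if payload.get("aud") != own_id:     # a decision addressed to another runtime is not ours
        bad.append("aud")
    if payload.get("sub") != actor_id:   # decision is about the actor being deployed
        bad.append("sub")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not isinstance(iat, int) or iat > now + 60:   # 60 s clock skew allowed
        bad.append("iat")
    if not isinstance(exp, int) or exp <= now:       # expired or missing
        bad.append("exp")
    return bad
```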
Smart Migration
[Figure: a Camera actor on Runtime 1 (RT1, uses the PDP on RT2); Runtime 2 (RT2) with its own PDP; Runtime 3 (RT3) with a PDP; Runtime 4 (RT4, uses the PDP on RT3). The sequence shown on the slide:]
1. Access denied for Camera on Runtime 1 at 17:00
2. Get possible migration destinations from global storage: RT2 (PDP on RT2), RT4 (PDP on RT3)
3. Authorization search request to the PDP on RT2, signed by Runtime 1
4. Response: no runtimes where access is permitted
5. New authorization search request to the PDP on RT3, signed by Runtime 1
6. Response: access permitted for Camera on Runtime 4, signed by Runtime 3
7. Migrate the Camera actor to Runtime 4 (include the access decision)
Conclusion
- All aims achieved
- The following combination is highly suitable for dynamic distributed execution models:
  - Attribute-Based Access Control – enables flexibility and fine-grained decisions
  - JSON-based messages and policies – lightweight and compact
Demo – Available Runtimes
[Figure: three Calvin runtimes named laptop, entrance and secret_room; two of them have a camera and are at the address Testvägen 1, Lund, Sweden]
Demo – Application and Deployment Requirements
[Figure: application graph: trigger (std.Constant) sends a token to the trigger port of camera (media.IPCamera); camera sends an image to the image port of screen (media.ImageRenderer). Deployment requirements: runtime name "laptop" for trigger and screen, runtime address Testvägen 1, Lund, Sweden for camera.]
User attributes:
{
    "first_name": "Tomas",
    "last_name": "Nilsson",
    "age": "24",
    "organization": "Ericsson",
    "group": "Security"
}
Demo – Authorization Policies
Secret room:
- Permit camera access if subject belongs to group Security
  - Only between 08:00 and 10:XX
Entrance:
- Permit camera access if subject belongs to group Security
  - Only between 08:00 and 18:00