Authorization Aspects of the Distributed Dataflow-oriented IoT Framework Calvin
Introduction to Calvin | Authorization Considerations | Authorization in Calvin | Demo
Authorization Aspects of the Distributed Dataflow-oriented IoT Framework Calvin
Master’s Thesis
Tomas Nilsson
June 8, 2016
Tomas Nilsson Authorization Aspects of the IoT Framework Calvin 1 / 20
Presentation Outline
- Introduction to Calvin
- Authorization Considerations
  - Aims and challenges for this master’s thesis work
- Authorization in Calvin
  - What have I implemented?
- Demo
Distributed Cloud for IoT | Applications and Actors | Migration, Capabilities, and Requirements
Calvin – Distributed Cloud for IoT
- Open-source framework developed by Ericsson Research
- Simplify development of distributed applications combining IoT and cloud computing
- Execute different parts of the application on different devices
- Migrate to other devices without interrupting execution
- Calvin runtime handles data transport, message parsing, scheduling, etc.
Calvin – Applications and Actors
- Dataflow programming methodology
  - Actors perform certain tasks
  - Application defines how data flows between actors
[Figure: an actor, labelled State, Requirements and Action, with ports in and out]
- Application example:
[Figure: three actors: button (io.GPIOReader, port: state), camera (media.Camera, ports: trigger, image), screen (media.ImageRenderer, port: image)]
Calvin – Migration, Capabilities, and Requirements
Before migration
[Figure: Runtime 1 labelled A, B; Runtime 2 labelled B, C; Actor 1 labelled B, C; Actor 2 labelled A; Actor 3 labelled C. Legend: Requirements; Capabilities & Attributes]
After migration
[Figure: Runtime 1 labelled A, B; Runtime 2 labelled B, C; Actor 2 labelled A; Actor 1 labelled B, C; Actor 3 labelled C]
Aims and Challenges | Attribute-Based Access Control | Adaptable to Constrained Devices
Aims and Challenges for this thesis work
Implement authorization of applications/actors in Calvin
Desired Functionality:
✓ Fine-grained authorization decisions on access to resources offered by a runtime
✓ Adaptable to different environments
✓ Usable as input for migration decisions in Calvin
Challenges
- Dynamic distributed execution model
  - All runtimes not known when execution starts
Attribute-Based Access Control (ABAC)
- Evaluate policy rules against attributes
  - Subject attributes
  - Resource attributes
  - Action attributes
  - Environment attributes
- Flexible and fine-grained access control
- XACML – XML-based ABAC standard
Who? What? When? Where? Why? How?
Adaptable to Constrained Devices
- Compact message and policy formats
  - JSON instead of XML
- Flexibility important
  - Local authorization – minimize network traffic
  - External authorization – minimize storage or processing power needs
Authorization Flow | Message and Policy Formats | Smart Migration | Conclusion
Authorization Flow
[Figure: authorization flow between User/Application/Actor, Policy Enforcement Point (PEP), Policy Decision Point (PDP), Policy Retrieval Point (PRP), Policy Information Point (PIP) and Policy Administration Point (PAP)]
1. Access required
2. Authorization request
3. Retrieve policies
4a. Evaluate policies
4b. Retrieve additional attributes
5. Authorization decision
6. Access permitted/denied
Other labels in the figure: Manage policies; Fetch data from different sources
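The numbered flow above, combined with the four attribute categories from the ABAC slide, as an added example that is not taken from the slides or from Calvin's code base. The JSON policy layout, the attribute name actor_signer and all function names are assumptions made for illustration; only media.Camera comes from the slides.

```python
import json
from datetime import time

# Constructed policy in a hypothetical JSON layout (not Calvin's policy format).
POLICIES = json.loads("""
[{"id": "camera-daytime",
  "target": {"subject": {"actor_signer": "signer-a"},
             "resource": {"type": "media.Camera"},
             "action": {"name": "use"}},
  "environment": {"after": "08:00", "before": "18:00"},
  "effect": "permit"}]
""")

def prp_retrieve(request):
    """Policy Retrieval Point (step 3): policies whose target matches the request."""
    def matches(target):
        return all(request.get(category, {}).get(name) == value
                   for category, attrs in target.items()
                   for name, value in attrs.items())
    return [p for p in POLICIES if matches(p["target"])]

def pip_lookup(name, clock):
    """Policy Information Point (step 4b): attributes the request did not carry."""
    return {"current_time": clock}[name]

def pdp_decide(request, clock):
    """Policy Decision Point (steps 3-5): first applicable policy wins, else deny."""
    for policy in prp_retrieve(request):
        env = policy["environment"]
        now = pip_lookup("current_time", clock)
        if time.fromisoformat(env["after"]) <= now < time.fromisoformat(env["before"]):
            return policy["effect"]
    return "deny"  # default-deny when no policy applies

def pep_access(request, clock):
    """Policy Enforcement Point (steps 1, 2 and 6): ask the PDP, enforce the answer."""
    return pdp_decide(request, clock) == "permit"

# Constructed request: subject, resource and action attributes; environment via PIP.
REQUEST = {"subject": {"actor_signer": "signer-a"},
           "resource": {"type": "media.Camera"},
           "action": {"name": "use"}}

if __name__ == "__main__":
    print(pep_access(REQUEST, time(12, 0)))   # inside the permitted window
    print(pep_access(REQUEST, time(22, 0)))   # outside the window
```

The clock is passed in explicitly so the environment attribute can be varied; a real PIP would read it from the runtime.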
Authorization Request
- Request sent by Policy Enforcement Point to Policy Decision Point to check if access should be granted to an actor