Managing Identity and Authorization for Community Clouds

A community cloud operates to serve multiple organizations who have entered into sharing arrangements with one or more cloud providers. Members of the participating organizations may also collaborate on shared projects, which may lead them to exercise shared control over virtual machines or other cloud-hosted resource instances. Software running in the cloud instances may serve the community members or act on their behalf. For these reasons a flexible framework for identity and authorization is essential for community clouds. This paper gives an overview of the trust framework adopted in NSF’s GENI project, which may be viewed as a multi-provider infrastructure cloud serving a community of researchers with various institutional and project affiliations. The authorization framework for GENI combines elements of existing solutions to related challenges: Web-based Single-Sign On and federated identity management (e.g., Shibboleth), virtual organizations in grid computing, access control based on roles or attributes, and public key cryptosystems with delegated trust and proxy certificates. The GENI solution uses a form of Attribute-Based Access Control (ABAC) incorporating a trust management logic and authorization policy language called Role-based Trust (RT).