Skip to content

Create and retrieve the ownership for the created L2VPN #425

Description

@lmarinve

Ownership:

Type: string (Base64-encoded SHA-256 hash)
Length: 16 characters
Description: The ownership attribute uniquely identifies the authenticated CILogon user who creates a service. Leveraging the CILogon OpenID "sub" scope ensures secure authentication, authorization, and accounting (AAA).
Derivation Process:

  • Extract the unique user identifier from the CILogon "sub" attribute.
    Example: If sub = "http://cilogon.org/serverA/users/12345", extract "/serverA/users/12345".
  • Hash the extracted identifier using the SHA-256 algorithm.
  • Encode the hashed output in Base64 and trim it to the first 16 characters.
    Example output: "X4ZKjHeqCITviBb_", This computed value is stored and used as the ownership attribute.
    Usage in Service Provisioning:
  • The ownership attribute must be included when creating a service.
  • SDXLib and Meican validate the attribute before sending it to the SDX Controller.
  • The SDX Controller adds the ownership attribute to the database and uses it for filtering, authorization, and accounting queries.
    Usage in Manipulating Created L2VPNs:
  • When retrieving services, SDXLib and Meican must recompute and verify the ownership attribute against the authenticated user's CILogon " sub."
  • When requesting a list of L2VPNs, SDXLib and Meican must include the ownership attribute to filter the results in the request.
  • The SDX Controller returns only the L2VPNs where the ownership attribute matches the authenticated user’s computed ownership.
  • SDX Controller verifies the ownership before allowing modifications or deletions.
    This ensures users can only view, modify, or delete their L2VPNs while administrators have broader access based on role-based access control (RBAC).
  • Different endpoints will be restricted based on RBAC roles, ensuring access is granted only to permitted L2VPNs:
    Researcher: “CRUD” only their L2VPNs.
    Admin: CRUD” L2VPNs within their assigned organization.
    Super Admin: “CRUD” all L2VPNs across all organizations.
    Security & Access Control
  • Verification: The ownership value retrieved from SDX Controller must match the recomputed hash from the authenticated user’s CILogon sub.
  • Authorization: RBAC will be enforced at multiple levels:
    SDX Controller enforces database-level access control based on roles.
    SDXLib and Meican enforce UI-level access control, preventing unauthorized modifications.

Example
{
'name': 'Test SDX SC24 L2VPN',
'Endpoints':[
{'port_id':'urn:sdx:port:ampath.net:Novi03:5','vlan':'4015'},
{'port_id': 'urn:sdx:port:sax.net:Novi04:6', 'vlan': '4015'}
],
'ownership': 'ROVLwA1pgxor7GHP',
'notifications': [{'email': 'lmarinve@fiu.edu'}]
}

Metadata

Metadata

Assignees

Labels

No labels
No labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions