Ownership:
Type: string (Base64-encoded SHA-256 hash)
Length: 16 characters
Description: The ownership attribute uniquely identifies the authenticated CILogon user who creates a service. Leveraging the CILogon OpenID "sub" scope ensures secure authentication, authorization, and accounting (AAA).
Derivation Process:
- Extract the unique user identifier from the CILogon "sub" attribute.
Example: If sub = "http://cilogon.org/serverA/users/12345", extract "/serverA/users/12345".
- Hash the extracted identifier using the SHA-256 algorithm.
- Encode the hashed output in Base64 and trim it to the first 16 characters.
Example output: "X4ZKjHeqCITviBb_", This computed value is stored and used as the ownership attribute.
Usage in Service Provisioning:
- The ownership attribute must be included when creating a service.
- SDXLib and Meican validate the attribute before sending it to the SDX Controller.
- The SDX Controller adds the ownership attribute to the database and uses it for filtering, authorization, and accounting queries.
Usage in Manipulating Created L2VPNs:
- When retrieving services, SDXLib and Meican must recompute and verify the ownership attribute against the authenticated user's CILogon " sub."
- When requesting a list of L2VPNs, SDXLib and Meican must include the ownership attribute to filter the results in the request.
- The SDX Controller returns only the L2VPNs where the ownership attribute matches the authenticated user’s computed ownership.
- SDX Controller verifies the ownership before allowing modifications or deletions.
This ensures users can only view, modify, or delete their L2VPNs while administrators have broader access based on role-based access control (RBAC).
- Different endpoints will be restricted based on RBAC roles, ensuring access is granted only to permitted L2VPNs:
Researcher: “CRUD” only their L2VPNs.
Admin: CRUD” L2VPNs within their assigned organization.
Super Admin: “CRUD” all L2VPNs across all organizations.
Security & Access Control
- Verification: The ownership value retrieved from SDX Controller must match the recomputed hash from the authenticated user’s CILogon sub.
- Authorization: RBAC will be enforced at multiple levels:
SDX Controller enforces database-level access control based on roles.
SDXLib and Meican enforce UI-level access control, preventing unauthorized modifications.
Example
{
'name': 'Test SDX SC24 L2VPN',
'Endpoints':[
{'port_id':'urn:sdx:port:ampath.net:Novi03:5','vlan':'4015'},
{'port_id': 'urn:sdx:port:sax.net:Novi04:6', 'vlan': '4015'}
],
'ownership': 'ROVLwA1pgxor7GHP',
'notifications': [{'email': 'lmarinve@fiu.edu'}]
}
Ownership:
Type: string (Base64-encoded SHA-256 hash)
Length: 16 characters
Description: The ownership attribute uniquely identifies the authenticated CILogon user who creates a service. Leveraging the CILogon OpenID "sub" scope ensures secure authentication, authorization, and accounting (AAA).
Derivation Process:
Example: If sub = "http://cilogon.org/serverA/users/12345", extract "/serverA/users/12345".
Example output: "X4ZKjHeqCITviBb_", This computed value is stored and used as the ownership attribute.
Usage in Service Provisioning:
Usage in Manipulating Created L2VPNs:
This ensures users can only view, modify, or delete their L2VPNs while administrators have broader access based on role-based access control (RBAC).
Researcher: “CRUD” only their L2VPNs.
Admin: CRUD” L2VPNs within their assigned organization.
Super Admin: “CRUD” all L2VPNs across all organizations.
Security & Access Control
SDX Controller enforces database-level access control based on roles.
SDXLib and Meican enforce UI-level access control, preventing unauthorized modifications.
Example
{
'name': 'Test SDX SC24 L2VPN',
'Endpoints':[
{'port_id':'urn:sdx:port:ampath.net:Novi03:5','vlan':'4015'},
{'port_id': 'urn:sdx:port:sax.net:Novi04:6', 'vlan': '4015'}
],
'ownership': 'ROVLwA1pgxor7GHP',
'notifications': [{'email': 'lmarinve@fiu.edu'}]
}