Aranya Documentation: An overview of the Aranya project

Access Management (Control Plane)

Aranya allows the application to enforce Identity and Access Management (IDAM) via decentralized Role-Based Access Control (RBAC) and Attribute-Based Access Control (ABAC). Device permissions are managed via RBAC and are enforced by the policy on every endpoint. Other permissions like usage of the data plane are governed by assigning labels (attributes) that grant devices permission to communicate with other devices.

Device Roles

For devices, the Aranya policy defines a set of roles that can be assigned to devices:

  • Owner:
    • Initialize/terminate Team.
    • Add (new) / remove Members.
    • Assign/revoke Owner role.
    • Assign/revoke Admin role.
    • Assign/revoke Operator role.
    • Define/undefine AQC channel label.
    • Assign/revoke AQC channel label.
    • Set/unset AQC network identifier.
  • Admin:
    • Assign/revoke Operator role.
    • Define/undefine AQC channel label.
    • Revoke AQC channel label.
    • Unset AQC network identifier.
  • Operator:
    • Add (new) / remove Member.
    • Define AQC channel label.
    • Assign/revoke AQC channel label.
    • Set/unset AQC address and name.
  • Member:
    • Create/delete AQC channel.

See the default policy for more information.

Each device can have a single role, and each role has tightly scoped permissions. Role assignments are stored on graph, meaning assignment and revocation are enforced on each device. Before performing an operation, the device’s role is checked against the policy to verify its permissions. When other devices process commands from this device, they will also check for valid permissions.

Onboarding and revocation

Devices can only be onboarded to the team under the Member role, so the role assignment commands can be thought of as a promotion of the device's single role. Similarly, only a device holding the Member role can be removed from the team, so the role revocation commands simply demote any higher role back down to Member.

Labels

Labels are used to define access to use data planes like AQC. In order for a device to utilize AQC, a label must be defined and assigned to that device and the peer they intend to communicate with.

Creation and Assignment

Labels have three levels of access control: permission to define, permission to assign, and permission to utilize. Channel labels can be defined by any device with the Operator, Admin, or Owner role. Before a device can utilize a label, a device with the Operator (or Owner) role must assign that label to the member.

Revocation

Labels can be revoked in two ways: direct revocation for a specific device, and undefining the label. Operators, Admins, and Owners can directly revoke a label from a device. Revoking a label from a device directly causes any peers that were communicating with that device to drop the channel and refuse future messages.

NOTE: In the current version (v1.0.0) revocation of a label will not close the associated AQC channels. This will change in a future release.

How permissions are enforced

Aranya uses endpoint enforcement for the policy. Whenever an operation that requires a permission check is attempted, the device checks it against the current policy using the set of commands it currently knows about. Using that information, the device decides whether to accept or reject the operation.
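The following is an added example, not Aranya's own code or client API, that puts the role lists, the onboarding/revocation rules, the label lifecycle and the endpoint check described on this page into one executable model. Every name in it (`Team`, `require`, `role_managers`, `may_open_channel`, the device and label names) is an assumption made for illustration; the real Aranya policy language is not shown here. It models the documented intent that a peer refuses a channel once a label is revoked, which the v1.0.0 note above says does not yet close already-open channels.

```rust
// Added example, not Aranya's own code or API: a toy model of the role matrix and
// label lifecycle described on this page. Every name below (Team, require, ...) is
// an assumption; Aranya's real policy language and client API are not shown here.
use std::collections::{HashMap, HashSet};

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Role { Member, Operator, Admin, Owner }

type Res = Result<(), String>;

/// Team state as each device reconstructs it from the shared command graph.
#[derive(Default)]
pub struct Team {
    roles: HashMap<String, Role>,
    defined_labels: HashSet<String>,
    device_labels: HashMap<String, HashSet<String>>,
}

impl Team {
    /// The device that initialises the team is its first Owner.
    pub fn init(owner: &str) -> Team {
        let mut t = Team::default();
        t.roles.insert(owner.to_string(), Role::Owner);
        t
    }
    pub fn role_of(&self, device: &str) -> Result<Role, String> {
        self.roles.get(device).copied().ok_or(format!("{device} is not on the team"))
    }
    /// Endpoint enforcement: the actor's current role must be one the role lists
    /// above allow for the command; `allowed` is transcribed per method.
    fn require(&self, actor: &str, allowed: &[Role]) -> Res {
        let role = self.role_of(actor)?;
        if allowed.contains(&role) { Ok(()) } else { Err(format!("{actor} ({role:?}) is not permitted")) }
    }
    /// Onboarding: a device can only join as Member (added by an Owner or Operator).
    pub fn add_member(&mut self, actor: &str, device: &str) -> Res {
        self.require(actor, &[Role::Owner, Role::Operator])?;
        self.roles.insert(device.to_string(), Role::Member);
        Ok(())
    }
    /// Only a Member can be removed, so higher roles must be revoked first.
    pub fn remove_member(&mut self, actor: &str, device: &str) -> Res {
        self.require(actor, &[Role::Owner, Role::Operator])?;
        if self.role_of(device)? != Role::Member { return Err(format!("{device} must be demoted to Member first")); }
        self.roles.remove(device);
        self.device_labels.remove(device);
        Ok(())
    }
    /// Who may assign or revoke a given role: Owner for any role, Admin for Operator only.
    fn role_managers(role: Role) -> Result<&'static [Role], String> {
        let managers: &'static [Role] = match role {
            Role::Owner | Role::Admin => &[Role::Owner],
            Role::Operator => &[Role::Owner, Role::Admin],
            Role::Member => return Err("Member is onboarded, never assigned".to_string()),
        };
        Ok(managers)
    }
    /// Assigning a role promotes the device's single role.
    pub fn assign_role(&mut self, actor: &str, device: &str, role: Role) -> Res {
        self.require(actor, Self::role_managers(role)?)?;
        self.role_of(device)?;
        self.roles.insert(device.to_string(), role);
        Ok(())
    }
    /// Revoking a role demotes the device back to Member; it never removes it.
    pub fn revoke_role(&mut self, actor: &str, device: &str, role: Role) -> Res {
        self.require(actor, Self::role_managers(role)?)?;
        if self.role_of(device)? != role { return Err(format!("{device} does not hold {role:?}")); }
        self.roles.insert(device.to_string(), Role::Member);
        Ok(())
    }
    /// Labels: define (Operator/Admin/Owner), assign (Operator/Owner), revoke (Operator/Admin/Owner).
    pub fn define_label(&mut self, actor: &str, label: &str) -> Res {
        self.require(actor, &[Role::Owner, Role::Admin, Role::Operator])?;
        self.defined_labels.insert(label.to_string());
        Ok(())
    }
    pub fn assign_label(&mut self, actor: &str, device: &str, label: &str) -> Res {
        self.require(actor, &[Role::Owner, Role::Operator])?;
        if !self.defined_labels.contains(label) { return Err(format!("label {label} is not defined")); }
        self.role_of(device)?;
        self.device_labels.entry(device.to_string()).or_default().insert(label.to_string());
        Ok(())
    }
    pub fn revoke_label(&mut self, actor: &str, device: &str, label: &str) -> Res {
        self.require(actor, &[Role::Owner, Role::Admin, Role::Operator])?;
        if let Some(set) = self.device_labels.get_mut(device) { set.remove(label); }
        Ok(())
    }
    /// An AQC channel under `label` needs the label defined and assigned to both endpoints.
    pub fn may_open_channel(&self, a: &str, b: &str, label: &str) -> bool {
        let holds = |d: &str| self.device_labels.get(d).map_or(false, |s| s.contains(label));
        self.defined_labels.contains(label) && holds(a) && holds(b)
    }
}

fn main() {
    // Constructed scenario: "sensor" and "gateway" are hypothetical devices.
    let mut t = Team::init("owner");
    t.add_member("owner", "sensor").unwrap();
    t.add_member("owner", "gateway").unwrap();
    t.define_label("owner", "telemetry").unwrap();
    t.assign_label("owner", "sensor", "telemetry").unwrap();
    println!("one endpoint labelled:   {}", t.may_open_channel("sensor", "gateway", "telemetry"));
    t.assign_label("owner", "gateway", "telemetry").unwrap();
    println!("both endpoints labelled: {}", t.may_open_channel("sensor", "gateway", "telemetry"));
}
```

Each mutating method runs the role check first and only then applies the change, mirroring the endpoint enforcement model: a device that receives such a command from a peer would run the same `require` check against its own view of the graph before accepting it.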