source: doc/design @ 04f5da1

abac0-leakabac0-meicompt_changesgec13mei-idmei-rt0-nmei_rt0mei_rt2mei_rt2_fix_1meiyap-rt1meiyap1rt2tvf-new-xml
Last change on this file since 04f5da1 was 22414c9, checked in by Mike Ryan <mikeryan@…>, 14 years ago

include references to GENI web site

  • Property mode set to 100644
File size: 2.2 KB
RevLine 
[fe5682f]1OVERVIEW
2
[80f6450]3ABAC proves attributes about principals.
4
[fe5682f]5libabac is comprised of three main types of objects: credentials, roles,
6and contexts.
7
[80f6450]8A typical use of ABAC is:
9
10    - create a context
11    - load some certificates
12    - clone the context
13    - add more certificates, possibly presented by another party
14    - make a query 'does principal B have the role A.r1?'
15
[fe5682f]16CREDENTIAL
17
18An ABAC credential is the most basic unit of an ABAC proof. It is a
19signed assertion by a principal A that some other entity has a role r1.
20Abstractly, it is one of the following (A and B principls, r1, r2, r3
21roles):
22
23    A.r1 <- B
24    A.r1 <- B.r2
25    A.r1 <- B.r2.r3
26
27When interacting with libabac, a credential is represented by an X509
28attribute certificates and the associated issuer X509 identity
29certificate.
30
[80f6450]31A principal is represented by the SHA1 hash of the public key of its
32identity certificate. Therefore when a credential is encoded in an
33attribute certificate, it will look something along the lines of:
34
35    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
36        e93547826455a80d9488825a1d083ef6ef264107
37
[fe5682f]38ROLE
39
40ABAC roles are the atomic units that form the head and tail of a
41credential. The head will always be a proper role, which is to say it
42takes form:
43
44    A.r1
45
46As seen in the CREDENTIAL section, the tail of a role can take one of
47three forms:
48
49    principal:      B
50    role:           B.r2
51    linking role:   B.r2.r3
52
53For more information about the different types of roles, refer to
54[Li03rt].
55
56CONTEXT
57
58An ABAC context object encapsulates a set of ABAC credentials and its
59associated proof graph. The context supports the following operations:
60
61    - load X509 identity certificate
62    - load X509 attribute certificate
63    - list all the credentials (attribute identity certificate pairs)
64    - query whether a principal has a given role
65    - duplicate context
66
67REFERENCES
68
69[Li03rt]
70    Li, N. and Mitchell, J. C. RT: A role-based trust-management
71    framework. In Proceedings of the Third DARPA Information
72    Survivability Conference and Exposition. IEEE Computer Society
73    Press, 201­212.
[22414c9]74
75http://groups.geni.net/geni/wiki/TIEDABACModel
76
77http://groups.geni.net/geni/wiki/TIEDABACDemo
Note: See TracBrowser for help on using the repository browser.