source: doc/design @ 9806e76

Last change on this file since 9806e76 was 9806e76, checked in by Mei <mei@…>, 13 years ago

1) add handling for typed anonymous term, [int:?]
2) make a pass through abac/doc
3) fix up creddy to take oset option at different calls

OVERVIEW

ABAC proves attributes about principals.

libabac is comprised of three main types of objects: credentials, roles,
and contexts.

A typical use of ABAC is:

    - create a context
    - load some certificates
    - add more certificates, possibly presented by another party
    - make a query 'does principal B have the role A.r1?'
         or a query 'is object B part of the oset A.o1?'

CREDENTIAL

An ABAC credential is the most basic unit of an ABAC proof.

It is a signed assertion by a principal A that some other entity has a
role r1.  Abstractly, it is one of the following (A, B principals;
r1, r2, r3 roles):

    A.r1 <- B
    A.r1 <- B.r2
    A.r1 <- B.r2.r3

Alternatively, it is a signed assertion by a principal A that some other
entity is an object of oset o1 (A, B principals; r1 role; o1, o2 osets;
O object):

    A.o1 <- O
    A.o1 <- B.o2
    A.o1 <- B.r1.o2

When interacting with libabac, a credential is represented by an X509
attribute certificate and the associated issuer X509 identity
certificate.

A principal is represented by the SHA1 hash of the public key of its
identity certificate. Therefore when a credential is encoded in an
attribute certificate, it will look something along the lines of:

    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
        e93547826455a80d9488825a1d083ef6ef264107

ROLE

ABAC roles are the atomic units that form the head and tail of a
credential. The head will always be a proper role, which is to say it
takes the form:

    A.r1

As seen in the CREDENTIAL section, the tail can take one of three
forms:

    principal:      B
    role:           B.r2
    linking role:   B.r2.r3

For more information about the different types of roles, refer to
[Li03rt].

OSET

ABAC osets are the atomic units that form the head and tail of a
credential. The head will always be a proper oset, which is to say it
takes the form:

    A.o1

As seen in the CREDENTIAL section, the tail of an oset can take one of
three forms:

    object:         O
    oset:           B.o2
    linking oset:   B.r2.o3

CONTEXT

An ABAC context object encapsulates a set of ABAC credentials and the
associated YAP clause db. The context supports the following operations:

    - load X509 identity certificate
    - load X509 attribute certificate
    - list all the credentials (attribute/identity certificate pairs)
    - query whether a principal has a given role

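The following is an added example, not libabac's own code (libabac compiles credentials into YAP clauses and queries the clause db): a small fixpoint evaluator for the three credential tail forms above, answering the 'does principal B have the role A.r1?' query. The principal, role and oset names in the sample credentials are constructed.

```python
"""Fixpoint evaluator for the three RT credential forms shown above.
Example code added to this page, not libabac's implementation; the
sample credentials below are constructed."""
from collections import defaultdict

def parse(cred):
    """Split 'A.r1 <- B.r2.r3' into head (A, 'r1') and tail ('B', 'r2', 'r3')."""
    head, tail = (s.strip() for s in cred.split("<-"))
    a, r = head.split(".")
    parts = tuple(tail.split("."))
    if len(parts) not in (1, 2, 3):
        raise ValueError("tail must be B, B.r2 or B.r2.r3: %r" % tail)
    return (a, r), parts

def members(creds):
    """Return {(A, r): entities} closed under the credentials; osets use the same forms."""
    rules = [parse(c) for c in creds]
    mem = defaultdict(set)
    changed = True
    while changed:  # rules only ever add members, so iteration reaches a fixpoint
        changed = False
        for head, tail in rules:
            before = len(mem[head])
            if len(tail) == 1:                 # A.r1 <- B        (principal / object)
                mem[head].add(tail[0])
            elif len(tail) == 2:               # A.r1 <- B.r2     (role / oset)
                mem[head] |= mem[tail]
            else:                              # A.r1 <- B.r2.r3  (linking role / oset)
                b, r2, r3 = tail
                for c in list(mem[(b, r2)]):   # every member C of B.r2 contributes C.r3
                    mem[head] |= mem[(c, r3)]
            changed |= len(mem[head]) != before
    return mem

def has_role(creds, principal, role):
    """Answer 'does principal have the role A.r1?' (or 'is O in the oset A.o1?')."""
    a, r = role.split(".")
    return principal in members(creds)[(a, r)]

# Constructed sample: Acme grants 'access' to its staff and to friends of its partners.
CREDS = [
    "Acme.partner <- Widget",
    "Widget.friend <- Bob",
    "Acme.staff <- Alice",
    "Acme.access <- Acme.staff",            # role
    "Acme.access <- Acme.partner.friend",   # linking role
    "Acme.project <- Acme.partner.repo",    # linking oset
    "Widget.repo <- doc_server",            # object
]
```
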
91REFERENCES
92
93[Li03rt]
94    Li, N. and Mitchell, J. C. RT: A role-based trust-management
95    framework. In Proceedings of the Third DARPA Information
96    Survivability Conference and Exposition. IEEE Computer Society
97    Press, 201­212.
[22414c9]98
[9806e76]99
100
[22414c9]101http://groups.geni.net/geni/wiki/TIEDABACModel
102
103http://groups.geni.net/geni/wiki/TIEDABACDemo