| 1 | OVERVIEW |
|---|
| 2 | |
|---|
| 3 | libabac is comprised of three main types of objects: credentials, roles, |
|---|
| 4 | and contexts. |
|---|
| 5 | |
|---|
| 6 | CREDENTIAL |
|---|
| 7 | |
|---|
| 8 | An ABAC credential is the most basic unit of an ABAC proof. It is a |
|---|
| 9 | signed assertion by a principal A that some other entity has a role r1. |
|---|
| 10 | Abstractly, it is one of the following (A and B principls, r1, r2, r3 |
|---|
| 11 | roles): |
|---|
| 12 | |
|---|
| 13 | A.r1 <- B |
|---|
| 14 | A.r1 <- B.r2 |
|---|
| 15 | A.r1 <- B.r2.r3 |
|---|
| 16 | |
|---|
| 17 | When interacting with libabac, a credential is represented by an X509 |
|---|
| 18 | attribute certificates and the associated issuer X509 identity |
|---|
| 19 | certificate. |
|---|
| 20 | |
|---|
| 21 | ROLE |
|---|
| 22 | |
|---|
| 23 | ABAC roles are the atomic units that form the head and tail of a |
|---|
| 24 | credential. The head will always be a proper role, which is to say it |
|---|
| 25 | takes form: |
|---|
| 26 | |
|---|
| 27 | A.r1 |
|---|
| 28 | |
|---|
| 29 | As seen in the CREDENTIAL section, the tail of a role can take one of |
|---|
| 30 | three forms: |
|---|
| 31 | |
|---|
| 32 | principal: B |
|---|
| 33 | role: B.r2 |
|---|
| 34 | linking role: B.r2.r3 |
|---|
| 35 | |
|---|
| 36 | For more information about the different types of roles, refer to |
|---|
| 37 | [Li03rt]. |
|---|
| 38 | |
|---|
| 39 | A principal in libabac is represented by the SHA1 hash of the public key |
|---|
| 40 | of its identity certificate. Therefore the credentials encoded in |
|---|
| 41 | attribute certificates look like this: |
|---|
| 42 | |
|---|
| 43 | e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <- |
|---|
| 44 | e93547826455a80d9488825a1d083ef6ef264107 |
|---|
| 45 | |
|---|
| 46 | CONTEXT |
|---|
| 47 | |
|---|
| 48 | An ABAC context object encapsulates a set of ABAC credentials and its |
|---|
| 49 | associated proof graph. The context supports the following operations: |
|---|
| 50 | |
|---|
| 51 | - load X509 identity certificate |
|---|
| 52 | - load X509 attribute certificate |
|---|
| 53 | - list all the credentials (attribute identity certificate pairs) |
|---|
| 54 | - query whether a principal has a given role |
|---|
| 55 | - duplicate context |
|---|
| 56 | |
|---|
| 57 | REFERENCES |
|---|
| 58 | |
|---|
| 59 | [Li03rt] |
|---|
| 60 | Li, N. and Mitchell, J. C. RT: A role-based trust-management |
|---|
| 61 | framework. In Proceedings of the Third DARPA Information |
|---|
| 62 | Survivability Conference and Exposition. IEEE Computer Society |
|---|
| 63 | Press, 201212. |
|---|
