| 1 | OVERVIEW |
|---|
| 2 | |
|---|
| 3 | ABAC proves attributes about principals. |
|---|
| 4 | |
|---|
| 5 | libabac is comprised of three main types of objects: credentials, roles, |
|---|
| 6 | and contexts. |
|---|
| 7 | |
|---|
| 8 | A typical use of ABAC is: |
|---|
| 9 | |
|---|
| 10 | - create a context |
|---|
| 11 | - load some certificates |
|---|
| 12 | - clone the context |
|---|
| 13 | - add more certificates, possibly presented by another party |
|---|
| 14 | - make a query 'does principal B have the role A.r1?' |
|---|
| 15 | |
|---|
| 16 | CREDENTIAL |
|---|
| 17 | |
|---|
| 18 | An ABAC credential is the most basic unit of an ABAC proof. It is a |
|---|
| 19 | signed assertion by a principal A that some other entity has a role r1. |
|---|
| 20 | Abstractly, it is one of the following (A and B principls, r1, r2, r3 |
|---|
| 21 | roles): |
|---|
| 22 | |
|---|
| 23 | A.r1 <- B |
|---|
| 24 | A.r1 <- B.r2 |
|---|
| 25 | A.r1 <- B.r2.r3 |
|---|
| 26 | |
|---|
| 27 | When interacting with libabac, a credential is represented by an X509 |
|---|
| 28 | attribute certificates and the associated issuer X509 identity |
|---|
| 29 | certificate. |
|---|
| 30 | |
|---|
| 31 | A principal is represented by the SHA1 hash of the public key of its |
|---|
| 32 | identity certificate. Therefore when a credential is encoded in an |
|---|
| 33 | attribute certificate, it will look something along the lines of: |
|---|
| 34 | |
|---|
| 35 | e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <- |
|---|
| 36 | e93547826455a80d9488825a1d083ef6ef264107 |
|---|
| 37 | |
|---|
| 38 | ROLE |
|---|
| 39 | |
|---|
| 40 | ABAC roles are the atomic units that form the head and tail of a |
|---|
| 41 | credential. The head will always be a proper role, which is to say it |
|---|
| 42 | takes form: |
|---|
| 43 | |
|---|
| 44 | A.r1 |
|---|
| 45 | |
|---|
| 46 | As seen in the CREDENTIAL section, the tail of a role can take one of |
|---|
| 47 | three forms: |
|---|
| 48 | |
|---|
| 49 | principal: B |
|---|
| 50 | role: B.r2 |
|---|
| 51 | linking role: B.r2.r3 |
|---|
| 52 | |
|---|
| 53 | For more information about the different types of roles, refer to |
|---|
| 54 | [Li03rt]. |
|---|
| 55 | |
|---|
| 56 | CONTEXT |
|---|
| 57 | |
|---|
| 58 | An ABAC context object encapsulates a set of ABAC credentials and its |
|---|
| 59 | associated proof graph. The context supports the following operations: |
|---|
| 60 | |
|---|
| 61 | - load X509 identity certificate |
|---|
| 62 | - load X509 attribute certificate |
|---|
| 63 | - list all the credentials (attribute identity certificate pairs) |
|---|
| 64 | - query whether a principal has a given role |
|---|
| 65 | - duplicate context |
|---|
| 66 | |
|---|
| 67 | REFERENCES |
|---|
| 68 | |
|---|
| 69 | [Li03rt] |
|---|
| 70 | Li, N. and Mitchell, J. C. RT: A role-based trust-management |
|---|
| 71 | framework. In Proceedings of the Third DARPA Information |
|---|
| 72 | Survivability Conference and Exposition. IEEE Computer Society |
|---|
| 73 | Press, 201212. |
|---|
| 74 | |
|---|
| 75 | http://groups.geni.net/geni/wiki/TIEDABACModel |
|---|
| 76 | |
|---|
| 77 | http://groups.geni.net/geni/wiki/TIEDABACDemo |
|---|
