source: doc/design @ 302f477

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 302f477 was 302f477, checked in by Mei <mei@…>, 13 years ago

1) insert a ABAC query using python into examples directory

(added to be part of runcheck)

2) tweak doc alittle bit more

  • Property mode set to 100644
File size: 11.1 KB
Line 
1OVERVIEW
2
3ABAC proves attributes about principals.
4
5libabac is comprised of three main types of objects: credentials, roles,
6and contexts.
7
8A typical use of ABAC is:
9
10    - create a context
11    - load some certificates
12    - add more certificates, possibly presented by another party
13    - make a query 'does principal B have the role A.r1?'
14         or a query 'is object B part of the oset A.o1?'
15
16CREDENTIAL
17
18An ABAC credential is the most basic unit of an ABAC proof.
19
20It is a signed assertion by a principal A that some other entity has a
21role r1.  Abstractly, it is one of the following (A, B principals;
22r1, r2, r3 roles):
23
24    A.r1 <- B
25    A.r1 <- B.r2
26    A.r1 <- B.r2.r3
27
28It is a signed assertion by a principal A that some other entity is
29an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object):
30
31    A.o1 <- O
32    A.o1 <- B.o2
33    A.o1 <- B.r1.o2
34
35
36When interacting with libabac, a credential is represented by an X509
37attribute certificates and the associated issuer X509 identity
38certificate.
39
40A principal is represented by the SHA1 hash of the public key of its
41identity certificate. Therefore when a credential is encoded in an
42attribute certificate, it will look something along the lines of:
43
44    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
45        e93547826455a80d9488825a1d083ef6ef264107
46
47ROLE
48
49ABAC roles are the atomic units that form the head and tail of a
50credential. The head will always be a proper role, which is to say it
51takes form:
52
53    A.r1
54
55As seen in the CREDENTIAL section, the tail of a role can take one of
56three forms:
57
58    principal:      B
59    role:           B.r2
60    linking role:   B.r2.r3
61
62For more information about the different types of roles, refer to
63[Li03rt].
64
65OSET
66
67ABAC osets are the atomic units that form the head and tail of a
68credential. The head will always be a proper oset, which is to say it
69takes form:
70
71    A.o1
72
73As seen in the CREDENTIAL section, the tail of a oset can take one of
74three forms:
75
76    object:         O
77    oset:           B.o2
78    linking oset:   B.r2.o3
79
80
81CONTEXT
82
83An ABAC context object encapsulates a set of ABAC credentials and its
84associated YAP clause db. The context supports the following operations:
85
86    - load X509 identity certificate
87    - load X509 attribute certificate
88    - list all the credentials (attribute identity certificate pairs)
89    - query whether a principal has a given role
90    - query whether an object belongs to a given o-set
91
92RT2
93
94RT2 is an more expressive logic than the original RT0 logic that ABAC
95supported.
96
97The RT2 specification extends the existing RT0 notation in 5 ways:
98
99        * More general principal specification to allow room for other
100          identity providers
101        * Explicit syntax for specifying RT2 objects
102        * Explicit type information to differentiate roles and o-sets.
103        * Explicit type information for RT1 and RT2 parameters
104        * Syntax for constraints
105
106These additions make the syntax both much less terse and much less
107ambiguous.
108
109A few words about RT1 and RT2 before we describe syntax.  RT1 parameterizes
110roles, that is, it attaches ordered, typed data to roles.  It also adds
111matching requirements to role derivations, including constraints.  The
112RT1 rule
113
114A.r(?x, ?y) <- A.s(1, ?y:[1..3]) & A.t(?y, ?x)
115
116requires that all instances of ?x and ?y on the right side have the same
117type and that the constraints on ?y in the first term are valid for that
118type.  There's no explicit typing in the rule notation of the papers,
119which this specification addresses.
120
121The data types in the papers inlcude integers, floats, dates, closed
122enumerations, and open enumerations.  Closed enumerations are things
123like C or C++ enums, with boolean being a specific example.  Open
124enumerations include things like principals.  For tractability we're
125going to want to define a specific set of data types, which we do
126below.
127
128RT2 allows principals to label data in the same way that they label
129principals.  The ABAC authors helpfully use the exact same syntax for
130assigining a label to a data object as they do for assigning a role to a
131principal, but the semantics are slightly different.  We add syntax
132that clarfies when data is being labelled and when principals are being
133labelled.  These "data roles" are called o-sets.
134
135On with the specification, from the basic chunks up to rules.
136
137Principal Names
138
139We've been using self-signed X.509 identity certificates as identities,
140and that's been a useful way to get started, but it would be nice to be
141able to use other identities in the future.  Now a principal name is not
142marked in the representation at all.  New principal IDs will be of the
143form: [idtype:A].  The idtype will define what valid characters in A
144will be, but in any event "]" must be escaped with a backslash.
145
146The current id's will be of idtype 'keyid', so only applying the
147principal extensions, the role A.r would be written [keyid:A].r, where A
148is the sha1 hash of the public key.  keyid principal names can include
149[0-9a-fA-F] (hex digits).
150
151I'm going to continue to use [keyid:A] here so not everything runs off
152the page.
153
154Data Objects
155
156The RT1 and RT2 parameters are loosely data objects.  RT1 allows one to
157reason about them, RT2 adds the ability to have principals make
158statements about these data objects.  Just as we need to represent
159principals including their type, we need to represent objects with their
160type.  We support following types:
161
162        int: 32-bit signed integers
163        float: floats in the range of an IEEE float.
164        time: a time expressed as yyyymmddThhmmss where the lower case
165                letters are digits and the T is a T.  Zulu time,
166                everything after the T is optional
167        boolean: true or false
168        urn: a resource named by a URN
169        string: a UTF-8 string.  This is a free space for people to
170                define local free-form attributes
171
172A particular object is specified by:
173
174[ type: name]
175
176Objects are always specified this way, because rules and assignments may
177come from many places and the typing information must mesh.
178
179Examples:
180
181        [boolean: true]
182        [int: 3454]
183        [float: -323.0] also [ float: 1]
184        [time: 20111109T122300] also [ time: 20101010T]
185        [urn:"file:///usr/local/bin/ls"]
186        [urn:"uuid://106c0cdd-0afb-11e1-90d8-14feb5e4012d"]
187        [string:"a string"]
188
189Roles and O-Sets
190
191In the ABAC papers, roles and o-sets look exactly alike, and one may
192have trouble understanding that they are different.  This spec
193explicitly types them for clarity.  Roles are prefixed by "role:" and
194o-sets by "oset:".
195
196The rule that places principal P in role A.r is written in the paper as
197
198A.r <- P
199
200In our notation:
201
202[keyid:A].role:r <- [keyid:P]
203
204The rule that places file P in o-set A.r is written in the paper as
205
206A.r <- P
207
208In our notation:
209
210[keyid:A].oset:r <- ["urn:file://P"]
211
212Similarly derivation rules like:
213
214A.r <- B.r
215
216become
217
218[keyid:A].role:r <- [keyid:B].role:r
219
220or
221
222[keyid:A].oset:r <- [keyid:B].oset:r
223
224depending on their intent.  It is an error to try (or probably to think):
225
226[keyid:A].oset:r <- [keyid:B].role:r
227
228Note also that
229
230[keyid:A].oset:os <- [keyid:B].role:r.oset:os
231
232Is the only valid linking credential for assigning o-sets.
233[keyid:B].role:r is a set of principals that may have defined an o-set
234(oset:os), but the members of an o-set could not have done so.
235
236Variables
237
238Both RT1 and RT2 allow rules defining roles or o-sets to match
239parameters using variable bindings.  We illustrate with roles here,
240though all of this holds for o-sets.  The variables may be named to
241specify connections between the role to be defined and the roles used to
242define it.
243
244For example the rule (in paper notation):
245
246A.evaluatorOf(?x) <- A.managerOf(?x)
247
248means that if
249
250A.managerOf(mikeryan) <- faber
251
252then
253
254A.evaluatorOf(mikeryan) <- faber
255
256is also true.  The two ?x es bind to the same thing.  For more complex
257rules, we have to make sure that the types are also consistent:
258
259A.example(?x) <- A.isInteger(?x) & A.isFloat(?x)
260
261?x is not allowed to match an integer-typed data object in the first
262clause and a float-typed one in the second.  The papers say this is an
263invalid rule, but without knowing the types of the parameters it cannot
264be checked.
265
266We adopt the same variable naming convention, but require them to be
267prefixed with the types above.  Variable names start with a ?, followed
268by a capitalized character and can contain [_\-a-zA-Z0-9], that is,
269alphanumerics, underscore and the hyphens.  ? is a valid anonymous
270variable name.  Multiple instances of ? in the same rule can bind to
271different types.
272
273This is OK:
274
275[keyid:A].role:weird([urn:?X]) <- [keyid:B].role:a([urn:?X], [int:?]) &
276        [keyid:C].role:b([urn:?X], [boolean:?])
277
278Other examples:
279
280[keyid:A].role:example([int:?X]) <- [keyid:A].role:isInteger([int:?X]) &
281        [keyid:A].role:isFloat([int:?X])
282
283is valid
284
285[keyid:A].role:example([int:?X]) <- [keyid:A].role:isInteger([int:?X]) &
286        [keyid:A].role:isFloat([float:?X])
287
288is not, because the types of ?X are different.
289
290
291In addition to the data object types, the "principal" type is allowed as
292well, indicating that the variable must match an ABAC principal.  The
293first example in this section is written:
294
295[keyid:A].role:evaluatorOf([principal:?X]) <-
296        [keyid:A].role:managerOf([principal:?X])
297
298Constraints
299
300A constraint is a static (RT1) or dynamic (RT2) set of valid choices for
301a parameter.  There are two kinds of constraint sets, static and
302dynamic.  A dynamic constraint set is an o-set or role.  Static
303constraint sets are a list of valid values.  Constraints are separated
304from a variable name by a colon (:).
305
306We specify a static set by enclosing the values in [] separated by
307commas.  Because the set is bound to a typed variable, the values
308in the set can omit the [type:], so we write:
309
310[keyid:A].role:r([int:?X:[1,3,5])
311
312not
313
314[keyid:A].role:r([int:?X:[[int:1],[int:3],[int:5]]])
315
316For ordered sets like integers, floats and dates, the .. sequence
317specifies a range:
318
319[keyid:A].role:r(int:?X:[1..5])
320
321in static constraint sets, commas, elipses (..), and the bracket
322characters [, ] must be escaped using a backslash (\) prefix.
323
324The constraint can also be an o-set (for objects) or a role (for a principal).
325
326[keyid:A].role:r([principal:?X:[[keyid:A].role:r1])
327[keyid:A].role:r([urn:?X:[[keyid:A].oset:o1])
328
329A Complex Example
330
331The example on p. 10 of "Design of a Role-Based Trust Management
332Framework" starts with the rule
333
334Alpha.fileAc(read, ?F:Alpha.documents(?proj)) <- Alpha.team(?proj)
335
336and says that given
337
338Alpha.documents(proj1) <- fileA
339Alpha.team(proj1) <- Bob
340
341one can conclude
342
343Alpha.fileAc(read, fileA) <- Bob
344
345In our notation the initial rule is encoded (note the mingling of o-sets
346and roles)
347
348[keyid:Alpha].role:fileAc([string:"read"],
349        [string:?F:[keyid:Alpha].oset:documents([string:?proj])])
350                <- [keyid:Alpha].role:team([string:?proj])
351
352and given
353
354[keyid:Alpha].oset:documents([string:"proj1"]) <- [string:"fileA"]
355[keyid:Alpha].role:team([string:"proj1"]) <- [keyid:Bob]
356
357one can conclude
358
359[keyid:Alpha].role:fileAc([string:"read"], [string:"fileA"]) <- [keyid:Bob]
360
361It is more verbose, but draws out the different roles and o-sets in
362play. 
363
364REFERENCES
365
366[Li03rt]
367    Li, N. and Mitchell, J. C. RT: A role-based trust-management
368    framework. In Proceedings of the Third DARPA Information
369    Survivability Conference and Exposition. IEEE Computer Society
370    Press, 201­212.
371
372
373
374http://groups.geni.net/geni/wiki/TIEDABACModel
375
376http://groups.geni.net/geni/wiki/TIEDABACDemo
Note: See TracBrowser for help on using the repository browser.