source: doc/design @ 3529e2d

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 3529e2d was 3529e2d, checked in by Ted Faber <faber@…>, 13 years ago

Add RT2 syntax description

  • Property mode set to 100644
File size: 11.1 KB
Line 
1OVERVIEW
2
3ABAC proves attributes about principals.
4
5libabac is comprised of three main types of objects: credentials, roles,
6and contexts.
7
8A typical use of ABAC is:
9
10    - create a context
11    - load some certificates
12    - add more certificates, possibly presented by another party
13    - make a query 'does principal B have the role A.r1?'
14         or a query 'is object B part of the oset A.o1?'
15
16CREDENTIAL
17
18An ABAC credential is the most basic unit of an ABAC proof.
19
20It is a signed assertion by a principal A that some other entity has a
21role r1.  Abstractly, it is one of the following (A, B principals;
22r1, r2, r3 roles):
23
24    A.r1 <- B
25    A.r1 <- B.r2
26    A.r1 <- B.r2.r3
27
28It is a signed assertion by a principal A that some other entity is
29an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object):
30
31    A.o1 <- O
32    A.o1 <- B.o2
33    A.o1 <- B.r1.o2
34
35
36When interacting with libabac, a credential is represented by an X509
37attribute certificates and the associated issuer X509 identity
38certificate.
39
40A principal is represented by the SHA1 hash of the public key of its
41identity certificate. Therefore when a credential is encoded in an
42attribute certificate, it will look something along the lines of:
43
44    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
45        e93547826455a80d9488825a1d083ef6ef264107
46
47ROLE
48
49ABAC roles are the atomic units that form the head and tail of a
50credential. The head will always be a proper role, which is to say it
51takes form:
52
53    A.r1
54
55As seen in the CREDENTIAL section, the tail of a role can take one of
56three forms:
57
58    principal:      B
59    role:           B.r2
60    linking role:   B.r2.r3
61
62For more information about the different types of roles, refer to
63[Li03rt].
64
65OSET
66
67ABAC osets are the atomic units that form the head and tail of a
68credential. The head will always be a proper oset, which is to say it
69takes form:
70
71    A.o1
72
73As seen in the CREDENTIAL section, the tail of a oset can take one of
74three forms:
75
76    object:         O
77    oset:           B.o2
78    linking oset:   B.r2.o3
79
80
81CONTEXT
82
83An ABAC context object encapsulates a set of ABAC credentials and its
84associated YAP clause db. The context supports the following operations:
85
86    - load X509 identity certificate
87    - load X509 attribute certificate
88    - list all the credentials (attribute identity certificate pairs)
89    - query whether a principal has a given role
90
91RT2
92
93RT2 is an more expressive logic than the original RT0 logic that ABAC
94supported.
95
96The RT2 specification extends the existing RT0 notation in 5 ways:
97
98        * More general principal specification to allow room for other
99          identity providers
100        * Explicit syntax for specifying RT2 objects
101        * Explicit type information to differentiate roles and o-sets.
102        * Explicit type information for RT1 and RT2 parameters
103        * Syntax for constraints
104
105These additions make the syntax both much less terse and much less
106ambiguous.
107
108A few words about RT1 and RT2 before we describe syntax.  RT1 parameterizes
109roles, that is, it attaches ordered, typed data to roles.  It also adds
110matching requirements to role derivations, including constraints.  The
111RT1 rule
112
113A.r(?x, ?y) <- A.s(1, ?y:[1..3]) & A.t(?y, ?x)
114
115requires that all instances of ?x and ?y on the right side have the same
116type and that the constraints on ?y in the first term are valid for that
117type.  There's no explicit typing in the rule notation of the papers,
118which this specification addresses.
119
120The data types in the papers inlcude integers, floats, dates, closed
121enumerations, and open enumerations.  Closed enumerations are things
122like C or C++ enums, with boolean being a specific example.  Open
123enumerations include things like principals.  For tractability we're
124going to want to define a specific set of data types, which we do
125below.
126
127RT2 allows principals to label data in the same way that they label
128principals.  The ABAC authors helpfully use the exact same syntax for
129assigining a label to a data object as they do for assigning a role to a
130principal, but the semantics are slightly different.  We add syntax
131that clarfies when data is being labelled and when principals are being
132labelled.  These "data roles" are called o-sets.
133
134On with the specification, from the basic chunks up to rules.
135
136Principal Names
137
138We've been using self-signed X.509 identity certificates as identities,
139and that's been a useful way to get started, but it would be nice to be
140able to use other identities in the future.  Now a principal name is not
141marked in the representation at all.  New principal IDs will be of the
142form: [idtype:A].  The idtype will define what valid characters in A
143will be, but in any event "]" must be escaped with a backslash.
144
145The current id's will be of idtype 'keyid', so only applying the
146principal extensions, the role A.r would be written [keyid:A].r, where A
147is the sha1 hash of the public key.  keyid principal names can include
148[0-9a-fA-F] (hex digits).
149
150I'm going to continue to use [keyid:A] here so not everything runs off
151the page.
152
153Data Objects
154
155The RT1 and RT2 parameters are loosely data objects.  RT1 allows one to
156reason about them, RT2 adds the ability to have principals make
157statements about these data objects.  Just as we need to represent
158principals including their type, we need to represent objects with their
159type.  We support following types:
160
161        int: 32-bit signed integers
162        float: floats in the range of an IEEE float.
163        time: a time expressed as yyyymmddThhmmss where the lower case
164                letters are digits and the T is a T.  Zulu time,
165                everything after the T is optional
166        boolean: true or false
167        urn: a resource named by a URN
168        string: a UTF-8 string.  This is a free space for people to
169                define local free-form attributes
170
171A particular object is specified by:
172
173[ type: name]
174
175Objects are always specified this way, because rules and assignments may
176come from many places and the typing information must mesh.  The {}
177indicates this is data constant, as opposed to the variables below.
178
179Examples:
180
181        [boolean: true]
182        [int: 3454]
183        [float: -323.0] also [ float: 1]
184        [time: 20111109T122300] also [ time: 20101010]
185        [urn:"file:///usr/local/bin/ls"]
186        [urn:"uuid://106c0cdd-0afb-11e1-90d8-14feb5e4012d"]
187        [string:"a string"]
188
189Roles anfd O-Sets
190
191In the ABAC papers, roles and o-sets look exactly alike, and one may
192have trouble understanding that they are different.  This spec
193explicitly types them for clarity.  Roles are prefixed by "role:" and
194o-sets by "o-set:".
195
196The rule that places principal P in role A.r is written in the paper as
197
198A.r <- P
199
200In our notation:
201
202[keyid:A].role:r <- [keyid:P]
203
204The rule that places file P in o-set A.r is written in the paper as
205
206A.r <- P
207
208In our notation:
209
210[keyid:A].oset:r <- ["urn:file://P"]
211
212Similarly derivation rules like:
213
214A.r <- B.r
215
216become
217
218[keyid:A].role:r <- [keyid:B].role:r
219
220or
221
222[keyid:A].oset:r <- [keyid:B].oset:r
223
224depening on their intent.  It is an error to try (or probably to think):
225
226[keyid:A].oset:r <- [keyid:B].role:r
227
228Note also that
229
230[A.keyid].oset:os <- [keyid:B].role:r.oset:os
231
232Is the only valid linking credential for assigning o-sets.
233[keyid:B].role:r is a set of principals that may have defined an o-set
234(oset:os), but the members of an o-set could not have done so.
235
236Variables
237
238Both RT1 and RT2 allow rules defining roles or osets to match
239parameters using variable bindings.  We illustrate with roles here,
240though all of this holds for osets.  The variables may be named to
241specify connections between the role to be defined and the roles used to
242define it.
243
244For example the rule (in paper notation):
245
246A.evaluatorOf(?x) <- A.managerOf(?x)
247
248means that if
249
250A.managerOf(mikeryan) <- faber
251
252then
253
254A.evaluatorOf(mikeryan) <- faber
255
256is also true.  The two ?x es bind to the same thing.  For more complex
257rules, we have to make sure that the types are also consistent:
258
259A.example(?x) <- A.isInteger(?x) & A.isFloat(?x)
260
261?x is not allowed to match an integer-typed data object in the first
262clause and a float-typed one in the second.  The papers say this is an
263invalid rule, but without knowing the types of the parameters it cannot
264be checked.
265
266We adopt the same variable naming convention, but require them to be
267prefixed with the types above.  Variable names start with a ? and can
268contain [_a-zA-Z0-9] that is, alphanumerics and the underscore.  ? is a
269valid anonymous variable name.  Multiple instances of ? in the same rule
270can bind to different types.  This is OK:
271
272[keyid:A]role:weird([urn:?x]) <-
273        [keyid:B].role:a([urn:?x], [int:?]) & [keyid:C].role:b([urn:?x],
274                [boolean:?])
275
276Other examples:
277
278[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
279        [keyid:A].role:isFloat([int:?x])
280
281is valid
282
283[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
284        [keyid:A].role:isFloat([float:?x])
285
286is not because the types of ?x are different.
287
288
289In addition to the data object types, the "principal" type is allowed as
290well, indicating that the variable must match an ABAC principal.  The
291first example in this section is written:
292
293[keyid:A].role:evaluatorOf([principal:?x]) <-
294        [keyid:A].role:managerOf([principal:?x])
295
296Constraints
297
298A constraint is a static (RT1) or dynamic (RT2) set of valid choices for
299a parameter.  There are two kinds of constraint sets, static and
300dynamic.  A dynamic constraint set is an oset or role.  Static
301constraint sets are a list of valid values.  Constraints are separated
302from a variable name by a colon (:).
303
304We specify a static set by enclosing the values in [] separated by
305commas.  Because the set is bound to a typed variable the values in the
306set omit the [type:], so we write:
307
308[keyid:A].role:r([int:?x:[1,3,5])
309
310not
311
312[keyid:A].role:r([int:?x:[[int:1],[int:3],[int:5]])
313
314For ordered sets like integers and dates, the .. sequence specifies a
315range (floats may not be given ranges):
316
317[keyid:A].role:r(int:?x:[1..5])
318
319in static constraint sets, commas, elipses (..), and the bracket
320characters [, ] must be escaped using a backslash (\) prefix.
321
322The constraint can also be an oset (for objects) or a role (for a principal).
323
324[keyid:A].role:r([principal:?x:[[A].role:r1])
325[keyid:A].role:r([urn:?x:[[A].oset:o1])
326
327A Complex Example
328
329The example on p. 10 of "Design of a Role-Based Trust Management
330Framework" starts with the rule
331
332Alpha.fileAc(read, ?F:Alpha.documents(?proj)) <- Alpha.team(?proj)
333
334and says that given
335
336Alpha.documents(proj1) <- fileA
337Alpha.team(proj1) <- Bob
338
339one can conclude
340
341Alpha.fileAc(read, fileA) <- Bob
342
343In our notation the initial rule is encoded (note the mingling of o-sets
344and roles)
345
346[keyid:Alpha].role:fileAc([string:"read"],
347        [string:?F:[keyid:Alpha].o-set:documents([string:?proj])])
348                <- [keyid:Alpha].role:team([string:?proj])
349
350and given
351
352[keyid:Alpha].o-set:documents([string:"proj1"]) <- [string:"fileA"]
353[keyid:Alpha].role:team([string:"proj1"]) <- [keyid:Bob]
354
355one can conclude
356
357[keyid:Alpha].role:fileAc([string:"read"], [string:"fileA"]) <- [keyid:Bob]
358
359It is more verbose, but draws out the different roles and o-sets in
360play. 
361
362REFERENCES
363
364[Li03rt]
365    Li, N. and Mitchell, J. C. RT: A role-based trust-management
366    framework. In Proceedings of the Third DARPA Information
367    Survivability Conference and Exposition. IEEE Computer Society
368    Press, 201­212.
369
370
371
372http://groups.geni.net/geni/wiki/TIEDABACModel
373
374http://groups.geni.net/geni/wiki/TIEDABACDemo
Note: See TracBrowser for help on using the repository browser.