1 | OVERVIEW |
---|
2 | |
---|
3 | ABAC proves attributes about principals. |
---|
4 | |
---|
5 | libabac is comprised of three main types of objects: credentials, roles, |
---|
6 | and contexts. |
---|
7 | |
---|
8 | A typical use of ABAC is: |
---|
9 | |
---|
10 | - create a context |
---|
11 | - load some certificates |
---|
12 | - add more certificates, possibly presented by another party |
---|
13 | - make a query 'does principal B have the role A.r1?' |
---|
14 | or a query 'is object B part of the oset A.o1?' |
---|
15 | |
---|
16 | CREDENTIAL |
---|
17 | |
---|
18 | An ABAC credential is the most basic unit of an ABAC proof. |
---|
19 | |
---|
20 | It is a signed assertion by a principal A that some other entity has a |
---|
21 | role r1. Abstractly, it is one of the following (A, B principals; |
---|
22 | r1, r2, r3 roles): |
---|
23 | |
---|
24 | A.r1 <- B |
---|
25 | A.r1 <- B.r2 |
---|
26 | A.r1 <- B.r2.r3 |
---|
27 | |
---|
28 | It is a signed assertion by a principal A that some other entity is |
---|
29 | an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object): |
---|
30 | |
---|
31 | A.o1 <- O |
---|
32 | A.o1 <- B.o2 |
---|
33 | A.o1 <- B.r1.o2 |
---|
34 | |
---|
35 | |
---|
36 | When interacting with libabac, a credential is represented by an X509 |
---|
37 | attribute certificates and the associated issuer X509 identity |
---|
38 | certificate. |
---|
39 | |
---|
40 | A principal is represented by the SHA1 hash of the public key of its |
---|
41 | identity certificate. Therefore when a credential is encoded in an |
---|
42 | attribute certificate, it will look something along the lines of: |
---|
43 | |
---|
44 | e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <- |
---|
45 | e93547826455a80d9488825a1d083ef6ef264107 |
---|
46 | |
---|
47 | ROLE |
---|
48 | |
---|
49 | ABAC roles are the atomic units that form the head and tail of a |
---|
50 | credential. The head will always be a proper role, which is to say it |
---|
51 | takes form: |
---|
52 | |
---|
53 | A.r1 |
---|
54 | |
---|
55 | As seen in the CREDENTIAL section, the tail of a role can take one of |
---|
56 | three forms: |
---|
57 | |
---|
58 | principal: B |
---|
59 | role: B.r2 |
---|
60 | linking role: B.r2.r3 |
---|
61 | |
---|
62 | For more information about the different types of roles, refer to |
---|
63 | [Li03rt]. |
---|
64 | |
---|
65 | OSET |
---|
66 | |
---|
67 | ABAC osets are the atomic units that form the head and tail of a |
---|
68 | credential. The head will always be a proper oset, which is to say it |
---|
69 | takes form: |
---|
70 | |
---|
71 | A.o1 |
---|
72 | |
---|
73 | As seen in the CREDENTIAL section, the tail of a oset can take one of |
---|
74 | three forms: |
---|
75 | |
---|
76 | object: O |
---|
77 | oset: B.o2 |
---|
78 | linking oset: B.r2.o3 |
---|
79 | |
---|
80 | |
---|
81 | CONTEXT |
---|
82 | |
---|
83 | An ABAC context object encapsulates a set of ABAC credentials and its |
---|
84 | associated YAP clause db. The context supports the following operations: |
---|
85 | |
---|
86 | - load X509 identity certificate |
---|
87 | - load X509 attribute certificate |
---|
88 | - list all the credentials (attribute identity certificate pairs) |
---|
89 | - query whether a principal has a given role |
---|
90 | |
---|
91 | RT2 |
---|
92 | |
---|
93 | RT2 is an more expressive logic than the original RT0 logic that ABAC |
---|
94 | supported. |
---|
95 | |
---|
96 | The RT2 specification extends the existing RT0 notation in 5 ways: |
---|
97 | |
---|
98 | * More general principal specification to allow room for other |
---|
99 | identity providers |
---|
100 | * Explicit syntax for specifying RT2 objects |
---|
101 | * Explicit type information to differentiate roles and o-sets. |
---|
102 | * Explicit type information for RT1 and RT2 parameters |
---|
103 | * Syntax for constraints |
---|
104 | |
---|
105 | These additions make the syntax both much less terse and much less |
---|
106 | ambiguous. |
---|
107 | |
---|
108 | A few words about RT1 and RT2 before we describe syntax. RT1 parameterizes |
---|
109 | roles, that is, it attaches ordered, typed data to roles. It also adds |
---|
110 | matching requirements to role derivations, including constraints. The |
---|
111 | RT1 rule |
---|
112 | |
---|
113 | A.r(?x, ?y) <- A.s(1, ?y:[1..3]) & A.t(?y, ?x) |
---|
114 | |
---|
115 | requires that all instances of ?x and ?y on the right side have the same |
---|
116 | type and that the constraints on ?y in the first term are valid for that |
---|
117 | type. There's no explicit typing in the rule notation of the papers, |
---|
118 | which this specification addresses. |
---|
119 | |
---|
120 | The data types in the papers inlcude integers, floats, dates, closed |
---|
121 | enumerations, and open enumerations. Closed enumerations are things |
---|
122 | like C or C++ enums, with boolean being a specific example. Open |
---|
123 | enumerations include things like principals. For tractability we're |
---|
124 | going to want to define a specific set of data types, which we do |
---|
125 | below. |
---|
126 | |
---|
127 | RT2 allows principals to label data in the same way that they label |
---|
128 | principals. The ABAC authors helpfully use the exact same syntax for |
---|
129 | assigining a label to a data object as they do for assigning a role to a |
---|
130 | principal, but the semantics are slightly different. We add syntax |
---|
131 | that clarfies when data is being labelled and when principals are being |
---|
132 | labelled. These "data roles" are called o-sets. |
---|
133 | |
---|
134 | On with the specification, from the basic chunks up to rules. |
---|
135 | |
---|
136 | Principal Names |
---|
137 | |
---|
138 | We've been using self-signed X.509 identity certificates as identities, |
---|
139 | and that's been a useful way to get started, but it would be nice to be |
---|
140 | able to use other identities in the future. Now a principal name is not |
---|
141 | marked in the representation at all. New principal IDs will be of the |
---|
142 | form: [idtype:A]. The idtype will define what valid characters in A |
---|
143 | will be, but in any event "]" must be escaped with a backslash. |
---|
144 | |
---|
145 | The current id's will be of idtype 'keyid', so only applying the |
---|
146 | principal extensions, the role A.r would be written [keyid:A].r, where A |
---|
147 | is the sha1 hash of the public key. keyid principal names can include |
---|
148 | [0-9a-fA-F] (hex digits). |
---|
149 | |
---|
150 | I'm going to continue to use [keyid:A] here so not everything runs off |
---|
151 | the page. |
---|
152 | |
---|
153 | Data Objects |
---|
154 | |
---|
155 | The RT1 and RT2 parameters are loosely data objects. RT1 allows one to |
---|
156 | reason about them, RT2 adds the ability to have principals make |
---|
157 | statements about these data objects. Just as we need to represent |
---|
158 | principals including their type, we need to represent objects with their |
---|
159 | type. We support following types: |
---|
160 | |
---|
161 | int: 32-bit signed integers |
---|
162 | float: floats in the range of an IEEE float. |
---|
163 | time: a time expressed as yyyymmddThhmmss where the lower case |
---|
164 | letters are digits and the T is a T. Zulu time, |
---|
165 | everything after the T is optional |
---|
166 | boolean: true or false |
---|
167 | urn: a resource named by a URN |
---|
168 | string: a UTF-8 string. This is a free space for people to |
---|
169 | define local free-form attributes |
---|
170 | |
---|
171 | A particular object is specified by: |
---|
172 | |
---|
173 | [ type: name] |
---|
174 | |
---|
175 | Objects are always specified this way, because rules and assignments may |
---|
176 | come from many places and the typing information must mesh. The {} |
---|
177 | indicates this is data constant, as opposed to the variables below. |
---|
178 | |
---|
179 | Examples: |
---|
180 | |
---|
181 | [boolean: true] |
---|
182 | [int: 3454] |
---|
183 | [float: -323.0] also [ float: 1] |
---|
184 | [time: 20111109T122300] also [ time: 20101010] |
---|
185 | [urn:"file:///usr/local/bin/ls"] |
---|
186 | [urn:"uuid://106c0cdd-0afb-11e1-90d8-14feb5e4012d"] |
---|
187 | [string:"a string"] |
---|
188 | |
---|
189 | Roles anfd O-Sets |
---|
190 | |
---|
191 | In the ABAC papers, roles and o-sets look exactly alike, and one may |
---|
192 | have trouble understanding that they are different. This spec |
---|
193 | explicitly types them for clarity. Roles are prefixed by "role:" and |
---|
194 | o-sets by "o-set:". |
---|
195 | |
---|
196 | The rule that places principal P in role A.r is written in the paper as |
---|
197 | |
---|
198 | A.r <- P |
---|
199 | |
---|
200 | In our notation: |
---|
201 | |
---|
202 | [keyid:A].role:r <- [keyid:P] |
---|
203 | |
---|
204 | The rule that places file P in o-set A.r is written in the paper as |
---|
205 | |
---|
206 | A.r <- P |
---|
207 | |
---|
208 | In our notation: |
---|
209 | |
---|
210 | [keyid:A].oset:r <- ["urn:file://P"] |
---|
211 | |
---|
212 | Similarly derivation rules like: |
---|
213 | |
---|
214 | A.r <- B.r |
---|
215 | |
---|
216 | become |
---|
217 | |
---|
218 | [keyid:A].role:r <- [keyid:B].role:r |
---|
219 | |
---|
220 | or |
---|
221 | |
---|
222 | [keyid:A].oset:r <- [keyid:B].oset:r |
---|
223 | |
---|
224 | depening on their intent. It is an error to try (or probably to think): |
---|
225 | |
---|
226 | [keyid:A].oset:r <- [keyid:B].role:r |
---|
227 | |
---|
228 | Note also that |
---|
229 | |
---|
230 | [A.keyid].oset:os <- [keyid:B].role:r.oset:os |
---|
231 | |
---|
232 | Is the only valid linking credential for assigning o-sets. |
---|
233 | [keyid:B].role:r is a set of principals that may have defined an o-set |
---|
234 | (oset:os), but the members of an o-set could not have done so. |
---|
235 | |
---|
236 | Variables |
---|
237 | |
---|
238 | Both RT1 and RT2 allow rules defining roles or osets to match |
---|
239 | parameters using variable bindings. We illustrate with roles here, |
---|
240 | though all of this holds for osets. The variables may be named to |
---|
241 | specify connections between the role to be defined and the roles used to |
---|
242 | define it. |
---|
243 | |
---|
244 | For example the rule (in paper notation): |
---|
245 | |
---|
246 | A.evaluatorOf(?x) <- A.managerOf(?x) |
---|
247 | |
---|
248 | means that if |
---|
249 | |
---|
250 | A.managerOf(mikeryan) <- faber |
---|
251 | |
---|
252 | then |
---|
253 | |
---|
254 | A.evaluatorOf(mikeryan) <- faber |
---|
255 | |
---|
256 | is also true. The two ?x es bind to the same thing. For more complex |
---|
257 | rules, we have to make sure that the types are also consistent: |
---|
258 | |
---|
259 | A.example(?x) <- A.isInteger(?x) & A.isFloat(?x) |
---|
260 | |
---|
261 | ?x is not allowed to match an integer-typed data object in the first |
---|
262 | clause and a float-typed one in the second. The papers say this is an |
---|
263 | invalid rule, but without knowing the types of the parameters it cannot |
---|
264 | be checked. |
---|
265 | |
---|
266 | We adopt the same variable naming convention, but require them to be |
---|
267 | prefixed with the types above. Variable names start with a ? and can |
---|
268 | contain [_a-zA-Z0-9] that is, alphanumerics and the underscore. ? is a |
---|
269 | valid anonymous variable name. Multiple instances of ? in the same rule |
---|
270 | can bind to different types. This is OK: |
---|
271 | |
---|
272 | [keyid:A]role:weird([urn:?x]) <- |
---|
273 | [keyid:B].role:a([urn:?x], [int:?]) & [keyid:C].role:b([urn:?x], |
---|
274 | [boolean:?]) |
---|
275 | |
---|
276 | Other examples: |
---|
277 | |
---|
278 | [keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) & |
---|
279 | [keyid:A].role:isFloat([int:?x]) |
---|
280 | |
---|
281 | is valid |
---|
282 | |
---|
283 | [keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) & |
---|
284 | [keyid:A].role:isFloat([float:?x]) |
---|
285 | |
---|
286 | is not because the types of ?x are different. |
---|
287 | |
---|
288 | |
---|
289 | In addition to the data object types, the "principal" type is allowed as |
---|
290 | well, indicating that the variable must match an ABAC principal. The |
---|
291 | first example in this section is written: |
---|
292 | |
---|
293 | [keyid:A].role:evaluatorOf([principal:?x]) <- |
---|
294 | [keyid:A].role:managerOf([principal:?x]) |
---|
295 | |
---|
296 | Constraints |
---|
297 | |
---|
298 | A constraint is a static (RT1) or dynamic (RT2) set of valid choices for |
---|
299 | a parameter. There are two kinds of constraint sets, static and |
---|
300 | dynamic. A dynamic constraint set is an oset or role. Static |
---|
301 | constraint sets are a list of valid values. Constraints are separated |
---|
302 | from a variable name by a colon (:). |
---|
303 | |
---|
304 | We specify a static set by enclosing the values in [] separated by |
---|
305 | commas. Because the set is bound to a typed variable the values in the |
---|
306 | set omit the [type:], so we write: |
---|
307 | |
---|
308 | [keyid:A].role:r([int:?x:[1,3,5]) |
---|
309 | |
---|
310 | not |
---|
311 | |
---|
312 | [keyid:A].role:r([int:?x:[[int:1],[int:3],[int:5]]) |
---|
313 | |
---|
314 | For ordered sets like integers and dates, the .. sequence specifies a |
---|
315 | range (floats may not be given ranges): |
---|
316 | |
---|
317 | [keyid:A].role:r(int:?x:[1..5]) |
---|
318 | |
---|
319 | in static constraint sets, commas, elipses (..), and the bracket |
---|
320 | characters [, ] must be escaped using a backslash (\) prefix. |
---|
321 | |
---|
322 | The constraint can also be an oset (for objects) or a role (for a principal). |
---|
323 | |
---|
324 | [keyid:A].role:r([principal:?x:[[A].role:r1]) |
---|
325 | [keyid:A].role:r([urn:?x:[[A].oset:o1]) |
---|
326 | |
---|
327 | A Complex Example |
---|
328 | |
---|
329 | The example on p. 10 of "Design of a Role-Based Trust Management |
---|
330 | Framework" starts with the rule |
---|
331 | |
---|
332 | Alpha.fileAc(read, ?F:Alpha.documents(?proj)) <- Alpha.team(?proj) |
---|
333 | |
---|
334 | and says that given |
---|
335 | |
---|
336 | Alpha.documents(proj1) <- fileA |
---|
337 | Alpha.team(proj1) <- Bob |
---|
338 | |
---|
339 | one can conclude |
---|
340 | |
---|
341 | Alpha.fileAc(read, fileA) <- Bob |
---|
342 | |
---|
343 | In our notation the initial rule is encoded (note the mingling of o-sets |
---|
344 | and roles) |
---|
345 | |
---|
346 | [keyid:Alpha].role:fileAc([string:"read"], |
---|
347 | [string:?F:[keyid:Alpha].o-set:documents([string:?proj])]) |
---|
348 | <- [keyid:Alpha].role:team([string:?proj]) |
---|
349 | |
---|
350 | and given |
---|
351 | |
---|
352 | [keyid:Alpha].o-set:documents([string:"proj1"]) <- [string:"fileA"] |
---|
353 | [keyid:Alpha].role:team([string:"proj1"]) <- [keyid:Bob] |
---|
354 | |
---|
355 | one can conclude |
---|
356 | |
---|
357 | [keyid:Alpha].role:fileAc([string:"read"], [string:"fileA"]) <- [keyid:Bob] |
---|
358 | |
---|
359 | It is more verbose, but draws out the different roles and o-sets in |
---|
360 | play. |
---|
361 | |
---|
362 | REFERENCES |
---|
363 | |
---|
364 | [Li03rt] |
---|
365 | Li, N. and Mitchell, J. C. RT: A role-based trust-management |
---|
366 | framework. In Proceedings of the Third DARPA Information |
---|
367 | Survivability Conference and Exposition. IEEE Computer Society |
---|
368 | Press, 201212. |
---|
369 | |
---|
370 | |
---|
371 | |
---|
372 | http://groups.geni.net/geni/wiki/TIEDABACModel |
---|
373 | |
---|
374 | http://groups.geni.net/geni/wiki/TIEDABACDemo |
---|