source: doc/design @ 43ff309

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 43ff309 was 9502c50, checked in by Mei <mei@…>, 13 years ago

1) rename examples' rr to run_query
2) updated some doc
3) add decode to creddy --roles and creddy --display --show so it will

show more useful attribute rule string

4) stub in the python script in one of the example directory

  • Property mode set to 100644
File size: 11.1 KB
Line 
1OVERVIEW
2
3ABAC proves attributes about principals.
4
5libabac is comprised of three main types of objects: credentials, roles,
6and contexts.
7
8A typical use of ABAC is:
9
10    - create a context
11    - load some certificates
12    - add more certificates, possibly presented by another party
13    - make a query 'does principal B have the role A.r1?'
14         or a query 'is object B part of the oset A.o1?'
15
16CREDENTIAL
17
18An ABAC credential is the most basic unit of an ABAC proof.
19
20It is a signed assertion by a principal A that some other entity has a
21role r1.  Abstractly, it is one of the following (A, B principals;
22r1, r2, r3 roles):
23
24    A.r1 <- B
25    A.r1 <- B.r2
26    A.r1 <- B.r2.r3
27
28It is a signed assertion by a principal A that some other entity is
29an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object):
30
31    A.o1 <- O
32    A.o1 <- B.o2
33    A.o1 <- B.r1.o2
34
35
36When interacting with libabac, a credential is represented by an X509
37attribute certificates and the associated issuer X509 identity
38certificate.
39
40A principal is represented by the SHA1 hash of the public key of its
41identity certificate. Therefore when a credential is encoded in an
42attribute certificate, it will look something along the lines of:
43
44    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
45        e93547826455a80d9488825a1d083ef6ef264107
46
47ROLE
48
49ABAC roles are the atomic units that form the head and tail of a
50credential. The head will always be a proper role, which is to say it
51takes form:
52
53    A.r1
54
55As seen in the CREDENTIAL section, the tail of a role can take one of
56three forms:
57
58    principal:      B
59    role:           B.r2
60    linking role:   B.r2.r3
61
62For more information about the different types of roles, refer to
63[Li03rt].
64
65OSET
66
67ABAC osets are the atomic units that form the head and tail of a
68credential. The head will always be a proper oset, which is to say it
69takes form:
70
71    A.o1
72
73As seen in the CREDENTIAL section, the tail of a oset can take one of
74three forms:
75
76    object:         O
77    oset:           B.o2
78    linking oset:   B.r2.o3
79
80
81CONTEXT
82
83An ABAC context object encapsulates a set of ABAC credentials and its
84associated YAP clause db. The context supports the following operations:
85
86    - load X509 identity certificate
87    - load X509 attribute certificate
88    - list all the credentials (attribute identity certificate pairs)
89    - query whether a principal has a given role
90    - query whether an object belongs to a given o-set
91
92RT2
93
94RT2 is an more expressive logic than the original RT0 logic that ABAC
95supported.
96
97The RT2 specification extends the existing RT0 notation in 5 ways:
98
99        * More general principal specification to allow room for other
100          identity providers
101        * Explicit syntax for specifying RT2 objects
102        * Explicit type information to differentiate roles and o-sets.
103        * Explicit type information for RT1 and RT2 parameters
104        * Syntax for constraints
105
106These additions make the syntax both much less terse and much less
107ambiguous.
108
109A few words about RT1 and RT2 before we describe syntax.  RT1 parameterizes
110roles, that is, it attaches ordered, typed data to roles.  It also adds
111matching requirements to role derivations, including constraints.  The
112RT1 rule
113
114A.r(?x, ?y) <- A.s(1, ?y:[1..3]) & A.t(?y, ?x)
115
116requires that all instances of ?x and ?y on the right side have the same
117type and that the constraints on ?y in the first term are valid for that
118type.  There's no explicit typing in the rule notation of the papers,
119which this specification addresses.
120
121The data types in the papers inlcude integers, floats, dates, closed
122enumerations, and open enumerations.  Closed enumerations are things
123like C or C++ enums, with boolean being a specific example.  Open
124enumerations include things like principals.  For tractability we're
125going to want to define a specific set of data types, which we do
126below.
127
128RT2 allows principals to label data in the same way that they label
129principals.  The ABAC authors helpfully use the exact same syntax for
130assigining a label to a data object as they do for assigning a role to a
131principal, but the semantics are slightly different.  We add syntax
132that clarfies when data is being labelled and when principals are being
133labelled.  These "data roles" are called o-sets.
134
135On with the specification, from the basic chunks up to rules.
136
137Principal Names
138
139We've been using self-signed X.509 identity certificates as identities,
140and that's been a useful way to get started, but it would be nice to be
141able to use other identities in the future.  Now a principal name is not
142marked in the representation at all.  New principal IDs will be of the
143form: [idtype:A].  The idtype will define what valid characters in A
144will be, but in any event "]" must be escaped with a backslash.
145
146The current id's will be of idtype 'keyid', so only applying the
147principal extensions, the role A.r would be written [keyid:A].r, where A
148is the sha1 hash of the public key.  keyid principal names can include
149[0-9a-fA-F] (hex digits).
150
151I'm going to continue to use [keyid:A] here so not everything runs off
152the page.
153
154Data Objects
155
156The RT1 and RT2 parameters are loosely data objects.  RT1 allows one to
157reason about them, RT2 adds the ability to have principals make
158statements about these data objects.  Just as we need to represent
159principals including their type, we need to represent objects with their
160type.  We support following types:
161
162        int: 32-bit signed integers
163        float: floats in the range of an IEEE float.
164        time: a time expressed as yyyymmddThhmmss where the lower case
165                letters are digits and the T is a T.  Zulu time,
166                everything after the T is optional
167        boolean: true or false
168        urn: a resource named by a URN
169        string: a UTF-8 string.  This is a free space for people to
170                define local free-form attributes
171
172A particular object is specified by:
173
174[ type: name]
175
176Objects are always specified this way, because rules and assignments may
177come from many places and the typing information must mesh.
178
179Examples:
180
181        [boolean: true]
182        [int: 3454]
183        [float: -323.0] also [ float: 1]
184        [time: 20111109T122300] also [ time: 20101010T]
185        [urn:"file:///usr/local/bin/ls"]
186        [urn:"uuid://106c0cdd-0afb-11e1-90d8-14feb5e4012d"]
187        [string:"a string"]
188
189Roles and O-Sets
190
191In the ABAC papers, roles and o-sets look exactly alike, and one may
192have trouble understanding that they are different.  This spec
193explicitly types them for clarity.  Roles are prefixed by "role:" and
194o-sets by "oset:".
195
196The rule that places principal P in role A.r is written in the paper as
197
198A.r <- P
199
200In our notation:
201
202[keyid:A].role:r <- [keyid:P]
203
204The rule that places file P in o-set A.r is written in the paper as
205
206A.r <- P
207
208In our notation:
209
210[keyid:A].oset:r <- ["urn:file://P"]
211
212Similarly derivation rules like:
213
214A.r <- B.r
215
216become
217
218[keyid:A].role:r <- [keyid:B].role:r
219
220or
221
222[keyid:A].oset:r <- [keyid:B].oset:r
223
224depending on their intent.  It is an error to try (or probably to think):
225
226[keyid:A].oset:r <- [keyid:B].role:r
227
228Note also that
229
230[keyid:A].oset:os <- [keyid:B].role:r.oset:os
231
232Is the only valid linking credential for assigning o-sets.
233[keyid:B].role:r is a set of principals that may have defined an o-set
234(oset:os), but the members of an o-set could not have done so.
235
236Variables
237
238Both RT1 and RT2 allow rules defining roles or o-sets to match
239parameters using variable bindings.  We illustrate with roles here,
240though all of this holds for o-sets.  The variables may be named to
241specify connections between the role to be defined and the roles used to
242define it.
243
244For example the rule (in paper notation):
245
246A.evaluatorOf(?x) <- A.managerOf(?x)
247
248means that if
249
250A.managerOf(mikeryan) <- faber
251
252then
253
254A.evaluatorOf(mikeryan) <- faber
255
256is also true.  The two ?x es bind to the same thing.  For more complex
257rules, we have to make sure that the types are also consistent:
258
259A.example(?x) <- A.isInteger(?x) & A.isFloat(?x)
260
261?x is not allowed to match an integer-typed data object in the first
262clause and a float-typed one in the second.  The papers say this is an
263invalid rule, but without knowing the types of the parameters it cannot
264be checked.
265
266We adopt the same variable naming convention, but require them to be
267prefixed with the types above.  Variable names start with a ? can
268contain [_\-a-zA-Z0-9], that is, alphanumerics, underscore and
269the hyphens.  ? is a valid anonymous variable name.  Multiple instances
270of ? in the same rule can bind to different types.
271
272This is OK:
273
274[keyid:A].role:weird([urn:?x]) <- [keyid:B].role:a([urn:?x], [int:?]) &
275        [keyid:C].role:b([urn:?x], [boolean:?])
276
277Other examples:
278
279[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
280        [keyid:A].role:isFloat([int:?x])
281
282is valid
283
284[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
285        [keyid:A].role:isFloat([float:?x])
286
287is not, because the types of ?x are different.
288
289
290In addition to the data object types, the "principal" type is allowed as
291well, indicating that the variable must match an ABAC principal.  The
292first example in this section is written:
293
294[keyid:A].role:evaluatorOf([principal:?x]) <-
295        [keyid:A].role:managerOf([principal:?x])
296
297Constraints
298
299A constraint is a static (RT1) or dynamic (RT2) set of valid choices for
300a parameter.  There are two kinds of constraint sets, static and
301dynamic.  A dynamic constraint set is an o-set or role.  Static
302constraint sets are a list of valid values.  Constraints are separated
303from a variable name by a colon (:).
304
305We specify a static set by enclosing the values in [] separated by
306commas.  Because the set is bound to a typed variable, the values
307in the set can omit the [type:], so we write:
308
309[keyid:A].role:r([int:?x:[1,3,5])
310
311not
312
313[keyid:A].role:r([int:?x:[[int:1],[int:3],[int:5]]])
314
315For ordered sets like integers, floats and dates, the .. sequence
316specifies a range:
317
318[keyid:A].role:r(int:?x:[1..5])
319
320in static constraint sets, commas, elipses (..), and the bracket
321characters [, ] must be escaped using a backslash (\) prefix.
322
323The constraint can also be an o-set (for objects) or a role (for a principal).
324
325[keyid:A].role:r([principal:?x:[[keyid:A].role:r1])
326[keyid:A].role:r([urn:?x:[[keyid:A].oset:o1])
327
328A Complex Example
329
330The example on p. 10 of "Design of a Role-Based Trust Management
331Framework" starts with the rule
332
333Alpha.fileAc(read, ?F:Alpha.documents(?proj)) <- Alpha.team(?proj)
334
335and says that given
336
337Alpha.documents(proj1) <- fileA
338Alpha.team(proj1) <- Bob
339
340one can conclude
341
342Alpha.fileAc(read, fileA) <- Bob
343
344In our notation the initial rule is encoded (note the mingling of o-sets
345and roles)
346
347[keyid:Alpha].role:fileAc([string:"read"],
348        [string:?F:[keyid:Alpha].oset:documents([string:?proj])])
349                <- [keyid:Alpha].role:team([string:?proj])
350
351and given
352
353[keyid:Alpha].oset:documents([string:"proj1"]) <- [string:"fileA"]
354[keyid:Alpha].role:team([string:"proj1"]) <- [keyid:Bob]
355
356one can conclude
357
358[keyid:Alpha].role:fileAc([string:"read"], [string:"fileA"]) <- [keyid:Bob]
359
360It is more verbose, but draws out the different roles and o-sets in
361play. 
362
363REFERENCES
364
365[Li03rt]
366    Li, N. and Mitchell, J. C. RT: A role-based trust-management
367    framework. In Proceedings of the Third DARPA Information
368    Survivability Conference and Exposition. IEEE Computer Society
369    Press, 201­212.
370
371
372
373http://groups.geni.net/geni/wiki/TIEDABACModel
374
375http://groups.geni.net/geni/wiki/TIEDABACDemo
Note: See TracBrowser for help on using the repository browser.