source: doc/design @ 5308660

Last change on this file since 5308660 was 9806e76, checked in by Mei <mei@…>, 13 years ago

1) add handling for typed anonymous term, [int:?]
2) make a pass through abac/doc
3) fix up creddy to take oset option at different calls

OVERVIEW

ABAC proves attributes about principals.

libabac consists of three main types of objects: credentials, roles,
and contexts.

A typical use of ABAC is:

    - create a context
    - load some certificates
    - add more certificates, possibly presented by another party
    - make a query 'does principal B have the role A.r1?'
         or a query 'is object B part of the oset A.o1?'

CREDENTIAL

An ABAC credential is the most basic unit of an ABAC proof.

It is a signed assertion by a principal A that some other entity has a
role r1.  Abstractly, it is one of the following (A, B principals;
r1, r2, r3 roles):

    A.r1 <- B
    A.r1 <- B.r2
    A.r1 <- B.r2.r3

Alternatively, it is a signed assertion by a principal A that some other
entity is an object of oset o1 (A, B principals; r1 role; o1, o2 osets;
O object):

    A.o1 <- O
    A.o1 <- B.o2
    A.o1 <- B.r1.o2


When interacting with libabac, a credential is represented by an X509
attribute certificate and the associated issuer X509 identity
certificate.

A principal is represented by the SHA1 hash of the public key of its
identity certificate. Therefore, when a credential is encoded in an
attribute certificate, it will look something along the lines of:

    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
        e93547826455a80d9488825a1d083ef6ef264107

ROLE

ABAC roles are the atomic units that form the head and tail of a
credential. The head will always be a proper role, which is to say it
takes the form:

    A.r1

As seen in the CREDENTIAL section, the tail of a credential whose head
is a role can take one of three forms:

    principal:      B
    role:           B.r2
    linking role:   B.r2.r3

For more information about the different types of roles, refer to
[Li03rt].

OSET

ABAC osets are the atomic units that form the head and tail of a
credential. The head will always be a proper oset, which is to say it
takes the form:

    A.o1

As seen in the CREDENTIAL section, the tail of a credential whose head
is an oset can take one of three forms:

    object:         O
    oset:           B.o2
    linking oset:   B.r2.o3


CONTEXT

An ABAC context object encapsulates a set of ABAC credentials and the
associated YAP clause database. The context supports the following
operations:

    - load X509 identity certificate
    - load X509 attribute certificate
    - list all the credentials (attribute certificate / identity certificate pairs)
    - query whether a principal has a given role

REFERENCES

[Li03rt]
    Li, N. and Mitchell, J. C. RT: A role-based trust-management
    framework. In Proceedings of the Third DARPA Information
    Survivability Conference and Exposition. IEEE Computer Society
    Press, 201-212.


http://groups.geni.net/geni/wiki/TIEDABACModel

http://groups.geni.net/geni/wiki/TIEDABACDemo