source: doc/design @ 7727f26

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 7727f26 was 7727f26, checked in by Mei <mei@…>, 13 years ago

1) add environment variables DUMP_DB, ABAC_CN.

ABAC_CN will switch to using CNs for keyid insead of SHAs

2) add/modified couple of doc files.

  • Property mode set to 100644
File size: 11.1 KB
Line 
1OVERVIEW
2
3ABAC proves attributes about principals.
4
5libabac is comprised of three main types of objects: credentials, roles,
6and contexts.
7
8A typical use of ABAC is:
9
10    - create a context
11    - load some certificates
12    - add more certificates, possibly presented by another party
13    - make a query 'does principal B have the role A.r1?'
14         or a query 'is object B part of the oset A.o1?'
15
16CREDENTIAL
17
18An ABAC credential is the most basic unit of an ABAC proof.
19
20It is a signed assertion by a principal A that some other entity has a
21role r1.  Abstractly, it is one of the following (A, B principals;
22r1, r2, r3 roles):
23
24    A.r1 <- B
25    A.r1 <- B.r2
26    A.r1 <- B.r2.r3
27
28It is a signed assertion by a principal A that some other entity is
29an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object):
30
31    A.o1 <- O
32    A.o1 <- B.o2
33    A.o1 <- B.r1.o2
34
35
36When interacting with libabac, a credential is represented by an X509
37attribute certificates and the associated issuer X509 identity
38certificate.
39
40A principal is represented by the SHA1 hash of the public key of its
41identity certificate. Therefore when a credential is encoded in an
42attribute certificate, it will look something along the lines of:
43
44    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
45        e93547826455a80d9488825a1d083ef6ef264107
46
47ROLE
48
49ABAC roles are the atomic units that form the head and tail of a
50credential. The head will always be a proper role, which is to say it
51takes form:
52
53    A.r1
54
55As seen in the CREDENTIAL section, the tail of a role can take one of
56three forms:
57
58    principal:      B
59    role:           B.r2
60    linking role:   B.r2.r3
61
62For more information about the different types of roles, refer to
63[Li03rt].
64
65OSET
66
67ABAC osets are the atomic units that form the head and tail of a
68credential. The head will always be a proper oset, which is to say it
69takes form:
70
71    A.o1
72
73As seen in the CREDENTIAL section, the tail of a oset can take one of
74three forms:
75
76    object:         O
77    oset:           B.o2
78    linking oset:   B.r2.o3
79
80
81CONTEXT
82
83An ABAC context object encapsulates a set of ABAC credentials and its
84associated YAP clause db. The context supports the following operations:
85
86    - load X509 identity certificate
87    - load X509 attribute certificate
88    - list all the credentials (attribute identity certificate pairs)
89    - query whether a principal has a given role
90
91RT2
92
93RT2 is an more expressive logic than the original RT0 logic that ABAC
94supported.
95
96The RT2 specification extends the existing RT0 notation in 5 ways:
97
98        * More general principal specification to allow room for other
99          identity providers
100        * Explicit syntax for specifying RT2 objects
101        * Explicit type information to differentiate roles and o-sets.
102        * Explicit type information for RT1 and RT2 parameters
103        * Syntax for constraints
104
105These additions make the syntax both much less terse and much less
106ambiguous.
107
108A few words about RT1 and RT2 before we describe syntax.  RT1 parameterizes
109roles, that is, it attaches ordered, typed data to roles.  It also adds
110matching requirements to role derivations, including constraints.  The
111RT1 rule
112
113A.r(?x, ?y) <- A.s(1, ?y:[1..3]) & A.t(?y, ?x)
114
115requires that all instances of ?x and ?y on the right side have the same
116type and that the constraints on ?y in the first term are valid for that
117type.  There's no explicit typing in the rule notation of the papers,
118which this specification addresses.
119
120The data types in the papers inlcude integers, floats, dates, closed
121enumerations, and open enumerations.  Closed enumerations are things
122like C or C++ enums, with boolean being a specific example.  Open
123enumerations include things like principals.  For tractability we're
124going to want to define a specific set of data types, which we do
125below.
126
127RT2 allows principals to label data in the same way that they label
128principals.  The ABAC authors helpfully use the exact same syntax for
129assigining a label to a data object as they do for assigning a role to a
130principal, but the semantics are slightly different.  We add syntax
131that clarfies when data is being labelled and when principals are being
132labelled.  These "data roles" are called o-sets.
133
134On with the specification, from the basic chunks up to rules.
135
136Principal Names
137
138We've been using self-signed X.509 identity certificates as identities,
139and that's been a useful way to get started, but it would be nice to be
140able to use other identities in the future.  Now a principal name is not
141marked in the representation at all.  New principal IDs will be of the
142form: [idtype:A].  The idtype will define what valid characters in A
143will be, but in any event "]" must be escaped with a backslash.
144
145The current id's will be of idtype 'keyid', so only applying the
146principal extensions, the role A.r would be written [keyid:A].r, where A
147is the sha1 hash of the public key.  keyid principal names can include
148[0-9a-fA-F] (hex digits).
149
150I'm going to continue to use [keyid:A] here so not everything runs off
151the page.
152
153Data Objects
154
155The RT1 and RT2 parameters are loosely data objects.  RT1 allows one to
156reason about them, RT2 adds the ability to have principals make
157statements about these data objects.  Just as we need to represent
158principals including their type, we need to represent objects with their
159type.  We support following types:
160
161        int: 32-bit signed integers
162        float: floats in the range of an IEEE float.
163        time: a time expressed as yyyymmddThhmmss where the lower case
164                letters are digits and the T is a T.  Zulu time,
165                everything after the T is optional
166        boolean: true or false
167        urn: a resource named by a URN
168        string: a UTF-8 string.  This is a free space for people to
169                define local free-form attributes
170
171A particular object is specified by:
172
173[ type: name]
174
175Objects are always specified this way, because rules and assignments may
176come from many places and the typing information must mesh.  The {}
177indicates this is data constant, as opposed to the variables below.
178
179Examples:
180
181        [boolean: true]
182        [int: 3454]
183        [float: -323.0] also [ float: 1]
184        [time: 20111109T122300] also [ time: 20101010T]
185        [urn:"file:///usr/local/bin/ls"]
186        [urn:"uuid://106c0cdd-0afb-11e1-90d8-14feb5e4012d"]
187        [string:"a string"]
188
189Roles and O-Sets
190
191In the ABAC papers, roles and o-sets look exactly alike, and one may
192have trouble understanding that they are different.  This spec
193explicitly types them for clarity.  Roles are prefixed by "role:" and
194o-sets by "o-set:".
195
196The rule that places principal P in role A.r is written in the paper as
197
198A.r <- P
199
200In our notation:
201
202[keyid:A].role:r <- [keyid:P]
203
204The rule that places file P in o-set A.r is written in the paper as
205
206A.r <- P
207
208In our notation:
209
210[keyid:A].oset:r <- ["urn:file://P"]
211
212Similarly derivation rules like:
213
214A.r <- B.r
215
216become
217
218[keyid:A].role:r <- [keyid:B].role:r
219
220or
221
222[keyid:A].oset:r <- [keyid:B].oset:r
223
224depending on their intent.  It is an error to try (or probably to think):
225
226[keyid:A].oset:r <- [keyid:B].role:r
227
228Note also that
229
230[keyid:A].oset:os <- [keyid:B].role:r.oset:os
231
232Is the only valid linking credential for assigning o-sets.
233[keyid:B].role:r is a set of principals that may have defined an o-set
234(oset:os), but the members of an o-set could not have done so.
235
236Variables
237
238Both RT1 and RT2 allow rules defining roles or osets to match
239parameters using variable bindings.  We illustrate with roles here,
240though all of this holds for osets.  The variables may be named to
241specify connections between the role to be defined and the roles used to
242define it.
243
244For example the rule (in paper notation):
245
246A.evaluatorOf(?x) <- A.managerOf(?x)
247
248means that if
249
250A.managerOf(mikeryan) <- faber
251
252then
253
254A.evaluatorOf(mikeryan) <- faber
255
256is also true.  The two ?x es bind to the same thing.  For more complex
257rules, we have to make sure that the types are also consistent:
258
259A.example(?x) <- A.isInteger(?x) & A.isFloat(?x)
260
261?x is not allowed to match an integer-typed data object in the first
262clause and a float-typed one in the second.  The papers say this is an
263invalid rule, but without knowing the types of the parameters it cannot
264be checked.
265
266We adopt the same variable naming convention, but require them to be
267prefixed with the types above.  Variable names start with a ? and can
268contain [_a-zA-Z0-9], that is, alphanumerics and the underscore. 
269? is a valid anonymous variable name.  Multiple instances of ? in
270the same rule can bind to different types.
271
272This is OK:
273
274[keyid:A].role:weird([urn:?x]) <- [keyid:B].role:a([urn:?x], [int:?]) &
275        [keyid:C].role:b([urn:?x], [boolean:?])
276
277Other examples:
278
279[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
280        [keyid:A].role:isFloat([int:?x])
281
282is valid
283
284[keyid:A].role:example([int:?x]) <- [keyid:A].role:isInteger([int:?x]) &
285        [keyid:A].role:isFloat([float:?x])
286
287is not because the types of ?x are different.
288
289
290In addition to the data object types, the "principal" type is allowed as
291well, indicating that the variable must match an ABAC principal.  The
292first example in this section is written:
293
294[keyid:A].role:evaluatorOf([principal:?x]) <-
295        [keyid:A].role:managerOf([principal:?x])
296
297Constraints
298
299A constraint is a static (RT1) or dynamic (RT2) set of valid choices for
300a parameter.  There are two kinds of constraint sets, static and
301dynamic.  A dynamic constraint set is an oset or role.  Static
302constraint sets are a list of valid values.  Constraints are separated
303from a variable name by a colon (:).
304
305We specify a static set by enclosing the values in [] separated by
306commas.  Because the set is bound to a typed variable the values in the
307set omit the [type:], so we write:
308
309[keyid:A].role:r([int:?x:[1,3,5])
310
311not
312
313[keyid:A].role:r([int:?x:[[int:1],[int:3],[int:5]])
314
315For ordered sets like integers, floats and dates, the .. sequence
316specifies a range:
317
318[keyid:A].role:r(int:?x:[1..5])
319
320in static constraint sets, commas, elipses (..), and the bracket
321characters [, ] must be escaped using a backslash (\) prefix.
322
323The constraint can also be an oset (for objects) or a role (for a principal).
324
325[keyid:A].role:r([principal:?x:[[keyid:A].role:r1])
326[keyid:A].role:r([urn:?x:[[keyid:A].oset:o1])
327
328A Complex Example
329
330The example on p. 10 of "Design of a Role-Based Trust Management
331Framework" starts with the rule
332
333Alpha.fileAc(read, ?F:Alpha.documents(?proj)) <- Alpha.team(?proj)
334
335and says that given
336
337Alpha.documents(proj1) <- fileA
338Alpha.team(proj1) <- Bob
339
340one can conclude
341
342Alpha.fileAc(read, fileA) <- Bob
343
344In our notation the initial rule is encoded (note the mingling of o-sets
345and roles)
346
347[keyid:Alpha].role:fileAc([string:"read"],
348        [string:?F:[keyid:Alpha].oset:documents([string:?proj])])
349                <- [keyid:Alpha].role:team([string:?proj])
350
351and given
352
353[keyid:Alpha].oset:documents([string:"proj1"]) <- [string:"fileA"]
354[keyid:Alpha].role:team([string:"proj1"]) <- [keyid:Bob]
355
356one can conclude
357
358[keyid:Alpha].role:fileAc([string:"read"], [string:"fileA"]) <- [keyid:Bob]
359
360It is more verbose, but draws out the different roles and o-sets in
361play. 
362
363REFERENCES
364
365[Li03rt]
366    Li, N. and Mitchell, J. C. RT: A role-based trust-management
367    framework. In Proceedings of the Third DARPA Information
368    Survivability Conference and Exposition. IEEE Computer Society
369    Press, 201­212.
370
371
372
373http://groups.geni.net/geni/wiki/TIEDABACModel
374
375http://groups.geni.net/geni/wiki/TIEDABACDemo
Note: See TracBrowser for help on using the repository browser.