OVERVIEW

ABAC proves attributes about principals.

libabac consists of three main types of objects: credentials, roles,
and contexts.

A typical use of ABAC is:

- create a context
- load some certificates
- clone the context
- add more certificates, possibly presented by another party
- make a query 'does principal B have the role A.r1?'

CREDENTIAL

An ABAC credential is the most basic unit of an ABAC proof. It is a
signed assertion by a principal A that some other entity has a role r1.
Abstractly, it is one of the following (A and B are principals; r1, r2, r3
are roles):

    A.r1 <- B
    A.r1 <- B.r2
    A.r1 <- B.r2.r3

When interacting with libabac, a credential is represented by an X509
attribute certificate and the associated issuer X509 identity
certificate.

A principal is represented by the SHA1 hash of the public key of its
identity certificate. Therefore, when a credential is encoded in an
attribute certificate, it will look something along the lines of:

    e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <-
    e93547826455a80d9488825a1d083ef6ef264107

ROLE

ABAC roles are the atomic units that form the head and tail of a
credential. The head will always be a proper role, which is to say it
takes the form:

    A.r1

As seen in the CREDENTIAL section, the tail of a credential can take one
of three forms:

    principal:    B
    role:         B.r2
    linking role: B.r2.r3

For more information about the different types of roles, refer to
[Li03rt].

CONTEXT

An ABAC context object encapsulates a set of ABAC credentials and its
associated proof graph. The context supports the following operations:

- load an X509 identity certificate
- load an X509 attribute certificate
- list all the credentials (attribute certificate / identity certificate pairs)
- query whether a principal has a given role
- duplicate the context

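A minimal model of the three credential forms and of the context operations above, as an added example that is not libabac's own code: hypothetical Python in which credentials are plain (head, tail) strings rather than X509 attribute certificates, and the principals T, U, Alice and Bob are constructed names standing in for SHA1 key hashes.

```python
import copy

class Context:
    """Set of credentials (head, tail) plus role-membership queries."""
    def __init__(self):
        self.creds = []  # (head, tail) pairs; head is always "A.r1"

    def add(self, head, tail):
        self.creds.append((head, tail))

    def clone(self):
        return copy.deepcopy(self)  # the "duplicate context" operation

    def members(self, role):
        """Principals holding `role`, as a least fixpoint over the RT0 rules.
        Assumes principal names contain no '.', as SHA1 hex hashes do not."""
        mem = {}  # role -> set of principals proved so far
        changed = True
        while changed:
            changed = False
            for head, tail in self.creds:
                parts = tail.split(".")
                if len(parts) == 1:        # A.r1 <- B: B itself
                    new = {tail}
                elif len(parts) == 2:      # A.r1 <- B.r2: members of B.r2
                    new = mem.get(tail, set())
                else:                      # A.r1 <- B.r2.r3: members of C.r3
                    new = set()            # for every C that holds B.r2
                    for c in mem.get(".".join(parts[:2]), set()):
                        new |= mem.get(c + "." + parts[2], set())
                known = mem.setdefault(head, set())
                if not new <= known:
                    known |= new
                    changed = True
        return mem.get(role, set())

    def query(self, role, principal):
        """'does principal B have the role A.r1?'"""
        return principal in self.members(role)

def demo():
    """The typical flow: create, load, clone, add more, query."""
    ctx = Context()
    ctx.add("T.access", "T.member")          # role form
    ctx.add("T.member", "T.partner.member")  # linking-role form
    ctx.add("T.partner", "U")                # principal form
    ctx.add("U.member", "Alice")
    other = ctx.clone()
    other.add("U.member", "Bob")             # presented by another party
    return (ctx.query("T.access", "Alice"), ctx.query("T.access", "Bob"),
            other.query("T.access", "Bob"))
```

Adding Bob to the clone leaves the original context's proof unchanged, which is why the typical flow clones before loading certificates presented by another party.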
REFERENCES

[Li03rt]
    Li, N. and Mitchell, J. C. RT: A role-based trust-management
    framework. In Proceedings of the Third DARPA Information
    Survivability Conference and Exposition. IEEE Computer Society
    Press, 201212.