| 1 | OVERVIEW |
|---|
| 2 | |
|---|
| 3 | ABAC proves attributes about principals. |
|---|
| 4 | |
|---|
| 5 | libabac is comprised of three main types of objects: credentials, roles, |
|---|
| 6 | and contexts. |
|---|
| 7 | |
|---|
| 8 | A typical use of ABAC is: |
|---|
| 9 | |
|---|
| 10 | - create a context |
|---|
| 11 | - load some certificates |
|---|
| 12 | - add more certificates, possibly presented by another party |
|---|
| 13 | - make a query 'does principal B have the role A.r1?' |
|---|
| 14 | or a query 'is object B part of the oset A.o1?' |
|---|
| 15 | |
|---|
| 16 | CREDENTIAL |
|---|
| 17 | |
|---|
| 18 | An ABAC credential is the most basic unit of an ABAC proof. |
|---|
| 19 | |
|---|
| 20 | It is a signed assertion by a principal A that some other entity has a |
|---|
| 21 | role r1. Abstractly, it is one of the following (A, B principals; |
|---|
| 22 | r1, r2, r3 roles): |
|---|
| 23 | |
|---|
| 24 | A.r1 <- B |
|---|
| 25 | A.r1 <- B.r2 |
|---|
| 26 | A.r1 <- B.r2.r3 |
|---|
| 27 | |
|---|
| 28 | It is a signed assertion by a principal A that some other entity is |
|---|
| 29 | an object of oset o1. (A, B principals; r1 role; o1, o2 osets; O object): |
|---|
| 30 | |
|---|
| 31 | A.o1 <- O |
|---|
| 32 | A.o1 <- B.o2 |
|---|
| 33 | A.o1 <- B.r1.o2 |
|---|
| 34 | |
|---|
| 35 | |
|---|
| 36 | When interacting with libabac, a credential is represented by an X509 |
|---|
| 37 | attribute certificates and the associated issuer X509 identity |
|---|
| 38 | certificate. |
|---|
| 39 | |
|---|
| 40 | A principal is represented by the SHA1 hash of the public key of its |
|---|
| 41 | identity certificate. Therefore when a credential is encoded in an |
|---|
| 42 | attribute certificate, it will look something along the lines of: |
|---|
| 43 | |
|---|
| 44 | e65aace9237833ec775253cfde97f59a0af5bc3d.frobnicate <- |
|---|
| 45 | e93547826455a80d9488825a1d083ef6ef264107 |
|---|
| 46 | |
|---|
| 47 | ROLE |
|---|
| 48 | |
|---|
| 49 | ABAC roles are the atomic units that form the head and tail of a |
|---|
| 50 | credential. The head will always be a proper role, which is to say it |
|---|
| 51 | takes form: |
|---|
| 52 | |
|---|
| 53 | A.r1 |
|---|
| 54 | |
|---|
| 55 | As seen in the CREDENTIAL section, the tail of a role can take one of |
|---|
| 56 | three forms: |
|---|
| 57 | |
|---|
| 58 | principal: B |
|---|
| 59 | role: B.r2 |
|---|
| 60 | linking role: B.r2.r3 |
|---|
| 61 | |
|---|
| 62 | For more information about the different types of roles, refer to |
|---|
| 63 | [Li03rt]. |
|---|
| 64 | |
|---|
| 65 | OSET |
|---|
| 66 | |
|---|
| 67 | ABAC osets are the atomic units that form the head and tail of a |
|---|
| 68 | credential. The head will always be a proper oset, which is to say it |
|---|
| 69 | takes form: |
|---|
| 70 | |
|---|
| 71 | A.o1 |
|---|
| 72 | |
|---|
| 73 | As seen in the CREDENTIAL section, the tail of a oset can take one of |
|---|
| 74 | three forms: |
|---|
| 75 | |
|---|
| 76 | object: O |
|---|
| 77 | oset: B.o2 |
|---|
| 78 | linking oset: B.r2.o3 |
|---|
| 79 | |
|---|
| 80 | |
|---|
| 81 | CONTEXT |
|---|
| 82 | |
|---|
| 83 | An ABAC context object encapsulates a set of ABAC credentials and its |
|---|
| 84 | associated YAP clause db. The context supports the following operations: |
|---|
| 85 | |
|---|
| 86 | - load X509 identity certificate |
|---|
| 87 | - load X509 attribute certificate |
|---|
| 88 | - list all the credentials (attribute identity certificate pairs) |
|---|
| 89 | - query whether a principal has a given role |
|---|
| 90 | |
|---|
| 91 | REFERENCES |
|---|
| 92 | |
|---|
| 93 | [Li03rt] |
|---|
| 94 | Li, N. and Mitchell, J. C. RT: A role-based trust-management |
|---|
| 95 | framework. In Proceedings of the Third DARPA Information |
|---|
| 96 | Survivability Conference and Exposition. IEEE Computer Society |
|---|
| 97 | Press, 201212. |
|---|
| 98 | |
|---|
| 99 | |
|---|
| 100 | |
|---|
| 101 | http://groups.geni.net/geni/wiki/TIEDABACModel |
|---|
| 102 | |
|---|
| 103 | http://groups.geni.net/geni/wiki/TIEDABACDemo |
|---|
