[7727f26] | 1 | |
---|
| 2 | This directory contains various ABAC scenario that exercises |
---|
| 3 | various feature of the current implmentation with YAP prolog db. |
---|
| 4 | |
---|
| 5 | The frontend query client is abac_yap_prover. |
---|
| 6 | |
---|
| 7 | Each subdirectory has a README script which includes a description |
---|
[9502c50] | 8 | of the scenario, and the calls that to generate the needed credentials. |
---|
| 9 | There is a run_query script which sets up and runs couple of typical |
---|
| 10 | query using abac_yap_prover. |
---|
[7727f26] | 11 | |
---|
| 12 | runall, is the top level script that will cleanup and setup the |
---|
| 13 | credentials needed in each subdirectories |
---|
| 14 | |
---|
| 15 | runcheck, is the top level script that initiate the run_query script |
---|
| 16 | within each subdirectories; capture the result and diff with the |
---|
| 17 | baseline output in allout.save. |
---|
| 18 | |
---|
| 19 | abac_yap_prover |
---|
| 20 | |
---|
| 21 | Usage: abac_prover_yap |
---|
| 22 | --keystore <keystore> |
---|
| 23 | --role <keyid.role> --principal <keyid> |
---|
| 24 | --oset <keyid.oset> --object <otype> |
---|
| 25 | loads the keystore and runs the query role <-?- principal |
---|
| 26 | the query oset <-?- object |
---|
| 27 | --dump <file> |
---|
| 28 | extracts all credentials from the prolog db |
---|
| 29 | |
---|
[9502c50] | 30 | keystore is the location where the prover will search to load credentials. |
---|
| 31 | All accessible identity credentials and attribute credentials will be |
---|
[7727f26] | 32 | picked up one file at a time. |
---|
| 33 | |
---|
[9502c50] | 34 | role, oset, principal, and object are specified with principal's SHA1 |
---|
| 35 | value extracted from the credentials that are loaded from keystore location |
---|
| 36 | using creddy. Example can be found in the run_queryscript. |
---|
| 37 | |
---|
| 38 | An actual example from balltime_rt2_typed, |
---|
[7727f26] | 39 | |
---|
| 40 | abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed |
---|
| 41 | --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium |
---|
| 42 | ([string:'access'],[boolean:true],[time:20120228T130000]) |
---|
| 43 | --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0] |
---|
| 44 | |
---|
| 45 | Currently, the dump option might fail if not enough information is |
---|
| 46 | stored in the backend db. It will be reimplemented in the near future. |
---|
| 47 | |
---|
| 48 | Two useful environment variables, |
---|
| 49 | |
---|
| 50 | DUMP_DB, extract the complete yap db to stdout |
---|
[9502c50] | 51 | ABAC_CN, use CN instead of SHA1 value for identifying the principals. This |
---|
[7727f26] | 52 | is useful for debugging purpose but will not resolve conflict when CN is not |
---|
[9502c50] | 53 | uniquely associated with each principal's SHA1 value. |
---|
[7727f26] | 54 | |
---|
| 55 | env ABAC_CN=1 runall run |
---|
| 56 | or |
---|
[9502c50] | 57 | env DUMP_DB=1 ABAC_CN=1 run_query |
---|
[7727f26] | 58 | |
---|
| 59 | |
---|
| 60 | |
---|
| 61 | |
---|