| 1 | |
|---|
| 2 | This directory contains various ABAC scenarios that exercise |
|---|
| 3 | various feature of the current RT2 implmentation using YAP prolog. |
|---|
| 4 | |
|---|
| 5 | The frontend query client is abac_prover_yap. |
|---|
| 6 | |
|---|
| 7 | Each subdirectory has a README script which includes a description |
|---|
| 8 | of the scenario, and the calls that generate the needed credentials. |
|---|
| 9 | There is a run_query script which sets up and runs couple of typical |
|---|
| 10 | query using abac_prover_yap. |
|---|
| 11 | |
|---|
| 12 | runall, is the top level script that will cleanup and setup the |
|---|
| 13 | credentials needed in each subdirectories |
|---|
| 14 | |
|---|
| 15 | runcheck, is the top level script that initiates the run_query scripts |
|---|
| 16 | within each subdirectory with ABAC_CN mode (see below); captures the |
|---|
| 17 | result and compares with the baseline result stored in allout.save. |
|---|
| 18 | runcheck also makes a complete run_query run without ABAC_CN enabled as |
|---|
| 19 | a regression testing and runs a query using python in one of the |
|---|
| 20 | subdirectory |
|---|
| 21 | |
|---|
| 22 | abac_prover_yap |
|---|
| 23 | |
|---|
| 24 | Usage: abac_prover_yap |
|---|
| 25 | --keystore <keystore> |
|---|
| 26 | --role <keyid.role> --principal <keyid> |
|---|
| 27 | --oset <keyid.oset> --object <otype> |
|---|
| 28 | loads the keystore and runs the query role <-?- principal |
|---|
| 29 | the query oset <-?- object |
|---|
| 30 | --dump <file> |
|---|
| 31 | extracts all credentials from the prolog db |
|---|
| 32 | |
|---|
| 33 | keystore is the location where the prover will search to load credentials. |
|---|
| 34 | All accessible identity credentials and attribute credentials will be |
|---|
| 35 | picked up one file at a time. |
|---|
| 36 | |
|---|
| 37 | role, oset, principal, and object are specified with principal's SHA1 |
|---|
| 38 | value extracted from the credentials that are loaded from keystore location |
|---|
| 39 | using creddy. Example can be found in the run_queryscript. |
|---|
| 40 | |
|---|
| 41 | An actual example from balltime_rt2_typed, |
|---|
| 42 | |
|---|
| 43 | abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed |
|---|
| 44 | --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium |
|---|
| 45 | ([string:'access'],[boolean:true],[time:20120228T130000]) |
|---|
| 46 | --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0] |
|---|
| 47 | |
|---|
| 48 | Currently, the dump option might fail if not enough information is |
|---|
| 49 | stored in the backend db. It will be reimplemented in the near future. |
|---|
| 50 | |
|---|
| 51 | Two useful environment variables, |
|---|
| 52 | |
|---|
| 53 | DUMP_DB, extract the complete yap db to stdout |
|---|
| 54 | ABAC_CN, use CN instead of SHA1 value for identifying the principals. This |
|---|
| 55 | is useful for debugging purpose but will not resolve conflict when CN is not |
|---|
| 56 | uniquely associated with each principal's SHA1 value. |
|---|
| 57 | |
|---|
| 58 | env ABAC_CN=1 runall run |
|---|
| 59 | or |
|---|
| 60 | env DUMP_DB=1 ABAC_CN=1 run_query |
|---|
| 61 | |
|---|
| 62 | |
|---|
