This directory contains various ABAC scenarios that exercise
various features of the current RT2 implementation using YAP Prolog.

The frontend query client is abac_yap_prover.

Each subdirectory has a README script which includes a description
of the scenario and the calls that generate the needed credentials.
There is a run_query script which sets up and runs a couple of typical
queries using abac_yap_prover.

runall is the top-level script that cleans up and sets up the
credentials needed in each subdirectory.

runcheck is the top-level script that initiates the run_query script
within each subdirectory in ABAC_CN mode (see below), captures the
result and compares it with the baseline result stored in allout.save.
runcheck also makes a complete run_query pass without ABAC_CN enabled as
a regression test, and runs a query using Python in one of the
subdirectories.

abac_yap_prover

Usage: abac_prover_yap
         --keystore <keystore>
         --role <keyid.role> --principal <keyid>
         --oset <keyid.oset> --object <otype>
             loads the keystore and runs the query role <-?- principal
             or the query oset <-?- object
         --dump <file>
             extracts all credentials from the prolog db

keystore is the location where the prover will search to load credentials.
All accessible identity credentials and attribute credentials will be
picked up one file at a time.

role, oset, principal, and object are specified with the principal's SHA1
value, which is extracted (using creddy) from the credentials loaded from the
keystore location. An example can be found in the run_query script.

An actual example from balltime_rt2_typed (the role argument is quoted because
it contains brackets, parentheses and single quotes, which the shell would
otherwise interpret):

abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed \
    --role "[keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium([string:'access'],[boolean:true],[time:20120228T130000])" \
    --principal "[keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]"
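The role and principal arguments above follow a small syntax: [keyid:<sha1>] for a principal, and [keyid:<sha1>].role:<name>(<typed params>) for a typed role. The following Python is an added example, not part of the abac distribution or of these scripts: it validates both forms before they reach the prover (a keyid that is not 40 hex digits, an unknown parameter type, or a malformed parameter list is rejected) and builds an argv list for abac_prover_yap so that no shell quoting is needed. The parameter types (string, boolean, time) and the time format are taken from the example above; the conversion of the time value to a datetime and the exact set of accepted types are assumptions.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime

# Principal as written on the prover command line: [keyid:<40 hex chars>]
_KEYID_RE = re.compile(r"^\[keyid:([0-9a-f]{40})\]$")
# One typed parameter inside the role's parenthesised list, e.g. [string:'access']
_PARAM_RE = re.compile(r"^\[(\w+):(.*)\]$")


@dataclass
class TypedRole:
    keyid: str                                   # SHA1 of the issuing principal
    name: str                                    # role name, e.g. "stadium"
    params: list = field(default_factory=list)   # (type, converted value) pairs


def parse_keyid(text):
    """Return the 40-hex-digit SHA1 from '[keyid:<sha1>]' or raise ValueError."""
    m = _KEYID_RE.match(text.strip())
    if not m:
        raise ValueError("expected [keyid:<sha1>], got %r" % text)
    return m.group(1)


def _split_params(body):
    """Split the parameter list at top-level commas; commas inside '...' are kept."""
    out, cur, quoted = [], [], False
    for ch in body:
        if ch == "'":
            quoted = not quoted
        if ch == "," and not quoted:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        out.append("".join(cur))
    return out


def _convert(typ, raw):
    """Convert a parameter's textual value according to its type tag (assumed set)."""
    if typ == "string":
        if not (raw.startswith("'") and raw.endswith("'")):
            raise ValueError("string value must be single-quoted: %r" % raw)
        return raw[1:-1]
    if typ == "boolean":
        if raw not in ("true", "false"):
            raise ValueError("boolean must be true or false: %r" % raw)
        return raw == "true"
    if typ == "time":
        # Format as in the page's example: 20120228T130000
        return datetime.strptime(raw, "%Y%m%dT%H%M%S")
    raise ValueError("unknown parameter type %r" % typ)


def parse_role(text):
    """Parse '[keyid:<sha1>].role:<name>' with an optional '(<typed params>)' suffix."""
    head, sep, rest = text.strip().partition(".role:")
    if not sep:
        raise ValueError("missing '.role:' in %r" % text)
    keyid = parse_keyid(head)
    name, paren, tail = rest.partition("(")
    if not re.match(r"^\w+$", name):
        raise ValueError("bad role name %r" % name)
    params = []
    if paren:
        if not tail.endswith(")"):
            raise ValueError("unbalanced parameter list in %r" % text)
        for item in _split_params(tail[:-1]):
            m = _PARAM_RE.match(item.strip())
            if not m:
                raise ValueError("bad parameter %r" % item)
            params.append((m.group(1), _convert(m.group(1), m.group(2))))
    return TypedRole(keyid, name, params)


def query_argv(keystore, role, principal, prover="abac_prover_yap"):
    """argv for a 'role <-?- principal' query. Pass it to subprocess.run without
    shell=True: the brackets, parentheses and quotes then need no escaping."""
    parse_role(role)                     # reject malformed input before spawning
    sha1 = parse_keyid(principal)
    return [prover, "--keystore", keystore,
            "--role", role, "--principal", "[keyid:%s]" % sha1]


if __name__ == "__main__":
    # Constructed input copied from the balltime_rt2_typed example above.
    role = ("[keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium"
            "([string:'access'],[boolean:true],[time:20120228T130000])")
    print(parse_role(role))
    print(query_argv("/home/mei/Deter/abac/examples/balltime_rt2_typed", role,
                     "[keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]"))
```

Validating the keyid as exactly 40 hex digits matters because the SHA1 is what identifies the principal; a truncated or CN-like value would otherwise be passed through to the prover and silently fail to match any loaded credential.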

Currently, the dump option might fail if not enough information is
stored in the backend db. It will be reimplemented in the near future.

Two useful environment variables:

DUMP_DB, extract the complete YAP db to stdout.
ABAC_CN, use the CN instead of the SHA1 value for identifying principals.
This is useful for debugging, but it does not resolve the ambiguity that
arises when a CN is not uniquely associated with one principal's SHA1 value:
two principals sharing a CN become indistinguishable in the output, so the
SHA1 form remains the authoritative one and ABAC_CN should not be relied on
for anything other than debugging.

env ABAC_CN=1 runall run
or
env DUMP_DB=1 ABAC_CN=1 run_query
