| 1 | |
|---|
| 2 | Example directories |
|---|
| 3 | |
|---|
| 4 | This directory contains various ABAC scenario that exercises |
|---|
| 5 | various feature of the current implmentation with YAP prolog db. |
|---|
| 6 | |
|---|
| 7 | The frontend query client is abac_yap_prover. |
|---|
| 8 | |
|---|
| 9 | Each subdirectory has a README script which includes a description |
|---|
| 10 | of the scenario and the calls that are needed to generate the |
|---|
| 11 | credentials. There is a rr script which sets up and run couple |
|---|
| 12 | of typical query using abac_yap_prover. |
|---|
| 13 | |
|---|
| 14 | runall, is the top level script that will cleanup and setup the |
|---|
| 15 | credentials needed in each subdirectories |
|---|
| 16 | |
|---|
| 17 | runcheck, is the top level script that initiate the run_query script |
|---|
| 18 | within each subdirectories; capture the result and diff with the |
|---|
| 19 | baseline output in allout.save. |
|---|
| 20 | |
|---|
| 21 | abac_yap_prover |
|---|
| 22 | |
|---|
| 23 | Usage: abac_prover_yap |
|---|
| 24 | --keystore <keystore> |
|---|
| 25 | --role <keyid.role> --principal <keyid> |
|---|
| 26 | --oset <keyid.oset> --object <otype> |
|---|
| 27 | loads the keystore and runs the query role <-?- principal |
|---|
| 28 | the query oset <-?- object |
|---|
| 29 | --dump <file> |
|---|
| 30 | extracts all credentials from the prolog db |
|---|
| 31 | |
|---|
| 32 | keystore is the location where the prover will search for credentials. |
|---|
| 33 | All accessible iden credentials and attribute credentials will be |
|---|
| 34 | picked up one file at a time. |
|---|
| 35 | |
|---|
| 36 | role, oset, principal, and object are specified with principal's SHA |
|---|
| 37 | value extracted from keystore location using creddy. Example can be found |
|---|
| 38 | in the rr script. |
|---|
| 39 | |
|---|
| 40 | An actual example from balltime_rt2_typed is here, |
|---|
| 41 | abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed |
|---|
| 42 | --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium |
|---|
| 43 | ([string:'access'],[boolean:true],[time:20120228T130000]) |
|---|
| 44 | --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0] |
|---|
| 45 | |
|---|
| 46 | Currently, the dump option might fail if not enough information is |
|---|
| 47 | stored in the backend db. It will be reimplemented in the near future. |
|---|
| 48 | |
|---|
| 49 | Two useful environment variables, |
|---|
| 50 | |
|---|
| 51 | DUMP_DB, extract the complete yap db to stdout |
|---|
| 52 | ABAC_CN, use CN instead of SHA value for identifying the principal keyid. This |
|---|
| 53 | is useful for debugging purpose but will not resolve conflict when CN is not |
|---|
| 54 | uniquely associated with each principal SHA value. |
|---|
| 55 | |
|---|
| 56 | env ABAC_CN=1 runall run |
|---|
| 57 | or |
|---|
| 58 | env DUMP_DB=1 ABAC_CN=1 rr |
|---|
| 59 | |
|---|
| 60 | |
|---|
| 61 | |
|---|
| 62 | |
|---|
