1 | |
---|
2 | Example directories |
---|
3 | |
---|
4 | This directory contains various ABAC scenario that exercises |
---|
5 | various feature of the current implmentation with YAP prolog db. |
---|
6 | |
---|
7 | The frontend query client is abac_yap_prover. |
---|
8 | |
---|
9 | Each subdirectory has a README script which includes a description |
---|
10 | of the scenario and the calls that are needed to generate the |
---|
11 | credentials. There is a rr script which sets up and run couple |
---|
12 | of typical query using abac_yap_prover. |
---|
13 | |
---|
14 | runall, is the top level script that will cleanup and setup the |
---|
15 | credentials needed in each subdirectories |
---|
16 | |
---|
17 | runcheck, is the top level script that initiate the run_query script |
---|
18 | within each subdirectories; capture the result and diff with the |
---|
19 | baseline output in allout.save. |
---|
20 | |
---|
21 | abac_yap_prover |
---|
22 | |
---|
23 | Usage: abac_prover_yap |
---|
24 | --keystore <keystore> |
---|
25 | --role <keyid.role> --principal <keyid> |
---|
26 | --oset <keyid.oset> --object <otype> |
---|
27 | loads the keystore and runs the query role <-?- principal |
---|
28 | the query oset <-?- object |
---|
29 | --dump <file> |
---|
30 | extracts all credentials from the prolog db |
---|
31 | |
---|
32 | keystore is the location where the prover will search for credentials. |
---|
33 | All accessible iden credentials and attribute credentials will be |
---|
34 | picked up one file at a time. |
---|
35 | |
---|
36 | role, oset, principal, and object are specified with principal's SHA |
---|
37 | value extracted from keystore location using creddy. Example can be found |
---|
38 | in the rr script. |
---|
39 | |
---|
40 | An actual example from balltime_rt2_typed is here, |
---|
41 | abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed |
---|
42 | --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium |
---|
43 | ([string:'access'],[boolean:true],[time:20120228T130000]) |
---|
44 | --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0] |
---|
45 | |
---|
46 | Currently, the dump option might fail if not enough information is |
---|
47 | stored in the backend db. It will be reimplemented in the near future. |
---|
48 | |
---|
49 | Two useful environment variables, |
---|
50 | |
---|
51 | DUMP_DB, extract the complete yap db to stdout |
---|
52 | ABAC_CN, use CN instead of SHA value for identifying the principal keyid. This |
---|
53 | is useful for debugging purpose but will not resolve conflict when CN is not |
---|
54 | uniquely associated with each principal SHA value. |
---|
55 | |
---|
56 | env ABAC_CN=1 runall run |
---|
57 | or |
---|
58 | env DUMP_DB=1 ABAC_CN=1 rr |
---|
59 | |
---|
60 | |
---|
61 | |
---|
62 | |
---|