source: examples/access_rt2_typed/README @ 7727f26

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 7727f26 was 9806e76, checked in by Mei <mei@…>, 13 years ago

1) add handling for typed anonymous term, [int:?]
2) make a pass through abac/doc
3) fix up creddy to take oset option at different calls

  • Property mode set to 100755
File size: 4.1 KB
Line 
1#!/bin/sh
2
3#####################################################################
4# This example demonstrates using an oset (object set) to control access
5# to files based on the attributes of the principals.  The script creates
6# three principals Alpha, Bob and Joe and sets out the access policy.
7#
8# files are named by URNs and are not principals.
9#
10# A principal's access rights are controlled by the Alpha principal.  If a
11# principal has the role role::aceess(string:'Read', urn:filename) that
12# principal can Read filename. 
13# The policy names 2 teams, proj1 and proj1.  A principal is on proj1 if it
14# has the role team(string:'proj1') defined by Alpha (written
15# [keyid:Alpha}.role:team(string:'proj1')).  Each project has an associated set
16# of files, defined by object sets.  A file is in proj1's documents if it is in
17# the oset of documents('proj1') defined by Alpha, written
18# [keyid:Alpha].oset:documents(string:'proj1'))
19#
20# The example below lays out the policy that members of a given project can
21# Read the documents of that project in Credential 1 and adds file://fileA to
22# the document set for proj1 in Credential 2 - note that no principal is
23# required for fileA.  Credentials 3 & 4 add Bob to proj1 and Joe to proj2.
24#
25# The attached ./rr file runs 3 queries.  First it confirms that Bob can Read
26# fileA, then it confirms that Joe cannot.  Finally it confirms that Joe is in
27# proj2.
28
29rm -rf *.der *.pem
30
31# alpha.access(Read,fileA)<-?-bob  good
32# [keyid:Alpha].role:access([string:'Read'],[urn:'file//fileA']) <-?- [keyid:Bob] (yes)
33
34creddy --generate --cn Alpha
35creddy --generate --cn Bob
36creddy --generate --cn Joe
37
38alpha_keyid=`creddy --keyid --cert Alpha_ID.pem`
39bob_keyid=`creddy --keyid --cert Bob_ID.pem`
40joe_keyid=`creddy --keyid --cert Joe_ID.pem`
41
42
43access_qFqP="access([string:'Read'],[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])])"
44team_qP="team([string:?P])"
45
46#[keyid:alpha].role:access([string:'Read'],
47#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
48#                                     <- [keyid:alpha].role:team([string:?P])
49# Credential 1
50creddy --attribute \
51       --issuer Alpha_ID.pem --key Alpha_private.pem --role "$access_qFqP" \
52       --subject-cert Alpha_ID.pem --subject-role "$team_qP" \
53       --out Alpha_access_qFqP__alpha_team_qP_attr.der
54
55
56#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
57creddy --attribute \
58        --issuer Alpha_ID.pem --key Alpha_private.pem \
59        --oset "documents([string:'proj1'])" \
60        --subject-obj "[urn:'file//fileA']" \
61        --out Alpha_documents_proj1__fileA_attr.der
62
63# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
64creddy --attribute \
65        --issuer Alpha_ID.pem --key Alpha_private.pem \
66        --role "team([string:'proj1'])" \
67        --subject-cert Bob_ID.pem \
68        --out Alpha_team_proj1__Bob_attr.der
69
70# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
71creddy --attribute \
72        --issuer Alpha_ID.pem --key Alpha_private.pem \
73        --role "team([string:'proj2'])" \
74        --subject-cert Joe_ID.pem \
75        --out Alpha_team_proj2__Joe_attr.der
76
77
78#####################################################################
79# alpha.access(Read,?F:alpha.documents(?proj)) <- alpha.team(?proj)
80# [keyid:alpha].role:access([string:'Read'],
81#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
82#                                     <- [keyid:alpha].role:team([string:?P])
83#
84# [keyid:alpha].role:access([string:'Read'], [urn:?F])<- [principal:?B]
85#                [keyid:alpha].oset:documents([string:?P) <- [urn:?F]
86#                [keyid:alpha].role:team([string:?P]) <- [principal:?B]
87#
88#
89# alpha.documents(proj1)<-fileA
90# [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
91# isMember('file//fileA', oset(alpha,documents,'proj1'))
92#
93# alpha.team(proj1)<-bob
94# [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
95# isMember(bob,role(alpha,team,'proj1'))
96#
97# query,
98# alpha.access(Read,fileA)<-?-bob  good
99# [keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) <- [keyid:bob]
100# isMember(bob, role(alpha, access, 'Read', 'file//fileA')).
101#
Note: See TracBrowser for help on using the repository browser.