source: examples/access_rt2_typed/README @ b84753b

Last change on this file since b84753b was 9502c50, checked in by Mei <mei@…>, 13 years ago

1) rename examples' rr to run_query
2) updated some doc
3) add decode to creddy --roles and creddy --display --show so it will show a more useful attribute rule string

4) stub in the python script in one of the example directory

  • Property mode set to 100755
File size: 4.1 KB
#!/bin/sh

#####################################################################
# This example demonstrates using an oset (object set) to control access
# to files based on the attributes of the principals.  The script creates
# three principals Alpha, Bob and Joe and sets out the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal.  If a
# principal has the role role:access(string:'Read', urn:filename) that
# principal can Read filename.
# The policy names 2 teams, proj1 and proj2.  A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')).  Each project has an associated set
# of files, defined by object sets.  A file is in proj1's documents if it is in
# the oset of documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1').
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA.  Credentials 3 & 4 add Bob to proj1 and Joe to proj2.
#
# The attached ./run_query file runs 3 queries.  First it confirms that Bob can Read
# fileA, then it confirms that Joe cannot.  Finally it confirms that Joe is in
# proj2.

# access_rt2_typed

# alpha.access(Read,fileA)<-?-bob  good
# [keyid:Alpha].role:access([string:'Read'],[urn:'file//fileA']) <-?- [keyid:Bob] (yes)

# Generate an identity certificate and private key for each principal.
creddy --generate --cn Alpha
creddy --generate --cn Bob
creddy --generate --cn Joe

# The key ids are needed to name Alpha inside the typed role strings below.
alpha_keyid=`creddy --keyid --cert Alpha_ID.pem`
bob_keyid=`creddy --keyid --cert Bob_ID.pem`
joe_keyid=`creddy --keyid --cert Joe_ID.pem`

# Typed role strings with variables: ?F ranges over files in Alpha's
# documents oset for project ?P, and ?P over project names.
access_qFqP="access([string:'Read'],[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])])"
team_qP="team([string:?P])"

#[keyid:alpha].role:access([string:'Read'],
#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
#                                     <- [keyid:alpha].role:team([string:?P])
# Credential 1
creddy --attribute \
       --issuer Alpha_ID.pem --key Alpha_private.pem --role "$access_qFqP" \
       --subject-cert Alpha_ID.pem --subject-role "$team_qP" \
       --out Alpha_access_qFqP__alpha_team_qP_attr.der


# Credential 2
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem \
        --oset "documents([string:'proj1'])" \
        --subject-obj "[urn:'file//fileA']" \
        --out Alpha_documents_proj1__fileA_attr.der

# Credential 3
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem \
        --role "team([string:'proj1'])" \
        --subject-cert Bob_ID.pem \
        --out Alpha_team_proj1__Bob_attr.der

# Credential 4
# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
creddy --attribute \
        --issuer Alpha_ID.pem --key Alpha_private.pem \
        --role "team([string:'proj2'])" \
        --subject-cert Joe_ID.pem \
        --out Alpha_team_proj2__Joe_attr.der


#####################################################################
# alpha.access(Read,?F:alpha.documents(?proj)) <- alpha.team(?proj)
# [keyid:alpha].role:access([string:'Read'],
#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
#                                     <- [keyid:alpha].role:team([string:?P])
#
# Expanded: a principal ?B is in access(Read, ?F) when all three hold:
# [keyid:alpha].role:access([string:'Read'], [urn:?F])<- [principal:?B]
#                [keyid:alpha].oset:documents([string:?P]) <- [urn:?F]
#                [keyid:alpha].role:team([string:?P]) <- [principal:?B]
#
#
# alpha.documents(proj1)<-fileA
# [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
# isMember('file//fileA', oset(alpha,documents,'proj1'))
#
# alpha.team(proj1)<-bob
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
# isMember(bob,role(alpha,team,'proj1'))
#
# query,
# alpha.access(Read,fileA)<-?-bob  good
# [keyid:alpha].role:access([string:'Read'],[urn:'file//fileA']) <- [keyid:bob]
# isMember(bob, role(alpha, access, 'Read', 'file//fileA')).
#
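The derivation sketched in the closing comment block (oset membership of fileA, team membership of Bob, and the access rule joining them on ?P) can be checked with a small evaluator. The following is an added example written for this page; it is not the ABAC library's prover or any part of the creddy tool. It models the four credentials above as plain Python tuples using the same names (Alpha, Bob, Joe, proj1, proj2, the file URN spelled 'file//fileA' exactly as in the script), computes the closure of the fact set by enumerating every grounding of a rule's variables over the constants that occur in the credentials, and answers the three queries that ./run_query is described as making.

```python
"""Minimal bottom-up evaluator for the access_rt2_typed policy (added example,
not the ABAC library's prover).  Credentials are plain tuples that mirror the
bracketed comment notation in the script; close() enumerates every grounding of
a rule's variables over the constants in the credential set and keeps adding
facts until nothing changes."""
from itertools import product

# Term:        (type, value)            e.g. ('string', 'Read'), ('keyid', 'Bob')
# Variable:    a term whose value starts with '?', e.g. ('string', '?P')
# Oset-typed:  (type, value, oset_ref)  for [urn:?F[keyid:Alpha].oset:documents(...)]
# Ref:         (issuer, kind, name, params) for [keyid:issuer].kind:name(params)
# Credential:  (head_ref, ('const', term)) or (head_ref, ('ref', body_ref))


def ref(issuer, kind, name, *params):
    return (issuer, kind, name, tuple(params))


def is_var(term):
    return term[1].startswith('?')


ALPHA_TEAM_P = ref('Alpha', 'role', 'team', ('string', '?P'))
ALPHA_DOCS_P = ref('Alpha', 'oset', 'documents', ('string', '?P'))

# Credentials 1-4 of the script, in the same order (constructed to match the comments).
CREDENTIALS = [
    (ref('Alpha', 'role', 'access', ('string', 'Read'), ('urn', '?F', ALPHA_DOCS_P)),
     ('ref', ALPHA_TEAM_P)),                                            # Credential 1
    (ref('Alpha', 'oset', 'documents', ('string', 'proj1')),
     ('const', ('urn', 'file//fileA'))),                                # Credential 2
    (ref('Alpha', 'role', 'team', ('string', 'proj1')),
     ('const', ('keyid', 'Bob'))),                                      # Credential 3
    (ref('Alpha', 'role', 'team', ('string', 'proj2')),
     ('const', ('keyid', 'Joe'))),                                      # Credential 4
]


def terms_of(r):
    """Every term inside a ref, descending into oset constraints."""
    for p in r[3]:
        yield p
        if len(p) == 3:
            yield from terms_of(p[2])


def cred_terms(cred):
    head, (bkind, body) = cred
    yield from terms_of(head)
    yield from ([body] if bkind == 'const' else terms_of(body))


def domains(creds):
    """Constants grouped by type: the finite universe the variables range over."""
    dom = {}
    for c in creds:
        dom.setdefault('keyid', set()).add(c[0][0])        # issuers are principals too
        for t in cred_terms(c):
            if not is_var(t):
                dom.setdefault(t[0], set()).add(t[1])
    return dom


def bind(r, subst):
    """Substitute variable values, keeping oset constraints attached."""
    out = []
    for p in r[3]:
        val = subst.get(p[1], p[1]) if is_var(p) else p[1]
        out.append((p[0], val, bind(p[2], subst)) if len(p) == 3 else (p[0], val))
    return (r[0], r[1], r[2], tuple(out))


def plain(r):
    """Drop oset constraints so a ground ref can serve as a fact key."""
    return (r[0], r[1], r[2], tuple(p[:2] for p in r[3]))


def constraints(r):
    """(term, oset_ref) pairs: the term must already be a member of that oset."""
    return [(p[:2], p[2]) for p in r[3] if len(p) == 3]


def close(creds):
    """Fact set {(ground_ref, member)} closed under the credentials."""
    facts, dom = set(), domains(creds)
    changed = True
    while changed:
        changed = False
        for head, (bkind, body) in creds:
            variables = sorted({t[:2] for t in cred_terms((head, (bkind, body))) if is_var(t)})
            for values in product(*(sorted(dom.get(v[0], ())) for v in variables)):
                subst = dict(zip((v[1] for v in variables), values))
                ghead = bind(head, subst)
                # an oset-typed parameter only matches values already proven in that oset
                if not all((plain(o), t) in facts for t, o in constraints(ghead)):
                    continue
                if bkind == 'const':
                    members = {body}
                else:
                    gbody = plain(bind(body, subst))
                    members = {m for r, m in facts if r == gbody}
                new = {(plain(ghead), m) for m in members} - facts
                if new:
                    facts |= new
                    changed = True
    return facts


FACTS = close(CREDENTIALS)


def is_member(principal, r, facts=FACTS):
    """Answers [keyid:Alpha].role:name(...) <-?- [keyid:principal]."""
    return (plain(r), ('keyid', principal)) in facts


ACCESS_READ_FILEA = ref('Alpha', 'role', 'access', ('string', 'Read'), ('urn', 'file//fileA'))
TEAM_PROJ2 = ref('Alpha', 'role', 'team', ('string', 'proj2'))

if __name__ == '__main__':
    print('Bob can Read fileA:', is_member('Bob', ACCESS_READ_FILEA))   # True
    print('Joe can Read fileA:', is_member('Joe', ACCESS_READ_FILEA))   # False
    print('Joe is in proj2:   ', is_member('Joe', TEAM_PROJ2))          # True
```

The only non-trivial step is the oset-typed parameter of Credential 1: `?F` is allowed to bind to a file only once that file has been proven a member of `documents(?P)` for the same `?P` binding, which is why the closure needs a second pass after Credentials 2 to 4 have produced their facts. Joe's query fails not because of a missing rule but because `documents('proj2')` has no members, which is the point of the example's policy.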