This directory contains various ABAC scenarios that exercise
various features of the current RT2 implementation using YAP prolog.

The frontend query client is abac_prover_yap.

Each subdirectory has a README script which includes a description
of the scenario and the creddy calls that generate the needed credentials.
There is a run_query script which sets up and runs a couple of typical
queries using abac_prover_yap.

runcheck is the top level script that initiates the run_query scripts
within each subdirectory in ABAC_CN mode (see below); it captures the
result and compares it with the baseline result stored in allout.save.
runcheck also makes a complete run_query run without ABAC_CN enabled as
a round of regression testing. runcheck calls .runall to clean up all
the byproducts of a run and also to set up the credentials needed in each
subdirectory.

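The following is an added example of the runcheck flow just described; it is not the project's own runcheck script. It only reuses the names this README gives (run_query, allout, allout.save); the demo tree it builds is constructed here for illustration and does not run the real prover.

```shell
#!/bin/sh
# Added example: a minimal stand-in for the runcheck flow described above.
# It is not the project's runcheck script; the names run_query, allout and
# allout.save follow this README, and the demo tree is constructed here.

# check_scenarios <examples-dir>
#   For each subdirectory of <examples-dir> that has an executable run_query,
#   run it with ABAC_CN=1 and append its output, headed by the scenario name,
#   to <examples-dir>/allout.  Then compare allout with the saved baseline
#   allout.save.  Returns 0 if the run matches the baseline, 1 otherwise.
check_scenarios() {
    dir=$1
    : > "$dir/allout"
    for scenario in "$dir"/*/; do
        scenario=${scenario%/}
        [ -x "$scenario/run_query" ] || continue
        echo "=== $(basename "$scenario")" >> "$dir/allout"
        # ABAC_CN=1 makes the prover print CNs instead of SHA1 keyids so the
        # baseline stays readable; see the ABAC_CN note in this README.
        ( cd "$scenario" && env ABAC_CN=1 ./run_query ) >> "$dir/allout" 2>&1
    done
    if diff -u "$dir/allout.save" "$dir/allout"; then
        echo "all scenarios match $dir/allout.save"
        return 0
    fi
    echo "output differs from baseline (diff above)" >&2
    return 1
}

# make_demo_tree
#   Build a throwaway examples tree (constructed demo data, not real prover
#   output): two scenarios whose run_query just echoes a canned answer plus
#   the value of ABAC_CN it saw, and a matching allout.save.  Prints the path.
make_demo_tree() {
    tree=$(mktemp -d)
    for s in scenario_a scenario_b; do
        mkdir -p "$tree/$s"
        printf '#!/bin/sh\necho "%s: role <-?- principal: ABAC_CN=${ABAC_CN:-unset}"\n' \
            "$s" > "$tree/$s/run_query"
        chmod +x "$tree/$s/run_query"
    done
    printf '=== scenario_a\nscenario_a: role <-?- principal: ABAC_CN=1\n' > "$tree/allout.save"
    printf '=== scenario_b\nscenario_b: role <-?- principal: ABAC_CN=1\n' >> "$tree/allout.save"
    echo "$tree"
}

# Stand-alone demo: ./check_scenarios.sh demo
if [ "${1:-}" = "demo" ]; then
    tree=$(make_demo_tree)
    check_scenarios "$tree"
    echo "--- now corrupt the baseline; the check must fail:"
    echo "bogus line" >> "$tree/allout.save"
    check_scenarios "$tree" || echo "mismatch detected as expected"
    rm -rf "$tree"
fi
```

Against a real checkout you would source the file and call check_scenarios with the examples directory; the baseline is regenerated by copying allout over allout.save only after the diff has been reviewed, otherwise a changed prover answer is silently accepted.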
abac_prover_yap

Usage: abac_prover_yap
          --keystore <keystore>
          --role <keyid.role> --principal <keyid>
          --oset <keyid.oset> --object <otype>
              loads the keystore and runs the query role <-?- principal
              or the query oset <-?- object
          --dump <file>
              extracts all credentials from the prolog db
          --dbdump
              extracts all prolog rules directly from the prolog db

keystore is the location where the prover will search to load credentials.
All accessible identity credentials and attribute credentials will be
picked up one file at a time.

role, oset, principal, and object are specified with the principal's SHA1
value, extracted using creddy from the credentials that are loaded from the
keystore location. Examples can be found in the run_query scripts.

An actual example from balltime_rt2_typed (when typed at a shell prompt the
role argument must be quoted, since it contains parentheses and a single quote):

abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed
    --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium([string:'access'],[boolean:true],[time:20120228T130000])
    --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]

One useful environment variable:

ABAC_CN: use the CN instead of the SHA1 value for identifying the principals.
This is useful for debugging purposes, but it will not resolve the conflict
when a CN is not uniquely associated with each principal's SHA1 value: two
principals whose certificates carry the same CN become indistinguishable in
the output.

    env ABAC_CN=1 runall run
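
The CN-collision case is easy to check for before trusting ABAC_CN output. The following is an added example, not part of libabac: it takes a list of "<sha1 keyid> <CN>" pairs (one per identity credential in the keystore; producing that list with creddy is assumed here, and the sample data is constructed) and reports every CN that belongs to more than one key.

```shell
#!/bin/sh
# Added example (not part of libabac): find CNs that are shared by more than
# one principal, the case in which ABAC_CN output is ambiguous.
#
# Assumed input format: one line per identity credential in the keystore,
# "<sha1 keyid> <CN>", produced with creddy from the certificates in the
# keystore.  CNs are assumed to contain no whitespace.  The sample below is
# constructed; the keyids are placeholders, not real principals.

# cn_conflicts
#   Reads "<sha1> <CN>" lines on stdin and prints one line per CN that maps
#   to more than one distinct SHA1 keyid, as "<CN>: <sha1> <sha1> ...".
#   Returns 1 if any such CN exists (ABAC_CN would be ambiguous), 0 otherwise.
cn_conflicts() {
    # sort -u drops a credential that was listed twice; only genuinely
    # different keyids behind the same CN count as a conflict.
    conflicts=$(sort -u | awk '
        { n[$2]++; ids[$2] = ids[$2] " " $1 }
        END { for (cn in n) if (n[cn] > 1) print cn ":" ids[cn] }' | sort)
    [ -n "$conflicts" ] || return 0
    printf '%s\n' "$conflicts"
    return 1
}

# Constructed sample: four credentials, two of which carry the same CN
# "ticketholder" but belong to different keys.  One line is repeated to show
# that a duplicate listing of the same key is not reported.
SAMPLE='aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa stadium
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb ticketholder
cccccccccccccccccccccccccccccccccccccccc ticketholder
bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb ticketholder
dddddddddddddddddddddddddddddddddddddddd alice'

# Stand-alone demo: ./cn_conflicts.sh demo
if [ "${1:-}" = "demo" ]; then
    if printf '%s\n' "$SAMPLE" | cn_conflicts; then
        echo "CNs are unique; ABAC_CN output is unambiguous"
    else
        echo "ABAC_CN output would be ambiguous for the CNs above"
    fi
fi
```

If the check reports a CN, the SHA1 form of the query output is the only one that distinguishes the principals, and a baseline captured in ABAC_CN mode for that keystore cannot tell a proof through one of them from a proof through the other.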