source: examples/file_read_rt2_typed/README @ 9806e76

mei_rt2mei_rt2_fix_1meiyap-rt1rt2
Last change on this file since 9806e76 was 2c01913, checked in by Ted Faber <faber@…>, 12 years ago

Added docs
  • Property mode set to 100755
File size: 3.5 KB
Line 
1#!/bin/sh
2
3rm -rf *.der *.pem
4#####################################################################
5# This example demonstrates using a parameters to control access to files based
6# on the attributes of the principals.  The script creates three principals
7# Alpha, Bob, Maryann and Joe and sets out the access policy.
8#
9# files are named by URNs and are not principals.
10#
11# A principal's access rights are controlled by the Alpha principal.  If a
12# principal has the role role::read(urn:filename) that
13# principal can read filename.  The policy is that the manager of the owner of
14# a file can read it. (Presumably the owner can, too, but that is not encoded
15# here.)
16#
17# The example below lays out the policy that the manager of the owner of a file
18# can read it in Credential 1. Credential 2 establishes Bob as the manager of
19# Joe. and Credential 3 establishes Joe as the woner fo the file.
20#
21# The attached ./rr file runs 2 queries.  First it confirms that Bob can read
22# fileA, then it confirms that Maryann cannot.
23
24
25# alpha.read(fileA) <-?- Bob
26#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Bob] (yes)
27#[keyid:Alpha].role:read([urn:'file://fileA']) <-?- [keyid:Maryann] (yes)
28
29creddy --generate --cn Alpha
30creddy --generate --cn Bob
31creddy --generate --cn Maryann
32creddy --generate --cn Joe
33
34alpha_keyid=`creddy --keyid --cert Alpha_ID.pem`
35bob_keyid=`creddy --keyid --cert Bob_ID.pem`
36maryann_keyid=`creddy --keyid --cert Maryann_ID.pem`
37joe_keyid=`creddy --keyid --cert Joe_ID.pem`
38
39read_fileA="read([urn:'file://fileA'])"
40managerof_joe="managerOf([keyid:$joe_keyid])"
41ownerof_fileA="ownerOf([urn:'file://fileA'])"
42managerof_qE="managerOf([principal:?E[keyid:$alpha_keyid].role:ownerOf([urn:?F])])"
43
44# alpha.read(?F) <- alpha.managerOf(?E:alpha.ownerOf(?F))
45# [keyid:alpha].role:read([urn:?F])<-
46#    [keyid:alpha].role:managerOf([principal:?E[keyid:alpha].role:ownerOf([urn:?F])]
47creddy --attribute \
48       --issuer Alpha_ID.pem --key Alpha_private.pem --role "read([urn:?F])" \
49       --subject-cert Alpha_ID.pem --subject-role "$managerof_qE" \
50       --out Alpha_read_qF__alpha_managerof_qE_attr.der
51
52#[keyid:Alpha].role:managerOf([Keyid:Joe]) <- [keyid:Bob]
53creddy --attribute \
54        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$managerof_joe" \
55        --subject-cert Bob_ID.pem \
56        --out Alpha_managerof_Joe__Bob_attr.der
57
58#[keyid:Alpha].role:ownerOf([urn:'file://fileA']) <- [keyid:Joe]
59creddy --attribute \
60        --issuer Alpha_ID.pem --key Alpha_private.pem --role "$ownerof_fileA" \
61        --subject-cert Joe_ID.pem \
62        --out Alpha_ownerof_fileA__Joe_attr.der
63
64####################################################################################
65# note:
66#
67# alpha.read(?F) <- alpha.manager(?E:alpha.owner(?F))
68# [keyid:alpha].role:read([urn:?F])<-
69#       #[keyid:alpha].role:manager([principal:?E[keyid:alpha].role:owner([urn:?F])])
70#
71# alpha.read(?F) <- alpha.manager(?E)
72# and alpha.owner(?F) <- ?E
73#
74# [keyid:alpha].role:read([urn:?F])<-[keyid:?M]
75#     [keyid:alpha].role:manager([principal:?E])<-[keyid:?M]
76#     [keyid:alpha].role:owner([urn:?F])<-[keyid:?E]
77#
78# isMember(M,role(alpha,read,F)) :-
79#       isMember(M, role(alpha,manager,E)),
80#       isMember(E, role(alpha,owner,F))  <-- constraining rule
81#
82# alpha.read(?F) <- alpha.manager(?E)
83# alpha.owner(?F) <- ?E
84#
85# condition like this,
86#          ?E:A.r  needs to be translate into constraining rule,  A.r<-?E
87#
88# query,
89# alpha.read(fileA) <-?- Bob
90# needs
91# alpha.manager(Joe)<-Bob
92# alpha.owner(fileA)<-Joe
93
Note: See TracBrowser for help on using the repository browser.