[2e9455f]
#####################################################################
# This example shows the use of multiple contexts in one session.
# This is based on access_rt2. It demonstrates using an oset (object set)
# to control access to files based on the attributes of the principals.
# The script creates three principals Alpha, Bob and Joe and sets out
# the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal. If a
# principal has the role role:access(string:'Read', urn:filename) that
# principal can Read filename.
# The policy names 2 teams, proj1 and proj2. A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')). Each project has an associated set
# of files, defined by object sets. A file is in proj1's documents if it is in
# the oset documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1').
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA. It adds file://fileB to proj2 in Credential 3 and
# file://fileC to proj2 in Credential 4 and to proj1 in Credential 5 (shared
# by both projects).
# Credentials 6 & 7 add Bob to proj1 and Joe to proj2.
#
# The attached query.py file runs queries in multiple contexts.
# 3 kinds of contexts are made. context#A includes Credentials 1-7.
# context#B is a partial duplicate of context#A, holding Credentials 1, (no 2), 3-7.
# context#C includes Credentials 1-3, (no 4), 5-7. Various queries are made against each context.
# First it confirms that Bob can Read fileA from context#A and context#C but not
# context#B, then it confirms that Joe cannot read fileA from any of the contexts.
# Finally it confirms that Joe can read fileC from context#A and context#B but not
# context#C.

# access_ctxt_rt2

# Credential 1
#[keyid:alpha].role:access([string:'Read'],
#                          [urn:?F[keyid:alpha].oset:documents([string:?P])])
#    <- [keyid:alpha].role:team([string:?P])

# Credential 2
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file://fileA']
# Credential 3
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file://fileB']
# Credential 4
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file://fileC']
# Credential 5
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file://fileC']

# Credential 6
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
# Credential 7
# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
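The policy and the three contexts above can be checked without the ABAC library by modelling each credential as a fact and each context as the subset of facts a query is allowed to see. The following is an added example, not the project's query.py and not the ABAC module's API: the credential encoding, the `Context` class and its `derivations`/`can_read` methods are assumptions made for this illustration. It reproduces the seven credentials, builds context#A, context#B and context#C from them, and shows which credentials each successful derivation depends on, which is exactly what dropping Credential 2 or Credential 4 from a context removes.

```python
"""Added example: a pure-Python model of the access_ctxt_rt2 policy (not libabac)."""
from dataclasses import dataclass

ACCESS_RULE = 1  # Credential 1 is the only rule that derives role:access('Read', F)

# Credential kinds, modelled on the RT2 forms in the comment block:
#   ("access_rule", None, None): role:access('Read', ?F documents(?P)) <- role:team(?P)
#   ("documents", proj, urn):    oset:documents(proj) <- [urn:urn]
#   ("team", proj, principal):   role:team(proj) <- [keyid:principal]
CREDENTIALS = {
    1: ("access_rule", None, None),
    2: ("documents", "proj1", "file://fileA"),
    3: ("documents", "proj2", "file://fileB"),
    4: ("documents", "proj2", "file://fileC"),
    5: ("documents", "proj1", "file://fileC"),
    6: ("team", "proj1", "Bob"),
    7: ("team", "proj2", "Joe"),
}


@dataclass(frozen=True)
class Context:
    """A context is the subset of credentials visible to a query (assumed shape)."""
    cred_ids: frozenset

    @classmethod
    def of(cls, ids):
        ids = frozenset(ids)
        unknown = ids - set(CREDENTIALS)
        if unknown:
            raise ValueError(f"unknown credential ids: {sorted(unknown)}")
        return cls(ids)

    def facts(self, kind):
        """Yield (cred_id, arg1, arg2) for every credential of one kind in this context."""
        for cid in sorted(self.cred_ids):
            k, a, b = CREDENTIALS[cid]
            if k == kind:
                yield cid, a, b

    def derivations(self, principal, urn):
        """Every way to derive role:access('Read', urn) for principal, as
        (project, team credential id, documents credential id) triples.
        Without Credential 1 in the context nothing is derivable at all."""
        if ACCESS_RULE not in self.cred_ids:
            return []
        teams = {proj: cid for cid, proj, p in self.facts("team") if p == principal}
        return [(proj, teams[proj], cid)
                for cid, proj, u in self.facts("documents")
                if u == urn and proj in teams]

    def can_read(self, principal, urn):
        return bool(self.derivations(principal, urn))


# The three contexts described in the comment block.
CONTEXTS = {
    "context#A": Context.of(range(1, 8)),          # Credentials 1-7
    "context#B": Context.of([1, 3, 4, 5, 6, 7]),   # no Credential 2
    "context#C": Context.of([1, 2, 3, 5, 6, 7]),   # no Credential 4
}


def access_table(principal, urn):
    """Map each context name to whether principal can Read urn in it."""
    return {name: ctx.can_read(principal, urn) for name, ctx in CONTEXTS.items()}


if __name__ == "__main__":
    for who, what in (("Bob", "file://fileA"), ("Joe", "file://fileA"), ("Joe", "file://fileC")):
        for name, ctx in CONTEXTS.items():
            print(f"{who:3} Read {what} in {name}: {ctx.can_read(who, what)}"
                  f"  via {ctx.derivations(who, what)}")
```

Run stand-alone it prints one line per (principal, file, context) with the derivation chain, so the three outcomes in the comment block (Bob/fileA true in A and C only, Joe/fileA never, Joe/fileC true in A and B only) can be read off together with the credentials each one relies on.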