source: examples/python_tests/access_ctxt_rt2/README @ da045c2

mei_rt2
Last change on this file since da045c2 was 2e9455f, checked in by Mei <mei@…>, 11 years ago

1) added namespace
2) tweak ?This,
3) allowing linking role/oset as constraining conditions
4) adding access_tests regression testing that uses GENI's access policy
5) added a couple of multi-context regression tests
6) add compression/uncompression calls to abac_encode_string/abac_decode_string
(libstrongswan only allows 512 chars for attribute rule storage)
7) add attribute_now option to creddy that takes a whole char string for the attribute rule

  • Property mode set to 100755
File size: 2.7 KB
#####################################################################
# This example shows the use of multiple contexts in one session.
# This is based on access_rt2. It demonstrates using an oset (object set)
# to control access to files based on the attributes of the principals.
# The script creates three principals Alpha, Bob and Joe and sets out
# the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal.  If a
# principal has the role role:access(string:'Read', urn:filename), that
# principal can Read filename.
# The policy names 2 teams, proj1 and proj2.  A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')).  Each project has an associated set
# of files, defined by object sets.  A file is in proj1's documents if it is in
# the oset of documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1').
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA.  It adds file://fileB to proj2 in Credential 3 and
# file://fileC to proj2 in Credential 4 and to proj1 in Credential 5 (shared
# by both projects).
# Credentials 6 & 7 add Bob to proj1 and Joe to proj2.
#
# The attached query.py file runs queries in multiple contexts.
# 3 kinds of contexts are made. context#A includes Credentials 1-7.
# context#B is a partial dup of context#A with Credentials 1, (no 2), 3-7.
# context#C includes Credentials 1-3, (no 4), 5-7.  Various queries are made against each context.
# First it confirms that Bob can Read fileA from context#A and context#C but not
# context#B, then it confirms that Joe cannot read fileA from any of the contexts.
# Finally it confirms that Joe can read fileC from context#A and context#B but not
# context#C.

# access_ctxt_rt2

# Credential 1
#[keyid:alpha].role:access([string:'Read'],
#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
#                                     <- [keyid:alpha].role:team([string:?P])

# Credential 2
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
# Credential 3
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file//fileB']
# Credential 4
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileC']
# Credential 5
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file//fileC']

# Credential 6
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
# Credential 7
# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]

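As an added illustration (not query.py or any code from the ABAC distribution), the following Python models the policy above with plain sets and evaluates the README's three checks against each of the three contexts. It encodes Credential 1 as the rule in can_read(), uses the file URNs exactly as written in the credential lines, and assigns fileC to proj2 in Credential 4 and to proj1 in Credential 5 as the prose describes, since that assignment is what the stated results require.

```python
# Added example (not query.py from ABAC): a set-based model of the README policy.
# Credential 1 is the rule encoded in can_read(); Credentials 2-7 are facts below,
# numbered as in the README.  Credentials 4 and 5 follow the prose description.
#   "team": [keyid:alpha].role:team([string:proj]) <- [keyid:member]
#   "doc":  [keyid:alpha].oset:documents([string:proj]) <- [urn:member]
CREDS = {
    2: ("doc", "proj1", "file//fileA"),
    3: ("doc", "proj2", "file//fileB"),
    4: ("doc", "proj2", "file//fileC"),
    5: ("doc", "proj1", "file//fileC"),
    6: ("team", "proj1", "Bob"),
    7: ("team", "proj2", "Joe"),
}

def build_context(cred_numbers):
    """A context is the set of credentials loaded into it; Credential 1 (the
    access rule) is loaded into every context, so only 2-7 are listed."""
    teams, docs = {}, {}
    for n in cred_numbers:
        kind, proj, member = CREDS[n]
        (teams if kind == "team" else docs).setdefault(proj, set()).add(member)
    return {"teams": teams, "docs": docs}

def can_read(ctx, principal, urn):
    """Credential 1: access('Read', ?F) holds for a principal if some project ?P
    has the principal on its team and ?F in its documents oset."""
    return any(principal in ctx["teams"].get(proj, set()) and urn in files
               for proj, files in ctx["docs"].items())

CONTEXTS = {
    "A": build_context([2, 3, 4, 5, 6, 7]),
    "B": build_context([3, 4, 5, 6, 7]),  # partial copy of A without Credential 2
    "C": build_context([2, 3, 5, 6, 7]),  # without Credential 4
}

def run_queries():
    """The README's three checks: {(principal, urn): {context: decision}}."""
    checks = [("Bob", "file//fileA"), ("Joe", "file//fileA"), ("Joe", "file//fileC")]
    return {(who, urn): {name: can_read(ctx, who, urn) for name, ctx in CONTEXTS.items()}
            for who, urn in checks}

if __name__ == "__main__":
    for (who, urn), result in run_queries().items():
        print(f"{who} Read {urn}: {result}")
```

Removing a single oset membership credential from a context (as context#B and context#C do) is what flips a decision, which is the point the README's three checks make about evaluating the same policy in different contexts.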