#####################################################################
# This example shows the use of multiple contexts in one session.
# This is based on access_rt2. It demonstrates using an oset (object set)
# to control access to files based on the attributes of the principals.
# The script creates three principals, Alpha, Bob and Joe, and sets out
# the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal. If a
# principal has the role role:access(string:'Read', urn:filename), that
# principal can Read filename.
# The policy names 2 teams, proj1 and proj2. A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')). Each project has an associated set
# of files, defined by object sets. A file is in proj1's documents if it is in
# the oset documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1').
#
# The example below lays out the policy that members of a given project can
# Read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA. It adds file://fileB to proj2 in Credential 3 and
# file://fileC to proj2 in Credential 4 and to proj1 in Credential 5 (shared
# by both projects).
# Credentials 6 & 7 add Bob to proj1 and Joe to proj2.
#
# The attached query.py file runs queries in multiple contexts.
# 3 kinds of contexts are made. context#A includes Credentials 1-7.
# context#B is a partial duplicate of context#A with Credentials 1 and 3-7 (no 2).
# context#C includes Credentials 1-3 and 5-7 (no 4). Various queries are made
# against each context.
# First it confirms that Bob can Read fileA from context#A and context#C but not
# context#B, then it confirms that Joe cannot read fileA from any of the contexts.
# Finally it confirms that Joe can read fileC from context#A and context#B but not
# context#C.

# access_ctxt_rt2

# Credential 1
#[keyid:alpha].role:access([string:'Read'],
#   [urn:?F[keyid:alpha].oset:documents([string:?P])])
#   <- [keyid:alpha].role:team([string:?P])

# Credential 2
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
# Credential 3
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file//fileB']
# Credential 4
#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileC']
# Credential 5
#[keyid:alpha].oset:documents([string:'proj2'])<-[urn:'file//fileC']

# Credential 6
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
# Credential 7
# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
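The following is an added, stand-alone example that is not part of this file, not libabac or creddy code, and not the project's query.py. It re-implements just enough of the RT2 semantics described above (simple member credentials plus the one parameterized intersection rule in Credential 1) to show why the same query answers differently in context#A, context#B and context#C. The names `CREDENTIALS`, `CONTEXTS`, `members`, `can_read` and `run_queries` are this example's own. Credentials 4 and 5 follow the prose description (fileC enters proj2 in Credential 4 and proj1 in Credential 5), and file names use the `file://` spelling from the prose; the credential values are constructed to mirror the comment block.

```python
# Added example: a tiny evaluator for the policy in the comment block.
# Not libabac/creddy code and not query.py; all names here are assumed.

# Credentials 2-7, all issued by alpha, as (kind, name, parameter, member).
# Credentials 4 and 5 follow the prose: fileC is in proj2 via Credential 4
# and in proj1 via Credential 5. Values are constructed for this example.
CREDENTIALS = {
    2: ("oset", "documents", "proj1", "urn:file://fileA"),
    3: ("oset", "documents", "proj2", "urn:file://fileB"),
    4: ("oset", "documents", "proj2", "urn:file://fileC"),
    5: ("oset", "documents", "proj1", "urn:file://fileC"),
    6: ("role", "team", "proj1", "keyid:Bob"),
    7: ("role", "team", "proj2", "keyid:Joe"),
}

# Credential 1 is the single rule; it is present in every context and is
# implemented by can_read() below rather than stored as data.
ALL = frozenset(CREDENTIALS)
CONTEXTS = {
    "A": ALL,          # Credentials 1-7
    "B": ALL - {2},    # no Credential 2: fileA never enters proj1's documents
    "C": ALL - {4},    # no Credential 4: fileC never enters proj2's documents
}


def members(context, kind, name):
    """Collect {parameter: {members}} for a parameterized role or oset,
    using only the credentials present in `context`."""
    out = {}
    for cid in sorted(context):
        k, n, param, member = CREDENTIALS[cid]
        if k == kind and n == name:
            out.setdefault(param, set()).add(member)
    return out


def can_read(context, principal, filename):
    """Evaluate Credential 1 over one context.

    access('Read', ?F) <- team(?P), with ?F in documents(?P): the principal
    may Read `filename` if some project P both lists the principal on
    team(P) and lists the file in documents(P). Returns the sorted list of
    projects that prove access; an empty list means the query fails.
    """
    teams = members(context, "role", "team")
    docs = members(context, "oset", "documents")
    return sorted(p for p, who in teams.items()
                  if principal in who and filename in docs.get(p, set()))


def run_queries():
    """The three query groups from the comment, run in every context.
    Returns {(context, principal, file): proving projects}."""
    queries = [
        ("keyid:Bob", "urn:file://fileA"),
        ("keyid:Joe", "urn:file://fileA"),
        ("keyid:Joe", "urn:file://fileC"),
    ]
    return {(name, who, f): can_read(ctx, who, f)
            for name, ctx in CONTEXTS.items() for who, f in queries}


if __name__ == "__main__":
    for (name, who, f), proof in sorted(run_queries().items()):
        verdict = "allowed via " + ",".join(proof) if proof else "denied"
        print(f"context#{name}: {who} Read {f}: {verdict}")
```

Returning the proving projects rather than a bare boolean makes the dependence on context visible: dropping Credential 2 removes proj1 as a proof for Bob reading fileA, and dropping Credential 4 removes proj2 as the only proof for Joe reading fileC, while Bob can still read fileC in context#C through proj1.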