[5110d42] | 1 | ##################################################################### |
---|
[669b481] | 2 | # access_rt2 |
---|
| 3 | # This example demonstrates using an oset (object set) to control access |
---|
| 4 | # to files based on the attributes of the principals. The script creates |
---|
| 5 | # three principals Alpha, Bob and Joe and sets out the access policy. |
---|
| 6 | # |
---|
| 7 | # files are named by URNs and are not principals. |
---|
| 8 | # |
---|
| 9 | # A principal's access rights are controlled by the Alpha principal. If a |
---|
| 10 | # principal has the role role::aceess(string:'Read', urn:filename) that |
---|
| 11 | # principal can Read filename. |
---|
| 12 | # The policy names 2 teams, proj1 and proj1. A principal is on proj1 if it |
---|
| 13 | # has the role team(string:'proj1') defined by Alpha (written |
---|
| 14 | # [keyid:Alpha}.role:team(string:'proj1')). Each project has an associated set |
---|
| 15 | # of files, defined by object sets. A file is in proj1's documents if it is in |
---|
| 16 | # the oset of documents('proj1') defined by Alpha, written |
---|
| 17 | # [keyid:Alpha].oset:documents(string:'proj1')) |
---|
| 18 | # |
---|
| 19 | # The example below lays out the policy that members of a given project can |
---|
| 20 | # Read the documents of that project in Credential 1 and adds file://fileA to |
---|
| 21 | # the document set for proj1 in Credential 2 - note that no principal is |
---|
| 22 | # required for fileA. Credentials 3 & 4 add Bob to proj1 and Joe to proj2. |
---|
[5110d42] | 23 | # |
---|
[669b481] | 24 | # The attached query.py file runs 3 queries. First it confirms that Bob can Read |
---|
| 25 | # fileA, then it confirms that Joe cannot. Finally it confirms that Joe is in |
---|
| 26 | # proj2. |
---|
| 27 | # Credential 1 |
---|
| 28 | #[keyid:alpha].role:access([string:'Read'], |
---|
| 29 | # [urn:?F[keyid:alpha].oset:documents([string:?P])]) |
---|
| 30 | # <- [keyid:alpha].role:team([string:?P]) |
---|
| 31 | # Credential 2 |
---|
| 32 | #[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA'] |
---|
| 33 | # Credential 3 |
---|
| 34 | # [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob] |
---|
| 35 | # Credential 4 |
---|
| 36 | # [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe] |
---|
| 37 | creddy --attribute \ |
---|
| 38 | --issuer Alpha_ID.pem --key Alpha_private.pem \ |
---|
| 39 | --role "team([string:'proj2'])" \ |
---|
| 40 | --subject-cert Joe_ID.pem \ |
---|
| 41 | --out Alpha_team_proj2__Joe_attr.der |
---|