1 | ##################################################################### |
---|
2 | # access_rt2 |
---|
3 | # This example demonstrates using an oset (object set) to control access |
---|
4 | # to files based on the attributes of the principals. The script creates |
---|
5 | # three principals Alpha, Bob and Joe and sets out the access policy. |
---|
6 | # |
---|
7 | # files are named by URNs and are not principals. |
---|
8 | # |
---|
9 | # A principal's access rights are controlled by the Alpha principal. If a |
---|
10 | # principal has the role role::aceess(string:'Read', urn:filename) that |
---|
11 | # principal can Read filename. |
---|
12 | # The policy names 2 teams, proj1 and proj1. A principal is on proj1 if it |
---|
13 | # has the role team(string:'proj1') defined by Alpha (written |
---|
14 | # [keyid:Alpha}.role:team(string:'proj1')). Each project has an associated set |
---|
15 | # of files, defined by object sets. A file is in proj1's documents if it is in |
---|
16 | # the oset of documents('proj1') defined by Alpha, written |
---|
17 | # [keyid:Alpha].oset:documents(string:'proj1')) |
---|
18 | # |
---|
19 | # The example below lays out the policy that members of a given project can |
---|
20 | # Read the documents of that project in Credential 1 and adds file://fileA to |
---|
21 | # the document set for proj1 in Credential 2 - note that no principal is |
---|
22 | # required for fileA. Credentials 3 & 4 add Bob to proj1 and Joe to proj2. |
---|
23 | # |
---|
24 | # The attached query.py file runs 3 queries. First it confirms that Bob can Read |
---|
25 | # fileA, then it confirms that Joe cannot. Finally it confirms that Joe is in |
---|
26 | # proj2. |
---|
27 | # Credential 1 |
---|
28 | #[keyid:alpha].role:access([string:'Read'], |
---|
29 | # [urn:?F[keyid:alpha].oset:documents([string:?P])]) |
---|
30 | # <- [keyid:alpha].role:team([string:?P]) |
---|
31 | # Credential 2 |
---|
32 | #[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA'] |
---|
33 | # Credential 3 |
---|
34 | # [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob] |
---|
35 | # Credential 4 |
---|
36 | # [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe] |
---|
37 | creddy --attribute \ |
---|
38 | --issuer Alpha_ID.pem --key Alpha_private.pem \ |
---|
39 | --role "team([string:'proj2'])" \ |
---|
40 | --subject-cert Joe_ID.pem \ |
---|
41 | --out Alpha_team_proj2__Joe_attr.der |
---|