source: examples/python_tests/access_rt2/README @ 669b481

mei_rt2mei_rt2_fix_1
Last change on this file since 669b481 was 669b481, checked in by Mei <mei@…>, 12 years ago

1) finish test conversion from creddy-prover to python
2) update the abac.hh/API doc more, adding more intermediate calls

to make abac.hh more uniform

3) found out why a very long attribute rule can not survive in/out of

ietf_attribute_t call (m64 en/decoding - abac_verifier, alice_rt1)
  • Property mode set to 100755
File size: 2.0 KB
Line 
1#####################################################################
2# access_rt2
3# This example demonstrates using an oset (object set) to control access
4# to files based on the attributes of the principals.  The script creates
5# three principals Alpha, Bob and Joe and sets out the access policy.
6#
7# files are named by URNs and are not principals.
8#
9# A principal's access rights are controlled by the Alpha principal.  If a
10# principal has the role role::aceess(string:'Read', urn:filename) that
11# principal can Read filename. 
12# The policy names 2 teams, proj1 and proj1.  A principal is on proj1 if it
13# has the role team(string:'proj1') defined by Alpha (written
14# [keyid:Alpha}.role:team(string:'proj1')).  Each project has an associated set
15# of files, defined by object sets.  A file is in proj1's documents if it is in
16# the oset of documents('proj1') defined by Alpha, written
17# [keyid:Alpha].oset:documents(string:'proj1'))
18#
19# The example below lays out the policy that members of a given project can
20# Read the documents of that project in Credential 1 and adds file://fileA to
21# the document set for proj1 in Credential 2 - note that no principal is
22# required for fileA.  Credentials 3 & 4 add Bob to proj1 and Joe to proj2.
23#
24# The attached query.py file runs 3 queries.  First it confirms that Bob can Read
25# fileA, then it confirms that Joe cannot.  Finally it confirms that Joe is in
26# proj2.
27# Credential 1
28#[keyid:alpha].role:access([string:'Read'],
29#                    [urn:?F[keyid:alpha].oset:documents([string:?P])])
30#                                     <- [keyid:alpha].role:team([string:?P])
31# Credential 2
32#[keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
33# Credential 3
34# [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
35# Credential 4
36# [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
37creddy --attribute \
38        --issuer Alpha_ID.pem --key Alpha_private.pem \
39        --role "team([string:'proj2'])" \
40        --subject-cert Joe_ID.pem \
41        --out Alpha_team_proj2__Joe_attr.der
Note: See TracBrowser for help on using the repository browser.