| [7211a95] | 1 | ##################################################################### |
|---|
| 2 | # This example demonstrates using an oset (object set) to control access |
|---|
| 3 | # to files based on the attributes of the principals. The script creates |
|---|
| 4 | # three principals League, John and Mark and sets out the access policy. |
|---|
| 5 | # |
|---|
| 6 | # files are named by URNs and are not principals. |
|---|
| 7 | # |
|---|
| 8 | # A principal's access rights are controlled by the League principal. If a |
|---|
| 9 | # principal has the role role::stadium(string:'access',boolean:true,time:now) |
|---|
| 10 | # that principal can go into stadium if principal's team has a scheduled |
|---|
| 11 | # gametime. A principal is in team's roster if it is in |
|---|
| 12 | # the oset of players(team) defined by League, written |
|---|
| 13 | # [keyid:League].oset:players(string:'north')) |
|---|
| 14 | # |
|---|
| [f824a9e] | 15 | # The file, attr.py, lays out the policy that players of a given team can |
|---|
| [7211a95] | 16 | # go to the stadium when it is their team's gametime -- credential 1. |
|---|
| 17 | # or any player of a team that is controlled by the League principal can |
|---|
| 18 | # go to the stadium during stadium's free for all time -- credential 2. |
|---|
| 19 | # |
|---|
| 20 | # Credentials 3 & 4 establish the afernoon gametimes for team(north) |
|---|
| 21 | # and for team(south) |
|---|
| 22 | # Credentials 5 & 6 establish John as player of team(north) and Mark as |
|---|
| 23 | # a player for team(south) |
|---|
| 24 | # |
|---|
| [f824a9e] | 25 | # The query.py file runs 3 queries. First it confirms that John can |
|---|
| [7211a95] | 26 | # go to stadium at his team's gametime, then it confirms that Mark cannot |
|---|
| 27 | # go because it is not his gametime, but Mark can go to the stadium during |
|---|
| 28 | # stadium's free-for-all early morning time |
|---|
| 29 | |
|---|
| [f824a9e] | 30 | # balltime_rt2 |
|---|
| [7211a95] | 31 | |
|---|
| [f824a9e] | 32 | # Credential 1 |
|---|
| [7211a95] | 33 | #[keyid:league].role:stadium([string:'access'],[boolean:true], |
|---|
| 34 | # [time:?F:[keyid:league].oset.gametime([string:?T])]) |
|---|
| 35 | # <-[keyid:league].role:players([string:?T]) |
|---|
| 36 | |
|---|
| [f824a9e] | 37 | # Credential 2 |
|---|
| [7211a95] | 38 | #[keyid:league].role:stadium([string:'access'],[boolean:?B:[true], |
|---|
| 39 | # [time:?F:[20120228T080000..20120228T090000]]) |
|---|
| 40 | # <- [keyid:league].role:players(string:?T) |
|---|
| 41 | |
|---|
| [f824a9e] | 42 | # Credential 3 |
|---|
| [7211a95] | 43 | # [keyid:league].oset:gametime([time:20120228T130000]) |
|---|
| 44 | # <- [keyid:league].oset:players([string:'north') |
|---|
| 45 | |
|---|
| [f824a9e] | 46 | # Credential 4 |
|---|
| [7211a95] | 47 | # [keyid:league].oset:gametime([time:20120228T140000]) |
|---|
| 48 | # <- [keyid:league].oset:players([string:'south') |
|---|
| 49 | |
|---|
| [f824a9e] | 50 | # Credential 5 |
|---|
| [7211a95] | 51 | # [keyid:league].role:players([string:'north'])<-[keyid:John] |
|---|
| 52 | |
|---|
| [f824a9e] | 53 | # Credential 6 |
|---|
| [7211a95] | 54 | # [keyid:league].role:players([string:'south'])<-[keyid:Mark] |
|---|
| 55 | |
|---|
