Example directories

This directory contains various ABAC scenarios that exercise various features of the current implementation with the YAP Prolog db. The frontend query client is abac_yap_prover.

Each subdirectory has a README script which includes a description of the scenario and the calls that are needed to generate the credentials. There is an rr script which sets up and runs a couple of typical queries using abac_yap_prover.

runall is the top-level script that cleans up and sets up the credentials needed in each subdirectory.

runcheck is the top-level script that initiates the run_query script within each subdirectory, captures the result, and diffs it against the baseline output in allout.save.

abac_yap_prover

Usage: abac_prover_yap --keystore --role --principal --oset --object

    loads the keystore and runs the query role <-?- principal
                                the query oset <-?- object
    --dump extracts all credentials from the prolog db

keystore is the location where the prover will search for credentials. All accessible identity credentials and attribute credentials will be picked up one file at a time.

role, oset, principal, and object are specified with the principal's SHA value, extracted from the keystore location using creddy. An example can be found in the rr script. An actual example from balltime_rt2_typed is here:

    abac_prover_yap --keystore /home/mei/Deter/abac/examples/balltime_rt2_typed --role [keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium ([string:'access'],[boolean:true],[time:20120228T130000]) --principal [keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]

Currently, the dump option might fail if not enough information is stored in the backend db. It will be reimplemented in the near future.

Two useful environment variables:

    DUMP_DB   extracts the complete yap db to stdout
    ABAC_CN   uses the CN instead of the SHA value for identifying the principal keyid.
              This is useful for debugging purposes but will not resolve conflicts
              when a CN is not uniquely associated with each principal SHA value.

    env ABAC_CN=1 runall run

or

    env DUMP_DB=1 ABAC_CN=1 rr
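
The --role and --principal arguments in the balltime_rt2_typed example above can be checked before they reach the prover. The following is an added example, not part of the ABAC distribution: a small validator for that argument syntax. Its grammar (40-hex-digit keyid, the string/boolean/time parameter types, the time layout) is an assumption inferred only from the one example on this page, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Grammar assumed from the single balltime_rt2_typed example on this page.
_P = r"\[\w+:[^\]]*\]"                                    # one [type:value] parameter
KEYID = re.compile(r"\[keyid:([0-9a-f]{40})\]")           # SHA value, 40 hex digits
TERM = re.compile(r"\[keyid:([0-9a-f]{40})\]\.role:(\w+)\s*(?:\((.*)\))?")
PLIST = re.compile(r"\s*%s(\s*,\s*%s)*\s*" % (_P, _P))    # comma-separated parameters
PARAM = re.compile(r"\[(\w+):([^\]]*)\]")

def _typed(kind, raw):
    """Convert one [type:value] parameter, rejecting types not seen on the page."""
    if kind == "string":
        if len(raw) < 2 or raw[0] != "'" or raw[-1] != "'":
            raise ValueError("string parameter must be single-quoted: %r" % raw)
        return raw[1:-1]
    if kind == "boolean":
        if raw not in ("true", "false"):
            raise ValueError("boolean parameter must be true or false: %r" % raw)
        return raw == "true"
    if kind == "time":
        return datetime.strptime(raw, "%Y%m%dT%H%M%S")    # raises ValueError if malformed
    raise ValueError("unsupported parameter type: %r" % kind)

def parse_role(text):
    """Parse '[keyid:<sha>].role:<name> (<params>)' into its components."""
    m = TERM.fullmatch(text.strip())
    if not m:
        raise ValueError("not a [keyid:<40 hex>].role:<name> term")
    keyid, name, body = m.groups()
    params = []
    if body is not None and body.strip():
        if not PLIST.fullmatch(body):
            raise ValueError("malformed parameter list: %r" % body)
        params = [_typed(k, v) for k, v in PARAM.findall(body)]
    return {"keyid": keyid, "name": name, "params": params}

def parse_principal(text):
    """Parse a bare '[keyid:<sha>]' principal and return the SHA value."""
    m = KEYID.fullmatch(text.strip())
    if not m:
        raise ValueError("not a [keyid:<40 hex>] principal")
    return m.group(1)

if __name__ == "__main__":
    # Arguments copied from the example command on this page.
    print(parse_role("[keyid:212146063d65264e8f27c31f0da592e386fc59aa].role:stadium "
                     "([string:'access'],[boolean:true],[time:20120228T130000])"))
    print(parse_principal("[keyid:49bdcd1278fce71d7c5cb3ee9138c22f7379e8e0]"))
```

Because it requires the SHA form, the validator rejects CN-style identifiers such as those shown when ABAC_CN is set.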