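#!/bin/sh
#####################################################################
# This example demonstrates using an oset (object set) to control access
# to files based on the attributes of the principals. The script creates
# three principals Alpha, Bob and Joe and sets out the access policy.
#
# Files are named by URNs and are not principals.
#
# A principal's access rights are controlled by the Alpha principal. If a
# principal has the role role::access(string:'read', urn:filename) that
# principal can read filename.
# The policy names 2 teams, proj1 and proj2. A principal is on proj1 if it
# has the role team(string:'proj1') defined by Alpha (written
# [keyid:Alpha].role:team(string:'proj1')). Each project has an associated set
# of files, defined by object sets. A file is in proj1's documents if it is in
# the oset of documents('proj1') defined by Alpha, written
# [keyid:Alpha].oset:documents(string:'proj1'))
#
# The example below lays out the policy that members of a given project can
# read the documents of that project in Credential 1 and adds file://fileA to
# the document set for proj1 in Credential 2 - note that no principal is
# required for fileA. Credentials 3 & 4 add Bob to proj1 and Joe to proj2.
#
# The attached ./rr file runs 3 queries. First it confirms that Bob can read
# fileA, then it confirms that Joe cannot. Finally it confirms that Joe is in
# proj2.
#
# Usage: run this script from a scratch directory dedicated to the example.
# It deletes every *.der and *.pem file in the current directory before it
# starts, and it needs the ABAC 'creddy' tool on PATH.
#####################################################################

# Portable strict mode for /bin/sh (no bashisms): stop at the first failing
# command and at any unset variable. Without this, a failed key generation
# would be followed by silently issuing credentials against a missing or
# stale certificate, and ./rr would then test the wrong policy.
set -eu

command -v creddy >/dev/null 2>&1 || {
  printf '%s\n' "error: 'creddy' not found on PATH" >&2
  exit 1
}

# Start from a clean slate. Only plain files are removed (no -r), and '--'
# stops option parsing should a filename ever begin with '-'. This discards
# private keys, which is why the script must run in its own directory.
rm -f -- *.der *.pem

# Query this example is built to answer (run by ./rr):
#   alpha.access(read,fileA)<-?-bob good
#   [keyid:Alpha].role:access([string:'read'],[urn:'file//fileA']) <-?- [keyid:Bob] (yes)

# Generate an identity certificate and private key for each principal; the
# Alpha_ID.pem / Alpha_private.pem, Bob_ID.pem and Joe_ID.pem files used
# below are produced by these calls.
creddy --generate --cn Alpha
creddy --generate --cn Bob
creddy --generate --cn Joe

# Resolve each principal's key identifier. Only Alpha's is interpolated into
# a role string below; Bob's and Joe's are resolved to confirm that their
# certificates were written and so a reader can cross-check them against ./rr.
# Declaration and command substitution are separate statements so that a
# failing 'creddy' is not masked.
alpha_keyid=$(creddy --keyid --cert Alpha_ID.pem)
bob_keyid=$(creddy --keyid --cert Bob_ID.pem)
joe_keyid=$(creddy --keyid --cert Joe_ID.pem)
: "${alpha_keyid:?empty keyid for Alpha}"
: "${bob_keyid:?empty keyid for Bob}"
: "${joe_keyid:?empty keyid for Joe}"

# Policy in ABAC notation (also spelled out in the trailer of this file):
#   [keyid:Alpha].role:access([string:'read'],
#       [urn:?F[keyid:Alpha].oset:documents([string:?P])])
#     <- [keyid:Alpha].role:team([string:?P])
# Alpha's concrete keyid has to appear inside the oset reference, so the
# role string can only be built after Alpha_ID.pem exists.
access_qFqP="access([string:'read'],[urn:?F[keyid:$alpha_keyid].oset:documents([string:?P])])"
team_qP="team([string:?P])"

# Credential 1: members of team ?P may read every document ?F in
# Alpha's documents(?P) oset.
#   [keyid:alpha].role:access([string:'read'],
#       [urn:?F[keyid:alpha].oset:documents([string:?P])])
#     <- [keyid:alpha].role:team([string:?P])
creddy --attribute \
  --issuer Alpha_ID.pem --key Alpha_private.pem --role "$access_qFqP" \
  --subject-cert Alpha_ID.pem --subject-role "$team_qP" \
  --out Alpha_access_qFqP__alpha_team_qP_attr.der

# Credential 2: put fileA into proj1's document set. The subject is a bare
# URN object, not a principal, so no certificate is needed for it. Note the
# URN is spelled 'file//fileA' (no colon) here and in ./rr; the header's
# "file://fileA" is prose, and the two spellings must match for the queries.
#   [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
creddy --attribute \
  --issuer Alpha_ID.pem --key Alpha_private.pem \
  --oset "documents([string:'proj1'])" \
  --subject-obj "[urn:'file//fileA']" \
  --out Alpha_documents_proj1__fileA_attr.der

# Credential 3: Bob is on proj1.
#   [keyid:alpha].role:team([string:'proj1'])<-[keyid:Bob]
creddy --attribute \
  --issuer Alpha_ID.pem --key Alpha_private.pem \
  --role "team([string:'proj1'])" \
  --subject-cert Bob_ID.pem \
  --out Alpha_team_proj1__Bob_attr.der

# Credential 4: Joe is on proj2 (and therefore must not be able to read fileA).
#   [keyid:alpha].role:team([string:'proj2'])<-[keyid:Joe]
creddy --attribute \
  --issuer Alpha_ID.pem --key Alpha_private.pem \
  --role "team([string:'proj2'])" \
  --subject-cert Joe_ID.pem \
  --out Alpha_team_proj2__Joe_attr.der

#####################################################################
# alpha.access(read,?F:alpha.documents(?proj)) <- alpha.team(?proj)
# [keyid:alpha].role:access([string:'read'],
#   [urn:?F[keyid:alpha].oset:documents([string:?P])])
#   <- [keyid:alpha].role:team([string:?P])
#
# [keyid:alpha].role:access([string:'read'], [urn:?F])<- [principal:?B]
# [keyid:alpha].oset:documents([string:?P]) <- [urn:?F]
# [keyid:alpha].role:team([string:?P]) <- [principal:?B]
#
#
# alpha.documents(proj1)<-fileA
# [keyid:alpha].oset:documents([string:'proj1'])<-[urn:'file//fileA']
# isMember('file//fileA', oset(alpha,documents,'proj1'))
#
# alpha.team(proj1)<-bob
# [keyid:alpha].role:team([string:'proj1'])<-[keyid:bob]
# isMember(bob,role(alpha,team,'proj1'))
#
# query,
# alpha.access(read,fileA)<-?-bob good
# [keyid:alpha].role:access([string:'read'],[urn:'file//fileA']) <- [keyid:bob]
# isMember(bob, role(alpha, access, 'read', 'file//fileA')).
#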