Changes between Version 10 and Version 11 of CrudgeDocs
- Timestamp: Apr 11, 2011 11:14:21 AM (14 years ago)
CrudgeDocs
v10 v11 35 35 [[Image(crudge_first_annotated_test.png)]] 36 36 37 === Viewing a Graph === 37 38 38 === Running A Query === 39 40 To demonstrate running a query, load an example set of credentials from http://abac.deterlab.net/examples/rockets_intersection.zip . Select "Open a URL" from the File menu and type http://abac.deterlab.net/examples/rockets_intersection.zip into the dialog box and hit return. (You can also get the dialog box by typing Ctrl-U). 39 A credential graph represents a view of a set of ABAC credentials, for example the credentials that make up a proof or a policy. There are several ways to load a proof (described in more detail below), but to see the basics load an example set of credentials from http://abac.deterlab.net/examples/rockets_intersection.zip . Select "Open a URL" from the File menu and type http://abac.deterlab.net/examples/rockets_intersection.zip into the dialog box and hit return. (You can also get the dialog box by typing Ctrl-U). 41 40 42 41 A set of credentials will appear layed out roughly as a tree. You will probably need to move the boxes around a bit to see the structure. You can move a vertex by putting the pointer on it, holding down the left mouse button and dragging the box. You can pan around the space by putting the pointer on the background, holding the left button and dragging the whole frame. With a little moving you should see something like the image below. … … 44 43 [[Image(batman.png)]] 45 44 46 If you enter Acme.buy_rockets in the leftmost query box and Coyote in the other and hit enter, you will see the following. 45 This set of credentials represents the policy of a company called Acme that is in the business of selling armaments to fictional characters. There are four roles displayed and two principals. The principals are the two blue circles labelled "Coyote" and "Batman". The green rectangles are simple roles assigned by two principals not depicted ("Acme" and "WarnerBros"). 
A simple role is controlled by the principal to the left of the dot in the rectangle. Acme controls Acme.preferred_customer. WarnerBros controls WarnerBros.character. 46 47 The red rectangle represents an intersection role, which is the logical conjunction of the two roles separated by the ampersand, in this case Acme.preferred_customer and WarnerBros.character. A principal has an intersection role if it also has all of the individual roles. When the prerequisites for an intersection role are met by a principal, crudge connects the principal to the intersection role with a dotted line. In this example, Coyote has edges to both Acme.preferred_customer and WarnerBros.character, so it has a connection to the red role. 48 49 The solid lines represent credentials, the dotted lines represent deductions. This graph captures the idea that Acme will allow characters that are both its preferred customers and WarnerBros characters to buy rockets. 50 51 There is another kind of role, a linking role, that is described in more detail in the [http://groups.geni.net/geni/wiki/TIEDABACModel ABAC description referenced above.] 52 53 === Running A Query === 54 55 The paths through this simple graph are easily traced by eye, but the query interface can be used to find the relevant paths through more tangled graphs. We demonstrate the query interface on the graph loaded above. 56 57 If a user enterd Acme.buy_rockets in the leftmost query box and Coyote in the other and hits enter, that requests a proof that Coyote has the Acme.buy_rockets role. After that request is made (by hitting return) the query pane displays the following: 47 58 48 59 [[Image(coyote_query.png)]] … … 50 61 The query pane shows the smiling face icon and the part of the graph containing the path from Coyote to Acme.buy_rockets. 
The credential graph encodes the idea that to buy rockets from Acme, a principal must be a preferred customer of Acme (the Acme.preferred_customer role) and be a !WarnerBros character (the !WarnerBros.character role). The Coyote meets both conditions, but Batman meets only one in this example. 51 62 52 To see that Batman cannot buy rockets enter Acme.buy_rockets in the leftmost query box and Coyote in the other and hit enter. You will seean empty query with the red "X".63 To see that Batman cannot buy rockets enter Acme.buy_rockets in the leftmost query box and Coyote in the other and hit enter. The pane will show an empty query with the red "X". 53 64 54 65 [[Image(batman_query.png)]] 55 66 56 While Batman cannot buy rockets, he is a preferred customer .67 While Batman cannot buy rockets, he is a preferred customer, demonstrated by this query: 57 68 58 69 [[Image(batman_query2.png)]] … … 74 85 === Editing Credential Graphs === 75 86 76 Editing credential graphs is fairly straightforward. When editing, crudge created any missing but implied roles and principals, and credentials can be assigned by drawing arcs between nodes. For example, clear the current credentials by choosing "New" from the "File" menu, and then left click on the empty graph. A menu with an "Add Vertex entry will appear. If you enter "test.a & test.b" and hit enter, 4 nodes willappear in the graph (after a short wait).87 Editing credential graphs is fairly straightforward. When editing, crudge created any missing but implied roles and principals, and credentials can be assigned by drawing arcs between nodes. For example, clear the current credentials by choosing "New" from the "File" menu, and then left click on the empty graph. A menu with an "Add Vertex entry will appear. Entering "test.a & test.b" and hit enter, will cause 4 nodes to appear in the graph (after a short wait). 
77 88 78 89 [[Image(edit1.png)]] 90 91 To get all the nodes in sight, they may need to be moved by dragging them with the left mouse button 79 92 80 93 A fair amount has happened. First because the vertex requested depended on two other roles, test.a and test.b, those roles were also created. In order to create those roles, a principal named test was needed to assign them, so crudge also created that principal. That principal has private and public keys known to crudge, and it can generate credentials issued by test.
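Review bot: In the first hunk, the new "Running A Query" paragraph (v11 line 57) reads "If a user enterd Acme.buy_rockets ... and hits enter", which has a typo and mixes tenses, and the next sentence says the request is made "by hitting return", so the same keypress is named two ways in one step. Suggest "If a user enters Acme.buy_rockets in the leftmost query box and Coyote in the other and hits enter, that requests a proof that Coyote has the Acme.buy_rockets role" and dropping the parenthetical. In the added intersection-role text (v11 line 47), "if it also has all of the individual roles" reads more clearly without "also", and the unchanged context line 41 still has "layed out" for "laid out".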
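Review bot: In the second hunk, the reworded sentence at v11 line 63 still tells the reader to enter "Coyote in the other" query box while claiming to show that Batman cannot buy rockets. The context line just above states that Coyote meets both conditions and Batman only one, so entering Coyote repeats the successful query rather than producing the empty result with the red "X". Since this line is being touched anyway, change "Coyote" to "Batman" so the step matches batman_query.png.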
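Review bot: In the third hunk, the rewritten sentence at v11 line 87, "Entering "test.a & test.b" and hit enter, will cause 4 nodes to appear", is ungrammatical; something like "Entering "test.a & test.b" and hitting enter will cause 4 nodes to appear in the graph (after a short wait)" keeps the new impersonal phrasing. The same line carries over "crudge created" (the rest of the paragraph is present tense, so "creates") and the unbalanced quote in "Add Vertex entry", and the sentence added at v11 line 91 is missing its final period.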