Version 6 (modified by faber, 13 years ago) (diff)


The Crudge RT0 Browser


Crudge is a browser for credentials implementing the RT0 logic used by ABAC. The credentials are visualized as a directed graph where principals and roles/attributes are nodes in the graph and credentials are edges. If a principal has an attribute (can act in a role), there is a path through the directed graph from principal to attribute (role).

Crudge uses the same visualizations for roles that our description of ABAC for TIED uses. That description is a good starting point for the visualizations and ABAC.

Crudge allows a user to visualize an ABAC proof or explore a policy. One can make queries against the policy and save all or parts of the policy. It can be used to create credentials and principals that interoperate with the rest of ABAC. It can be used as a simple management interface for small systems using ABAC.

Running Crudge

Crudge is available as a webstart download. If you have Java installed you should be able to run Crudge by opening the URL. The various jar files are self-signed by the ISI ABAC team; if you're unwilling to trust self-signed web start code you will have to download the jars separately and run them locally.

If you need Java, you can get it at Oracle's Java site. A source repository will be available shortly.

Crudge makes use of the jabac library as well as the bouncycastle cryptographic libraries and Jung graph framework. All the relevant jar files are downloaded transparently from the webstart link above.

Using Crudge

This section describes navigating Crudge. We describe the screens, how to manipulate credentials, and how to load and save credential sets. If everything seems intuitive to you, feel free to treat this reference as a tutorial.

Crudge Screens

When you first run Crudge, you will be presented with a split screen like the one below.

initial screen

The left side of the screen holds the worldviews. These are the views of credentials controlled by a given principal, and currently there is one worldview with all credentials visible. Because there are no credentials loaded, there are none displayed. The text entry box is used to restrict the view. When a principal name is entered, only those credentials controlled by that principal are shown. Multiple views can be shown simultaneously.

On the right are the results of the current query, which is used to test if a given principal has a given attribute/role. The role is entered in the left text box and the principal in the right. If the query is successful, the query success icon turns into a green smiling face; a failed query shows the red "X".

These details are summarized below.

Annotated entry

Running A Query

To demonstrate running a query, load an example set of credentials from . Select "Open a URL" from the File menu and type into the dialog box and hit return.

A set of credentials will appear laid out roughly as a tree. You will probably need to move the boxes around a bit to see the structure. You can move a vertex by putting the pointer on it, holding down the left mouse button and dragging the box. You can pan around the space by putting the pointer on the background, holding the left button and dragging the whole frame. With a little moving you should see something like the image below.

Load intersection

If you enter Acme.buy_rockets in the leftmost query box and Coyote in the other and hit enter, you will see the following.

The query pane shows the smiling face icon and the part of the graph containing the path from Coyote to Acme.buy_rockets. The credential graph encodes the idea that to buy rockets from Acme, a principal must be a preferred customer of Acme (the Acme.preferred_customer role) and be a WarnerBros character (the WarnerBros.character role). The Coyote meets both conditions, but Batman meets only one in this example.

To see that Batman cannot buy rockets, enter Acme.buy_rockets in the leftmost query box and Batman in the other and hit enter. You will see an empty query with the red "X".
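The two queries above can be reproduced outside the GUI with a small RT0 evaluator. This is an added example, not Crudge or jabac code; the credential set is constructed to match the description (which single condition Batman meets is an assumption), and the evaluator goes slightly beyond the example by also handling RT0 linked roles.

```python
# Added example: minimal RT0 evaluator (not Crudge/jabac code).
# A credential is (head_role, body). The body is a list of terms that are
# intersected; one term alone is a plain membership or inclusion.
# Term forms: principal "P", role "A.r", linked role "A.r1.r2".
# Assumption: principal and role names contain no dots.

def members(term, sets):
    """Principals currently known to satisfy one body term."""
    parts = term.split(".")
    if len(parts) == 1:                    # A.r <- P
        return {term}
    if len(parts) == 2:                    # A.r <- B.r1
        return set(sets.get(term, ()))
    out = set()                            # A.r <- A.r1.r2 (linked role)
    for x in sets.get(".".join(parts[:2]), ()):
        out |= sets.get(f"{x}.{parts[2]}", set())
    return out

def evaluate(credentials):
    """Least fixpoint: role name -> set of principals holding that role."""
    sets = {}
    changed = True
    while changed:
        changed = False
        for head, body in credentials:
            found = set.intersection(*(members(t, sets) for t in body))
            current = sets.setdefault(head, set())
            if not found <= current:
                current |= found
                changed = True
    return sets

def query(credentials, role, principal):
    """Same question as the Crudge query pane: does principal hold role?"""
    return principal in evaluate(credentials).get(role, set())

# Constructed credential set mirroring the Acme example in the text.
CREDS = [
    ("Acme.buy_rockets", ["Acme.preferred_customer", "WarnerBros.character"]),
    ("Acme.preferred_customer", ["Coyote"]),
    ("Acme.preferred_customer", ["Batman"]),   # assumed: Batman's one role
    ("WarnerBros.character", ["Coyote"]),
]

if __name__ == "__main__":
    for who in ("Coyote", "Batman"):
        ok = query(CREDS, "Acme.buy_rockets", who)
        print(who, "-> Acme.buy_rockets:", "granted" if ok else "denied")
```

The intersection credential is the only edge into Acme.buy_rockets, so a principal missing either operand role never reaches it, which is why the Batman query comes back empty.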
