Changes between Version 1 and Version 2 of NewStuff


Ignore:
Timestamp:
Jun 17, 2013 5:47:51 PM (6 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • NewStuff

    v1 v2  
    33= New Features In The Coming Release =
    44
    5 This pagdescribes features being developed for libabac and currently availabel on the {{{tvf-new-xml}}} branch of the git repository.  There are three new features:
    6 
     5This page describes features being developed for libabac and currently available on the {{{tvf-new-xml}}} branch of the git repository.  There are three new features:
     6
     7 * Simplified input of self-contained credentials
    78 * Support for multiple credential formats
    89 * Support for Version 1.1 [http://http://groups.geni.net/geni/wiki/TIEDCredentials GENI credentials]
    910 * Support for human readable strings in credential printing
    1011
    11 == New Credentials ==
     12== Self-contained Credentials ==
     13
     14[http://http://groups.geni.net/geni/wiki/TIEDCredentials GENI credentials] are self-contained in that they include the issuer's identity certificate.  Earlier versions of libabac required applications to load an identity via {{{load_id_chunk}}} or {{{load_id_file}}}.  This version relazes this restriction.  A GENI credential can be read without calling any of the ID loading routines.
     15
     16Both of these load a GENI credential from {{{./GENIcred.xml}}} that was issued by the identity in {{{./issuer.pem}}}.
     17
     18Old code:
     19
     20{{{
     21import ABAC
     22
     23ctx = ABAC.Context()
     24ctx.load_id_file('./issuer.pem')
     25ctx.load_attribute_file('./GENIcred.xml')
     26}}}
     27
     28New code:
     29
     30{{{
     31import ABAC
     32
     33ctx = ABAC.Context()
     34ctx.load_attribute_file('./GENIcred.xml')
     35}}}
     36
     37Identities loaded incidentally are includes in the results of the Context's {{{identities}}} method.
     38
     39== New Credential Formats and Multiple Credential Formats ==
    1240
    1341This release supports multiple credential formats, specifically version 1 and version 1.1 [http://http://groups.geni.net/geni/wiki/TIEDCredentials GENI credentials] as well as reading GENI privilege credentials.  Credentials read from files or chunks are transparenlty output as read, for example if they appear in a proof or if they are extracted from a context.  Credentials that are created by an application are output in GENI v1.1 format by default, but can be created in GENI v1.0 using the set_output format of the Attribute object.  Valid parameters to {{{set_output_format}}} are:
     
    122150}}}
    123151
     152== Printing Credentials Using Mnemonic Names Instead of Keyids ==
     153
     154Internally libabac uses the SHA1 hash of a principal's public key to identify them, but when printing credentials and debugging policy it can be confusing to keep track of the hashes.  The latest release keeps track of mnemonic names for principals within the scope of a Context.  The names can be specified in the common name of an X.509 identity certificate, the {{{mnemonic}}} element of a [http://http://groups.geni.net/geni/wiki/TIEDCredentials version 1.1 GENI abac credential], or specified on a per-Context basis using the Context's {{{set_nickname}} method.
     155
     156When printing a role from a credential, the {{{short_string(}}}''context''{{{)}}} method will scan the role for keyids that have mnemonics in that context and return a translated string.  For exmaple:
     157
     158{{{
     159import ABAC
     160
     161ctx = ABAC.Context()
     162
     163ctx.load_attribute_file('./GENIcred.xml')
     164
     165for c in ctx.credentials():
     166    print "Raw: %s -> %s" % (c.head().string(), c.tail().string())
     167    print "Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx))
     168}}}
     169
     170Produces output similar to:
     171
     172{{{
     173Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
     174Short: Acme.experiment_create -> Acme.partner.experiment_create
     175}}}
     176
     177The nicknames are initialized by the common name in the X.509 certificate, and will be overwritten by the most {{{mnemonic}}} field of the most recent credential imported. The following resets the nicknames of all the identities:
     178
     179{{{
     180import ABAC
     181
     182ctx = ABAC.Context()
     183
     184ctx.load_attribute_file('./GENIcred.xml')
     185
     186for c in ctx.credentials():
     187    print "Raw: %s -> %s" % (c.head().string(), c.tail().string())
     188    print "Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx))
     189
     190# Collect the identity keyids into ids
     191ids = []
     192for c in ctx.credentials():
     193    i = ABAC.ID_chunk(c.issuer_cert())
     194    if i.keyid() not in ids:
     195        ids.append(i.keyid())
     196
     197# Change all the nicknames
     198for n, i in enumerate(ids):
     199    ctx.set_nickname(i, "identity%d" % n)
     200
     201# Print the credentials with the new nicknames
     202print ""
     203print "After modifications"
     204print ""
     205for c in ctx.credentials():
     206    print "Raw: %s -> %s" % (c.head().string(), c.tail().string())
     207    print "Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx))
     208
     209}}}
     210
     211It produces output like:
     212
     213{{{
     214Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
     215Short: Acme.experiment_create -> Acme.partner.experiment_create
     216
     217After modifications
     218
     219Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
     220Short: identity0.experiment_create -> identity0.partner.experiment_create
     221}}}
     222
     223The names in a context can be exported new credentials by calling bake with the context containing the nickname:
     224
     225{{{
     226import sys
     227import ABAC
     228
     229ctx = ABAC.Context()
     230ctx.load_id_file('./issuer.pem')
     231
     232i = ABAC.ID('./issuer.pem')
     233ctx.set_nickname(i.keyid(), 'Ted Faber')
     234
     235a = ABAC.Attribute(i, 'ABAC_Guy', 20 * 365 * 24 * 3600)
     236a.principal(i.keyid())
     237a.bake(ctx)
     238
     239a.write(sys.stdout)
     240}}}
     241
     242Produces (note the {{{mnemonic}}} elements):
     243
     244{{{
     245<?xml version="1.0" encoding="UTF-8"?>
     246<signed-credential>
     247    <credential xml:id="ref0">
     248        <type>abac</type>
     249        <serial/>
     250        <owner_gid/>
     251        <target_gid/>
     252        <uuid/>
     253        <expires>2033-06-13T00:44:54Z</expires>
     254        <abac>
     255            <rt0>
     256                <version>1.1</version>
     257                <head>
     258   <ABACprincipal><keyid>cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd</keyid><mnemonic>Ted Faber</mnemonic></ABACprincipal>
     259   <role>ABAC_Guy</role>
     260</head>
     261<tail>
     262   <ABACprincipal><keyid>cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd</keyid><mnemonic>Ted Faber</mnemonic></ABACprincipal>
     263</tail>
     264
     265            </rt0>
     266        </abac>
     267    </credential>
     268    <signatures>
     269    <!-- elided -->
     270    </signatures>
     271</signed-credential>
     272
     273}}}