== Printing Credentials Using Mnemonic Names Instead of Keyids ==

Internally libabac uses the SHA1 hash of a principal's public key to identify them, but when printing credentials and debugging policy it can be confusing to keep track of the hashes. The latest release keeps track of mnemonic names for principals within the scope of a Context. The names can be specified in the common name of an X.509 identity certificate, in the {{{mnemonic}}} element of a [http://groups.geni.net/geni/wiki/TIEDCredentials version 1.1 GENI abac credential], or on a per-Context basis using the Context's {{{set_nickname}}} method.

When printing a role from a credential, the {{{short_string(}}}''context''{{{)}}} method will scan the role for keyids that have mnemonics in that context and return a translated string. For example:

{{{
import ABAC

ctx = ABAC.Context()

# Importing the credential file also records the mnemonics it carries
ctx.load_attribute_file('./GENIcred.xml')

for c in ctx.credentials():
    print("Raw: %s -> %s" % (c.head().string(), c.tail().string()))
    print("Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx)))
}}}

Produces output similar to:

{{{
Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
Short: Acme.experiment_create -> Acme.partner.experiment_create
}}}

The nicknames are initialized from the common name in the X.509 certificate and are overwritten by the {{{mnemonic}}} field of the most recent credential imported. The following resets the nicknames of all the identities:
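
The keyid-to-mnemonic translation that {{{short_string}}} performs and the most-recent-credential-wins rule for nicknames described above, as an added example that is not part of libabac or of this page: it parses the {{{mnemonic}}} elements out of constructed version 1.1 credential fragments, applies the overwrite rule, and also reports mnemonics that two different keyids claim, since only the keyid identifies a principal and such principals would print identically. {{{make_cred}}}, {{{import_credentials}}} and {{{short_string}}} here are hypothetical helpers, not the ABAC module's API, and the keyids are hashes of placeholder bytes.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed keyids: libabac identifies a principal by the SHA1 of its public
# key; these hash placeholder bytes rather than real keys.
KEYID_A = hashlib.sha1(b"constructed public key A").hexdigest()
KEYID_B = hashlib.sha1(b"constructed public key B").hexdigest()

KEYID_RE = re.compile(r"\b[0-9a-f]{40}\b")


def make_cred(head_keyid, head_name, role, tail_keyid, tail_name):
    """Constructed stand-in for the <abac><rt0> part of a version 1.1 GENI
    abac credential; signatures and the GENI wrapper elements are elided."""
    return (
        '<credential><abac><rt0><version>1.1</version>'
        '<head><ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic>'
        '</ABACprincipal><role>%s</role></head>'
        '<tail><ABACprincipal><keyid>%s</keyid><mnemonic>%s</mnemonic>'
        '</ABACprincipal></tail></rt0></abac></credential>'
        % (head_keyid, head_name, role, tail_keyid, tail_name)
    )


def mnemonics_in(cred_xml):
    """Yield (keyid, mnemonic) for every ABACprincipal in one credential."""
    for p in ET.fromstring(cred_xml).iter("ABACprincipal"):
        keyid, name = p.findtext("keyid"), p.findtext("mnemonic")
        if keyid and name:
            yield keyid, name


def import_credentials(creds):
    """Build the keyid->nickname map as the text describes a Context doing it:
    the mnemonic in the most recently imported credential wins. Also report
    mnemonics claimed by more than one keyid, because short_string output for
    those principals would be indistinguishable."""
    nicknames = {}
    for cred in creds:
        for keyid, name in mnemonics_in(cred):
            nicknames[keyid] = name
    by_name = {}
    for keyid, name in nicknames.items():
        by_name.setdefault(name, set()).add(keyid)
    return nicknames, {n: sorted(k) for n, k in by_name.items() if len(k) > 1}


def short_string(raw, nicknames):
    """Translate the keyids in a raw role string such as '<keyid>.partner.role'."""
    return KEYID_RE.sub(lambda m: nicknames.get(m.group(0), m.group(0)), raw)
```

Keyids without a nickname are left as the raw hash, which is also what the page's output shows for a Context that has no mnemonic for a principal.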

{{{
import ABAC

ctx = ABAC.Context()

ctx.load_attribute_file('./GENIcred.xml')

for c in ctx.credentials():
    print("Raw: %s -> %s" % (c.head().string(), c.tail().string()))
    print("Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx)))

# Collect the identity keyids into ids
ids = []
for c in ctx.credentials():
    i = ABAC.ID_chunk(c.issuer_cert())
    if i.keyid() not in ids:
        ids.append(i.keyid())

# Change all the nicknames
for n, i in enumerate(ids):
    ctx.set_nickname(i, "identity%d" % n)

# Print the credentials with the new nicknames
print("")
print("After modifications")
print("")
for c in ctx.credentials():
    print("Raw: %s -> %s" % (c.head().string(), c.tail().string()))
    print("Short: %s -> %s" % (c.head().short_string(ctx), c.tail().short_string(ctx)))
}}}

It produces output like:

{{{
Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
Short: Acme.experiment_create -> Acme.partner.experiment_create

After modifications

Raw: cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.experiment_create -> cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd.partner.experiment_create
Short: identity0.experiment_create -> identity0.partner.experiment_create
}}}

The names in a context can be exported into new credentials by calling {{{bake}}} with the context containing the nicknames:

{{{
import sys
import ABAC

ctx = ABAC.Context()
ctx.load_id_file('./issuer.pem')

# Attach a nickname to the issuer's keyid in this context
i = ABAC.ID('./issuer.pem')
ctx.set_nickname(i.keyid(), 'Ted Faber')

# Attribute issued by i, valid for 20 years (lifetime given in seconds)
a = ABAC.Attribute(i, 'ABAC_Guy', 20 * 365 * 24 * 3600)
a.principal(i.keyid())
# Baking with ctx signs the credential and writes the context's nicknames
# into its mnemonic elements
a.bake(ctx)

a.write(sys.stdout)
}}}

Produces (note the {{{mnemonic}}} elements):

{{{
<?xml version="1.0" encoding="UTF-8"?>
<signed-credential>
  <credential xml:id="ref0">
    <type>abac</type>
    <serial/>
    <owner_gid/>
    <target_gid/>
    <uuid/>
    <expires>2033-06-13T00:44:54Z</expires>
    <abac>
      <rt0>
        <version>1.1</version>
        <head>
          <ABACprincipal><keyid>cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd</keyid><mnemonic>Ted Faber</mnemonic></ABACprincipal>
          <role>ABAC_Guy</role>
        </head>
        <tail>
          <ABACprincipal><keyid>cf3cf09b762d89f0f6660e48b1b804e1fe7d53fd</keyid><mnemonic>Ted Faber</mnemonic></ABACprincipal>
        </tail>
      </rt0>
    </abac>
  </credential>
  <signatures>
    <!-- elided -->
  </signatures>
</signed-credential>
}}}