| 108 | == Using libabac == |
| 109 | |
| 110 | Libabac allows developers to import signed ABAC statements about principals and attributes and prove that certain principals have those attributes ([http://groups.geni.net/geni/wiki/TIEDABACModel more detail about ABAC logic]). The basic structures that libabac uses to support those operations are identities, attributes, and a context for those. |
| 111 | |
| 112 | |
| 113 | === Identities === |
| 114 | |
| 115 | An identity in ABAC is a principal who has issued or can issue attributes (valid ABAC statements). libabac allows one to create new principals and to import identities from X.509 identity certificates. To create a principal from scratch (in Python): |
| 116 | |
| 117 | {{{ |
| 118 | import ABAC |
| 119 | |
| 120 | id = ABAC.ID("newGuy", 5*365*3600*24) |
| 121 | }}} |
| 122 | |
| 123 | The first parameter is a common name to use for the identity and the second parameter is the validity period (five years, expressed in seconds, in this example). Associated with this identity is a public/private key pair that can be used to sign new ABAC attributes. In ABAC statements the principal is referred to by an identifier derived from its public key. You can access that identifier using the keyid() method: |
| 124 | |
| 125 | |
| 126 | {{{ |
| 127 | import ABAC |
| 128 | |
| 129 | id = ABAC.ID("newGuy", 5*365*3600*24) |
| 130 | print(id.keyid()) |
| 131 | }}} |
| 132 | prints something like: |
| 133 | |
| 134 | {{{ |
| 135 | 481365b6eced33c0b06674d506b92f01f69e05fd |
| 136 | }}} |
| 137 | |
| 138 | The other way to initialize an identity is to read the contents from an X.509 certificate file, or from the contents of such a file (referred to as a chunk): |
| 139 | |
| 140 | {{{ |
| 141 | import ABAC |
| 142 | |
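| 143 | id1 = ABAC.ID("./newGuy.pem")  # load from a certificate file |
| 144 | |
| 145 | try: |
| 146 |     f = open("./newGuy.pem") |
| 147 |     id2 = ABAC.ID_chunk(f.read())  # load from the file's contents (a chunk) |
| 148 |     f.close() |
| 149 | except Exception as e: |
| 150 |     raise SystemExit("cannot load identity: %s" % e)  # stop here: id2 would be undefined below |
| 151 | |
| 152 | print("%s %s" % (id1.keyid(), id2.keyid())) |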
| 153 | |
| 154 | |
| 155 | }}} |
| 156 | |