Version 5 (modified by 12 years ago) (diff) | ,
---|
ABAC
Table of Contents
The ABAC project has designed and implemented tools for using Attribute-Based Access Control, a scalable authorization system based on formal logic. It maps principals to attributes and uses the attribute to make an authorization decision, e.g., if user1 has the login attribute the login program will alllow them to log in. This library, libabac, is a base on which to build those tools. It is in use in the DETER federation system and being integrated with the GENI network testbed.
If you are new to ABAC, you may find the introductory material from our TIED project helpful. That material summarizes the power and semantics of ABAC and links to examples of ABAC policy illustrated using an early example of the Crudge ABAC policy browser.
The latest ABAC RT0 version is ABAC 0.1.4. Jump down to Source to download it.
What's Included
The core libabac distribution includes:
- libabac, a linkable C/C++ library
- Perl and Python bindings to libabac
- A standalone java implementation
- creddy, a command line credential management tool
These ABAC tools use libabac
- crudge a visual editor for ABAC policies and proofs
- credential printer an XMLRPC service to convert credentials to a text representation
Getting started: Installing libabac
Installing libabac is a straightforward configure
, make
, make install
sequence. There are a few things to be careful of depending on your operating system.
Software Dependencies
Libabac depends on openssl and the xmlsec1 digital signature library. Most unix-like operating systems have openssl installed and have xmlsec1 as a standard package. The perl and python bingings are generated by swig 1.3, and the build system uses automake and some autoconf macros.
To set up Ubuntu for building libabac:
$ sudo apt-get -y install autoconf-archive automake g++ git-core libtool python-dev swig libxmlsec1-dev
Under FreeBSD, use the ports system to install the following packages:
devel/libtool devel/automake devel/autoconf-archive devel/swig13 devel/pkg-config security/xmlsec1 lang/perl lang/python
If you plan to build the java implementation on ubuntu you should also
$ apt-get -y install openjdk-7-jdk ant ant-optional
Similarly in FreeBSD install
devel/apache-ant java/openjdk6
We have seen no differences under the various JDKs.
Installation
Then get the source, untar it, change to the abac-0.1.4
directory and do the standars install sequence:
# Ubuntu users: ./configure --prefix=/usr $ ./configure $ make $ sudo make install
To confirm that your install succeeded:
$ cd examples $ make
Libabac uses the standard GNU install prefix of /usr/local
. If you are on Ububtu or another distribution that does not search /usr/local/lib for shared libraries, make sure you use ./configure --prefix=/usr
Tracking Development
If you would like to track the libabac development, you can pull code from out publically available git repository:
$ git clone git://abac.deterlab.net/abac.git
Current sources can be browsed on the web.
Releases
See the ChangeLog for details about each release
- 2013-05-XX: ABAC 0.1.4 released
- 2011-04-11: Crudge 1.0 released
- 2011-03-30: ABAC 0.1.3 released
- 2010-10-01: ABAC 0.1.2 released
2010-09-172010-09-20: ABAC 0.1.1 released- Update: We fixed a one-line bug in creddy. If you downloaded this over the weekend, please fetch it again.
Using libabac
Libabac allows developers to import signed ABAC statements about principals and attributes and prove that certain principals have those attributes (more detail about ABAC logic). The basic structures that libabac uses to support those operations are identities, attributes, and a context for those.
Identities
An identity in ABAC is a principal who has issued or can issue attributes (valid ABAC statements). libabac allows one to create new principals and to import identities from X.509 identity certificates. To create a principal from scratch (in python):
import ABAC id = ABAC.ID("newGuy", 5*365*3600*24)
The first parameter is a common name to use for the identity and the second parameter is the validity. Associated with this identity is a public/private key pair that can be used to sign new ABAC attributes. In ABAC statements the principal is referred to an identifier derived from its public key. You can access that identitfer using the keyid() method:
import ABAC id = ABAC.ID("newGuy", 5*365*3600*24) print id.keyid()
prints something like:
481365b6eced33c0b06674d506b92f01f69e05fd
The other way to initialize an idenitiy is to read the contents from an X.509 certificate file, or from the contents of such a file (referred to as a chunk):
import ABAC id1 = ABAC.ID("./newGuy.pem") try: f = open("./newGuy.pem") id2 = ABAC.ID_chunk(f.read()) f.close() except: pass print "%s %s" % (id1.keyid(), id2.keyid())
The write_cert
and write_cert_name
methods write the X.509 certificate from an identity. The private keys can similarly be read or written using read_privkey_name
and read_privkey
. The following snippet creates an identity, writes it to 2 files and reads it from those files printing the results. The output files will not contain the private key.
import ABAC id = ABAC.ID("newGuy", 5*365*3600*24) id.write_cert_name("./newGuy.pem") id1 = ABAC.ID("./newGuy.pem") try: f = open("./newGuy.pem") id2 = ABAC.ID_chunk(f.read()) f.close() except: pass print "%s %s %s" % (id.keyid(), id1.keyid(), id2.keyid())
Libabac generates self-signed certificates and does not check the signatures of imported certificates. Use an external library to do that.
Attributes
Attributes are the signed ABAC statements that make up proofs. libabac can import them from files and generate new ones. This section describes creating them.
As we have seen, an ABAC statement assigns an attribute (signed by an identity) to another identity or set of identities with a given attribute. Here is how libabac constructs an attribute encoding A.admin <- B
. That attirbute means that identity A is assigning identity B the admin
attribute for use in later proofs.
import ABAC a = ABAC.ID("A", 24 * 3600 * 365 * 20) b = ABAC.ID("B", 24 * 3600 * 365 * 20) attr = ABAC.Attribute(a, "admin", 24 * 3600 * 365 * 20) attr.principal(b.keyid()) attr.bake() attr.write_name("attr.xml")
The Attribute constructor takes the issuing identity, the attribute being assigned and the validity period of the assertion (in seconds). This code assigns a principal to that class using the principal
member. The role
member and linking_role
members can be used to construct the other kinds of attributes.
The bake
member finalizes the attribute and creates a signed format for export, which one can write using the write
and write_name
members, that are analogous to write_cert
and write_cert_name
members of identities.
The bake
method exists so that Attributes can contain conjunctions. If identity A wants to state that friendly admins are admins who are friendly (A.friendly_admin <- A.friendly & A.admin
), this code will it:
import ABAC a = ABAC.ID("A", 24 * 3600 * 365 * 20) attr = ABAC.Attribute(a, "friendly_admin", 24 * 3600 * 365 * 20) attr.role(a.keyid(), "friendly") attr.role(a.keyid(), "admin") attr.bake() attr.write_name("attr.xml")
Contacts
- devevelopers mailing list
- Ted Faber faber@…
- Mei-Hui Su mei@…
- Steve Schwab schwab@…