Changes between Version 4 and Version 5 of FeddABAC


Ignore:
Timestamp:
Jan 16, 2011 5:26:58 PM (14 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • FeddABAC

    v4 v5  
    3434
    3535
     36== Expressing Three-names as ABAC credentials ==
     37
     38[FeddAbout#GlobalIdentifiers:Three-levelNames Three-names] are really an encoding of a fairly small attribute space used by access controllers to control which fedids can perform operations and how to map authorized fedids into the local identifier space.  Experiment controllers assert the attributes.
     39
     40The attributes an experiment controller asserts are given in its [FeddDatabases#ExperimentControlComponentAccessDB access database] in lines of the form:
     41
     42{{{
     43fedid:xxx -> (proj1, user1)
     44}}}
     45
     46That line asserts that this controller will assert that a user with fedid of xxx is in project {{{proj1}}} and is user {{{user1}}}.  This encodes in ABAC (using the RT0 syntax supported by [http://abac.deterlab.net libabac] as:
     47
     48{{{
     49ec_fedid.user_user1 <- fedid:xxx
     50ec_fedid.project_proj1 <- fedid:xxx
     51}}}
     52
     53{{{ec_fedid}}} is the fedid of the experiment controller.  The {{{fedd_to_abac.py}}} script converts an experiment controller's access DB to an ABAC credential store with those credentials, encoded as X.509 attribute certificates.
     54
     55The access controller uses three-names to both make the access control decision (does a requester have the right to make this call) and a mapping of the fedid into the user access space.  For example a line like:
     56
     57{{{
     58(ec_fedid, proj1, user1) -> create, (DETER, faber, faber)
     59}}}
     60
     61says that a user with a project of {{{proj1}}} and a user of {{user1}} attested by the controller with fedid {{{ec_fedid}}} can create experiments as local user {{{faber}}} on the local {{{DETER}}} project.  The ABAC credentials for the access control decision look like:
     62
     63{{{
     64ac_fedid.project_proj1_user_user1 <- ec_fedid.project_proj1 & ec_fedid.user_user1
     65ac_fedid.create <- ac_fedid.project_proj1_user_user1
     66}}}
     67
     68The first rule names the conjunction of two experiment controller attributes and the second line maps that to a local create attribute.  The first attibute is used to map to local credentials.
     69
     70The mapping to local credentials is accomplished by a