Changes between Version 6 and Version 7 of FeddABAC


Ignore:
Timestamp:
Jan 16, 2011 8:06:31 PM (14 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • FeddABAC

    v6 v7  
    8282RT1 allows for parameterized attributes, that is an attribute is a string and 0 or more typed parameters.  Those attributes would take the form of {{{project(}}}''name''{{{)}}}, and would allow some more sophisticated deduction rules.  While the RT0 vs. RT1 distinction is only a convenience for the encoding of three-names, we intend to pursue implementing the more powerful logic.
    8383
     84== Conversion Utilities ==
    8485
     86This section describes the utilities for converting existing [FeddAbout#GlobalIdentifiers:Three-levelNames three-name-based]configurations into ABAC.  Users do not need to do anything, but there is a utility for converting experiment controllers and access controllers.
     87
     88In addition to running the utilties, add set '''auth_type''' to '''abac''' and '''auth_dir''' to the ABAC directory created by the utilities below. For access controllers, the '''accessdb''' variable should point to the generated map file.
     89
     90=== fedd_to_abac.py ===
     91
     92{{{fedd_to_abac.py}}} converts an existing fedd experiment controller configuration into an ABAC configuration.  A certificate and key are required as well as an output directory for the ABAC authorizer (target of the '''auth_dir''' parameter in the configuration file.
     93
     94It takes the following arguments:
     95  {{{--cert=}}}''file''::
     96    A file containing an X.509 certificate in pem format.  This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity.  It may be a combination certificate and key file.
     97  {{{--key=}}}''file''::
     98    The key for signing attributes.  It should be a pem file with an RSA key in it.  This can be omitted if {{{--cert}}} specifies a combination file.
     99  {{{--dir=}}}''dir''::
     100    The output directory for the authorizer.
     101  {{{--make_dir}}}::
     102    If given, make the output directory.
     103  {{{--debug}}}::
     104    Just output the creddy commands that would be issued to create the certificates.
     105  {{{--policy_only}}}::
     106    Only output the ABAC certificates, not the full ABAC authorizer.  This is primarily for debugging.
     107  {{{--update}}}::
     108    Update the output directory rather than creating it.  This allows the authorizer to remember credentials it has learned or issued while updating the policy.
     109
     110After the named arguments are given, the [FeddDatabases#ExperimentControlComponentAccessDB aceess DB file] is a required argument.
     111
     112=== access_to_abac.py ===
     113
     114{{{access_to_abac.py}}} converts access controller policies into ABAC and generates a DB for mapping the derived attributes into an appropriate credential mapping database, the target of the '''accessdb''' configuration directive.  Keys and certificates are required parameters as well as a directory for the ABAC authorizer and a file for the access DB.
     115
     116It takes the following arguments:
     117
     118  {{{--cert=}}}''file''::
     119    A file containing an X.509 certificate in pem format.  This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity.  It may be a combination certificate and key file.
     120  {{{--key=}}}''file''::
     121    The key for signing attributes.  It should be a pem file with an RSA key in it.  This can be omitted if {{{--cert}}} specifies a combination file.
     122  {{{--dir=}}}''dir''::
     123    The output directory for the authorizer.
     124  {{{--type=}}}''type''::
     125    The type of access controller, '''emulab''', '''dragon''', etc.  Used to parse the various formats of the old accessDB.
     126  {{{--quiet}}}::
     127    Do not produce extra output
     128  {{{--no_create_creds}}}::
     129    Do not create the authorizer (debugging only)
     130  {{{--file=}}}''old_accessdb''::
     131    The accessDB to convert.  May also be specified as a bare parameter after the named parameters have been given.
     132  {{{--mapfile=}}''new_accessdb''::
     133    The new accessDB to create.  It must be a different file name than the file being converted.
     134  {{{--no_delegate}}}::
     135    By default the ABAC created attributes include a layer of delegation for a standalone fedd running with a different principal.  Specifying this parameter eliminates a layer of delegation.  Even for single-user experiment controllers, this option is rarely necessary.
     136  {{{--no_auth}}}::
     137    Do not create an authorizer.  For debugging only.
     138  {{{--debug}}}::
     139    Just produce debugging output.
     140
     141If {{{--file}}} is not given, the [FeddDatabases#AccessComponentAccessDB accessDB] to convert must follow.