=== ABAC Utilities ===

There are several utilities for converting text-based configurations to ABAC and for manipulating ABAC logic statements directly.

=== fedd_to_abac.py ===

{{{fedd_to_abac.py}}} converts a fedd experiment controller configuration into an ABAC configuration. A certificate and key are required, as well as an output directory for the ABAC authorizer (the target of the '''auth_dir''' parameter in the configuration file).

It takes the following arguments:
{{{--cert=}}}''file''::
A file containing an X.509 certificate in PEM format. This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity. It may be a combined certificate and key file.
{{{--key=}}}''file''::
The key for signing attributes. It should be a PEM file containing an RSA key. This can be omitted if {{{--cert}}} specifies a combined file.
{{{--dir=}}}''dir''::
The output directory for the authorizer. (This must be an absolute pathname.)

{{{--make_dir}}}::
If given, create the output directory.
{{{--debug}}}::
Only print the creddy commands that would be issued to create the certificates.
{{{--policy_only}}}::
Only output the ABAC certificates, not the full ABAC authorizer. This is primarily for debugging.
{{{--update}}}::
Update the output directory rather than creating it. This lets the authorizer keep credentials it has learned or issued while the policy is updated.

After the named arguments are given, the [FeddDatabases#ExperimentControlComponentAccessDB access DB file] is a required argument.

=== access_to_abac.py ===

{{{access_to_abac.py}}} converts access controller policies into ABAC and generates a new credential mapping database for the derived attributes, the target of the '''accessdb''' configuration directive. Keys and certificates are required parameters, as well as a directory for the ABAC authorizer and a file for the new access DB.

It takes the following arguments:

{{{--cert=}}}''file''::
A file containing an X.509 certificate in PEM format. This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity. It may be a combined certificate and key file.
{{{--key=}}}''file''::
The key for signing attributes. It should be a PEM file containing an RSA key. This can be omitted if {{{--cert}}} specifies a combined file.
{{{--dir=}}}''dir''::
The output directory for the authorizer. (This must be an absolute pathname.)
{{{--type=}}}''type''::
The type of access controller, as given by the [FeddConfig#AccessOptions access_type] configuration directive. Used to parse the various formats of the old accessDB.
{{{--quiet}}}::
Do not produce extra output.
{{{--no_create_creds}}}::
Do not create the authorizer (debugging only).
{{{--file=}}}''old_accessdb''::
The accessDB to convert. May also be specified as a bare parameter after the named parameters have been given.
{{{--mapfile=}}}''new_accessdb''::
The new accessDB to create. It must have a different file name from the file being converted.
{{{--no_delegate}}}::
By default the ABAC attributes created include a layer of delegation for a standalone fedd running as a different principal. Specifying this parameter removes that layer of delegation. Even for single-user experiment controllers, this option is rarely necessary.
{{{--no_auth}}}::
Do not create an authorizer. For debugging only.
{{{--debug}}}::
Only produce debugging output.

If {{{--file}}} is not given, the [FeddDatabases#AccessComponentAccessDB accessDB] to convert must follow the named parameters.

=== dump_abac_authorizer.py ===

The {{{dump_abac_authorizer.py}}} program prints the contents of an ABAC authorizer. It takes one parameter, the directory containing the authorizer. The first line of output is the keyid of the fedd that uses the authorizer. Each line after that is an ABAC credential in RT0 logic (the logic described [http://groups.geni.net/geni/wiki/TIEDABACModel here]).

For example:
{{{
$ dump_abac_authorizer.py abac/
b9325180cc55b2af23bbfed6435d365449ab4afa
b9325180cc55b2af23bbfed6435d365449ab4afa.new <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.create <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.faber <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.feduser <- d18901f621eaa03507867212cd48c2b8d686d742
}}}

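The dump format above is easy to audit mechanically, which is worth doing after {{{--update}}} or after importing credentials. The following is an added example (not part of fedd or this page's tools) that parses the dump and, for each attribute the fedd issues, computes every principal that can prove it, following {{{A.r <- B.r2}}} role inclusions; the two credentials with keyids of repeated {{{a}}}/{{{b}}} digits are constructed to show such a chain.

```python
import re

# Constructed sample, not real output: the listing from this page plus two
# made-up credentials that delegate .feduser to another issuer's .member role.
SAMPLE_DUMP = """\
b9325180cc55b2af23bbfed6435d365449ab4afa
b9325180cc55b2af23bbfed6435d365449ab4afa.new <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.create <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.faber <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.feduser <- d18901f621eaa03507867212cd48c2b8d686d742
b9325180cc55b2af23bbfed6435d365449ab4afa.feduser <- aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.member
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.member <- bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb
"""
# head keyid, head role, body keyid, optional body role: "A.r <- B" or "A.r <- B.r2"
CRED_RE = re.compile(r"^([0-9a-f]{40})\.([\w-]+)\s*<-\s*([0-9a-f]{40})(?:\.([\w-]+))?$")

def parse_dump(text):
    """Return (keyid, credentials) from dump_abac_authorizer.py output."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    keyid, creds = lines[0], []
    for line in lines[1:]:
        m = CRED_RE.match(line)
        if m is None:  # linked roles and intersections are not handled here
            raise ValueError("unsupported credential line: %r" % line)
        creds.append(m.groups())
    return keyid, creds

def members(creds, issuer, role):
    """Principals that can prove issuer.role, following role inclusions."""
    holders, seen, todo = set(), set(), [(issuer, role)]
    while todo:
        cur = todo.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for head_id, head_role, body_id, body_role in creds:
            if (head_id, head_role) != cur:
                continue
            if body_role is None:
                holders.add(body_id)
            else:
                todo.append((body_id, body_role))
    return holders

def attribute_report(text):
    """Map each attribute issued by the dumped fedd to its full set of holders."""
    keyid, creds = parse_dump(text)
    roles = sorted({r for h, r, _, _ in creds if h == keyid})
    return keyid, {r: members(creds, keyid, r) for r in roles}
```

In the constructed sample the report shows that {{{feduser}}} is held by two principals although only one appears on a direct credential line, which is exactly the kind of expansion to look for after importing third-party credentials.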
=== import_abac_creds.py ===

The {{{import_abac_creds.py}}} program adds ABAC credentials held in X.509 certificates directly to an ABAC authorizer used by fedd. Such an authorizer is created by either fedd_to_abac.py or access_to_abac.py. The command takes one named argument:

{{{--dir=}}}''dir''::
The directory of the authorizer. (This must be an absolute pathname.)

The remaining parameters are a list of files containing the certificates to add. These can be identity or attribute certificates. To add an attribute certificate signed by issuer.pem and contained in attr.der to an authorizer in {{{/usr/local/etc/fedd/abac}}}, the command is:

{{{
$ import_abac_creds.py --dir /usr/local/etc/fedd/abac issuer.pem attr.der
}}}

You can confirm that the certificates were added using dump_abac_authorizer.py.

=== cert_to_fedid.py ===

The fedd tools expect the identity of the user to be a self-signed certificate. One is produced from an existing certificate using the command:

{{{
$ cert_to_fedid.py --cn $USER --out $HOME/.ssl/fedid.pem $HOME/.ssl/emulab.pem
}}}

The '''cert_to_fedid.py''' utility accepts other parameters, but most are not needed by users. The fedd tools search for {{{.ssl/fedid.pem}}} as the default identity, so writing the output there keeps things simple.
