Changes between Version 37 and Version 38 of FeddCommands


Timestamp: Jun 12, 2014 3:24:53 PM (10 years ago)
Author: faber
Comment: --

  • FeddCommands

    v37 v38  
    371371
    372372There are several utilities for converting text-based configurations to ABAC and manipulating ABAC logic statements directly.
    373 
    374 === fedd_to_abac.py ===
    375 
    376 {{{fedd_to_abac.py}}} converts an fedd experiment controller configuration into an ABAC configuration.  A certificate and key are required as well as an output directory for the ABAC authorizer (target of the '''auth_dir''' parameter in the configuration file.
    377 
    378 It takes the following arguments:
    379   {{{--cert=}}}''file''::
    380     A file containing an X.509 certificate in pem format.  This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity.  It may be a combination certificate and key file.
    381   {{{--key=}}}''file''::
    382     The key for signing attributes.  It should be a pem file with an RSA key in it.  This can be omitted if {{{--cert}}} specifies a combination file.
    383   {{{--dir=}}}''dir''::
    384     The output directory for the authorizer.   (This must be an absolute pathname).
    385 
    386   {{{--make_dir}}}::
    387     If given, make the output directory.
    388   {{{--debug}}}::
    389     Just output the creddy commands that would be issued to create the certificates.
    390   {{{--policy_only}}}::
    391     Only output the ABAC certificates, not the full ABAC authorizer.  This is primarily for debugging.
    392   {{{--update}}}::
    393     Update the output directory rather than creating it.  This allows the authorizer to remember credentials it has learned or issued while updating the policy.
    394 
    395 After the named arguments are given, the [FeddDatabases#ExperimentControlComponentAccessDB aceess DB file] is a required argument.
    396373
    397374=== access_to_abac.py ===
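Review bot: the change comment is empty, so nothing records that the fedd_to_abac.py section removed here (old lines 374-395) is being moved further down the page rather than dropped. Say in the comment that the tool sections are being reordered and that creddy_split.py is new, so readers of the page history do not have to match the removed and added blocks by hand.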
     
    426403If {{{--file}}} is not given, the [FeddDatabases#AccessComponentAccessDB accessDB] to convert must follow.
    427404
     405
     406
     407=== cert_to_fedid.py ===
     408
     409The fedd tools expect the identity of the user to be a self-signed certificate.  This is accomplished using the command:
     410
     411{{{
     412$ cert_to_fedid.py --cn $USER --out $HOME/.ssl/fedid.pem $HOME/.ssl/emulab.pem
     413}}}
     414
     415The '''cert_to_fedid.py''' utility will list other parameters, but most are not needed for users.  The fedid_tools search for {{{.ssl/fedid.pem}}} as a default identity, so putting the output there will make things simple.
     416
     417
     418=== creddy_split.py ===
     419
     420Split a combination PEM file (that contains both a key and a certificate) into a key and a certificate file.  Early versions of ABAC were finicky about combination PEM files.  It takes a single parameter, the combination to split.  By default the output files are `./cert.pem` and `./key.pem`.
     421
     422The arguments are:
     423
     424 '''--cert='''''filename'''::
     425  Store the certificate in ''filename''
     426 '''--force'''::
     427  Overwrite existing output files
     428 '''--key='''''filename''::
     429  Store the key in ''filename''
     430
    428431=== dump_abac_authorizer.py ===
    429432
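Review bot: in the creddy_split.py argument list (new line 424), `'''--cert='''''filename'''::` closes the italic with three quotes where the --key entry on line 428 uses two, which leaves the markup unbalanced; use `''filename''::` in both. The list also marks options in bold while the other tool sections use {{{ }}}, so pick one style. Because the default outputs are ./cert.pem and ./key.pem in the current directory and --force overwrites existing files, the text should say what permissions key.pem is written with. In the cert_to_fedid.py paragraph (new line 415), "fedid_tools" looks like a typo for the "fedd tools" named at the start of that section.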
     
    440443}}}
    441444
     445=== fedd_to_abac.py ===
     446
     447{{{fedd_to_abac.py}}} converts an fedd experiment controller configuration into an ABAC configuration.  A certificate and key are required as well as an output directory for the ABAC authorizer (target of the '''auth_dir''' parameter in the configuration file.
     448
     449It takes the following arguments:
     450  {{{--cert=}}}''file''::
     451    A file containing an X.509 certificate in pem format.  This is the identity that will assert the attributes and should probably be the same as the experiment controller's identity.  It may be a combination certificate and key file.
     452  {{{--key=}}}''file''::
     453    The key for signing attributes.  It should be a pem file with an RSA key in it.  This can be omitted if {{{--cert}}} specifies a combination file.
     454  {{{--dir=}}}''dir''::
     455    The output directory for the authorizer.   (This must be an absolute pathname).
     456
     457  {{{--make_dir}}}::
     458    If given, make the output directory.
     459  {{{--debug}}}::
     460    Just output the creddy commands that would be issued to create the certificates.
     461  {{{--policy_only}}}::
     462    Only output the ABAC certificates, not the full ABAC authorizer.  This is primarily for debugging.
     463  {{{--update}}}::
     464    Update the output directory rather than creating it.  This allows the authorizer to remember credentials it has learned or issued while updating the policy.
     465
     466After the named arguments are given, the [FeddDatabases#ExperimentControlComponentAccessDB aceess DB file] is a required argument.
     467
    442468=== import_abac_creds.py ===
    443469
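Review bot: the moved fedd_to_abac.py text carries its defects with it. On new line 447 the parenthesis opened at "(target of the '''auth_dir''' parameter" is never closed and "an fedd" should be "a fedd"; on new line 466 the link text reads "aceess DB file". Fix these while the block is being touched. The blank line at 456 between --dir and --make_dir also splits the argument list in two; remove it unless the split is intended.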
     
    455481You can confirm the addition of the certificates using dump_abac_authorizer.py.
    456482
    457 === cert_to_fedid.py ===
    458 
    459 The fedd tools expect the identity of the user to be a self-signed certificate.  This is accomplished using the command:
    460 
    461 {{{
    462 $ cert_to_fedid.py --cn $USER --out $HOME/.ssl/fedid.pem $HOME/.ssl/emulab.pem
    463 }}}
    464 
    465 The '''cert_to_fedid.py''' utility will list other parameters, but most are not needed for users.  The fedid_tools search for {{{.ssl/fedid.pem}}} as a default identity, so putting the output there will make things simple.
    466 
    467 
    468 
    469