Changes between Version 33 and Version 34 of TIEDABACDemo


Timestamp:
07/14/09 17:41:42 (15 years ago)
Author:
faber@isi.edu
Comment:

--

  • TIEDABACDemo

    v33 v34  
    4949In order to assign that attribute to a principal using the explorer, one connects the principal representation (an ellipse with that prinicpal's name in it) to the attribute in question.  The following shows the BBNAdmin principal being assigned the '''GENI.CTFadmin''' attribute.
    5050
    51 [[Image(example0.png)]]
     51[[Image(explorer1.png)]]
    5252
    5353Every arrow we draw in the explorer represents the creation of a credential (though some arrows will appear later without being drawn that do not represent credentials).  A credential is a statement about either a principal having an attribute (as in this case) or the relationship between a attributes as we see below.  The credential is always issued by the controller of the attribute at the head of the arrow (GENI, in this case) and contains enough information to recreate the edge and nodes in the graph.  In this case a credential saying "the BBNAdmin principal has the GENI.CTFadmin attribute, signed the GENI principal" is created.
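Review bot: the unchanged paragraph at line 53, directly under the replaced image, still has two wording slips in the sentences that define a credential: "the relationship between a attributes" and "signed the GENI principal" (missing "by"). Since this revision already touches the figure they describe, fix both here, along with "prinicpal's" on line 49. The change itself only swaps the macro argument from example0.png to explorer1.png, so confirm that explorer1.png is attached to the page and shows BBNAdmin connected to GENI.CTFadmin as line 49 says.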
     
    5757Surprisingly, that administrator does not possess the '''GENI.CTFaccess''' attribute.  While we could assume that the administrator privilege subsumes access rights, that makes queries about users who have asserted access rights more difficult as the query engine needs to understand the semantics of access.  Rather than do that, the GENI principal connects the two attributes by drawing an arrow from the '''GENI.CTFadmin''' attribute to the '''GENI.CTFaccess''' attribute.
    5858
    59 [[Image(example13.png)]]
     59[[Image(explorer2.png)]]
    6060
    6161Drawing that line creates a credential that says "Any principal that has the GENI.CTFadmin attribute has the GENI.CTFaccess attribute, signed GENI".  Notice that only the GENI principal can create such a credential: it controls the GENI.CTFaccess attribute, and any assignment of that attribute must be done by the controlling prinicpal.
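Review bot: line 61 writes GENI.CTFaccess in plain text outside the quoted credential, while line 57 marks the same attribute names with the '''...''' bold markup; use one convention for attribute names so readers can tell them apart from principal names such as GENI. Line 61 also ends with the misspelling "prinicpal". As with the first figure, only the macro argument changes (example13.png to explorer2.png), so check that explorer2.png is attached and depicts the arrow from GENI.CTFadmin to GENI.CTFaccess that line 57 describes.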