Changes between Version 14 and Version 15 of TIEDCredentials
Timestamp: 05/13/13 18:56:46 (12 years ago)
TIEDCredentials
v14 v15 75 75 76 76 {{{ 77 AM.privilege(Target ) <- Issuer.privilege(Target)77 AM.privilege(Target, Principal) <- Issuer.privilege(Target, Principal) 78 78 }}} 79 79 … … 81 81 82 82 {{{ 83 AM.resolve(Target ) <- Issuer.resolve(Target)84 AM.info(Target ) <- Issuer.info(Target)83 AM.resolve(Target, Principal) <- Issuer.resolve(Target, Principal) 84 AM.info(Target, Principal) <- Issuer.info(Target, Principal) 85 85 }}} 86 86 87 The Principal argument to the privilege attribute allows requesters to differentiate between a principal acting for themself and a tool acting for another principal. If a tool T submits a request asserting that it speaks for principal P the AM would ask the ABAC prover to prove that AM.privilege(Target, P) is true of principal T. If that attribute is provable about T the speaks for is in effect. 87 88 88 89 Issuers, such as Slice Authorities and Clearinghoses, issue credentials to users. Here we describe how libabac will translate a credential into multiple ABAC statements inside the prover. … … 91 92 92 93 {{{ 93 (1) Issuer.privilege(Target ) <- Issuer.speaks_for(P)94 (1) Issuer.privilege(Target, P) <- Issuer.speaks_for(P) 94 95 (2) Issuer.speaks_for(P) <- P 95 (3) Issuer.speaks_for(P) <- P.speaks_for(P)96 (3) Issuer.speaks_for(P) <- Issuer.TrustedTool & P.speaks_for(P) 96 97 }}} 97 98 98 These ABAC statements mean: (1) The Issuer says that anyone that speaks for P has the privilege. (2) The Issuer says P speaks for itself. (3) The Issuer says that anyoneP says speaks for P speaks for P. When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC. The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential.99 These ABAC statements mean: (1) The Issuer says that anyone that speaks for P can exercise the privilege as P (the second parameter). (2) The Issuer says P speaks for itself. 
(3) The Issuer says that anyone that the Issuer believes is a trusted tool and that P says speaks for P speaks for P. When an Issuer hands out a GENI credential assigning {{{privilege}}} with respect to Target, it is making those three statements in ABAC. The first line is repeated for each privilege in the credential; the last two are added to the prover once per credential. 99 100 100 101 When a user (P) issues a speaks-for credential for a tool (T), that credential is translated into ABAC as: … … 108 109 To be concrete: if (in GENI terms) 109 110 * AM trusts Issuer about {{{resolve}}} on {{{Target}}} 110 * Issuer has handed P a GENI credential assigning {{{resolve}}} on {{{Target}}}111 * Issuer has handed P a GENI privilege credential assigning {{{resolve}}} on {{{Target}}} 111 112 * P has issued a "speaks-for" credential to tool T 113 * The issuer trusts tool T 112 114 * T makes a request including both credentials 113 115 … … 120 122 Issuer.speaks_for(P) <- P.speaks_for(P) /* From Issuer GENI privilege credential */ 121 123 P.speaks_for(P) <- T /* From User GENI privilege credential (speaks_for) */ 124 Issuer.TrustedTool <- T /* Separate TrustedTool ABAC credential */ 122 125 }}} 123 126 … … 133 136 134 137 {{{ 135 Issuer.privilege(Target ) <- Issuer.can_delegate_privilege(Target).privilege(Target)136 Issuer.can_delegate_privilege(Target ) <- P138 Issuer.privilege(Target, P) <- Issuer.can_delegate_privilege(Target, P).privilege(Target, P) 139 Issuer.can_delegate_privilege(Target, P) <- P 137 140 }}} 138 141
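Review bot: The new paragraph on the Principal argument (wiki lines 87-88) should state how the AM binds T to the request: the attribute AM.privilege(Target, P) is proved about T, so T must be the authenticated sender of the request (the principal whose credentials/key the AM verified), and P is the principal named in the request's speaks-for assertion. Without saying that, a reader could implement a check that only shows T could act for P, not that this particular request came from T. One added sentence along the lines of "T is the authenticated requester; P is taken from the speaks-for assertion in the request" would close the gap.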
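Review bot: The worked example is now inconsistent with the updated rule (3). Rule (3) in the translation section changed to "Issuer.speaks_for(P) <- Issuer.TrustedTool & P.speaks_for(P)", but the example's unchanged line 122 still reads "Issuer.speaks_for(P) <- P.speaks_for(P)", so the newly added statement "Issuer.TrustedTool <- T" on line 124 (and the new bullet "The issuer trusts tool T") plays no part in the proof: the speaks-for still goes through without the TrustedTool credential. Line 122 should become "Issuer.speaks_for(P) <- Issuer.TrustedTool & P.speaks_for(P)" so the example actually exercises the trusted-tool requirement it claims to add.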
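Review bot: The delegation rules (wiki lines 138-139) need a sentence on what a delegate ends up holding. With "Issuer.privilege(Target, P) <- Issuer.can_delegate_privilege(Target, P).privilege(Target, P)", a principal Q that P delegates to is granted Issuer.privilege(Target, P), the same attribute a speaks-for tool gets, i.e. Q exercises the privilege as P rather than receiving Issuer.privilege(Target, Q) in its own name. State whether that is intended, since the AM then cannot tell a delegate from a speaks-for tool and will attribute the action to P. Also note that this path does not require Issuer.TrustedTool, whereas the speaks-for path in rule (3) now does; say whether that asymmetry is deliberate.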
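Review bot: Typo in the unchanged prose at wiki line 89: "Clearinghoses" should be "Clearinghouses".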