ABAC_credentials
Compared to typical SFA credentials, ABAC credentials provide a set of new features:
- speaks for: delegate permissions on resources to external software modules, while preserving the rights and obligations of the issuer
- TODO: fill
To generate ABAC credentials, you need to install the ABAC library, which is written in C and provides Python wrappers.
You may follow the installation steps or run these steps in your shell (Debian environments):
```
current=$PWD
abac_dep=abac-0.1.9
felix_dependencies=/opt/felix/dependencies
mkdir -p $felix_dependencies
cd $felix_dependencies
wget http://abac.deterlab.net/src/$abac_dep.tar.gz -P $felix_dependencies/
tar -zxvf $felix_dependencies/$abac_dep.tar.gz -C $felix_dependencies/
cd $abac_dep
./configure
make
sudo make install
```
If the installation above fails (and you installed the required dependencies mentioned on the website), you can follow some extra steps:
- Use `./configure --prefix=/usr` (Ubuntu environments) instead of `./configure`
- Manually perform the steps for [re-]linking the C libraries:
  - Error: cannot import the ABAC module in Python, and a couple of warnings were shown during `make install`:

```
import ABAC
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python2.7/dist-packages/ABAC.py", line 25, in <module>
    _ABAC = swig_import_helper()
  File "/usr/lib/python2.7/dist-packages/ABAC.py", line 17, in swig_import_helper
    import _ABAC
ImportError: libabac.so.2: cannot open shared object file: No such file or directory
```
```
# sudo make install
...
libtool: warning: relinking 'swig/python/_ABAC.la'
...
libtool: warning: relinking 'swig/perl/ABAC.la'
```
Then, from the directory where you placed the source of the ABAC library, follow some of the steps performed internally by "_make install_", e.g.:
```
libtool: install: /usr/bin/install -c swig/python/.libs/_ABAC.so.0.0.0T /usr/local/lib/python2.7/dist-packages/_ABAC.so.0.0.0
libtool: install: (cd /usr/local/lib/python2.7/dist-packages && { ln -s -f _ABAC.so.0.0.0 _ABAC.so.0 || { rm -f _ABAC.so.0 && ln -s _ABAC.so.0.0.0 _ABAC.so.0; }; })
libtool: install: (cd /usr/local/lib/python2.7/dist-packages && { ln -s -f _ABAC.so.0.0.0 _ABAC.so || { rm -f _ABAC.so && ln -s _ABAC.so.0.0.0 _ABAC.so; }; })
libtool: install: /usr/bin/install -c swig/python/.libs/_ABAC.lai /usr/local/lib/python2.7/dist-packages/_ABAC.la
libtool: install: /usr/bin/install -c swig/python/.libs/_ABAC.a /usr/local/lib/python2.7/dist-packages/_ABAC.a
libtool: install: chmod 644 /usr/local/lib/python2.7/dist-packages/_ABAC.a
libtool: install: ranlib /usr/local/lib/python2.7/dist-packages/_ABAC.a
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/local/lib/python2.7/dist-packages
```
If everything went well, you should see the dynamically linked libraries in the Python packages folder of your distribution (here, Python 2.7):
```
# ls -la /usr/lib/python2.7/dist-packages/ | grep ABAC
-rw-r--r-- 1 root root 3473978 Jan 15 12:09 _ABAC.a
-rwxr-xr-x 1 root root    1035 Jan 15 12:09 _ABAC.la
-rw-r--r-- 1 root root   29080 Jan 15 12:09 ABAC.py
-rw-r--r-- 1 root root   48515 Jan 15 12:09 ABAC.pyc
-rw-r--r-- 1 root root   48515 Jan 15 12:09 ABAC.pyo
lrwxrwxrwx 1 root root      14 Jan 15 12:09 _ABAC.so -> _ABAC.so.0.0.0
lrwxrwxrwx 1 root root      14 Jan 15 12:09 _ABAC.so.0 -> _ABAC.so.0.0.0
-rwxr-xr-x 1 root root 1434202 Jan 15 12:09 _ABAC.so.0.0.0
```
You should now be able to import the module in the Python console. If not, uninstall the libraries ("_sudo make uninstall_"), remove the directory with the ABAC library sources and repeat the full installation process; or try alternative methods to remove the full library.
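Before repeating the installation, it helps to confirm which library the dynamic loader cannot resolve for the Python wrapper. The following check is an added example, not part of the original page or of the ABAC library; the function names `unresolved_libs` and `check_abac_module` are hypothetical, and the sample `ldd` output is constructed.

```shell
#!/bin/sh
# Added diagnostic example (not from the original page).
# An "ImportError: libabac.so.2: cannot open shared object file" means the
# loader cannot resolve a dependency of _ABAC.so; ldd reports those entries
# as "<name> => not found".

# unresolved_libs: read `ldd` output on stdin and print every library name
# that the loader could not resolve.
unresolved_libs() {
    awk '/=> not found/ { print $1 }'
}

# check_abac_module DIR: inspect DIR/_ABAC.so.
# Returns 0 when every dependency resolves, 1 when at least one is missing,
# 2 when _ABAC.so is absent (a dangling symlink also counts as absent,
# because `-e` follows symlinks).
check_abac_module() {
    abac_so="$1/_ABAC.so"
    if [ ! -e "$abac_so" ]; then
        echo "no usable _ABAC.so in $1" >&2
        return 2
    fi
    abac_missing="$(ldd "$abac_so" | unresolved_libs)"
    if [ -n "$abac_missing" ]; then
        echo "unresolved dependencies of $abac_so:" >&2
        echo "$abac_missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample of ldd output for the failure shown in the traceback above.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd5a1f2000)
    libabac.so.2 => not found
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f3b1c000000)'
```

Run `check_abac_module /usr/lib/python2.7/dist-packages` (or the `/usr/local/lib/...` path from the libtool output) after `make install`; a return code of 1 with `libabac.so.2` listed matches the import error above.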
Place the attached gen_speaks_for_cred.py under CBAS root directory.
- At the location of the user:
  - Run script, select option 1 to generate speaks_for cred (e.g. `<user>-cred.xml`)
- At the location of RO:
  - Run script, select option 3 to generate credential for RO (e.g. `alice-cred.xml`)
    - Copy credential to `cert/alice-cred.xml` within RO
  - Run script again, select option 3 to generate credential for master island (e.g. `alice-cred.xml`)
    - Copy credential to `cert/alice-cred.xml` within MRO
- At the location of MRO:
  - Run script with option 4 to generate credential for all peer islands (e.g. {eict|i2cat|...}-cred.xml)
- At the location of the user:
  - `<user>-cred.xml` will be given to OMNI via command line, using the `--cred <cred_path>` parameter
- At the location of RO:
  - Scenario A (user contacts RO using OMNI): two credentials will be received from user: 1) user/slice cred, 2) speaks_for cred
  - Scenario B (MRO contacts RO): multiple creds will be received from MRO, e.g. user/slice cred, user's speaks_for cred, alice-cred.xml, etc.
  - In both scenarios, when RO contacts the local RM, it replays the above list of received creds, appended with ro.xml and master.xml
- At the location of MRO:
  - Scenario X (user contacts MRO using OMNI): two creds will be received from user: 1) user/slice cred, 2) speaks_for cred
  - Scenario Y (RO contacts MRO): multiple creds will be received from RO, e.g. user/slice cred, user's speaks_for cred, ro.xml, etc.
  - In both scenarios, when MRO contacts a peer RO, it replays the above list of received credentials, appended with the peer island's cred (e.g. if MRO has to contact RO of island X, then x-cred.xml will be appended)