X.509 certificate-based hierarchical resource delegation (extracted from Albatross)

Clone this repository

https://tangled.org/gazagnaire.org/ocaml-delegation https://tangled.org/did:plc:jhift2vwcxhou52p3sewcrpx/ocaml-delegation
git@git.recoil.org:gazagnaire.org/ocaml-delegation git@git.recoil.org:did:plc:jhift2vwcxhou52p3sewcrpx/ocaml-delegation


ocaml-delegation

X.509 certificate-based hierarchical resource delegation for OCaml.

ISC License

Overview

This library provides a generic framework for hierarchical resource delegation using X.509 certificate chains. It is extracted and generalized from Albatross by Hannes Mehnert.

The key concepts:

  • Hierarchical Names: Resources are named using colon-separated paths (e.g., operator:tenant-a:webapp)

  • Policy Delegation: Each level in the hierarchy can constrain what resources are available to subordinate levels. A child's policy must always be a subset of its parent's, so a chain can only narrow a grant, never widen it.

  • Certificate Chains: The delegation hierarchy is encoded in X.509 certificate chains: intermediate CAs define scopes and limits, and leaf certificates name specific resources.

Installation

opam install delegation

Usage

open Delegation

(* Parse a hierarchical name *)
let name =
  match Name.of_string "operator:tenant:webapp" with
  | Ok n -> n
  | Error (`Msg m) -> failwith m

(* Define resource policies *)
let operator_policy = Policy.Service.{
  services = 100;
  cpuids = Policy.Int_set.of_list [0; 1; 2; 3];
  memory = 4096;
  block = Some 1000;
  bridges = Policy.String_set.of_list ["br0"; "br1"];
}

let tenant_policy = Policy.Service.{
  services = 10;
  cpuids = Policy.Int_set.of_list [0; 1];
  memory = 512;
  block = Some 100;
  bridges = Policy.String_set.of_list ["br0"];
}

(* Verify delegation is valid *)
let () = assert (Policy.Service.is_subset ~super:operator_policy ~sub:tenant_policy)

(* Store data in hierarchical trie *)
let trie = Trie.empty
let trie, _ = Trie.insert name "webapp-config" trie
let config = Trie.find name trie  (* Some "webapp-config" *)
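The snippet above checks a single parent/child pair. The Overview says the same rule applies at every hop of a certificate chain, together with a scope rule (a child's name must sit under its parent's). The following is an added example written for this page, not code from the library or from Albatross: it re-declares a Service-like policy record with the standard library's Set so it runs with plain OCaml (`ocaml chain.ml`), and it assumes Albatross-style semantics for `block` (a child may request block storage only if its parent holds some). The chain walk, the prefix check and the three misbehaving hops are constructed for illustration.

```ocaml
(* Added example: validating a root-to-leaf delegation chain.
   Self-contained; uses its own policy record, not Delegation.Policy.Service. *)

module Int_set = Set.Make (Int)
module String_set = Set.Make (String)

type policy = {
  services : int;
  cpuids : Int_set.t;
  memory : int;          (* MiB *)
  block : int option;    (* None: no block storage may be delegated *)
  bridges : String_set.t;
}

(* A child may only narrow what its parent grants.  The [block] rule is an
   assumption modelled on Albatross: a child may ask for block storage only
   if the parent was granted some, and never more than the parent's amount. *)
let is_subset ~super ~sub =
  sub.services <= super.services
  && Int_set.subset sub.cpuids super.cpuids
  && sub.memory <= super.memory
  && String_set.subset sub.bridges super.bridges
  && (match sub.block, super.block with
      | None, _ -> true
      | Some _, None -> false
      | Some s, Some p -> s <= p)

(* One hop of the chain: the scope a certificate names and the policy it
   carries.  Names are the page's colon-separated paths, split into labels. *)
type hop = { name : string list; policy : policy }

let name_of_string s = String.split_on_char ':' s
let string_of_name n = String.concat ":" n

(* [parent] scopes [child] iff the parent's name is a prefix of the child's. *)
let rec is_prefix ~prefix ~of_ =
  match prefix, of_ with
  | [], _ -> true
  | p :: ps, c :: cs when String.equal p c -> is_prefix ~prefix:ps ~of_:cs
  | _ -> false

(* Walk the chain root-first.  Every hop must be scoped under its parent and
   must not exceed the parent's policy; the result is the policy in force at
   the leaf.  Checking each hop against its immediate parent is enough,
   because [is_subset] is transitive. *)
let validate_chain = function
  | [] -> Error "empty chain"
  | root :: rest ->
    let rec walk parent = function
      | [] -> Ok parent.policy
      | child :: rest ->
        if not (is_prefix ~prefix:parent.name ~of_:child.name) then
          Error (Printf.sprintf "%s is not scoped under %s"
                   (string_of_name child.name) (string_of_name parent.name))
        else if not (is_subset ~super:parent.policy ~sub:child.policy) then
          Error (Printf.sprintf "%s requests more than %s granted"
                   (string_of_name child.name) (string_of_name parent.name))
        else walk child rest
    in
    walk root rest

let () =
  let operator = {
    name = name_of_string "operator";
    policy = { services = 100; cpuids = Int_set.of_list [0; 1; 2; 3];
               memory = 4096; block = Some 1000;
               bridges = String_set.of_list ["br0"; "br1"] } } in
  let tenant = {
    name = name_of_string "operator:tenant";
    policy = { services = 10; cpuids = Int_set.of_list [0; 1];
               memory = 512; block = Some 100;
               bridges = String_set.of_list ["br0"] } } in
  (* Constructed misbehaving hops, not from the page. *)
  let wrong_scope = { tenant with name = name_of_string "other:tenant" } in
  let too_much = { tenant with policy = { tenant.policy with memory = 8192 } } in
  let no_block = { operator with policy = { operator.policy with block = None } } in
  let report label = function
    | Ok p -> Printf.printf "%s: ok, leaf may run %d services\n" label p.services
    | Error e -> Printf.printf "%s: rejected (%s)\n" label e
  in
  report "operator -> tenant" (validate_chain [operator; tenant]);
  report "wrong scope" (validate_chain [operator; wrong_scope]);
  report "exceeds memory" (validate_chain [operator; too_much]);
  report "block without grant" (validate_chain [no_block; tenant])
```

Only the first chain is accepted; the other three are rejected at the hop that breaks the scope or subset rule. The same two checks are what a verifier has to apply to every intermediate in a real chain before trusting the leaf's name, because a signature alone says nothing about whether the signer was allowed to delegate that much.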

Modules

  • Name - Hierarchical naming with labels and paths
  • Trie - Prefix tree for hierarchical data storage
  • Policy - Generic resource policy functor with service example
  • Asn_ext - ASN.1 encoding for X.509 extensions
  • Extract - Certificate chain parsing and validation

Custom Resource Types

You can define your own resource types using the Policy.Make functor:

module My_resource = struct
  type t = {
    cpu_shares : int;
    memory_mb : int;
    network_bandwidth_kbps : int;
  }

  let is_subset ~super ~sub =
    sub.cpu_shares <= super.cpu_shares &&
    sub.memory_mb <= super.memory_mb &&
    sub.network_bandwidth_kbps <= super.network_bandwidth_kbps

  let pp ppf t =
    Fmt.pf ppf "cpu:%d mem:%d net:%d"
      t.cpu_shares t.memory_mb t.network_bandwidth_kbps

  let equal a b =
    a.cpu_shares = b.cpu_shares &&
    a.memory_mb = b.memory_mb &&
    a.network_bandwidth_kbps = b.network_bandwidth_kbps
end

module My_policy = Policy.Make(My_resource)

This library draws on several X.509 and PKI standards:

  • RFC 5280 - X.509 PKI Certificate Profile: Defines certificate extensions used for encoding policies
  • RFC 3647 - Certificate Policy and Certification Practices Framework: Terminology for policy hierarchies
  • RFC 6125 - Service Identity: Name matching in certificates

Credits

This library is extracted and adapted from Albatross by Hannes Mehnert at robur.coop.

Albatross is a unikernel orchestrator for MirageOS that uses X.509 certificate chains for hierarchical access control. This library generalizes Albatross's delegation mechanism to work with any workload type, not just Solo5 unikernels.

The original Albatross code is copyright (c) 2017-2024 Hannes Mehnert.

Albatross Resources

Licence

ISC License. See LICENSE.md.