Changes between Version 5 and Version 6 of GeniApiCredentials
Timestamp: 04/19/12 11:13:09
GeniApiCredentials
v5 v6 9 9 In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions. 10 10 11 GENI Credentials are signed XML documents, following [http://www.w3.org/TR/xmldsig-core/ the W3C standard], containing:11 GENI Credentials are signed XML documents, following [http://www.w3.org/TR/xmldsig-core/ the W3C XML Digital Signature standard], containing: 12 12 - Owner GID, which is a PEM format X509 certificate, containing the owner's URN in the Subject Alt Name field. See GeniApiCertificates. 13 13 - Owner URN to identify the owner (entity whose permissions are being specified). For information on URNs, see GeniApiIdentifiers. … … 16 16 - Expiration date 17 17 - List of privileges (string names) 18 - Signature of the issuer of the credential. The issuer should be an authority over the Target's namespace. See GeniApiIdentifiers. 19 18 - Signature of the issuer of the credential, per [http://www.w3.org/TR/xmldsig-core/ the W3C XML Digital Signature standard]. The issuer should be an authority over the Target's namespace. See GeniApiIdentifiers. 20 19 21 20 == Credential Format == … … 23 22 The schema is available at http://www.protogeni.net/trac/protogeni/attachment/wiki/Authentication/credential.rnc 24 23 24 Sample credential: 25 25 {{{ 26 26 #!xml … … 53 53 54 54 ''' Type ''' 55 Type can be one of 'privilege', 'ticket', and 'capability'. The GENI AM API is only concerned with privilege credentials.55 Type should be 'privilege'. 56 56 57 57 ''' Serial ''' … … 75 75 ''' Expires ''' 76 76 ISO 8601 date and time of when the credential becomes invalid. If no timezone is specified, times are assumed to be in UTC. 
77 {{{ 78 #!comment 79 RFC3339 (http://www.ietf.org/rfc/rfc3339.txt) 80 }}} 77 81 78 82 ''' Privileges ''' 79 The privileges are the rights that are assigned to the owner of the credential on the target resource. The SFA-derived control frameworks use different permission names, but they have similar semantic meaning. If a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity. Currently, the only credentials used in the GENI API are slice credentials and user credentials. Privileges have not yet been agreed upon between the control frameworks. Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials. Slice credentials have "slice" rights. ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice). See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges for more information on ProtoGENI privileges.83 The privileges are the rights that are assigned to the owner of the credential on the target resource. Different slice authorities use different permission names, but they have similar semantic meaning. If and only if a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity. Currently, the only credentials used in the GENI API are slice credentials and user credentials. Privileges have not yet been agreed upon between the control frameworks. Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials. Slice credentials have "slice" rights. ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice). See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges for more information on ProtoGENI privileges. 80 84 81 85 ''' can_delegate'''
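Review bot: the replacement text for Type at line 55, "Type should be 'privilege'.", drops the statement that 'ticket' and 'capability' types exist without saying what a verifier does when it receives one, so the change reads as an omission rather than a constraint. Suggest keeping the old list and adding an explicit rule, e.g. "GENI AM API implementations MUST reject credentials whose type is not 'privilege'", so implementers know the other types are to be refused rather than ignored.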
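Review bot: the RFC3339 pointer added under Expires (new lines 77-80) is inside a `#!comment` block, so it will not render, and it contradicts the unchanged sentence "If no timezone is specified, times are assumed to be in UTC": an RFC 3339 timestamp always carries a UTC offset or `Z`, so a missing timezone is not a case that format allows. State one rule in visible text, either "Expires is an RFC 3339 timestamp; a value without a timezone is invalid" or keep the ISO 8601 wording with the UTC default, and say which one the reference verifier enforces, since the two rules accept different inputs.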
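Review bot: "If and only if a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity" (new line 83) is awkward and the added "only if" supplies no rule a verifier can act on; the missing statement is what a delegated credential may contain. Suggest: "A privilege may be delegated to another entity only when it is marked can_delegate; a delegated credential that carries any privilege its parent did not mark delegatable is invalid." Also, replacing "The SFA-derived control frameworks" with "Different slice authorities" narrows the issuers: the page lists user credentials alongside slice credentials and says the issuer is "an authority over the Target's namespace", so "Different authorities" fits the text better.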