Changes between Version 5 and Version 6 of GeniApiCredentials


Timestamp: 04/19/12 11:13:09
Author: Aaron Helsinger

  • GeniApiCredentials

    v5 v6  
    99In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions.
    1010
    11 GENI Credentials are signed XML documents, following [http://www.w3.org/TR/xmldsig-core/ the W3C standard], containing:
     11GENI Credentials are signed XML documents, following [http://www.w3.org/TR/xmldsig-core/ the W3C XML Digital Signature standard], containing:
    1212 - Owner GID, which is a PEM format X509 certificate, containing the owner's URN in the Subject Alt Name field. See GeniApiCertificates.
    1313 - Owner URN to identify the owner (entity whose permissions are being specified). For information on URNs, see GeniApiIdentifiers.
     
    1616 - Expiration date
    1717 - List of privileges (string names)
    18  - Signature of the issuer of the credential. The issuer should be an authority over the Target's namespace. See GeniApiIdentifiers.
    19 
     18 - Signature of the issuer of the credential, per [http://www.w3.org/TR/xmldsig-core/ the W3C XML Digital Signature standard]. The issuer should be an authority over the Target's namespace. See GeniApiIdentifiers.
    2019
    2120== Credential Format  ==
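Review bot: line 18 still states issuer validation as a recommendation ("The issuer should be an authority over the Target's namespace"), which reads as guidance to issuers rather than a check a verifier must perform; a verifier that only validates the XML signature against a trusted certificate, without confirming that the signing authority is responsible for the Target URN's namespace, would accept a credential issued by any trusted authority for any target. Suggest phrasing it as a verifier requirement, for example "Verifiers MUST reject a credential whose issuer is not an authority over the Target's namespace." The xmldsig link is also now repeated at line 11 and line 18; linking it once at line 11 would be enough.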
     
    2322The schema is available at http://www.protogeni.net/trac/protogeni/attachment/wiki/Authentication/credential.rnc
    2423
     24Sample credential:
    2525{{{
    2626#!xml
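Review bot: the new "Sample credential:" label at line 24 does not say whether the block that follows is a complete signed credential (with its signature element and the issuer certificate) or an abbreviated skeleton, and readers are likely to copy it as a template. Suggest a short qualifier such as "Sample credential (signature elided)" or "(complete, as issued)", whichever is true, plus a pointer back to the schema at line 23 as the authoritative definition.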
     
    5353
    5454''' Type '''
    55 Type can be one of 'privilege', 'ticket', and 'capability'.  The GENI AM API is only concerned with privilege credentials
     55Type should be 'privilege'
    5656
    5757''' Serial '''
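Review bot: the rewrite at line 55 drops the information, present in v5, that the type field can also carry 'ticket' or 'capability', and "should be 'privilege'" does not say what a verifier does with any other value. Suggest keeping the enumeration and stating the check explicitly, e.g. "Type must be 'privilege'; the GENI AM API does not accept 'ticket' or 'capability' credentials, and implementations should reject a credential with any other type value." Without that, an implementation that ignores the field could treat a non-privilege credential as if it granted privileges.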
     
    7575''' Expires '''
    7676ISO 8601 date and time of when the credential becomes invalid. If no timezone is specified, times are assumed to be in UTC.
     77{{{
     78#!comment
     79RFC3339 (http://www.ietf.org/rfc/rfc3339.txt)
     80}}}
    7781
    7882''' Privileges '''
    79 The privileges are the rights that are assigned to the owner of the credential on the target resource.  The SFA-derived control frameworks use different permission names, but they have similar semantic meaning.  If a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity.  Currently, the only credentials used in the GENI API are slice credentials and user credentials.  Privileges have not yet been agreed upon between the control frameworks.  Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials.    Slice credentials have "slice" rights.  ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice).  See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges for more information on ProtoGENI privileges.
     83The privileges are the rights that are assigned to the owner of the credential on the target resource. Different slice authorities use different permission names, but they have similar semantic meaning.  If and only if a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity.  Currently, the only credentials used in the GENI API are slice credentials and user credentials.  Privileges have not yet been agreed upon between the control frameworks.  Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials.    Slice credentials have "slice" rights.  ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice).  See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges for more information on ProtoGENI privileges.
    8084
    8185''' can_delegate'''
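Review bot: the RFC 3339 reference added at lines 77-80 sits in a #!comment block, so readers never see it, and it conflicts with line 76: RFC 3339 requires an explicit time offset (a trailing Z or +hh:mm), so the rule "If no timezone is specified, times are assumed to be in UTC" describes ISO 8601 input that is not valid RFC 3339. Suggest surfacing the reference in the visible text and fixing one accepted format, for instance that expires values are written per RFC 3339 with an explicit offset and that verifiers either treat an offset-less value as UTC or reject it, so that implementations agree on when a credential lapses. Separately, "If and only if a privilege can be delegated, then that means" at line 83 is hard to parse; "A privilege may be delegated to another entity only when its can_delegate flag is set" (see line 85) says the same thing more directly.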