Changes between Version 32 and Version 33 of UniformClearinghouseAPIV2

Timestamp:

12/10/13 12:11:12 (10 years ago)

Author:

mbrinn@bbn.com

Comment:

--

UniformClearinghouseAPIV2

@@ -27 +27 @@
  * '' Slice Authority '' [SA]: Manages slice objects and generates credentials for members with respect to slices.
 
-A '' Federation '' is a collection of Authorities and Aggregates that establish mutual trust and common policies to facilitate the sharing of resources among members. A Registry is a software service representing a given Federation, providing lists of Slice Authorities, Member Authorities and aggregates associated with that federation, and providing a set of PKI certificates that any aggregate belonging to a given federation accepts as trust roots. The relationship of Federations to Registries is 1:1.
+A '' Federation '' is a collection of Authorities and Aggregates that establish mutual trust and common policies to facilitate the sharing of resources among members. A Federation Registry is a software service representing a given Federation, providing lists of Slice Authorities, Member Authorities and aggregates associated with that federation, and providing a set of PKI certificates that any aggregate belonging to a given federation accepts as trust roots. The relationship of Federations to Federation Registries is 1:1.
 
 The Authorities of any given Federation are free to implement their own Authorization (AuthZ) scheme. The API’s allow for passing credentials to the calls, but an Authority may choose to allow or disallow calls using logic and policies that are internal to that Federation. There is no universal (cross-Federation) requirement for any particular policy regarding Authority AuthZ.
 
-Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority.  A Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Registries or by multiple Registries. Registry API calls are unprotected. There is no notion of trust between Registries or between Registries and Authorities or Aggregates.
-
-This document describes the APIs of the Registry as well as the MA and SA. It is expected that a well-behaved GENI-compatible tool will allow for interacting with any Registry and Authority that implement the standard API’s described in this document.
+Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority.  A Federation Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Federation Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Federation Registries or by multiple Federation Registries. Federation Registry API calls are unprotected. There is no notion of trust between Federation Registries or between Federation Registries and Authorities or Aggregates.
+
+This document describes the APIs of the Federation Registry as well as the MA and SA. It is expected that a well-behaved GENI-compatible tool will allow for interacting with any Federation Registry and Authority that implement the standard API’s described in this document.
 
 
@@ -50 +50 @@
  * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no requirement for a validated client-side certificate . Such calls will noted in the API documentation below.
  * Each call takes an ‘options’ argument, a dictionary allowing for passing specific non-standard/optional arguments
- * Each protected method takes a ‘credentials’ argument, a list of type/credential tuples that help the Registry or Authority invoke whatever AuthZ logic it may choose. As noted above, the Registry or Authority may choose to use or disregard these credentials. Unprotected methods do not take a ‘credentials’ argument.
- * Each Registry or Authority provides a get_version method, which describes the version number of the API provided, credential types supported, supplementary object fields and other data for interpreting API call returns.
- * A Registry or Authority is free to implement additional methods beyond those specified in this document.
+ * Each protected method takes a ‘credentials’ argument, a list of type/credential tuples that help the Federation Registry or Authority invoke whatever AuthZ logic it may choose. As noted above, the Federation Registry or Authority may choose to use or disregard these credentials. Unprotected methods do not take a ‘credentials’ argument.
+ * Each Federation Registry or Authority provides a get_version method, which describes the version number of the API provided, credential types supported, supplementary object fields and other data for interpreting API call returns.
+ * A Federation Registry or Authority is free to implement additional methods beyond those specified in this document.
  * The URN is the fundamental identifier in all Federation API’s. URN’s are globally unique at any given time, though not necessarily unique over time. Disambiguation for entities with the same URN over time may be provided by an optional UUID argument for certain API methods. The format of URN's is documented at http://groups.geni.net/geni/wiki/GeniApiIdentifiers.
 
@@ -79 +79 @@
 Different Federation Authorities will provide different sets of methods bundled into services. Further, they will manage different kinds of objects and support different details for these objects.
 
-Each Registry or Authority API provides a ‘get_version’ method, which provides information to the caller (or a tool composing calls for a tool user) about versions and options supported by that API. The call takes no argument and is unguarded (anyone can call it). The return from the get_version call will be a dictionary including the following entries (by key):
+Each Federation Registry or Authority API provides a ‘get_version’ method, which provides information to the caller (or a tool composing calls for a tool user) about versions and options supported by that API. The call takes no argument and is unguarded (anyone can call it). The return from the get_version call will be a dictionary including the following entries (by key):
  * VERSION: A string with the version number of the Federation API (e.g. “2”, the version for this document). Note: this is the version of the API not the version of the implementation. This field is mandatory for all services.
- * URN : The URN of the service being contacted. This field is mandatory for SA and MA services, optional for Registry service.
+ * URN : The URN of the service being contacted. This field is mandatory for SA and MA services, optional for Federation Registry service.
  * IMPLEMENTATION: A dictionary of information of the implantation of the service: {"code_version" : code_version, "code_url" : code_url, "code_release_date" : code_release_date, "site_update_date" : site_update_date"}. Of these, code_version is of type STRING, code_url is of type URL,  code_release_date and site_update_date are of format DATETIME. The format of the code_version string is implementation specific. This field is optional for services.
  * SERVICES: The list of names of services the given URL supports. This field is optional (with default being the default service for that authority, i.e. SERVICE for Federation Registry, SLICE for Slice Authority, MEMBER for MemberAuthority).  
  * CREDENTIAL_TYPES: A list of recognized credential types (e.g. [geni_sfa, geni_abac]) and list of supported credential versions on protected API methods.  Format is analogous to that in the AM API: a list of {"type": cred_type, "version" : cred_version} dictionaries of all supported credential types and versions. ''[Required for Authorities only]''
- * ROLES : A list of recognized roles for slice/project membership (optional for those Slice Authorities supporting membership).  ''[Required for SA only]''
+ * ROLES : A list of recognized roles for slice/project membership (required only for those Slice Authorities supporting membership). The same set of roles refers to both slice and project membership at a given SA.
  * SERVICE_TYPES. A list of service types provided by the Federation Registry ''[Required for Federation Registry only]''
  * API_VERSIONS A dictionary of different peer implementation of different version of the same service. This field is optional for all services.
@@ -98 +98 @@
 The FIELDS element of the get_version should contain all supplementary (non-mandatory) field objects supported by a given service. Additionally, it may contain mandatory field objects for which the default semantics (for "CREATE", "MATCH", "UPDATE", "PROTECT") should be overridden. Specifically, any values specified override the default values and any values unspecified are defined to be the defaults for that object/field in this document. The FIELDS element is thus optional for all services.
 
+The set of ROLES may vary across Slice Authorities based on local policy. However, the following roles should be defined at any Slice Authority:
+
+|| '''Role''' || '''Contex'''' || '''Description''' ||
+|| LEAD || PROJECT || May change project membership and create slices within a given project ||
+|| || SLICE || May change slice membership  and perform operations on a given slice||
+|| MEMBER || PROJECT || May create slices within given project ||
+|| || SLICE || May perform operations on given slice ||
+
 Supplementary field names should be placed in a distinct namespace by a prefix unique to that federation, and starting with an underscore (e.g. _GENI_,  _OFELIA_ , _FED4FIRE_ or _PROTOGENI_ etc.). 
 
@@ -108 +116 @@
 }}}
 
-The return from the get_version call will be used to construct and validate options to Registry and Authority API calls, as described in subsequent sections.
+The return from the get_version call will be used to construct and validate options to Federation Registry and Authority API calls, as described in subsequent sections.
 
 The get_version method at any service has the following signature:
@@ -214 +222 @@
 All method calls return a tuple [code, value, output]. What is described as ‘Return’ in the API’s described below is the ‘value’ of this tuple in case of a successful execution. ‘Code’ is the error code returned and ‘output’ is the returned text (e.g. descriptive error message).
 
-Each Registry and Authority is free to define and return its own specific error codes. However we suggest the following essential set of error codes to report on generic conditions:
+Each Federation Registry and Authority is free to define and return its own specific error codes. However we suggest the following essential set of error codes to report on generic conditions:
 
 || ''' CODE_NAME ''' || ''' CODE_VALUE ''' || ''' DESCRIPTION ''' ||
@@ -228 +236 @@
 == Standard API Method ==
 
-Each Registry and Authority manages the state of or access to objects. There are some standard methods that apply to standard operations on objects of specific types. All services support the following API's for the object types that are required or provided in get_version.
+Each Federation Registry and Authority manages the state of or access to objects. There are some standard methods that apply to standard operations on objects of specific types. All services support the following API's for the object types that are required or provided in get_version.
 
 {{{
@@ -453 +461 @@
 Best practices dictate that individuals should speak as themselves: that is, the entity on the other side of an SSL connection is the one referred to by the certificate on the connection. Obviously, people typically use tools or software interfaces to create these connections. When a tool is acting directly on a user’s desktop using the user’s key and cert with the user’s explicit permission, it may be acceptable to consider the tool as speaking as the user. But for many tools, the tool is acting on behalf of the user in invoking Federation or AM API calls. In this case, it is important for the tool to not speak as the user but to speak for the user, and to have the service to whom the tool is speaking handle the authorization and accountability of this request accordingly.
 
-Accordingly, a Registry and associated Authorities should support speaks-for API transactions. These API transactions use the same signatures as the calls described in this document, with these enhancements:
+Accordingly, a Federation Registry and associated Authorities should support speaks-for API transactions. These API transactions use the same signatures as the calls described in this document, with these enhancements:
 
 - A 'speaking-for' option containing the URN of the user being spoken for
@@ -463 +471 @@
 Aggregates are also encouraged to support speaks-for authentication and authorization, but this is an aggregate-internal policy and implementation decision, and outside the scope of this document.
 
-== Registry API ==
-
-The Registry provides a list of Slice Authorities, Member Authorities and Aggregates associated with a given Federation. The URL for accessing these methods (i.e. the URL of the Registry) is to be provided out-of-band (i.e. there is no global service for gaining access to Registry addressees).
-
-All Registry calls are unprotected; they have no requirement for passing a client-side cert or validating any client-cert cert that is passed.
-
-The Registry implements the SERVICE service and supports the SERVICE object.
-
-Services have a particular type that indicates the kind of service it represents. The full list of supported services should be provided by a TYPES key in the Registry get_version call, for example:
+== Federation Registry API ==
+
+The Federation Registry provides a list of Slice Authorities, Member Authorities and Aggregates associated with a given Federation. The URL for accessing these methods (i.e. the URL of the Federation Registry) is to be provided out-of-band (i.e. there is no global service for gaining access to Federation Registry addressees).
+
+All Federation Registry calls are unprotected; they have no requirement for passing a client-side cert or validating any client-cert cert that is passed.
+
+The Federation Registry implements the SERVICE service and supports the SERVICE object.
+
+Services have a particular type that indicates the kind of service it represents. The full list of supported services should be provided by a TYPES key in the Federation Registry get_version call, for example:
 
 {{{
@@ -492 +500 @@
 || LOGGING_SERVICE || A service to support federation-level event logging ||
 
-The following table describes the standard fields for services (aggregates and authorities) provided by Registry API calls. (The 'Required' column indicates whether the field must be present for a valid service, 'match' indicates whether the field can be used in a lookup match criterion):
+The following table describes the standard fields for services (aggregates and authorities) provided by Federation Registry API calls. (The 'Required' column indicates whether the field must be present for a valid service, 'match' indicates whether the field can be used in a lookup match criterion):
 
 
@@ -498 +506 @@
 || SERVICE_URN || URN || URN of given service || Yes || Yes ||
 || SERVICE_URL ||URL || URL by which to contact the service || Yes || Yes ||
-|| SERVICE_TYPE || STRING || Name of service type (from Registry get_version.TYPES) || Yes || Yes ||
+|| SERVICE_TYPE || STRING || Name of service type (from Federation Registry get_version.TYPES) || Yes || Yes ||
 || SERVICE_CERT || Certificate || Public certificate of service || No || No ||
 || SERVICE_NAME || String || Short name of service || Yes || No ||
@@ -517 +525 @@
 }}}
 
-The Registry API supports these standard API methods for type="SERVICE":
+The Federation Registry API supports these standard API methods for type="SERVICE":
 
 || ''' Method ''' || ''' Description ''' ||
 || lookup || lookup services matching given match criteria. ||
 
-Additionally, the Registry API supports the following methods:
+Additionally, the Federation Registry API supports the following methods:
 
 {{{
@@ -548 +556 @@
 # There should be at most one (potentially none) per URN. 
 # 
-# This requires extracting the authority from the URN and then looking up the authority in the Registry's set of services.
+# This requires extracting the authority from the URN and then looking up the authority in the Federation Registry's set of services.
 #
 # Arguments:
@@ -744 +752 @@
 == Project Service Methods ==
 
-Projects are groupings of slices and members for a particular administrative purpose. Some SA;s will chose to create and manage projects and apply policies about the invocation of SA methods (e.g. the creation of slice credentials based on roles or memberships in projects).
+Projects are groupings of slices and members for a particular administrative purpose. Some SA;s will chose to create and manage projects and apply policies about the invocation of SA methods (e.g. the creation of slice credentials based on roles or memberships in projects). A slice can belong to no more than one project; a project may have many slice members.
 
 The following table contains required fields for project objects and whether they are allowed in lookup ‘match’ criteria, required at creation or allowed at update:
@@ -904 +912 @@
 
 || ''' Authority ''' || ''' V1 method ''' || ''' V2 alternative '' ||
-|| Registry || || ||
+|| Federation Registry || || ||
 ||   || lookup_aggregates || lookup(type="AGGREGATE_MANAGER") ||
 ||  || lookup_slice_authorities || lookup(type="SLICE_AUTHORITY") ||