
GENI credential schema v2

<?xml version="1.0" encoding="UTF-8"?>
<!--

  Copyright (c) 2014 Raytheon BBN Technologies

  Permission is hereby granted, free of charge, to any person obtaining
  a copy of this software and/or hardware specification (the "Work") to
  deal in the Work without restriction, including without limitation the
  rights to use, copy, modify, merge, publish, distribute, sublicense,
  and/or sell copies of the Work, and to permit persons to whom the Work
  is furnished to do so, subject to the following conditions:

  The above copyright notice and this permission notice shall be
  included in all copies or substantial portions of the Work.

  THE WORK IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
  OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
  HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
  WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
  OUT OF OR IN CONNECTION WITH THE WORK OR THE USE OR OTHER DEALINGS
  IN THE WORK.

  Portions have this copyright:

  GENIPUBLIC-COPYRIGHT
  Copyright (c) 2008-2009 University of Utah and the Flux Group.
  All rights reserved.

-->
<!--
  GENI credential and privilege specification. The key points:

  * A credential is a set of privileges or a Ticket, each with a flag
    to indicate delegation is permitted. Or an ABAC RT0 statement.
  * A credential is signed and the signature included in the body of the
    document.
  * To support delegation, a credential will include its parent, and that
    blob will be signed. So, there will be multiple signatures in the
    document, each with a reference to the credential it signs.

  Default namespace = "http://www.geni.net/resources/ext/credential/2"

  Reading notes for implementers:

  * Schema validity is a structural check only. Nothing below verifies a
    signature, checks that a Signature's reference resolves to the xml:id
    of the credential it claims to sign, or compares <expires> against the
    current time. Those checks belong to the consumer.
  * Several content models are deliberately open (processContents="skip"
    wildcards, mixed content). Data inside them is carried but not
    validated by this schema.
  * NOTE(review): this xs:schema declares no targetNamespace, so the
    elements defined here are in no namespace. The URI above appears to
    label the format version rather than a namespace instances carry;
    confirm against credential producers before relying on it.
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
  <!-- This is where we get the definition of RSpec from. Note that the
       schemaLocation values below are resolution hints; a validator should
       load these companion schemas from a trusted local copy rather than
       fetching whatever location an instance or environment supplies. -->
  <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
  <!-- XML Digital Signature vocabulary (sig:Signature) used by 'signatures'. -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
  <!-- Provides xml:id, required on every 'credential' element. -->
  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
  <!-- Open content: any child elements, in any namespace, are accepted and
       NOT validated (processContents="skip"). Used by 'ticket' and 'extensions'. -->
  <xs:group name="anyelementbody">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
    </xs:sequence>
  </xs:group>
  <!-- Open attributes: any attribute is accepted and NOT validated. -->
  <xs:attributeGroup name="anyelementbody">
    <xs:anyAttribute processContents="skip"/>
  </xs:attributeGroup>
  <!-- Elements used for type 'privilege'. -->
  <!-- One named privilege plus whether the holder may delegate it.
       can_delegate is an xs:boolean here (lexical forms true/false/1/0),
       while capability/can_delegate below is restricted to the tokens 0 and
       1; consumers should normalise both forms rather than string-compare. -->
  <xs:element name="privilege">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="name"/>
        <xs:element name="can_delegate" type="xs:boolean"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Name of a privilege or capability; must be non-empty. -->
  <xs:element name="name">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:minLength value="1"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <!-- Container of zero or more 'privilege' elements. An empty
       <privileges/> is schema-valid and grants nothing. -->
  <xs:element name="privileges"> <!-- For type 'privilege' only -->
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Elements used for type 'capability'. Same shape as 'privilege' except
       that can_delegate is the token 0 or 1 rather than xs:boolean. -->
  <xs:element name="capability">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="name"/>
        <xs:element name="can_delegate">
          <xs:simpleType>
            <xs:restriction base="xs:token">
              <xs:enumeration value="0"/>
              <xs:enumeration value="1"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Container of zero or more 'capability' elements; may be empty. -->
  <xs:element name="capabilities"> <!-- For type 'capability' only -->
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Elements used for type 'ticket'. The ticket body is mixed content with
       an open wildcard, so the resource description it carries is not
       validated by this schema (see the 'anyelementbody' group above). -->
  <xs:element name="ticket"> <!-- For type 'ticket' only -->
    <xs:complexType mixed="true">
      <xs:sequence>
        <xs:element name="can_delegate" type="xs:boolean">
          <xs:annotation>
            <xs:documentation>Can the ticket be delegated?</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element ref="redeem_before"/>
        <xs:group ref="anyelementbody">
          <xs:annotation>
            <xs:documentation>A description of the resources that are being promised. Not validated by this schema (processContents="skip").</xs:documentation>
          </xs:annotation>
        </xs:group>
      </xs:sequence>
      <xs:attributeGroup ref="anyelementbody"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="redeem_before" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The ticket must be "cashed in" by this date (xs:dateTime; prefer an explicit UTC offset so the deadline is unambiguous).</xs:documentation>
    </xs:annotation>
  </xs:element>

  <!-- Elements used for type 'abac'. See http://groups.geni.net/geni/wiki/TIEDABACCredential -->
  <!-- A principal is identified by a key hash; the mnemonic is a
       human-readable alias only and must not be used for authorization. -->
  <xs:element name="ABACprincipal">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="keyid" type="xs:string"/> <!-- SHA1 hash of the principal's public key -->
        <xs:element name="mnemonic" type="xs:string" minOccurs="0" maxOccurs="1"/> <!-- EG principal's URN -->
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- A single rt0 element is required for creds of type 'abac'. Must have a single 'head'
       and at least one 'tail'. -->
  <xs:element name="rt0">
    <xs:annotation>
      <xs:documentation>An ABAC RT0 statement, used only for type 'abac'.</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:sequence>
        <xs:element name="version" type="xs:string" /> <!-- 1.1 for this schema -->
        <!-- The head principal is the one asserting the statement and is
             expected to match the credential signer (per the comment below);
             this schema cannot check that correspondence. -->
        <xs:element name="head">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="ABACprincipal"/> <!-- Matching the cred signer -->
              <xs:element name="role" type="xs:string"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
        <!-- One or more tails; role and linking_role are each optional here. -->
        <xs:element name="tail" minOccurs="1" maxOccurs="unbounded">
          <xs:complexType>
            <xs:sequence>
              <xs:element ref="ABACprincipal"/>
              <xs:element name="role" type="xs:string" minOccurs="0" maxOccurs="1"/>
              <xs:element name="linking_role" type="xs:string" minOccurs="0"
                          maxOccurs="1"/>
            </xs:sequence>
          </xs:complexType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="abac">
    <xs:annotation>
      <xs:documentation>An ABAC assertion containing a single RT0 statement, used only for type 'abac'.</xs:documentation>
    </xs:annotation>
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="1" maxOccurs="1" ref="rt0"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>

  <!-- One or more XML-DSig Signature elements (minOccurs defaults to 1 here).
       Per the header comment, each Signature references the credential it
       signs; consumers must verify each signature and confirm its reference
       resolves to the intended credential's xml:id. This schema only checks
       that each Signature is structurally valid per sig.xsd. -->
  <xs:element name="signatures">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" ref="sig:Signature"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Wrapper type holding exactly one 'credential'. Used as the type of
       'parent' (delegation chains) and as the base of 'signed-credential'. -->
  <xs:complexType name="credentials">
    <xs:annotation>
      <xs:documentation>A credential granting privileges or a ticket or making an ABAC assertion.</xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:element ref="credential"/>
    </xs:sequence>
  </xs:complexType>
  <!-- The credential body. Children are ordered as listed. Nothing in this
       schema ties the value of 'type' to the body element chosen in the
       xs:choice below; a consumer must check that they agree. -->
  <xs:element name="credential">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="type"/>
        <xs:element ref="serial"/>
        <xs:element ref="owner_gid"/>
        <xs:element minOccurs="0" ref="owner_urn"/>
        <xs:element ref="target_gid"/>
        <xs:element minOccurs="0" ref="target_urn"/>
        <xs:element ref="uuid"/>
        <xs:element ref="expires"/>
        <xs:choice>
          <xs:annotation>
            <xs:documentation>Privileges or a ticket or capabilities or an ABAC assertion; exactly one of these, matching the value of 'type'.</xs:documentation>
          </xs:annotation>
          <xs:element ref="privileges"/>
          <xs:element ref="ticket"/>
          <xs:element ref="capabilities"/>
          <xs:element ref="abac"/>
        </xs:choice>
        <xs:element minOccurs="0" maxOccurs="unbounded" ref="extensions"/>
        <xs:element minOccurs="0" ref="parent"/>
      </xs:sequence>
      <!-- Required and unique within the document; this is the anchor that
           a Signature reference points at. -->
      <xs:attribute ref="xml:id" use="required"/>
    </xs:complexType>
  </xs:element>
  <xs:element name="type">
    <xs:annotation>
      <xs:documentation>The type of this credential: privilege, ticket, capability or abac. Selects which body element is expected in the 'credential' choice.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:token">
        <xs:enumeration value="privilege"/>
        <xs:enumeration value="ticket"/>
        <xs:enumeration value="capability"/>
        <xs:enumeration value="abac"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <xs:element name="serial" type="xs:string">
    <xs:annotation>
      <xs:documentation>A serial number. Free-form string; no uniqueness is enforced by this schema.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="owner_gid" type="xs:string">
    <xs:annotation>
      <xs:documentation>GID of the owner of this credential. </xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="owner_urn" type="xs:string">
    <xs:annotation>
      <xs:documentation>URN of the owner, for consumers that cannot parse the GID ("Not everyone can parse DER"). Informational; the GID is authoritative.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="target_gid" type="xs:string">
    <xs:annotation>
      <xs:documentation>GID of the target of this credential. </xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="target_urn" type="xs:string">
    <xs:annotation>
      <xs:documentation>URN of the target. Informational; the GID is authoritative.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of this credential. Typed as xs:string; format is not enforced here.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="expires" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Expiry in ISO 8601 (xs:dateTime) form, preferably RFC 3339 with an explicit UTC offset: xs:dateTime permits omitting the timezone, which makes expiry comparison ambiguous. Consumers must check this value; the schema does not.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- Open, unvalidated content (mixed text plus skipped wildcards). -->
  <xs:element name="extensions">
    <xs:annotation>
      <xs:documentation>Optional Extensions. Any elements, attributes and text are accepted without validation.</xs:documentation>
    </xs:annotation>
    <xs:complexType mixed="true">
      <xs:group ref="anyelementbody"/>
      <xs:attributeGroup ref="anyelementbody"/>
    </xs:complexType>
  </xs:element>
  <!-- Delegation chain: the parent credential is embedded in full (type
       'credentials'), so chains nest recursively. Per the header comment the
       parent is signed too; verifiers walk the chain and check each link. -->
  <xs:element name="parent" type="credentials">
    <xs:annotation>
      <xs:documentation>Parent that delegated to us</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- Document root: a credential optionally followed by its signatures.
       Because 'signatures' is minOccurs="0", a document with no signature at
       all is schema-valid; a consumer that requires an authenticated
       credential must check for the signatures and verify them itself. -->
  <xs:element name="signed-credential">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="credentials">
          <xs:sequence>
            <xs:element minOccurs="0" ref="signatures"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
</xs:schema>