Changes between Version 100 and Version 101 of GAPI_AM_API_DRAFT
- Timestamp:
- 01/16/14 09:11:48 (10 years ago)
GAPI_AM_API_DRAFT
v100 v101

384 384 Two other additions are required: we must define the 'Speaks For' credential and its semantics, and we must define the URN and certificates for tools.
385 385
386 386 (modified)
    v100: The 'Speaks For' credential will be a signed XML document encoding of an ABAC credential (GENI type `geni_abac` version `1`) as specified [wiki:TIEDABACCredential here]. Several points are worth noting
    v101: The 'Speaks For' credential will be a signed XML document encoding of an ABAC credential (GENI type `geni_abac` version `1`) as specified [wiki:TIEDABACCredential here]. Several general points are worth noting:
387 387 - The credential includes the certificate of the user and an identifier for the tool. For the credential to be accepted, each certificate must itself be trusted by the aggregate; current recommended GENI policy requires [GeniApiCertificates a particular format] for that certificate, and requires that it be signed (directly or indirectly) by a trusted GENI root.
388 388 - The credential includes an expiration
389 389 (modified)
    v100: - The credential may in clude scope limitations (including slice, aggregate, operation)
    v101: - The credential may in future include scope limitations (including slice, aggregate, operation)
390 390 - When the aggregate authorizes a 'Speaks For' operation, the aggregate must treat the operation as though performed by the experimenter, but also log that it was done via the given tool. That is, resources will be owned by the experimenter, and logs and monitoring reports will include both the experimenter URN and the tool URN.
    391-412 (added in v101):

The specific ABAC assertion that this 'Speaks For' credential encodes is: `Experimenter.speaks_for_Experimenter <- Tool`. That is, the experimenter signs an assertion saying that the Tool has the attribute in the Experimenter's namespace `speaks_for_Experimenter`, where the Experimenter and Tool are identified (as with all ABAC assertions) by the SHA1 hash of their public key.

As an example, here is a selection from a 'Speaks For' credential:
{{{
<expires>2014-02-12T20:10:32Z</expires>
<abac>
  <rt0>
    <version>1.1</version>
    <head>
      <ABACprincipal>
        <keyid>097f010966eacbc0f8e2fc8c66c8abfdd55f6036</keyid>
      </ABACprincipal>
      <role>speaks_for_097f010966eacbc0f8e2fc8c66c8abfdd55f6036</role>
    </head>
    <tail>
      <ABACprincipal>
        <keyid>66dd9f3018e64c12130068f4a71d364fc9cbdfb6</keyid>
      </ABACprincipal>
    </tail>
  </rt0>
</abac>
}}}

391 413
392 414 === Tool Certificates ===
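Review bot: the change at 389 from "may include" to "may in future include" turns scope limitations (slice, aggregate, operation) into something the current format does not define, but nothing in 386-392 says what an aggregate does when a credential arrives carrying scope elements it does not recognise; state that such elements cause the credential to be refused rather than ignored, since silently dropping them would let a tool exceed a restriction the experimenter meant to impose. Related, 392 says the Experimenter and Tool are identified only by the SHA1 hash of their public key while 387 says the credential carries the user's certificate and a tool identifier; the draft should say explicitly that the aggregate recomputes the head keyid from the public key in that certificate and the tail keyid from the tool's certificate (both chaining to a trusted root, per 387) instead of trusting the keyid strings as written.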
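The checks an aggregate would run before honouring the assertion `Experimenter.speaks_for_Experimenter <- Tool` described above, as an added example written for this page and not code from the GENI AM API or its reference implementation. It assumes the keyid is the hex SHA-1 of the DER-encoded public key bytes, that the XML signature has already been verified by a separate step, that the enclosing `<credential>` element and the sample key bytes are constructed placeholders, and that unrecognised elements inside `<rt0>` are refused (a fail-closed choice made here, not stated by the draft):

```python
"""Added example: validating a GENI 'Speaks For' credential body.

Assumptions (not from the page): keyid = hex SHA-1 over DER public-key bytes;
the XML signature and certificate chain have been checked elsewhere; the
<credential> wrapper, the key bytes and the clock value are constructed.
"""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed stand-ins for the DER-encoded public keys that would be taken
# from the experimenter's and the tool's certificates.
EXPERIMENTER_KEY = b"constructed-experimenter-public-key"
TOOL_KEY = b"constructed-tool-public-key"
# Constructed clock: the timestamp of this wiki revision.
NOW = datetime(2014, 1, 16, 9, 11, 48, tzinfo=timezone.utc)

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def keyid(pubkey_der: bytes) -> str:
    """ABAC principal identifier: hex SHA-1 of the public key bytes (assumed DER)."""
    return hashlib.sha1(pubkey_der).hexdigest()


def build_speaks_for(experimenter_key: bytes, tool_key: bytes, expires: datetime) -> str:
    """Unsigned credential body in the <expires>/<abac>/<rt0> layout shown on the page.

    The head is the experimenter, the role is speaks_for_<experimenter keyid>,
    and the tail is the tool: Experimenter.speaks_for_Experimenter <- Tool.
    """
    exp_id = keyid(experimenter_key)
    return (
        "<credential>"
        f"<expires>{expires.strftime(TIME_FMT)}</expires>"
        "<abac><rt0><version>1.1</version>"
        f"<head><ABACprincipal><keyid>{exp_id}</keyid></ABACprincipal>"
        f"<role>speaks_for_{exp_id}</role></head>"
        f"<tail><ABACprincipal><keyid>{keyid(tool_key)}</keyid></ABACprincipal></tail>"
        "</rt0></abac></credential>"
    )


def check_speaks_for(xml_text: str, experimenter_key: bytes, tool_key: bytes, now: datetime):
    """Return (accepted, reason) for a credential presented by `tool_key` on
    behalf of `experimenter_key`. Both keys come from certificates the aggregate
    has already verified against a trusted GENI root (not shown here)."""
    root = ET.fromstring(xml_text)
    expires = root.findtext("expires")
    head_id = root.findtext("abac/rt0/head/ABACprincipal/keyid")
    role = root.findtext("abac/rt0/head/role")
    tail_id = root.findtext("abac/rt0/tail/ABACprincipal/keyid")
    if None in (expires, head_id, role, tail_id):
        return False, "malformed credential"
    if datetime.strptime(expires, TIME_FMT).replace(tzinfo=timezone.utc) <= now:
        return False, "expired"
    # Never trust the keyid strings as written: recompute them from the keys
    # in the presented certificates and compare.
    if head_id != keyid(experimenter_key):
        return False, "head principal is not the claimed experimenter"
    if role != f"speaks_for_{head_id}":
        return False, "role is not speaks_for_<experimenter>"
    if tail_id != keyid(tool_key):
        return False, "tail principal is not the presenting tool"
    # Scope limitations are not defined yet; refuse anything unexpected
    # instead of silently ignoring it (fail closed; this example's choice).
    extra = [c.tag for c in root.findall("abac/rt0/*") if c.tag not in ("version", "head", "tail")]
    if extra:
        return False, f"unsupported elements: {extra}"
    # Accepted: act as the experimenter, and log both principals.
    return True, f"act as {head_id}; log tool {tail_id}"


if __name__ == "__main__":
    cred = build_speaks_for(EXPERIMENTER_KEY, TOOL_KEY,
                            datetime(2014, 2, 12, 20, 10, 32, tzinfo=timezone.utc))
    print(check_speaks_for(cred, EXPERIMENTER_KEY, TOOL_KEY, NOW))
    print(check_speaks_for(cred, EXPERIMENTER_KEY, b"some-other-tool-key", NOW))
```

The order of the checks matters only for the reason string; every branch fails closed, and the accepting branch returns the two identifiers the aggregate must carry into its ownership records and logs.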