Changes between Version 100 and Version 101 of GAPI_AM_API_DRAFT


Ignore:
Timestamp:
01/16/14 09:11:48 (10 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • GAPI_AM_API_DRAFT

    v100 v101  
    384384Two other additions are required: we must define the 'Speaks For' credential and its semantics, and we must define the URN and certificates for tools.
    385385
    386 The 'Speaks For' credential will be a signed XML document encoding of an ABAC credential (GENI type `geni_abac` version `1`) as specified [wiki:TIEDABACCredential here]. Several points are worth noting
     386The 'Speaks For' credential will be a signed XML document encoding of an ABAC credential (GENI type `geni_abac` version `1`) as specified [wiki:TIEDABACCredential here]. Several general points are worth noting:
    387387 - The credential includes the certificate of the user and an identifier for the tool. For the credential to be accepted, each certificate must itself be trusted by the aggregate; current recommended GENI policy requires [GeniApiCertificates a particular format] for that certificate, and requires that it be signed (directly or indirectly) by a trusted GENI root.
    388388 - The credential includes an expiration
    389  - The credential may include scope limitations (including slice, aggregate, operation)
     389 - The credential may in future include scope limitations (including slice, aggregate, operation)
    390390 - When the aggregate authorizes a 'Speaks For' operation, the aggregate must treat the operation as though performed by the experimenter, but also log that it was done via the given tool. That is, resources will be owned by the experimenter, and logs and monitoring reports will include both the experimenter URN and the tool URN.
     391
     392The specific ABAC assertion that this 'Speaks For' credential encodes is: `Experimenter.speaks_for_Experimenter <- Tool`. That is, the experimenter signs an assertion saying that the Tool has the attribute in the Experimenter's namespace `speaks_for_Experimenter`, where the Experimenter and Tool are identified (as with all ABAC assertions) by the SHA1 hash of their public key.
     393As an example, here is a selection from a 'Speaks For' credential:
     394{{{
     395    <expires>2014-02-12T20:10:32Z</expires>
     396    <abac>
     397      <rt0>
     398        <version>1.1</version>
     399        <head>
     400          <ABACprincipal>
     401            <keyid>097f010966eacbc0f8e2fc8c66c8abfdd55f6036</keyid>
     402          </ABACprincipal>
     403          <role>speaks_for_097f010966eacbc0f8e2fc8c66c8abfdd55f6036</role>
     404        </head>
     405        <tail>
     406          <ABACprincipal>
     407            <keyid>66dd9f3018e64c12130068f4a71d364fc9cbdfb6</keyid>
     408          </ABACprincipal>
     409        </tail>
     410      </rt0>
     411    </abac>
     412}}}
    391413
    392414=== Tool Certificates ===