Changes between Version 86 and Version 87 of GAPI_AM_API_DRAFT


Ignore:
Timestamp:
05/15/13 09:07:17 (12 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GAPI_AM_API_DRAFT

    v86 v87  
    364364 - When `true`, all strings specified in this API may be unicode. In particular, regular expressions that limit to ASCII characters shall be interpreted to include the unicode equivalents. The aggregate will still accept ASCII input. Returns will remain ASCII where the API defines ASCII constants or content allows it.
    365365
     366== Change Set P: Support proxy clients that 'Speak For' an experimenter ==
     367
     368GENI tools invoke AM API methods on behalf of experimenters. When that tool instance is well known and trusted by the experimenter, and runs local to a single experimenter, then it is reasonable for that tool to be given the experimenter's private key and public certificate, and 'speak as' the experimenter. But for a hosted tool that might act for multiple experimenters it is both more secure and more clear what is happening for such tools to have their own identity certificate and private key by which each tool instance authenticates to AM API calls, and use a new 'Speaks For' credential (or credential set) to authorize the tool instance to take a given action. The experimenter will issue such credentials to the tool instance (possibly scoped by time, slice, aggregate, or other dimension), and the aggregate can then properly assign the resources to the experimenter, while logging and reporting that the tool performed the operation. This functionality can also be used for an experimenter to authorize a 'proxy' aggregate or an aggregate of aggregates.
     369
     370Two changes are required in the AM API to support this functionality. First, not all aggregates will support 'Speaks For' yet, so tools must be able to distinguish. Second, we require an explicit way for the aggregate to determine on whose behalf a tool is taking this action.
     371
     372 1. Add a new optional return entry from `GetVersion`:
     373
     374  `geni_handles_speaksfor`: A boolean (0 or 1 in XML-RPC), default is false (0).
     375
     376   When present and true, the aggregate is capable of authorizing AM API actions using a GENI 'Speaks For' credential (or credential set), and accepting the option `geni_experimenter_urn` (see below). When the aggregate supports 'Speaks For', tools should authenticate using their own GENI issued certificate and key, supply a 'Speaks For' credential (or credential set) from the experimenter authorizing the tool instance to perform the given action, and supply the URN of the experimenter on whose behalf the tool is acting in the  `geni_experimenter_urn` option. When the aggregate does not support  'Speaks For', the tool is expected to 'speak as' the experimenter,  using the experimenter's own GENI issued certificate and key. Aggregates should however attempt to support 'Speaks For', as 'Speaks As' is undesirable deprecated behavior. If a client supplies 'Speaks For' arguments to an aggregate that does not advertise support for 'Speaks For', the aggregate will typically ignore these, and attempt to authorize the client directly (though that behavior is not required), likely resulting in an authorization failure.
     377
     378 2. Add a new option to the `options` field of each AM API call:
     379
     380  `geni_experimenter_urn`. <string URN>
     381
     382  When supplied, this is the URN of the experimenter on whose behalf the client is acting. The aggregate should expect to find a 'Speaks For' credential or credential set in the `credentials` argument, by which the given experimenter authorizes the client (as authenticated by the SSL client certificate) to perform the given action on their behalf. If such a credential is not found, the aggregate should fail the request with an authorization error (e.g. error code `3`: `FORBIDDEN`). When omitted, the aggregate need not look for a 'Speaks For' credential, but should look to authorize the client itself ('speaks as'). If the client is not itself directly authorized to perform the given action, the aggregate should fail the request with an authorization error (e.g. error code `3`: `FORBIDDEN`).
     383
     384Two other additions are required: we must define the 'Speaks For' credential and its semantics, and we must define the URN and certificates for tools.
     385
     386The 'Speaks For' credential will be specified elsewhere. Several points are worth noting
     387 - The credential includes the certificates of the tool instance and the user. For the credential to be accepted, each certificate must itself be trusted by the aggregate; current recommended GENI policy requires [GeniApiCertificates a particular format] for that certificate, and requires that it be signed (directly or indirectly) by a trusted GENI root.
     388 - The credential includes an expiration
     389 - The credential may include scope limitations (including slice, aggregate, operation)
     390 - When the aggregate authorizes a 'Speaks For' operation, the aggregate must treat the operation as though performed by the experimenter, but also log that it was done via the given tool. That is, resources will be owned by the experimenter, and logs and monitoring reports will include both the experimenter URN and the tool URN.
     391
     392=== Tool Certificates ===
     393
     394Tool instances may be issued GENI identity certificates, using the same format and rules as for users.
     395 - The URN will be the URN of the tool instance. With this change, we introduce a new 'type' for the URN field: `tool`. The name of a tool is subject to the same restrictions as the name for users:
     396  - Tool names are case-insensitive internally, though they may be case-sensitive in display.
     397   - EG `JohnSmth` as a display name is `johnsmth` internally, and there cannot also be a user `JOHNSMTH`.
     398  - Tool names should begin with a letter and be alphanumeric or underscore, hyphen, at sign or period: (`'^[a-zA-Z][a-ZA-Z0-9\-_@\.]{0,63}$'`).
     399  - Tool names are limited to 64 characters.
     400  - Tool URNs (which contain the authority name and the tool instance name) are required to be temporally and globally unique.
     401 - The tool email address should be a way to contact the administrators of the tool instance - the organization or individual who applied for the certificate and who stands behind its integrity.
     402
     403Note that this functionality also supports proxy aggregates, or aggregates of aggregates. See a previous related change proposal:
     404http://groups.geni.net/geni/wiki/GAPI_AM_API_DRAFT?version=47#ChangeSetJ:Proxyaggregatemanagersaresupported
     405
    366406== Older Proposals ==
    367407Older proposals, withdrawn, superseded, or postponed:
     
    409449 - including in ads, requests, and manifests.
    410450 - Advertise available VLANs, attempt to honor requested VLANs, reserve VLANs with tickets, and report reserved or instantiated VLANs in manifests
    411  - Use schema http://hpn.east.isi.edu/rspec/ext/stitch/0.1/stitch-schema.xsd
    412 
    413 Update stitching schema per changes here: https://geni.maxgigapop.net/twiki/bin/view/GENI/NetworkStitchingGeniApiAndRspec
     451 - Use schema http://hpn.east.isi.edu/rspec/ext/stitch/0.1/stitch-schema.xsd, or even better, version 2 of the schema as specified here: http://www.geni.net/resources/rspec/ext/stitch/2/stitch-schema.xsd
     452  - Follow guidelines here: http://geni.maxgigapop.net/twiki/bin/view/GENI/NetworkStitchingExt
     453 - Follow general stitching approach as outlined here: http://geni.maxgigapop.net/twiki/bin/view/GENI/NetworkStitchingOverview