Changes between Version 10 and Version 11 of GeniApiCredentials


Timestamp: 04/19/12 12:15:47 (12 years ago)
Author: Aaron Helsinger
Comment: --

  • GeniApiCredentials

    v10 v11  
    55Credentials are used to authorize actions (where certificates authenticate and URNs identify). They specify the permissions of the Owner relative to a Target object.
    66
    7 A credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
     7A credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
    88
    99In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions.
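
Review bot: On new line 7, "it should be one of 1, 0, true, or false" does not say what a consumer does with any other value of can_delegate. Because this field decides whether a privilege may be passed on, suggest stating that the four xsd:boolean lexical forms are the only accepted ones (they are case-sensitive, so "True" or "yes" are not valid) and that a credential carrying anything else is rejected rather than silently defaulted. Minor wording on the same line: "The only differences between the two formats is" should read "The only difference between the two formats is".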
     
    9090
    9191''' can_delegate'''
    92 Privileges can be delegated. Every privilege gets a sub-element {{{can_delegate}}}. The value is an [http://www.w3.org/TR/xmlschema-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
     92Privileges can be delegated. Every privilege gets a sub-element {{{can_delegate}}}. The value is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
    9393
    9494''' Signatures '''
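
Review bot: The xsd:boolean sentence on line 92 repeats the one at the end of line 7 word for word, which is why this link update had to be made in two places. Suggest keeping the definition here under can_delegate and having line 7 refer to this section, so the two copies cannot drift apart on a later edit.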