Changes between Version 15 and Version 16 of GeniApiCredentials


Timestamp: 01/15/14 13:25:21 (10 years ago)
Author: Aaron Helsinger
Comment:

--

  • GeniApiCredentials

    v15 v16  
    33= GENI Credentials =
    44
    5 Credentials are used to authorize actions (where certificates authenticate and URNs identify). They specify the permissions of the Owner relative to a Target object.
    6 
    7 In the AM API, credentials have a type and version string. This page documents credentials of type `geni_sfa` and version '''3'''.
    8 
    9 A credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
     5Credentials are signed assertions used to authorize actions (where certificates authenticate and URNs identify).
     6
     7In the AM API, credentials have a type and version string. This page documents the GENI SFA credential format, and specifically credentials of type `geni_sfa` and version '''3'''. These GENI SFA credentials specify the permissions of the Owner relative to a Target object.
     8
     9The same basic structure is used to specify [TIEDABACCredential GENI ABAC credentials] (type `geni_abac` and version '''1'''), but with some important [TIEDABACCredential differences]. 
     10
     11A GENI SFA credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
    1012
    1113In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions.
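
Review bot: The new paragraph at v16 line 9 brings `geni_abac` credentials onto this page, but the unchanged paragraph at line 13 still describes list handling only as "if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation", without saying whether that rule covers a list that mixes `geni_sfa` and `geni_abac` entries. Suggest adding a sentence that states how an implementation should treat a mixed list, or that the rule here applies to `geni_sfa` credentials only, with a pointer to TIEDABACCredential for the rest. Separately, the sentence carried over into line 11 still reads "The only differences between the two formats is that"; it names a single difference, so "The only difference ... is that" would be correct.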
     
    5759
    5860''' Type '''
    59 Type should be 'privilege'
     61Type should be 'privilege' for GENI SFA credentials. (For [TIEDABACCredential GENI ABAC credentials], the type is 'abac'.)
    6062
    6163''' Serial '''
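
Review bot: At v16 line 61, the Type element's values ('privilege', 'abac') are easy to confuse with the AM API type strings (`geni_sfa`, `geni_abac`) introduced near the top of the page, and "should be" leaves open what a verifier does when the two disagree. Suggest spelling out the pairing (`geni_sfa` with 'privilege', `geni_abac` with 'abac') and stating whether a credential whose Type does not match its declared API type is to be rejected.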