Changes between Version 16 and Version 17 of GeniApiCredentials


Timestamp: 01/15/14 13:41:53 (10 years ago)
Author: Aaron Helsinger
Comment: --

  • GeniApiCredentials

    v16 v17  
    77In the AM API, credentials have a type and version string. This page documents the GENI SFA credential format, and specifically credentials of type `geni_sfa` and version '''3'''. These GENI SFA credentials specify the permissions of the Owner relative to a Target object.
    88
    9 The same basic structure is used to specify [TIEDABACCredential GENI ABAC credentials] (type `geni_abac` and version '''1'''), but with some important [TIEDABACCredential differences]. 
     9The same basic structure is used to specify [wiki:TIEDABACCredential GENI ABAC credentials] (type `geni_abac` and version '''1'''), but with some important [wiki:TIEDABACCredential differences]. 
    1010
    1111A GENI SFA credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
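Review bot: On the changed line 9, both `[wiki:TIEDABACCredential ...]` links resolve to the same page, so the second link, labelled "differences", takes the reader no further than the first. If the target page has a section that lists the differences, link to that section; otherwise drop the second link. While this paragraph is open, the context line 11 reads "The only differences between the two formats is", which should be "The only difference ... is".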
     
    5959
    6060''' Type '''
    61 Type should be 'privilege' for GENI SFA credentials. (For [TIEDABACCredential GENI ABAC credentials], the type is 'abac'.)
     61Type should be 'privilege' for GENI SFA credentials. (For [wiki:TIEDABACCredential GENI ABAC credentials], the type is 'abac'.)
    6262
    6363''' Serial '''
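Review bot: The Type line (61) still says the type "should be" 'privilege', which leaves it unclear whether a credential carrying any other type value is to be rejected as a GENI SFA credential. Since the same sentence gives 'abac' as the value that marks a GENI ABAC credential, consider stating this as a requirement, for example "Type must be 'privilege' for GENI SFA credentials".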
     
    105105
    106106== Delegation ==
    107 Credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges.
     107GENI SFA credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges.
    108108
    109109== Credential Validation ==
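Review bot: The Delegation sentence on line 107 makes delegation conditional on `can_delegate` for one or more privileges, but then only asks the delegated credential to "grant a subset of the original credential's privileges", without saying that the subset is limited to the privileges that carry `can_delegate`. Spell that restriction out. The five conditions are also introduced with "should" (same target, same or shorter duration, original included in `parent`, signed by the parent's subject, subset of privileges); say whether each is required for the credential to be accepted, since the Credential Validation section follows directly.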