Changes between Version 16 and Version 17 of GeniApiCredentials
- Timestamp: 01/15/14 13:41:53 (10 years ago)
GeniApiCredentials
v16 v17 7 7 In the AM API, credentials have a type and version string. This page documents the GENI SFA credential format, and specifically credentials of type `geni_sfa` and version '''3'''. These GENI SFA credentials specify the permissions of the Owner relative to a Target object. 8 8 9 The same basic structure is used to specify [ TIEDABACCredential GENI ABAC credentials] (type `geni_abac` and version '''1'''), but with some important [TIEDABACCredential differences].9 The same basic structure is used to specify [wiki:TIEDABACCredential GENI ABAC credentials] (type `geni_abac` and version '''1'''), but with some important [wiki:TIEDABACCredential differences]. 10 10 11 11 A GENI SFA credential provides the credential's owner with permissions on a target object (identified by a URN). For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice. The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials. The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema11-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}. … … 59 59 60 60 ''' Type ''' 61 Type should be 'privilege' for GENI SFA credentials. (For [ TIEDABACCredential GENI ABAC credentials], the type is 'abac'.)61 Type should be 'privilege' for GENI SFA credentials. (For [wiki:TIEDABACCredential GENI ABAC credentials], the type is 'abac'.) 62 62 63 63 ''' Serial ''' … … 105 105 106 106 == Delegation == 107 Credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. 
To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges.107 GENI SFA credentials may be delegated, if the owner (subject) has `can_delegate` for one or more privileges. To generate a delegated credential, the owner re-signs their own credential, granting a subset of their own rights to a new owner. The delegated credential should be for the same target, for the same or a shorter duration, include the original credential in the `parent` field, be signed by the original credential's subject (subject of parent == issuer of delegated credential), and grant a subset of the original credential's privileges. 108 108 109 109 == Credential Validation ==
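Review bot: in the unchanged context at line 11 of the first hunk, "The only differences between the two formats is that ..." mixes plural and singular and then names a single difference. Since line 9 is being edited in this revision anyway, consider "The only difference between the two formats is that ..." alongside it. The `wiki:` prefix added on line 9 matches the one added on line 61, so the two TIEDABACCredential links stay consistent.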
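Review bot: line 61 in the second hunk gives the Type as 'privilege' (or 'abac'), while line 7 says these credentials have type `geni_sfa` (or `geni_abac`), so the page uses "type" for two different values without saying which one each passage means. Suggest wording line 61 so it is clear that it describes the Type entry documented in this section, distinct from the AM API type string on line 7, so that an implementer checking a credential's type compares against the right value.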
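Review bot: on line 107 the first sentence ties delegation to `can_delegate` on individual privileges, but the closing list only says the delegated credential should "grant a subset of the original credential's privileges", which as written also admits privileges that lack `can_delegate`. Suggest stating that the subset is limited to privileges for which the parent credential has `can_delegate`. Since the next section is Credential Validation, also consider whether "should" is strong enough for the same-target, duration, `parent` and issuer conditions that a verifier is expected to check.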