Changes between Version 2 and Version 3 of GeniApiCredentials


Ignore:
Timestamp:
06/22/11 13:05:30 (13 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • GeniApiCredentials

    v2 v3  
    55Credentials are used to authorize actions (where certificates authenticate and URNs identify). They specify the permissions of the Owner relative to a Target object.
    66
    7 A credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA).
     7A credential provides the credential's owner with permissions on a target object (identified by a URN).  For instance, with a 'slice credential,' the user is given rights to allocate and remove resources from a slice.  The credential format that the GENI AM API uses is adapted from ProtoGENI's credential format described at: http://www.protogeni.net/trac/protogeni/wiki/Credentials.  The only differences between the two formats is that the GENI credential allows for different privileges (those from other control frameworks such as Planet Lab's SFA). Also note that the value of {{{can_delegate}}} on privileges is an [http://www.w3.org/TR/xmlschema-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
    88
    99In the API, method calls take a list of Credentials. The semantics of that list are not specified. The reference GCF implementation treats each credential as a separate option: if any ONE credential grants the subject ALL required privileges on the specified target, then allow the operation. An alternative implementation could accumulate privileges from each otherwise valid credential to determine total permissions.
     
    7979The privileges are the rights that are assigned to the owner of the credential on the target resource.  The SFA-derived control frameworks use different permission names, but they have similar semantic meaning.  If a privilege can be delegated, then that means the owner of the credential can delegate that permission to another entity.  Currently, the only credentials used in the GENI API are slice credentials and user credentials.  Privileges have not yet been agreed upon between the control frameworks.  Currently, SFA assigns ['refresh', 'resolve', and 'info'] rights to user credentials.    Slice credentials have "slice" rights.  ProtoGENI defaults to the "*" privilege which means that the owner has rights to all methods associated with that credential type (user or slice).  See https://www.protogeni.net/trac/protogeni/wiki/ReferenceImplementationPrivileges for more information on ProtoGENI privileges.
    8080
     81''' can_delegate'''
     82Privileges can be delegated. Every privilege gets a sub-element {{{can_delegate}}}. The value is an [http://www.w3.org/TR/xmlschema-2/#boolean xsd:boolean], meaning it should be one of 1, 0, {{{true}}}, or {{{false}}}.
     83
    8184''' Signatures '''
    8285The preceding XML is signed using the XML Signature specification (see http://www.w3.org/TR/xmldsig-core/).   SFA and ProtoGENI use the xmlsec1 binary to sign credentials.  For more information on using xmlsec1, please see the bottom of this page.  If a credential is delegated, then the owner creating the new (delegated) credential signs the new credential and the original signature and the new signature are placed in the <Signatures> section.   For more information on delegation please see: http://www.protogeni.net/trac/protogeni/wiki/Credentials