
This page describes both the initial, deprecated version 1.0 abac credential and the new version 1.1 credential that more closely follows the ProtoGENI credential format. Version 1.0 made changes to the credential element itself, while version 1.1 uses the type field to add an {{{abac}}} element parallel to the {{{privilege}}} element. In addition, version 1.1 encodes the ABAC statement inside XML clauses so other XML tools can understand it should they need to. In addition, the principal names (public key hashes) are annotated with human-readable names that can be used by [http://abac.deterlab.net libabac] or third party applications.

== Version 1.1 Credentials ==

Intuitively, Version 1.1 credentials modify the GENI API credentials by making a type of "abac" valid in the {{{type}}} element, and adding an {{{abac}}} element parallel to the {{{privilege}}}, {{{ticket}}}, and {{{capabilities}}} elements. The {{{abac}}} field includes the version of the ABAC encoding (1.1) and the ABAC statement encoded in XML.

Some fields of the GENI API credential make little sense for the ABAC credential. The libabac implementation produces empty elements for these fields and ignores their presence when parsing:

 * serial
 * owner_gid
 * owner_urn (not generated)
 * target_gid
 * target_urn (not generated)
 * uuid

The {{{expires}}} element is used as the expiration of the credential.

When the {{{type}}} element is abac, an {{{abac}}} element should be present. The {{{abac}}} field contains a single {{{rt0}}} element with one {{{head}}} element and one or more {{{tail}}} elements. Each {{{head}}} or {{{tail}}} element contains

 * an {{{ABACprincipal}}} element. This contains
   * a {{{keyid}}} element that contains the hash of the principal's public key
   * an optional {{{mnemonic}}} element that contains a human-readable name of the principal, used in presenting the contents to people.
 * an optional {{{role}}} element. This contains a string, the last clause in the RT0 term.
 * an optional {{{linking_role}}} element. This contains a string, the middle clause in an RT0 term. A {{{linking_role}}} element must not appear without a {{{role}}} element.

The RT0 term e80dc149dfdfaf18e2ecd230a2b214d731d8910f.partner.experiment_create looks like this in the XML representation:

{{{
<ABACprincipal>
  <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
</ABACprincipal>
<role>experiment_create</role>
<linking_role>partner</linking_role>
}}}

If the keyid e80dc149dfdfaf18e2ecd230a2b214d731d8910f refers to a principal named "Acme" the term might be annotated with a {{{mnemonic}}} element:

{{{
<ABACprincipal>
  <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
  <mnemonic>Acme</mnemonic>
</ABACprincipal>
<role>experiment_create</role>
<linking_role>partner</linking_role>
}}}

A full Version 1.1 credential encoding the RT0 statement Acme.experiment_create <- Acme.partner.experiment_create (with signature contents trimmed) looks like:

{{{
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<signed-credential>
  <credential xml:id="ref0">
    <serial/>
    <owner_gid/>
    <target_gid/>
    <uuid/>
    <type>abac</type>
    <expires>2014-06-14T22:41:36Z</expires>
    <abac>
      <rt0>
        <version>1.1</version>
        <head>
          <ABACprincipal>
            <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
            <mnemonic>Acme</mnemonic>
          </ABACprincipal>
          <role>experiment_create</role>
        </head>
        <tail>
          <ABACprincipal>
            <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
            <mnemonic>Acme</mnemonic>
          </ABACprincipal>
          <role>experiment_create</role>
          <linking_role>partner</linking_role>
        </tail>
      </rt0>
    </abac>
  </credential>
  <signatures>
    ...
  </signatures>
</signed-credential>
}}}

Multiple {{{tail}}} elements form an intersection: every tail must hold for the head to be assigned.
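The following parser is an added example, not libabac's own code. It reads a version 1.1 credential, enforces the structural rules described above (an abac {{{type}}}, an {{{abac/rt0}}} element with version 1.1, one {{{head}}} and at least one {{{tail}}}, no {{{linking_role}}} without a {{{role}}}, and the {{{expires}}} time) and renders the RT0 statement, treating several tails as an intersection. The sample credential is constructed from the one shown above with the signature block omitted, and the "&" joining intersected tails is this example's own notation; signature verification is not covered here.

```python
# Added example (not libabac code): validate a version 1.1 abac credential
# and render its RT0 statement. Signature checking is out of scope.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the credential from the page, signatures left empty.
SAMPLE = """<signed-credential><credential xml:id="ref0">
<serial/><owner_gid/><target_gid/><uuid/><type>abac</type>
<expires>2014-06-14T22:41:36Z</expires><abac><rt0><version>1.1</version>
<head><ABACprincipal><keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
<mnemonic>Acme</mnemonic></ABACprincipal><role>experiment_create</role></head>
<tail><ABACprincipal><keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
<mnemonic>Acme</mnemonic></ABACprincipal><role>experiment_create</role>
<linking_role>partner</linking_role></tail></rt0></abac></credential>
<signatures/></signed-credential>"""

def term(node, use_mnemonic=True):
    """Render one head/tail element as an RT0 term: name[.linking_role][.role]."""
    principal = node.find("ABACprincipal")
    if principal is None or not principal.findtext("keyid"):
        raise ValueError("head/tail without ABACprincipal/keyid")
    role = node.findtext("role")
    linking = node.findtext("linking_role")
    if linking is not None and role is None:
        raise ValueError("linking_role without role")  # rule stated on the page
    name = principal.findtext("keyid")
    if use_mnemonic and principal.findtext("mnemonic"):
        name = principal.findtext("mnemonic")  # human-readable annotation
    return ".".join(part for part in (name, linking, role) if part)

def parse_credential(xml_text, now=None, use_mnemonic=True):
    """Return (rt0_statement, expires) for a version 1.1 abac credential."""
    cred = ET.fromstring(xml_text).find("credential")
    if cred is None or cred.findtext("type") != "abac":
        raise ValueError("not an abac credential")
    rt0 = cred.find("abac/rt0")
    if rt0 is None or rt0.findtext("version") != "1.1":
        raise ValueError("missing abac/rt0 or unsupported version")
    exp_text = cred.findtext("expires") or ""
    expires = datetime.strptime(exp_text, "%Y-%m-%dT%H:%M:%SZ")
    expires = expires.replace(tzinfo=timezone.utc)
    if now is not None and now >= expires:
        raise ValueError("credential expired")
    head, tails = rt0.find("head"), rt0.findall("tail")
    if head is None or not tails:
        raise ValueError("rt0 needs one head and at least one tail")
    # Several tails form an intersection: every tail must hold for the head.
    rhs = " & ".join(term(t, use_mnemonic) for t in tails)
    return term(head, use_mnemonic) + " <- " + rhs, expires
```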

== Version 1.0 Credentials (deprecated) ==