Changes between Version 3 and Version 4 of TIEDABACCredential

Timestamp: 06/17/13 12:21:12
Author: faber@isi.edu

ABAC credentials are, like [GeniApiCredentials GENI Privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig].  The contents of an ABAC credential are contained in a {{{signed-credential}}} element.  The ABAC data is in a {{{credential}}} element and the signature information is in the {{{signatures}}} element, which holds the XML digital signature that signs the {{{credential}}} element.

This page describes both the initial, deprecated version 1.0 ABAC credential and the new version 1.1 credential, which more closely follows the ProtoGENI credential format.  Version 1.0 made changes to the {{{credential}}} element itself, while version 1.1 uses the {{{type}}} field to add an {{{abac}}} element parallel to the {{{privilege}}} element.  In addition, version 1.1 encodes the ABAC statement in XML clauses so that other XML tools can understand it should they need to, and the principal names, which are public key hashes, are annotated with human-readable names that can be used by [http://abac.deterlab.net libabac] or third party applications.

== Version 1.1 Credentials ==

Intuitively, Version 1.1 credentials modify the GENI API credentials by making a type of "abac" valid in the {{{type}}} element, and adding an {{{abac}}} element parallel to the {{{privilege}}}, {{{ticket}}}, and {{{capabilities}}} elements.  The {{{abac}}} element includes the version of the ABAC encoding (1.1) and the ABAC statement encoded in XML.

Some fields of the GENI API credential make little sense for the ABAC credential.  The libabac implementation produces empty elements for these fields and ignores their presence when parsing:

 * serial
 * owner_gid
 * owner_urn (not generated)
 * target_gid
 * target_urn (not generated)
 * uuid

The {{{expires}}} element is used as the expiration of the credential.

When the {{{type}}} element is abac, an {{{abac}}} element should be present.  The {{{abac}}} element contains a single {{{rt0}}} element with one {{{head}}} element and one or more {{{tail}}} elements.  Each {{{head}}} or {{{tail}}} element contains

 * an {{{ABACprincipal}}} element.  This contains
   * a {{{keyid}}} element that contains the hash of the principal's public key
   * an optional {{{mnemonic}}} element that contains a human-readable name of the principal, used when presenting the contents to people.
 * an optional {{{role}}} element.  This contains a string, the last clause in the RT0 term.
 * an optional {{{linking_role}}} element.  This contains a string, the middle clause in an RT0 term.  A {{{linking_role}}} element must not appear without a {{{role}}} element.

The RT0 term {{{e80dc149dfdfaf18e2ecd230a2b214d731d8910f.partner.experiment_create}}} looks like this in the XML representation:

{{{
<ABACprincipal>
 <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
</ABACprincipal>
<role>experiment_create</role>
<linking_role>partner</linking_role>
}}}

If the keyid e80dc149dfdfaf18e2ecd230a2b214d731d8910f refers to a principal named "Acme", the term might be annotated with a {{{mnemonic}}} element:

{{{
<ABACprincipal>
 <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
 <mnemonic>Acme</mnemonic>
</ABACprincipal>
<role>experiment_create</role>
<linking_role>partner</linking_role>
}}}

A full Version 1.1 credential encoding the RT0 statement {{{Acme.experiment_create <- Acme.partner.experiment_create}}} (with signature contents trimmed) looks like:

{{{
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<signed-credential>
 <credential xml:id="ref0">
  <serial/>
  <owner_gid/>
  <target_gid/>
  <uuid/>
  <type>abac</type>
  <expires>2014-06-14T22:41:36Z</expires>
  <abac>
   <rt0>
    <version>1.1</version>
    <head>
     <ABACprincipal>
      <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
      <mnemonic>Acme</mnemonic>
     </ABACprincipal>
     <role>experiment_create</role>
    </head>
    <tail>
     <ABACprincipal>
      <keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
      <mnemonic>Acme</mnemonic>
     </ABACprincipal>
     <role>experiment_create</role>
     <linking_role>partner</linking_role>
    </tail>
   </rt0>
  </abac>
 </credential>
 <signatures>
 ...
 </signatures>
</signed-credential>
}}}

Multiple {{{tail}}} elements form an intersection: all of the tails must hold for the head to be assigned.
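
As an added example (not code from this page or from libabac), the following Python parser applies the structural rules described above to a Version 1.1 credential and reconstructs the RT0 statement, rendering principals either by keyid or by their {{{mnemonic}}}.  The embedded sample is the page's credential with whitespace compacted and signatures trimmed; verifying the XML dsig in {{{signatures}}} is assumed to happen elsewhere before the statement is trusted.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Constructed sample: the page's Version 1.1 credential, compacted, signatures trimmed.
SAMPLE_CREDENTIAL = """<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<signed-credential>
 <credential xml:id="ref0">
  <serial/><owner_gid/><target_gid/><uuid/><type>abac</type>
  <expires>2014-06-14T22:41:36Z</expires>
  <abac><rt0><version>1.1</version>
   <head><ABACprincipal><keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
    <mnemonic>Acme</mnemonic></ABACprincipal><role>experiment_create</role></head>
   <tail><ABACprincipal><keyid>e80dc149dfdfaf18e2ecd230a2b214d731d8910f</keyid>
    <mnemonic>Acme</mnemonic></ABACprincipal><role>experiment_create</role><linking_role>partner</linking_role></tail>
  </rt0></abac>
 </credential>
 <signatures>...</signatures>
</signed-credential>"""

def term_to_string(term, use_mnemonic=False):
    """Render a head/tail element as an RT0 term: principal[.linking_role][.role]."""
    principal = term.find("ABACprincipal")
    keyid = principal.findtext("keyid") if principal is not None else None
    if keyid is None:
        raise ValueError("head/tail lacks an ABACprincipal with a keyid")
    name = (use_mnemonic and principal.findtext("mnemonic")) or keyid
    role, linking = term.findtext("role"), term.findtext("linking_role")
    if linking is not None and role is None:  # rule from the page
        raise ValueError("linking_role must not appear without role")
    return ".".join([name] + [p for p in (linking, role) if p is not None])

def parse_rt0(xml_text, use_mnemonic=False):
    """Return (head, [tails], expires) after the page's structural checks; does not verify <signatures>."""
    cred = ET.fromstring(xml_text).find("credential")
    if cred is None or cred.findtext("type") != "abac":
        raise ValueError("not an abac credential")
    rt0 = cred.find("abac/rt0")
    if rt0 is None or rt0.findtext("version") != "1.1":
        raise ValueError("missing abac/rt0 element or unsupported version")
    heads, tails = rt0.findall("head"), rt0.findall("tail")
    if len(heads) != 1 or not tails:
        raise ValueError("rt0 needs exactly one head and at least one tail")
    expires = datetime.strptime(cred.findtext("expires"), "%Y-%m-%dT%H:%M:%SZ")  # UTC
    tails = [term_to_string(t, use_mnemonic) for t in tails]
    return term_to_string(heads[0], use_mnemonic), tails, expires

def rt0_statement(xml_text, use_mnemonic=False):
    """'head <- tail1 & tail2': multiple tails are an intersection, all must hold."""
    head, tails, _ = parse_rt0(xml_text, use_mnemonic)
    return f"{head} <- {' & '.join(tails)}"
```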
     94
== Version 1.0 Credentials (deprecated) ==

The credential element contains: