Changes between Version 5 and Version 6 of TIEDABACCredential


Ignore:
Timestamp:
01/15/14 12:58:22 (6 years ago)
Author:
Aaron Helsinger
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • TIEDABACCredential

    v5 v6  
    11= GENI ABAC Credentials =
    22
    3 GENI ABAC credentials are used to store or communicate ABAC statements directly.  This format describes a format for passing RT0 credentials, which can express the [wiki:TIEDABACModel statements described here].
     3GENI [http://abac.deterlab.net/ ABAC] credentials are used to store or communicate ABAC statements directly.  This format describes a format for passing RT0 credentials, which can express the [wiki:TIEDABACModel statements described here]. In GENI, credentials are typically passed around in a struct that identifies the type and version of the credential. For GENI API purposes, this page describes credentials of the type `geni_abac` and version `1`.
    44
    5 ABAC credentials are, like [GeniApiCredentials GENI Privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig].  The contents of an ABAC credential are contained in a {{{signed-credential}}} element.  The ABAC data is in a {{{credential}}} element and signature information in the {{{signatures}}} element.  The {{{signatures}}} element holds XML digital signature information, signing the {{{credential}}} element.
     5ABAC credentials are, like [GeniApiCredentials GENI SFA privilege credentials], XML documents signed using [http://www.w3.org/TR/xmldsig-core/ XML dsig].  The contents of an ABAC credential are contained in a {{{signed-credential}}} element.  The ABAC data is in a {{{credential}}} element and signature information in the {{{signatures}}} element.  The {{{signatures}}} element holds XML digital signature information, signing the {{{credential}}} element.
    66
    7 This page describes both the initial, deprecated version 1.0 abac credential and the new version 1.1 credential that more closely follows the ProtoGENI credential format.  Version 1.0 made changes to the credential element itself, while version 1.1 uses the type field to add an {{{abac}}} element parallel to the {{{privilege}}} element.  In addition, version 1.1 encodes the ABAC statement inside XML clauses so other XML tools can understand it should they need to.  In addition, the principal names - public key hashes - are annotated with human-readable names that can be used by [http://abac.deterlab.net libabac] or third party applications.
     7This page describes both the initial, deprecated version 1.0 abac credential and the new version 1.1 credential that more closely follows the GENI SFA credential format.  (Note that both are known within GENI as type `geni_abac` version `1`.) Version 1.0 (never deployed) made changes to the credential element itself, while version 1.1 uses the `type` field to add an {{{abac}}} element parallel to the {{{privilege}}} element.  In addition, version 1.1 encodes the ABAC statement inside XML clauses so other XML tools can understand it should they need to.  In addition, the principal names - SHA-1 public key hashes - are annotated with human-readable names that can be used by [http://abac.deterlab.net libabac] or third party applications.
    88
    99== Version 1.1 Credentials ==
    1010
    11 Intuitively, Version 1.1 credentials modify the GENI API credentials by making a type of "abac" valid in the {{{type}}} element, and adding an {{{abac}}} element parallel to the {{{privilege}}}, {{{ticket}}}, and {{{capabilities}}} elements.  The {{{abac}}} field includes the version of the ABAC encoding (1.1) and the ABAC statement encoded in XML.
     11Intuitively, Version 1.1 credentials modify the GENI SFA credentials by making a type of "abac" valid in the {{{type}}} element, and adding an {{{abac}}} element parallel to the {{{privilege}}}, {{{ticket}}}, and {{{capabilities}}} elements.  The {{{abac}}} field includes the version of the ABAC encoding (1.1) and the ABAC statement encoded in XML.
    1212
    13 Some fields of the GENIAPI credential make little sense for the ABAC credential.  The libabac implementation produces empty elements for these fields and ignores their presence when parsed:
     13 * The `version` element is 2 non-negative integers separated by a period.  No spaces. A major and minor version number.  This section describes version 1.1
     14
     15Some fields of the GENI SFA credential make little sense for the ABAC credential.  The libabac implementation produces empty elements for these fields and ignores their presence when parsed:
    1416
    1517 * serial
     
    2022 * uuid
    2123
    22 The {{{expires}}} expires element is used as the expiration of the credential.
     24The {{{expires}}} element specifies the expiration of the credential.  It is in the same format as the [GeniApiCredentials GENI privilege credential] (ISO 8601 with UTC assumed if no timezone is specified, RFC 3339 format preferred).
    2325
    24 When the {{{type}}} element is abac, an {{{abac}}} element should be present.  The {{{abac}}} field contains a single {{{rt0}}} element with one {{{head}}} element and one or more {{{tail}}} elements.  Each {{{head}}} or {{{tail}}} element contains
     26When the {{{type}}} element is "abac", an {{{abac}}} element must be present.  The {{{abac}}} field contains a single {{{rt0}}} element with one {{{head}}} element and one or more {{{tail}}} elements.  Each {{{head}}} or {{{tail}}} element contains
    2527
    26  * an {{{ABACprincipal}}} element.  This contains
    27    * a {{{keyid}}} element that contains the hash of the principal's public key
    28    * an optional {{{mnemonic}}} element that contains a human-readable name of the principal, used in prsenting the contents to people.
    29  * an optional {{{role}}} element.  This contains a string, the last clause in the RT0 term.
    30  * an optional {{{linking_role}}} element.  This contains a string, the middle in an RT0 term.  A {{{linking_role}}} element must not appear without a {{{role}}} element.
     28 * An {{{ABACprincipal}}} element.  This contains
     29   * A {{{keyid}}} element that contains the SHA-1 hash of the principal's public key (from the principal's X509 certificate)
     30   * An optional {{{mnemonic}}} element that contains a human-readable name of the principal, used in presenting the contents to people (E.G. something from the DN or SubjectAltName of the principal's certificate; In GENI, typically the [GeniApiIdentifiers URN].
     31 * An optional {{{role}}} element.  This contains a string, the last clause in the RT0 term.
     32 * An optional {{{linking_role}}} element.  This contains a string, the middle clause in an RT0 term.  A {{{linking_role}}} element must not appear without a {{{role}}} element.
    3133
    32 The RT0 term  e80dc149dfdfaf18e2ecd230a2b214d731d8910f.partner.experiment_create looks like this in the XML representation:
     34The RT0 term  "e80dc149dfdfaf18e2ecd230a2b214d731d8910f.partner.experiment_create" looks like this in the XML representation:
    3335
    3436{{{
     
    4042}}}
    4143
    42 If the keyid e80dc149dfdfaf18e2ecd230a2b214d731d8910f refers to a principal named "Acme" the term might be annotated with a {{{mnemonic}}} element:
     44If the `keyid` "e80dc149dfdfaf18e2ecd230a2b214d731d8910f" refers to a principal named "Acme" then the element might be annotated with a {{{mnemonic}}} element:
    4345
    4446{{{
     
    5153}}}
    5254
    53 A full Version 1.1 credential encoding the RT0 statement Acme.experiment_create <- Acme.partner.experiment_create (with signature contents trimmed) looks like:
     55A full Version 1.1 credential encoding the RT0 statement `Acme.experiment_create <- Acme.partner.experiment_create` (with signature contents trimmed) looks like:
    5456
    5557{{{
     
    9193}}}
    9294
    93 Multiple tail elements are an intersection element - all the tails must hold to assign the head.
     95Multiple `tail` elements are treated an intersection element - all the tails must hold to assign the head.
    9496
    95 The xsd addtitions to [http://www.protogeni.net/resources/credential/credential.xsd the GENIAPI credential XSD] are [attachment:rt0.xsd attached] to this page.  They encode the {{{rt0}}} element inside the {{{abac}}} element.  Minor additions need to be made to add the {{{abac}}} element as a choice.
     97The xsd additions to [http://www.protogeni.net/resources/credential/credential.xsd the GENIAPI credential XSD] are [attachment:rt0.xsd attached] to this page.  They encode the {{{rt0}}} element inside the {{{abac}}} element.  Minor additions need to be made to add the {{{abac}}} element as a choice.
    9698
    9799== Version 1.0 Credentials (deprecated) ==
     
    99101The credential element contains:
    100102
    101  * A type element whose content is "abac" this differentiates it from a GENI privilege credential
    102  * A version element whose content is 2 non-negative integers separated by a period.  No spaces. A major and minor version number.  This page describes version 1.0
    103  * An expires element whose content defines the last time the credential is valid.  It is in the same format as the [GeniApiCredentials GENI privilege credential].
    104  * An rt0 element that includes an encoding of the RT0 rule.  All take the form Principal.Attr {{{<-}}} RHS according to the following rules
    105    * Principals are encoded by their Subject Key Identifier - a SHA1 hash fo their public key data.  These are shown in ''italics'' below.
     103 * A `type` element whose content is "abac" this differentiates it from a GENI privilege credential
     104 * A `version` element whose content is 2 non-negative integers separated by a period.  No spaces. A major and minor version number.  This page describes version 1.0
     105 * An `expires` element whose content defines the last time the credential is valid.  It is in the same format as the [GeniApiCredentials GENI privilege credential].
     106 * An `rt0` element that includes an encoding of the RT0 rule.  All take the form Principal.Attr {{{<-}}} RHS according to the following rules
     107   * Principals are encoded by their Subject Key Identifier - a SHA1 hash of their public key data.  These are shown in ''italics'' below.
    106108   * Attributes are space-free strings containing alpha-numeric data and underscores.
    107109   * An assignment of an attribute to a principal is of the form ''issuer''.attr <- ''principal''
    108    * An assignment of an attribute to a set of principals that have an attribute os of the form ''issuer''.role1 <- ''principal''.role2
    109    * An assignment of an attribute to a set of principals assigned a given arrtibute by a principal with a given linking attribute has the form ''issuer''.role1 <- ''principal''.linking_attribute.role2.  See [wiki:TIEDABACModel here] for examples of this type of role.
     110   * An assignment of an attribute to a set of principals that have an attribute is of the form ''issuer''.role1 <- ''principal''.role2
     111   * An assignment of an attribute to a set of principals assigned a given attribute by a principal with a given linking attribute has the form ''issuer''.role1 <- ''principal''.linking_attribute.role2.  See [wiki:TIEDABACModel here] for examples of this type of role.
    110112   * The right side of the assignment (RHS) may be a conjunction of the various RHS types above, e.g.,  ''issuer''.role0 <- ''principal1''.role1 & ''principal2''.role2
    111113