wiki:TIEDABACCredential

Version 1 (modified by faber@isi.edu, 6 years ago) (diff)

--

GENI ABAC Credentials

GENI ABAC credentials are used to store or communicate ABAC statements directly. This format describes a format for passing RT0 credentials, which can express the statements described here.

ABAC credentials are, like GENI Privilege credentials, XML documents signed using XML dsig. The contents of an ABAC credential are contained in a signed-credential element. The ABAC data is in a credential element and signature information in the signatures element. The signatures element holds XML digital signature information, signing the credential element.

The credential element contains:

  • A type element whose content is "abac" this differentiates it from a GENI privilege credential
  • A version element whose content is 2 non-negative integers separated by a period. No spaces. A major and minor version number. This page describes version 1.0
  • An expires element whose content defines the last time the credential is valid. It is in the same format as the [GeniApiCredential GENI privilege credential].
  • An rt0 element that includes an encoding of the RT0 rule. All take the form Principal.Attr <- RHS according to the following rules
    • Principals are encoded by their Subject Key Identifier - a SHA1 hash fo their public key data. These are shown in italics below.
    • Attributes are space-free strings containing alpha-numeric data and underscores.
    • An assignment of an attribute to a principal is of the form issuer.attr <- principal
    • An assignment of an attribute to a set of principals that have an attribute os of the form issuer.role1 <- principal.role2
    • An assignment of an attribute to a set of principals assigned a given arrtibute by a principal with a given linking attribute has the form issuer.role1 <- principal.linking_attribute.role2. See here for examples of this type of role.
    • The right side of the assignment may be a conjunction of the various principal types of this form issuer.role0 <- principal1.role1 & principal2.role2

Attachments (1)

Download all attachments as: .zip