GENI ABAC Credentials

GENI ABAC credentials are used to store or communicate ABAC statements directly. This format describes a format for passing RT0 credentials, which can express the statements described here.

ABAC credentials are, like GENI Privilege credentials, XML documents signed using ​XML dsig. The contents of an ABAC credential are contained in a signed-credential element. The ABAC data is in a credential element and signature information in the signatures element. The signatures element holds XML digital signature information, signing the credential element.

The credential element contains:

• A type element whose content is "abac" this differentiates it from a GENI privilege credential
• A version element whose content is 2 non-negative integers separated by a period. No spaces. A major and minor version number. This page describes version 1.0
• An expires element whose content defines the last time the credential is valid. It is in the same format as the [GeniApiCredential GENI privilege credential].
• An rt0 element that includes an encoding of the RT0 rule. All take the form Principal.Attr <- RHS according to the following rules
  • Principals are encoded by their Subject Key Identifier - a SHA1 hash fo their public key data. These are shown in italics below.
  • Attributes are space-free strings containing alpha-numeric data and underscores.
  • An assignment of an attribute to a principal is of the form issuer.attr <- principal
  • An assignment of an attribute to a set of principals that have an attribute os of the form issuer.role1 <- principal.role2
  • An assignment of an attribute to a set of principals assigned a given arrtibute by a principal with a given linking attribute has the form issuer.role1 <- principal.linking_attribute.role2. See here for examples of this type of role.
  • The right side of the assignment may be a conjunction of the various principal types of this form issuer.role0 <- principal1.role1 & principal2.role2