| | 1 | == GENI Clearinghouse API’s == |
| | 2 | Marshall Brinn, GPO |
| | 3 | |
| | 4 | DRAFT: August 6, 2013 |
| | 5 | |
| | 6 | |
| | 7 | |
| | 8 | == Introduction == |
| | 9 | |
| | 10 | |
| | 11 | |
| | 12 | This document proposes a set of standard API’s that any GENI Clearinghouse (CH) should or may provide. The document describes what is required and what is optional in the calls and responses to these APIs. |
| | 13 | |
| | 14 | The GENI Software Architecture rests on the interaction between different entities: |
| | 15 | |
| | 16 | ''' Aggregates ''' : Collections of resources managed and presented in accordance with the AM API |
| | 17 | |
| | 18 | ''' Members ''' : Experimenters or other human consumers of aggregate resources |
| | 19 | |
| | 20 | ''' Authorities ''' : Services that manage assertions about members and their permissions with respect to aggregate resources. |
| | 21 | |
| | 22 | There are two fundamental authority types in GENI: |
| | 23 | |
| | 24 | * '' Member Authority '' [MA]: Manages and asserts attributes about particular members |
| | 25 | * '' Slice Authority '' [SA]: Manages slice objects and generates credentials for members with respect to slices. |
| | 26 | |
| | 27 | A '' Federation '' is a collection of Authorities and Aggregates that establish mutual trust and common policies to facilitate the sharing of resources among members. A Clearinghouse (CH) is a set of software services representing a given Federation, providing lists of Slice Authorities, Member Authorities and aggregates associated with that federation, and providing a set of PKI certificates that any aggregate belonging to a given federation accepts as trust roots. The relationship of Federations to Clearinghouses is 1:1. |
| | 28 | |
| | 29 | The Authorities of any given Federation are free to implement their own Authorization (AuthZ) scheme. The API’s allow for passing credentials to the calls, but an Authority may choose to allow or disallow calls using logic and policies that are internal to that Federation. There is no universal (cross-Federation) requirement for any particular policy regarding Authority AuthZ. |
| | 30 | |
| | 31 | Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority. A CH may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that CH. Similarly, a given Slice Authority or Member Authority may be advertised by a single CH or by multiple CH’s. CH API calls are unprotected: there is no notion of trust between CH’s or between CH’s and Authorities or Aggregates. |
| | 32 | |
| | 33 | This document describes the APIs of the GENI CH as well as the MA and SA. It is expected that a well-behaved GENI tool will allow for interacting with any CH and Authority that implement the standard API’s described in this document. |
| | 34 | |
| | 35 | |
| | 36 | |
| | 37 | |
| | 38 | |
| | 39 | |
| | 40 | |
| | 41 | |
| | 42 | |
| | 43 | |
| | 44 | == API General Properties == |
| | 45 | |
| | 46 | The APIs described here share some common properties, which should be assumed for the rest of this document: |
| | 47 | * The wire-protocol is XML/RPC. It is thus language independent on both client and server side of the API calls. |
| | 48 | * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no certificate and private key. |
| | 49 | * Unprotected calls will be identified in API documentation with the annotation: |
| | 50 | ''NB: This is an ''' unprotected call ''', no client cert required.'' |
| | 51 | * Each call takes an ‘options’ argument, a dictionary allowing for passing specific non-standard/optional arguments |
| | 52 | * Each protected method takes a ‘credentials’ argument, a list of type/credential tuples that help the CH or Authority invoke whatever AuthZ logic it may choose. As noted above, the CH or Authority may choose to use or disregard these credentials. Unprotected methods do not take a ‘credentials’ argument. |
| | 53 | * Each CH or Authority provides a get_version method, which describes the version number of the API provided, credential types supported, supplementary object fields and other data for interpreting API call returns. |
| | 54 | * A CH or Authority is free to implement additional methods beyond those specified in this document. |
| | 55 | * The URN is the fundamental identifier in all GENI CH API’s. URN’s are globally unique at any given time, though not necessarily unique over time. Disambiguation for entities with the same URN over time may be provided by an optional UUID argument for certain API methods. |
| | 56 | |
| | 57 | These API’s are provided in pseudo-code (i.e. language independent) format, with inputs and outputs (optional and required) described by comments, e.g. |
| | 58 | |
| | 59 | /* |
| | 60 | |
| | 61 | ''Perform method ‘ch_func’'' |
| | 62 | |
