Changes between Version 58 and Version 59 of UniformClearinghouseAPI
Timestamp: 09/15/13 09:10:23
UniformClearinghouseAPI
v58 v59 29 29 The Authorities of any given Federation are free to implement their own Authorization (AuthZ) scheme. The API’s allow for passing credentials to the calls, but an Authority may choose to allow or disallow calls using logic and policies that are internal to that Federation. There is no universal (cross-Federation) requirement for any particular policy regarding Authority AuthZ. 30 30 31 Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority. A Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Registries or by multiple Registries. Registry API calls are unprotected : there is no notion of trust between Registries or between Registries and Authorities or Aggregates.31 Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority. A Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Registries or by multiple Registries. Registry API calls are unprotected. There is no notion of trust between Registries or between Registries and Authorities or Aggregates. 32 32 33 33 This document describes the APIs of the Registry as well as the MA and SA. 
It is expected that a well-behaved GENI-compatible tool will allow for interacting with any Registry and Authority that implement the standard API’s described in this document. … … 46 46 The APIs described here share some common properties, which should be assumed for the rest of this document: 47 47 * The wire-protocol is XML/RPC. It is thus language independent on both client and server side of the API calls. 48 * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no certificate and private key. 49 * Unprotected calls will be identified in API documentation with the annotation: 50 ''NB: This is an ''' unprotected call ''', no client cert required.'' 48 * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no requirement for a validated client-side certificate . Such calls will noted in the API documentation below. 51 49 * Each call takes an ‘options’ argument, a dictionary allowing for passing specific non-standard/optional arguments 52 50 * Each protected method takes a ‘credentials’ argument, a list of type/credential tuples that help the Registry or Authority invoke whatever AuthZ logic it may choose. As noted above, the Registry or Authority may choose to use or disregard these credentials. Unprotected methods do not take a ‘credentials’ argument. … … 342 340 The Registry provides a list of Slice Authorities, Member Authorities and Aggregates associated with a given Federation. The URL for accessing these methods (i.e. the URL of the Registry) is to be provided out-of-band (i.e. there is no global service for gaining access to Registry addressees). 343 341 342 All Registry calls are unprotected; they have no requirement for passing a client-side cert or validating any client-cert cert that is passed. 
343 344 344 The following table describes the default fields for services (aggregates and authorities) provided by Registry API calls: 345 345 … … 357 357 Provide a structure detailing the version information as well as details of accepted options for Registry API calls. 358 358 359 NB: This is an '''unprotected''' call, no client cert required.360 361 359 '''Arguments:''' 362 360 … … 375 373 Return information about all aggregates associated with the Federation 376 374 377 378 NB: This is an unprotected call, no client cert required.379 380 375 '''Arguments:''' 381 376 … … 394 389 Return information about all MA’s associated with the Federation 395 390 396 NB: This is an '''unprotected''' call, no client cert required.397 398 391 '''Arguments:''' 399 392 … … 411 404 412 405 Return information about all SA’s associated with the Federation 413 414 NB: This is an '''unprotected''' call, no client cert required.415 406 416 407 '''Arguments:''' … … 440 431 || Member || urn:publicid:IDN+ma_name+user+user_name || urn:publicid:IDN+ma_name+authority+ma || 441 432 442 NB: This is an unprotected call, no client cert required.443 444 433 '''Arguments:''' 445 434 … … 460 449 Often this is a concatenatation of the trust roots of the included authorities. 461 450 462 NB: This is an '''unprotected''' call, no client cert required.463 464 451 '''Arguments:''' 465 452 … … 476 463 == Slice Authority API == 477 464 478 The Slice Authority API provides services to manage slices and their associated permissions. To support its AuthZ policies, a particular SA may choose to manage objects and relationships such as projects and slice/project membership. The SA API is thus divided into a set of services, each of which consists of a set of methods. Of these, only the SLICE service is required, the others are optional. If an SA implements a given service, it should implement the entire service as specified. All available SA service methods are available form the same SA URL. 
The get_version method should indicate, in the ‘SERVICES’ tag, which services the given SA supports. The following is a list of potential SA services. 465 The Slice Authority API provides services to manage slices and their associated permissions. To support its AuthZ policies, a particular SA may choose to manage objects and relationships such as projects and slice/project membership. The SA API is thus divided into a set of services, each of which consists of a set of methods. Of these, only the SLICE service is required, the others are optional. If an SA implements a given service, it should implement the entire service as specified. All available SA service methods are available from the same SA URL. The get_version method should indicate, in the ‘SERVICES’ tag, which services the given SA supports. 466 467 All SA calls are protected; passing and validating a client-side cert is required. 468 469 The following is a list of potential SA services. 479 470 480 471 … … 513 504 Provide details on the version, services and options supported by this SA 514 505 515 NB: This is an unprotected call, no client cert required.516 517 506 '''Arguments:''' 518 507 … … 853 842 As noted above, this document does not specify required policies for Federations. A given MA is free to implement its own policies. That said, the management of member private information is a subject for particular attention and care. 854 843 855 The protected APIs described here are standard SSL calls and can be invoked by anyone with their own SSL cert and private key. Reasonable security policy, however, should allow this call to succeed only if the following criteria are met: 844 All MA calls are protected; passing and validating a client-side cert is required. 
845 846 While each MA is free to implement its own authorization policy, reasonable security policy should allow calls to succeed only if the following criteria are met: 856 847 857 848 * The user/tool cert is signed by someone in the Federation's trust chain … … 860 851 * Access to private info (SSL or SSH keys) should be restricted only to the user’s own keys for ordinary users. 861 852 862 Like the Slice Authority, he Member Authority provides a set of services each consisting of a set of methods. Some services are required for any MA implementation, others are optional, as indicated by this table:853 Like the Slice Authority, the Member Authority provides a set of services each consisting of a set of methods. Some services are required for any MA implementation, others are optional, as indicated by this table: 863 854 864 855 || '''Service''' || '''Description''' || '''Required''' || … … 889 880 Return information about version and options (filter, query, credential types) accepted by this member authority 890 881 891 NB: This is an unprotected call, no client cert required.892 893 882 '''Arguments:''' 894 883 … … 905 894 /* 906 895 Lookup public information about members matching given criteria 907 908 NB: This is an unprotected call, no client cert required.909 896 910 897 '''Arguments:'''
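Review bot: the sentence added at line 31, "Registry API calls are unprotected. There is no notion of trust between Registries or between Registries and Authorities or Aggregates.", leaves open what a client is expected to verify, given that the same Registry is the source of the Federation's trust roots (line 460, "Often this is a concatenatation of the trust roots of the included authorities"). "Unprotected" in this document means no client certificate is required; it should not read as though the Registry endpoint itself needs no verification, because a tool that accepts trust roots from an unverified Registry has no basis for validating any SA or MA afterwards. Suggest stating whether unprotected calls still run over SSL, that the client must validate the Registry's server certificate against something obtained with the out-of-band URL (line 342), and that the trust roots returned should be checked against that same out-of-band information. While line 31 is being touched, "any Authority may chose" should read "may choose" and "a single Registries" should read "a single Registry".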
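Review bot: the replacement text at line 48 has a grammatical slip, "Such calls will noted in the API documentation below" should be "Such calls will be noted". The rewording from "no certificate and private key" to "no requirement for a validated client-side certificate" is more precise, since a server may request a certificate without validating it, but the same hunk removes the per-method convention ("NB: This is an unprotected call, no client cert required."), so a reader of one method description now has to locate the blanket statement at the head of its section. Suggest keeping a one-line marker on each unprotected method, or at least extending line 52 so that the absence of a "credentials" argument is stated to be the indicator, since that line already says unprotected methods take none.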
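Review bot: the added line 342 contains a doubled word, "validating any client-cert cert that is passed" should be "validating any client cert that is passed". In the unchanged context at line 340, "Registry addressees" should be "Registry addresses".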
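Review bot: the blanket statement added at line 467, "All SA calls are protected; passing and validating a client-side cert is required.", changes documented behaviour rather than restating it: the annotation removed at line 515 marked the SA get_version call as unprotected. If get_version is now meant to require a validated client cert, the change should be called out explicitly, and per line 52 it would then also need a "credentials" argument, which its argument list does not show. If that is not intended, the statement should carve it out, e.g. "All SA calls except get_version are protected". Note also that line 465 presents get_version as the way a tool learns which services an SA supports; requiring an accepted client cert to call it means a tool cannot discover an SA's requirements until it already holds a cert that SA accepts.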
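Review bot: the statement added at line 844, "All MA calls are protected; passing and validating a client-side cert is required.", has the same problem for the MA: the annotations removed at lines 891 and 908 marked get_version and the lookup of public member information as unprotected, and neither argument list gains a "credentials" argument. Making the public member lookup require a client cert is a policy change that deserves a sentence of its own, particularly since the surrounding text (line 842) stresses care in handling member information and the criteria list at line 860 distinguishes public from private data. The hunk also drops the sentence "The protected APIs described here are standard SSL calls and can be invoked by anyone with their own SSL cert and private key", which was the motivation for the criteria list that follows (any cert holder can reach the call, so the cert must be checked against the Federation's trust chain); suggest retaining that point in the rewritten line 846.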