Changes between Version 58 and Version 59 of UniformClearinghouseAPI


Ignore:
Timestamp:
09/15/13 09:10:23 (11 years ago)
Author:
mbrinn@bbn.com
Comment:

SR is all unprotected, MA/SA are all protected.

Legend:

Unmodified
Added
Removed
Modified
  • UniformClearinghouseAPI

    v58 v59  
    2929The Authorities of any given Federation are free to implement their own Authorization (AuthZ) scheme. The API’s allow for passing credentials to the calls, but an Authority may choose to allow or disallow calls using logic and policies that are internal to that Federation. There is no universal (cross-Federation) requirement for any particular policy regarding Authority AuthZ.
    3030
    31 Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority.  A Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Registries or by multiple Registries. Registry API calls are unprotected: there is no notion of trust between Registries or between Registries and Authorities or Aggregates.
     31Authorities are fundamentally independent of one another. The objects defined at one Authority are not necessarily entitled to any services provided by another Authority. Each aggregate may choose to trust or not trust any particular Authority. Likewise, any Authority may chose to trust or not trust any other Authority.  A Registry may choose to advertise or not advertise any particular aggregate, regardless of whether that aggregate trusts the Authorities advertised by that Registry. Similarly, a given Slice Authority or Member Authority may be advertised by a single Registries or by multiple Registries. Registry API calls are unprotected. There is no notion of trust between Registries or between Registries and Authorities or Aggregates.
    3232
    3333This document describes the APIs of the Registry as well as the MA and SA. It is expected that a well-behaved GENI-compatible tool will allow for interacting with any Registry and Authority that implement the standard API’s described in this document.
     
    4646The APIs described here share some common properties, which should be assumed for the rest of this document:
    4747 * The wire-protocol is XML/RPC. It is thus language independent on both client and server side of the API calls.
    48  * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no certificate and private key.
    49  * Unprotected calls will be identified in API documentation with the annotation:
    50         ''NB: This is an ''' unprotected call ''', no client cert required.''
     48 * Most calls are protected, running over SSL and thus requiring the caller to use its certificate and private key. Certain calls are unprotected and can be accessed with no requirement for a validated client-side certificate . Such calls will noted in the API documentation below.
    5149 * Each call takes an ‘options’ argument, a dictionary allowing for passing specific non-standard/optional arguments
    5250 * Each protected method takes a ‘credentials’ argument, a list of type/credential tuples that help the Registry or Authority invoke whatever AuthZ logic it may choose. As noted above, the Registry or Authority may choose to use or disregard these credentials. Unprotected methods do not take a ‘credentials’ argument.
     
    342340The Registry provides a list of Slice Authorities, Member Authorities and Aggregates associated with a given Federation. The URL for accessing these methods (i.e. the URL of the Registry) is to be provided out-of-band (i.e. there is no global service for gaining access to Registry addressees).
    343341
     342All Registry calls are unprotected; they have no requirement for passing a client-side cert or validating any client-cert cert that is passed.
     343
    344344The following table describes the default fields for services (aggregates and authorities) provided by Registry API calls:
    345345
     
    357357Provide a structure detailing the version information as well as details of accepted options for Registry API calls.
    358358
    359 NB: This is an '''unprotected''' call, no client cert required.
    360 
    361359'''Arguments:'''
    362360
     
    375373Return information about all aggregates associated with the Federation
    376374
    377 
    378 NB: This is an unprotected call, no client cert required.
    379 
    380375'''Arguments:'''
    381376
     
    394389Return information about all MA’s associated with the Federation
    395390
    396 NB: This is an '''unprotected''' call, no client cert required.
    397 
    398391'''Arguments:'''
    399392
     
    411404
    412405Return information about all SA’s associated with the Federation
    413 
    414 NB: This is an '''unprotected''' call, no client cert required.
    415406
    416407'''Arguments:'''
     
    440431|| Member || urn:publicid:IDN+ma_name+user+user_name || urn:publicid:IDN+ma_name+authority+ma ||
    441432
    442 NB: This is an unprotected call, no client cert required.
    443 
    444433'''Arguments:'''
    445434
     
    460449Often this is a concatenatation of the trust roots of the included authorities.
    461450
    462 NB: This is an '''unprotected''' call, no client cert required.
    463 
    464451'''Arguments:'''
    465452
     
    476463== Slice Authority API ==
    477464
    478 The Slice Authority API provides services to manage slices and their associated permissions. To support its AuthZ policies, a particular SA may choose to manage objects and relationships such as projects and slice/project membership. The SA API is thus divided into a set of services, each of which consists of a set of methods. Of these, only the SLICE service is required, the others are optional. If an SA implements a given service, it should implement the entire service as specified. All available SA service methods are available form the same SA URL. The get_version method should indicate, in the ‘SERVICES’ tag, which services the given SA supports. The following is a list of potential SA services.
     465The Slice Authority API provides services to manage slices and their associated permissions. To support its AuthZ policies, a particular SA may choose to manage objects and relationships such as projects and slice/project membership. The SA API is thus divided into a set of services, each of which consists of a set of methods. Of these, only the SLICE service is required, the others are optional. If an SA implements a given service, it should implement the entire service as specified. All available SA service methods are available from the same SA URL. The get_version method should indicate, in the ‘SERVICES’ tag, which services the given SA supports.
     466
     467All SA calls are protected; passing and validating a client-side cert is required.
     468
     469The following is a list of potential SA services.
    479470
    480471
     
    513504Provide details on the version, services and options supported by this SA
    514505
    515 NB: This is an unprotected call, no client cert required.
    516 
    517506'''Arguments:'''
    518507
     
    853842As noted above, this document does not specify required policies for Federations. A given MA is free to implement its own policies. That said, the management of member private information is a subject for particular attention and care.
    854843
    855 The protected APIs described here are standard SSL calls and can be invoked by anyone with their own SSL cert and private key. Reasonable security policy, however, should allow this call to succeed only if the following criteria are met:
     844All MA calls are protected; passing and validating a client-side cert is required.
     845
     846 While each MA is free to implement its own authorization policy, reasonable security policy should allow calls to succeed only if the following criteria are met:
    856847
    857848 * The user/tool cert is signed by someone in the Federation's trust chain
     
    860851 * Access to private info (SSL or SSH keys) should be restricted only to the user’s own keys for ordinary users.
    861852
    862 Like the Slice Authority, he Member Authority provides a set of services each consisting of a set of methods. Some services are required for any MA implementation, others are optional, as indicated by this table:
     853Like the Slice Authority, the Member Authority provides a set of services each consisting of a set of methods. Some services are required for any MA implementation, others are optional, as indicated by this table:
    863854
    864855|| '''Service''' || '''Description''' || '''Required''' ||
     
    889880Return information about version and options (filter, query, credential types) accepted by this member authority
    890881
    891 NB: This is an unprotected call, no client cert required.
    892 
    893882'''Arguments:'''
    894883
     
    905894/*
    906895Lookup public information about members matching given criteria
    907 
    908 NB: This is an unprotected call, no client cert required.
    909896
    910897'''Arguments:'''