Changes between Version 17 and Version 18 of UniformClearinghouseAPIV2
- Timestamp:
- 11/13/13 08:18:39 (10 years ago)
Legend:
- Unmodified
- Added
- Removed
- Modified
-
UniformClearinghouseAPIV2
v17 v18 64 64 # Arguments: 65 65 # argl : ... 66 # credentials : list of {type : credential} tuples representing credentials provided by caller to support AuthZ on method call. 66 # credentials : list of {type : credential} tuples representing credentials 67 # provided by caller to support AuthZ on method call. 67 68 # [NB: This argument will be omitted in descriptions below. ] 68 69 # options : … [ Recognized options: ….] 69 70 # 70 71 # Return: 71 # E.g. a list of dictionaries with these fields mandatory (…) and these fields optional (…) 72 # E.g. a list of dictionaries with these fields mandatory (…) 73 # and these fields optional (…) 72 74 def fed_func (arg1, arg2, credentials, options) 73 75 }}} … … 93 95 * “PROTECT” attributes may be labeled as “PUBLIC”, “PRIVATE” or “IDENTIFYING”. These are for the Member Authority Only to differentiate between public, identifying and private data fields on members. The default, if not provided, is "PUBLIC", and thus this attribute is optional. 94 96 95 The FIELDS element of the get_version should contain all supplementary (non-mandatory) field objects supported by a given service. Additionally, it shouldcontain mandatory field objects for which the default semantics (for "CREATE", "MATCH", "UPDATE", "PROTECT") should be overridden. The FIELDS element is thus optional for all services.97 The FIELDS element of the get_version should contain all supplementary (non-mandatory) field objects supported by a given service. Additionally, it may contain mandatory field objects for which the default semantics (for "CREATE", "MATCH", "UPDATE", "PROTECT") should be overridden. The FIELDS element is thus optional for all services. 96 98 97 99 Supplementary field names should be placed in a distinct namespace by a prefix unique to that federation, and starting with an underscore (e.g _GENI_, _OFELIA_ , _FED4FIRE_ or _PROTOGENI_ etc.). … … 102 104 {{{ 103 105 #!python 104 # Return information about version and options (filter, query, credential types) accepted by this service 106 # Return information about version and options 107 # (e.g. filter, query, credential types) accepted by this service 105 108 # 106 109 # Arguments: None … … 212 215 {{{ 213 216 #!python 214 # Creates a new instance of the given object with a ‘fields’ option specifying particular field values that are to be associated with the object. 215 # These may only include those fields specified as ‘ALLOWED or ‘REQUIRED’ in the ‘Creation’ column of the object descriptions below 216 # or in the “CREATE’ key in the supplemental fields in the get_version specification for that object. 217 # If successful, the call returns a dictionary of the fields associated with the newly created object. 217 # Creates a new instance of the given object with a ‘fields’ option 218 # specifying particular field values that are to be associated with the object. 219 # These may only include those fields specified as ‘ALLOWED or ‘REQUIRED’ 220 # in the ‘Creation’ column of the object descriptions below 221 # or in the “CREATE’ key in the supplemental fields in the 222 # get_version specification for that object. 223 # If successful, the call returns a dictionary of the fields 224 # associated with the newly created object. 218 225 # 219 226 # … … 225 232 # 226 233 # Return: 227 # Dictionary of field/value pairs for created slice (e.g. slice URN, slice UUID, expiration and slice credential) 228 # 229 # Should return DUPLICATE_ERROR if creating a slice for which a non-expired slice of same name exists. 234 # Dictionary of field/value pairs for created slice 235 # (e.g. slice URN, slice UUID, expiration and slice credential) 236 # 237 # Should return DUPLICATE_ERROR if creating a slice for 238 # which a non-expired slice of same name exists. 230 239 def create(type, credentials, options) 231 240 }}} … … 233 242 {{{ 234 243 #!python 235 # Updates an object instance specified by URN with a ‘fields’ option specifying the particular fields to update. 236 # Only a single object can be updated from a single update call. The fields may include those specified as ‘Yes’ in the ‘Update’ column 237 # of the object descriptions below, or ’TRUE’ in the ‘UPDATE’ key in the supplemental fields provided by the get_version call. 238 # Note: There may be more than one entity of a given URN at an authority, but only one ‘live’ one (any other is archived and cannot be updated). 244 # Updates an object instance specified by URN with a ‘fields’ option 245 # specifying the particular fields to update. 246 # Only a single object can be updated from a single update call. 247 # The fields may include those specified as ‘Yes’ in the ‘Update’ column 248 # of the object descriptions below, or ’TRUE’ in the ‘UPDATE’ key in the 249 # supplemental fields provided by the get_version call. 250 # Note: There may be more than one entity of a given URN at an authority, 251 # but only one ‘live’ one (any other is archived and cannot be updated). 239 252 # 240 253 # Arguments: 241 254 # type: type of object to be updated 242 255 # urn: URN of object to update 243 # 244 # Options: Contains ‘fields’ key referring dictionary of name/value pairs to update256 # options: Contains ‘fields’ key referring dictionary of name/value pairs to update 257 # 245 258 # Return: None 246 259 # … … 266 279 #!python 267 280 # Lookup requested details for objects matching ‘match’ options. 268 # This call takes a set of ‘match’ criteria provided in the ‘options’ field, and returns a dictionary of dictionaries of object attributes keyed by object URN matching these criteria. 281 # This call takes a set of ‘match’ criteria provided in the ‘options’ field, 282 # and returns a dictionary of dictionaries of object attributes keyed by object URN matching these criteria. 269 283 # If a ‘filter’ option is provided, only those attributes listed in the ‘filter’ options are returned. 270 284 # The requirements on match criteria supported by a given service are service-specific; 271 # however it is recommended that policies restrict lookup calls to requests that are bounded to particular sets of explicitly listed objects (and not open-ended queries). 285 # however it is recommended that policies restrict lookup calls to requests that are bounded 286 # to particular sets of explicitly listed objects (and not open-ended queries). 287 # 288 # See additional details on the lookup method in the document section below. 272 289 # 273 290 # 274 291 # Arguments: 275 292 # type: type of objects for which details are being requested 276 # options: What details to provide (filter options) for which slices (match options) 277 # 278 # Return: List of dictionaries (indexed by object URN) with field/value pairs for each returned object 293 # options: What details to provide (filter options) 294 # for which objects (match options) 295 # 296 # Return: List of dictionaries (indexed by object URN) with field/value pairs 297 # for each returned object 279 298 # 280 299 def lookup (type, credentials, options) … … 434 453 { 435 454 … 436 "TYPES" : ["SLICE_AUTHORITY", "MEMBER_AUTHORITY", "AGGREGATE_MANAGER", ...] 455 "TYPES" : ["SLICE_AUTHORITY", "MEMBER_AUTHORITY", 456 "AGGREGATE_MANAGER", ...] 437 457 … 438 458 } 439 459 }}} 440 460 441 This table contains a set of exampleservices types (of which only SLICE_AUTHORITY, MEMBER_AUTHORITY and AGGREGATE_MANAGER are required for any given federation):461 This table contains a set of ''example'' services types (of which only SLICE_AUTHORITY, MEMBER_AUTHORITY and AGGREGATE_MANAGER are required for any given federation): 442 462 443 463 || ''' Service ''' || ''' Description ''' || … … 445 465 || MEMBER_AUTHORITY || An instance of the Member Authority Federation service described in this document || 446 466 || AGGREGATE_MANAGER || An instance of an Aggregate Manager satisfying the Aggregate Manager API || 447 || STITCHING_COMPUTATION_SERVICE || A top logy service for supporting cross-aggregate stitching ||467 || STITCHING_COMPUTATION_SERVICE || A topology service for supporting cross-aggregate stitching || 448 468 || CREDENTIAL_STORE || A service holding credentials for the federation, typically for supporting federation authentication services || 449 469 || LOGGING_SERVICE || A service to support federation-level event logging || … … 459 479 || SERVICE_NAME || String || Short name of service || Yes || No || 460 480 || SERVICE_DESCRIPTION || String || Descriptive name of service || No || No || 461 || SERVICE_PEERS || URLs and version info for other running version of same service (see below) || No || No ||462 463 The SERVICE_PEERS field is similar to that in the AM API: a list of {version", 'url'} dictionaries for other supported peer services . An example would be as follows:481 || SERVICE_PEERS || List of Dictionaries || URLs and version info for other running version of same service (see below) || No || No || 482 483 The SERVICE_PEERS field is similar to that in the AM API: a list of {version", 'url'} dictionaries for other supported peer services of different versions. An example would be as follows: 464 484 {{{ 465 485 [ … … 470 490 }}} 471 491 472 {{{ 473 #!python 474 # Provide a structure detailing the version information as well as details of accepted options for Registry API calls. 475 # 476 # Arguments: 477 # None 478 # 479 # Return: 480 # get_version structure information as described above 481 def get_version() 482 }}} 483 484 {{{ 485 #!python 486 # Return information about all aggregates associated with the Federation 487 # 488 # Arguments: 489 # options: 'match' and 'filter' options as described in standard lookup methods 490 # 491 # Return: 492 # dictionary indexed by service URN of name/value pairs for each returned service 493 def lookup(options) 494 }}} 495 492 The Registry API supports these standard API methods for type="SERVICE", with elaboration in the following table: 493 494 || ''' Method ''' || ''' Description ''' || 495 || lookup || lookup services matching given match criteria. || 496 497 Additionally, the Registry API supports the following methods: 496 498 497 499 The following method maps object URN's to authority URN's. Note that the transformation from the URN's of objects (e.g. slice, project, member) to the URN's of their authority is a simple one, for example: … … 569 571 || SLICE_PROJECT_URN || URN || URN of project to which slice is associated (if SA supports project) || Yes || Required (if SA supports project) || No || 570 572 571 To clarify the semantics of the SLICE_PROJECT_URN field ,it is a required field for those SAs that support the PROJECT service (and in this context may be matched and is required at creation time, but not updatable). In SAs that do not support projects, the field is not meaningful and should not be supported.573 To clarify the semantics of the SLICE_PROJECT_URN field: it is a required field for those SAs that support the PROJECT service (and in this context may be matched and is required at creation time, but not updatable). In SAs that do not support projects, the field is not meaningful and should not be supported. 572 574 573 575 NB: SLICE_NAME must adhere to the restrictions for slice names in the Aggregate Manager (AM) API, namely that it must be <= 19 characters, only alphanumeric plus hyphen, no leading hyphen. … … 578 580 || create || Creates a new slice with provided details || 579 581 || update || Updates given slice || 580 || --delete--|| Note: No SA should support slice deletion since there is no authoritative way to know that there aren't live slivers associated with that slice. ||581 || lookup || lookup slices matching given match criteria subject to authorization restrictions. ||582 || ~~delete~~ || Note: No SA should support slice deletion since there is no authoritative way to know that there aren't live slivers associated with that slice. || 583 || lookup || lookup slices matching given match criteria subject to authorization restrictions. || 582 584 583 585 Additionally, the Slice service provides the following methods: … … 585 587 {{{ 586 588 #!python 587 # Provide list of credentials for the invoking member relative to the given slice. If the invocation is in a speaks-for context, the credentials will be for the ‘spoken-for’ member, not the invoking tool. 588 # 589 # For example, this call may return a standard SFA Slice Credential and some ABAC credentials indicating the role of the member with respect to the slice. 590 # 591 # Note: When creating an SFA-style Slice Credential, the following roles typically allow users to operate at known GENI-compatible aggregates: "*" (asterisk) or the list of "refresh", "embed", "bind", "control" "info". 589 # Provide list of credentials for the invoking member relative to the given slice. 590 # If the invocation is in a speaks-for context, the credentials will be for the 591 # ‘spoken-for’ member, not the invoking tool. 592 # 593 # For example, this call may return a standard SFA Slice Credential and some 594 # ABAC credentials indicating the role of the member with respect to the slice. 595 # 596 # Note: When creating an SFA-style Slice Credential, the following roles typically 597 # allow users to operate at known GENI-compatible aggregates: "*" (asterisk) 598 # or the list of "refresh", "embed", "bind", "control" "info". 592 599 # 593 600 # Arguments: 594 601 # slice_urn: URN of slice for which to get member’s credentials 595 # options: Potentially contains ‘speaking-for’ key indicating a speaks-for invocation (with certificate of the accountable member in the credentials argument) 602 # options: Potentially contains ‘speaking-for’ key indicating a speaks-for 603 # invocation (with certificate of the accountable member in the credentials argument) 596 604 # Return: 597 # List of credential in “CREDENTIALS” format, i.e. a list of credentials with type information suitable for passing to aggregates speaking AM API V3. 605 # List of credential in “CREDENTIALS” format, i.e. a list of credentials with 606 # type information suitable for passing to aggregates speaking AM API V3. 598 607 def get_credentials(slice_urn, credentials, options) 599 608 }}} … … 609 618 {{{ 610 619 #!python 611 # Modify object membership, adding, removing and changing roles of members with respect to given object 612 # 613 # Arguments: 614 # type: type of object for whom to lookup membership (in the case of Slice Member Service, "SLICE", in the case of Project Member Service, "PROJECT") 620 # Modify object membership, adding, removing and changing roles of members 621 # with respect to given object 622 # 623 # Arguments: 624 # type: type of object for whom to lookup membership (in the case of 625 # Slice Member Service, "SLICE", in the case of Project Member Service, "PROJECT") 615 626 # urn: URN of slice/project for which to modify membership 616 627 # Options: 617 # members_to_add: List of member_urn/role tuples for members to add to slice/project of form {‘SLICE_MEMBER’ : member_urn, ‘SLICE_ROLE’ : role} (or 'PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 628 # members_to_add: List of member_urn/role tuples for members to add to 629 # slice/project of form {‘SLICE_MEMBER’ : member_urn, ‘SLICE_ROLE’ : role} 630 # (or 'PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 618 631 # members_to_remove: List of member_urn of members to remove from slice/project 619 # members_to_change: List of member_urn/role tuples for members whose role should change as specified for given slice/project of form {‘SLICE_MEMBER’ : member_urn, ‘SLICE_ROLE’ : role} (or 'PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 632 # members_to_change: List of member_urn/role tuples for members whose role 633 # should change as specified for given slice/project of form 634 # {‘SLICE_MEMBER’ : member_urn, ‘SLICE_ROLE’ : role} 635 # (or 'PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 620 636 # 621 637 # Return: … … 629 645 # 630 646 # Arguments: 631 # type: type of object for whom to lookup membership (in the case of Slice Member Service, "SLICE", in the case of Project Member Service, "PROJECT") 647 # type: type of object for whom to lookup membership 648 # (in the case of Slice Member Service, "SLICE", 649 # in the case of Project Member Service, "PROJECT") 632 650 # urn: URN of object for which to provide current members and roles 633 651 # 634 652 # Return: 635 # List of dictionaries of member_urn/role pairs [{‘SLICE_MEMBER’: member_urn, ‘SLICE_ROLE’: role }...] (or PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) where ‘role’ is a string of the role name. 653 # List of dictionaries of member_urn/role pairs 654 # [{‘SLICE_MEMBER’: member_urn, ‘SLICE_ROLE’: role }...] 655 # (or PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 656 # where ‘role’ is a string of the role name. 636 657 def lookup_members(type, urn, credentials, options) 637 658 }}} … … 645 666 # 646 667 # Return: 647 # List of dictionary of urn/role pairs [(‘SLICE_URN’ : slice_urn, ‘SLICE_ROLE’ : role} ...] (or PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) for each object to which a member belongs, where role is a string of the role name 668 # List of dictionary of urn/role pairs [(‘SLICE_URN’ : slice_urn, ‘SLICE_ROLE’ : role} ...] 669 # (or PROJECT_MEMBER/PROJECT_ROLE for Project Member Service) 670 # for each object to which a member belongs, where role is a string of the role name 648 671 def lookup_for_member(type, member_urn, credentials, options) 649 672 }}} … … 764 787 #!python 765 788 # Provide list of credentials (signed statements) for given member 766 # This is member-specific information suitable for passing as credentials in an AM API call for aggregate authorization. 789 # This is member-specific information suitable for passing as credentials in 790 # an AM API call for aggregate authorization. 767 791 # Arguments: 768 792 # member_urn: URN of member for which to retrieve credentials 769 # options: Potentially contains ‘speaking-for’ key indicating a speaks-for invocation (with certificate of the accountable member in the credentials argument) 793 # options: Potentially contains ‘speaking-for’ key indicating a speaks-for 794 # invocation (with certificate of the accountable member in the credentials argument) 770 795 # 771 796 # Return: 772 # List of credential in “CREDENTIALS” format, i.e. a list of credentials with type information suitable for passing to aggregates speaking AM API V3. 797 # List of credential in “CREDENTIALS” format, i.e. a list of credentials with 798 # type information suitable for passing to aggregates speaking AM API V3. 773 799 def get_credentials(member_urn, credentials, options) 774 800 }}}