Authentication: credential.rnc

File credential.rnc, 3.2 kB (added by stoller, 4 years ago)
Line 
1 #
2 # EMULAB-COPYRIGHT
3 # Copyright (c) 2008 University of Utah and the Flux Group.
4 # All rights reserved.
5 #
6
7 # ProtoGENI credential and privilege specification. The key points:
8 #
9 # * A credential is a set of privileges or a Ticket, each with a flag
10 #   to indicate delegation is permitted.
11 # * A credential is signed and the signature included in the body of the
12 #   document.
13 # * To support delegation, a credential will include its parent, and that
14 #   blob will be signed. So, there will be multiple signatures in the
15 #   document, each with a reference to the credential it signs.
16 #
17 #default namespace = "http://www.protogeni.net/resources/credential/0.1"
18
19 namespace sig  = "http://www.w3.org/2000/09/xmldsig#"
20 datatypes xs   = "http://www.w3.org/2001/XMLSchema-datatypes"
21 anyelementbody = (attribute * {text} | text | element * {anyelementbody} )*
22
23 # This is where we get the definition of RSpec from
24 include "../rspec/protogeni-rspec-common.rnc"
25
26 ## Representation of a single privileges.
27 PrivilegeSpec = element privilege {
28         # Name of the privilege.
29         element name { xsd:string { minLength = "1" }},
30         # Flag indicating this privilege can be delegated
31         element can_delegate { xsd:boolean }
32 }
33
34 ## A set of privileges.
35 PrivilegesSpec = element privileges {
36         PrivilegeSpec*
37 }
38
39 ## Backwards compat my original credential spec.
40 CapabilitySpec = element capability {
41         # Name of the capability.
42         element name { xsd:string { minLength = "1" }},
43         # Flag indicating this capability can be delegated
44         element can_delegate { "0" | "1" }
45 }
46 ## Backwards compat my original credential spec.
47 CapabilitiesSpec = element capabilities {
48         CapabilitySpec*
49 }
50
51 ## Define a stub for future ticket.
52 TicketSpec = element ticket {
53         ## Can the ticket be delegated?
54         element can_delegate { xsd:boolean },
55         ## The ticket must be "cashed in" by this date
56         element redeem_before { xsd:dateTime },
57         ## A desciption of the resources that are being promised
58         # Note: What I really want to do here is reference RSpec as being
59         # in a separate namespace. But, it's not clear to me how to do this,
60         # so we basically just use by inclusion
61         anyelementbody
62 }
63
64 ## A list of signatures.
65 signatures = element signatures {
66     element sig:Signature { anyelementbody }+
67 }
68
69 ## A credential granting privileges or a ticket.
70 credentials = element credential {
71     ## The ID for signature referencing.
72     attribute xml:id {xs:ID},
73     ## The type of this credential. Currently a Privilege set or a Ticket.
74     element type { "privilege" | "ticket" | "capability" },
75     ## A serial number.
76     element serial { xsd:string },
77     ## GID of the owner of this credential.
78     element owner_gid { xsd:string },
79     ## GID of the target of this credential.
80     element target_gid { xsd:string },
81     ## UUID of this credential
82     element uuid { xsd:string },
83     ## Expires on
84     element expires { xsd:dateTime },
85     ## Privileges or a ticket
86     (PrivilegesSpec | TicketSpec | CapabilitiesSpec),
87     ## Optional Extensions
88     element extensions { anyelementbody }*,
89     ## Parent that delegated to us
90     element parent { credentials }?
91 }
92
93 SignedCredential = element signed-credential {
94     credentials,
95     signatures?
96 }
97
98 start = SignedCredential