<?xml version="1.0" encoding="UTF-8"?>
<!--
  
  EMULAB-COPYRIGHT
  Copyright (c) 2008 University of Utah and the Flux Group.
  All rights reserved.
  
-->
<!--
  ProtoGENI credential and privilege specification. The key points:
  
  * A credential is a set of privileges or a Ticket, each with a flag
    to indicate delegation is permitted.
  * A credential is signed and the signature included in the body of the
    document.
  * To support delegation, a credential will include its parent, and that
    blob will be signed. So, there will be multiple signatures in the
    document, each with a reference to the credential it signs.
  
  default namespace = "http://www.protogeni.net/resources/credential/0.1"
-->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
  <!-- NOTE(review): no targetNamespace is declared on this schema, although the
       header comment names a default namespace of
       http://www.protogeni.net/resources/credential/0.1. As written, the
       elements defined below are in no namespace; confirm which is intended. -->
  <!-- Chameleon include: the included schema takes on this schema's (absent)
       target namespace. Presumably this is the include that the "definition
       of RSpec" comment further down refers to. -->
  <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
  <!-- XML-DSig (sig:Signature) and the xml: attribute namespace (xml:id).
       schemaLocation is only a hint; a validator should resolve these from a
       local, trusted copy rather than fetching whatever the hint points at. -->
  <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
  <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
  <!-- Wildcard content. processContents="skip" means whatever appears here is
       not validated against any schema at all, so schema validity says nothing
       about the structure of a ticket body; the consumer must check it. -->
  <xs:group name="anyelementbody">
    <xs:sequence>
      <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
    </xs:sequence>
  </xs:group>
  <!-- Likewise for attributes: any attribute from any namespace, unvalidated. -->
  <xs:attributeGroup name="anyelementbody">
    <xs:anyAttribute processContents="skip"/>
  </xs:attributeGroup>
  <!-- This is where we get the definition of RSpec from -->
  <!-- One named privilege plus its delegation flag. can_delegate is xs:boolean
       here, so "true", "false", "1" and "0" are all accepted; compare with
       capability below, whose can_delegate admits only "0"/"1". -->
  <xs:element name="privilege">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="name"/>
        <xs:element name="can_delegate" type="xs:boolean"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Non-empty name, shared by privilege and capability. -->
  <xs:element name="name">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:minLength value="1"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <!-- Zero or more privileges; an empty <privileges/> is schema-valid. -->
  <xs:element name="privileges">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Like privilege, but can_delegate is restricted to the tokens "0"/"1"
       rather than xs:boolean, so "true"/"false" are rejected here and accepted
       in privilege and ticket. Code reading the flag must handle both forms. -->
  <xs:element name="capability">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="name"/>
        <xs:element name="can_delegate">
          <xs:simpleType>
            <xs:restriction base="xs:token">
              <xs:enumeration value="0"/>
              <xs:enumeration value="1"/>
            </xs:restriction>
          </xs:simpleType>
        </xs:element>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Zero or more capabilities; an empty <capabilities/> is schema-valid. -->
  <xs:element name="capabilities">
    <xs:complexType>
      <xs:sequence>
        <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Ticket body. mixed="true" allows free text between the children, and the
       anyelementbody group/attributeGroup accept arbitrary, unvalidated
       elements and attributes after redeem_before. -->
  <xs:element name="ticket">
    <xs:complexType mixed="true">
      <xs:sequence>
        <xs:element name="can_delegate" type="xs:boolean">
          <xs:annotation>
            <xs:documentation>Can the ticket be delegated?</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element ref="redeem_before"/>
        <xs:group ref="anyelementbody">
          <xs:annotation>
            <xs:documentation>A description of the resources that are being promised</xs:documentation>
          </xs:annotation>
        </xs:group>
      </xs:sequence>
      <xs:attributeGroup ref="anyelementbody"/>
    </xs:complexType>
  </xs:element>
  <!-- xs:dateTime permits a value with no timezone; a consumer comparing this
       against the current time needs a rule for such values. -->
  <xs:element name="redeem_before" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>The ticket must be "cashed in" by this date </xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- One or more XML-DSig signatures. Per the header comment, each signature
       references the credential it signs; the schema cannot express that
       binding, so the verifier must check that each Signature's reference
       resolves to the intended credential (presumably via the required xml:id
       on credential) and that the signing key is trusted. -->
  <xs:element name="signatures">
    <xs:complexType>
      <xs:sequence>
        <xs:element maxOccurs="unbounded" ref="sig:Signature"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <!-- Wrapper type holding exactly one credential. Used both as the base of
       signed-credential and as the type of a delegation parent. -->
  <xs:complexType name="credentials">
    <xs:annotation>
      <xs:documentation>A credential granting privileges or a ticket.</xs:documentation>
    </xs:annotation>
    <xs:sequence>
      <xs:element ref="credential"/>
    </xs:sequence>
  </xs:complexType>
  <!-- The credential proper: identity fields, an expiry, exactly one of
       privileges / ticket / capabilities, and an optional delegation parent. -->
  <xs:element name="credential">
    <xs:complexType>
      <xs:sequence>
        <xs:element ref="type"/>
        <xs:element ref="serial"/>
        <xs:element ref="owner_uuid"/>
        <xs:element ref="target_uuid"/>
        <xs:element ref="uuid"/>
        <xs:element ref="hrn"/>
        <xs:element ref="expires"/>
        <!-- The schema does not tie the value of <type> to which branch of this
             choice is present; that agreement has to be checked by the consumer. -->
        <xs:choice>
          <xs:annotation>
            <xs:documentation>Privileges or a ticket</xs:documentation>
          </xs:annotation>
          <xs:element ref="privileges"/>
          <xs:element ref="ticket"/>
          <xs:element ref="capabilities"/>
        </xs:choice>
        <!-- Delegation chain: the parent credential is embedded here. A parent
             carries no signatures element of its own (type credentials holds
             only a credential), so per the header comment its signature is
             expected among the top-level signatures. -->
        <xs:element minOccurs="0" ref="parent"/>
      </xs:sequence>
      <!-- Required document-unique ID; presumably what a Signature's Reference
           points at. -->
      <xs:attribute ref="xml:id" use="required"/>
    </xs:complexType>
  </xs:element>
  <!-- Three kinds are enumerated, matching the three branches of the choice in
       credential. -->
  <xs:element name="type">
    <xs:annotation>
      <xs:documentation>The type of this credential: a Privilege set, a Ticket, or a Capability set.</xs:documentation>
    </xs:annotation>
    <xs:simpleType>
      <xs:restriction base="xs:token">
        <xs:enumeration value="privilege"/>
        <xs:enumeration value="ticket"/>
        <xs:enumeration value="capability"/>
      </xs:restriction>
    </xs:simpleType>
  </xs:element>
  <xs:element name="serial" type="xs:string">
    <xs:annotation>
      <xs:documentation>A serial number.</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- The three *_uuid / uuid elements are plain xs:string with no pattern, so
       the schema accepts any text here; UUID syntax must be checked elsewhere
       if it matters. -->
  <xs:element name="owner_uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of the owner of this credential. </xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="target_uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of the target of this credential. </xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="uuid" type="xs:string">
    <xs:annotation>
      <xs:documentation>UUID of this credential</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="hrn" type="xs:string">
    <xs:annotation>
      <xs:documentation>HRN</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- As with redeem_before, a timezone-less xs:dateTime is lexically valid. -->
  <xs:element name="expires" type="xs:dateTime">
    <xs:annotation>
      <xs:documentation>Expires on</xs:documentation>
    </xs:annotation>
  </xs:element>
  <xs:element name="parent" type="credentials">
    <xs:annotation>
      <xs:documentation>Parent that delegated to us</xs:documentation>
    </xs:annotation>
  </xs:element>
  <!-- Document root for a signed credential. Note that signatures is
       minOccurs="0": a signed-credential with no signatures at all is
       schema-valid, so the presence and validity of signatures must be
       enforced by the consumer, not by validation against this schema. -->
  <xs:element name="signed-credential">
    <xs:complexType>
      <xs:complexContent>
        <xs:extension base="credentials">
          <xs:sequence>
            <xs:element minOccurs="0" ref="signatures"/>
          </xs:sequence>
        </xs:extension>
      </xs:complexContent>
    </xs:complexType>
  </xs:element>
</xs:schema>