#
# EMULAB-COPYRIGHT
# Copyright (c) 2008 University of Utah and the Flux Group.
# All rights reserved.
#

# ProtoGENI credential and privilege specification. The key points:
#
# * A credential is a set of privileges or a Ticket, each with a flag
#   to indicate delegation is permitted.
# * A credential is signed and the signature included in the body of the
#   document.
# * To support delegation, a credential will include its parent, and that
#   blob will be signed. So, there will be multiple signatures in the
#   document, each with a reference to the credential it signs.
#
#default namespace = "http://www.protogeni.net/resources/credential/0.1"

# Namespace of the XML-DSig elements that appear under <signatures>.
namespace sig = "http://www.w3.org/2000/09/xmldsig#"
# Explicit prefix for the XML Schema datatype library. The compact syntax
# also predeclares "xsd" for the same library, which is why both xs:ID and
# xsd:string occur in this file.
datatypes xs = "http://www.w3.org/2001/XMLSchema-datatypes"
# Wildcard content: any attributes, text and nested elements, in any order,
# with nothing checked. Every place that uses this pattern is accepted
# as-is by the schema, so its content has to be validated by the consumer.
anyelementbody = ( attribute * { text } | text | element * { anyelementbody } )*

# This is where we get the definition of RSpec from.
# NOTE(review): no pattern in this file refers to the included RSpec
# definitions (TicketSpec uses anyelementbody instead) — confirm the
# include is still needed.
include "../rspec/protogeni-rspec-common.rnc"

## Representation of a single privilege: a name plus a delegation flag.
PrivilegeSpec = element privilege {
    # Name of the privilege; must not be empty.
    element name { xsd:string { minLength = "1" } },
    # Whether the holder may delegate this privilege onward. xsd:boolean
    # admits "true"/"false" as well as "1"/"0".
    element can_delegate { xsd:boolean }
}

## A list of privileges, possibly empty.
PrivilegesSpec = element privileges {
    # An empty <privileges/> is schema-valid and simply grants nothing.
    PrivilegeSpec*
}

## Backwards compatibility with the original credential spec: a capability
## is a privilege whose delegation flag is spelled "0"/"1".
CapabilitySpec = element capability {
    # Name of the capability; must not be empty.
    element name { xsd:string { minLength = "1" } },
    # Delegation flag. Deliberately narrower than the xsd:boolean used by
    # PrivilegeSpec: "true"/"false" are rejected here.
    element can_delegate { "0" | "1" }
}
## Backwards compatibility with the original credential spec: a list of
## capabilities, possibly empty.
CapabilitiesSpec = element capabilities {
    CapabilitySpec*
}

## Stub for a future ticket: a time-limited promise of resources.
TicketSpec = element ticket {
    ## Can the ticket be delegated?
    element can_delegate { xsd:boolean },
    ## The ticket must be "cashed in" by this date.
    # Only the lexical form is checked; whether the date has passed is
    # for the consumer to decide.
    element redeem_before { xsd:dateTime },
    ## A description of the resources that are being promised.
    # Note: ideally this would reference RSpec from its own namespace, but
    # it is not clear how to express that, so the RSpec grammar is pulled
    # in by inclusion instead. As written the content is a wildcard, so the
    # schema does not check that a well-formed RSpec appears here.
    anyelementbody
}

## One or more XML-DSig signatures over the credentials in this document.
signatures = element signatures {
    # Each Signature is accepted as opaque content (anyelementbody): the
    # schema checks neither its structure nor which credential xml:id its
    # Reference names. Verifying every signature, and matching each one to
    # the credential it covers, is the consumer's job.
    element sig:Signature { anyelementbody }+
}

## A credential granting privileges or a ticket.
credentials = element credential {
    ## The ID for signature referencing.
    # A Signature's Reference is expected to name this ID. It is typed
    # xs:ID, so it should be unique across the whole document, including
    # any nested <parent> credentials.
    attribute xml:id { xs:ID },
    ## The type of this credential. Currently a Privilege set or a Ticket.
    # NOTE(review): nothing below ties this value to the body that is
    # actually present (PrivilegesSpec | TicketSpec | CapabilitiesSpec); a
    # document with type "ticket" and a <privileges> body is schema-valid.
    element type { "privilege" | "ticket" | "capability" },
    ## A serial number.
    element serial { xsd:string },
    ## UUID of the owner of this credential.
    # Plain xsd:string: UUID syntax is not enforced by the schema.
    element owner_uuid { xsd:string },
    ## UUID of the target of this credential.
    element target_uuid { xsd:string },
    ## UUID of this credential.
    element uuid { xsd:string },
    ## HRN
    element hrn { xsd:string },
    ## Expires on
    # Only the lexical form is checked; whether the date has passed, or is
    # later than a delegating parent's, is for the consumer to decide.
    element expires { xsd:dateTime },
    ## Privileges or a ticket
    ( PrivilegesSpec | TicketSpec | CapabilitiesSpec ),
    ## Optional Extensions
    # Wildcard content, any number of times; nothing inside is validated.
    element extensions { anyelementbody }*,
    ## Parent that delegated to us
    # Recursive: the delegating credential is embedded whole, so a chain of
    # delegations nests parent inside parent.
    element parent { credentials }?
}

## The document root: one credential plus the signatures that cover it.
SignedCredential = element signed-credential {
    credentials,
    # Optional, so a schema-valid document may carry no signature at all
    # (for instance before it has been signed). Validity against this
    # schema therefore says nothing about authenticity; the consumer has to
    # require and verify the signatures it expects.
    signatures?
}

# Validation begins at the <signed-credential> root.
start = SignedCredential