1 <?xml version="1.0" encoding="UTF-8"?>
5 Copyright (c) 2008-2009 University of Utah and the Flux Group.
10 PlanetLab credential specification. The key points:
12 * A credential is a set of privileges, a set of capabilities, or a Ticket;
13 each privilege, capability or ticket carries a flag saying whether it may be delegated.
14 * A credential is signed and the signature included in the body of the
16 * To support delegation, a delegated credential embeds its parent credential, and that
17 embedded blob is signed as well. A document may therefore carry several signatures,
18 each referencing (presumably via the credential's required xml:id) the credential it signs.
20 default namespace = "http://www.planet-lab.org/resources/ext/credential/1"
22 <xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
23 <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
24 <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
25 <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
26 <xs:group name="anyelementbody">
<!-- Wildcard child content with processContents="skip": the validator performs no
     checking at all on whatever appears here, so anything placed in a ticket or an
     extensions element reaches the consumer unvalidated and must be handled as
     untrusted input (parsed defensively, size and depth bounded). -->
28 <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
31 <xs:attributeGroup name="anyelementbody">
<!-- Same for attributes: any attribute from any namespace is accepted unchecked. -->
32 <xs:anyAttribute processContents="skip"/>
34 <!-- This is where we get the definition of RSpec from -->
35 <xs:element name="privilege">
<!-- One named privilege and its delegation flag. can_delegate is xs:boolean, so the
     lexical forms "true", "false", "1" and "0" are all valid here. -->
38 <xs:element ref="name"/>
39 <xs:element name="can_delegate" type="xs:boolean"/>
43 <xs:element name="name">
<!-- Privilege/capability name: any non-empty string. No character set or maximum
     length is imposed by the schema. NOTE(review): consumers should match names
     exactly against a known list rather than interpret them. -->
45 <xs:restriction base="xs:string">
46 <xs:minLength value="1"/>
50 <xs:element name="privileges">
<!-- A possibly empty list of privilege elements. -->
53 <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
57 <xs:element name="capability">
<!-- One named capability and its delegation flag.
     NOTE(review): unlike privilege and ticket, whose can_delegate is xs:boolean
     (accepting "true"/"false" as well as "1"/"0"), this one admits only the literal
     tokens "0" and "1". A consumer that compares the raw string must handle both
     conventions or it will misread one of the two forms. -->
60 <xs:element ref="name"/>
61 <xs:element name="can_delegate">
63 <xs:restriction base="xs:token">
64 <xs:enumeration value="0"/>
65 <xs:enumeration value="1"/>
72 <xs:element name="capabilities">
<!-- A possibly empty list of capability elements. -->
75 <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
79 <xs:element name="ticket">
<!-- A ticket: delegation flag, redemption deadline, and a free-form description of
     the promised resources. mixed="true" together with the anyelementbody wildcards
     (processContents="skip") means the resource description is accepted with no
     validation whatsoever; the consumer must parse and bound it as untrusted data
     and must not grant resources on the strength of schema validity alone. -->
80 <xs:complexType mixed="true">
82 <xs:element name="can_delegate" type="xs:boolean">
84 <xs:documentation>Can the ticket be delegated?</xs:documentation>
87 <xs:element ref="redeem_before"/>
88 <xs:group ref="anyelementbody">
90 <xs:documentation>A description of the resources that are being promised</xs:documentation>
94 <xs:attributeGroup ref="anyelementbody"/>
97 <xs:element name="redeem_before" type="xs:dateTime">
<!-- NOTE(review): xs:dateTime allows a value without a timezone designator, which
     is ambiguous. A consumer comparing this deadline against the current time
     should either reject zone-less values or normalize them in one documented way. -->
99 <xs:documentation>The ticket must be "cashed in" by this date </xs:documentation>
102 <xs:element name="signatures">
<!-- One or more XML-DSig Signature elements. Schema validation only checks that they
     are structurally valid DSig: it does not verify them and cannot check that each
     Reference really covers the credential (or parent) it claims to sign. Note also
     that signed-credential declares this element minOccurs="0", so a document with
     no signatures at all still validates. The consumer must require the element,
     verify every signature, and confirm what each one covers before trusting the
     credential. -->
105 <xs:element maxOccurs="unbounded" ref="sig:Signature"/>
109 <xs:complexType name="credentials">
111 <xs:documentation>A credential granting privileges, capabilities, or a ticket.</xs:documentation>
<!-- Wrapper type holding exactly one credential. Reused both as the base of
     signed-credential and as the type of the nested parent element. -->
114 <xs:element ref="credential"/>
117 <xs:element name="credential">
<!-- The credential body. Validity against this schema is purely structural; the
     checks a relying party actually needs are beyond what XSD can express and
     must be done by the consumer:
       - owner_gid and target_gid are plain strings; the GID encoding is not
         validated here.
       - expires is xs:dateTime with an optional timezone designator, so compare
         it in a consistent zone.
       - parent nests another full credential with no depth bound; whether the
         delegated credential is consistent with its parent (who may delegate
         what, to whom, until when) is not checked by the schema.
       - xml:id is required and is presumably the target of each sig:Signature
         Reference. Duplicate ids within one document must be rejected, otherwise
         an ID-based Reference can resolve to an element other than the one the
         consumer acts on (the classic signature-wrapping problem). -->
120 <xs:element ref="type"/>
121 <xs:element ref="serial"/>
122 <xs:element ref="owner_gid"/>
123 <xs:element minOccurs="0" ref="owner_urn"/>
124 <xs:element ref="target_gid"/>
125 <xs:element minOccurs="0" ref="target_urn"/>
126 <xs:element ref="uuid"/>
127 <xs:element ref="expires"/>
130 <xs:documentation>Privileges, capabilities, or a ticket</xs:documentation>
132 <xs:element ref="privileges"/>
133 <xs:element ref="ticket"/>
134 <xs:element ref="capabilities"/>
136 <xs:element minOccurs="0" maxOccurs="unbounded" ref="extensions"/>
137 <xs:element minOccurs="0" ref="parent"/>
139 <xs:attribute ref="xml:id" use="required"/>
142 <xs:element name="type">
144 <xs:documentation>The type of this credential: a privilege set, a ticket, or a capability set.</xs:documentation>
<!-- Keep this enumeration in step with the privileges/ticket/capabilities choice in
     credential. The schema does not check that the type value agrees with which of
     those elements is actually present; a consumer should not dispatch on type
     without confirming the matching element exists. -->
147 <xs:restriction base="xs:token">
148 <xs:enumeration value="privilege"/>
149 <xs:enumeration value="ticket"/>
150 <xs:enumeration value="capability"/>
154 <xs:element name="serial" type="xs:string">
<!-- Free-form string; no format or uniqueness constraint is imposed by the schema. -->
156 <xs:documentation>A serial number.</xs:documentation>
159 <xs:element name="owner_gid" type="xs:string">
<!-- Typed as xs:string: the GID encoding is not validated by the schema, so the
     consumer must parse it defensively. -->
161 <xs:documentation>GID of the owner of this credential. </xs:documentation>
164 <xs:element name="owner_urn" type="xs:string">
<!-- NOTE(review): this appears to duplicate information carried in owner_gid for
     consumers that cannot parse DER. A consumer that can parse the GID should
     check the two agree rather than rely on the URN alone. -->
166 <xs:documentation>URN of the owner. Not everyone can parse DER</xs:documentation>
169 <xs:element name="target_gid" type="xs:string">
<!-- Typed as xs:string: the GID encoding is not validated by the schema. -->
171 <xs:documentation>GID of the target of this credential. </xs:documentation>
174 <xs:element name="target_urn" type="xs:string">
<!-- NOTE(review): presumably a convenience copy of the URN in target_gid; a consumer
     able to parse the GID should verify the two agree rather than trust the URN alone. -->
176 <xs:documentation>URN of the target.</xs:documentation>
179 <xs:element name="uuid" type="xs:string">
<!-- Plain string; the UUID format is not enforced by the schema. -->
181 <xs:documentation>UUID of this credential</xs:documentation>
184 <xs:element name="expires" type="xs:dateTime">
<!-- Expiry as xs:dateTime; the timezone designator is optional, so a consumer should
     reject or consistently normalize zone-less values before comparing with "now".
     NOTE(review): the schema does not relate this to a parent credential's expiry. -->
186 <xs:documentation>Expires on</xs:documentation>
189 <xs:element name="extensions">
191 <xs:documentation>Optional Extensions</xs:documentation>
<!-- Unbounded in credential and entirely unvalidated (mixed content plus the
     processContents="skip" wildcards). A consumer must not grant anything based on
     extension content it has not parsed and checked itself. -->
193 <xs:complexType mixed="true">
194 <xs:group ref="anyelementbody"/>
195 <xs:attributeGroup ref="anyelementbody"/>
198 <xs:element name="parent" type="credentials">
<!-- Recursive: a parent holds a full credential, which may itself hold a parent, with
     no depth bound in the schema. Consumers should cap the chain length they will
     walk and verify each link's signature, not just the outermost one. -->
200 <xs:documentation>Parent that delegated to us</xs:documentation>
203 <xs:element name="signed-credential">
206 <xs:extension base="credentials">
208 <xs:element minOccurs="0" ref="signatures"/>