--- /dev/null
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+
+ GENIPUBLIC-COPYRIGHT
+ Copyright (c) 2008-2009 University of Utah and the Flux Group.
+ All rights reserved.
+
+-->
+<!--
+ ProtoGENI credential and privilege specification. The key points:
+
+ * A credential is a set of privileges or a Ticket, each with a flag
+ to indicate delegation is permitted.
+ * A credential is signed and the signature included in the body of the
+ document.
+ * To support delegation, a credential will include its parent, and that
+ blob will be signed. So, there will be multiple signatures in the
+ document, each with a reference to the credential it signs.
+
+ default namespace = "http://www.protogeni.net/resources/credential/0.1"
+-->
+<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" xmlns:sig="http://www.w3.org/2000/09/xmldsig#">
+ <xs:include schemaLocation="protogeni-rspec-common.xsd"/>
+ <xs:import namespace="http://www.w3.org/2000/09/xmldsig#" schemaLocation="sig.xsd"/>
+ <xs:import namespace="http://www.w3.org/XML/1998/namespace" schemaLocation="xml.xsd"/>
+ <xs:group name="anyelementbody">
+ <xs:sequence>
+ <xs:any minOccurs="0" maxOccurs="unbounded" processContents="skip"/>
+ </xs:sequence>
+ </xs:group>
+ <xs:attributeGroup name="anyelementbody">
+ <xs:anyAttribute processContents="skip"/>
+ </xs:attributeGroup>
+ <!-- This is where we get the definition of RSpec from -->
+ <xs:element name="privilege">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element ref="name"/>
+ <xs:element name="can_delegate" type="xs:boolean"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="name">
+ <xs:simpleType>
+ <xs:restriction base="xs:string">
+ <xs:minLength value="1"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ <xs:element name="privileges">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="privilege"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="capability">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element ref="name"/>
+ <xs:element name="can_delegate">
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="0"/>
+ <xs:enumeration value="1"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="capabilities">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="capability"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="ticket">
+ <xs:complexType mixed="true">
+ <xs:sequence>
+ <xs:element name="can_delegate" type="xs:boolean">
+ <xs:annotation>
+ <xs:documentation>Can the ticket be delegated?</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element ref="redeem_before"/>
+ <xs:group ref="anyelementbody">
+ <xs:annotation>
+ <xs:documentation>A desciption of the resources that are being promised</xs:documentation>
+ </xs:annotation>
+ </xs:group>
+ </xs:sequence>
+ <xs:attributeGroup ref="anyelementbody"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="redeem_before" type="xs:dateTime">
+ <xs:annotation>
+ <xs:documentation>The ticket must be "cashed in" by this date </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="signatures">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element maxOccurs="unbounded" ref="sig:Signature"/>
+ </xs:sequence>
+ </xs:complexType>
+ </xs:element>
+ <xs:complexType name="credentials">
+ <xs:annotation>
+ <xs:documentation>A credential granting privileges or a ticket.</xs:documentation>
+ </xs:annotation>
+ <xs:sequence>
+ <xs:element ref="credential"/>
+ </xs:sequence>
+ </xs:complexType>
+ <xs:element name="credential">
+ <xs:complexType>
+ <xs:sequence>
+ <xs:element ref="type"/>
+ <xs:element ref="serial"/>
+ <xs:element ref="owner_gid"/>
+ <xs:element minOccurs="0" ref="owner_urn"/>
+ <xs:element ref="target_gid"/>
+ <xs:element minOccurs="0" ref="target_urn"/>
+ <xs:element ref="uuid"/>
+ <xs:element ref="expires"/>
+ <xs:choice>
+ <xs:annotation>
+ <xs:documentation>Privileges or a ticket</xs:documentation>
+ </xs:annotation>
+ <xs:element ref="privileges"/>
+ <xs:element ref="ticket"/>
+ <xs:element ref="capabilities"/>
+ </xs:choice>
+ <xs:element minOccurs="0" maxOccurs="unbounded" ref="extensions"/>
+ <xs:element minOccurs="0" ref="parent"/>
+ </xs:sequence>
+ <xs:attribute ref="xml:id" use="required"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="type">
+ <xs:annotation>
+ <xs:documentation>The type of this credential. Currently a Privilege set or a Ticket.</xs:documentation>
+ </xs:annotation>
+ <xs:simpleType>
+ <xs:restriction base="xs:token">
+ <xs:enumeration value="privilege"/>
+ <xs:enumeration value="ticket"/>
+ <xs:enumeration value="capability"/>
+ </xs:restriction>
+ </xs:simpleType>
+ </xs:element>
+ <xs:element name="serial" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>A serial number.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="owner_gid" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>GID of the owner of this credential. </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="owner_urn" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>URN of the owner. Not everyone can parse DER</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="target_gid" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>GID of the target of this credential. </xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="target_urn" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>URN of the target.</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="uuid" type="xs:string">
+ <xs:annotation>
+ <xs:documentation>UUID of this credential</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="expires" type="xs:dateTime">
+ <xs:annotation>
+ <xs:documentation>Expires on</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="extensions">
+ <xs:annotation>
+ <xs:documentation>Optional Extensions</xs:documentation>
+ </xs:annotation>
+ <xs:complexType mixed="true">
+ <xs:group ref="anyelementbody"/>
+ <xs:attributeGroup ref="anyelementbody"/>
+ </xs:complexType>
+ </xs:element>
+ <xs:element name="parent" type="credentials">
+ <xs:annotation>
+ <xs:documentation>Parent that delegated to us</xs:documentation>
+ </xs:annotation>
+ </xs:element>
+ <xs:element name="signed-credential">
+ <xs:complexType>
+ <xs:complexContent>
+ <xs:extension base="credentials">
+ <xs:sequence>
+ <xs:element minOccurs="0" ref="signatures"/>
+ </xs:sequence>
+ </xs:extension>
+ </xs:complexContent>
+ </xs:complexType>
+ </xs:element>
+</xs:schema>