TOC |
|
This memo defines the ANANA datastore, a policy-neutral service for managing registries, namespaces, and entries.
This document is a work-in-progress. Do not copy, cite, or redistribute.
TOC |
TOC |
[1] introduces the concept of a policy-free registrar. To paraphrase:
Typically, a registry contains a single namespace, which in turn contains a single block having many entries (with each entry having exactly one key). However, it may be desirable to have both multiple namespaces within a registry, and multiple blocks within a namespace. For example, if a registry corresponded to the parameters for a particular protocol, then:
(Readers familiar with XML terminology should note that the term namespace, as used in this document, has no relationship to the XML namespace concept.)
This memo describes a datastore that may be used to realize a policy-free registry service. As a reminder to the reader, the problem domain for the service has several notable requirements. In particular, the service:
In particular, the reader should appreciate that the problem domain for this service is manifestly different than the one solved by traditional registry-registrar protocols, such as RRP[2].
TOC |
ANANA registries are modeled as XML[3] documents, and logically reside in a datastore with three conceptual layers:
layer services approach ----- -------- -------- +-------------+ | | externally-defined services | reporting | are accessed via URI in policy-defined | | response to certain layer | conformance | datastore events | | +-------------+ | | | access | intra-document access policy neutral | control | control and structural layer | | (DTD) conformance | validity | +-------------+ | | | operations | a "generic" XML document XML database | | database (perhaps emulated layer | well- | by an RDBMS) | formedness | +-------------+
This layer is responsible for:
The datastore contains XML documents, each of which correspond to a registry.
Documents are uniquely identified using the ANANA URI scheme. Within a datastore, documents are named using the abs_path syntax defined in RFC 2396[4] (e.g., /anana/identities). Within a document, fragments are named using an XML Path Language[5] (XPath) expression (e.g., //key[@id='anana']). Note that since an XPath expression (typically) evaluates to a node-set containing zero or more XML fragments, the number of fragments identified by this expression depends on the contents of the corresponding document.
Any document residing in the datastore meets two requirements:
The first requirement is essentially the "entry cost for doing XML". The second requirement limits the implementation complexity of the datastore and removes a large class of potential ambiguities when searching.
Finally, the document named /root, and any document whose name starts with /root/, is reserved for use by the datastore.
The datastore supports two sets of operations:
Two document-wide operations are defined:
Operations on the fragments within a document are specified using either:
Note that in the interests of simplicity, the XUpdate expression is limited to a single modification per operation.
This layer is responsible for:
The ANANA Registry DTD defines the validity constraints for an XML document that models an ANANA registry. Each document has the <registry/> element at its root.
Each <registry/> element contains:
The first fundamental concept about ANANA registries is that they are largely pointers to other resources, and often the resource is an XML fragment within the datastore.
For example, here is the top-level and front part of an ANANA registry:
<registry name='anana://anana.org/anana/identities' title='ANANA list of identities (people, roles)'> <fore> <registrar uri='anana://anana.org/anana/identities#xpath(//key[text()="ANANA"])' /> <comment><t>This is the registry used by the ANANA to identify itself and other registrars.</t></comment> <date month='May' year='2002' /> </fore> ...
In this example, note that the value of the <registrar/> element's uri attribute points to another portion of the document in which it resides.
Each <namespace/> element contains:
Each <template/> element contains:
The value of type attribute is one of:
If the type attribute has the value numeric, then the ABNF[7] of the character data of each corresponding <key/> element is:
numeric = range *(" " range) range = number ".." number number = [prefix] 1*("0" / "1" / "2" / "3" / "4" / "5" / "6" / "7" / "8" / "9") prefix = "0x" | "0" ;; "0x" indicates hexadecimal ;; "0" indicates octal
If the type attribute has the value character, then the character data of each corresponding each corresponding <key/> element matches the Name syntax defined in XML[3] documents.
If the type attribute has the value arbitrary, then no restrictions are placed on the character data of each corresponding <key/> element.
The second fundamental concept about ANANA registries is that id attributes for each entry's keys are algorithmically-generated within each registry. Because the uniqueness of id attributes is a requirement of well-formedness, the uniqueness of registered values within a registry is also datastore requirement.
The idPattern attribute corresponds to the Name syntax defined in XML[3] documents, with one addition: the % character. When the id attribute for a <key/> element is generated, the normalized value corresponding to the registered value (character data) of that element replaces the % character, where
For example, here is the middle part of an ANANA registry:
<namespace id='identity' title='List of Identities'> <comment><t>This is ANANA's registry of identities. Typically, registrars are listed here. Other folks (e.g., registrants) may also be listed here, or in other registries.</t></comment> <template idPattern='id.%' type='character' keyText='Registrar' /> <block> <entry> <key id='id.anana'>ANANA</key> <citation uri='http://www.anana.org' /> </entry> <entry> <key id='id.iana'>IANA</key> <citation uri='http://www.iana.org' /> </entry> ... </block> </namespace>
Each <block/> element contains:
Each <entry/> element contains:
Each <key/> element contains:
Each <citation/> element contains:
There are two kinds of access control policies enforced by the datastore:
In each case, the datastore consults the appropriate document's <acl/> element to determine the policy in effect.
The <acl/> element contains zero or more <ac/> elements. Each <ac/> element contains:
The subject attribute is specified as an XPath expression; similarly, the actor attribute is often given as an ANANA URI. Accordingly, a single access control entry may refer to multiple fragments within an XML document and/or multiple client identities.
For example, here is an <acl/> element for a particular ANANA registry:
<acl> <ac subject='/' permitted='all' actor='anana://anana.org/anana/identities#xpath(//key[text()="ANANA"])' /> <ac subject='/' permitted='read' /> </acl>
In this example, note that while both access control entries refer to the entire document, different access is granted based on the client identity.
Ordering of access control entries is important: the first access control entry with a matching subject/actor pair is used. Of course, if none of the access control entries apply, then no access is allowed.
This layer is responsible for:
A registrar may place additional conformance requirements on the entries in a registry. Before performing any modifications, the datastore consults the document's <conformance/> element to determine the policy in effect. Conformance policies are implemented remotely from the datastore, and are accessed via a remote resource.
The <conformance/> element contains zero or more <conform/> elements. Each <conform/> element contains:
The subject attribute is specified as an XPath expression; accordingly, a single conformance entry may refer to multiple fragments within an XML document.
For example, here is a <conformance/> element for a particular ANANA registry:
<conformance> <conform subject='/registry/namespace/block/entry'> <trigger uri='http://anana.org/cgi-bin/nph-validate.cgi'> <param name='mode'>validate-citations</param> </trigger> </conform> </conformance>
which says that whenever an entry is modified, then an HTTP-based resource is asked to examine the citations in the entry.
A conformance trigger reports three possible outcomes:
On deferral or failure, any response data from the trigger is returned to the client and no further action is taken by the datastore. Typically, a deferral indicates that a registrar will examine the entry later on (typically out-of-band), and that no other action is required by the client.
Ordering of conformance entries is important: the first conformance entry with a matching subject is used.
A registrar may place additional reporting requirements on the entries in a registry. After performing any modifications, the datastore consults the document's <reporting/> element to determine the policy in effect. Reporting policies are implemented remotely from the datastore, and are accessed via a remote resource.
The <reporting/> element contains zero or more <report/> elements. Each <report/> element contains:
The subject attribute is specified as an XPath expression; similarly, the actor attribute is often given as an ANANA URI. Accordingly, a single reporting entry may refer to multiple fragments within an XML document and/or multiple client identities.
The outcome of a reporting trigger may be logged, but is otherwise ignored by the datastore. Ordering of reporting entries is important, the first reporting entry with a matching subject/actor pair is used.
TOC |
When a client wishes to interact with the datastore, it selects an access protocol, optionally authenticates itself, and then submits one or more requests to the datastore, which returns a result or an error for each request.
The ANANA Operations DTD defines the format of requests and results, using the <request/> and <result/> elements, respectively. The <error/> element, defined in Section 7.1 of [9], is used to convey error information.
The <request/> element contains:
The <docRequest/> element contains:
The <fragRequest/> element contains either:
When the datastore receives a <request/> element, it performs these steps:
If the <request/> element contains a <docRequest/> element whose operation attribute has the value create then:
If the <request/> element contains a <docRequest/> element whose operation attribute has the value delete then:
If the <request/> element contains a <fragRequest/> element that contains a <fetch/> element, then:
If the <request/> element contains a <fragRequest/> element that contains a <xupdate:modifications/> element, then:
Triggers implement registrar-specific policies by accessing a remote resource.
The <trigger/> element contains:
In addition to whatever parameters are specified in the trigger element, the datastore also includes these two parameters when a trigger is evaluated:
The datastore evaluates the trigger using an algorithm specific to the scheme used in the trigger's URI. The algorithm must define:
At present, the algorithm for two schemes, http and https, are specified.
A trigger specified via http or https is evaluated using the HTTP[10] POST operation containing the parameters to the trigger.
The datastore examines the HTTP response code when a reply is returned, to determine the trigger's outcome, either:
When the datastore is asked to performed an operation, it must make two determinations:
The datastore determines the required access token by consulting this table:
request pattern access token ------------------------------------------- ------------ /request/docRequest[@operation='create'] create /request/docRequest[@operation='delete'] delete /request/fragRequest/fetch read /request/fragRequest/xupdate:modifications /xupdate:insert-before insert /request/fragRequest/xupdate:modifications /xupdate:insert-after insert /request/fragRequest/xupdate:modifications /xupdate:append write /request/fragRequest/xupdate:modifications /xupdate:update write /request/fragRequest/xupdate:modifications /xupdate:remove write /request/fragRequest/xupdate:modifications /xupdate:rename write
Determining the appropriate access control entry depends on whether the operation pertains to an entire document (the <request/> element contains a <docRequest/>) or the fragments within a document (the <request/> element contains a <fragRequest/>).
If the operation pertains to an entire document, a document-specific policy is consulted.
The datastore retrieves the <acl/> element contained in a document named /root/access, and examines each <ac/> element in the order they appear. For each access entry:
then this <ac/> element is the appropriate access control entry.
If no access control entry is appropriate, then a transient access entry is returned having:
If the operation pertains to the fragments within a document, a fragment-specific policy is consulted.
The datastore retrieves the <acl/> element contained in the document containing the fragments, and examines each <ac/> element in the order they appear. For each access entry:
then this <ac/> element is the appropriate access control entry.
If no access control entry is appropriate, then a transient access entry is returned having:
TOC |
To access the datastore, a client requires:
This memo defines two ways to access the ANANA Datastore:
For interactive access to the datastore, BEEP is used.
The BEEP profile for the ANANA Datastore is identified as:
http://anana.org/beep/anana-datastore
in the BEEP <profile/> element during channel creation.
In BEEP, when the first channel is successfully created, the serverName attribute in the <start/> element identifies the virtual host associated with the peer acting in the server role, e.g.,
<start number='1' serverName='anana.org'> <profile uri='http://anana.org/beep/anana-datastore' /> </start>
The serverName attribute is analagous to HTTP's Host request-header field (cf., Section 14.23 of [10]).
No elements are required to be exchanged during channel creation; however, the BEEP initiator may choose to piggyback a <request/> element during channel creation. If the channel is successfully created, then the BEEP listener performs the piggyback'd operation and returns either a <result/> element or an <error/> element as piggyback'd data. (Note well that Section 2.3.1.2 of [9] limits the amount of piggyback'd data to 4K octets.)
All messages are exchanged as application/beep+xml, and only one-to-one exchanges are permitted, i.e.,
role MSG RPY ERR ==== === === === I request result error
where the <request/> and <result/> elements are defined in The Operations DTD, and the <error/> element is defined in Section 7.1 of [9].
For batch access to the datastore, email is used.
The <reqbatch/> and <rspbatch/> elements (defined in The Operations DTD) are used to batch multiple requests and results into a single message, tagged as application/xml[12].
The <reqbatch/> element contains:
The <rspbatch/> element contains zero or more <result/> and <error/> elements.
The client may choose to to use MIME-based security (cf., Security Considerations) for the message. If so, the datastore must be pre-configured to understand the mapping between the cryptographic information used by the client and the corresponding client identity. If there is an error in processing the MIME-based security wrappers, then a message containing a <rspbatch/> element that contains a single <error/> element is sent to the client, and no further processing occurs.
If the client does not use MIME-based security, then the datastore retrieves the <entry/> element associated with the originator attribute of the <reqbatch/> element, and looks for a <citation/> element with:
If no such element exists, then a message containing a <rspbatch/> element that contains a single <error/> element having code 530 is sent to the client, and no further processing occurs. Otherwise:
The duration to wait for an acceptable response is a local policy matter.
Regardless of the mechanism, if the message is deemed authentic, then the datastore processes each <request/> element in the order in which it appears in the <reqbatch/> element. Upon completion, a message containing a <rspbatch/> element (having the same number of subordinate elements as the <reqbatch/> element) is sent to the client.
In order to facilitate the management of authentication information, whenever an <entry/> element is successfully added or modified, the datastore examines each <citation/> element in the order they appear. If the value of the element's contentType attribute is ContentType:application/anana+xml?type="authInfo", and if the element's uri attribute contains an https URI, then:
The <authInfo/> element contains zero or more <param/> elements, each containing a name/value pair.
This mem defines two parameter names:
- sharedSecret:
- The value of this parameter is a shared secret that may be used with SASL mechanisms such as DIGEST-MD5[13].
- otpInfo:
- The value of this parameter is an init-hex response defined in [14] (where the current-OTP field is ignored) that may be used with the SASL OTP mechanism[15].
TOC |
<!-- DTD data types: entity syntax/reference example ====== ================ ======= uniform resource identifier URI cf., RFC 2396 http://anana.org/ XML document name PATH cf., abs_path in /anana/identities RFC 2396 XPath expression XPATH cf., W3C REC XPath //key[@id='anana'] --> <!ENTITY % URI "CDATA"> <!ENTITY % PATH "CDATA"> <!ENTITY % XPATH "CDATA"> <!-- Requests --> <!ELEMENT request (docRequest|fragRequest)> <!ATTLIST request docName %PATH; #REQUIRED> <!-- contents are meaningful only on create operations --> <!ELEMENT docRequest ANY> <!ATTLIST docRequest operation (create|delete) "create"> <!-- cf., XUpdate specification for the "xupdate:modifications" element Note that for simplicity, the xupdate:modifications element MUST have exactly one subordinate element --> <!ELEMENT fragRequest (fetch|xupdate:modifications)> <!ELEMENT fetch EMPTY> <!ATTLIST fetch xpath %XPATH; #REQUIRED> <!-- Results --> <!-- contents are meaningful only if responding to a fetch request --> <!ELEMENT result ANY> <!ATTLIST result count CDATA "0"> <!-- email wrappers --> <!ELEMENT reqbatch (request)*> <!ATTLIST reqbatch originator %URI; #REQUIRED> <!ELEMENT rspbatch (result|error)*>
<!-- DTD data types: entity syntax/reference example ====== ================ ======= uniform resource identifier URI cf., RFC 2396 http://anana.org/ URI or the empty string ACTOR cf., RFC 2396 '' localization language LANG cf., RFC 1766 en, en-US, etc. XPath expression XPATH cf., W3C REC XPath //key[@id='anana'] --> <!ENTITY % URI "CDATA"> <!ENTITY % ACTOR "CDATA"> <!ENTITY % LANG "CDATA"> <!ENTITY % XPATH "CDATA"> <!ENTITY % rfc2629.dtd PUBLIC '' 'http://xml.resource.org/public/rfc/xml/rfc2629.dtd'> %rfc2629.dtd; <!-- The top-level --> <!ELEMENT registry (fore,namespace*,aft)> <!ATTLIST registry name %URI; #REQUIRED title CDATA #REQUIRED> <!-- The front --> <!ELEMENT fore (registrar+,comment?,date)> <!ELEMENT registrar EMPTY> <!ATTLIST registrar uri %URI; #REQUIRED> <!-- cf., RFC 2629 for the "date", "t", and "figure" elements --> <!ELEMENT comment (t|figure)+> <!-- The middle --> <!ELEMENT namespace (comment?,template,block*)> <!ATTLIST namespace id ID #IMPLIED title CDATA #REQUIRED> <!ELEMENT template EMPTY> <!ATTLIST template idPattern CDATA "%" type (numeric|character|arbitrary) "character" xml:lang %LANG; #IMPLIED keyText CDATA #REQUIRED commentText CDATA #IMPLIED> <!ELEMENT block (comment?,entry*)> <!-- the first key element is considered the primary key for the entry --> <!ELEMENT entry (key+,citation*,comment?,date)> <!ELEMENT key (#PCDATA)> <!ATTLIST key id ID #REQUIRED> <!ELEMENT citation (#PCDATA)> <!ATTLIST citation uri %URI; #REQUIRED contentType %URI; #IMPLIED> <!-- The back --> <!ELEMENT aft (acl,conformance,reporting)> <!ELEMENT acl (ac*)> <!ELEMENT ac EMPTY> <!ATTLIST ac subject %XPATH; #REQUIRED actor %ACTOR; "" permitted NMTOKENS "none"> <!ELEMENT conformance (conform*)> <!ELEMENT conform (trigger)> <!ATTLIST conform subject %XPATH; #REQUIRED> <!ELEMENT reporting (report*)> <!ELEMENT report (trigger)> <!ATTLIST report subject %XPATH; #REQUIRED actor %ACTOR; ""> <!ELEMENT trigger (param*)> <!ATTLIST trigger resource %URI; #REQUIRED> <!ELEMENT param (#PCDATA)> <!ATTLIST param name CDATA #REQUIRED>
<!ELEMENT authInfo (param*)> <!ELEMENT param (#PCDATA)> <!ATTLIST param name CDATA #REQUIRED>
TOC |
The "anana" URI scheme uses the "generic URI" syntax defined in Section 3 of [4], specifically:
The values of both the scheme and authority components are case-insensitive. If the path component is absent, then it defaults to the root document, /.
The ABNF of the anana URI scheme is:
anana_uri = "anana" ":" "//" authority [ abs_path [ frag_id ] ] frag_id = "#" "xpath" "(" balanced_parens ")" balanced_parens = *( escaped_parens | balanced_text ) escaped_parens = "^()^^" | "^^^^" | "^^(" | "^^)" ;; "^(" escapes "(" ;; "^)" escapes ")" ;; "^^" escapes "^" balanced_text = ( "(" balanced_parens ")" ) | noparens_text noparens_text = *<<any uric other than "(" and ")">> ;; authority, abs_path, uric are defined in RFC 2396
For example,
anana://anana.org/anana/identities#xpath(//key[text()="ANANA"]) anana://anana.org/anana/identities anana://anana.org:1026 anana://10.0.0.2/
are all valid ANANA URIs.
The anana URI scheme indicates the use of the BEEP profile for the ANANA datastore service running over TCP/IP.
If the authority component contains a domain name and a port number, e.g.,
anana://anana.org:1026
then the DNS is queried for the A RRs corresponding to the domain name, and the port number is used directly.
If the authority component contains a domain name and no port number, e.g.,
anana://anana.org
the SRV algorithm[16] is used with a service parameter of anana-store and a protocol parameter of tcp to determine the IP/TCP addressing information. If no appropriate SRV RRs are found (e.g., for _anana-store._tcp.anana.org), then the DNS is queried for the A RRs corresponding to the domain name and the port number used is assigned by the IANA for the registration in Registration: The System (Well-Known) TCP port number for the ANANA Datastore.
If the authority component contains an IP address, e.g.,
anana://10.0.0.2:1026
then the DNS is not queried, and the IP address is used directly. If a port number is present, it is used directly; otherwise, the port number used is assigned by the IANA for the registration in Registration: The System (Well-Known) TCP port number for the ANANA Datastore.
While the use of literal IPv6 addresses in URIs is discouraged, if a literal IPv6 address is used in an anana URI, it must conform to the syntax specified in [17].
TOC |
The IANA registers anana as a URI scheme, as specified in Registration: The anana URI Scheme.
The IANA registers ANANA datastore as a TCP port number, as specified in Registration: The System (Well-Known) TCP port number for the ANANA Datastore.
The IANA registers application/anana+xml as a MIME media type, as specified in The application/anana+xml Media Type.
The IANA registers the BEEP profile specified in The ANANA Datastore Profile for BEEP, and selects an IANA-specific URI, e.g.,
http://iana.org/beep/anana-datastore
- URI scheme name:
- anana
- URI scheme syntax:
- cf., The anana URI Scheme
- Character encoding considerations:
- cf., the "generic URI" syntax defined in Section 3 of [4]
- Intended usage:
- identifies an XML document or fragment in an ANANA datastore
- Applications using this scheme:
- cf., "Intended usage", above
- Interoperability considerations:
- n/a
- Security Considerations:
- cf., Security Considerations
- Relevant Publications:
- cf., this memo
- Contact Information:
- Marshall Rose <mrose@dbc.mtview.ca.us>
- Author/Change controller:
- the IESG
- Protocol Number:
- TCP
- Message Formats, Types, Opcodes, and Sequences:
- cf., The Operations DTD
- Functions:
- cf., Datastore Operations
- Use of Broadcast/Multicast:
- none
- Proposed Name:
- ANANA Datastore
- Short name:
- anana-store
- Contact Information:
- Marshall Rose <mrose@dbc.mtview.ca.us>
- MIME Media Type Name:
- Application
- MIME subtype name:
- anana+xml
- Required Parameters:
- type
- Optional Parameters:
- charset (defaults to UTF-8[18])
- Encoding Considerations:
- 8-bit
- Security Considerations:
- avoid third-party disclosure as this media type may contain authentication information
- Interoperability Considerations:
- n/a
- Published Specification:
- This media type contains an XML XML[3] document, as indicated by the type parameter.
Two restrictions are made. First, no entity references other than the five predefined general entities references ("&", "<", ">", "'", and """) and numeric entity references may be present. Second, neither the "XML" declaration (e.g., <?xml ...>) nor the "DOCTYPE" declaration (e.g., <!DOCTYPE ...>) may be present. (Accordingly, if another character set other than UTF-8 is desired, then the "charset" parameter must be present.) All other XML 1.0 instructions (e.g., CDATA blocks, processing instructions, and so on) are allowed.
If the type parameter has the value authInfo, then the document corresponds to the syntax given in The AuthInfo DTD.- Appliations which use this media type:
- the ANANA datastore
- Additional Information:
- none
- Intended usage:
- cf., Access Protocols
- Additional Information:
- none
- Intended usage:
- limited use
- Contact Information:
- Marshall Rose <mrose@dbc.mtview.ca.us>
- Author/Change controller:
- the IESG
- Profile Identification:
- http://anana.org/beep/anana-datastore
- Messages exchanged during Channel Creation:
- request,result
- Messages starting one-to-one exchanges:
- request
- Messages in positive replies:
- result
- Messages in negative replies:
- error
- Messages in one-to-many exchanges:
- none
- Message Syntax:
- cf., The Operations DTD
- Message Semantics:
- cf., Datastore Operations
- Contact Information:
- Marshall Rose <mrose@dbc.mtview.ca.us>
TOC |
Although service provisioning is a policy matter, at a minimum, all implementations must provide the following tuning profiles:
- for authentication:
- http://iana.org/beep/SASL/DIGEST-MD5
- for confidentiality:
- http://iana.org/beep/TLS (using the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher)
- for both:
- http://iana.org/beep/TLS (using the TLS_RSA_WITH_3DES_EDE_CBC_SHA cipher supporting client-side certificates)
Further, implementations may choose to offer MIME-based security services providing message integrity and confidentiality, such as OpenPGP[19] or S/MIME[20].
Regardless, consult:
Finally, any remote resource accessed by a trigger should ensure that traffic originating from the datastore is authentic before taking any action that changes state.
TOC |
TOC |
Marshall T. Rose | |
Dover Beach Consulting, Inc. | |
POB 255268 | |
Sacramento, CA 95865-5268 | |
US | |
Phone: | +1 916 483 8878 |
EMail: | mrose@dbc.mtview.ca.us |
TOC |
The author acknowledges the contributions of Graham Klyne and Carl Malamud. In addition, the syntax of the fragment identifier is based on the generic fragment identifier syntax proposed by Jonathan Borden and Simon St. Laurent.