Changes between Version 10 and Version 11 of FeddDatabases


Timestamp:
Jun 11, 2014 4:14:46 PM (10 years ago)
Author:
faber
Comment:

--

  • FeddDatabases

    v10 v11  
    11= Fedd Databases =
    22
    3 There are several small databases that control how `fedd` operates.  They are the various access databases that control which [FeddAbout#GlobalIdentifiers:Fedids fedids] can access services and how they will be mapped into three-level names or local testbed parameters, and the database that maps local testbed names into service URIs.
     3There are several small databases that control how `fedd` operates.  They are the various access databases that control which [FeddAuthorizationArchitecture#GlobalIdentifiers:Fedids fedids] can access services and how they will be mapped into three-level names or local testbed parameters, and the database that maps local testbed names into service URIs.
    44
    55All of the formats allow comments that begin with # and ignore blank lines.
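Review bot: the link target in the first changed line of this hunk moves from FeddAbout to FeddAuthorizationArchitecture while the anchor `#GlobalIdentifiers:Fedids` is kept as-is; the same substitution repeats in every later hunk, so confirm that FeddAuthorizationArchitecture actually defines the `GlobalIdentifiers:Fedids` and `GlobalIdentifiers:Three-levelNames` anchors, otherwise all of these links silently land at the top of that page.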
     
    77== AccessDBs ==
    88
    9 The primary role of the various `fedd` accessDBs is to assign attributes to the [FeddAbout#GlobalIdentifiers:Fedids fedid]s or [FeddAbout#GlobalIdentifiers:Three-levelNames three-level name]s that a requester may assert.  Those attributes control the access to services.  A requester with the proper attribute may access the service, one without is denied.  The access component and experiment control component accessDBs assign the attributes necessary for their services implicitly in conjunction with specifying mapping information inherent to the function.  The other components' accessDBs are simple attribute assignments.
     9The primary role of the various `fedd` accessDBs is to assign attributes to the [FeddAuthorizationArchitecture#GlobalIdentifiers:Fedids fedid]s or [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three-level name]s that a requester may assert.  Those attributes control the access to services.  A requester with the proper attribute may access the service, one without is denied.  The access component and experiment control component accessDBs assign the attributes necessary for their services implicitly in conjunction with specifying mapping information inherent to the function.  The other components' accessDBs are simple attribute assignments.
     10
     11Once these databases are constructed in text format, the [FeddCommands#access_to_abac.py access_to_abac.py] command needs to be run to convert them into a map pointed to by the '''access_db''' parameter in the configuration and the ABAC permissions, pointed to by the '''auth_dir''' parameter.
    1012
    1113
    1214=== Access Component AccessDB ===
    1315
    14 This is the most complex of the accessDBs.  Its purpose is to configure how an access control component maps a [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to a authorization attribute and local access control information.  Usually the authorization attribute information is 'access' implying the ability to create new experiments.  Other plug-ins are free to create and interpret other attributes.
     16This is the most complex of the accessDBs.  Its purpose is to configure how an access control component maps a [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three level name] to a authorization attribute and local access control information.  Usually the authorization attribute information is 'access' implying the ability to create new experiments.  Other plug-ins are free to create and interpret other attributes.
    1517
    16 In addition to that, a mapping can have local values, interpreted by the plug-in.  By convention the attribute is unadorned and the optional plug-in dependent information is separated by a comman and enclosed in parentheses.
     18In addition to that, a mapping can have local values, interpreted by the plug-in.  By convention the attribute is unadorned and the optional plug-in dependent information is separated by a comma and enclosed in parentheses.
    1719
    1820The general format looks like:
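Review bot: the new paragraph about `access_to_abac.py` says "these databases" without saying which ones; since it sits under the general AccessDBs heading, state whether it covers every accessDB or only the access component one. Also, while this hunk fixes "comman" to "comma", the modified line just above it still reads "maps a ... three level name to a authorization attribute" ("an authorization"), which could be fixed in the same edit.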
     
    4850}}}
    4951
    50 The triple on the left is the three-level name.  One of those fields must be a [FeddAbout#GlobalIdentifiers:Fedids fedid], given as fedid:xxxxx .  The x's are the text of the hexadecimal representation of the fedid.  After the fedid, the fields can either be strings or more fedids.  Recall that a valid [FeddAbout#GlobalIdentifiers:Three-levelNames three-level name] must be anchored in a fedid.
     52The triple on the left is the three-level name.  One of those fields must be a [FeddAuthorizationArchitecture#GlobalIdentifiers:Fedids fedid], given as fedid:xxxxx .  The x's are the text of the hexadecimal representation of the fedid.  After the fedid, the fields can either be strings or more fedids.  Recall that a valid [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three-level name] must be anchored in a fedid.
    5153
    5254The `local_project` is a project on the testbed, and `local_creation_user` and `local_service_user` are testbed users that are members of that project.  The `local_experiment_user` will run commands on behalf of `fedd` that create the sub-experiment on this testbed and needs appropriate authority.  The `local_service-user` may be accessed by the experimenter once the experiment is in progress, and need not have the authority to create or delete experiments.  The optional list of node types after the `local_project` (separated by a colon) are the node types that the project can access.
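Review bot: the unchanged context line after the modified one uses `local_service-user` (hyphen) where the same line introduces the field as `local_service_user` (underscore); because this is a field name in the accessDB format, the mismatch will trip up anyone writing entries, and a drive-by fix would fit this edit. The modified line also carries a stray space in "fedid:xxxxx ." before the period.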
     
    9395==== DRAGON Mappings ====
    9496
    95 A dragon controller maps the [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to a directory holding the X.509 certificates to use for the allocation.  In OSCARS command-line terms, it maps the requester to the '''repo''' parameter.  This line;
     97A dragon controller maps the [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three level name] to a directory holding the X.509 certificates to use for the allocation.  In OSCARS command-line terms, it maps the requester to the '''repo''' parameter.  This line;
    9698
    9799{{{
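Review bot: the modified line still ends with "This line;" as the lead-in to the `{{{` block; the semicolon should be a colon. It was carried over unchanged from v10 and this revision only swaps the link target.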
     
    103105==== ProtoGENI Mappings ====
    104106
    105 A dragon controller maps the [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to an X.509 certificate used to make GENI calls, an optional password for that certificate, and a username and ssh_key with rights to move files around on ProtoGENI for configuration of nodes.  ProtoGENI supports less autometed installation than Emulab.This line;
     107A dragon controller maps the [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three level name] to an X.509 certificate used to make GENI calls, an optional password for that certificate, and a username and ssh_key with rights to move files around on ProtoGENI for configuration of nodes.  ProtoGENI supports less autometed installation than Emulab.This line;
    106108
    107109{{{
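Review bot: the modified line in the ProtoGENI section still opens with "A dragon controller maps ...", which reads like a copy-over from the DRAGON Mappings section directly above; if this describes the ProtoGENI plug-in it should say so. The same line keeps "autometed" (automated), the missing space in "Emulab.This", and "This line;" (colon), none of which this revision touches.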
     
    113115=== Experiment Control Component AccessDB ===
    114116
    115 Like the access component accessDB, the experiment control component accessDB performs double duty - it both determines what [FeddAbout#GlobalIdentifiers:Fedids fedids] can be used to create experiments, and it determines what [FeddAbout#GlobalIdentifiers:Three-levelNames three-level name]s a `fedd` will assert on behalf of that user when acquiring access to other testbeds.
     117Like the access component accessDB, the experiment control component accessDB performs double duty - it both determines what [FeddAuthorizationArchitecture#GlobalIdentifiers:Fedids fedids] can be used to create experiments, and it determines what [FeddAuthorizationArchitecture#GlobalIdentifiers:Three-levelNames three-level name]s a `fedd` will assert on behalf of that user when acquiring access to other testbeds.
     118
     119Once this databases is constructed in text format, the [FeddCommands#fedd_to_abac.py fedd_to_abac.py] command needs to be run to convert them into the ABAC permissions, pointed to by the '''auth_dir''' parameter in the configuration file.
    116120
    117121Lines in the accessDB have the following format:
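Review bot: the added sentence has a number agreement error, "Once this databases is constructed ... convert them" (this database is ... convert it), and it names `fedd_to_abac.py` as the converter for this accessDB while the sentence added earlier under AccessDBs names `access_to_abac.py` for "these databases"; say explicitly which tool applies to which database so a reader does not run both, or the wrong one, against this file.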
     
    128132Any fedid not appearing in this databses is denied access to the experiment control facility; that is, a fedid in this DB is granted the '''create''' attribute.  When an experiment is created, access to it is controlled independently of this database, so a fedid in this database does not automatically possess the right to terminate or interrogate an experiment they did not create.  These rights are controlled by non-string attributes that are not specified in the databases.
    129133
    130 To simplify creating this database, the fedd package supplies a utility script, [FeddCommands exp_access_db.py].
     134To simplify creating this database, the fedd package supplies a utility script, [FeddCommands#exp_access_db.py exp_access_db.py].
    131135
    132136== Experiment Name Mapping DB ==
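Review bot: the link fix to `[FeddCommands#exp_access_db.py exp_access_db.py]` is fine; the unchanged context line two lines above it still has "databses" for "databases", which would be a cheap drive-by correction in this revision.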