Changes between Version 10 and Version 11 of FeddAbout


Ignore:
Timestamp:
Mar 19, 2014 11:23:06 AM (5 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • FeddAbout

    v10 v11  
    100100A researcher creating a federated experiment uses our federation tools to talk directly to an experiment controller.  Commonly DETER users talk to DETER's experiment controller.  While experiment controllers can run on any testbed - in fact each user is welcome to run their own controller - using DETER's controller leverages the trust other testbeds place in that controller and the information it has gathered.
    101101
    102 The experiment controller is responsible for getting access to resources at the various testbeds, creating the sub-topologies that make up the federated experiment, and interconnecting them.  As the experiment runs, the experiment controller can monitor and
     102The experiment controller is responsible for
     103
     104 * Getting permission to access to resources at the various testbeds
     105 * Coordinating the creation of the sub-topologies that make up the federated experiment
     106 * Requesting their interconnection
     107
     108As the experiment runs, the experiment controller can monitor and perform coarse control operations on the various elements of the experiment.  Controls are coarse because of the wide variety of elements that might be federated.  In testbeds that require periodic renewals of resource reservations, the experiment controller handles them. Finally the experiment controller is responsible for coordinating the release of elements when the experiment ends.
     109
     110These functions are accessed by users via comand line tools available on DETER and packaged with the federation system.
     111
     112Each experiment controller creates a namespace of users and groups those users belong to.  When the experiment controller contacts an access controller to request resources, the user and group information (as the experiment controller knows it) is passed on.  The access controller makes its decisions based on that information.  All of the information and policies about dealing with that information is encoded in [http://groups.geni.net/geni/wiki/TIEDABACModel ABAC].  DETER provides tools for generating basic user/group mappings.
     113
     114The main DETER testbed (DETERLab) runs an experiment controller that exports DETER users and the projects to which they belong.  This provides a simple way for federating testbeds to add their users to the DETER namespace by registering as DETER users.  In addition, it is simple to map back from DETER user names and groups (projects) into local access control.
     115
     116Other documentation provides more information about running an [FeddExperimentController experiment controller].
     117
     118== The Access Controller ==
     119
     120An access controller runs for each testbed that makes resources available via the DFA. Researchers carrying out experiments rarely, if ever, interact directly with an access controller.  It is responsible for
     121
     122 * Authorizing accesses based on ABAC information provided by the experiment controller (and local policy)
     123 * Reserving, connecting and intializing local resources based on requests from the experiment controller (and local policy)
     124 * Implementing the coarse controls requested by the experiment controller (within local policy)
     125 * Safely releasing local resources
     126
     127The access controller translates between the fairly generic experiment ontroller primitives and the testbed-specific resource controls that a local testbed requires.
     128
     129There are access controllers available for several existing testbed architectures: [http://deter-project.org DETER], [http://emulab.org Emulab], [http://groups.geni.net/geni/wiki/GAPI_AM_API GENI AM], [http://ww.starbed.org StarBed], and [FeddDesktop desktops].  The existing controllers are configurable for a wide range of network connections (behind a NAT or not, etc.) and policies.
     130
     131For new testbeds, the architecture and code is structured as a [FeddPluginArchitecture plug-in architecture].  New code can make use of existing code to parse and handle the basic operations and act as a base for specialization.
     132
     133[FeddAccessController Access Controllers] are more deeply documented.
    103134
    104135= Fedd: The DETER Federation Daemon =