Context Navigation

Changes between Version 2 and Version 3 of FeddConfigExamples

Timestamp:: Dec 11, 2008 1:53:23 PM (15 years ago)
Author:: faber
Comment:: --

Legend:

: Unmodified
: Added
: Removed
: Modified

FeddConfigExamples

-                      v2
+                      v3
 == Static Access Only on Users ==
 This is the simplest configuration of `fedd`, used to allow users of other testbeds to use resources from yours using pre-configured projects.  The layout assumes that for each [FeddAbout#GlobalIdentifiers:Three-levelName] three-level name] you are willing to allow to use your testbed, you have set up a project that already has proper keys installed.  Because no local projects or local users need to be modified, `fedd` does not need access to boss.
+This is the simplest configuration of `fedd`, used to allow users of other testbeds to use resources from yours using pre-configured projects.  The layout assumes that for each [FeddAbout#GlobalIdentifiers:Three-levelName three-level name] you are willing to allow to use your testbed, you have set up a project that already has proper keys installed.  Because no local projects or local users need to be modified, `fedd` does not need access to boss.
 A commented fedd.conf (installed in `/usr/local/etc/fedd.conf`) on `users.isi.deterlab.net` might look like this:
 {{{
+[globals]
+# Identify this fedd by the fedid encoded as a certificate file (user file protections to protect it)
+ These types of node are not accessible by everyone
+restricted: rpc_30cert_file: /usr/local/etc/fedd/fedd.pem
+# Provide service on port 23235
+services: 23235
 [access]
 # Keep access state (which experiments are live) in this file
 …
 testbed: https://users.isi.deterlab.net:23235
 # The database that maps requester to local acces projects
+# The database that maps requester to local access projects (shown below)
 accessdb: /usr/local/etc/fedd/deter_access
 [allocate]
+# do not check allocations.  Assume that the static configuration of projects is correct.
 allocation_level: none
+# this could really be omitted.  Without modifications, there's no state to keep
+allocate_state: /var/db/fedd/deter_allocate.state
+}}}
+In addition the [FeddDatabases#AccessComponentAccessDB access component accessdb] in `/usr/local/etc/fedd/deter_access` might be similar to this one (the rules could be more explicit or looser, for example):
+{{{
+# Overrides for the connector image and type
+attribute: connectorImage value: FBSD7-TVF
+attribute: connectorType value: pc3000_tunnel
+# map users from the given testbed in the Deter group into the local Federation project.  Experiments will
+# be created by the local user "fedd" and accessable by users with the same name as requesters.  This
+# will require coordination.
+(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (Federation, fedd, <same>)
+}}}
+== Dynamic Keying only on Boss ==
+In this case there is still one running `fedd`, but it runs on `boss`, where it can add keys to user accounts and change project permissions.  While projects and users need to be kept in sync, the user keys need not.  The changes here are largely in the allocation section of the global configuration.
+The configuration assumes that patched versions of `addpubkey` and `grantnodetype` have been installed as `taddpubkey` and `tgrantnodetype` in `/usr/testbed/sbin` as described in the [FeddDownload#AdditionalScripts installation section].
+{{{
+[globals]
+# Identify this fedd by the fedid encoded as a certificate file (user file protections to protect it)
+cert_file: /usr/local/etc/fedd/fedd.pem
+# Provide service on port 23235
+services: 23235
+[access]
+# Keep access state (which experiments are live) in this file
+# Be sure it is writeable by the fedd user
+access_state: /var/db/fedd/deter_access.state
+# Parameters for remote fedds to instantiate experiments
+boss: boss
+ops: users
+domain: .isi.deterlab.net
+fileserver: fs
+eventserver: event-server
+# This machine's URI to discriminate proxy requests (NB: this runs on boss)
+testbed: https://boss.isi.deterlab.net:23235
+# The database that maps requester to local access projects (shown below)
+accessdb: /usr/local/etc/fedd/deter_access
+[allocate]
+# Allow keys and node types to be extended.
+allocation_level: dynamic_keys
+# Keep track of keys added and node types granted so that they can be removed when done.
 allocate_state: /var/db/fedd/deter_allocate.state
+[globals]
+cert_file: /usr/local/etc/fedd/fedd.pem
+services: 23235
+# Use the extended commands
+grantnodetype: /usr/testbed/sbin/tgrantnodetype
+addpubkey: /usr/testbed/sbin/taddpubkey
+}}}
+In addition the [FeddDatabases#AccessComponentAccessDB access component accessdb] in `/usr/local/etc/fedd/deter_access` might be similar to this one (the rules could be more explicit or looser, for example):
+{{{
+# Overrides for the connector image and type
+attribute: connectorImage value: FBSD7-TVF
+attribute: connectorType value: pc3000_tunnel
+# Nodes of this type are not generally accessible
+restricted: rpc_3000
+# Additional keys may be added to these groups.  Note that when a user with emulab-ops as the project in their
+# three-level name accesses the testbed, the fedd project will be given access to the restricted node type
+# rpc_3000.  Requesters with Deter as the project will be unable to successfully request access to such nodes.
+(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (Federation, fedd, <same>)
+(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, emulab-ops, <any>) -> (Federation, fedd:rpc_3000, <same>)
 }}}
+== Dynamic Keying with Distributed Operation on Users and Boss ==
+In this case two `fedd`s are running.  The one on users accepts and evaluates access requests but calls out to the `fedd` on boss to do the manipulation of local testbed state.  Boss may choose to firewall all other hosts (except users) away from the fedd port, though the    `fedd` access controls will also protect access.  The situation looks like this: