| | 1 | = Fedd Databases = |
| | 2 | |
| | 3 | There are several small databases that control how `fedd` operates. They are the various access databases that control which [FeddAbout#GlobalIdentifiers:Fedids fedids] can access services and how they will be mapped into three-level names or local testbed parameters, and the database that maps local testbed names into service URIs. |
| | 4 | |
| | 5 | == Access Component accessdb == |
| | 6 | |
| | 7 | This is the most complex of the accessdbs. Its purpose is to configure how an access control component maps a [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to a local testbed user and project, as well as the rights the project must possess (the node types it can access). It also includes information about which kinds of nodes are restricted and allows a testbed owner to supply additional attributes used in accessing the testbed. |
| | 8 | |
| | 9 | The file is a text file. Each line containing a -> represents a rule for mapping from one or more three-level names to local testbed entities. The format for a three-level name to project info mapping has the format: |
| | 10 | |
| | 11 | {{{ |
| | 12 | (testbed, project, user) -> (local_project[:node_type[,node_type]], local_creation_user, local_service_user) |
| | 13 | }}} |
| | 14 | |
| | 15 | The triple on the left is the three-level name. One of those fields must be a [FeddAbout#GlobalIdentifiers:Fedids fedid], given as fedid:xxxxx . The x's are the text of the hexadecimal representation of the fedid. After the fedid, the fields can either be strings or more fedids. Recall that a valid [FeddAbout#GlobalIdentifiers:Three-levelNames three-level name] must be anchored in a fedid. |
| | 16 | |
| | 17 | The `local_project` is a project on the testbed, and `local_creation_user` and `local_service_user` are testbed users that are members of that project. The `local_experiment_user` will run commands on behalf of `fedd` that create the sub-experiment on this testbed and needs appropriate authority. The `local_service-user` may be accessed by the experimenter once the experiment is in progress, and need not have the authority to create or delete experiments. The optional list of node types after the `local_project` (separated by a colon) are the node types that the project can access. |
| | 18 | |
| | 19 | An example of the simplest sort of access accessdb line is: |
| | 20 | |
| | 21 | {{{ |
| | 22 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> (fed, foo, bar) |
| | 23 | }}} |
| | 24 | |
| | 25 | That line grants access to a user `faber` in project `Deter` from the testbed with the given fedid. That user will be mapped into local testbed project `fed` as local testbed user `foo` for experiment creation and `bar` for service access. Notice that the strings to the left of the arrow refer to global three-level names and those on the right to local testbed entities. |
| | 26 | |
| | 27 | Special fields can appear in either the three-level name or the local entity clauses. In the three level name, they determine how the rule matches. Two special fields are `<any>` which matches any value and `<none>` which explicitly indicates the field is absent. Here are examples with those rules: |
| | 28 | |
| | 29 | {{{ |
| | 30 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, bill) -> (fed, foo, bar) |
| | 31 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> (fed, baz, quux) |
| | 32 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, <none>) -> (fed, foo, fred) |
| | 33 | }}} |
| | 34 | |
| | 35 | The first rule will match the `bill` user from the given testbed regardless of the project that the testbed asserts (including no project). The second line matches the `faber` user from the given testbed only if no project is asserted by that testbed. The third line matches any three-level name that originates from the given testbed and includes only a project (and any project will match). |
| | 36 | |
| | 37 | On the local entity side, the special fields are `<same>` which indicates that the corresponding value in the three-level name should be used as the local name and `<dynamic>` which indicates that a new project or user should be allocated for this access. For example: |
| | 38 | |
| | 39 | {{{ |
| | 40 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (fed, foo, <same>) |
| | 41 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> (<dynamic>, <dynamic>, <dynamic>) |
| | 42 | }}} |
| | 43 | |
| | 44 | The top line indicates that any user in the `Deter` project of the given testbed will be mapped to the local `fed` project using user `foo` to create the experiment and an account with the same user name as the user in the three-level name for service access. (NB `<same>` means "use the same string as in the three-level name" not "use the same string as for the other local user.") The administrator should guarantee that the mebers of the `foo` group on his or her testbed are a superset of the users for which the given testbed will assert `Deter` as a project in the three-level name. That may be done out of band. The next line indicates that user `faber` without a project from the given testbed should be allocated a dynamic project. Currently if one field is `<dynamic>` all three must be, a restriction that will be relaxed in the future. |
| | 45 | |
| | 46 | If a rule with no `<any>` fields matches, that rule is preferred to others with `<any>` fields. If multiple `<any>` fields match, the match with the fewest `<any>` matches has precedence. An `<any>` field cannot anchor a three-level matching rule (that it is, `<any>` cannot match an initial fedid). That leaves one ambiguity - if (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) requests access from a testbed with only the rules: |
| | 47 | |
| | 48 | {{{ |
| | 49 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (foo, <same>, <same>) |
| | 50 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> (bar, <same>, <same>) |
| | 51 | }}} |
| | 52 | |
| | 53 | the outcome is determined by the setting of the '''project_priority''' option in the [FeddConfig#AccessOptions access section] of the global configuration file. If it is true, the user will map to local project `foo`, otherwise to `bar`. |
| | 54 | |
| | 55 | Other than the access rules, two types of line can appear in the acesss accessdb. A line of the form: |
| | 56 | |
| | 57 | {{{ |
| | 58 | restricted: node_type |
| | 59 | }}} |
| | 60 | |
| | 61 | indicates that the use of `node_type` is not open to all users. If a requester asks for access to a restricted node type and is mapped to a project that does not include access to that type, the `fedd` will deny the request. To specify multiple such types, include multiple such lines. |
| | 62 | |
| | 63 | For exmaple if `node_type` is restricted and `(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber)` makes an access request, that user will succeed if he or she matches: |
| | 64 | |
| | 65 | {{{ |
| | 66 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> (emulab-ops:node_type, <same>, <same>) |
| | 67 | }}} |
| | 68 | |
| | 69 | but fail if the matching line is: |
| | 70 | |
| | 71 | {{{ |
| | 72 | (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> (emulab-ops:pc3000, <same>, <same>) |
| | 73 | }}} |
| | 74 | |
| | 75 | A line of the form: |
| | 76 | |
| | 77 | {{{ |
| | 78 | attribute: connectorImage value: FBSD7-TVF |
| | 79 | }}} |
| | 80 | |
| | 81 | specifies an attribute to be passed back to the requester. In this case the attribute specifies that nodes used to connect this testbed to another federant should use local Emulab image FBSD7-TVF. Attribute values start with the first non-whitespace character after '''value:''' and continue until the end of the line. |
| | 82 | |
| | 83 | Currently `fedd`'s experiment control system understands the following attributes: |
| | 84 | |
| | 85 | '''!ConnectorImage''':: |
| | 86 | The local image to load on federation connectors |
| | 87 | '''!ConnectorType''':: |
| | 88 | The Emulab node type to request for federation connectors. For example, this type may have access to the wide area Internet when others do not. |
| | 89 | '''!MasterConnectorStartCmd''':: |
| | 90 | When this testbed is a master, run the given command on starting a federation connector node. |
| | 91 | '''!MasterNodeStartCmd''':: |
| | 92 | When this testbed is a master, run the given command on starting an experimental node. |
| | 93 | '''!SlaveConnectorStartCmd''':: |
| | 94 | When this testbed is a slave, run the given command on starting a federation connector node. |
| | 95 | '''!SlaveNodeStartCmd''':: |
| | 96 | When this testbed is a slave, run the given command on starting an experimental node. |
| | 97 | |
| | 98 | Generally the '''!StartCmd''' attributes do not need to be modified. |
