Changes between Version 6 and Version 7 of FeddDatabases


Ignore:
Timestamp:
Jun 29, 2010 3:26:18 AM (14 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified

  • FeddDatabases

    v6 v7  
    4949=== Access Component AccessDB ===
    5050
    51 This is the most complex of the accessDBs.  Its purpose is to configure how an access control component maps a [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to a local testbed user and project, as well as the rights the project must possess (the node types it can access).  It also includes information about which kinds of nodes are restricted and allows a testbed owner to supply additional attributes used in accessing the testbed.
     51This is the most complex of the accessDBs.  Its purpose is to configure how an access control component maps a [FeddAbout#GlobalIdentifiers:Three-levelNames three level name] to a authorization attribute and local access control information.  Usually the authorization attribute information is 'access' implying the ability to create new experiments.  Other plug-ins are free to create and interpret other attributes.
     52
     53In addition to that, a mapping can have local values, interpreted by the plug-in.  By convention the attribute is unadorned and the optional plug-in dependent information is separated by a comman and enclosed in parentheses.
     54
     55The general format looks like:
     56{{{
     57(testbed, project, user) -> attribute
     58}}}
     59
     60With testbed dependent information:
     61
     62{{{
     63(testbed, project, user) -> attribute, (some, testbed, stuff)
     64}}}
     65
    5266
    5367==== Emulab Mappings ====
     
    5670
    5771{{{
    58 (testbed, project, user) -> (local_project[:node_type[,node_type]], local_creation_user, local_service_user)
     72(testbed, project, user) -> attribute, (local_project, local_creation_user, local_service_user)
    5973}}}
    6074
     
    6680
    6781{{{
    68 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> (fed, foo, bar)
     82(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, faber) -> access, (fed, foo, bar)
    6983}}}
    7084
     
    7488
    7589{{{
    76 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, bill) -> (fed, foo, bar)
    77 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> (fed, baz, quux)
    78 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, <none>) -> (fed, foo, fred)
     90(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, bill) -> access, (fed, foo, bar)
     91(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> access, (fed, baz, quux)
     92(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, <none>) -> access, (fed, foo, fred)
    7993}}}
    8094
     
    86100
    87101{{{
    88 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (fed, foo, <same>)
    89 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> (<dynamic>, <dynamic>, <dynamic>)
     102(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> access, (fed, foo, <same>)
     103(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <none>, faber) -> access, (<dynamic>, <dynamic>, <dynamic>)
    90104}}}
    91105
     
    95109
    96110{{{
    97 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> (foo, <same>, <same>)
    98 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> (bar, <same>, <same>)
     111(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, Deter, <any>) -> access, (foo, <same>, <same>)
     112(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea, <any>, faber) -> access, (bar, <same>, <same>)
    99113}}}
    100114
    101115the outcome is determined by the setting of the '''project_priority''' option in the [FeddConfig#AccessOptions access section] of the global configuration file.  If it is true, the user will map to local project `foo`, otherwise to `bar`.
    102116
    103 Other than the access rules, two types of line can appear in the acesss accessdb.  A line of the form:
    104 
    105 {{{
    106 restricted: node_type
    107 }}}
    108 
    109 indicates that the use of `node_type` is not open to all users.  If a requester asks for access to a restricted node type and is mapped to a project that does not include access to that type, the `fedd` will deny the request.  To specify multiple such types, include multiple such lines.
    110 
    111 For example if `node_type` is restricted and `(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber)` makes an access request, that user will succeed if he or she matches:
    112 
    113 {{{
    114 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> (emulab-ops:node_type, <same>, <same>)
    115 }}}
    116 
    117 but fail if the matching line is:
    118 
    119 {{{
    120 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> (emulab-ops:pc3000, <same>, <same>)
    121 }}}
    122117
    123118==== DRAGON Mappings ====
     
    126121
    127122{{{
    128 (fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> (/usr/local/OSCARS/local_repo)
     123(fedid:ce90957dd5b7d20f9c3890c4599313b7f1cf31ea,emulab-ops, faber) -> access, (/usr/local/OSCARS/local_repo)
    129124}}}
    130125
    131126Maps the given three-level name to the keys stored in /usr/local/OSCARS/local_repo.  That directory should be protected appropriately.
    132127
    133 ==== Attributes ====
    134 
    135 A line of the form:
    136 
    137 {{{
    138 attribute: connectorImage value: FBSD7-TVF
    139 }}}
    140 
    141 specifies an attribute to be passed back to the requester.  In this case the attribute specifies that nodes used to connect this testbed to another federant should use local Emulab image FBSD7-TVF.  Attribute values start with the first non-whitespace character after '''value:''' and continue until the end of the line.
    142 
    143 Currently `fedd`'s experiment system understands the following attributes:
    144 
    145  '''!ConnectorImage'''::
    146   The local image to load on federation connectors
    147  '''!ConnectorType'''::
    148   The Emulab node type to request for federation connectors.  For example, this type may have access to the wide area Internet when others do not.
    149  '''!MasterConnectorStartCmd'''::
    150   When this testbed is a master, run the given command on starting a federation connector node.
    151  '''!MasterNodeStartCmd'''::
    152   When this testbed is a master, run the given command on starting an experimental node.
    153  '''!SlaveConnectorStartCmd'''::
    154   When this testbed is a slave, run the given command on starting a federation connector node.
    155  '''!SlaveNodeStartCmd'''::
    156   When this testbed is a slave, run the given command on starting an experimental node.
    157  '''SMBShare'''::
    158   The name of the machine that the SMB file system is exported from.  Defaults to USERS which is usually correct.  If not, swap in a windows experiment and see where your testbed exports from.
    159  '''dragon'''::
    160   The endpoint designator of this testbed to DRAGON.  This indicates that the testbed is DRAGON-connected.
    161  '''vlans'''::
    162   The acceptable vlan numbers to allocate from DRAGON, if any.  Ranges and comma separated lists (and lists of ranges) are acceptable.
    163 
    164 Generally the '''!StartCmd''' attributes do not need to be modified.
    165128
    166129=== Experiment Control Component AccessDB ===