Changes between Version 21 and Version 22 of FeddGettingStarted


Timestamp:
Jun 11, 2014 4:28:50 PM (10 years ago)
Author:
faber
Comment:

--

  • FeddGettingStarted

    v21 v22  
    99This document will discuss the relevant fedd components, what they do, and what they need in order to do those jobs.  We also discuss the tools an experimenter uses to create and monitor federated experiments.  Then we briefly discuss how to get the ABAC credentials necessary to access the federated environment.
    1010
    11 Fedd really is two entities, an '''Access Controler''' that mediates access to federated resources and provides standard interfaces for allocating them, and an '''Experiment Controller''' that acts as a credential store and coordinates requests across multiple access controllers.  The [FeddAbout discussion of the Deter Federation Architecture] has more to say about these entities, but this is enough to get started. DETERLab runs an experiment controller that can be reached at [https://users.isi.deterlab.net:23235] and new federation users can use that experiment controller, but when setting up and administering a federated testbed it can be very helpful to install and configure an experiment controller locally.
     11Fedd really is two entities, an '''Access Controler''' that mediates access to federated resources and provides standard interfaces for allocating them, and an '''Experiment Controller''' that acts as a credential store and coordinates requests across multiple access controllers.  The [FeddAbout discussion of the Deter Federation Architecture] has more to say about these entities, but this is enough to get started. DETERLab runs an experiment controller that can be reached at !https://users.isi.deterlab.net:23235 and new federation users can use that experiment controller, but when setting up and administering a federated testbed it can be very helpful to install and configure an experiment controller locally.
    1212
    1313Here is a block diagram of a user making a request for a federated experiment.  We will show how to configure the credentials that users and the experiment controller pass to access controllers, how to configure the policies at the access controlers to allow access and map federated users into local users.  We will also configure the experiment controller to find the access controlers and the access controllers to allocate resources (start DETER experiments) on behalf of local users.
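Review bot: "Access Controler" is misspelled in the line 11 text this change rewrites, and "controlers" appears twice in the unchanged line 13; since line 11 is being edited anyway, correct it to "Access Controller" and fix line 13 in the same revision. The new "!https://users.isi.deterlab.net:23235" form also leaves the address as plain text rather than a link, so confirm that is the intent.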
     
    2929== Installation ==
    3030
    31 There are detailed instructions for [FeddDownload installation of fedd and the required software].  As we prepare for the fedd 4.0 release, it is best to [FeddDownload#Gitaccess install from git].
     31There are detailed instructions for [FeddDownload installation of fedd and the required software].
    3232
    3333Before downloading and installing the code, there are network connectivity requirements to consider.  The experiment controller must be reachable by user tools and must be able to reach and be reached by access controllers.  These are SSL protected TCP connections, though the port is configurable.  Additionally, the some experimental nodes in the testbeds must be able to reach each other.
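Review bot: Line 33 reads "the some experimental nodes in the testbeds must be able to reach each other"; drop "the". The same paragraph says the port for the SSL-protected TCP connections is configurable but never names a default, so an administrator cannot write firewall rules from this section alone; state the default port or point to where it is set.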
     
    3636
    3737The experiment controller needs a directory in which to store credentials and configuration information.  This includes SSL credentials, so it should be protected.  You can create a user to run the experiment controller if necessary.
     38
     39There is a detailed reference for the [FeddConfig configuration files].
    3840
    3941This directory will contain the following configuration files
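Review bot: Line 37 says the directory holds SSL credentials "so it should be protected" without saying how. State the expected owner and permissions (for example, owned by the account that runs the experiment controller and not readable by group or others), and consider making the dedicated user a recommendation rather than "if necessary". Line 41 also needs a colon after "configuration files".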
     
    180182
    181183 * copy {{{exp_access_db}}} to your experiment controller's home ({{{/usr/local/etc/fedd/experiment}}})
    182  * run [wiki:FeddABAC#fedd_to_abac.py fedd_to_abac.py] to create the ABAC
     184 * run [wiki:FeddCommands#fedd_to_abac.py fedd_to_abac.py] to create the ABAC
    183185   * {{{fedd_to_abac.py --cert fedd.pem --dir /usr/local/etc/fedd/experiment/abac --make_dir exp_access_db}}} should do it
    184186
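Review bot: The new line 184 still ends at "to create the ABAC" with no noun after it, the same as the line it replaces. Finish the sentence so the reader knows what fedd_to_abac.py produces before reaching the command on line 185, and say which directory the relative paths fedd.pem and exp_access_db are expected to be in when the command is run.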
     
    322324In order for users to use the federation system, two things need to be done.  Their emulab credentials need to be converted to federation credentials and they need to allow the access controller to act on their behalf by adding the access controller's ssh key to their login keys using the DETER web interface.  Both of these can be done programmatically at large institutions.
    323325
    324 Conversion of emulab credentials is done [wiki:FeddABAC#UserCredentials like this].
     326Conversion of emulab credentials is done [wiki:FeddConfig#ConvertingUserCredentialstofedids like this].
    325327
    326328== Trying it out ==
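Review bot: The link text on line 326 is still "like this", which tells the reader nothing about the target now that it points at FeddConfig#ConvertingUserCredentialstofedids; use descriptive text naming the section. Line 324 also asks users to add the access controller's ssh key to their login keys so it can act on their behalf, and a sentence on what that key is then allowed to do would help users decide whether to grant it.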
     
    356358While each federation agreement is different, the procedure is generally to negotiate some access with DETER and then receive a credential from the DETER experiment controller that delegates some rights to the federated system.  This will be one or more X.509 attribute certificates that need to be installed in the policy of your local experiment controller.  (Actually, you could also put them into each user's ABAC credentials directory, but the experiment controller is easier.)
    357359
    358 To do this, use the [wiki:FeddABAC#import_abac_creds.py import_abac_creds.py] program to add these credentials to your policy.  If the experiment controller's ABAC is kept in {{{/usr/local/etc/fedd/abac}}} the command will be something like:
     360To do this, use the [wiki:FeddCommands#import_abac_creds.py import_abac_creds.py] program to add these credentials to your policy.  If the experiment controller's ABAC is kept in {{{/usr/local/etc/fedd/abac}}} the command will be something like:
    359361
    360362{{{
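Review bot: Line 360 assumes the experiment controller's ABAC is kept in /usr/local/etc/fedd/abac, but the fedd_to_abac.py command on line 185 creates it with --dir /usr/local/etc/fedd/experiment/abac. A reader following both steps would import the delegated credentials into a directory the controller is not using; make the two paths agree. The paragraph at 358 also gives no step for checking that the received X.509 attribute certificates came from the DETER experiment controller before they are added to local policy.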