wiki:FeddPluginCalls

Version 6 (modified by faber, 14 years ago) (diff)

--

Plug-in Interfaces

Access controllers respond to a series of standard calls from the experiment controller to create local allocations. These are described in conceptual detail elsewhere on this site and in a document about the design of the ProtoGENI plug-in. This section discussed the calls and their encoding for developers interested in reading and extending existing plug-in code.

The interfaces are all described in xsd and SOAP, and these are easy enough to convert into python data structures once you know how. Below we describe the semantics of each call, and the tools available to plug-in writers to assist in implementation. These tools are available when plug-ins derive from federation.access, as federation.skeleton_access is.

Each python method in the plug-in that corresponds to a plug-in interface is called with the same parameters:

  • the request: a python dict representing the parameters to the call as encoded in SOAP
  • the calling fid: a fedid object holding the caller's identity

Each method should return the python dict encoding the response or raise a service_error containing information about the error. The service_error class contains error codes (in either the XSD or python definitions.

Initialization

This is not an interface from the experiment controller, but we discuss it to mention the tools available for implementors. These include routines to save state and interpret the standard parts of the access database, including specializing for testbed dependent data. The method read_access(file, local_info_parser) takes the file to read and a function that takes the string following the access attribute and returns the local testbed attributes, stored into the self.access dict, keyed by the three-name being authorized. The ___init___() routine of source:fedd/trunk/federation/skeleton_access.py federation.skeleton_access] includes an example of this.

In addition, the initializer of the federation.access base class parses standard parameters from [access] section from the configuration file. The fields and corresponding class instance attributes are:

cert_file
The certificate file that contains the fedid that identifies this access controller. It is stored in self.cert_file.
cert_pw
Password for the certificate file, if any. Stored in self.cert_pw.
trusted_certs
Certificates used to validate the signatures of other fedd principals. Generally unused. Stored in self.trusted_certs.

Those first three attributes are initialized by the [access] section, if given, or [globals], if not.

access_state
The file storing persistent state. Stored in self.state_file.
certdir
Directory to store local certificates for allocations in. Stored in self.certdir.
project_priority
Affects the standard access lookup routines by preferring matches on project if true. Stored in self.project_priority, though most implementations will not need to access it.
create_debug
Intended to keep the plug-in from making any persistent changes to the facility. Plug-in writers are expected to honor it. It is stored in self.create_debug.
leave_tmpfiles
Intended to tell the plug-in not to delete temporary files. Plug-in writers are expected to honor it. Stored in self.cleanup, negated; that is if leave_tempfiles is false in the configuration self.cleanup is true. self.cleanup defaults to true.
type
Distinguishes between sub-types of the plug-in. Stored in self.access_type; semantics are up to the plug-in writer.
log_level
The level of log entries to pass to the logger. Any of the values in the standard python logging choices are acceptable. It is only stored as internal state of self.log, a logger allocated by the initializer.

Finally, the default initializer allocates a Lock to be acquired when accessing persistent state and reads that state from self.state_file.

The plug-in initializer is largely plug-in depenent, but must also set the methods to be called for each interface call in the self.soap_services and self.xmlrpcservices dicts.

RequestAccess

The RequestAccess command asks the testbed to map the three-level name on the call into local permissions and to do any bookkeeping associated with later attachment of resources to that allocation. Specifically, a fedid must be created. Requests from this allocation back to the central experiment controller will be made under that principal/fedid. Such requests gather configuration information or parameters passed between sub-experiments during creation. The per-allocation fedid allows fine-grained control of access to thie information at the experiment controller, as well as the ability to name (and therefore request operation on) the various allocations made on this plug-in.

A RequestAccess message has the following format:

request = {
    # list of strings of the form user:name project:name (these will be replaced by ABAC credentials in fedd 3.1)
    'credential': [ 'user:u', 'project:p' ]
    # Requested services
    'service': [
        # Each of these has an identifier, service name, server (optional), and a list of attributes as service parameters
        { 'id': '0001', 'name': 'project_export', 'visibility': 'export', 'fedAttr: [ { 'attribute': 'att_name', 'value': 'val1'} ] }
    ],
}

The credentials are opaquely and correctly handled by the access controller base class. Service requests encode the various services that the facility will be asked for in this allocation.

There are also some scheduling fields that are for future expansion. The DETER experiment controller never includes them.

The response message has the form:

response = {
    'allocID': { 'fedid': fedidobj },
    'service': [
        # The meta service 'export_project' in the request has become 2 actual service descriptions with the same ID as the request 
        { 'id': '0001', 'name': 'SMB', 'visibility': 'export', 'fedAttr: [ { 'attribute': 'att_name', 'value': 'val1'} ] } ] },
        { 'id': '0001', 'name': 'userconf', 'visibility': 'export', 'fedAttr: [ { 'attribute': 'att_name', 'value': 'val1'} ] },
     ]
}

The response includes the fedid of the allocation and the actual services exported. Note that in the example the single export_project request has become 2 specific service exports. See the [sources:fedd/trunk/federation/emulab_access.py emulab plug-in] for an example of how services are decoded and managed.

StartSegment

This is the operation where the plug-in has the most to do. The resources described in the segment description are attached to the allocation and configured to provide the various services, including interconnection with other testbeds.

The request has the format:

request = {
    'allocID' { 'fedid': fedid_obj },
    'segmentdescription': {
        'topdldescription': { 
             # a topdl description as a dict (see below)
        },
    },
    'service': [
        # The meta service 'export_project' in the request has become 2 actual service descriptions with the same ID as the request 
        { 'id': '0001', 'name': 'SMB', 'visibility': 'export', 'fedAttr: [ { 'attribute': 'att_name', 'value': 'val1'} ] } ] },
        { 'id': '0001', 'name': 'userconf', 'visibility': 'export', 'fedAttr: [ { 'attribute': 'att_name', 'value': 'val1'} ] },
     ],
     'connection': [ 
        {
        'type': 'transit',
        'portal': 'hostname',
        'peer': 'remote_hostname',
        'parameter': [
                  { 
                      # The parameter
                      'name': 'ssh_port', 
                      # Where to get it (local part of a url)
                      'key': 'djfahlshl/val',
                      # where to get it (host running the synchronized store)
                      'store': 'https://users.isi.deterlab.net:13232',
                      # Whether we need to send or receive the value
                      'type': 'output',
                   },
             ]
        }
    ],
}