Changes between Initial Version and Version 1 of OldFeddAbout


Ignore:
Timestamp:
Dec 10, 2008 1:34:45 PM (16 years ago)
Author:
faber
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • OldFeddAbout

    v1 v1  
     1= The DETER Federation Architecture (DFA) =
     2
     3This is a basic overview of the DETER federation system.  More details
     4on this implementation and configuration are in later documents.  You
     5can also read these academic papers that capture the evolution of the
     6design to this point.
     7
     8DFA is a system that allows a researcher to construct experiments that
     9span testbeds by dynamically acquiring resources from other testbeds and
     10configuring them into a single experiment.  As closely as possible that
     11experiment will mimic a single DETER/Emulab experiment.
     12
     13Though the experiment appears to be a cohesive whole, the testbeds that
     14loan the resources retain control of those resources.  Because testbeds
     15retain this control, each testbed may issue credential necessary for
     16manipulating the federated resources.  For example, a testbed that has
     17loaned nodes to an experiment may require the experimenter to present a
     18credential issued by that testbed (e.g., an SSH key or SSL certificate)
     19to reboot those nodes.  The system acquires those credentials on behalf
     20of experimenters and distributes them on behalf of testbeds.
     21
     22Testbed administrators may use the system to establish regular policies
     23between testbeds to share resources across many users of a testbed.
     24Similarly, a single user with accounts on multiple testbeds can use the
     25same interfaces to coordinate experiments that share his testbed
     26resource, assuming sharing those resources does not violate the policy
     27of any of the constituent testbeds.
     28
     29= Fedd: The DETER Federation Daemon =
     30
     31Fedd is the daemon process responsible for:
     32
     33 * Creating and terminating federated experiments
     34 * Requesting access to remote resources on an experimenter's behalf
     35 * Granting access to local resources based on the testbed's policy
     36
     37Generally fedd is configured by the testbed's administration to allow
     38controlled sharing of the resources, though the same software and
     39interfaces can be used by single users to coordinate federated
     40resources.
     41
     42Creating a federated experiment consists of breaking an annotated
     43experiment into sub-experiments, gaining access to testbeds that can
     44host those experiments, and coordinating the creation and connection of
     45those sub-experiments.  Fedd insulates the user from the various
     46complexities of creating sub-experiments and dealing with cleanup and
     47partial failures.  Once an experiment is created, fedd returns
     48credentials necessary to administer the experiment.
     49
     50On termination, fedd cleans up the various sub-experiments and
     51deallocates any dynamic resources or credentials.
     52
     53= Access Control =
     54
     55This section describes the basic model of access control that fedd
     56implements.  We start by explaining how users are represented between
     57fedds and then describe the process of acquiring and releasing access to
     58a testbed's resources.
     59
     60This section documents the current access control system of fedd.  It is
     61undergoing development.
     62
     63== Global Identifiers: Fedids ==
     64
     65In order to avoid collisions between local user names the DFA defines a
     66global set of names called DETER federation IDs, or more concisely
     67fedids.  A fedid has two properties:
     68
     69 * An entity claiming to be named by a fedid can prove it interactively
     70 * Two entities referring to the same fedid can be sure that they are referring to the same entity
     71
     72An example implementation of a fedid is an RSA public key.  An entity
     73claiming to be identified by a given public key can prove it by
     74responding correctly to a challenge encrypted by that key.  For a large
     75enough key size, collisions are rare enough that the second property
     76holds probabilistically.
     77
     78We adopt public keys as the basis for DFA fedids, but rather than tie
     79ourselves to one public key format, we use subject key identifiers as
     80derived using method (1) in RFC3280.  That is, we use the 160 bit SHA-1
     81hash of the public key.  While this allows a slightly higher chance of
     82collisions than using the key itself, the advantage of a single
     83representation in databases and configuration files outweighs the
     84increase in risk for this application.
     85
     86== Three-level Names ==
     87
     88In Emulab, projects are created by users within projects and those
     89attributes determine what resources can be accessed.  We generalized
     90this idea into a testbed, project, user triple that is used for access
     91control decisions.  A requester identified as ("DETER", "proj1",
     92"faber") is a user from the DETER testbed, proj1 project, user faber.
     93Testbeds contain projects and users, projects contain users, and users
     94do not contain anything.
     95
     96Parts of the triple can be left blank: (,,"faber") is a user named faber
     97without a testbed or project affiliation.
     98
     99Though the examples used simple strings, the outermost non-blank field
     100of a name must be a fedid to be valid, and are treated as the entity
     101asserting the name.  Contained fields can either be fedids or local
     102names.  This allows a testbed to continue to manage its namespace
     103locally.
     104
     105If DETER has fedid:1234 then the name (fedid:1234, "proj1", "faber")
     106refers to the DETER user faber in proj1, if and only if the requester
     107can prove they are identified by fedid:1234.  Note that by making
     108decisions on the local names a testbed receiving a request is trusting
     109the requesting testbed about the membership of those projects and names
     110of users.
     111
     112Testbeds make decisions about access based on these three level names.
     113For example, any user in the "emulab-ops" project of a trusted testbed may
     114be granted access to federated resources.  It may also be the case that
     115any user from a trusted testbed is granted some access, but that users
     116from the emulab-ops project of that testbed are granted access to more
     117kinds of resources.
     118
     119These three level names are used only for testbed access control.  All
     120other entities in the system are identified by a single fedid.
     121
     122== Granting Access: Emulab Projects ==
     123
     124Once a fedd has decided to grant a researcher access to resources, it
     125implements that decision by granting the researcher access to an Emulab
     126project with relevant permissions on the local testbed.  The terminology
     127is somewhat unfortunate in that the fedd is configured to grant access
     128based on the global three-level name that includes project and user
     129components and implements that decision by granting access to a local
     130Emulab project and Emulab user.
     131
     132The Emulab project to which the fedd grants access may exist and contain
     133static users and resource rights, may exist but be dynamically
     134configured by fedd with additional resource rights and access keys, or
     135may be created completely by fedd.  Completely static projects are
     136primarily used when a user wants to tie together his or her accounts on
     137multiple testbeds that do not bar that behavior, but do not run fedd.
     138
     139Whether to dynamically modify or dynamically create files depends
     140significantly on testbed administration policy and how widespread and
     141often federation is conducted.  In Emulabs projects are intended as
     142long-term entities, and creating and destroying them on a per-experiment
     143basis may not appeal to some users.  However, static projects require
     144some administrator investment per-project.
     145
     146= Experiments =
     147
     148A federated experiment exports a master testbed's runtime environment
     149into the other testbeds.  The resulting experiment exports the shared
     150file space of the home testbed, though a different filesystem, SMB, is
     151used to export it.  Emulab events can be sent to nodes throughout the
     152federated experiment, though some naming slight-of-hand may be required.
     153Users who want to reboot nodes or links in federated testbeds will need
     154to access those testbeds directly using the credentials provided by
     155fedd.
     156
     157Currently experiments are described in the same ns2 syntax that DETER
     158and Emulab use, except that additional annotations for the testbed on
     159which to place each node have been ad dded.  (The extension is
     160set-node-testbed, and described elsewhere.)  The testbed name here is a
     161local string meaningful to the experimenter.  Each fedd knows some set
     162of such strings, and experimenters can also inform fedd of the
     163appropriate mapping between local testbed name and fedd address to
     164contact.
     165
     166An experimenter creates an experiment by presenting it to a fedd that
     167knows him or her - usually the fedd on their local testbed - along with
     168the master testbed name, local Emulab project to export and local
     169mappings.  That fedd will map the local user into the global (testbed,
     170project, user) namespace and acquire and configure resources to create
     171the experiment.  A fedd may try different mappings of the experimenter
     172into the global namespace in order to acquire all the resources.  For
     173example a local experimenter may be a member of several local Emulab
     174projects that map into different global testbed-scoped projects.
     175
     176Once created the user receives the various keys under which he or she
     177can access the sub-experiment services and a local and global name by
     178which the experiment can be referenced.  (Experiments are identified by
     179fedids).  The local name is mnemonic and can be used locally to access
     180information about the experiment and to terminate it.  The experimenter
     181can suggest a name when requesting experiment creation.
     182
     183In order to create a fedid, a key pair is created.  The public and
     184private keys for the fedid representing the experiment are returned in
     185an encrypted channel from fedd to the requesting experimenter.  The
     186experimenter can use this key pair as a capability to grant access to the
     187experiment to other users.
     188
     189While an experiment exists, experimenters can access the nodes directly
     190using the credentials passed back and can acquire information about the
     191experiment's topology from fedd.  Only the experimenter who created it
     192or one given the capability to manipulate it can get this information.
     193
     194Finally, fedd will terminate an experiment on behalf of the experimenter
     195who created it, or one who has been granted control of it.  Fedd is
     196responsible for deallocating the running experiments and telling the
     197testbeds that this experimenter is done with their access.
     198
     199= Interfaces to fedd =
     200
     201The fedd interfaces are completely specified in WDSL and SOAP bindings.
     202For simplicity and backward compatibility, fedd can export the same
     203interfaces over XMLRPC, where the message formats are trivial
     204translations.
     205
     206All fedd accesses are through HTTP over SSL.  Fedd can support
     207traditional SSL CA chaining for access control, but the intention is to
     208use self-signed certificates representing fedids.  The fedid semantics
     209are always enforced.
     210
     211There are also several internal interfaces also specified in WSDL/SOAP
     212and accessible through XMLRPC used to simplify the distributed
     213implementation of fedd.  You can read about those in the development
     214section.