TIED – Trial Integration Environment Based on DETER
QPR June 30 2010
Introduction
This quarter the members of the TIED project have focused on releasing the ProtoGENI plug-in code with attendant documentation and examples to make writing future plug-ins simple for developers. We also worked on creating a support framework for integrating ABAC with TIED components.
Major Accomplishments
- Release of fedd 3.00 which includes the ProtoGENI plug-in (Milestone S2.c delivered 30 Jun 2010)
- Additional documentation (part of the fedd 3.00 release) of the new features including:
  - The ProtoGENI plug-in source code
  - Plug-in interface descriptions
  - Sample, simple plug-in code to understand and start from
- Begun initial work on a lightweight ABAC implementation
Description of Work Performed During the Quarter
One of the key contributions of the TIED project is the ability to interconnect testbeds of different underlying architecture and programmatic interface to make unified experimental environments. This is accomplished through a very high-level experiment description architecture that is customizable at each participating testbed. The well defined interfaces provide a narrow waist at the points where testbeds interconnect.
The customization at the testbed interface is referred to as a TIED plug-in (or access controller). Plug-ins currently exist for testbeds that export an Emulab interface, for DRAGON/OSCARS provisioned interconnection networks, for DETER's internal interconnection network, and for ProtoGENI.
The work this quarter has focused on polishing, documenting and releasing the ProtoGENI plug-in that we designed, prototyped, and demonstrated last quarter. This code, along with supporting documentation and example code, is part of the fedd 3.00 release. This code will be the basis for the later GENIAPI plug-in; the GENIAPI will build on the same slice-based facility architecture (SFA) as ProtoGENI.
We summarize the major accomplishments below.
Improvements to the ProtoGENI Plug-in for Release
This quarter we extended last quarter's work on designing and prototyping the ProtoGENI plug-in. It supports allocation and integration of resources from the ProtoGENI facility into a TIED experiment. That plug-in was demonstrated as functional at GEC7 and has been polished and documented since then.
Though the code demonstrated at GEC7 was functional, it was not well factored for future extension nor was it easy to understand for new developers. This quarter that code was re-factored to meet those needs as well as being more extensively commented to promote developer understanding. In addition to re-factoring the ProtoGENI plug-in, we looked over our growing body of plug-ins and were able to abstract out common code and common tasks into a shared base class. This simplifies future plug-ins.
The base plug-in class supports reading and writing standard database formats as well as encapsulating much of the authorization decision making. This last feature will simplify our coming move to ABAC authorization control.
The plug-in is part of the fedd 3.00 release.
This code release meets the S2.c milestone, and is a stepping stone toward the S2.d and S2.f milestones.
ProtoGENI Plug-in and General Plug-in Documentation
One of the primary goals of TIED is to encourage as many facilities as possible to make their resources available to other TIED participants. To this end we want to encourage the simple development of plug-ins. We have now created enough plug-ins that we believe the model to be useful, and to lay out what can be done under it. One of the accomplishments this quarter has been to document these interfaces and provide simple, running sample code for developers to work from.
A high level view of the plug-in architecture is available from the ProtoGENI plug-in design document as well as from the fedd documentation. Those documents frame the basic design choices and control flow through a plug-in. Though they remain useful reading for plug-in developers, they do not describe the interfaces and parameters in sufficient detail to implement a new plug-in. The documentation released with fedd 3.0 includes the interface and parameter definitions that a developer will need.
In addition to the commented ProtoGENI plug-in source code and interface definitions, the distribution includes a minimal skeleton plug-in. That code can be run remotely to see the interfaces in action and can act as a starting point for new developers. The documentation includes detailed instructions for running the code locally.
In addition, DETER/TIED provides credentials and infrastructure to remotely exercise this and other plug-in code, in the form of globally available guest credentials and standard access databases. A developer can download and install fedd and make requests from the DETER site that are delivered to their local plug-in without any coordination with TIED (or DETER).
Finally, the documents describe how to dynamically load plug-in code into fedd. Developers can integrate their software into fedd without having access to the fedd source code. This document explains the conventions to follow to ensure that the plug-in is recognized and loaded.
Most of the documentation and example code described in this section goes beyond that strictly required by any particular milestone, but we believe it is essential to acceptance of the TIED model and code base.
ABAC Development
We believe that the ABAC authorization framework is a powerful and essential system for large scale, decentralized authorization. We are dedicated to realizing the system in a way that is useful to practical system designers. Wide scale adoption of the system requires new tools at a variety of levels as well as educating system designers about its power.
In order for ABAC to be integrated with existing systems, it needs to be realized in a portable, efficient library. The need for efficiency in an authorization system is probably self-evident. Portability is key so that ABAC can be integrated with applications across a range of control frameworks. While we have learned a considerable amount from our early efforts with high-level implementations of ABAC, we believe that a simplified, low-level prover library is a key next step in bringing ABAC to TIED and GENI. To that end we are developing such a library.
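To make concrete what a "prover" does in the paragraph above, here is an added illustration (not the TIED/fedd ABAC library, whose code this page does not show). It uses the RT0 flavour of ABAC credentials, in which an issuer grants a role directly to a principal (A.r ← B), delegates a role to another issuer's role (A.r ← B.r1), or links roles so that anyone in A.r1 may define A.r through their own r2 (A.r ← A.r1.r2). The principal and role names are constructed for the example; the prover computes role membership by forward-chaining the credential set to a fixpoint and then answers authorization queries against it.

```python
"""Minimal RT0-style ABAC credential prover (added illustration, not fedd code)."""
from collections import defaultdict

# Credential encodings assumed for this example:
#   ("member",  (A, r), B)             -> A.r <- B        (B holds role A.r)
#   ("contain", (A, r), (B, r1))       -> A.r <- B.r1     (every member of B.r1 holds A.r)
#   ("link",    (A, r), (A, r1), r2)   -> A.r <- A.r1.r2  (for each C in A.r1, members of C.r2 hold A.r)


def prove(credentials):
    """Forward-chain the credential set until no role gains a new member.

    Returns a dict mapping (issuer, role) -> frozenset of principals holding it.
    Roles only ever grow, and the credential set is finite, so this terminates.
    """
    members = defaultdict(set)
    changed = True
    while changed:
        changed = False
        for cred in credentials:
            kind, head = cred[0], cred[1]
            before = len(members[head])
            if kind == "member":
                members[head].add(cred[2])
            elif kind == "contain":
                members[head] |= members[cred[2]]
            elif kind == "link":
                _, _, linked_role, role2 = cred
                # Snapshot the linked role so the set does not change while we iterate.
                for principal in list(members[linked_role]):
                    members[head] |= members[(principal, role2)]
            else:
                raise ValueError(f"unknown credential kind {kind!r}")
            if len(members[head]) != before:
                changed = True
    return {role: frozenset(ps) for role, ps in members.items()}


def authorized(credentials, issuer, role, principal):
    """True iff the credentials prove that `principal` holds `issuer.role`."""
    return principal in prove(credentials).get((issuer, role), frozenset())


# Constructed sample policy: the federator (TIED) grants "access" to any member
# of a partner testbed, and each testbed controls its own membership. A principal
# that only vouches for itself (Mallory) never reaches TIED.access.
SAMPLE_CREDENTIALS = [
    ("member", ("DETER", "staff"), "carol"),                 # DETER.staff <- carol
    ("contain", ("DETER", "member"), ("DETER", "staff")),    # DETER.member <- DETER.staff
    ("member", ("DETER", "member"), "alice"),                # DETER.member <- alice
    ("member", ("Emulab", "member"), "bob"),                 # Emulab.member <- bob
    ("member", ("TIED", "partner"), "DETER"),                # TIED.partner <- DETER
    ("member", ("TIED", "partner"), "Emulab"),               # TIED.partner <- Emulab
    ("link", ("TIED", "access"), ("TIED", "partner"), "member"),  # TIED.access <- TIED.partner.member
    ("member", ("Mallory", "member"), "mallory"),            # Mallory.member <- mallory (no partner link)
]


if __name__ == "__main__":
    roles = prove(SAMPLE_CREDENTIALS)
    print("TIED.access =", sorted(roles[("TIED", "access")]))
    for who in ("alice", "carol", "bob", "mallory"):
        print(who, "->", authorized(SAMPLE_CREDENTIALS, "TIED", "access", who))
```

The point of the linked credential is that TIED never has to enumerate users: it delegates to whatever each partner testbed asserts about its own members, which is the decentralized delegation the paragraph above describes. A production prover would also check credential signatures and expiry before admitting a credential to the set; this illustration assumes every credential in the list has already been validated.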
Also key to ABAC acceptance is providing administrators and designers with the sort of high level tools that allow them to visualize and design an authorization and access policy that can be realized in ABAC terms. At GEC6 we demonstrated a simple application, the TIED attribute explorer, that provides a simple visualization of ABAC credentials and policies. While not a solution for large-scale complex policies, it may be a starting point for future work we are undertaking here.
Finally, we have committed, with our colleagues at Cobham, to present a tutorial/mini-workshop at GEC8 on ABAC and the tools currently available for working with it. This is part of our continuing effort to educate designers about, and evangelize, the merits of ABAC.
Project participants
- Individuals directly supported by TIED award:
  - John Wroclawski, PI
  - Ted Faber, Research Computer Scientist
  - Tom Lehman, Research Computer Scientist
- Individuals contributing to the project with outside support:
  - Jelena Mirkovic, Research Computer Scientist
  - Mike Ryan, Systems Programmer
  - Jay Jacobs, Systems Programmer
  - Brett Wilson, Systems Programmer
Publications
- Fedd 3.00 Documentation, http://fedd.isi.deterlab.net, Ted Faber
  - This describes the use of the TIED federation software including installation, configuration, and plug-in design and operation.
Collaborations
- Utah Emulab group (Rob Ricci and staff) – development and testing of the DETER Federation Architecture software and ProtoGENI debugging.
- WAIL (Paul Barford and staff) – development and testing of the DETER Federation Architecture software.
- Cobham/SPARTA (Steve Schwab, Jay Jacobs) – Development and prototyping of attribute based security models for federation. See discussion under Activities and Findings, above.
- Cobham/SPARTA (Steve Schwab, Brett Wilson) – Development of support for federated experiments within the SEER Experiment Control Environment.
- DRAGON project at ISI-East, CENIC, Los Nettos. VLAN interconnection and debugging.