wiki:DRAFT_GAPI_AM_API_V3

Version 1 (modified by tmitchel@bbn.com, 7 years ago) (diff)

--

Proposed changes for GENI Aggregate Manager API version 3

If this is all approved, there will be a lot in APIv3.

Clients are reminded that these methods are requests - based on the AM type and resource types, these requests may fail or not make sense. Clients should watch for UNSUPPORTED returns.

AMs are encouraged to implement as much of this API as reasonable to provide a common front for clients. When a function is not possible, return UNSUPPORTED, document publicly what functions do work, and suggest alternative ways to get the result the client desired.

We will aim for an agreement on what the new methods/constructs will be at GEC13. We plan on driving out details (syntax, semantics, error codes) after the GEC. We will not worry before or at GEC13 about specific error codes, details of certificate or credential formats, or such things.

Summary

Proposed Changes

At the top level, the proposed changes for AM API v3 include:

  • Add methods using tickets to do negotiated reservations
  • Add UpdateSliversNow to immediately modify your reservation
  • Change methods to clarify that there may be multiple slivers per slice at an AM, and to allow operating on individual slivers
  • Define sliver states, and the state changes that various methods cause
  • Add a new general ActOnSlivers method allowing AMs to support AM and resource-type specific operations
  • Generalize the credentials argument, allowing ABAC support
  • Clarify: a 2nd call to CreateSliver means replace the previous reservation for the slice
  • SliverStatus return structure includes sliver expiration
  • SliverStatus return includes SSH logins/key for nodes that support SSH access
  • Support proxy aggregates with 2 new options and aggregate SSL client certificate authorization rules
  • Standardize certificate contents to include a real serial number, holder email, holder uuid, and authority URL
  • Define slice ID as the UUID in slice certificates
  • Define slice name, sliver name, and username restrictions, and similar for URNs
  • Standardize credential privileges
  • Publish schemas for credentials and certificates
  • Various RSpec schema changes, resulting in GENI v4 RSpecs

Tickets

APIv3 adds support for negotiated reservations or two-phase commit, by ADDing methods that allow an experimenter to reserve resources for a slice without committing to using them, or forcing the AM to incur the cost of instantiating them.

Methods

  1. GetTicket (slice_urn, credentials[], requestRSpec, options {geni_start_time, geni_end_time, others})
  • Return: ticket; state: ticketed
  • Re start/end: if left out then start is 'now or really soon' and end is the default sliver duration.
  1. RedeemTicket(slice_urn, credentials[], ticket, users (as in CreateSlivers), options)
  • Return: manifest RSpec & end time; state: ??
  • FIXME: State after RedeemTicket: started? Or do you have to use ActOnSlivers to do that?
  1. ReleaseTicket(slice_urn, credentials, ticket, options)
  • Return: True or error
  1. UpdateTicket (atomic release/get) (slice_urn, credentials[], requestRSpec, ticket, options {geni_start_time, geni_end_time, others})
  • Re start/end: if left out then start is 'now or really soon' and end is the default sliver duration.
  • Return: Ticket; state: ticketed
  1. UpdateSliversWithTicket (slice_urn, credentials[], requestRSpec (or edited manifest), options {geni_start_time, geni_end_time})
  • Re start/end: if left out then start is 'now or really soon' and end is the default sliver duration.
  • Return: ticket; state: ?ticketed?

UpdateSliversNow and sliver-specific operations

A slice may have multiple slivers at a single AM. Experimenters can operate on slivers independently, if the AM supports it. AMs define slivers as groups of resources, and give them locally unique sliver_urns for identifying that group of resources.

UpdateSliversNow

  • Add new method UpdateSliversNow
    • Takes full request RSpec of desired final state
      • FIXME: Want manifest to be readily modifiable to be a request (include component_ids and sliver_ids)
      • FIXME: Could call this just 'RSpec' and let the AMs decide if this is diff or full? This leaves the window open for Ilia to implement the diff version if he wants. But it is less clean I think. So I think no.
    • AMs may, as always, return UNSUPPORTED
    • As with CreateSlivers, AM should start/restart resources immediately, as necessary.
    • Request is either fully satisfied, or fails.
    • See UpdateSliversWithTicket above
    • AMs must document the level of service they provide: will any state be lost on existing resources?
      • FIXME: ideally this would be a per node or resource-type specification
      • FIXME: Could allow experimenter to specify what level of disruption they can tolerate? EG I can live with losing in memory state, but not with losing disk state.
struct UpdateSliversNow(string slice_urn,
                    string credentials[],
                    <GENIV3 request RSpec schema compliant XML string> rspec,
                    struct users[],
  		    struct options)
return value is GENI v3 Manifest RSpec string

This method moves the overall sliver to configuring and then ready if it succeeds.

Addressable Slivers

  • Modify some existing methods to clarify that they act on 1+ slivers
    • CreateSliver -> CreateSlivers
    • RenewSliver -> RenewSlivers
    • DeleteSliver -> DeleteSlivers
    • SliverStatus -> SliversStatus
  • Some methods that take slice_urn now take urn that may be slice or sliver
    • RenewSlivers, DeleteSlivers, SliversStatus
    • AMs are free to refuse to Renew, Delete, or provide status on an individual sliver, if the local AM or that resource type does not support it.
      • AMs should return an error message that indicates 'use UpdateSliversNow!'
      • E.G. renewing part of a reservation but not all has the same issues as UpdateSliversNow with only a partial RSpec: dependencies or implications on other parts of the slice at this AM may be unclear.
      • FIXME: If we dislike this, then we only rename the methods and don't allow the sliver_urn argument here

Support AM and resource-type specific methods.

In other words, define the control API (the AM API) as about moving slices through various states at an AM.

ActOnSliver

Generic action for acting on slivers in an AM or resource type specific way

  • ActOnSlivers(command, credentials[], URN, requested_state, options)
  • return is a struct that includes: URN, newState, and any others
  • URN may be slice or sliver
  • state is the state of the sliver or slice. Values may be one of the geni status values, or AM-specific

Define Sliver States

Define explicitly states of slivers or the whole slice at an AM:

1) add 'ticketed', 'allocated', 'shutdown', 'closed' as standard geni_status values in SliversStatus

(ticketed being the state after GetTicket, allocated after RedeemTicket but before start, Shutdown for after shutdown, and closed for after Delete)

2) State that AMs are encouraged to add their own states (ie AMs are encouraged to have an am_specific status field with other values)

  • AMs must document these states. This API does not define how or where.

(Question: Can they use those values where we call for a single state? Do we add a parallel am_specific_state? If so, we need some geni states that make sense being modified.)

3) Specify an additional optional member of the return struct for CreateSlivers, DeleteSlivers, Shutdown: geni_status, which contains one of those values

  • plus for a bunch of the new methods

4) Clarify in the API that calling CreateSlivers moves the sliver through ticketed, allocated, configuring, and then ready (or failed or unknown on error) 5) Similarly clarify that DeleteSlivers changes from allocated/configuring/ready/unknown/failed to closed (or failed or unknown) 6) Shutdown moves from allocated/configuring/ready/unknown/failed to shutdown

There are specific rules for rolling up states or operating.

  • If not all resources in the sliver/slice can be moved to the desired next state, then the call fails. (All or nothing)
  • Status that is reported rolls up similarly: The slice is ready only when all slivers are ready. The slice is failed when any slivers are failed. Whem moving from state 1 to 2, the slice is in 1 until all slivers are in 2 (ticketed->allocated, allocated -> configuring, configuring->ready)
  • unknown and closed are different: some slivers can be unknown - slice follows the rest. Similarly closed. Unless all slivers are unknown/closed.

Credentials are general authorization tokens.

This change modifies the credentials argument to all methods. Each credential is now defined only as a signed document. A given list of credentials may contain credentials in multiple formats. The list may be empty. A given authorization policy at an AM may require 0, 1, or many credentials.

  • AM may get other authorization material from other sources: EG a future Credential Store service.
  • An AM must pick credentials out of the list that it understands and be robust to receiving credentials it does not understand.
  • AMs are required to continue to accept current-format credentials.
    • In particular, a single standard slice credential remains sufficient for most authorization policies.
  • Other credential formats might include ABAC x509 Attribute certificates, eg.

Changes to existing methods

Proxy aggregate managers are supported

  • Define a new option geni_am_id for all methods. Proxy AMs may use this ID to look up the URL of the real AM, and pass the call along.
  • Define a new option geni_experimenter_urn. Proxy AMs will retrieve the experimenter URN from the subjectAltName of the client SSL certificate, and then supply this value in calls to the 'real AM' where the call is being redirected.
  • Require that AMs support separately authorizing accepted SSL client certficiates, from authorizing accepted certificates in credentials. In particular, proxiable AMs must support restricting client connections to their configured proxy AM, while succesfully validating all certificates in authorized slice credentials.

Others

  • ListResources returns a struct, 1 member is RSpec, other is list of tickets (but see below) To support retrieving open tickets.
  • CreateSlivers takes full RSpec, it is not 'add'. 2nd such call means update. Just clarifying from AM API v1
  • Add ssh logins/keys to each node that supports SSH login in SliversStatus (but see below)
    'users' => [{'urn'   => $user1_urn.
                 'login' => $login,
                 'keys'  => [...] },
                {'urn'   => $user2_urn.
                 'login' => $login,
                 'keys'  => [...] }
               ]
    

Standardize certificates and credentials

  • Standardize contents
    • Certificates: real serial number, users have email, slices have email, slices have uuid, users too?,
      • URL of the issuing authority?
  • Specify a slice ID (require UUID in slice certs?)
  • Standardize slice and user name and URN restrictions
    • Usernames are case-insensitive internally, though they may be case-sensitive in display
      • . allowed? Limited to 8 characters?
    • Slice names are <=19 characters, only alphanumeric plus hyphen not in first character ('^[a-zA-Z0-9][-a-zA-Z0-9]+$')
      • Require PL do something?
  • Define sliver_urn as following same rules as slice_urns, ditto sliver names
    • urn:publicid:IDN:<am name>+sliver+<sliver name>
  • Revocation/expiration policy & procedures
  • Publish schemas for certificates & credentials on geni.net

Change SFA credentials' privileges

Our goal is to simplify and standardize privilege strings. Currently there are wildcards, bind, embed, and others. We also want extensibility. Kinds of operations:

  • Learn about the slice
  • Add/Modify/Delete resources in the slice
  • Read slice details like I&M?
  • Use the slice

Proposal

  • CanWrite
  • CanRead
  • CanReadDetails
  • CanUse

RSpec changes resulting in GENI v4 RSpecs

  • Support unbound manifests
  • Make manifest an extension of Request, so you can readily edit & resubmit a manifest
  • Make configuration information in request and manifest optional, so it can be supplied/returned separately
  • Fully implement the compute ontology from Ilia
  • Ilia's other requests
  • Document process for updates per my dev list email