Changes between Initial Version and Version 1 of GEMINI_TopicsIssuesTasks

04/04/12 17:24:18 (9 years ago)



  • GEMINI_TopicsIssuesTasks

    v1 v1  
     1GEMINI Topics, Issues and Tasks
     3Notes and tasks from 3/22/12 GEMINI status call:
     4Additions and corrections after call on 3/27/12 with Martin:
     5Additions and corrections after team call on 3/29/12, and call on 3/30/12 with Jim:
     6Additions and changes after call with Martin and Jim on 4/4/12:
     91)  Discussion of authentication and authorization:  multiple actor options:
     11a)  tool (outside slice) to AggMgr srvc;  AM API;  XMl-RPC + ssl   [protoGENI cert + GENI credential]
     13b)  tool (outside slice) to host (Slice A);  ssh, scp    [private/public keys]
     15c)  tool (outside slice) to I&M srvc (Slice A);  http(s)   [in LAMP, browser to GUI, https with protoGENI cert]  [can private/public keys be used for access to a GUI?]  [in OMF, signed messages using private/public keys;  more details?]
     17d)  I&M srvc (Slice A) to I&M srvc (Slice A);  http(s)   [in LAMP, service to service, https with LAMP cert, from LAMP CA]    [in GIMI/OML, not using http;  what is done there?]
     19e)  I&M srvc (Slice A) to I&M srvc (Slice B);  http(s)   [in European perfSONAR, SOAP interface with security tokens]  [can delegated GENI credentials be used?]  {can credentials based on ABAC be used?]
     21f)  I&M srvc (Slice A) to UNIS srvc;  http(s)   [in LAMP, service to UNIS, https with protoGENI cert]
     23g)  tool (outside slice) to iRODS archive srvc;  what is interface to iRODS?  ftp(s)?  can it be http(s)?  how is authentication/authorization handled?   [need info from Shu]
     25h)  option:  I&M srvc (Slice A) to iRODS archive srvc;  is there any way to move data from MC direct to iRODS?  perhaps mount iRODS on node with MC?  [need info from Shu]
     302)  Discussion of authentication and authorization:  multiple methods:
     32a)  [for ssh, ssl, etc.]  private/public keys   
     34a')  [in OMF]  signed messages using private/public keys
     36b)  user certificates
     38c)  GENI credentials  (user and slice)
     40c')  [in IMF, GENI credentials included with XML messages, for authorization?  how?  reuse?]
     42d)  ABAC  [Harry:  GPO believes that ABAC may eventually be used for resource assignment, but not soon]  [What code is available from ISI?  Jim is checking with Teb Faber;  waiting for a response]
     44        ABAC references:
     45        Deter web site:
     46        Authorization storyboard from Jeff Chase:
     47        Slides on credential store from Jeff Chase:
     48        Slides on future of authorization in GENI from Tom Mitchell:  [note options without and with credential store]
     49        Summary of GENI authorization discussion at GEC13 (and before): 
     533)  Discussion of target protoGENI environments:
     55a)  servers:  relatively few;  public IP available
     57b)  VMs:  OpenVZ;  expect move to LXC;  internal to an aggregate, private host name, private IP addresses, need more details
     59c)  To date, all LAMP/periscope has been on servers
     61c')  Task:  try to run all LAMP nodes (or just common node) on VMs   (Matt Jaffe)
     63d)  To date, all INSTOOLS has been with MC on server, and MPs on VMs
     65e)  Task:  Try to run INSTOOLS MC in a VM;  Nasir on 3/30:  still runs, although might need some small code changes; but would need to open http port, perhaps with extension to rspec;  need to discuss with protoGENI (Jonathan Deurig) about adding to mapping agent;  Jim had discussed with Jonathan and Rob earlier, quite doable, but would have to restart mapping agent;  perhaps could "piggyback" on opening ssh port? 
     67f)  Task:  can ssh into public host name (or public IP) , with special 5+ digit port number (from manifest) from port map
     69g)  Task:  (see e) above) how to access http interface?  tunnel through ssh?  port map, like ssh?  perhaps could "piggyback" on opening ssh port?  setup a separate proxy? 
     71g')  New task:  **Review possible tunnel through ssh (or use fo ssh to forward http port), to reuse available ssh port mapping.  (who?)
     73g'')  New task:  ** Review port mapping for http, like ssh, with protoGENI, to see how it might be done (Nasir/Jim)
     75g''') New task:  **Review need within GENI/GPO to open ports, and implications for rspec  (Harry)
     77h)  Task:  what about vnc tunnels?  how were they done in INSTOOLS?   which port on host?  (who?)
     79i)  Task:  what happens when VMs are on multiple aggregates?   (who?)
     81j)  Task:  consider separate host for managing communications?  VM?  server?  centralized?  include pub/sub?  is this GENI Event Messaging Service?     (who?)
     874)  LAMP/Periscope questions:
     88Per call with Martin on 3/27/12:
     90a)  Question:  Is there a local UNIS, or not??   (Martin) Not yet;  needs to be, with push from local UNIS to global UNIS.
     92b)  How does UNIS authenticate/authorize when receiving data?   (Martin)  [in LAMP, service to UNIS, https with protoGENI cert]
     94c)  Question:  Use web interface on common node to configure services, tests;  how does this push config to UNIS?  What authentication/authorization steps are included?
     96d)  How is data transfer from service to service, in a single slice, authorized?  what keys/certificates/credentials are used?  what is held by each service?  (Martin)  [in LAMP, service to service, https with LAMP cert, from LAMP CA]
     1005)  Discussion of user workspace service:
     102Current view:    (Harry)
     104a)  Persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user;  could also have rspec store, etc.
     106b)  Place for tools, e.g., Gush and OMNI, and scripts;  can easily call one another;  not in slice;  could deal with multiple slices
     108c)  Place for "portals";  but what are they? (see below)
     110d)  Task:  Setup user workspace using server (or VM) in BBN Cambridge lab;  begin to include tools, etc .    (Jeanne) 
     111On 3/30/12:  Done on VM in BBN Cambridge lab, ubuntu 10.04, internal to BBN. 
     112**Next:  external to BBN
     114e)  Task: Consider VM to distribute user workspace  (Matt);  e.g, ubuntu on virtual box [similar to what has been done at GEC tutorials]
     116f)  Task:  What is required to secure keys/certificates/credentials?  passphrase?  other?  [Per Tom Mitchell, OMNI does not require passphrase, but FLACK does currently require passpharase]  [Per Jim protoGENI cert does require passphrase] [Vic to check with Steve Schwab;  need to balance security and ability ot use scripts.]
     118g)  Start with CNRI:  Directory Archive (DA) service, which can push data to DOA service, using OI service
     119Then replace DOA with iRODS
     120[Have iRODS at IU for NetKarma;  Jim and Wesley talking with Ilia and Shu]
     122h)  Include MDOD creator/editor  (CNRI, GPO)
     124i)  Task:  Need help with final formulation of MDOD   (Ezra?)
     126j)  Task:  Define view of user workspace service (Jeannie, Matt, Harry, Jim, Martin, Niky) 
     127[Jeanne to add security policy into view]
     1306)  Discussion of portals:
     132a)  Option 1:  "portal to UIs".  [Is this close to Jim's proposal?]
     134b)  Option 2:  a more complete tool for managing I&M services, as is implied in the SOW, so that it can view, orchestrate, edit MDOD, manage archiving, etc.  [Is this close to Max's proposal]
     136c)  Task:  understand options for authentication and authorization at a web interface.  (who?)
     138d)  Task: provide a more complete view of GEMINI portal service   (Harry, jim and Charles)
     140Task:  Jim and Charles plan to provide in a week or two.
     142Task:  Charles needs to find a name for the service 
     144After discussion on 3/31/12 with Jim, Harry feels that this is very close to Option 1:  "portal to UIs". 
     146Jim expects User to have a capable browser, e.g., one that runs HTML-5
     148Jim expects portal to manage windowing to various GUIs.
     150Jim expect all interactions to be via browser, so there are window(s) to login to shell(s), etc.
     152Jim does not specify whether browser is looking at GUI in slice, or a tool;  tools are not in a specified place.
     154Harry feels that portal and other tools are in a "user workspace",  in a persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user;  could also have rspec store, etc. ;  then, all tools have ready access to required info, and can readily call one another.
     156Harry thinks of "persistent Linux environment" on infrastructure, e.g., a server under your desk or in the lab;  not your laptop;  Jim agrees, and has thought portal would be hosted on infrastructure at Kentucky
     158Harry feels that this is just a strucutre, that there is much more work to define tools, interfaces, etc.;  Jim agrees, was concerned it was the final configuration.
     160Task:  Harry will modify drawing to reflect discussion with Jim, and then two perspectives can be compared.
     161Done on 4/4;  agree thatprotal can be in user workspace, or somewhere else.
     162See updated drawing.
     165e)  Task:  Understand NICTA's iREEL portal service;  is this a more complete tool for managing I&M services? 
     167Get login, and survey  (Jeanne)
     169Provide more info (NICTA, e.g., Christoph)
     1737)  Discussion of configuration to gather host metrics:
     175a)  Use BLiPP to gather host metrics   (Guilherme)
     177via libvirt?
     179via Shinken?
     181Talking to Dan about use cases for gathering host metrics. 
     183Could still use SNMP daemon from INSTOOLS  (Jim)
     185b)  BLiPP pushes to Measurement Store (MS)
     187Use http?  POST to port?  what about authentication and authorization?
     189Use XSP, for streaming?
     191c)  Need to realize MS
     193How many options?
     195One per Aggregate?
     197d)  Need to realize MAP service
     199Based on Periscope?
     201Include druple form INSTOOLS>
     203How is this integrated with MS?
     205e)  Uses UNIS (new version)
     207Uses RESTful interface, replaces older UNIS with SOAP interface
     209Allows drawing topology
     211Used to configure services?
     213Prototype underway (Ahmed)
     215**Concern:  incompatible with earlier UNIS, which will still be required (see 9) below.
     217e)  Later:  Extend to gathering data from an application
     219f)  Task:  Prototype soon  (Guilherme)
     221Need baseline configuration ASAP
     2268)  Steps towards GEMINI tutorial at GEC14
     228a)  Which aggregates, servers, hosts, etc.?
     230b)  Start with protoGENI tutorial?  LAMP tutorial?  INSTOOLS tutorial?
     232c)  Arrange user workspace (GPO, Jeannie)
     234d)  What is first configuration of tools (see below) ?  LAMP on VMs?  (who provides?)   test scripts?  (Jeannie)
     236e)  What is second configuration of tools (see below)?  BLiPP to measurement store, with presentation?  (Guilherme?)  when?  test scripts?  (Jeannie)
     2409)  First configuration, follows p15 Operator A slice, to collect network measurements, like LAMP project:
     242a)  Start:  each node on a server, with an available public IP address  (single aggregate or multiple aggregates)
     244a')  Second:  all nodes on VMs, or all nodes on VMs except common node on server
     246b)  One common node (e.g., node n+1) to:  configure measurements, collect data, present data
     248c)  Multiple measurement nodes (e.g., nodes 1, 2, ..., n)
     250d)  Start:  one slice, classic pS interface, with data pulled from measurement node, authorized with GENI credential or ?
     252e)  Global UNIS as shown;  include local UNIS on common node
     254f)  Load software onto common node with image;  as option, use wget
     256g)  Load software onto measurement node with image;  as option, load after app with wget
     258h)  Use web interface on common node to configure services, tests, like LAMP;  how does this push config to UNIS??  How do we let only user do this with keys, etc.
     260i)  Use web interface on common node to present/observe data, like LAMP  How do we let only user do this with keys, etc.
     262j)  Demo all of the perfSONAR network performance tools, tests, as was done in LAMP project
     264k)  Extension:  pull data from one slice to another, as shown in p15 from Operator A to Operator B;  authorize using GENI credentials
     266k)  Provide regression tests of various configurations, features, etc., driven by scripts
     268l)  Provide tutorial for users at GEC14.
     27210)  Second configuration to support basic host monitoring using BLiPP, like p15 Experimenter C slice  What this means:  no SNMP daemon
     274**Concern:  Per 7) above, still defining intial configuration;  need firm plan to meet GEC14 goals;  or do we start with earlier INSTOOLS code?
     276a)  Introduces push of data to common node;  what protocol?  http?  XSP?  (is this GENI Event Messaging Service?)
     278b)  Need to organize presentation of data at a web interface;  like INSTOOLS?  Introduce DRUPLE into periscope? (plan Dec 2012)
     280c)  Extend:  gather data from user's application (like OML client)
     282d)  Provide regression tests of various configurations, features, etc., driven by scripts
     284e)  Provide tutorial for users at GEC14.
     28711)  GEMINI project documentation
     289a)  Code on IU github
     291Good:  all relevant code appears to be here, including Kentuck code
     293b)  Jira
     295Good:  being used by IU to track project
     297**Concern:  Kentucky effort not reflected here
     299c)  GENI trac for GEMINI
     301Include TopicsTasksIssues
     303Include drawings