Changes between Initial Version and Version 1 of GEMINI_TopicsIssuesTasks


Timestamp:
04/04/12 17:24:18 (8 years ago)
Author:
hmussman@bbn.com
GEMINI Topics, Issues and Tasks

Notes and tasks from 3/22/12 GEMINI status call:
Additions and corrections after call on 3/27/12 with Martin:
Additions and corrections after team call on 3/29/12, and call on 3/30/12 with Jim:
Additions and changes after call with Martin and Jim on 4/4/12:
     7
     8
1)  Discussion of authentication and authorization:  multiple actor options:

a)  tool (outside slice) to AggMgr srvc;  AM API;  XML-RPC + ssl   [protoGENI cert + GENI credential]

b)  tool (outside slice) to host (Slice A);  ssh, scp    [private/public keys]

c)  tool (outside slice) to I&M srvc (Slice A);  http(s)   [in LAMP, browser to GUI, https with protoGENI cert]  [can private/public keys be used for access to a GUI?]  [in OMF, signed messages using private/public keys;  more details?]

d)  I&M srvc (Slice A) to I&M srvc (Slice A);  http(s)   [in LAMP, service to service, https with LAMP cert, from LAMP CA]    [in GIMI/OML, not using http;  what is done there?]

e)  I&M srvc (Slice A) to I&M srvc (Slice B);  http(s)   [in European perfSONAR, SOAP interface with security tokens]  [can delegated GENI credentials be used?]  [can credentials based on ABAC be used?]

f)  I&M srvc (Slice A) to UNIS srvc;  http(s)   [in LAMP, service to UNIS, https with protoGENI cert]

g)  tool (outside slice) to iRODS archive srvc;  what is interface to iRODS?  ftp(s)?  can it be http(s)?  how is authentication/authorization handled?   [need info from Shu]

h)  option:  I&M srvc (Slice A) to iRODS archive srvc;  is there any way to move data from MC direct to iRODS?  perhaps mount iRODS on node with MC?  [need info from Shu]
     26
     27
     28
     29
2)  Discussion of authentication and authorization:  multiple methods:

a)  [for ssh, ssl, etc.]  private/public keys

a')  [in OMF]  signed messages using private/public keys

b)  user certificates

c)  GENI credentials  (user and slice)

c')  [in IMF, GENI credentials included with XML messages, for authorization?  how?  reuse?]

d)  ABAC  [Harry:  GPO believes that ABAC may eventually be used for resource assignment, but not soon]  [What code is available from ISI?  Jim is checking with Ted Faber;  waiting for a response]

        ABAC references:
        Deter web site: http://abac.deterlab.net/
        Authorization storyboard from Jeff Chase:  http://groups.geni.net/geni/wiki/AuthStoryBoard
        Slides on credential store from Jeff Chase:  http://groups.geni.net/geni/attachment/wiki/AuthStoryBoard/certstore.ppt
        Slides on future of authorization in GENI from Tom Mitchell:  http://groups.geni.net/geni/attachment/wiki/GEC13Agenda/Authorization/AuthFuture.pdf  [note options without and with credential store]
        Summary of GENI authorization discussion at GEC13 (and before):  http://groups.geni.net/geni/wiki/GeniAuthorization
     50
     51
     52
3)  Discussion of target protoGENI environments:

a)  servers:  relatively few;  public IP available

b)  VMs:  OpenVZ;  expect move to LXC;  internal to an aggregate, private host name, private IP addresses, need more details

c)  To date, all LAMP/periscope has been on servers

c')  Task:  try to run all LAMP nodes (or just common node) on VMs   (Matt Jaffe)

d)  To date, all INSTOOLS has been with MC on server, and MPs on VMs

e)  Task:  Try to run INSTOOLS MC in a VM;  Nasir on 3/30:  still runs, although might need some small code changes; but would need to open http port, perhaps with extension to rspec;  need to discuss with protoGENI (Jonathan Duerig) about adding to mapping agent;  Jim had discussed with Jonathan and Rob earlier, quite doable, but would have to restart mapping agent;  perhaps could "piggyback" on opening ssh port?

f)  Task:  can ssh into public host name (or public IP), with special 5+ digit port number (from manifest) from port map

g)  Task:  (see e) above) how to access http interface?  tunnel through ssh?  port map, like ssh?  perhaps could "piggyback" on opening ssh port?  setup a separate proxy?

g')  New task:  **Review possible tunnel through ssh (or use of ssh to forward http port), to reuse available ssh port mapping.  (who?)

g'')  New task:  ** Review port mapping for http, like ssh, with protoGENI, to see how it might be done (Nasir/Jim)

g''') New task:  **Review need within GENI/GPO to open ports, and implications for rspec  (Harry)

h)  Task:  what about vnc tunnels?  how were they done in INSTOOLS?   which port on host?  (who?)

i)  Task:  what happens when VMs are on multiple aggregates?   (who?)

j)  Task:  consider separate host for managing communications?  VM?  server?  centralized?  include pub/sub?  is this GENI Event Messaging Service?     (who?)
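As an added example for tasks g) and g') above (not code from the GEMINI project or from protoGENI), the following shell function builds the ssh local-forward command that reaches a VM node's http interface through the ssh port protoGENI already maps for that node, so no new http port mapping or rspec extension is needed. The host name, login name, port numbers and the 5+ digit range check are assumptions taken from the notes, not values from any real manifest.

```shell
#!/bin/sh
# Added example, not part of the GEMINI notes or protoGENI: reuse the
# port-mapped ssh port of a VM node to reach its http interface by
# forwarding a local port through ssh (no http port opening required).
# Host, user and port values are assumptions for illustration.

# Build the ssh command for a local port forward.
#   $1 = public host name (or IP) from the manifest
#   $2 = mapped ssh port from the manifest (5+ digits per the notes)
#   $3 = http port the service listens on inside the node (e.g. 80)
#   $4 = local port to listen on
#   $5 = login name on the node
# Prints the command on stdout; returns 1 if the ssh port is not sane.
gemini_http_tunnel_cmd() {
    host=$1; sshport=$2; remote_http=$3; local_port=$4; user=$5
    case "$sshport" in
        *[!0-9]*|'') echo "invalid ssh port: $sshport" >&2; return 1 ;;
    esac
    # A mapped port below 1024 or above 65535 means the manifest was misread.
    if [ "$sshport" -lt 1024 ] || [ "$sshport" -gt 65535 ]; then
        echo "ssh port out of range: $sshport" >&2; return 1
    fi
    # -N: open no remote shell, only the forward.
    # -L local_port:127.0.0.1:remote_http: connections to the local port are
    #    carried over ssh and delivered to the node's own loopback http port,
    #    so the http port never has to be reachable from outside the node.
    # -o ExitOnForwardFailure=yes: a script notices if the local port is busy.
    printf 'ssh -N -o ExitOnForwardFailure=yes -p %s -L %s:127.0.0.1:%s %s@%s\n' \
        "$sshport" "$local_port" "$remote_http" "$user" "$host"
}

# Usage on constructed values: after running the printed command in the
# background, the node's web interface is reachable at http://localhost:8080/
gemini_http_tunnel_cmd pc1.example.net 30522 80 8080 alice
```

Authentication is unchanged by the forward: the same private/public key pair used for plain ssh login (item 1b above) authenticates the tunnel, and the http service behind it still needs its own login if it is not meant to trust every ssh user on the node.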
     82
     83
     84
     85
     86
4)  LAMP/Periscope questions:
Per call with Martin on 3/27/12:

a)  Question:  Is there a local UNIS, or not??   (Martin) Not yet;  needs to be, with push from local UNIS to global UNIS.

b)  How does UNIS authenticate/authorize when receiving data?   (Martin)  [in LAMP, service to UNIS, https with protoGENI cert]

c)  Question:  Use web interface on common node to configure services, tests;  how does this push config to UNIS?  What authentication/authorization steps are included?

d)  How is data transfer from service to service, in a single slice, authorized?  what keys/certificates/credentials are used?  what is held by each service?  (Martin)  [in LAMP, service to service, https with LAMP cert, from LAMP CA]
     97
     98
     99
5)  Discussion of user workspace service:

Current view:    (Harry)

a)  Persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user;  could also have rspec store, etc.

b)  Place for tools, e.g., Gush and OMNI, and scripts;  can easily call one another;  not in slice;  could deal with multiple slices

c)  Place for "portals";  but what are they? (see below)

d)  Task:  Setup user workspace using server (or VM) in BBN Cambridge lab;  begin to include tools, etc.    (Jeanne)
On 3/30/12:  Done on VM in BBN Cambridge lab, ubuntu 10.04, internal to BBN.
**Next:  external to BBN

e)  Task: Consider VM to distribute user workspace  (Matt);  e.g., ubuntu on virtual box [similar to what has been done at GEC tutorials]

f)  Task:  What is required to secure keys/certificates/credentials?  passphrase?  other?  [Per Tom Mitchell, OMNI does not require passphrase, but FLACK does currently require passphrase]  [Per Jim protoGENI cert does require passphrase] [Vic to check with Steve Schwab;  need to balance security and ability to use scripts.]

g)  Start with CNRI:  Directory Archive (DA) service, which can push data to DOA service, using OI service
Then replace DOA with iRODS
[Have iRODS at IU for NetKarma;  Jim and Wesley talking with Ilia and Shu]

h)  Include MDOD creator/editor  (CNRI, GPO)

i)  Task:  Need help with final formulation of MDOD   (Ezra?)

j)  Task:  Define view of user workspace service (Jeannie, Matt, Harry, Jim, Martin, Niky)
[Jeanne to add security policy into view]
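For task f) above, one check a workspace security policy can script is whether the private keys in the user's key store are passphrase-protected at rest. The functions below are an added example (not code from the GEMINI project, OMNI, FLACK or protoGENI); the directory layout and file names are assumptions, and the key files the demo writes are constructed placeholders with the right PEM headers, not real keys.

```shell
#!/bin/sh
# Added example, not part of the GEMINI notes: audit a user workspace's
# key store for private keys stored without a passphrase. File names and
# the store location are assumptions; sample files are constructed.

# Returns 0 if the PEM key file is passphrase-protected, 1 if it is not,
# 2 if the file is not a private key, 3 if the format cannot be judged
# from the headers alone (new-style OpenSSH keys keep the cipher name
# inside the base64 body, so only ssh-keygen can tell for those).
key_is_encrypted() {
    f=$1
    [ -r "$f" ] || return 2
    grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f" || return 2
    # Traditional PEM (RSA/DSA/EC) keys carry an explicit header when encrypted.
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
    # PKCS#8 puts the marker in the BEGIN line itself.
    grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f" && return 0
    # New OpenSSH format: undecidable here; "ssh-keygen -y -P '' -f FILE"
    # fails when a passphrase is required.
    grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f" && return 3
    return 1
}

# Print every file under $1 that is a private key with no passphrase.
unprotected_keys() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        rc=0; key_is_encrypted "$f" || rc=$?
        [ "$rc" -eq 1 ] && echo "$f"
    done
    return 0
}

# Write constructed placeholder files (not real keys) into $1 for a demo.
make_sample_keys() {
    dir=$1
    mkdir -p "$dir"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'PLACEHOLDERBASE64' '-----END RSA PRIVATE KEY-----' > "$dir/id_rsa_protected"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBASE64' \
        '-----END RSA PRIVATE KEY-----' > "$dir/id_rsa_plain"
    # A certificate is public material and must not be flagged.
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' \
        '-----END CERTIFICATE-----' > "$dir/geni_cert.pem"
}

# Demo on the constructed samples; prints only id_rsa_plain.
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
unprotected_keys "$demo_dir"
rm -rf "$demo_dir"
```

The usual way to keep a passphrase on the key and still let scripts (OMNI, test scripts) run unattended is to load the key once into ssh-agent for the session rather than storing it unencrypted; that is the balance task f) asks about, and this audit catches the keys for which it has not been done.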
     128
     129
6)  Discussion of portals:

a)  Option 1:  "portal to UIs".  [Is this close to Jim's proposal?]

b)  Option 2:  a more complete tool for managing I&M services, as is implied in the SOW, so that it can view, orchestrate, edit MDOD, manage archiving, etc.  [Is this close to Max's proposal?]

c)  Task:  understand options for authentication and authorization at a web interface.  (who?)

d)  Task: provide a more complete view of GEMINI portal service   (Harry, Jim and Charles)

Task:  Jim and Charles plan to provide in a week or two.

Task:  Charles needs to find a name for the service

After discussion on 3/31/12 with Jim, Harry feels that this is very close to Option 1:  "portal to UIs".

Jim expects User to have a capable browser, e.g., one that runs HTML-5

Jim expects portal to manage windowing to various GUIs.

Jim expects all interactions to be via browser, so there are window(s) to login to shell(s), etc.

Jim does not specify whether browser is looking at GUI in slice, or a tool;  tools are not in a specified place.

Harry feels that portal and other tools are in a "user workspace",  in a persistent Linux environment, with file system, key/certificate/credential store, dedicated to the user;  could also have rspec store, etc.;  then, all tools have ready access to required info, and can readily call one another.

Harry thinks of "persistent Linux environment" on infrastructure, e.g., a server under your desk or in the lab;  not your laptop;  Jim agrees, and has thought portal would be hosted on infrastructure at Kentucky

Harry feels that this is just a structure, that there is much more work to define tools, interfaces, etc.;  Jim agrees, was concerned it was the final configuration.

Task:  Harry will modify drawing to reflect discussion with Jim, and then two perspectives can be compared.
Done on 4/4;  agree that portal can be in user workspace, or somewhere else.
See updated drawing.


e)  Task:  Understand NICTA's iREEL portal service;  is this a more complete tool for managing I&M services?

Get login, and survey  (Jeanne)

Provide more info (NICTA, e.g., Christoph)
     170
     171
     172
7)  Discussion of configuration to gather host metrics:

a)  Use BLiPP to gather host metrics   (Guilherme)

via libvirt?

via Shinken?

Talking to Dan about use cases for gathering host metrics.

Could still use SNMP daemon from INSTOOLS  (Jim)

b)  BLiPP pushes to Measurement Store (MS)

Use http?  POST to port?  what about authentication and authorization?

Use XSP, for streaming?

c)  Need to realize MS

How many options?

One per Aggregate?

d)  Need to realize MAP service

Based on Periscope?

Include Drupal from INSTOOLS?

How is this integrated with MS?

e)  Uses UNIS (new version)

Uses RESTful interface, replaces older UNIS with SOAP interface

Allows drawing topology

Used to configure services?

Prototype underway (Ahmed)

**Concern:  incompatible with earlier UNIS, which will still be required (see 9) below).

e)  Later:  Extend to gathering data from an application

f)  Task:  Prototype soon  (Guilherme)

Need baseline configuration ASAP
     222
     223
     224
     225
8)  Steps towards GEMINI tutorial at GEC14

a)  Which aggregates, servers, hosts, etc.?

b)  Start with protoGENI tutorial?  LAMP tutorial?  INSTOOLS tutorial?

c)  Arrange user workspace (GPO, Jeannie)

d)  What is first configuration of tools (see below)?  LAMP on VMs?  (who provides?)   test scripts?  (Jeannie)

e)  What is second configuration of tools (see below)?  BLiPP to measurement store, with presentation?  (Guilherme?)  when?  test scripts?  (Jeannie)
     237
     238
     239
9)  First configuration, follows p15 Operator A slice, to collect network measurements, like LAMP project:

a)  Start:  each node on a server, with an available public IP address  (single aggregate or multiple aggregates)

a')  Second:  all nodes on VMs, or all nodes on VMs except common node on server

b)  One common node (e.g., node n+1) to:  configure measurements, collect data, present data

c)  Multiple measurement nodes (e.g., nodes 1, 2, ..., n)

d)  Start:  one slice, classic pS interface, with data pulled from measurement node, authorized with GENI credential or ?

e)  Global UNIS as shown;  include local UNIS on common node

f)  Load software onto common node with image;  as option, use wget

g)  Load software onto measurement node with image;  as option, load after app with wget

h)  Use web interface on common node to configure services, tests, like LAMP;  how does this push config to UNIS??  How do we let only user do this with keys, etc.?

i)  Use web interface on common node to present/observe data, like LAMP;  how do we let only user do this with keys, etc.?

j)  Demo all of the perfSONAR network performance tools, tests, as was done in LAMP project

k)  Extension:  pull data from one slice to another, as shown in p15 from Operator A to Operator B;  authorize using GENI credentials

k)  Provide regression tests of various configurations, features, etc., driven by scripts

l)  Provide tutorial for users at GEC14.
     269
     270
     271
10)  Second configuration to support basic host monitoring using BLiPP, like p15 Experimenter C slice.  What this means:  no SNMP daemon

**Concern:  Per 7) above, still defining initial configuration;  need firm plan to meet GEC14 goals;  or do we start with earlier INSTOOLS code?

a)  Introduces push of data to common node;  what protocol?  http?  XSP?  (is this GENI Event Messaging Service?)

b)  Need to organize presentation of data at a web interface;  like INSTOOLS?  Introduce Drupal into periscope? (plan Dec 2012)

c)  Extend:  gather data from user's application (like OML client)

d)  Provide regression tests of various configurations, features, etc., driven by scripts

e)  Provide tutorial for users at GEC14.
     285
     286
11)  GEMINI project documentation

a)  Code on IU github

Good:  all relevant code appears to be here, including Kentucky code

b)  Jira

Good:  being used by IU to track project

**Concern:  Kentucky effort not reflected here

c)  GENI trac for GEMINI

Include TopicsTasksIssues

Include drawings