Changes between Initial Version and Version 1 of PLfed/VICCIPolicyConfig

Timestamp:
04/14/11 15:46:47 (13 years ago)
Author:
acb@cs.princeton.edu
Comment:

--

  • PLfed/VICCIPolicyConfig

== VICCI Policy Configuration ==

The control framework of the [http://vicci.planet-lab.org VICCI testbed] is based on [http://svn.planet-lab.org/wiki/MyPLCUserGuide MyPLC] and supports the [http://groups.geni.net/geni/wiki/GeniApi GENI AM API].  Access to VICCI via the GENI AM API is limited to a set of approved PlanetLab slices (a "whitelist").  Only whitelisted slices are able to list and allocate VICCI resources.  The whitelist is enforced by the [http://svn.planet-lab.org/raw-attachment/wiki/WikiStart/sfatables.pdf sfatables] policy engine that runs as part of the VICCI Aggregate Manager.  Sfatables is inspired by the ''iptables'' firewall tool, so configuring sfatables should be fairly intuitive for those familiar with iptables.

Following is a brief description of how the VICCI whitelist is configured using sfatables.  The first step is to configure sfatables to reject resource requests by default.  To accomplish this, two commands are run on the machine that hosts the VICCI Aggregate Manager:

{{{
# sfatables -A INCOMING -- -m all -- -j REJECT
# sfatables -A OUTGOING -- -m all -- -j REJECT
}}}

All resource requests that match these default rules will receive a response like this:

{{{
<?xml version="1.0"?>
<sfa-verdict>
    Your resource-allocation request has been rejected.
</sfa-verdict>
}}}

In order to allow some slices to access VICCI resources, the PI at a VICCI site emails the name of the slice to PlanetLab support, and the support team adds the slice HRN to the sfatables whitelist.  For example, suppose that the slice is ''plc.princeton.foo''.  The support team would execute the following commands at the VICCI Aggregate Manager:

{{{
# sfatables -I INCOMING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT
# sfatables -I OUTGOING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT
}}}

These rules are inserted at the front of the INCOMING and OUTGOING chains, so a resource request for the specified slice matches them first and is allowed to proceed.  Any other request falls through to the default rule and is denied.
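To make the first-match ordering above concrete, here is a small added model of the chain evaluation (illustrative code written for this page, not sfatables' own implementation): it parses the four commands shown above, returns the verdict for a slice HRN, and flags an ACCEPT rule that was appended with `-A` behind the catch-all REJECT instead of inserted with `-I ... 1`, a mistake that would silently leave the slice blocked.  What sfatables does when no rule matches is not stated on this page, so the model returns a sentinel in that case.

```python
# Added model of sfatables' first-match chain semantics as described above;
# illustrative code, not sfatables' own implementation.
import re
RULE_RE = re.compile(
    r"^#?\s*sfatables\s+-(?P<op>[AI])\s+(?P<chain>\w+)(?:\s+(?P<pos>\d+))?"
    r"\s+--\s+-m\s+(?P<match>\w+)(?:\s+--hrn=(?P<hrn>\S+))?\s+--\s+-j\s+(?P<target>\w+)$")

class Chains:
    def __init__(self):
        self.chains = {"INCOMING": [], "OUTGOING": []}  # each: list of (match, hrn, target)
    def apply(self, command):
        m = RULE_RE.match(command.strip())
        if not m:
            raise ValueError(f"unparsable sfatables command: {command!r}")
        rule, chain = (m["match"], m["hrn"], m["target"]), self.chains[m["chain"]]
        if m["op"] == "A":
            chain.append(rule)                           # -A appends at the end
        else:
            chain.insert(int(m["pos"] or 1) - 1, rule)   # -I inserts at a 1-based position
    def verdict(self, chain, hrn):
        for match, rule_hrn, target in self.chains[chain]:
            if match == "all" or (match == "slice" and rule_hrn == hrn):
                return target                            # first matching rule decides
        return "NO_RULE_MATCHED"  # not stated on the page; unreachable once the catch-all REJECT exists
    def shadowed_accepts(self, chain):
        # ACCEPT rules that sit after a catch-all REJECT can never fire.
        shadowed, seen_catch_all = [], False
        for match, rule_hrn, target in self.chains[chain]:
            if match == "all" and target == "REJECT":
                seen_catch_all = True
            elif seen_catch_all and target == "ACCEPT":
                shadowed.append(rule_hrn)
        return shadowed

PAGE_COMMANDS = [  # the four commands shown on this page
    "# sfatables -A INCOMING -- -m all -- -j REJECT",
    "# sfatables -A OUTGOING -- -m all -- -j REJECT",
    "# sfatables -I INCOMING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT",
    "# sfatables -I OUTGOING 1 -- -m slice --hrn=plc.princeton.foo -- -j ACCEPT",
]

def build_whitelist(commands=PAGE_COMMANDS):
    cfg = Chains()
    for c in commands:
        cfg.apply(c)
    return cfg

if __name__ == "__main__":
    cfg = build_whitelist()
    print(cfg.verdict("INCOMING", "plc.princeton.foo"), cfg.verdict("INCOMING", "plc.princeton.bar"))
    # Pitfall: appending the ACCEPT with -A instead of -I ... 1 leaves it shadowed by the REJECT.
    mistaken = build_whitelist(PAGE_COMMANDS[:2] + [PAGE_COMMANDS[2].replace("-I INCOMING 1", "-A INCOMING")])
    print("shadowed:", mistaken.shadowed_accepts("INCOMING"))
```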