Contents of /trunk/grid-mw-security/ees/thesis/nextgen.tex

Revision 787 - Tue Sep 15 13:30:48 2009 UTC by aramv
File MIME type: text/x-latex
File size: 5548 byte(s)
Latest thesis updates
\chapter{The EES Execution Framework}
\section{Motivation}
%Because the LCAS, LCMAPS and SCAS services share some overlap in business logic

\section{Improvements}
The \textit{EES Execution Framework} (EEF) fits into Argus, which aims to improve interoperability between Grid services.

The EEF is implemented as a complete rewrite, while trying to remain (mostly) backward-compatible with existing plug-ins.
It aims to be completely backward-compatible with existing deployment schemes (provided the required plug-ins are updated accordingly).

\section{Architecture of the EES Execution Framework}
% TODO
% The EEF is agnostic, a dumb thing. That is what makes it suitable to be made pluggable.
The EEF is designed to be an abstract shared object that enables LCAS/LCMAPS-like functionality.%, meaning it's largely compatible with LCAS/LCMAPS plugins.
It is completely agnostic about SCAS-like business logic, relying on plug-ins to provide its inputs, translations and output.

\subsection{Components of the EEF}
\begin{itemize}
\item \textit{Attribute and Obligation Store} (AOS)
  \begin{itemize}
  \item The \textit{Attribute and Obligation Store} is used to store and exchange data between plug-ins.
  \end{itemize}
\item \textit{Plug-in Manager} (PM)
  \begin{itemize}
  \item The Plug-in Manager maintains the list of plug-ins and is able to execute them consecutively.
  It has a function to add a single plug-in to the list (which is called by the Evaluation Manager) and a function that runs the loaded plug-ins in order.
  \end{itemize}
\item \textit{Evaluation Manager} (EM)
  \begin{itemize}
  \item The \textit{Evaluation Manager} parses the user account mapping configuration file and loads the specified plug-ins.
  Once the plug-ins are successfully loaded, plug-in chains are created as described in the configuration file.
  These chains hold the different acquisition, transformation and enforcement plug-ins needed to translate efficiently between credentials and user mappings.
  \end{itemize}
\end{itemize}
\begin{figure}[hp]
\centering
\includegraphics[width=\textwidth]{ees_class_diagram}
\caption[Pseudo-class diagram of the EES execution framework]%
{Pseudo-class diagram of the EES Execution Framework, which shows the different files associated with the different roles in the design.}
\end{figure}

\subsection{Life-cycle of an EEF run}
\begin{itemize}
\item The EEF is invoked with a string containing a path to the LCMAPS policy description file and a logging configuration.
\item To enable plug-ins to exchange information while being executed consecutively, the AOS is initialized by the EEF.
\item The EEF then invokes the Evaluation Manager to parse the supplied policy file; the parser performs error-checking to assert that the policy file has parseable syntax and will not create recursions.
\item If all is well, the Evaluation Manager loads and initializes the specified plug-ins by making calls to the Plug-in Manager.
\item If all the plug-ins have been successfully loaded, they are ready to be executed by a call from the EEF.
\end{itemize}

\pagebreak
\begin{figure}[hp]
\centering
\includegraphics[width=\textwidth]{ees_sequence_diagram}
\caption[Sequence diagram of the EES execution framework]%
{Sequence diagram of the EES execution framework, which shows the different pseudo-classes interacting.}
\end{figure}

\subsection{API choices}
% In NG the init, run and term methods are named differently; they are more general.
% The idea is the same, yet completely different.
% Convenient to have simple init functions
% Convenient to have simple run functions
% Through init, let the plug-ins
% A run has become more general. Previously we could tell the use cases from the number of run functions we had.
The initialization, invocation and termination of the EEF are entirely the same as for its predecessors.
The only changes visible to third-party developers are the addition of the AOS and the omission of the requirement to implement a plug-in\_introspect() function.
\subsection{Attribute \& Obligation Store}
In designing the API for the AOS we have chosen to expose a series of getter/setter functions.
A single setter function is used to store data into the AOS.
Next to the actual data, this function accepts an argument that identifies the type of the data, a size argument and a label that identifies the data.
Data can be retrieved from the AOS by its label through getter functions, which return type-cast results. In this way a crude mechanism for dynamic typing has been implemented.
Ownership of the stored data is based on the address of the calling plug-in: plug-ins cannot overwrite or delete each other's data.
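The ownership and typing rules described above, as an added illustration in C that is neither the thesis author's code nor part of the EES code base. The names \texttt{aos\_set}, \texttt{aos\_get\_int}, \texttt{aos\_get\_string} and \texttt{aos\_delete}, the type tags, and the use of a plug-in descriptor's address as the owner identity are assumptions made for this example; the two plug-ins and their values are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical AOS interface; the names are assumptions, not the EES API. */
typedef enum { AOS_INT, AOS_STRING } aos_type_t;

typedef struct aos_entry {
    char label[32];
    aos_type_t type;
    size_t size;
    void *data;
    const void *owner;           /* address identifying the storing plug-in */
    struct aos_entry *next;
} aos_entry_t;

static aos_entry_t *aos_head = NULL;

static aos_entry_t *aos_find(const char *label)
{
    for (aos_entry_t *e = aos_head; e != NULL; e = e->next)
        if (strcmp(e->label, label) == 0)
            return e;
    return NULL;
}

/* The single setter: stores a typed, labelled copy of the data. An existing
 * label may only be overwritten by the plug-in that created it. 0 on success. */
int aos_set(const void *owner, const char *label, aos_type_t type,
            const void *data, size_t size)
{
    void *copy = malloc(size);
    if (copy == NULL) return -1;
    memcpy(copy, data, size);

    aos_entry_t *e = aos_find(label);
    if (e != NULL) {
        if (e->owner != owner) { free(copy); return -1; }   /* foreign entry */
        free(e->data);
    } else {
        e = calloc(1, sizeof *e);
        if (e == NULL) { free(copy); return -1; }
        snprintf(e->label, sizeof e->label, "%s", label);
        e->owner = owner;
        e->next = aos_head;
        aos_head = e;
    }
    e->type = type;
    e->size = size;
    e->data = copy;
    return 0;
}

/* Deletion is restricted to the owner in the same way. */
int aos_delete(const void *owner, const char *label)
{
    for (aos_entry_t **pp = &aos_head; *pp != NULL; pp = &(*pp)->next) {
        if (strcmp((*pp)->label, label) == 0) {
            aos_entry_t *e = *pp;
            if (e->owner != owner) return -1;
            *pp = e->next;
            free(e->data);
            free(e);
            return 0;
        }
    }
    return -1;
}

/* Typed getters: the stored type tag is checked before the cast, so a
 * plug-in asking for the wrong type gets a failure rather than garbage. */
const char *aos_get_string(const char *label)
{
    aos_entry_t *e = aos_find(label);
    return (e != NULL && e->type == AOS_STRING) ? (const char *)e->data : NULL;
}

int aos_get_int(const char *label, int *out)
{
    aos_entry_t *e = aos_find(label);
    if (e == NULL || e->type != AOS_INT || e->size != sizeof *out) return -1;
    memcpy(out, e->data, sizeof *out);
    return 0;
}

/* Two constructed plug-ins; the address of each descriptor is its identity. */
typedef struct { const char *name; } plugin_t;
static const plugin_t acquisition = { "acquisition_plugin" };
static const plugin_t enforcement = { "enforcement_plugin" };

/* Drives a typical exchange and returns 0 if the rules hold: the enforcement
 * plug-in can read the uid set by the acquisition plug-in but can neither
 * overwrite nor delete it, and a wrong-typed read fails cleanly. */
int aos_scenario(void)
{
    int uid = 40001, seen = 0;
    if (aos_set(&acquisition, "uid", AOS_INT, &uid, sizeof uid) != 0) return 1;
    if (aos_set(&acquisition, "pool_account", AOS_STRING, "pool001", 8) != 0) return 2;
    if (aos_get_int("uid", &seen) != 0 || seen != 40001) return 3;
    uid = 0;
    if (aos_set(&enforcement, "uid", AOS_INT, &uid, sizeof uid) == 0) return 4;
    if (aos_delete(&enforcement, "uid") == 0) return 5;
    if (aos_get_string("uid") != NULL) return 6;
    if (aos_get_int("uid", &seen) != 0 || seen != 40001) return 7;
    if (aos_set(&enforcement, "target_gid", AOS_INT, &uid, sizeof uid) != 0) return 8;
    return 0;
}

int main(void)
{
    int rc = aos_scenario();
    printf("AOS scenario %s (code %d)\n", rc == 0 ? "passed" : "failed", rc);
    return rc;
}
```

Two design points are worth noting. The getters verify the stored type tag and, for integers, the stored size before casting, which is what keeps the "crude dynamic typing" from turning a mislabelled entry into a misread buffer. The ownership check is keyed on the address the caller passes in, so it guards cooperating plug-ins against clobbering each other's entries; it is not a boundary against a plug-in that is itself hostile, since all plug-ins share the process.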
\subsection{Plug-in Manager}
It is not exposed outside the EEF.
\subsection{Evaluation Manager}
It is not exposed outside the EEF.
\subsection{Tools}
\section{APIs}
\subsection{Framework/Front-end}
\subsection{Plug-ins}
Plug-ins for the EEF should implement the following functions:
\begin{itemize}
\item plug-in\_initialize()
\item plug-in\_run()
\item plug-in\_terminate()
\end{itemize}
This is the same API as LCAS/LCMAPS, with the omission of the plug-in\_introspect() function.
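The three plug-in entry points listed above, driven through the run life-cycle from the earlier subsection (the Plug-in Manager adding plug-ins one at a time, initializing them, running them in order and terminating them), as an added example in C that is not the thesis author's code nor the EES implementation. The \texttt{plugin\_manager\_t} type, the \texttt{pm\_*} functions, the zero-for-success return convention and the two constructed plug-ins are assumptions for this example; it also shows the failure mode the text does not spell out, namely that a failing \texttt{run} stops the chain so that later plug-ins (such as enforcement) never run on an incomplete mapping, while every initialized plug-in is still terminated.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical EEF plug-in interface mirroring the three entry points named in
 * the text. Each returns 0 on success (an assumption made for this example). */
typedef int (*plugin_fn)(void);

typedef struct {
    const char *name;
    plugin_fn initialize;
    plugin_fn run;
    plugin_fn terminate;
    int initialized;
} eef_plugin_t;

#define PM_MAX_PLUGINS 8

typedef struct {
    eef_plugin_t plugins[PM_MAX_PLUGINS];
    int count;
} plugin_manager_t;

void pm_terminate_all(plugin_manager_t *pm);

/* Called by the Evaluation Manager for each plug-in named in the policy file.
 * A plug-in that does not provide the complete API is refused up front. */
int pm_add_plugin(plugin_manager_t *pm, const char *name,
                  plugin_fn init, plugin_fn run, plugin_fn term)
{
    if (pm->count >= PM_MAX_PLUGINS || init == NULL || run == NULL || term == NULL)
        return -1;
    eef_plugin_t *p = &pm->plugins[pm->count++];
    p->name = name;
    p->initialize = init;
    p->run = run;
    p->terminate = term;
    p->initialized = 0;
    return 0;
}

/* Initialize in load order; if one fails, unwind the ones already set up. */
int pm_initialize_all(plugin_manager_t *pm)
{
    for (int i = 0; i < pm->count; i++) {
        if (pm->plugins[i].initialize() != 0) {
            pm_terminate_all(pm);
            return -1;
        }
        pm->plugins[i].initialized = 1;
    }
    return 0;
}

/* Run the loaded plug-ins consecutively. The chain stops at the first failure
 * and the 1-based index of the failing plug-in is returned; 0 means success. */
int pm_run_all(plugin_manager_t *pm)
{
    for (int i = 0; i < pm->count; i++)
        if (pm->plugins[i].run() != 0)
            return i + 1;
    return 0;
}

/* Terminate in reverse order, only the plug-ins that were initialized. */
void pm_terminate_all(plugin_manager_t *pm)
{
    for (int i = pm->count - 1; i >= 0; i--) {
        if (pm->plugins[i].initialized) {
            pm->plugins[i].terminate();
            pm->plugins[i].initialized = 0;
        }
    }
}

/* Two constructed plug-ins that record the order in which they are called. */
static char trace[128];
static int fail_acquisition = 0;
static void note(const char *s) { strncat(trace, s, sizeof trace - strlen(trace) - 1); }
static int acq_init(void) { note("acq:init "); return 0; }
static int acq_run(void)  { note("acq:run ");  return fail_acquisition ? -1 : 0; }
static int acq_term(void) { note("acq:term "); return 0; }
static int enf_init(void) { note("enf:init "); return 0; }
static int enf_run(void)  { note("enf:run ");  return 0; }
static int enf_term(void) { note("enf:term "); return 0; }

/* Builds an acquisition->enforcement chain and drives it through the
 * life-cycle; returns the result of pm_run_all (or a negative setup error). */
int eef_run_chain(int make_acquisition_fail)
{
    plugin_manager_t pm = { .count = 0 };
    trace[0] = '\0';
    fail_acquisition = make_acquisition_fail;
    if (pm_add_plugin(&pm, "acquisition", acq_init, acq_run, acq_term) != 0) return -2;
    if (pm_add_plugin(&pm, "enforcement", enf_init, enf_run, enf_term) != 0) return -2;
    if (pm_initialize_all(&pm) != 0) return -3;
    int rc = pm_run_all(&pm);
    pm_terminate_all(&pm);
    return rc;
}

const char *eef_last_trace(void) { return trace; }

int main(void)
{
    int rc = eef_run_chain(1);
    printf("chain rc=%d trace: %s\n", rc, eef_last_trace());
    return 0;
}
```

The stop-on-first-failure behaviour is the property a deployer should look for: a mapping chain in which enforcement still runs after acquisition failed would act on whatever stale or empty data is left in the store.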
\section{Plug-ins}
% The same model as in LCAS/LCMAPS, for backwards compatibility.
\subsection{Acquisition}
Acquisition plug-ins acquire user credentials.
% Translate credentials
Possible formats:

\begin{itemize}
\item personal X.509 certificate
\item VOMS attribute certificate
\item XACML request
\item SAML statements
\end{itemize}

\subsection{...}
\subsection{Enforcement}
Enforcement plug-ins enforce the user credentials onto the target system.
\begin{itemize}
\item LDAP
\item UNIX pool accounts
% LRMS, batch-system specific tokens, special group account (golden account), VMs
\end{itemize}

