[Planetlab-devel] opening up GetSliceTicket()
Justin Cappos
justincappos at gmail.com
Wed May 30 11:16:50 EDT 2007
We'd like to have the public keys that are allowed to log into a slice
available from within the slice. We don't really care if the mechanism
that provides this is a call to the node manager or just that the
authorized_keys file is linked into the slice.
Everything else we do is via the API.
Thanks,
Justin
On 5/29/07, Marc E. Fiuczynski <mef at cs.princeton.edu> wrote:
>
> We need to revisit what info is exposed via slices.xml and then figure
> out a way to expose those parts used by various services/people via the
> API. I believe the plush folks are using info in slices.xml to know
> which nodes are associated with a given slice. Not sure what else folks
> use slices.xml for.
>
> Marc
>
> Steve Muir wrote:
> > slices.xml allowed anybody to get information about any slice, but i
> > think it was generally agreed, at least at Princeton, that that
> > shouldn't be formally made part of the API (i mean that in a broader
> > sense than just the XML-RPC API) i.e., it could go away at anytime.
> > no-one ever complained about their slice info being public, but the
> > argument was that once you state that it is always publicly available
> > then you are committed to making it so, and there may be future
> > circumstances where that is not desirable. on the other hand, enough
> > services used slices.xml that it probably became a de facto part of the
> > API and so removing access to it would have been practically and/or
> > politically difficult.
> >
> > prohibiting anonymous calls to GetSliceTicket() only addresses part of the
> > question: can i still get a ticket for anybody's slice or just my own?
> > is there a reason why i should, or need to, be able to get information
> > about arbitrary slices? if you don't support it now i wouldn't add it.
> >
> >
> >
> > On Fri, 25 May 2007, David E. Eisenstat wrote:
> >
> >> On Fri, 25 May 2007, Stephen Soltesz wrote:
> >>
> >>> Hey, David,
> >>>
> >>> I have questions just for clarification.
> >>>
> >>> What distinguishes a slice that is called 'delegated' from a slice
> >>> that is called 'plc-instantiated'?
> >>
> >> PLC and NodeManager behave differently depending on a slice's
> >> instantiation. If the instantiation is 'plc-instantiated', PLC will
> >> advertise the slice only to nodes to which it has been added. If it is
> >> delegated, it will tell all nodes about the slice. NodeManager will
> >> automatically instantiate all slices with instantiation
> >> 'plc-instantiation' that PLC has told it about. It will instantiate
> >> slices with instantiation 'delegated' only when someone calls Create()
> >> for it.
> >>
> >> The reason all nodes find out about a delegated slice is that the new
> >> NodeManager must have an indication from PLC that PLC knows about the
> >> slice before it will instantiate.
> >>
> >>> You say that a ticket doesn't 'allow the bearer to do anything they
> >>> couldn't otherwise do.' I understand this as: in both cases there is
> >>> an existing mechanism for instantiating the slice regardless of how the
> >>> slice info gets to NM.
> >>
> >> Right, and the ticket grants no rights to control the mechanism,
> >> except possibly advancing when it acts by up to 15 minutes (or
> >> whatever the polling interval is).
> >>
> >>> If there is more to delegation than this, I want to find out more. If
> >>> this is the essential distinction, then 'delegated' or 'PLC
> >>> instantiated' is just another slice attribute, right? Is it treated
> >>> differently than this today?
> >>
> >> Instantiation is actually part of the slice table proper, but yes,
> >> what I've said above is the extent of what this attribute controls.
> >> Delegation in PlanetLab also covers performing PLC/NodeManager API
> >> calls on someone else's behalf, which is not the subject of this
> >> thread.
> >>
> >>> Does anyone with history have insight into whether anyone complained
> >>> about slices.xml (public slice info)?
> >>
> >> Killing slices.xml was Mark Huang's idea as much as anyone else's, and
> >> I got the impression that his motivation was to have all access to PLC
> >> go through the API, rather than a particular security incident/concern.
> >>
> >> In any case, Larry vetoed anonymous GetSliceTicket() calls, so this is
> >> perhaps a moot point.
> >>
> >> -David
> >>
> >> _______________________________________________
> >> Devel mailing list
> >> Devel at lists.planet-lab.org
> >> https://lists.planet-lab.org/mailman/listinfo/devel
> >>
> >