OSCARS Architecture Overview April 2012
description
Transcript of OSCARS Architecture Overview April 2012
![Page 1: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/1.jpg)
Supporting Advanced Scientific Computing Research • Basic Energy Sciences • Biological and Environmental Research • Fusion Energy
Sciences • High Energy Physics • Nuclear Physics
OSCARS Architecture Overview
April 2012
ESnet OSCARS Development TeamEnergy Sciences Network (ESnet)
Lawrence Berkeley National Laboratory
![Page 2: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/2.jpg)
OSCARS 0.6 Design / Implementation Goals
• Support production deployment of service, and facilitate research collaborations• Distinct functions in stand-alone modules
• Supports distributed model• Facilitates module redundancy
• Formalize (internal) interface between modules• Facilitates module plug-ins from collaborative work (e.g. PCE)• Customization of modules based on deployment needs (e.g.
AuthN, AuthZ, PSS)• Standardize external API messages and control access
• Facilitates inter-operability with other dynamic VC services (e.g. Nortel DRAC, GÉANT AuthBAHN)
• Supports backward compatibility of IDC protocol
![Page 3: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/3.jpg)
OSCARS 0.6 Architecture
Notification Bridge• Forward Notifications
AuthN• Authentication
Resource Manager• Manage Reservations
• Auditing
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Path Setup• Network Element
Interface
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
3
![Page 4: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/4.jpg)
OSCARS 0.6Module APIs
![Page 5: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/5.jpg)
Notification Broker Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Resource Manager• Manage Reservations
• Auditing
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Path Setup• Network Element
Interface
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
5
![Page 6: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/6.jpg)
External API (Notification Broker)
• Push interface for event notification • Contacts external notification services:
– Sends emails to user or administrators– Sends messages to “wsnbroker”, a component that
implements WS-Notification and allows people to subscribe to topics of events.
![Page 7: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/7.jpg)
Internal API (Notification Broker)
• Coordinator sends notify messages as events occur• Notify messages NOT used between OSCARS
modules
![Page 8: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/8.jpg)
Lookup Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
8
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 9: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/9.jpg)
Internal API (Lookup)
• Find location of services (i.e. IDC services) that control a particular domain
• Register location of externally facing services
![Page 10: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/10.jpg)
Topology Bridge Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
10
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 11: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/11.jpg)
Overview (Topology Bridge)
• An abstraction of topology storage • API is trivial: getTopology()• Two implementations:
– “bridge” to PerfSONAR topology server– Local storage at a static file
![Page 12: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/12.jpg)
AuthN Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Path Setup• Network Element
Interface
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Resource Manager• Manage Reservations
• Auditing
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
12
![Page 13: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/13.jpg)
Overview (AuthN)
• AuthNService takes a validated identity token and returns attributes for the users
• Modeled on a Shibboleth or VOMS IDP and returns attributes of the identity (could be easily replaced by a shim to other IDPs)
• ID token is either– x.509 DistinguishedName (DN)– Previously registered login name and password
• AuthNPolicy* manages user and institution tables
*Resides in AuthN module but run as a separate service
![Page 14: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/14.jpg)
Internal API (AuthN)
• VerifyDN is called by the IDC API (v0.5 and 0.6), and passes the user attributes* to all its calls in the Coordinator
• VerifyLogin is called by the WBUI, and passes on the user attributes* to all its calls to other modules
*User attributes are SAML 2 AttributeTypes which contain a name and a value. The login name of the user and his/her institution are always included in the attribute list
![Page 15: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/15.jpg)
AuthZ Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Path Setup• Network Element
Interface
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Resource Manager• Manage Reservations
• Auditing
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
15
![Page 16: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/16.jpg)
Overview (AuthZ)
• AuthZ takes a list of user attributes, a resource and a requested action and returns an AuthorizationDecision which may be DENIED, ALLUSERS, SELFONLY, SITEONLY and a list of Auth Conditions consisting of name, values pairs
• AuthConditons– permittedLoginId/loginName,– permittedDomains/.institutionName,– internatlHopsAllowed/true
• AuthZPolicy manages permissions, actions and attributes
![Page 17: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/17.jpg)
Internal API (AuthZ)
• CheckAccess is called by the Coordinator, which will reject a request if permission is DENIED or will pass the AuthCondition on to calls to the Resource Manager which will base its decision on the specific reservation that is being accessed
• Setup and teardown calls to the PSS it checks verifies the owner or site of the reservation if there is a permitttedLogin or permittedDomains condition
• Calls to the PCEs are permitted as regardless of any AuthConditions
• MutliCheckAccess is called by the WBUI in order to know what functions to make available to a user
![Page 18: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/18.jpg)
Coordinator Module API
Notification Bridge Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
18
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 19: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/19.jpg)
Coordinator API (Coordinator)
• Provided to modules such as the API, WebUI, and PSS
• SOAP based, Java bindings provided• Matches the IDC API: same datatypes, without
security with a list of user attributes• Does not implement protocol adaptation: this is an
internal, intra-domain API• Last but not least: implements the coordination of
the IDC protocol
![Page 20: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/20.jpg)
IDC Protocol Coordination API (Coordinator)
• Create Reservations (provides end points, Virtual Circuit requested constraints)
• Modify/Delete Reservations• Query/Monitor Reservations• Handles request from both clients and inter-domain
messages• Issues messages to other domains via the API
module
![Page 21: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/21.jpg)
Intra-Domain API (Coordinator)
• Provided to modules such as the PSS and Resource Manager
• Implements service level tasks such as path setup, teardown.
• Each request, IDC protocol, or service level task consist of coordinated exchange of messages to other modules.
![Page 22: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/22.jpg)
PCE Module API
Notification Bridge Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
22
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 23: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/23.jpg)
Semi-Public PCE API (PCE)
• Provided to the modules implementing intra-domain path computation
• SOAP based, Java bindings provided• Implements the tree of PCE’s used to resolve a
path.• Implements flow of messages between PCE’s in an
enforced asynchronous model• Translate path into topologies and vice-versa• Implemented within the Coordinator for performance
reason, but could be separated• Provides hook for co-scheduling
![Page 24: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/24.jpg)
Fine Grain API (PCE)
• PCE stands for Topology Computation Element and for the sake of consistency, a topology is called “a path”
• Allows for roles in the overall topology computation and resource reservation. Currently support Path Aggregation and Path Computation
• Compute paths with constraints and temporary reserve intra-domain resources for them
• Reserve intra-domain resources for scheduled paths• Modify/Delete resources for existing reserved paths
![Page 25: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/25.jpg)
Packaged API (PCE)
• Standalone library is provided for independent PCE developer
• Java packaging is provided in the form of a JAR file containing all classes and packages that are required to run a PCE module (Python and Perl bindings are possible)
• Packaged IDC simulator used for testing PCE development, or experiment offline on topologies
![Page 26: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/26.jpg)
Resource Manager Module API
Notification Bridge Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
26
Path Setup• Network Element
Interface
Resource Manager• Manage Reservations
• Auditing
![Page 27: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/27.jpg)
Internal API (Resource Manager)
• Provided to modules such as Coordinator and PCE• SOAP based, Java bindings provided• Implements the persistent, source of truth for the
state and set of intra-domain resources for all reservation (GRI)
• Authorization Final Authority• Transparently uses backend database (mySQL)• Contains scheduler that detects circuit
setup/teardown time and notifies PSS via the coordinator
![Page 28: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/28.jpg)
Resource API (Resource Manager)
• Store/Load/Modify domain, user, path resources used by other modules.
• Synchronous API: resources are modified or committed upon completion of the call.
• Create GRI resources• Query the database for resources
![Page 29: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/29.jpg)
Path Setup Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
29
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 30: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/30.jpg)
Overview (Path Setup)
• Talks to network devices• Is called by the Coordinator on demand – does not
have an internal schedule• Fully asynchronous - when a task is done, PSS
notifies Coordinator with a callback.
![Page 31: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/31.jpg)
API (Path Setup)
• Operations supported:– setup, teardown, status, modify
• All calls have as argument a complete OSCARS reservation object.
• Possibility for standardization here!
![Page 32: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/32.jpg)
Framework (Path Setup)
• An ad-hoc internal Java API and workflow engine for PSS “agents”
• Different agent interfaces for different tasks (i.e. SetupAgent, StatusAgent etc)
• A WorkflowAgent receives tasks from Coordinator, then choreographs the other agents according to desired logic
• Sample implementation: FifoWF
![Page 33: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/33.jpg)
IDC API Module API
Notification Bridge• Forward Notifications
AuthN• Authentication
Coordinator• Workflow
Coordinator
PCE• Constrained Path
Computations
Topology Bridge• Topology Information
Management
IDC API• Manages External
WS Communications
Lookup• Lookup service
AuthZ*• Authorization
• Costing
*Distinct Data and Control Plane Functions
Web Browser User Interface
33
Resource Manager• Manage Reservations
• Auditing
Path Setup• Network Element
Interface
![Page 34: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/34.jpg)
Overview (IDC API)
• Implements the public IDC API:– Provides SOAP-XML API to client application– Provides API to other domains– Provides hooks for the IDC built-in Web UI– Provides IDC protocol backward compatibility
NB: 0.6 protocol and API is changed from 0.5
![Page 35: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/35.jpg)
Client API (IDC API)
• Authenticate user/query (see AuthN module)• Create Reservations (provides end points, Virtual
Circuit requested constraints)• Modify/Delete Reservations• Query/Monitor Reservations
![Page 36: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/36.jpg)
Public IDC API (IDC API)
• SOAP based, Java binding provided• Provided to other IDC (other domains), security
model defined by AuthN and AuthZ• Compute intra-domain path within a defined set of
constraints and topology• Reserve and schedule intra-domain resources• Manage (setup/teardown) intra-domain resources• Event Management (intra-domain state change,
intra-domain faults)
![Page 37: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/37.jpg)
Private API (IDC API)
• Provided to the modules making up the IDC, such as the Coordinator, WBUI, Notification Broker
• SOAP based, Java bindings provided• Implements inter-domain messaging, inter-domain
security model• Provides inter-domain protocol adaptation
(backward compatibility, protocol translation)• Currently limited to the local server: no security
model
![Page 38: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/38.jpg)
OSCARS 0.6Code and Directory Structure
![Page 39: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/39.jpg)
Overview
• Maven, Eclipse, Subversion • Latest code at 0.6 branch• Root project (“OSCARS”) has
– main pom.xml– some documentation– directories, one per maven module
![Page 40: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/40.jpg)
Module Overview
• Commons: common-xxx, database, utils• PCE: pce, xxxPCE, coordinator (*)• PSS: pss, xxxPSS• Auth: AuthN/Z, AuthN/ZStub• Web UI: wbui, oscars-war• Other: api, RM, lookup, topoBridge
![Page 41: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/41.jpg)
Directory Structure
• Generally follow Maven paradigm• $OSCARS_HOME is deployed directory• $OSCARS_DIST is development dir
• bin/exportconfig will deploy config, other files• $module/config holds config files
![Page 42: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/42.jpg)
OSCARS_HOME
• Where certs, config files, etc will be during production
• One directory per module / category • Plus misc stuff (wsdls, logs)
• By default will not get overwritten during exportconfig
![Page 43: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/43.jpg)
Java Code
• Root package is net.es.oscars• One package per module category:
– net.es.oscars.pss
• WSDL2Java generated packages in common-soap– net.es.oscars.XXX.gen
![Page 44: OSCARS Architecture Overview April 2012](https://reader036.fdocuments.in/reader036/viewer/2022081511/56816452550346895dd61e09/html5/thumbnails/44.jpg)
Dependencies
• Generally kept to a minimum, managed with Maven
• Pretty much all modules depend on utils• Most are either SOAP servers or clients, so
they get common-soap• Implementation modules (“stubPSS”)
generally depend on the category libraries (“pss”)