[glue-wg] New class and attributes for GLUE 2.1/cloud extensions
Baptiste Grenier
baptiste.grenier at egi.eu
Fri Oct 13 11:46:01 EDT 2017
Hi Stephen,
Le 13/10/17 à 15:51, stephen.burke at stfc.ac.uk téléscripta :
>glue-wg [mailto:glue-wg-bounces at ogf.org] On Behalf Of Baptiste Grenier said:
>A few comments ...
>> * GLUE2CloudComputingEndpointAuthentication
>> * EndpointAuthentication_t
>> * New type
>> * Mandatory
>> * Open enumeration
>> * Default Values: X509-VOMS, OIDC ?
>> * Replacing:
>> * GLUE2EntityOtherInfo : Authn=X509-VOMS
>It's arguable that this should go into the base Endpoint definition as
>it's potentially useful for anything - although in that case it
>couldn't be mandatory as that would make all existing objects invalid.
>If it is mandatory you should probably have a NONE option or similar.
>Also is anything else needed? For the standard X509 case Endpoint has
>IssuerCA and TrustedCA, could other authn types need anything more? One
>other thing, X509-VOMS seems an odd value here since VOMS is about
>authorization (already covered by the Policy class) and not
>authentication.
OK, so for the Mandatory flag I wasn't sure about the usage in the GLUE
spec, I think this is an important information required to allow tools
such as orchestrators to understand how they could (or couldn't) use an
endpoint.
But if its not possible/acceptable with regards to existing objects
let's put it non mandatory. Or maybe can we put it as mandatory and have
some kind of default value/option set to UNKNOWN? (we tend to prefer
this to NONE as it is less ambiguous).
What is the most appropriate?
The X509-VOMS auth type is in fact something that is already published
(probably not used yet) within EGI FedCloud, but yes its mixes
authentication and authorization so having X509 and something for OIDC
seems appropriate.
>> * GLUE2CloudComputingImageDescription
>> * New type
>> * Mandatory
>> * String
>> * Replacing:
>> * GLUE2EntityOtherInfo: description:Image for TinyCoreLinux
>It seems slightly odd for a text description to be mandatory.
Image description cannot be anything else than some free text, but yes
we can certainly put it as optional, it shouldn't be a critical
information.
>> * GLUE2CloudComputingImageNetworkInput /
>> GLUE2CloudComputingImageNetworkOuput
>> * Used to represent communication ports used/required/exposed by the
>> image
>> * Custom objectClass: NetworkTraffic
>> * Optional
>> * Can be specified multiple times
>> * Replacing:
>> * GLUE2EntityOtherInfo traffic-in:XXXXX
>> * GLUE2EntityOtherInfo traffic-out:XXXXX
>This is missing a data type and a clear definition.
In GLUE2CloudComputingImage we could have associations with
GLUE2CloudComputingImageNetworkInput and
GLUE2CloudComputingImageNetworkOuput.
GLUE2CloudComputingImageNetworkOuput and
GLUE2CloudComputingImageNetworkInput would be of the class
NetworkTraffic, inheriting from Entity. Its attributes are presented
below.
We could have them multiple times as the goal is to be able to describe
the list of required/expected input and output connections.
>> * NetworkTrafficProtocol_t:
>> * Custom type
>> * Mandatory
>> * Closed enumeration
>> * Values: all, tcp, udp, cmp, ipsec
>Is that certain to be an exhaustive list?
Probably not, we can put it as an open enumeration with this list of
values.
>> * NetworkTrafficType_t:
>> * Custom type
>> * Mandatory
>> * Closed enumeration
>> * Values: inbound, outbound
>TrafficDirection rather than Type? Never bidirectional?
TrafficDirection sounds good.
I'm not sure but I think we did not add bidirectional as the goal is to
be able to know what are the ports to open in firewalls/security
groups/... for inbound and outbound connections, and it is quite common
to describe INPUT and OUTPUT separately. And as we have
GLUE2CloudComputingImageNetworkInput (type would be always inbound) and
GLUE2CloudComputingImageNetworkOuput (type would be always outbound) we
should be able to describe everything and it will probably be easier to
search with separate attributes. Does it make sense? If not what would
do you think would be a more correct way to publish this info?
>> * NetworkTrafficRange_t:
>> * Custom type
>> * Mandatory
>> * String
>> * Example (default?): 0.0.0.0/0
>AddressRange rather than just Range?
Sounds good too.
>> * NetworkTrafficPort_t:
>> * Custom type
>> * Mandatory
>> * String
>> * Example: 443
>Single valued or multivalued? Can it be a range or just a single port? If the latter why a string?
We were thinking that it could be a port (53) range (0:1024) or a list
(22,443), that's why it's a string.
Thanks!
>Stephen
Cheers,
Baptiste
--
Baptiste Grenier
EGI Foundation - Operations Officer
Phone: +31 627 860 852
Skype: baptiste.grenier.egi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1867 bytes
Desc: not available
URL: <http://www.ogf.org/pipermail/glue-wg/attachments/20171013/832b6f42/attachment.bin>
More information about the glue-wg
mailing list