Hewlett-Packard Confidential Client Utility Tutorial.

Date post: 18-Jan-2018
Upload: gervais-freeman
Transcript
Page 1: Hewlett-Packard Confidential Client Utility Tutorial.

Hewlett-Packard Confidential

Client Utility Tutorial

Page 2:

(Diagram labels: Operating System; Kernel; Physical Resources, e.g., CPU time slice, disk; Applications)

NT/Unix - “OS for Devices”

Page 3:

(Diagram labels: Operating System; Core; CUSP; Information and Services Resources (sub-services), e.g., location, brokering, provisioning, monitoring, security, billing, management; Services; Kernel; Physical Resources, e.g., CPU time slice, disk; Applications)

CUSP - “OS for the Internet”

Page 4:

Standard Resource Model

(Diagram labels: Legacy Resource Abstraction; Basic Services: Interrupt Handling, Scheduling, Memory Management, Timer Services; Legacy OS; Resource Access (eg: NTFS))

Page 5:

Client Utility Resource Model

(Diagram labels: Attribute Descriptions; Naming; Permissions; Interfaces; Communication; Virtual Resource Abstraction; Attribute Vocabularies; Authorization; Transports; Repositories; Basic Services; Legacy Resource Abstraction; Basic Services: Interrupt Handling, Scheduling, Memory Management, Timer Services; Legacy OS; Utility System; Resource Access (eg: NTFS); LDAP; DCOM/CORBA; Java Platform; HTTP)

Page 6:

System Structure

• Collection of Logical Machines
• Logical Machine
  • Active entity - Core
  • Passive entity - Repository
• Mailbox metaphor for requests to Core

Page 7:

Fundamentals

• Every resource registered with Core
• Tasks access resources by name
• Core associates name with resource metadata
• Each task has an outbox connected to the Core
  – Outgoing message has envelope and payload
• Each task has zero or more inboxes
  – Incoming message has envelope and payload

Page 8:

A First Request

(Diagram labels: Core; Router; App API; Repository)

Page 9:

Open a File

• Construct outbox envelope and append payload
  – Name field - (/mydoc.txt)
  – Payload - (open rw /mydoc.txt)
• Look up /mydoc.txt
• Finds resource description in repository
• Forwards to designated resource proxy

Name: /mydoc.txt
Payload: open rw /mydoc.txt

Page 10:

Problem

How can a resource owner control access without needing to authenticate a large number of potential users?

How can a task describe the access rights it wants to use for a particular request?

Use keys to unlock permissions

Page 11:

Extracting Access Rights

(Diagram labels: Core; Permission; Router; App API; Repository)

Page 12:

Setting Up Permissions

• Inserted by resource owner
• Recorded with resource metadata in repository
• (Lock,Permission) pair
• Permission forwarded if lock opened

Page 13:

Request with Access Rights

• Outbox envelope includes collection of keys
  – Key rings - (mykeys)
  – Name field - (/mydoc.txt)
  – Payload - (open rw /mydoc.txt)
• Inbox envelope gets permissions
  – Name: /mydoc.txt
  – Permissions: read,write
  – Payload: open rw /mydoc.txt

Page 14:

Problem

How can a task find its “stuff” no matter where it runs?

Virtualize names
All names are personal to task
Core identifies actual resource being referenced

Page 15:

Name Virtualization

(Diagram labels: Core; Naming; Permission; Router; App API; Repository; Name Space; Name Space)

Page 16:

Name Virtualization

• Construct outbox envelope
  – Name field - (/boss_is_dumb)
  – Label - (/boss_is_smart)
  – Payload - (open rw /boss_is_smart)
• Name manager looks up name in Name Space
• Finds resource description in repository
• Forwards to resource proxy

Name: X928
Label: /boss_is_smart
Permissions: read,write
Payload: open rw /boss_is_smart

Page 17:

Problem

How does the resource proxy know what resource is being accessed if there is no common name?

The resource metadata has a field for resource specific data

Page 18:

Resource Identification

• Construct outbox envelope
  – Name field - (/resume.txt)
  – Label - (/doc.txt)
  – Payload - (open rw /doc.txt)
• Name manager looks up /resume.txt in repository
• Forwards to resource proxy

Name: G3965
Label: /doc.txt
Resource data: /u/karp/report.txt,read,write
Payload: open rw /doc.txt

Page 19:

Problem

How can one task put a name into another task’s name space while avoiding accidental name conflicts?

Give name spaces structure

Page 20:

Typical Name Space Structure

(Diagram labels: MyDefaultFrame; InboxFrame; FrameA; FrameB)

MyNameSpace=(MyDefaultFrame,InboxFrame,FrameA,FrameB)

Page 21:

Name Space Structure

• Name space an ordered list of frames
• Frames hold collections of name associations
• Core looks for names in designated order
• Unique frame for each mailbox
• Delivery associates names in inbox frame
• Receiver can rename or move entries
• Name spaces and frames are resources

Page 22:

Problem

How can two or more tasks share a set of names?

Each has a name for the same frame

Page 23:

Sharing Names

Page 24:

Problem

How can the core begin the name look-up procedure?

Use default frame as anchor

Page 25:

Name Look-up Procedure

• Outbox has associated frame
• Look for default name space
• Use mandatory key ring
• Find name mapping for name space
• Find name mapping for key rings
• Step through frames looking for names

Page 26:

Problem

How can an administrator know what’s going on?

Record resource access requests

Page 27:

Structure of the CU Core

(Diagram labels: Core; Monitor; Naming; Permission; Router; App API; Repository; Name Space; Name Space; Monitor Data Base)

Page 28:

Monitor

• Monitor records all requests
• Database is a resource like any other
• Requests to database specify keys
• Monitoring task has a different set of keys
• Management task has keys to change repository entries

Page 29:

Problem

How can a task add name bindings to its protection domain?

Describe resource

Page 30:

Resource Look-up

• Attribute-based look-up
  get {DOC=“CU Architecture”,VER=3.8}, bind to /cuarch.doc in frame CUArch
• Search repository for matches
• Use designated arbitration if many found
• Error return if no matches

Page 31:

Problem

What can be done if no attribute grammar can describe a new kind of resource?

Make grammar a resource that can be specified with the attributes

Page 32:

Attribute Grammars

• Define a new grammar and register it with Core
• Built up out of Core supplied components
  – Data types: integer, string, etc.
  – Comparisons: equal, greater than, longer, etc.
  – Logic: AND, OR
  – Other: valid names, required, bounds
• Name grammar in a resource description or as part of a look-up request

Page 33:

Attribute Grammar

(Diagram labels: Grammar Toolkit; ShoeSizeGrammar)

Size=int, > 6, <12

Width=char,From(A,B,C,D,E)

Page 34:

Grammar Matching Rules

• Each grammar has matching rules for each field
• Can match fields in other grammars
• Service can translate between grammars
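
The attribute-based look-up and the ShoeSizeGrammar from the preceding slides, sketched as an added example (not code from the original deck or from the Client Utility itself). The component names, exact-equality matching, the `min` default arbitration and the repository entries are assumptions made for illustration.

```python
# Core-supplied comparison components (hypothetical names for this sketch).
def greater_than(n):
    return lambda v: v > n

def less_than(n):
    return lambda v: v < n

def one_of(*values):
    return lambda v: v in values

# The slide's grammar: Size=int, > 6, <12 and Width=char,From(A,B,C,D,E).
SHOE_SIZE_GRAMMAR = {
    "Size": (int, [greater_than(6), less_than(12)]),
    "Width": (str, [one_of("A", "B", "C", "D", "E")]),
}

def conforms(grammar, attrs):
    """True when attrs uses only valid names and each value obeys its rules."""
    for name, value in attrs.items():
        if name not in grammar:
            return False
        typ, rules = grammar[name]
        if type(value) is not typ or not all(rule(value) for rule in rules):
            return False
    return True

def register(repository, grammar, handle, attrs):
    """Record a resource description; reject one the grammar cannot describe."""
    if not conforms(grammar, attrs):
        raise ValueError(f"description for handle {handle} violates the grammar")
    repository[handle] = dict(attrs)

def look_up(repository, grammar, query, arbitrate=min):
    """Return one matching handle, using arbitration when several match."""
    if not conforms(grammar, query):
        raise ValueError("query violates the grammar")
    matches = [handle for handle, attrs in repository.items()
               if all(attrs.get(k) == v for k, v in query.items())]
    if not matches:
        raise LookupError("no matching resource")    # "Error return"
    return arbitrate(matches)

# Constructed repository contents.
REPOSITORY = {}
register(REPOSITORY, SHOE_SIZE_GRAMMAR, 101, {"Size": 9, "Width": "C"})
register(REPOSITORY, SHOE_SIZE_GRAMMAR, 102, {"Size": 9, "Width": "D"})
register(REPOSITORY, SHOE_SIZE_GRAMMAR, 103, {"Size": 8, "Width": "E"})

if __name__ == "__main__":
    print(look_up(REPOSITORY, SHOE_SIZE_GRAMMAR, {"Size": 9}))
    print(look_up(REPOSITORY, SHOE_SIZE_GRAMMAR, {"Size": 9, "Width": "D"}))
```

Validating the query against the grammar before searching means a malformed or out-of-bounds request is rejected without touching any resource description.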

Page 35:

Problem

How do machines share resources?

Connect with DRIP

Page 36:

Distributed Resource Interchange Protocol

• Agree on a connection mode (TCP, IR)
• Agree on a DRIP version
• Mutually authenticate
• Derive session key (optional)
• Set up proxy for other machine
• Exchange resource descriptions
• Register in each Core repository with proxy as handler

Page 37:

Connecting Two Machines

Page 38:

Problem

How does a task use a resource from another machine?

The same way it uses any other resource

Page 39:

Using a Remote Resource

(Diagram labels: Request; Reply)

Page 40:

Using a resource from another machine

• Get a name association (transfer or look-up)
• Specify name in outbox envelope
• Core forwards to proxy as handler
• Proxy forwards request over the wire
• Proxy on owning side names resource in its outbox envelope
• Its Core routes request to handler
• Reply sent back along same path

Page 41:

Problem

How can an application limit what it might find?

How can the application speed up searches?

Use views into the repository

Page 42:

Specifying a Look-Up

(Diagram labels: My Stuff; His Stuff; Her Stuff; Default)

Page 43:

Repository Views

• Any task can create a repository view
  – View for “MyStuff”
  – Proxy uses view for imported resources
• Registered resources can be added
• Name association for repository view can be given out
• Look-up names an ordered list of repository views
• Default view contains all resources

Page 44:

Problem

Must resource descriptions be pushed or can they be pulled?

Repository view may specify an extended look-up handler

Page 45:

Extending a Look-up

(Diagram labels: My Stuff; His Stuff; Her Stuff; HerHandler; HisHandler)

Page 46:

Extending a Look-up

• Repository view specifies task to continue look-up
• If look-up fails, requester gets a partial binding
• Core asked to complete binding
• Examples
  – Proxy can pull resource description across wire
  – File system may register files on demand
• If successful, requester gets name association

Page 47:

Finding a Machine

• What if extended look-up fails?
• Need to find a machine
• Do a discovery at an advertising service
• Get back one or more connection objects
• Initiate connection and import desired resources

Page 48:

Problem

How can applications that need additional resources ensure that they are available?

Resource description points to other resources to be bound to names

Page 49:

Inheriting Resources

Resource Metadata Inheritance Field

(Application’s name, Repository Handle)
(/word97,53384)
(/times8.fnt,593)
(/times12.fnt,4937)
(/times16.fnt, 332)

Page 50:

Problem

How does a user log in to the system?

Attribute-based look-up of a Protection Domain

Page 51:

Logging In

• Task starts with default resources
• Checks in with Core
  – Core sets up protection domain
  – Gives enough resources to ask for more
• Logs in
  – Gets Protection Domain resource
    get {USER=Karp,PW=m20xyo},bind to Me in frame Default
  – Make active
    make Me active

Page 52:

Problem

How can a task know when new resources become available?

Use flexible name associations

Page 53:

Flexible Name Associations

• Can be associated with one or more Handles - explicit
  word97=(339,4297)()
• Can be associated with a description - implicit
  word97=()(APP=word97,Source=MS)
• Can be associated with both - hybrid
  word97=(339,4297),(APP=word97,Source=MS)
• Request tells what to do on name resolution
  – Use explicit if valid, else implicit
  – Use implicit and update explicit
  – etc.

Page 54:

Problem

How can the requests made for additional resources be controlled?

Use positive and negative permissions

Page 55:

Positive and Negative Rights

• Deny field tells who may not reference resource
  – May not open any lock
• Allow field tells who may reference resource
  – Must open one lock
• Allows advanced security structures
  – Compartments
  – Control of critical resources

Page 56:

Enforcing Compartments

• Alice’s secret stuff resource description
  Allow=(3448),Deny=(982)
• Bob’s secret stuff resource description
  Allow=(982),Deny=(3448)
• To access Alice’s project
  Key ring=(3448,12,833)
• To access Bob’s project
  Key ring=(982,12,833)
• Can’t see Alice’s and Bob’s stuff at same time

Page 57:

Control of Critical Resources

• General users should not see most system configuration files

• Put a lock in the deny field of these resource descriptions

• Put the matching key on the default key ring of all general users

• Don’t give general users a name for this key
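
How the Core could extract access rights from a key ring under the (Lock,Permission), Allow and Deny rules of the preceding slides, as an added example (not code from the original deck). It assumes key N opens lock N and that an empty Allow field imposes no restriction; the (lock, permission) pairs and the SYSCONFIG resource are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceDescription:
    """Repository metadata for one resource (field names are assumptions)."""
    grants: tuple = ()               # (lock, permission) pairs set by the owner
    allow: frozenset = frozenset()   # request must open at least one of these
    deny: frozenset = frozenset()    # request must open none of these


def opens(key, lock):
    # Assumption: key N opens lock N, matching the slides' Allow=(3448)
    # and Key ring=(3448,12,833) numbering.
    return key == lock


def opens_any(key_ring, locks):
    return any(opens(k, lock) for k in key_ring for lock in locks)


def extract_permissions(desc, key_ring):
    """Permissions forwarded in the inbox envelope, or None when the
    key ring may not reference the resource at all."""
    if opens_any(key_ring, desc.deny):
        return None                  # a Deny lock was opened
    # Assumption: an empty Allow field places no restriction.
    if desc.allow and not opens_any(key_ring, desc.allow):
        return None                  # no Allow lock was opened
    return {perm for lock, perm in desc.grants if opens_any(key_ring, [lock])}


# Constructed (lock, permission) pairs; Allow/Deny and key rings are the slides'.
GRANTS = ((12, "read"), (833, "write"))
ALICE = ResourceDescription(GRANTS, frozenset({3448}), frozenset({982}))
BOB = ResourceDescription(GRANTS, frozenset({982}), frozenset({3448}))
# Constructed critical resource: lock 500 in Deny, key 500 on every general
# user's default key ring, which the user has no name for and cannot drop.
SYSCONFIG = ResourceDescription(((7, "read"),), deny=frozenset({500}))


def compartment_demo():
    alice_ring, bob_ring = (3448, 12, 833), (982, 12, 833)
    return {
        "alice_ring->alice": extract_permissions(ALICE, alice_ring),
        "alice_ring->bob": extract_permissions(BOB, alice_ring),
        "bob_ring->bob": extract_permissions(BOB, bob_ring),
        "both_keys->alice": extract_permissions(ALICE, alice_ring + bob_ring),
        "both_keys->bob": extract_permissions(BOB, alice_ring + bob_ring),
        "general_user->sysconfig": extract_permissions(SYSCONFIG, (500, 12)),
        "admin->sysconfig": extract_permissions(SYSCONFIG, (7,)),
    }


if __name__ == "__main__":
    for case, perms in compartment_demo().items():
        print(f"{case}: {perms}")
```

Because Deny is checked first, a key ring holding both 3448 and 982 reaches neither compartment, which is the "can't see both at the same time" property.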

Page 58:

Problem

How can the Core support advanced security models?

Delegate responsibility to a designated task

Page 59:

Advanced Access Control

• Audit trail - Notify Authorizers
  – Send message when used in outbox envelope
  – Deliver name binding to recipient
• ACLs - Grant Authorizers
  – Deliver partially bound name to recipient
  – If name association needed, contact authorizer
  – Only grant authorizer can transfer binding

Page 60:

Authorizers

(Diagram labels: Core; App; Auth; API; Grant; Notify; Request)

Page 61:

Problem

How can a task conveniently take on different roles?

Vary names and permissions used

Page 62:

Roles

• Each role of task is a different set of
  – Name bindings
  – Access rights
• Each request to Client Utility specifies
  – Name space
  – Collection of keys
• Every request is in a particular role

Page 63:

Problem

How does a task let another task act on its behalf yet reserve the power to revoke the privilege?

Use the fact that a frame is a resource like any other

Page 64:

Delegation with Revocation

• Create a frame (or even a name space)
• Associate names for resources to be delegated
• Transfer name association for frame
• Don’t transfer key to modify frame
• Revoke by deleting items or frame

Page 65:

Delegation with Revocation

Task A: Default; Delegate=(320); Key=(442)

Task B: Default; AsFrame=(320); Key=(9382)

Repository (fields Handle:API:Perms:Allow/Deny:Atts:Auth:Bid):

320: Frame:(442,Own)(9382,Use):{/}:{TYPE=Adelegate}:{7}:{}
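
Ordered frame look-up combined with the delegation and revocation steps above, as an added example (not code from the original deck). It assumes an "Own" key is required to modify a frame and that either "Own" or "Use" permits reading it; the key numbers 442 and 9382 are the slide's, while the names and handles bound here are constructed.

```python
class Frame:
    """A frame: a resource holding name associations (name -> handle)."""

    def __init__(self, rights):
        self.rights = dict(rights)      # key -> "Own" or "Use"
        self._names = {}

    def _require_own(self, key):
        # Assumption: only an "Own" key may modify the frame.
        if self.rights.get(key) != "Own":
            raise PermissionError(f"key {key} may not modify this frame")

    def bind(self, name, handle, key):
        self._require_own(key)
        self._names[name] = handle

    def unbind(self, name, key):
        self._require_own(key)
        self._names.pop(name, None)

    def lookup(self, name, key_ring):
        # Assumption: either "Own" or "Use" lets a task read the frame.
        if any(k in self.rights for k in key_ring):
            return self._names.get(name)
        return None


class NameSpace:
    """An ordered list of frames, searched in the designated order."""

    def __init__(self, *frames):
        self.frames = list(frames)

    def resolve(self, name, key_ring):
        for frame in self.frames:
            handle = frame.lookup(name, key_ring)
            if handle is not None:
                return handle
        return None


def delegation_demo():
    # Task A holds key 442 (Own) and Task B key 9382 (Use) on frame 320.
    delegated = Frame({442: "Own", 9382: "Use"})
    delegated.bind("/report", "G3965", key=442)
    delegated.bind("/notes", "A-notes", key=442)
    b_default = Frame({9382: "Own"})
    b_default.bind("/notes", "B-notes", key=9382)
    b_space = NameSpace(b_default, delegated)    # B appends A's frame

    before = b_space.resolve("/report", [9382])
    shadowed = b_space.resolve("/notes", [9382])  # B's own frame wins
    try:
        delegated.bind("/extra", "X928", key=9382)
        b_modified = True
    except PermissionError:
        b_modified = False
    delegated.unbind("/report", key=442)          # A revokes one name
    after = b_space.resolve("/report", [9382])
    return before, shadowed, b_modified, after
```

Revocation works because Task B only ever held a reference to the frame, never a copy of the bindings, so deleting an entry takes effect on B's next request.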

Page 66:

Problem

How can a task signal another task that something must be dealt with immediately?

Send an event message.

How can a task control who can send it which events?

Use permissions

Page 67:

Events

(Diagram labels: Message Queue; Message Loop; Normal Message; Event Callback; Message Thread)

Page 68:

Event Processing

• Task has a thread looking for incoming messages

• Default action is to put thread on message queue

• If event corresponds to a designated event, a thread running the specified code is started

Page 69:

Problem

How does a task find out about events that other tasks may be generating?

Subscribe with an event distributor

Page 70:

Event Distributor

(Diagram labels: Event Publisher; Event Distributor; Subscriber; Subscribe with filter; Filter; Publish; Notify)

Page 71:

Event Distributor

• Event distribution is a discoverable service
• Publishers forward events to distributors
• Subscribers register with distributor
  – Subscription can include a filter
  – Limits when events get forwarded

Page 72:

Problem

How can a Client Utility System deal with new kinds of resources?

Deal only with resource metadata

Page 73:

Client Utility Core Services

• Client Utility does not understand any resources
• No attempt to understand message contents
• No attempt to understand semantics of permissions
• Client Utility only provides
  – Naming
  – Extraction of access rights
  – Message routing
  – Monitoring
• Understanding nothing => handle everything

