Hewlett-Packard Confidential
Client Utility Tutorial
Operating System (slide diagram)
Applications run on a Kernel that manages the Physical Resources (e.g., CPU time slice, disk).
NT/Unix - “OS for Devices”
Operating System with CUSP (slide diagram)
Applications use Services built on the CUSP Core; the Core manages Information and Services Resources (sub-services), e.g., location, brokering, provisioning, monitoring, security, billing, management.
Underneath, the Kernels of the participating machines manage the Physical Resources (e.g., CPU time slice, disk).
CUSP - “OS for the Internet”
Standard Resource Model (slide diagram)
A Legacy OS (eg: NTFS) provides Resource Access through a Legacy Resource Abstraction built on Basic Services: Interrupt Handling, Scheduling, Memory Management, Timer Services.
Client Utility Resource Model (slide diagram)
Utility System layer: a Virtual Resource Abstraction with Attribute Descriptions, Naming, Permissions, Interfaces, Communication, Attribute Vocabularies, Authorization, Transports, Repositories; reachable over LDAP, DCOM/CORBA, Java Platform, HTTP.
Legacy OS layer (eg: NTFS): Resource Access through a Legacy Resource Abstraction built on Basic Services: Interrupt Handling, Scheduling, Memory Management, Timer Services.
System Structure
• Collection of Logical Machines
• Logical Machine
  • Active entity - Core
  • Passive entity - Repository
• Mailbox metaphor for requests to Core
Fundamentals
• Every resource registered with Core
• Tasks access resources by name
• Core associates name with resource metadata
• Each task has an outbox connected to the Core
  – Outgoing message has envelope and payload
• Each task has zero or more inboxes
  – Incoming message has envelope and payload
A First Request (slide diagram): the App API sends the request to the Core, whose Router consults the Repository.
Open a File
• Construct outbox envelope and append payload
  – Name field - (/mydoc.txt)
  – Payload - (open rw /mydoc.txt)
• Look up /mydoc.txt
• Finds resource description in repository
• Forwards to designated resource proxy
Outbox message: Name: /mydoc.txt; Payload: open rw /mydoc.txt
Problem
How can a resource owner control access without needing to authenticate a large number of potential users?
How can a task describe the access rights it wants to use for a particular request?
Use keys to unlock permissions
Extracting Access Rights (slide diagram): the Core now has a Permission component beside the Router; the App API sends requests to the Core, which consults the Repository.
Setting Up Permissions
• Inserted by resource owner
• Recorded with resource metadata in repository
• (Lock,Permission) pair
• Permission forwarded if lock opened
Request with Access Rights
• Outbox envelope includes collection of keys
  – Key rings - (mykeys)
  – Name field - (/mydoc.txt)
  – Payload - (open rw /mydoc.txt)
• Inbox envelope gets permissions
  – Name: /mydoc.txt
  – Permissions: read,write
  – Payload: open rw /mydoc.txt
Problem
How can a task find its “stuff” no matter where it runs?
Virtualize names
All names are personal to task
Core identifies actual resource being referenced
Name Virtualization (slide diagram): the Core gains a Naming component beside Permission and Router; each task has its own Name Space, and Naming maps personal names to Repository entries before the request is routed.
Name Virtualization
• Construct outbox envelope
  – Name field - (/boss_is_dumb)
  – Label - (/boss_is_smart)
  – Payload - (open rw /boss_is_smart)
• Name manager looks up name in Name Space
• Finds resource description in repository
• Forwards to resource proxy
Inbox message: Name: X928; Label: /boss_is_smart; Permissions: read,write; Payload: open rw /boss_is_smart
Problem
How does the resource proxy know what resource is being accessed if there is no common name?
The resource metadata has a field for resource specific data
Resource Identification
• Construct outbox envelope
  – Name field - (/resume.txt)
  – Label - (/doc.txt)
  – Payload - (open rw /doc.txt)
• Name manager looks up /resume.txt in repository
• Forwards to resource proxy
Inbox message: Name: G3965; Label: /doc.txt; Resource data: /u/karp/report.txt,read,write; Payload: open rw /doc.txt
Problem
How can one task put a name into another task’s name space while avoiding accidental name conflicts?
Give name spaces structure
Typical Name Space Structure (slide diagram)
Frames: MyDefaultFrame, InboxFrame, FrameA, FrameB
MyNameSpace=(MyDefaultFrame,InboxFrame,FrameA,FrameB)
Name Space Structure
• Name space an ordered list of frames
• Frames hold collections of name associations
• Core looks for names in designated order
• Unique frame for each mailbox
• Delivery associates names in inbox frame
• Receiver can rename or move entries
• Name spaces and frames are resources
Problem
How can two or more tasks share a set of names?
Each has a name for the same frame
Sharing Names
Problem
How can the core begin the name look-up procedure?
Use default frame as anchor
Name Look-up Procedure
• Outbox has associated frame
• Look for default name space
• Use mandatory key ring
• Find name mapping for name space
• Find name mapping for key rings
• Step through frames looking for names
Problem
How can an administrator know what’s going on?
Record resource access requests
Structure of the CU Core (slide diagram): the Core holds Naming, Permission and Router components plus a Monitor; the App API sends requests to the Core, which consults the Repository and each task's Name Space; the Monitor records into a Monitor Data Base.
Monitor
• Monitor records all requests
• Database is a resource like any other
• Requests to database specify keys
• Monitoring task has a different set of keys
• Management task has keys to change repository entries
Problem
How can a task add name bindings to its protection domain?
Describe resource
Resource Look-up
• Attribute-based look-up
  get {DOC=“CU Architecture”,VER=3.8}, bind to /cuarch.doc in frame CUArch
• Search repository for matches
• Use designated arbitration if many found
• Error return if no matches
Problem
What can be done if no attribute grammar can describe a new kind of resource?
Make grammar a resource that can be specified with the attributes
Attribute Grammars
• Define a new grammar and register it with Core
• Built up out of Core supplied components
  – Data types: integer, string, etc.
  – Comparisons: equal, greater than, longer, etc.
  – Logic: AND, OR
  – Other: valid names, required, bounds
• Name grammar in a resource description or as part of a look-up request
Attribute Grammar (slide diagram): Grammar Toolkit
ShoeSizeGrammar
  Size=int, > 6, <12
  Width=char,From(A,B,C,D,E)
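Added example, not part of the HP tutorial: a Python sketch of an attribute grammar built from Core-style components (data types, comparisons, AND, membership, required fields, valid names), with the deck's ShoeSizeGrammar encoded and the attribute-based look-up from the Resource Look-up slide (error when nothing matches, designated arbitration when many do). The component names, the Field class and the repository entries are assumptions.

```python
from dataclasses import dataclass
# Core-supplied components (assumed names): comparisons and logic as predicates.
def greater(n): return lambda v: v > n
def less(n): return lambda v: v < n
def one_of(*choices): return lambda v: v in choices
def both(*preds): return lambda v: all(p(v) for p in preds)   # Logic: AND
@dataclass(frozen=True)
class Field:
    type_: type          # Data type the value must have
    check: object        # Predicate built from the components above
    required: bool = True
    def accepts(self, value):
        return isinstance(value, self.type_) and self.check(value)
# The deck's ShoeSizeGrammar: Size=int, >6, <12 ; Width=char, From(A,B,C,D,E)
SHOE_SIZE_GRAMMAR = {
    "Size": Field(int, both(greater(6), less(12))),
    "Width": Field(str, both(lambda v: len(v) == 1, one_of("A", "B", "C", "D", "E"))),
}
# Constructed repository entries: handle -> (grammar named by the description, attributes)
SHOES = {
    201: (SHOE_SIZE_GRAMMAR, {"Size": 9, "Width": "D"}),
    202: (SHOE_SIZE_GRAMMAR, {"Size": 9, "Width": "B"}),
    203: (SHOE_SIZE_GRAMMAR, {"Size": 11, "Width": "E"}),
}

def conforms(grammar, attrs, partial=False):
    """Check attrs against a grammar (valid names, required fields, per-field checks);
    partial=True lets a look-up query omit fields."""
    if set(attrs) - set(grammar):          # Other: valid names
        return False
    for name, fld in grammar.items():
        if name not in attrs:
            if fld.required and not partial:
                return False
        elif not fld.accepts(attrs[name]):
            return False
    return True

def lookup(repository, grammar, query, arbitrate=None):
    """Attribute-based look-up: error if no match, designated arbitration if many."""
    if not conforms(grammar, query, partial=True):
        raise ValueError("query does not conform to grammar")
    matches = [h for h, (g, attrs) in repository.items()
               if g is grammar and all(attrs.get(k) == v for k, v in query.items())]
    if not matches:
        raise LookupError("no matches")
    if len(matches) > 1 and arbitrate is None:
        raise LookupError("many found and no arbitration designated")
    return arbitrate(matches) if len(matches) > 1 else matches[0]
```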
Grammar Matching Rules
• Each grammar has matching rules for each field
• Can match fields in other grammars
• Service can translate between grammars
Problem
How do machines share resources?
Connect with DRIP
Distributed Resource Interchange Protocol
• Agree on a connection mode (TCP, IR)
• Agree on a DRIP version
• Mutually authenticate
• Derive session key (optional)
• Set up proxy for other machine
• Exchange resource descriptions
• Register in each Core repository with proxy as handler
Connecting Two Machines
Problem
How does a task use a resource from another machine?
The same way it uses any other resource
Using a Remote Resource (slide diagram): the Request travels from the requesting task's Core through the proxies to the owning machine's Core, and the Reply returns along the same path.
Using a resource from another machine
• Get a name association (transfer or look-up)
• Specify name in outbox envelope
• Core forwards to proxy as handler
• Proxy forwards request over the wire
• Proxy on owning side names resource in its outbox envelope
• Its Core routes request to handler
• Reply sent back along same path
Problem
How can an application limit what it might find?
How can the application speed up searches?
Use views into the repository
Specifying a Look-Up (slide diagram): repository views My Stuff, His Stuff, Her Stuff and Default
Repository Views
• Any task can create a repository view
  – View for “MyStuff”
  – Proxy uses view for imported resources
• Registered resources can be added
• Name association for repository view can be given out
• Look-up names an ordered list of repository views
• Default view contains all resources
Problem
Must resource descriptions be pushed or can they be pulled?
Repository view may specify an extended look-up handler
Extending a Look-up (slide diagram): repository views My Stuff, His Stuff and Her Stuff; His Stuff and Her Stuff each name an extended look-up handler, HisHandler and HerHandler.
Extending a Look-up
• Repository view specifies task to continue look-up
• If look-up fails, requester gets a partial binding
• Core asked to complete binding
• Examples
  – Proxy can pull resource description across wire
  – File system may register files on demand
• If successful, requester gets name association
Finding a Machine
• What if extended look-up fails?
• Need to find a machine
• Do a discovery at an advertising service
• Get back one or more connection objects
• Initiate connection and import desired resources
Problem
How can applications that need additional resources ensure that they are available?
Resource description points to other resources to be bound to names
Inheriting Resources
Resource Metadata Inheritance Field: a list of (Application’s name, Repository Handle) pairs
  (/word97,53384)
  (/times8.fnt,593)
  (/times12.fnt,4937)
  (/times16.fnt, 332)
Problem
How does a user login to the system?
Attribute based look-up of a Protection Domain
Logging In
• Task starts with default resources
• Checks in with Core
  – Core sets up protection domain
  – Gives enough resources to ask for more
• Logs in
  – Gets Protection Domain resource
    get {USER=Karp,PW=m20xyo},bind to Me in frame Default
  – Make active
    make Me active
Problem
How can a task know when new resources become available?
Use flexible name associations
Flexible Name Associations
• Can be associated with one or more Handles - explicit
  word97=(339,4297)()
• Can be associated with a description - implicit
  word97=()(APP=word97,Source=MS)
• Can be associated with both - hybrid
  word97=(339,4297),(APP=word97,Source=MS)
• Request tells what to do on name resolution
  – Use explicit if valid, else implicit
  – Use implicit and update explicit
  – etc.
Problem
How can the requests made for additional resources be controlled?
Use positive and negative permissions
Positive and Negative Rights
• Deny field tells who may not reference resource
  – May not open any lock
• Allow field tells who may reference resource
  – Must open one lock
• Allows advanced security structures
  – Compartments
  – Control of critical resources
Enforcing Compartments
• Alice’s secret stuff resource description
  Allow=(3448),Deny=(982)
• Bob’s secret stuff resource description
  Allow=(982),Deny=(3448)
• To access Alice’s project
  Key ring=(3448,12,833)
• To access Bob’s project
  Key ring=(982,12,833)
• Can’t see Alice’s and Bob’s stuff at same time
Control of Critical Resources
• General users should not see most system configuration files
• Put a lock in the deny field of these resource descriptions
• Put the matching key on the default key ring of all general users
• Don’t give general users a name for this key
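As an added illustration (not code from the deck), the Python model below shows how a Core could extract access rights from a key ring against a resource description's (Lock,Permission) pairs and its Allow and Deny fields, covering the Setting Up Permissions, Enforcing Compartments and Control of Critical Resources slides. Apart from the compartment lock ids 3448 and 982, all lock and key numbers, field names and function names are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class ResourceDescription:
    """Repository metadata the Core consults; field names are assumptions."""
    resource_data: str                          # owner's own name for the resource
    locks: dict = field(default_factory=dict)   # (Lock, Permission) pairs: lock -> permissions
    allow: frozenset = frozenset()              # must open one of these (empty: no restriction)
    deny: frozenset = frozenset()               # must open none of these

def extract_rights(desc, key_ring):
    """Return the permissions the Core puts in the inbox envelope, or None when
    the request may not reference the resource at all."""
    keys = frozenset(key_ring)
    if keys & desc.deny:                        # a key opened a deny lock
        return None
    if desc.allow and not (keys & desc.allow):  # no key opened an allow lock
        return None
    granted = set()
    for lock, perms in desc.locks.items():
        if lock in keys:                        # permission forwarded if lock opened
            granted |= set(perms)
    return granted

# Constructed repository entries (numbers are made up except the compartment
# ids 3448 and 982, which follow the deck).
MYDOC = ResourceDescription("/u/karp/mydoc.txt", locks={77: ("read",), 78: ("write",)})
ALICE_SECRET = ResourceDescription("alice", locks={3448: ("read", "write")},
                                   allow=frozenset({3448}), deny=frozenset({982}))
BOB_SECRET = ResourceDescription("bob", locks={982: ("read", "write")},
                                 allow=frozenset({982}), deny=frozenset({3448}))
# Critical resource: deny lock 900, whose key sits on every general user's default ring
SYSTEM_CFG = ResourceDescription("/etc/system.cfg", locks={5: ("read",)}, deny=frozenset({900}))

def compartments():
    """Alice's and Bob's stuff cannot be opened by the same key ring."""
    alice_ring, bob_ring, mixed_ring = (3448, 12, 833), (982, 12, 833), (3448, 982, 12)
    return {
        "alice_sees_alice": extract_rights(ALICE_SECRET, alice_ring),
        "alice_sees_bob": extract_rights(BOB_SECRET, alice_ring),
        "bob_sees_bob": extract_rights(BOB_SECRET, bob_ring),
        "mixed_sees_alice": extract_rights(ALICE_SECRET, mixed_ring),
        "mixed_sees_bob": extract_rights(BOB_SECRET, mixed_ring),
    }

def critical_resource():
    """General users carry key 900 (with no name for it) and are denied;
    an administrator ring without it reads the file."""
    general_user_ring, admin_ring = (900, 5, 12), (5, 12)
    return extract_rights(SYSTEM_CFG, general_user_ring), extract_rights(SYSTEM_CFG, admin_ring)
```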
Problem
How can the Core support advanced security models?
Delegate responsibility to a designated task
Advanced Access Control
• Audit trail - Notify Authorizers
  – Send message when used in outbox envelope
  – Deliver name binding to recipient
• ACLs - Grant Authorizers
  – Deliver partially bound name to recipient
  – If name association needed, contact authorizer
  – Only grant authorizer can transfer binding
Authorizers (slide diagram): the App sends a Request through the API to the Core; the Core contacts the Auth task, which can Grant or Notify.
Problem
How can a task conveniently take on different roles?
Vary names and permissions used
Roles
• Each role of task is a different set of
  – Name bindings
  – Access rights
• Each request to Client Utility specifies
  – Name space
  – Collection of keys
• Every request is in a particular role
Problem
How does a task let another task act on its behalf yet reserve the power to revoke the privilege?
Use the fact that a frame is a resource like any other
Delegation with Revocation
• Create a frame (or even a name space)
• Associate names for resources to be delegated
• Transfer name association for frame
• Don’t transfer key to modify frame
• Revoke by deleting items or frame
Delegation with Revocation (slide diagram)
Task A, Default frame: Delegate=(320), Key=(442)
Task B, Default frame: AsFrame=(320), Key=(9382)
Repository entry for handle 320 (fields: Handle:API:Perms:Allow/Deny:Atts:Auth:Bid):
  320: Frame:(442,Own)(9382,Use):{/}:{TYPE=Adelegate}:{7}:{}
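To make the frame-based delegation concrete, here is an added Python sketch (not the deck's own code) covering the Name Space Structure, Name Look-up Procedure and Delegation with Revocation slides: frames are repository resources with Own and Use keys, a name space is an ordered list of frame handles that the Core steps through, Task A hands Task B a name for the frame but not the key that modifies it, and revokes by unbinding. The Core class, its methods and all handle numbers are assumptions; the key ids 442 and 9382 follow the slide.

```python
class Core:
    """Toy Core: frames are repository resources and a name space is an ordered
    list of frame handles (assumed representation, not the deck's API)."""
    def __init__(self):
        self.repository = {}          # handle -> resource metadata
        self._next_handle = 100

    def register(self, data, own_key, use_key=None):
        """Record a resource; an Own key may modify it, a Use key may only read it."""
        handle = self._next_handle = self._next_handle + 1
        perms = {own_key: "Own", **({use_key: "Use"} if use_key is not None else {})}
        self.repository[handle] = {"data": data, "perms": perms, "bindings": {}}
        return handle

    def opens(self, handle, key_ring, wanted):
        perms = self.repository[handle]["perms"]
        return any(perms.get(key) in wanted for key in key_ring)

    def bind(self, frame, name, target, key_ring):
        if not self.opens(frame, key_ring, {"Own"}):
            raise PermissionError("key ring cannot modify frame %d" % frame)
        self.repository[frame]["bindings"][name] = target

    def unbind(self, frame, name, key_ring):
        if not self.opens(frame, key_ring, {"Own"}):
            raise PermissionError("key ring cannot modify frame %d" % frame)
        self.repository[frame]["bindings"].pop(name, None)

    def resolve(self, name_space, name, key_ring):
        """Step through the frames in order, skipping any the key ring cannot open."""
        for frame in name_space:
            if not self.opens(frame, key_ring, {"Own", "Use"}):
                continue
            target = self.repository[frame]["bindings"].get(name)
            if target is not None:
                return target, self.repository[target]["data"]
        return None

def delegation_scenario():
    """Task A delegates /report to Task B through a frame and later revokes it."""
    core = Core()
    report = core.register("/u/karp/report.txt,read,write", own_key=7)
    delegate = core.register("frame", own_key=442, use_key=9382)   # A keeps key 442
    core.bind(delegate, "/report", report, key_ring=(442,))
    b_default = core.register("frame", own_key=22)
    b_space, b_ring = [b_default, delegate], (22, 9382)            # B holds only the Use key
    before = core.resolve(b_space, "/report", b_ring)
    b_can_modify = core.opens(delegate, b_ring, {"Own"})
    core.unbind(delegate, "/report", key_ring=(442,))              # A revokes
    return before, b_can_modify, core.resolve(b_space, "/report", b_ring)
```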
Problem
How can a task signal another task that something must be dealt with immediately?
Send an event message.
How can a task control which tasks may send it which events?
Use permissions
Events (slide diagram): a Message Thread runs a Message Loop over the Message Queue; a Normal Message is queued, while an Event triggers an Event Callback.
Event Processing
• Task has a thread looking for incoming messages
• Default action is to put thread on message queue
• If event corresponds to a designated event, a thread running the specified code is started
Problem
How does a task find out about events that other tasks may be generating?
Subscribe with an event distributor
Event Distributor (slide diagram): an Event Publisher publishes to the Event Distributor; a Subscriber subscribes with a Filter, and the distributor notifies it when a published event passes the filter.
Event Distributor
• Event distribution is a discoverable service
• Publishers forward events to distributors
• Subscribers register with distributor
  – Subscription can include a filter
  – Limits when events get forwarded
Problem
How can a Client Utility System deal with new kinds of resources?
Deal only with resource metadata
Client Utility Core Services
• Client Utility does not understand any resources
• No attempt to understand message contents
• No attempt to understand semantics of permissions
• Client Utility only provides
  – Naming
  – Extraction of access rights
  – Message routing
  – Monitoring
• Understanding nothing => handle everything