User Tools

Site Tools


This wiki page discuss the implementation of SFA by PlanetLab. The source code can be found here

The SFA specification can be found here and a document about its implementation, here

Trust Package

Implements authentication and authorization. Determines which operations a user is allowed to do over an object.


  • Class that extends pyOpenSSL X.509 by adding a parent field to support certificate chains


  • Certificate that binds together <PublicKey, UUID, Lifetime>. The object identified by UUID holds the private key corresponding to PublicKey. A GID sets the field subject-public-key of the certificate to PublicKey and the field subject-alt-name to the UUID and hrn of the object.


  • Extends the class Certificate to include the 5-tuple <GIDCaller, GIDObject, Lifetime, Privileges, Delegate>, which defines the privileges and rights a particular principal (GIDCaller) has over an object (GIDObject). Delegate indicates whether the holder is permitted to delegate the credential to another principal. A credential is signed by the responsible authority and re-signed when delegated.


  • Is an RSpec signed by an AM, which indicates a promise to bind resources to the ticket-holder.
  • Extends the class Certificate adding the 5-tuple <GIDCaller, GIDObject, Attributes, RSpec, Delegate>, where GIDCaller is the GID of the principal perfoming the operation, GIDObject the GID of the slice to which the ticket is bound, attributes is a set of tag-value pairs and RSpec specifies the set of resources bound to the slice.

Storage Package

Describes the record types that are stored by the Registry.


  • RegRecord defines a registry record, which includes the 4-tuple <HRN, GID, Type, Info>. It records facts about the objects in the system (components and slices) and the principals (users, Management Authorities and Slice Authorities) that use and authorize them.
  • Type is one among {Authority, Component, Slice, User} and Info depends on the type.
  • RegRecord implementation is PlanetLab dependent, as pointer points to the id of the element in the PlanetLab database


  • Extends RegRecord for Authorities, providing as info the PIs related with this authority


  • Extends RegRecord for components.


  • Extends RegRecord for Slices, providing information about the associated researchers


  • Extends RegRecord for Users and provides their email.

Methods Package

Implements authentication and authorization. Determines which operations a user is allowed to do over an object. For the complete list of methods check SFA interfaces.

Servers Package

HTTPS XML-RPC servers that provide the SFA interfaces.

Managers Package

Actual implementation of the Aggregate Manager, Slice Manager, Component Manager and Registry Manager. Each Testbed should implement its testbed-dependent driver.

sfa/implementation.txt · Last modified: 2012/10/23 21:22 by ester