User Tools

Site Tools


Slice-based Federation Architecture

Slice-based Federation Architecture (SFA) provides a minimal interface to enable the federation of testbeds with different technologies and belonging to different administrators, while granting the control of the resources to their owners. This allows researchers to combine resources available in different testbeds, increasing the scale and diversity of their experiments.

SFA is based on a set of high-level concepts that define the actors and the resources that interact on the testbed, as well as defining an architecture with its interfaces and main datatypes to facilitate the federation of testbeds.


On SFA, principals refers to the actors present on the architecture. SFA considers three principals:

  • The management authority is responsible for a set of physical components, ensuring that the components behave properly and execute the resource allocation wishes of the component owner.
  • The slice authority is responsible of one of more slices, i.e. it names and registers slices while giving users access and control to their slices.
  • Users, who are people playing one or more role in the facility.

On the other hand, the CONFINE data model defines users and groups. CONFINE's users are equivalent to the users in SFA, whereas for the authorities, CONFINE does not distinguish between management and slice authority: the authority of a slice will be the group related to it, while the management authority of a component will be the group related to it.

In this case, CONFINE is centrally managed by the controller, so both the management authority and the slice authority are implemented by the controller.


The resources managed on a testbed are not only the physical substrate, but also the share of resources assigned to a researcher, which usually correspond to virtualized versions of the former substrate. SFA abstracts those resources in:

  • Components, which represent the minimal aggregation of physical resources that can be managed;
  • Slivers, which are the portion of such resources let to the researchers; and
  • Slices, which are collections of slivers assigned to researchers to perform an experiment. Slices are the primary abstraction for accounting and accountability. SFA defines three stages in a slice life-cycle: (i) register: at this point the slice exists only in name; (ii) instantiate: the slice is instantiated in the required components, being granted of a set of resources; and (iii) activate: the slice becomes active and runs code on behalf of the researcher.

The software modules that manage those components are the aggregate manager for the components (or component manager if it manages a single component) and the slice manager for slices and slivers.

The case in CONFINE is pretty similar, we have slivers and slices, where slices have an equivalent set of states: register, deploy and start, and the only components that CONFINE considers are research devices (nodes). Regarding the management, it is all done in a centralized way by the controller.


SFA defines the interaction between actors and resources by means of a set of APIs, however, before getting into detail, some datatypes need to be explained, to understand them. The main datatypes in SFA are:

  • Global identifier or GID is an identifier assigned to components, slices, services and every principal participating in the system. Specifically a GID is a certificate that binds together a public key, a UUID and a period of time during while the GID is valid. Even though at the moment CONFINE controller does not consider GIDs, it has been enriched with an extension that will allow the assignation of GIDs to the entities in the controller.
  • Resource specification or RSpec is used to describe the resources on the system. Therefore, for a component it will describe the set of resources it possesses and constraints and dependencies on the allocation of those resources; whereas for slices it will describe the set of slivers it consists of and their characteristics. The RSpec is an XML dependent of the testbed, since every testbed will have its own type of resources and requirements. The RSpec for CONFINE testbeds has not been defined yet, although resource descriptions (JSON-based) in its REST API may be regarded as equivalent.
  • Ticket is a promise signed by an aggregate manager, giving an entity the right to allocate the resources that are being granted.
  • Credential, on the other hand, is a grant of a set of rights and privileges associated with a particular principal.

CONFINE leasing of resources does not work as a ticket system, so it lacks both the ticket and credential datatypes. However, SFA tickets in CONFINE may be handled as temporary allocations of resources with a lifetime limited to that of the associated GID.

The interaction of all these components is shown in the picture below (SVG source):

Federation of Community-Lab through SFA

The Community-Lab testbed provides a SFA interface for federation with other testbeds. The SFA-compliant interface is provided by a wrapper implemented on top of the REST API, and it can be used to interact with the testbed in a federation scenario.

sfa/start.txt · Last modified: 2014/07/18 10:34 by gerardmn