Perl Universal Daemon (pud)
Andrew Hanushevsky
SLAC Computing Services
Produced under contract DE-AC03-76SF00515 between Stanford University and the Department of Energy
The Problem
• Quickly deploy client-server applications
  • Typically Perl programs
• Accommodate arbitrary authentication models
  • Kerberos
  • PGP
• Fault-tolerant services
  • Quick doesn't mean unreliable
• Need to be portable
  • AIX, SunOS, Solaris
The Solution - pud
• Simple
  • Allows one to trivially map requests to remote methods
• Secure
  • Allows the mapping of authentication protocol to arbitrary method
• Fault Tolerant
  • Supports server replication with automatic fail-over
• Controllable
  • Server controls the number of simultaneous requests
• Portable
  • Written in Perl5
• Configurable
Architecture Part I
[Diagram: Client (pudc), Server (pud), Method (meth); each link labelled 1-n]
• pudc command parameters
• Sends the following stream to pud (the server)
  • &V=verno&Rid=pid&Req=command&Parms=parameters
• Server maps command to a method and instantiates it
  • Invokes the request constructor
  • Invokes the method
  • Invokes the request destructor
Architecture Part II
• Method optionally sets a message and result, then returns
• Server responds with
  • &RC=rc&Rid=pid&Msg=message&Result=result
• pudc then
  • Displays message on stderr, if present and rc != 0
  • Prints result on stdout, if present and rc == 0
  • Exits with rc
Mapping Request To Method
• Config file maps requests to methods
  • bindrequest request module class::method
    • request: actual name of incoming request, or
      • *beg: initialization routine (called at start-up)
      • *new: constructor (called before each request)
      • *wen: destructor (called after each request)
    • module: name of the Perl module
    • class: the method's class (i.e., package name)
    • method: name of the function to be called within class
• All methods loaded at initialization time
  • *beg method called after loading completes
• All methods called in a standard way
  • method(request, parameters)
Method Callable Functions
• pud_Alert(logging_level,subject,text[,notify_list])
  • Send a logging_level alert to one or more people
• pud_Config(directive)
  • Obtain the associated config file value for directive
• pud_Log(logging_level,message)
  • Place message into the log
• pud_Pud(action)
  • Execute a pud control function
• pud_RC(rc [,message])
  • Set the return code and optional message
• pud_Result()
  • Get the rc, result, and message to be returned to pudc
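The request cycle from Architecture Part I/II, the bindrequest mapping and the pud_RC/pud_Result calls, shown together in an added Perl sketch of the server side (illustration only, not pud's own code). The Demo package and its upper request, the bodies of pud_RC/pud_Result, the convention that a method hands its result back as its return value, and the field order "bindrequest request module class::method" are assumptions.

```perl
use strict;
use warnings;

# Request-scoped state behind pud_RC/pud_Result, modelled on the callable
# functions listed above (pud's own bookkeeping is not shown on the page).
my ($RC, $MSG) = (0, '');
sub pud_RC     { ($RC, $MSG) = ($_[0], defined $_[1] ? $_[1] : '') }
sub pud_Result { return ($RC, $MSG) }

# Hypothetical method package, as a bindrequest target would be written.
# Assumption: the bound method hands its result back as its return value.
package Demo;
sub new   { main::pud_RC(0) }                 # *new: reset rc before each request
sub upper { my ($req, $parms) = @_; return uc $parms }
sub wen   { }                                 # *wen: cleanup after each request
package main;

# Constructed config; assumed field layout: bindrequest request module class::method
my %bind;
for ("bindrequest *new Demo Demo::new",
     "bindrequest *wen Demo Demo::wen",
     "bindrequest upper Demo Demo::upper") {
    my ($req, $module, $target) = (split ' ')[1, 2, 3];
    my ($class, $method) = $target =~ /^(.+)::(\w+)$/ or die "bad target $target";
    # pud would load $module here; Demo is already compiled into this file.
    $bind{$req} = $class->can($method) or die "no such method $target";
}

# Decode one request stream, dispatch it, and build the response stream.
sub serve {
    my ($stream) = @_;
    my %in = map { split /=/, $_, 2 } grep { length } split /&/, $stream;
    my $result = '';
    if (my $m = $bind{ $in{Req} // '' }) {
        $bind{'*new'}->('*new', '') if $bind{'*new'};
        $result = $m->($in{Req}, $in{Parms} // '');
        $bind{'*wen'}->('*wen', '') if $bind{'*wen'};
    } else {
        pud_RC(1, "unknown request");         # only bound requests are ever run
    }
    my ($rc, $msg) = pud_Result();
    return "&RC=$rc&Rid=" . ($in{Rid} // '') . "&Msg=$msg&Result=$result";
}

print serve("&V=1&Rid=4242&Req=upper&Parms=hello"), "\n";
print serve("&V=1&Rid=4243&Req=bogus&Parms=x"), "\n";
```

The first call yields rc 0 with the upper-cased parameters in Result; the second yields rc 1 with the message set, which pudc would print on stderr before exiting with that rc.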
Authentication Architecture
[Diagram: pudc (client) sends &V=verno&Rid=pid&Req=command&Parms=parameters&CT=type&Cred=credentials to pud (server); pudc runs the Authentication Encoder (authe), pud runs the Authentication Decoder (authd)]
Mapping Authentication Protocol
&V=verno&Rid=pid&Req=command&Parms=parameters&CT=type&Cred=credentials
• Server config (pud)
  • authd domain type cmd parms
    • domain is a DNS-based region (e.g., stanford.edu)
    • type is arbitrary (e.g., K4, K5, PGP)
    • cmd decodes credentials (a hex string)
• Client config (pudc)
  • authe type cmd parms
    • type is arbitrary (e.g., K4, K5, PGP)
    • cmd generates credentials (a hex string)
Decoding Credentials
• Server dynamically matches the encoder with the correct decoder
  • First searches for a domain match, in the order specified in the config file
  • Then searches for a matching type within that domain
  • Invokes the associated decoder, passing it the credentials
• Allows for a completely heterogeneous security architecture
  • Supports cross-domain (e.g., cross-cell) authentication
Kerberos Authentication (example)
• In pudc config file
  • authe K4 /usr/local/bin/katix hpss
    • Generates an ASCII hex string ticket (credentials) for the hpss service
    • Encoder called for each request
• In pud config file
  • authd slac.stanford.edu K4 /usr/local/bin/kachk ./srvtab -p hpss -t
    • Decodes a Kerberos ticket and outputs "id.instance@realm"
    • Called whenever matching credentials (domain/type) are received
• Can have any number of domain/type combinations for heterogeneous authentication
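The decoder selection described under Mapping Authentication Protocol and Decoding Credentials, with the K4 line above as one of the config entries, as an added Perl illustration (not pud's own code). The K5 and PGP entries and their command paths are constructed; the suffix rule for matching a client host against a domain, and the choice that the first matching domain is fixed before the type is sought (no fallback to a broader domain), are assumptions the page does not state.

```perl
use strict;
use warnings;

# Server config in file order (authd domain type cmd parms). Only the K4 line
# is from the page; the K5 and PGP lines and their paths are constructed.
my @authd = map { my @f = split ' ', $_, 5; [ @f[1 .. 4] ] } (
    "authd slac.stanford.edu K4 /usr/local/bin/kachk ./srvtab -p hpss -t",
    "authd stanford.edu K5 /opt/constructed/k5chk -p hpss",
    "authd example.org PGP /opt/constructed/pgpchk",
);

# Pick the decoder for credentials of $type sent by $client_host.
# Assumptions: a domain matches when it equals the client's DNS name or is a
# dot-delimited suffix of it; the first matching domain is fixed and the type
# is then sought only within it, so a narrow domain is never widened silently.
sub pick_decoder {
    my ($client_host, $type) = @_;
    my ($domain) = grep { $client_host eq $_ || $client_host =~ /\.\Q$_\E$/ }
                   map { $_->[0] } @authd;
    return undef unless defined $domain;
    for my $e (@authd) {
        my ($d, $t, $cmd, $parms) = @$e;
        return $cmd . (defined $parms ? " $parms" : '') if $d eq $domain && $t eq $type;
    }
    return undef;
}

# Parse a request stream and decide whether any decoder may be invoked.
# Credentials are defined as a hex string, so anything else is refused before
# it could reach an external decoder command.
sub decoder_for_request {
    my ($client_host, $stream) = @_;
    my %in = map { split /=/, $_, 2 } grep { length } split /&/, $stream;
    return (undef, 'no credentials')      unless defined $in{CT} && defined $in{Cred};
    return (undef, 'credentials not hex') unless $in{Cred} =~ /^[0-9A-Fa-f]+$/;
    my $dec = pick_decoder($client_host, $in{CT});
    return (undef, "no decoder for $in{CT} in this domain") unless defined $dec;
    return ($dec, 'ok');
}

# Constructed requests; "deadbeef" stands in for a real hex-encoded ticket.
for my $case (['host1.slac.stanford.edu', '&V=1&Rid=7&Req=ls&Parms=&CT=K4&Cred=deadbeef'],
              ['host2.slac.stanford.edu', '&V=1&Rid=8&Req=ls&Parms=&CT=K5&Cred=deadbeef'],
              ['host3.example.org',       '&V=1&Rid=9&Req=ls&Parms=&CT=PGP&Cred=zz']) {
    my ($dec, $why) = decoder_for_request(@$case);
    printf "%-24s %-4s %s\n", $case->[0], $why eq 'ok' ? 'run' : 'deny', $dec // $why;
}
```

The second case is denied even though a K5 decoder exists for stanford.edu, because the slac.stanford.edu entry matched first and K5 is not bound there; the third is denied before any decoder runs because the credentials are not hex.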
Method Callable Authentication Functions
• pud_Auth()
  • Returns the authentication domain and type used for decoding credentials
• pud_User()
  • Returns hostname, username, instance, and realm
Replicated Server Selection
• pud supports server replication with priority selection
• In pudc config file specify: shosts hostlist [ |hostlist [ . . . ] ]
  • hostlist – list of hostnames, any of which can be equally selected
    • pudc randomly orders the list and tries each one until success
  • | – priority separator; the next hostlist has lower priority
    • pudc does not try the next hostlist until all entries in the previous one have failed
• Pure random selection
  • shosts hostlist
• Pure sequential selection
  • shosts host1|host2|host3|host4 . . .
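The shosts selection rule above, as an added Perl illustration of the client-side logic (not pudc's own code). The comma separator between hostnames inside one hostlist, the srv*.example.org names and the $try connect callback are assumptions.

```perl
use strict;
use warnings;
use List::Util qw(shuffle);

# Parse "shosts hostlist [|hostlist ...]" into priority tiers (outer list),
# each tier an unordered set of equally acceptable hosts (inner list).
# Assumption: hostnames within one hostlist are comma-separated.
sub parse_shosts {
    my ($line) = @_;
    my ($tiers) = $line =~ /^\s*shosts\s+(.*\S)/ or die "not an shosts line";
    return [ map { [ grep { length } split /\s*,\s*/, $_ ] } split /\s*\|\s*/, $tiers ];
}

# Try hosts tier by tier: random order within a tier, and a lower-priority
# tier is consulted only after every host above it has failed.
# $try is a callback that attempts a connection and returns true on success.
sub select_server {
    my ($tiers, $try) = @_;
    for my $tier (@$tiers) {
        for my $host (shuffle @$tier) {
            return $host if $try->($host);
        }
    }
    return undef;                          # every replica in every tier failed
}

# Constructed demo: both primaries are down, the secondary answers.
my %up = ('srv3.example.org' => 1);
my $tiers = parse_shosts("shosts srv1.example.org,srv2.example.org | srv3.example.org");
my $chosen = select_server($tiers, sub { $up{ $_[0] } });
print defined $chosen ? "connected to $chosen\n" : "all servers failed\n";
```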
Summary
• pud is useful for quickly deploying client/server applications
  • Does not require client/server expertise
  • Automatically includes strong authentication upon request
  • Comes with man pages
• Future directions
  • Produce SSP (Simple Stream Protocol) RFC
  • Add push protocol
  • Add connection hold option