Routing multi cluster requests (Version 6)
Peter Amstutz, 08/16/2018 12:50 PM
h1. Routing multi cluster requests

h2. Concept

The goal of federation is to present an interface that fuses multiple clusters into a single view.

The role of arvados-controller is to determine which cluster(s) a request should go to.

h2. Examples

My "home cluster" is qr1hi. I have a token qr1hi-secretsecretsecret.

h3. I want to read a collection on c97qk using the Python SDK.

<pre>
from arvados.collection import CollectionReader

# The client talks to the home cluster's arvados-controller; the c97qk prefix of
# the collection UUID tells the controller where the record actually lives.
c = CollectionReader("c97qk-...")
</pre>

# The CollectionReader sends the request to arvados-controller on qr1hi.
# arvados-controller examines the prefix c97qk and contacts c97qk.arvadosapi.com.
# arvados-controller does not forward my token as-is. It presents a "salted" token, hmac(c97qk, qr1hi-secretsecretsecret) → qr1hi-secretsecretc97qk (schematic: the secret part is replaced by an HMAC over the target cluster ID keyed with the original secret, while the qr1hi prefix is kept). The salted token is only usable at c97qk, and c97qk never learns the original secret.
# c97qk receives the token and notices the qr1hi prefix.
# c97qk contacts qr1hi to determine whether the token is valid and which user it belongs to.
# c97qk caches the token and sets current_user. The request proceeds as normal.
# The response is returned to arvados-controller.
# arvados-controller rewrites the manifest_text, transforming the block signatures from "+A..." to "+Rc97qk-..." to indicate that the signatures are valid for c97qk, not for qr1hi.
# The response is returned to CollectionReader.
# The CollectionReader sends a block read request to a qr1hi keepstore with the +Rc97qk signature.
# The keepstore recognizes that it is a remote signature and contacts the remote cluster to fetch the block, transforming the signature from a remote signature back into a regular one.
# The block is returned to the client.

h3. I want to search for a collection across clusters

<pre>
import arvados

# "router" is an API client pointed at my home cluster's arvados-controller.
router = arvados.api('v1')
c = router.collections().list(filters=[["name", "like", "sample-1234%"]]).execute()
</pre>

# arvados-controller has a "search list" of clusters (open question: where does this list come from? Perhaps an attribute of the primary user account on qr1hi.)
# arvados-controller sends the request to each cluster in parallel using the federated identity / salted token described above.
# arvados-controller gathers the results.
# arvados-controller collates the results (it will need to understand the "order" option to do this properly).
# The collated results are returned.
# Paging: open question. The controller will likely need to keep some state locally to issue correct follow-up requests to each cluster. Ordering can be consistent within a page, but not across pages unless all pages are fetched first.
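The collation and paging steps above, as an added worked example (not the project's code): a k-way merge over per-cluster result pages that honours the requested order and keeps a per-cluster offset between requests, which is the local state the note anticipates. The cluster names, the result sets and the `cluster_page` stand-in for each cluster's list call are constructed for illustration.

```python
# Constructed per-cluster result sets, each already sorted by name ascending, the
# way each cluster's collections.list would return them for order=["name asc"].
CLUSTER_RESULTS = {
    "qr1hi": [{"uuid": "qr1hi-4zz18-000000000000001", "name": "sample-1234-a"},
              {"uuid": "qr1hi-4zz18-000000000000003", "name": "sample-1234-c"},
              {"uuid": "qr1hi-4zz18-000000000000005", "name": "sample-1234-e"}],
    "c97qk": [{"uuid": "c97qk-4zz18-000000000000002", "name": "sample-1234-b"},
              {"uuid": "c97qk-4zz18-000000000000004", "name": "sample-1234-d"}],
    "4xphq": [{"uuid": "4xphq-4zz18-000000000000006", "name": "sample-1234-f"}],
}


def cluster_page(cluster_id, offset, limit, descending=False):
    """Stand-in for one cluster's collections.list(offset=, limit=, order=) call
    (constructed; a real controller would issue it with the salted token)."""
    items = CLUSTER_RESULTS[cluster_id]
    if descending:
        items = items[::-1]
    return {"items": items[offset:offset + limit], "items_available": len(items)}


def federated_list(clusters, limit, order_key="name", descending=False, cursors=None):
    """Merge one page from each cluster into a single ordered page.

    Each cluster is asked for `limit` items from its own cursor: in the worst case
    every item of the merged page comes from one cluster, so fewer would not do.
    Returns (page, cursors); the caller passes `cursors` back in for the next
    page, which is what keeps the ordering consistent across pages.
    """
    cursors = dict(cursors) if cursors else {c: 0 for c in clusters}
    heads = {c: cluster_page(c, cursors[c], limit, descending)["items"] for c in clusters}
    taken = {c: 0 for c in clusters}
    page = []
    while len(page) < limit:
        candidates = [(heads[c][taken[c]][order_key], c)
                      for c in clusters if taken[c] < len(heads[c])]
        if not candidates:
            break  # every cluster is exhausted
        # Pick the next item according to the requested order; the cluster id
        # breaks ties so the merge is deterministic across requests.
        _, c = (max if descending else min)(candidates)
        page.append(heads[c][taken[c]])
        taken[c] += 1
    for c in clusters:
        cursors[c] += taken[c]
    return page, cursors
```

Without the returned cursors a second request would have to guess how many items of the first page came from each cluster, which is exactly where cross-page ordering breaks; with them, each cluster is resumed from where the merge stopped consuming it.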

Another case: I want to list the contents of a project across clusters. Same query process.

<pre>
c = router.collections().list(filters=[["owner_uuid", "=", "qr1hi-...."]]).execute()
</pre>

h3. I want to create a collection on another cluster.

Provide the "owner_uuid" of a project or group on a foreign cluster.

<pre>
router.collections().create(body={"owner_uuid": "c97qk-...."}).execute()
</pre>

# arvados-controller examines the prefix c97qk of the owner_uuid and contacts c97qk.arvadosapi.com using the federated identity / salted token described above.
# c97qk determines whether the user has write access to the group or project and validates the create request as normal.
# The newly created record is returned.

No "owner_uuid" means the object is created on the "home" cluster.

h3. I want to update an object on another cluster.

<pre>
router.collections().update(uuid="c97qk-....", body={....}).execute()
</pre>

# arvados-controller examines the prefix c97qk of the uuid and contacts c97qk.arvadosapi.com using the federated identity / salted token described above.
# c97qk determines whether the user has write access to the object and validates the update request as normal.
# The updated record is returned.

h3. I want to change the ownership of a remote object to a project on my home cluster.

The object is located on c97qk and is currently owned by me; I'd like to make it owned by a project qr1hi-...

# Route an "update" request to c97qk as described above, setting "owner_uuid" to the qr1hi-... project.
# c97qk contacts qr1hi and asks whether the user has write access to the project.
# The object is updated and returned to the user.

(This suggests I can only share things with groups on the same home cluster as me. Hmm.)

h3. I want to change the ownership of an object on my home cluster to a project on a remote cluster.

# Route the "update" as described above to qr1hi.
# qr1hi contacts c97qk _using the c97qk salted token_ and asks whether the user has write access to the project.
# The object is updated and returned to the user.

h3. I want to change the ownership of an object from one remote project (c97qk) to another (4xphq).

Can't be done directly (open question), because c97qk and 4xphq don't talk to each other directly: the token given to c97qk is salted for c97qk and is not valid for accessing 4xphq, and vice versa. It could be done as a two-step process where ownership is assigned from c97qk to qr1hi, then from qr1hi to 4xphq.
||
| 92 | |||
| 93 | Can't be done directly (???) because c97qk and 4xphq don't talk to each other directly. (The token given to c97qk is not valid for accessing 4xphq and likewise). Could be done as a two-step process where ownership is assigned from c97qk to qr1hi, then from qr1hi to 4xphq. |