OptIn Manager

From OpenFlow Wiki

Contents 1 What is Opt-In Manager 2 Set Up the Opt-In Manager 3 Setting up new Users and Admins 4 Users and Admins Flowspace Request 4.1 Users 4.2 Admins 4.3 Site-Wide Auto Approval Methods 4.4 Custom XML-RPC Calls to Personalized Auto-Approve Server 4.5 Opt-In and Opt-Out 4.6 View Opt-in and Alter Priority

What is Opt-In Manager

In a nutshell, Opt-In Manager (OM) is a database and web UI that holds information about the flowspace that each user owns and the list of experiments that are running in a network along with the flowspaces that they are interested in controlling. The web UI allows users to opt their traffic into individual experiments. When a user opts into an experiment, the Opt-In manager finds the intersection of that user's flowspace and the experiment's flowspace and pushes it down to flowvisor causing the packets matching the intersection to be controlled by the requested experiment's controller.

Opt-In Manager needs a way to know which user owns which piece of flowspace. Each user can request a piece of flowspace from an administrator who owns that piece of flowspace. At the install time, a root admin will own the entire flowspace, and if any user requests a piece of flowspace, the request will be routed to the root admin for confirmation. However, an admin can delegate some portion of her flowspace to a lower-level admin in which case that admin will do the confirmation of flowspace requests for that portion. (one may think of this as the hierarchy of network admins in a university campus, with one administrator for entire campus, several department admins,etc)

Set Up the Opt-In Manager

1. At this point you have your database set up and the root user created (username: expedient password: expedient). The root user owns the entire flowspace, and is also the site administrator.
2. Next you need to set up the username and password for clearinghouse (expedient) for xmlrpc calls to OM.
   • Go to Manage Website->Set Clearinghouse and set a username and password for clearinghouse. This username should be unique from any existing user in the system.
3. Then you need to set up flowvisor
   • Go to Manage Website->Set FlowVisor. Enter the username and password for your user account on FV. assign an arbitrary name to recognize this flowvisor in the "FV name" field. "Server URL" is the URL of FlowVisor. It may have a format like this: https://<your_flowvisor_ip_or_host_name>:8080/xmlrpc
   • OM will ping FV to verify that the information is correct.

Setting up new Users and Admins

There are three type of users on the system:

1. Root Admin: root admin is the admin who owns the entire flowspace, administrate the Opt-In Manager website and is the network admin for the entire flowspace. He can't abandon the flowspace he owns and can't resign from his network admin role.
2. Network Admins: network admins usually own a bigger chunk of flowspace and are more sophisticated users. They have more control over the flowspaces they opt in. They also confirm flowspace requests by normal users (see below)
3. Normal Users: These are the users that own one or two machines connected to the network and are willing to give the control of their normal traffic to experiments running in the network.

To create a new user account, go to the log-in page and click on Register link. Fill out the form and confirm your e-mail address. Then log in to your account. At this point a normal user is created in the system.

To upgrade a normal user to network admin position, go to Profile->Promote to Admin. Choose the network admin that you want your flowspace to be delegated from, and submit the request. At this point a request has been sent to the admin.

Log out from this new account and log in as the admin. Under Flowspace Requests->Admin Requests, you should see the request and you can confirm or reject it. Once confirmed, the UI for that user will be changed to admin UI. However at this point the new admin doesn't own any flowspace. See the next section on requesting Flowspace for Users and Admins.

Users and Admins Flowspace Request

When a user or admin first create their accounts, they don't own any flowspace and need to request some from an admin who owns some.

Users

Go to Administrate FlowSpace->Request Flowspace and enter the ip address/mac address combination.

Admins

Go to Profile->Request Flowspace. Here an admin fills out a more detail form for the flowspace request.

In case of the a User flowspace request, the request will be routed to the lowest level admin who owns the requested flowspace for approval. In the case of an admin flowspace request, the request will be routed to the supervisor admin.

In order to confirm the flowspace request, log out from current user and log in as the Admin who should confirm the request. Under Flowspace Requests->Admin Requests you will find all the admin's flowspace requests and under Flowspace Requests->User Requests all the user flowspace requests.

Note that the default way to confirm a USER flowspace request, is manually through the above method. However, an admin has the following options for automatically approving or rejecting a user flowspace request:

Site-Wide Auto Approval Methods

An admin can go to Flowspace Requests->Auto-Approve Settings and choose one of the methods installed on the OM website. e.g. if an admin chooses Approve Sender IP the request will be accepted only if the requested ip address is the IP address of the user when he was requesting the flowspace.

Setting up Auto-Approve Methods: Each installation of Opt-In Manager can have different sets of site-wide auto-approve methods. These methods are defined under openflow/optin_manager/auto_approval_scripts. You may add more site-wide methods here, by following the same format as other available methods. In order to activate these methods, go to openflow/optin_manager/defaultsettings/admin_manager.py and add them to AUTO_APPROVAL_MODULES.

Custom XML-RPC Calls to Personalized Auto-Approve Server

Each admin, can have a personalized method for accepting flowspace requests. To do that she needs to install a server that accepts xmlrpc calls. There should be one XMLRPC call with the same name and format as the methods in openflow/optin_manager/auto_approval_scripts. (i.e. there should be a XMLRPC call named 'approve' that accepts a dictionary as input. the dictionary will have the same keys as other approve methods.) To set up OM to use XMLRPC call for flowspace requests, an admin should go to Flowspace Requests->Auto-Approve Settings and choose Remote as her auto-approve method and fill in the information for the xmlrpc server.

Opt-In and Opt-Out

Users who already own some piece of flowspace can opt their traffic into available experiments. For doing that, go to Administrate FlowSpace->Add Rule. You will see a list of available experiments that you can opt into. Choose one and click Opt-In. Based on what part of the requested flowspace the admin wishes to allow, the individual fields should be changed from the default All requested values to a restrictive value.

To Opt out of an experiment you already opted into, go to Administrate FlowSpace->Remove Rule. Check the experiments you want to opt out and click Opt Out.

Admins can also opt some piece of flowspace they own into available experiments. Although admins have more control over which piece of flowspace they want to opt in, the mechanism is essentially the same. An admin can go to Administrate Flowspace->Add Rule to do opt in. (For an admin, opt-in is called Rule because it is more of an administrative rule rather than opt-in. An admin may decide not to allow any of the https traffic in her network be arbitrarily opted in by users, and as a result she can add a rule to opt in all https traffic (transport port 443) into a trusted experiment. Because admins have higher priority over normal users, their decisions will overwrite users')

View Opt-in and Alter Priority

After the Opt-In is done, you can view the list of opted-in experiments by clicking on Administrate FlowSpace->Set Rule Priority. In this page, you may also choose the priority of your opt-in relative to other opt-in(s) that you have already done. (If there is an intersection between the flowspaces in some of the opt-in(s), the one with higher priority will receive the shared part of traffic)