tahoe-lafs/docs/proposed/old-accounts-introducer.txt

This is a proposal for handing accounts and quotas in Tahoe. Nothing is final
yet.. we are still evaluating the options.


= Account Management: Introducer-based =

A Tahoe grid can be configured in several different modes. The simplest mode
(which is also the default) is completely permissive: all storage servers
will accept shares from all clients, and no attempt is made to keep track of
who is storing what. Access to the grid is mostly equivalent to having access
to the Introducer (or convincing one of the existing members to give you a
list of all their storage server FURLs).

This mode, while a good starting point, does not accomodate any sort of
auditing or quota management. Even in a small friendnet, operators might like
to know how much of their storage space is being consumed by Alice, so they
might be able to ask her to cut back when overall disk usage is getting to
high. In a larger commercial deployment, a service provider needs to be able
to get accurate usage numbers so they can bill the user appropriately. In
addition, the operator may want the ability to delete all of Bob's shares
(i.e. cancel any outstanding leases) when he terminates his account.

There are several lease-management/garbage-collection/deletion strategies
possible for a Tahoe grid, but the most efficient ones require knowledge of
lease ownership, so that renewals and expiration can take place on a
per-account basis rather than a (more numerous) per-share basis.

== Accounts ==

To accomplish this, "Accounts" can be established in a Tahoe grid. There is
nominally one account per human user of the grid, but of course a user might
use multiple accounts, or an account might be shared between multiple users.
The Account is the smallest unit of quota and lease management.

Accounts are created by an "Account Manager". In a commercial network there
will be just one (centralized) account manager, and all storage nodes will be
configured to require a valid account before providing storage services. In a
friendnet, each peer can run their own account manager, and servers will
accept accounts from any of the managers (this mode is permissive but allows
quota-tracking of non-malicious users).

The account manager is free to manage the accounts as it pleases. Large
systems will probably use a database to correlate things like username,
storage consumed, billing status, etc.

== Overview ==

The Account Manager ("AM") replaces the normal Introducer node: grids which
use an Account Manager will not run an Introducer, and the participating
nodes will not be configured with an "introducer.furl".

Instead, each client will be configured with a different "account.furl",
which gives that client access to a specific account. These account FURLs
point to an object inside the Account Manager which exists solely for the
benefit of that one account. When the client needs access to storage servers,
it will use this account object to acquire personalized introductions to a
per-account "Personal Storage Server" facet, one per storage server node. For
example, Alice would wind up with PSS[1A] on server 1, and PSS[2A] on server
2. Bob would get PSS[1B] and PSS[2B].

These PSS facets provide the same remote methods as the old generic SS facet,
except that every time they create a lease object, the account information of
the holder is recorded in that lease. The client stores a list of these PSS
facet FURLs in persistent storage, and uses them in the "get_permuted_peers"
function that all uploads and downloads use to figure out who to talk to when
looking for shares or shareholders.

Each Storage Server has a private facet that it gives to the Account Manager.
This facet allows the AM to create PSS facets for a specific account. In
particular, the AM tells the SS "please create account number 42, and tell me
the PSS FURL that I should give to the client". The SS creates an object
which remembers the account number, creates a FURL for it, and returns the
FURL.

If there is a single central account manager, then account numbers can be
small integers. (if there are multiple ones, they need to be large random
strings to ensure uniqueness). To avoid requiring large (accounts*servers)
lookup tables, a given account should use the same identifer for all the
servers it talks to. When this can be done, the PSS and Account FURLs are
generated as MAC'ed copies of the account number.

More specifically, the PSS FURL is a MAC'ed copy of the account number: each
SS has a private secret "S", and it creates a string "%d-%s" % (accountnum,
b2a(hash(S+accountnum))) to use as the swissnum part of the FURL. The SS uses
tub.registerNameLookupHandler to add a function that tries to validate
inbound FURLs against this scheme: if successful, it creates a new PSS object
with the account number stashed inside. This allows the server to minimize
their per-user storage requirements but still insure that PSS FURLs are
unguessable.

Account FURLs are created by the Account Manager in a similar fashion, using
a MAC of the account number. The Account Manager can use the same account
number to index other information in a database, like account status, billing
status, etc.

The mechanism by which Account FURLs are minted is left up to the account
manager, but the simple AM that the 'tahoe create-account-manager' command
makes has a "new-account" FURL which accepts a username and creates an
account for them. The 'tahoe create-account' command is a CLI frontend to
this facility. In a friendnet, you could publish this FURL to your friends,
allowing everyone to make their own account. In a commercial grid, this
facility would be reserved use by the same code which handles billing.


== Creating the Account Manager ==

The 'tahoe create-account-manager' command is used to create a simple account
manager node. When started, this node will write several FURLs to its
private/ directory, some of which should be provided to other services.

 * new-account.furl : this FURL allows the holder to create new accounts
 * manage-accounts.furl : this FURL allows the holder to list and modify
                          all existing accounts
 * serverdesk.furl : this FURL is used by storage servers to make themselves
                     available to all account holders


== Configuring the Storage Servers ==

To use an account manager, each storage server node should be given access to
the AM's serverdesk (by simply copying "serverdesk.furl" into the storage
server's base directory). In addition, it should *not* be given an
introducer.furl . The serverdesk FURL tells the SS that it should allow the
AM to create PSS facets for each account, and the lack of an introducer FURL
tells the SS to not make its generic SS facet available to anyone. The
combination means that clients must acquire PSS facets instead of using the
generic one.

== Configuring Clients ==

Each client should be configured to use a specific account by copying their
account FURL into their basedir, in a file named "account.furl". In addition,
these client nodes should *not* have an "introducer.furl". This combination
tells the client to ask the AM for ...
docs: add some accounting proposals 2008-03-20 19:18:41 +00:00			`This is a proposal for handing accounts and quotas in Tahoe. Nothing is final`
			`yet.. we are still evaluating the options.`


			`= Account Management: Introducer-based =`

			`A Tahoe grid can be configured in several different modes. The simplest mode`
			`(which is also the default) is completely permissive: all storage servers`
			`will accept shares from all clients, and no attempt is made to keep track of`
			`who is storing what. Access to the grid is mostly equivalent to having access`
			`to the Introducer (or convincing one of the existing members to give you a`
			`list of all their storage server FURLs).`

			`This mode, while a good starting point, does not accomodate any sort of`
			`auditing or quota management. Even in a small friendnet, operators might like`
			`to know how much of their storage space is being consumed by Alice, so they`
			`might be able to ask her to cut back when overall disk usage is getting to`
			`high. In a larger commercial deployment, a service provider needs to be able`
			`to get accurate usage numbers so they can bill the user appropriately. In`
			`addition, the operator may want the ability to delete all of Bob's shares`
			`(i.e. cancel any outstanding leases) when he terminates his account.`

			`There are several lease-management/garbage-collection/deletion strategies`
			`possible for a Tahoe grid, but the most efficient ones require knowledge of`
			`lease ownership, so that renewals and expiration can take place on a`
			`per-account basis rather than a (more numerous) per-share basis.`

			`== Accounts ==`

			`To accomplish this, "Accounts" can be established in a Tahoe grid. There is`
			`nominally one account per human user of the grid, but of course a user might`
			`use multiple accounts, or an account might be shared between multiple users.`
			`The Account is the smallest unit of quota and lease management.`

			`Accounts are created by an "Account Manager". In a commercial network there`
			`will be just one (centralized) account manager, and all storage nodes will be`
			`configured to require a valid account before providing storage services. In a`
			`friendnet, each peer can run their own account manager, and servers will`
			`accept accounts from any of the managers (this mode is permissive but allows`
			`quota-tracking of non-malicious users).`

			`The account manager is free to manage the accounts as it pleases. Large`
			`systems will probably use a database to correlate things like username,`
			`storage consumed, billing status, etc.`

			`== Overview ==`

			`The Account Manager ("AM") replaces the normal Introducer node: grids which`
			`use an Account Manager will not run an Introducer, and the participating`
			`nodes will not be configured with an "introducer.furl".`

			`Instead, each client will be configured with a different "account.furl",`
			`which gives that client access to a specific account. These account FURLs`
			`point to an object inside the Account Manager which exists solely for the`
			`benefit of that one account. When the client needs access to storage servers,`
			`it will use this account object to acquire personalized introductions to a`
			`per-account "Personal Storage Server" facet, one per storage server node. For`
			`example, Alice would wind up with PSS[1A] on server 1, and PSS[2A] on server`
			`2. Bob would get PSS[1B] and PSS[2B].`

			`These PSS facets provide the same remote methods as the old generic SS facet,`
			`except that every time they create a lease object, the account information of`
			`the holder is recorded in that lease. The client stores a list of these PSS`
			`facet FURLs in persistent storage, and uses them in the "get_permuted_peers"`
			`function that all uploads and downloads use to figure out who to talk to when`
			`looking for shares or shareholders.`

			`Each Storage Server has a private facet that it gives to the Account Manager.`
			`This facet allows the AM to create PSS facets for a specific account. In`
			`particular, the AM tells the SS "please create account number 42, and tell me`
			`the PSS FURL that I should give to the client". The SS creates an object`
			`which remembers the account number, creates a FURL for it, and returns the`
			`FURL.`

			`If there is a single central account manager, then account numbers can be`
			`small integers. (if there are multiple ones, they need to be large random`
			`strings to ensure uniqueness). To avoid requiring large (accounts*servers)`
			`lookup tables, a given account should use the same identifer for all the`
			`servers it talks to. When this can be done, the PSS and Account FURLs are`
			`generated as MAC'ed copies of the account number.`

			`More specifically, the PSS FURL is a MAC'ed copy of the account number: each`
			`SS has a private secret "S", and it creates a string "%d-%s" % (accountnum,`
			`b2a(hash(S+accountnum))) to use as the swissnum part of the FURL. The SS uses`
			`tub.registerNameLookupHandler to add a function that tries to validate`
			`inbound FURLs against this scheme: if successful, it creates a new PSS object`
			`with the account number stashed inside. This allows the server to minimize`
			`their per-user storage requirements but still insure that PSS FURLs are`
			`unguessable.`

			`Account FURLs are created by the Account Manager in a similar fashion, using`
			`a MAC of the account number. The Account Manager can use the same account`
			`number to index other information in a database, like account status, billing`
			`status, etc.`

			`The mechanism by which Account FURLs are minted is left up to the account`
			`manager, but the simple AM that the 'tahoe create-account-manager' command`
			`makes has a "new-account" FURL which accepts a username and creates an`
			`account for them. The 'tahoe create-account' command is a CLI frontend to`
			`this facility. In a friendnet, you could publish this FURL to your friends,`
			`allowing everyone to make their own account. In a commercial grid, this`
			`facility would be reserved use by the same code which handles billing.`


			`== Creating the Account Manager ==`

			`The 'tahoe create-account-manager' command is used to create a simple account`
			`manager node. When started, this node will write several FURLs to its`
			`private/ directory, some of which should be provided to other services.`

			`* new-account.furl : this FURL allows the holder to create new accounts`
			`* manage-accounts.furl : this FURL allows the holder to list and modify`
			`all existing accounts`
			`* serverdesk.furl : this FURL is used by storage servers to make themselves`
			`available to all account holders`


			`== Configuring the Storage Servers ==`

			`To use an account manager, each storage server node should be given access to`
			`the AM's serverdesk (by simply copying "serverdesk.furl" into the storage`
			`server's base directory). In addition, it should not be given an`
			`introducer.furl . The serverdesk FURL tells the SS that it should allow the`
			`AM to create PSS facets for each account, and the lack of an introducer FURL`
			`tells the SS to not make its generic SS facet available to anyone. The`
			`combination means that clients must acquire PSS facets instead of using the`
			`generic one.`

			`== Configuring Clients ==`

			`Each client should be configured to use a specific account by copying their`
			`account FURL into their basedir, in a file named "account.furl". In addition,`
			`these client nodes should not have an "introducer.furl". This combination`
			`tells the client to ask the AM for ...`