-
Leigh B. Stoller authored
1. You cannot unregister a slice at the SA before it has expired. This will be annoying at times, but the alphanumeric namespace for slice ames is probably big enough for us. 2. To renew a slice, the easiest approach is to call the Renew method at the SA, get a new credential for the slice, and then pass that to renew on the CMs where you have slivers. The changes address the problem of slice expiration. Before this change, when registering a slice at the Slice Authority, there was no way to give it an expiration time. The SA just assigns a default (currently one hour). Then when asking for a ticket at a CM, you can specify a "valid_until" field in the rspec, which becomes the sliver expiration time at that CM. You can later (before it expires) "renew" the sliver, extending the time. Both the sliver and the slice will expire from the CM at that time. Further complicating things is that credentials also have an expiration time in them so that credentials are not valid forever. A slice credential picks up the expiration time that the SA assigned to the slice (mentioned in the first paragraph). A problem is that this arrangement allows you to extend the expiration of a sliver past the expiration of the slice that is recorded at the SA. This makes it impossible to expire slice records at the SA since if we did, and there were outstanding slivers, you could get into a situation where you would have no ability to access those slivers. (an admin person can always kill off the sliver). Remember, the SA cannot know for sure if there are any slivers out there, especially if they can exist past the expiration of the slice. The solution: * Provide a Renew call at the SA to update the slice expiration time. Also allow for an expiration time in the Register() call. The SA will need to abide by these three rules: 1. Never issue slice credentials which expire later than the corresponding slice 2. Never allow the slice expiration time to be moved earlier 3. Never deregister slices before they expire [*]. * Change the CM to not set the expiration of a sliver past the expiration of the slice credential; the credential expiration is an upper bound on the valid_until field of the rspec. Instead, one must first extend the slice at the SA, get a new slice credential, and use that to extend the sliver at the CM. * For consistency with the SA, the CM API will changed so that RenewSliver() becomes RenewSlice(), and it will require the slice credential.
5c63cf86