[cap-talk] Capability accounting
Jed at Webstart
donnelley1 at webstart.com
Wed Jun 21 20:45:06 EDT 2006
All,
If others aren't interested in this topic (e.g. think it a waste of
time), why so? E.g. because there isn't enough capability
infrastructure to account for (e.g. wideword?), because
capability mechanisms don't need accounting, because there's
some other clear and better way to do it, or what?
At 03:32 PM 6/21/2006, Norman Hardy wrote:
>On Jun 21, 2006, at 10:51 AM, Jed at Webstart wrote:
>
> > At 04:57 AM 6/21/2006, Norman Hardy wrote:
> >
> >> On Jun 19, 2006, at 1:41 PM, Jed at Webstart wrote:
> >> .........
> > I read through the material available via the above link.
> > I'd like to ask a couple of high level questions with regard to that
> > material:
>
>Indeed I can't find a good answer to your questions on my site.
>I will try to fix that. In the mean time...
>
> > 1. Regarding deputizing use of accounted resources: Do I assume
> > correctly from the description that ... the idea would be for
> > users/applications to create subservient meters or space banks that
> > could be given to the deputy so that it could allocate resources
> > charged to the requesting user/application?
>
>Yes.
So far so good. However, there's something about the answer to
this question that doesn't seem to jive below (see below).
> > Was there some sort of textual
> > or other identification information in the space banks and meters
> > (we had such in our accounts, including "sub" accounts) that could
> > label charges to a deputy?
Actually what I was getting at was the "subservient" meters and space
banks. Perhaps your answer below applies to that case, but there seems
to me to be a conflict there that I address below.
>There was an object whose invocation produced a new user account with
>its own command language interpreter and directory of capabilities.
>This invocation took the directory as an argument and that directory
>typically included a sub-space bank and sub meter.
>In practice there was one user who created new user accounts.
>That user would create the sub-bank and sub meter for each new account.
>He would retain the service keys to both the bank and meter.
>A directory of users mapped user names to nodes with these keys which
>allowed intervention in the user's world.
I understand from the above that there is no capability representation
of a "user account", and that the only account mechanisms represented
as capabilities are meters and space banks - seemingly all "sub"
versions from some system master (?). Creating a "user account"
seems to involve somehow binding this user directory and
the command line interpreter (that seems rather odd to me, but I'll
otherwise pass on that). Is that binding to some sort
of bundle that a person can authenticate (login) to?
If I'm following correctly, then an application acting on behalf
of a user (e.g. the user's command language interpreter) that
wished to deputize a server to act on the user's behalf and
which may require accountable resources before acting on
the user's behalf, would need to create an appropriate "sub"
meter and space bank to pass to the server for its use.
Is that about right? What I was asking about is whether there
is some sort of information in such a "sub" meter and space
bank so that when reports are generated they show up something
like:
Charge    User    Project
X units   Alice   The Bob work done for Alice
> > What sort of information was written out
> > in your accounting reports. FYI, everything in NLTSS was handled
> > in terms of "time" (CPU time nominally, but also used for storage
> > charges).
>
>A trivial program would use the service keys to record the current and
>cumulative usage.
This is the first I've heard of a "service key" (capability). What is the
role of a service key? How does it tie in with meters and space banks?
> > 2. Regarding "There is no garbage collection in Keykos ...". That's
> > the same philosophy we took, really by necessity, in NLTSS.
> > The attitude was that, while objects could indeed become "lost"
> > (possibly no or at least no easily found instances of capabilities
> > to them), they were still accounted for. Whoever was responsible
> > for the account would have an incentive to clean up and destroy
> > the unused but still allocated resources. We had a mechanism
> > whereby the owner of an account could produce new capabilities
> > for objects being charged to the account. Such capabilities could
> > be produced (reproduced one might say) and then destroyed if
> > that was their appropriate fate.
>
>We were even more strict. A space bank had the authority to
>regurgitate the bits and pieces that it had provided but assembling
>them back into something useful would have been difficult.
>There was no such order on a space-bank however.
>We guaranteed to space bank users that pages and nodes
>therefrom would be private, even from holders of service keys to
>superior banks.
So then I must ask the question about what a user does to
destroy objects that are accounted to the user's space bank
but become lost. Would that be some variation on this
alternative approach suggested here (from the last message):
> > An alternative approach that was available in NLTSS was to
> > isolate the account that was being used to charge for unused
> > resources (e.g. change active resources to other accounts) and
> > then shut off the account, resulting in the destruction of the objects
> > now no longer accounted for. While this mechanism was available,
> > I don't believe it was ever used in practice.
Or something different. Namely, how was the "lost object"
problem really dealt with? For us on NLTSS objects could
become "lost" (that's the user's problem) and they would still
be charged for. However, users could see what they were
being charged for and had the power to destroy objects
(resources) that were being charged to their accounts by
both the methods above (as I recall, it has been a while).
> > I'd be interested to hear what others think of these accounting
> > approaches for resources accessed via capabilities. I don't
> > believe a capability based system (e.g. on the Internet as with
> > Widewords and YURLs) can get very far without dealing with
> > the issue of accounting.
> >
> > If others believe such accounting mechanisms are not needed,
> > I'd also be interested to hear that and their reasoning.
Let me extend the above general reaching out sort of query
<repeated from the start of this message>:
If others aren't interested in this topic (e.g. think it a waste of
time), why so? E.g. because there isn't enough capability
infrastructure to account for (e.g. wideword?), because
capability mechanisms don't need accounting, because there's
some other clear and better way to do it, or what?
--Jed http://www.webstart.com/jed/
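The deputizing scheme discussed above (an application creating a subservient space bank to hand to a server, charges rolled up to the user's bank and labelled on reports, and the "shut off the account" way of destroying lost objects) as a small Python model. This is an added example, not code from the thread, from KeyKOS or from NLTSS; the class names SpaceBank and ServiceKey, the methods sub_bank, allocate, report and reclaim, and the assumed semantics of a service key (usage reports and reclamation only, no access to the contents of allocated pages) are assumptions made for the illustration, as are the sample allocations in scenario().

```python
"""Toy model of hierarchical resource accounting with space banks.

Constructed for this thread as an illustration; it is not KeyKOS or
NLTSS code.  Assumptions: a bank allocates pages against a limit and
every allocation is charged to the bank and all of its ancestors; a
sub-bank carries an owner (the user to bill) and a label (the project);
a service key to a bank lets its holder read usage totals and reclaim
everything allocated from that bank or its sub-banks, but exposes no
page contents (the privacy guarantee mentioned in the thread).
"""
from typing import Dict, List, Optional


class Page:
    """One unit of allocated storage; contents are private to the holder."""

    def __init__(self, contents: bytes) -> None:
        self.contents = contents
        self.alive = True


class SpaceBank:
    """Allocates pages against a limit; charges propagate to ancestors."""

    def __init__(self, owner: str, label: str, limit: int,
                 parent: Optional["SpaceBank"] = None) -> None:
        self.owner = owner      # user who is billed, e.g. "Alice"
        self.label = label      # project text shown on reports
        self.limit = limit
        self.parent = parent
        self.used = 0
        self.pages: List[Page] = []
        self.children: List["SpaceBank"] = []

    def _ancestry(self) -> List["SpaceBank"]:
        chain: List[SpaceBank] = []
        bank: Optional[SpaceBank] = self
        while bank is not None:
            chain.append(bank)
            bank = bank.parent
        return chain

    def sub_bank(self, label: str, limit: int,
                 owner: Optional[str] = None) -> "SpaceBank":
        """Create a subservient bank, e.g. to hand to a deputy.
        By default its charges stay with the creating bank's owner."""
        child = SpaceBank(owner or self.owner, label, limit, parent=self)
        self.children.append(child)
        return child

    def allocate(self, contents: bytes = b"") -> Page:
        """Allocate one page; refused if any bank up the chain is at its limit."""
        chain = self._ancestry()
        for bank in chain:
            if bank.used + 1 > bank.limit:
                raise RuntimeError(f"bank {bank.label!r} is at its limit")
        for bank in chain:
            bank.used += 1
        page = Page(contents)
        self.pages.append(page)
        return page


class ServiceKey:
    """Accounting authority over a bank: report and reclaim, nothing more."""

    def __init__(self, bank: SpaceBank) -> None:
        self._bank = bank

    def report(self) -> List[Dict[str, object]]:
        """Rows of (charge, user, project): each bank's own allocations,
        excluding what its sub-banks consumed (those get their own rows)."""
        rows: List[Dict[str, object]] = []

        def walk(bank: SpaceBank) -> None:
            own = bank.used - sum(c.used for c in bank.children)
            rows.append({"charge": own, "user": bank.owner, "project": bank.label})
            for child in bank.children:
                walk(child)

        walk(self._bank)
        return rows

    def reclaim(self) -> int:
        """Shut the account off: destroy every page allocated from this bank
        and its sub-banks (lost objects included) and credit the ancestors.
        Returns the number of pages destroyed."""
        def destroy(bank: SpaceBank) -> int:
            count = sum(destroy(child) for child in bank.children)
            for page in bank.pages:
                page.alive = False
                page.contents = b""
                count += 1
            bank.pages.clear()
            bank.children.clear()
            return count

        freed = self._bank.used            # all usage below is charged here too
        destroyed = destroy(self._bank)
        for bank in self._bank._ancestry():
            bank.used -= freed
        return destroyed


def scenario():
    """Constructed sample: master bank -> Alice's bank -> sub-bank for deputy Bob."""
    master = SpaceBank("system", "master", limit=100)
    alice = master.sub_bank("Alice", limit=10, owner="Alice")
    alice_key = ServiceKey(alice)          # kept by whoever created Alice's account
    alice.allocate(b"alice's notes")
    alice.allocate(b"scratch")             # reference dropped: lost, still charged
    for_bob = alice.sub_bank("The Bob work done for Alice", limit=4)
    for_bob.allocate(b"bob's output 1")    # the deputy allocates from the sub-bank
    for_bob.allocate(b"bob's output 2")
    return master, alice, alice_key


if __name__ == "__main__":
    master, alice, key = scenario()
    for row in key.report():
        print(f"{row['charge']} units  {row['user']}  {row['project']}")
    print("reclaimed", key.reclaim(), "pages; master now", master.used)
```

The report rows correspond to the two-column-plus-project table sketched in the message: the deputy's allocations are billed to Alice but carry their own project label, and the holder of Alice's service key can reclaim everything (including the page whose capability was dropped) without ever seeing page contents, since ServiceKey offers no method that returns a Page.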