You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@teaclave.apache.org by ms...@apache.org on 2020/05/06 05:08:13 UTC
[incubator-teaclave] branch master updated: [services] Add
README.md (#282)
This is an automated email from the ASF dual-hosted git repository.
mssun pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-teaclave.git
The following commit(s) were added to refs/heads/master by this push:
new 5d9d6ac [services] Add README.md (#282)
5d9d6ac is described below
commit 5d9d6ac3d2408cc0822feeb247ca53ef0b1071a2
Author: Mingshen Sun <bo...@mssun.me>
AuthorDate: Tue May 5 22:08:05 2020 -0700
[services] Add README.md (#282)
---
README.md | 8 ++++++
config/build.config.toml | 14 +++++------
docs/my-first-function.md | 2 +-
services/README.md | 63 +++++++++++++++++++++++++++++++++++++++++++++++
4 files changed, 79 insertions(+), 8 deletions(-)
diff --git a/README.md b/README.md
index a3ec79c..db4326a 100644
--- a/README.md
+++ b/README.md
@@ -39,6 +39,14 @@ platform, making computation on privacy-sensitive data safe and simple.
- [Threat Model](docs/threat-model.md)
- [Mutual Attestation: Why and How](docs/mutual-attestation.md)
+### Codebase
+
+- [Teaclave Services](services)
+- [Configurations in Teaclave](config)
+- [Data Center Attestation Service](dcap)
+- [Keys and Certificates](keys)
+- [Dockerfile and Compose File](docker)
+
## Contributing
Teaclave is open source in [The Apache Way](https://www.apache.org/theapacheway/),
diff --git a/config/build.config.toml b/config/build.config.toml
index cddef8c..cc6ff17 100644
--- a/config/build.config.toml
+++ b/config/build.config.toml
@@ -21,14 +21,14 @@ attestation_validity_secs = 3600
# Specify accepted inbound services to enforce incoming connections via mutual
# attestation. Below figure illustrates current topology of Teaclave services.
#
-# client => authentication <-+ +----> storage <----+
-# | | |
-# client => frontend ----------> management scheduler <-- execution
-# |
-# +--> access_control
+# clients => authentication <-+ +----> storage <----+
+# | | |
+# clients => frontend ----------> management scheduler <-- execution
+# |
+# +--> access_control
#
-# => api endpoint connections
-# -> internal endpoint connections
+# => api endpoint connections
+# -> internal endpoint connections
[inbound]
access_control = ["teaclave_management_service"]
authentication = ["teaclave_frontend_service"]
diff --git a/docs/my-first-function.md b/docs/my-first-function.md
index 5bb4fe9..a01e989 100644
--- a/docs/my-first-function.md
+++ b/docs/my-first-function.md
@@ -43,7 +43,7 @@ $ docker run --rm -v $(pwd):/teaclave -w /teaclave \
To build in simulation mode, you can add `-DSGX_SIM_MODE=ON` to `cmake`.
-## Launch The Teaclave Services
+## Launch Teaclave Services
Teaclave contains multiple services. To ease the deployment, you can use
[docker-compose](https://docs.docker.com/compose/) to manage all services in a
diff --git a/services/README.md b/services/README.md
new file mode 100644
index 0000000..0f43755
--- /dev/null
+++ b/services/README.md
@@ -0,0 +1,63 @@
+# Teaclave Services
+
+This directory contains protocol definitions and implementations of services in
+the Teaclave platform.
+
+## Services
+
+The platform includes several services (or subsystem) running inside TEE, and
+communicated with *mutual-attested channels*. They coordinate together to provide
+a safe and secure FaaS platform.
+
+- **Authentication Service**: A reference implementation of user authentication
+ infrastructure. Here, we use JSON Web Token (JWT), a simple and widely-used
+ authentication standard, to provide a secure authentication mechanism in the
+ platform. Clients need to get valid token before interacting with the platform.
+- **Frontend Service**: This is the entry point of all requests from users. It will
+ validate user's identity/token and forward requests to appropriate services.
+- **Management Service**: This service plays an important role in the whole services.
+ It handles almost all requests, such as registering functions/data, creating
+ tasks, and invoking tasks. Also, the management service will contact the
+ access control service to authorize operations when needed. In addition, task
+ and function information will be persistent into the storage services.
+- **Storage Service**: Basically, the storage service stores persistent data like
+ function, execution data, and task information in the platform. Here, we
+ deploy a key-value database (an implementation of LevelDB) in TEE and use
+ protected file system (secured by the enclave) for data persistence.
+- **Access Control Service**: Provides a flexible access control configurations
+ to support access control rules for multi-party secure computation.
+- **Scheduler Service**: Schedules staged task ready for execution to a proper
+ execution node with desirable capabilities.
+- **Execution Service**: A host of different executors interacting with the
+ scheduler service to complete tasks. There could be many execution service
+ instances (or nodes) with different capabilities deployed in a cloud
+ infrastructure.
+
+## Protocols
+
+We use ProtoBuf to define messages and RPC interfaces of the Teaclave services.
+Utility functions, traits, and structures will be automatically generated to
+help implementing services to handle requests and send responses. You can find
+detailed protocol definitions in the [`proto` files](./proto/src/proto).
+
+## Topology
+
+These services are communicating through RPC with remote attestation.
+This topological graph illustrates connections between services.
+
+```
+clients => authentication <-+ +----> storage <----+
+ | | |
+clients => frontend ----------> management scheduler <-- execution
+ |
+ +--> access_control
+
+
+ => api endpoint connections
+ -> internal endpoint connections
+```
+
+Internal endpoint connections will be established and verified with mutual
+remote attestation to ensure the integrity and confidentiality of whole system.
+Therefore, clients can trust the whole platform and safely interacting with the
+system through the attested authentication and frontend services.
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@teaclave.apache.org
For additional commands, e-mail: commits-help@teaclave.apache.org