[tahoe-dev] accounting: reachability-graph
Brian Warner
warner at lothar.com
Tue Jun 12 06:04:08 UTC 2012
On 6/10/12 2:46 PM, Greg Troxel wrote:
>
> while the unit of operation in tahoe is a node, socially the unit is
> a person (or maybe company etc.). So it would be nice to be able to
> authorize a person to store data and let them do it from any of a
> number of nodes, since the storee doesn't care how it got there,
> just on whose authority it was stored
>
> maybe your scheme takes this into account already, but it seemed worth
> mentioning.

It's an excellent point. I kind of punted on that aspect.

A few years ago, I was thinking in terms of "storagecaps", in which the
authority to consume space on the servers is managed with fine-grained
capability strings, just like we use filecaps to manage fine-grained
read/write authority. The vague idea was that each webapi upload
operation would require both a writecap and a storagecap, and servers
would keep track of space used per storagecap. You'd be able to delegate
portions of your storage to other people too: derived storagecaps that
fit into a tree, with quotas enforced on each subtree.

But it got too hard to manage. We couldn't come up with any
non-JS-centric WUI that could manage two orthogonal authority strings at
the same time, sharing filecaps with/without the storagecap got weird,
offline derivation of storagecaps requires a cert-chain syntax, teaching
servers about the relationship between derived caps looked hard,
allowing a hired Repairer to use some (but not all) of your storage
capacity got weird, allowing a Helper to do the same got weird, and
expressing reciprocal tit-for-tat relationships between
I-provide-you-storage and you-provide-me-storage got complicated.

Storagecaps still seem like the *right* thing to do, but we kept getting
stuck trying to actually design and implement a system that used them.

So in our nigh-yearly simplification cycle, I figured we might make more
progress if we punted on the fine-grained storagecaps, and fell back to
a coarser one-node-per-Account scheme. It's going well so far.. time
will tell.

I'm hoping that once we figure out the per-node approach and get some
experience with it (and our WUI gets a bit more mature), maybe we'll
have more success with proper storagecaps.

cheers,
-Brian
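
An added sketch of the storagecap accounting described in the message above: a server-side ledger in which derived caps form a tree and an upload is charged against the cap and every ancestor. This is not code from the post or from Tahoe-LAFS; the class and method names are hypothetical, the cap format is an assumed random string, and derived caps are registered with the server directly, which sidesteps the offline-derivation problem the message mentions.

```python
# Hypothetical model of the storagecap idea; not Tahoe-LAFS code.
import secrets

class QuotaExceeded(Exception):
    """Raised when a charge would push any cap in the chain over quota."""


class StorageCapLedger:
    """Server-side ledger: one record per storagecap, linked to its parent."""

    def __init__(self):
        self._caps = {}  # cap string -> {"parent", "quota", "used"}

    def _new(self, parent, quota):
        cap = secrets.token_hex(16)  # unguessable string, assumed cap format
        self._caps[cap] = {"parent": parent, "quota": quota, "used": 0}
        return cap

    def add_root(self, quota):
        return self._new(None, quota)

    def derive(self, parent_cap, quota):
        """Delegate a portion of parent_cap's space as a new child cap."""
        if parent_cap not in self._caps:
            raise KeyError("unknown storagecap")
        return self._new(parent_cap, quota)

    def _chain(self, cap):
        """Return the records for cap and every ancestor up to the root."""
        if cap not in self._caps:
            raise KeyError("unknown storagecap")
        chain = []
        while cap is not None:
            chain.append(self._caps[cap])
            cap = chain[-1]["parent"]
        return chain

    def charge(self, cap, nbytes):
        """Account an upload of nbytes; all-or-nothing along the path to the root."""
        if nbytes < 0:
            raise ValueError("nbytes must be non-negative")
        chain = self._chain(cap)
        if any(r["used"] + nbytes > r["quota"] for r in chain):
            raise QuotaExceeded("quota exceeded on this cap or an ancestor")
        for r in chain:
            r["used"] += nbytes

    def used(self, cap):
        return self._caps[cap]["used"]
```

Because every ancestor is checked before any counter is updated, a rejected upload leaves the whole subtree's usage unchanged, and sibling caps whose quotas sum to more than the parent's are still bounded by the parent.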