[gin-auth] Re: Create a VO for MultiGrid team ?
Dane Skow
skow at mcs.anl.gov
Thu Mar 2 16:40:16 CST 2006
(I'm going to duck out for a long weekend holiday in just a minute so
let me make a comment then sign off until Monday.)
Until we get a first GIN VOMS service, we're stuck with dealing with
individual DNs for each grid pairing.
I agree with you, that is very undesirable even in the short term.
I think you're advocating to choose an arbitrary name which is
unlikely to conflict (to avoid contributing to the problem) rather
than try to quickly drive to consensus on a namespace schema. I'm
fine with that if we recognize that for what it is. I just don't want
to stall on the namespace issue (while agreeing it needs to be dealt
with in the not too distant future).
I think we should take opportunities to make steps forward as we
integrate, but we shouldn't hold up critical path items for non
critical path concerns (don't let the "better" become the enemy of
the "good enough"). I'm happy with whatever name is agreed (and I'm
happy to let Oscar choose, myself), but let's recognize this VO as
bootstrapping and that we'll likely have to revise as we move forward
and move on. For example, we could debate whether we want a "big
endian" (like OID) or a "little endian" (like DNS) namespace. All
needs to be settled, but isn't defined today. If we can reach
consensus quickly - fine - but the debate on the EGEE lists has
lasted quite a while now just there.
I think a better way to frame the same question is: What VOs do
people have in the GIN grids now and how will we deal with namespaces
as we pull THOSE VOs in as cross-grid authorities ? (There's another
inventory that it would be good for someone to push -- by the way,
haven't seen anything more back on the CA inventory
contributions ;-)) Buys us a few weeks at least to discuss (and we
can reform the GIN* VO as needed to deal with the resulting
convention) while we continue to make progress in the here and now.
Cheers,
Dane
On Mar 2, 2006, at 3:57 PM, Oxana Smirnova wrote:
> Hi,
>
> I'm sorry, but what if soon somebody else will create a VO called
> GIN? How can we tell one from another? Maybe such a VO already
> exists and we are going to infringe on somebody's rights?
>
> What I mean, please let's call it GRID.GIN, or GGF.GIN, or at least
> (worse is only simply GIN) GIN.GGF.ORG, before we all agree on
> globally unique VO names. Oscar, you should know better than
> anybody else about the "FUSION" VO name clash a couple of weeks ago.
>
> Cheers,
> Oxana
>
> Oscar Koeroo wrote:
>> Hi Dane,
>> I will create a new VO called "GIN" in the morning (Central
>> European Time) which means a new VOMS Admin instance and a new
>> VOMS daemon (AC provider).
>> It will have the grid-mapfile interface limited to everybody who
>> can present a user/host certificate signed by a CA within the IGTF
>> (standard policy but I can be more flexible for the GIN VO).
>> I'll email to this list about the coordinates of the VOMS server.
>> Oscar
>> Dane Skow wrote:
>>>
>>> Thanks for the ping Erwin. I'm sorry for the slow response. Yes,
>>> I think we should take you up on the offer. I've done a quick
>>> survey of those who mentioned interest in running a VOMS and the
>>> other options would have greater startup delays and effort. I
>>> like the "GIN" name. Oscar can you let us know when this is
>>> setup and how to register people's certificates ? Once we have
>>> this ready, we should announce it to the full GIN at ggf.org list
>>> since the other groups will likely want to start registering too.
>>>
>>> To be clear, we want both VOMS functions (right?): to be able
>>> to generate a list of DNs (for constructing a gridmapfile
>>> snippet) and the ability to generate VOMS authorization
>>> attributes so people can use whichever
>>> combination they need to get started. I think we'll likely have a
>>> mix of gridmapfiles and authorization service calls for a while
>>> yet.
>>>
>>> Dane
>>>
>>> On Mar 2, 2006, at 2:42 AM, Erwin Laure wrote:
>>>
>>>> Hi Dane,
>>>>
>>>> Was there already a decision which VOMS server to use? I
>>>> haven't heard anything so I assume it will be the NIKHEF one.
>>>>
>>>> Cheers,
>>>>
>>>> -- Erwin
>>>>
>>>> Erwin Laure wrote:
>>>>
>>>>> Hi Dane et al.,
>>>>> This is a very good plan.
>>>>> EGEE could offer our existing VOMS service that runs in NIKHEF
>>>>> (Oscar Koeroo, cc'ed, is responsible for the system) and
>>>>> already serves a number of EGEE pre-production VOs.
>>>>> I'd suggest we call the VO "gin" ;-)
>>>>> Cheers,
>>>>> -- Erwin
>>>>> Dane Skow wrote:
>>>>>
>>>>>>
>>>>>> First copy of this didn't get through due to list problem.
>>>>>> Hopefully fixed now.
>>>>>> D
>>>>>>
>>>>>> On Feb 23, 2006, at 11:23 AM, Dane Skow wrote:
>>>>>>
>>>>>>>
>>>>>>> Oxana brought up the excellent suggestion that we should
>>>>>>> quickly create a VOMS service for persons working on
>>>>>>> bringing up the MultiGrid interoperation. Since we need to
>>>>>>> identify a manageable set of DNs for early adopters to
>>>>>>> enable and clearly identify them (and they will be involved
>>>>>>> in different groups), and we're consolidating on the VOMS
>>>>>>> authorization info for now, this seems like a good
>>>>>>> bootstrap idea. Rhys from APAC has offered to setup such a
>>>>>>> VOMS service but is checking on the timescale that could be
>>>>>>> done. Is there someone else ready and eager to setup a VOMS
>>>>>>> instance so we can get started with identifying people
>>>>>>> working on GIN ?
>>>>>>>
>>>>>>> Another thing I've started is a matrix of CA usage by the
>>>>>>> various grids (updated by David Groep and Yoshio Tanaka -
>>>>>>> thanks). I've discovered this list is rather larger than I
>>>>>>> expected and that it's changing quickly as people move
>>>>>>> forward on interoperation, but I think there may be value
>>>>>>> in creating a snapshot of what our grids use now. It may
>>>>>>> not be worth the effort to try to keep a current master
>>>>>>> list, but we can see. I'll keep a current copy at
>>>>>>> http://www.mcs.anl.gov/~skow/GIN/GIN-CAs.xls if folks send me
>>>>>>> their updates (at least til we get a full coverage).
>>>>>>>
>>>>>>> Cheers,
>>>>>>> Dane
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>
>