[gin-auth] Re: Nightly cron for DN list dump ?

Oxana Smirnova oxana.smirnova at hep.lu.se
Mon Mar 20 12:31:55 CST 2006


Hi Oscar,

that's neat - however, how shall one interpret the ".gin.ggf.org" 
string? E.g., we use VO lists like

https://www.pdc.kth.se/grid/swegrid-vo/vo.atlas-testusers-vo

which are interpreted by the mkgridmap kind of utility, and as each such 
list uniquely represents a VO, there's no need to mention the VO name 
explicitly, right?

Cheers,
Oxana

Oscar Koeroo wrote:
> Hi Dane and others,
> 
> I've created a crontab to supply a non-secured grid-mapfile. The crontab 
> is set to execute each 6 hours of each day to provide the controlled 
> privilege leak :-)
> The location is here: http://kuiken.nikhef.nl/gin.ggf.org/grid-mapfile
> 
> I've also written my first RSS file. I hope I have understood the 
> standard correctly.
> The feed contains two channels "unsecured_gin.ggf.org" and 
> "secured_gin.ggf.org". Both have similar settings, but the secured is 
> using the direct weblink that will be used by the mkgridmap script to 
> the XML through an HTTPS connection and the other is my crontab-created 
> grid-mapfile.
> 
> It seems that Thunderbird has a minor bug. I get two messages there but 
> both are listed as Sent by 'unsecured_gin.ggf.org', clicking on them 
> works perfectly. The secure connection needs a valid certificate to 
> mutually authenticate the content of the feed, the default error is 
> -12229. This is good behaviour :-)
> ps: I'll not update the secured feed because it is linked to the direct 
> database list creation method on the VOMS Admin.
> 
> Comments/improvements are always welcome.
> 
> 
>    Oscar - your feeding VO-Admin
> 
> 
> 
> Dane Skow wrote:
> 
>>
>> Oscar,
>>
>> Would it be possible to setup a nightly cronjob to dump the DN list  
>> from this VOMS server to a webpage someplace ? That way anyone who  
>> has not setup the edg-makegridmapfile scripts or equivalent automata  
>> can grab the list and manage the appropriate snippet for a  
>> gridmapfile by hand ? That helps lower the bar for bootstrapping one  
>> more notch.
>>
>> The UK folks have offered their WIKI server as a headquarters for  
>> this kind of contributed links. I'll send info (or Stephen will  
>> directly) with the link soon.
>>
>> Double Bonus points if you make the webpage an RSS feed ;-))  (so one  
>> can get notice of updates)
>>
>> Cheers,
>> Dane
>>
>> On Mar 14, 2006, at 8:09 AM, Oscar Koeroo wrote:
>>
>>> Hello everybody,
>>>
>>> The GIN VO name has been changed from 'GIN-GGF-ORG' to 'gin.ggf.org'  
>>> with the approval of the security area directroy to use the ggf.org  
>>> domain name.
>>> All other configurations and registration have stayed persistently.  
>>> Which means, the same portnumbers do apply on the same server with  
>>> the same certificate.
>>>
>>> Though the web site has been moved to:
>>> https://kuiken.nikhef.nl:8443/voms/gin.ggf.org/
>>>
>>> The configuration for the vomses file has changed to:
>>>
>>> "gin.ggf.org" "kuiken.nikhef.nl" "15050" "/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" "gin.ggf.org"
>>>
>>> And also the legacy support interface for mkgridmap has also  changed 
>>> with the URL change to:
>>> group vomss://kuiken.nikhef.nl:8443/voms/gin.ggf.org  .gin.ggf.org
>>>
>>>
>>>
>>>    Oscar - /gin.ggf.org/Role=VO-Admin
>>>
>>>
>>> Oscar Koeroo wrote:
>>>
>>>> which means that I'll change the GIN-GGF-ORG VO name to:        
>>>> "gin.ggf.org"
>>>> ... if one or both security area directors approve with the change  
>>>> and use of the "ggf.org" domain as a suffix to the GIN VO.
>>>>
>>>>    Oscar
>>>>
>>>>
>>>> Von Welch wrote:
>>>>
>>>>>
>>>>> Works for me.
>>>>>
>>>>> Von
>>>>>
>>>>>
>>>>> On Mar 13, 2006, at 12:42 PM, Olle Mulmo wrote:
>>>>>
>>>>>>
>>>>>> FYI,
>>>>>>
>>>>>> This was discussed (again) at two consecutive EGEE meetings at  
>>>>>> CERN  last week, ending in the draft text proposed below.
>>>>>>
>>>>>> /Olle
>>>>>>
>>>>>>
>>>>>> VO Naming
>>>>>> ---------
>>>>>> The VO name is a string, used to represent the VO in all interactions
>>>>>> with grid software, such as in expressions of policy and access rights.
>>>>>>
>>>>>> The VO name MUST be formatted as a subdomain name as specified in
>>>>>> RFC 1034 section 3.5. The VO Manager of a VO using a thus-formatted name
>>>>>> MUST be entitled to the use of this name, when interpreted as a name in
>>>>>> the Internet Domain Name System.
>>>>>> This entitlement MUST stem either from a direct delegation of the
>>>>>> corresponding name in the Domain Name System by an accredited registrar for
>>>>>> the next-higher level subdomain, or from a direct delegation of the
>>>>>> equivalent name in the Domain Name System by ICANN, or from the consent
>>>>>> of the administrative or operational contact of the next-higher equivalent
>>>>>> subdomain name for that VO name that itself is registered with such an
>>>>>> accredited registrar.
>>>>>>
>>>>>> Considering that RFC1034 section 3.5 states that both upper case and lower
>>>>>> case letters are allowed, but no significance is to be attached to the case,
>>>>>> but that today the software handling VO names may still be case sensitive,
>>>>>> all VO names MUST be entirely in lower case.
>>>>>>
>>>
> 
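
The syntactic half of the draft VO naming text quoted above (RFC 1034 section 3.5 subdomain syntax, entirely lower case) can be checked mechanically before a VO name is put into a vomses file or an access policy. The following is an added example, not code from this thread or from VOMS; the function names are hypothetical, and the entitlement requirement (DNS delegation or consent) is not something a string check can establish.

```python
import re

# RFC 1034 section 3.5: <label> ::= <letter> [ [ <ldh-str> ] <let-dig> ]
# i.e. starts with a letter, ends with a letter or digit, hyphens only inside.
LABEL_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL = 63  # "Labels must be 63 characters or less" (same section)

# vomses line as posted in the thread, with the mail line-wrap removed.
SAMPLE_VOMSES = ('"gin.ggf.org" "kuiken.nikhef.nl" "15050" '
                 '"/O=dutchgrid/O=hosts/OU=nikhef.nl/CN=kuiken.nikhef.nl" '
                 '"gin.ggf.org"')


def vo_name_violations(name):
    """Return the reasons `name` breaks the draft rule; an empty list means OK."""
    if not name:
        return ["empty name"]
    problems = []
    # The draft is stricter than RFC 1034: case must not be relied upon,
    # so every VO name has to be lower case already.
    if name != name.lower():
        problems.append("contains upper-case letters")
    for label in name.split("."):
        if label == "":
            problems.append("empty label (leading, trailing or doubled dot)")
        elif len(label) > MAX_LABEL:
            problems.append(f"label longer than {MAX_LABEL} characters")
        elif not LABEL_RE.fullmatch(label):
            problems.append(f"label {label!r} violates RFC 1034 3.5 label syntax")
    return problems


def vomses_vo_names(line):
    """Return (alias, VO name): the first and last of the five quoted fields."""
    fields = re.findall(r'"([^"]*)"', line)
    if len(fields) != 5:
        raise ValueError("expected five quoted fields in a vomses line")
    return fields[0], fields[4]


if __name__ == "__main__":
    alias, vo = vomses_vo_names(SAMPLE_VOMSES)
    # Old and new GIN names from the thread, plus two constructed bad names.
    for candidate in (vo, "GIN-GGF-ORG", "9atlas.example.org", "gin..ggf.org"):
        print(candidate, "->", vo_name_violations(candidate) or "OK")
```
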




