[gin-auth] Multiple VO membership (Some ramblings and 1 question).

[Mike 'Mike' Jones]

It dawned on me on the way to work this morning that in the current 
implementation for accepting grid VOs through VOMS/LDAP/HTTPS where 
resources construct a 'grid-mapfile', I as a user do not know through 
which VO I will be accepted onto a resource.  I can find this out by 
getting an interactive session some how on a resource and poking around, 
but this is not easy.

This is not a new problem, I know!  But, I can now see that signing up to 
a low usage VO could mean that I might be expected to adhere to those low 
usage rules that the VO was accepted for, even though through another VO 
membership I would be allowed more resource.  For me this is now a 
distinct possibility.

In the GIN case this problem will go away with the VOMS proxy credentials 
somewhere down the line.  Some JDL might go some way to helping too, but 
I do not currently know of any JDL-aware middleware at this time that 
would help.  A resource broker could also address this*, but I believe 
that so far resource brokers are only aware of the VOs a resource supports 
and not in what order they have been accepted.

I guess the only immediate way round this is to hope that participating 
resources all behave in the same way and configure themselves to accept 
VOs in order of maximum usage.

If I submitted a big job to the LCG (where I have access to the 
resource) but am mapped to a low usage GIN account will the LCG site my 
job ends up at try to have my GIN membership blacklisted?

Mike

*I however like to keep the idea that I might not always need or want to 
go through a broker where the protocols allow.

-- 
http://www.sve.man.ac.uk/General/Staff/jonesM/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 1784 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.ogf.org/pipermail/gin-auth/attachments/20060503/7ada8371/attachment.bin