[gin-auth] Multiple VO membership (Some ramblings and 1 question).
Mike 'Mike' Jones
mike.jones at manchester.ac.uk
Wed May 3 03:03:53 CDT 2006
It dawned on me on the way to work this morning that in the current
implementation for accepting grid VOs through VOMS/LDAP/HTTPS where
resources construct a 'grid-mapfile', I as a user do not know through
which VO I will be accepted onto a resource. I can find this out by
getting an interactive session some how on a resource and poking around,
but this is not easy.
This is not a new problem, I know! But, I can now see that signing up to
a low usage VO could mean that I might be expected to adhere to those low
usage rules that the VO was accepted for, even though through another VO
membership I would be allowed more resource. For me this is now a
distinct possibility.
In the GIN case this problem will go away with the VOMS proxy credentials
somewhere down the line. Some JDL might go some way to helping too, but
I do not currently know of any JDL-aware middleware at this time that
would help. A resource broker could also address this*, but I believe
that so far resource brokers are only aware of the VOs a resource supports
and not in what order they have been accepted.
I guess the only immediate way round this is to hope that participating
resources all behave in the same way and configure themselves to accept
VOs in order of maximum usage.
If I submitted a big job to the LCG (where I have access to the
resource) but am mapped to a low usage GIN account will the LCG site my
job ends up at try to have my GIN membership blacklisted?
Mike
*I however like to keep the idea that I might not always need or want to
go through a broker where the protocols allow.
--
http://www.sve.man.ac.uk/General/Staff/jonesM/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 1784 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.ogf.org/pipermail/gin-auth/attachments/20060503/7ada8371/attachment.bin
More information about the gin-auth
mailing list