[gin-auth] Multiple VO membership (Some ramblings and 1 question).
Oscar Koeroo
okoeroo at nikhef.nl
Wed May 3 07:44:10 CDT 2006
Hi David,
There are some solutions already in production status.
David Bannon wrote:
>Dane, we've been looking at that but have decided, at least for now, the
>end to end use is just not ready. So we'd be dependent on gridmap files and
>they really are a very, very blunt weapon!
>
>The issues :
>
>1. Gridmap files don't allow a user to be in several VOs and choose at
>launch time.
>
>2. VOMRS allows users to put themselves into any group/role they wish.
>Indications are that this will be fixed in a July release.
>
>
There is also VOMS Admin software, where only the VO-Admin can set the
groups/roles according to its own desire, and for the GIN VO there is no
use of VOMRS, only the VOMS Admin.

>3. Nothing seems to adequately interpret VOMS attributes at the Globus
>level.
>
>
We have the VOMS-api-c stuff, the c++ libs, there is Bouncycastle where
the Java version for VOMS extraction is, there is the Globus VOMS PDP.
For implementation: one can look at LCAS (pure authZ) and its VOMS
module and how that works for example, and for DN+VOMS to uid/gid(s)
translation there is LCMAPS and GUMS and probably some more...
Maybe I didn't understand the context.
cheers,
Oscar
>David
>
>On Wed, 2006-05-03 at 16:36 +0800, Dane Skow wrote:
>....
>
>
>>I'd be very interested in operations experience of anyone who's gone
>>the full way to REQUIRING VOMS extensions so that they could do the
>>account mapping directly without having to have a gridmapfile preloaded.
>>Is anyone running that way now? Planning on it soon? Would sure
>>simplify maintenance and would seem reasonable for cross-grid
>>resources in my view (though it may be too complex for the users just
>>yet).
>>
>>Dane
>>
>>
>
>
>
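An added illustration of issue 1 in the thread, not code from any poster or from LCAS, LCMAPS or GUMS: a DN-keyed gridmap lookup gives the same account for every job, while a lookup keyed on the VOMS FQANs in the proxy lets the same user land in a different account per VO or role. The DNs, VO names, account names and the simplified first-match wildcard rule syntax are all assumptions made for the example.

```python
import shlex
from fnmatch import fnmatchcase

# Constructed sample data: DNs, VO names and local accounts are hypothetical.
GRIDMAP = '''
"/O=Grid/OU=example.org/CN=Alice Example" atlas001
"/O=Grid/OU=example.org/CN=Bob Example" gin001
'''

# FQAN pattern -> local account, evaluated top to bottom (first match wins).
# "/atlas" and "/atlas/*" are listed separately so "/atlasfake" cannot match.
FQAN_RULES = [
    ("/atlas/Role=production", "atlasprd"),
    ("/atlas", "atlas001"),
    ("/atlas/*", "atlas001"),
    ("/gin", "gin001"),
    ("/gin/*", "gin001"),
]

def parse_gridmap(text):
    """Return {DN: account}; a DN listed twice keeps its first entry."""
    table = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) >= 2:
            table.setdefault(parts[0], parts[1])
    return table

def map_by_dn(dn, table):
    """Gridmap style: the certificate DN alone decides the account."""
    return table.get(dn)

def map_by_fqan(fqans, rules=FQAN_RULES):
    """Attribute style: the FQANs presented in the proxy, primary first,
    decide the account. Returns None on no match so the caller can deny."""
    for fqan in fqans:
        for pattern, account in rules:
            if fnmatchcase(fqan, pattern):
                return account
    return None

if __name__ == "__main__":
    alice = "/O=Grid/OU=example.org/CN=Alice Example"
    print(map_by_dn(alice, parse_gridmap(GRIDMAP)))    # same for every job
    print(map_by_fqan(["/gin/testers", "/atlas"]))     # chosen per proxy
    print(map_by_fqan(["/atlas/Role=production"]))
    print(map_by_fqan(["/atlasfake"]))
```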