[glue-wg] Comments on GLUE Schema 2.0

Burke, S (Stephen) S.Burke at rl.ac.uk
Sat May 3 05:18:55 CDT 2008


glue-wg-bounces at ogf.org [mailto:glue-wg-bounces at ogf.org] On Behalf Of Parag Mhashilkar said:
> Based on the description for Endpoint, cardinality of Endpoint ->
> Service should be 1 and not 0..1. Maybe cardinality in UML diagram is
> still in works?

I agree that it looks wrong - in rare cases you could have services
without endpoints, but I don't think you can have an endpoint without a
service.

> 2. AccessPolicy:
> How can access policy be used to express Access control Base Rule?
> Additional info on this will be useful. Another question we had was,
> is it possible to express policies on FQANs and if so how? Is there an
> extension to this scheme and will it allow to express policies on all
> the elements of the certificate/proxies? For example, will it be
> possible to express a policy stating that "As a site I will not accept
> any jobs from users who have proxies valid for less than a day?"

You may have noticed that this is quite controversial! As things stand
the only real restriction comes from the general structure of the
schema, which effectively means that you have a default-deny, and then a
set of "allow" rules applied independently, so if any rule matches you
assume that access is allowed. There has been some discussion about
adding explicit "deny" rules to override the "allow"s, but so far I
don't think we have any agreement on that (it's a non-trivial thing to
implement).

  The format of the rules themselves is extensible. Basically they are
strings encoding URIs, where we have so far defined three schemes: one
for explicit DNs, one for VO names and one for VOMS FQANs. For EGEE that
seems to be all we need at the moment (with a rather limited wildcard
extension for the FQANs). Other Grids are free to define their own
schemes as long as they can fit into the overall schema structure.
Basically I would suggest that you try to decide what your real
use-cases are and then see if they can be satisfied.

  On the face of it your test on proxy validity could be difficult
because it's effectively a DENY rule, but there are ways you could do
it, for example extending the FQAN format to include the minimum
lifetime. However, there would be a price to pay in more complex
matching rules, so I'd suggest that you consider how important it really
is, and whether you need to represent the general case or something more
restricted.

> 3. Conceptual Model of the Computing Service:
> Based on the description of various attributes, cardinality for
> ComputingEndPoint->ComputingService, ComputingShare->ComputingService
> and ComputingResource->ComputingService should be 1..* instead of *.

That diagram looks a bit weird in general, it's not obvious what the *s
are attached to, they just float in space ... but indeed there should
always be a service object.

> 4. MPI jobs:
> From the description of ApplicationEnvironment and ApplicationHandle it
> is not clear if there is a way to express Compiler Versions used to
> compile MPI libraries.

I haven't been following this, but it looks a bit odd to me too, it
isn't obvious how the application is specified - there is a Name
attribute, but in the rest of the schema that's just a human-readable
tag and not something you query on.

> Also it is not clear how one can express connection between
> ApplicationEnvironment and ApplicationHandle.

There is a relationship, as you can see from the diagram but currently
not from the text. Basically one AE can have any number of AHs, each of
which specifies a way to set up the application environment on the WN.

Stephen
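
The evaluation model described in the reply above (default-deny, independent allow rules, any match grants access), as an added example that is not part of the original message or of the GLUE specification. The `dn:`, `vo:` and `voms:` prefixes and the `;minlifetime=` suffix are assumed, hypothetical syntax, the sample credential is constructed, and FQAN wildcards are not modelled.

```python
from dataclasses import dataclass, field


@dataclass
class Credential:
    dn: str
    vo: str = ""
    fqans: list = field(default_factory=list)
    lifetime_s: int = 0  # remaining proxy lifetime, seconds


def rule_matches(rule: str, cred: Credential) -> bool:
    """Evaluate one allow rule. Prefixes are assumed, not GLUE's own."""
    scheme, sep, value = rule.partition(":")
    if not sep:
        return False  # malformed rule never grants access
    if scheme == "dn":
        return value == cred.dn
    if scheme == "vo":
        return value == cred.vo
    if scheme == "voms":
        # Hypothetical extension: "<fqan>;minlifetime=<seconds>"
        fqan, has_ext, ext = value.partition(";")
        if has_ext:
            key, _, num = ext.partition("=")
            if key != "minlifetime" or not num.isdigit():
                return False  # unknown extension: fail closed
            if cred.lifetime_s < int(num):
                return False
        return fqan in cred.fqans
    return False  # unknown scheme: fail closed


def access_allowed(rules, cred: Credential) -> bool:
    """Default-deny; rules are independent; any single match allows."""
    return any(rule_matches(r, cred) for r in rules)


# Constructed sample data
SHORT_PROXY = Credential(
    dn="/C=XX/O=Example/CN=alice", vo="examplevo",
    fqans=["/examplevo/Role=production"], lifetime_s=3600)
ONE_DAY = "voms:/examplevo/Role=production;minlifetime=86400"

if __name__ == "__main__":
    print(access_allowed([ONE_DAY], SHORT_PROXY))                  # lifetime rule alone
    print(access_allowed(["vo:examplevo", ONE_DAY], SHORT_PROXY))  # plus a VO rule
```

With only allow rules, the lifetime condition restricts that one rule; any other matching rule (here the VO rule) still grants access, which is why a site-wide minimum lifetime behaves like a DENY rule.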

