[glue-wg] Handling VO specific information in Glue 2.1

Enol Fernández enol.fernandez at egi.eu
Wed Oct 18 07:36:44 EDT 2017


Hi *,

as we start to implement v2.1 of the GlueSchema for the EGI federated cloud
we have realised that we miss some VO specific information and we are
unsure how/where is the best way to publish this:

Users belong to several VOs and sites may support more than one of those.
When users authenticate against a given endpoint, the endpoint will return
a list of local projects/groups that the user is allowed to use. Each
project/group supports a VO in our current implementation. In the
past this was not an issue, since the user authenticated with a VOMS proxy
that only contained information about a single VO and therefore the endpoint
would just return a single project. Now, with the transition to federated
identity, the endpoint will receive claims on every VO the user is a member
of and there is no way for the user to determine which local project/group
to use.

We would need a way to publish a site-defined identifier of the
project/group that supports each VO at a given site, so users could just
match the VO with that id and select the appropriate one during
authentication.

We have checked the current draft of the schema and haven't seen a clear
place to publish this kind of information. Our current guess would be to
include this in the AccessPolicy or MappingPolicy. Since in our
implementation we are using shares as a way to express VO information,
probably for us the MappingPolicy is the best fit, but we would like to get
your input on the best way to proceed.

PS: I tried to submit this email before being subscribed, so apologies if
it gets sent twice.

-- 
Enol Fernández | Cloud Technologist | EGI Foundation
enol.fernandez at egi.eu