[jsdl-wg] my view on execution user and group

Andreas Savva andreas.savva at jp.fujitsu.com
Mon Apr 4 08:19:01 CDT 2005


Michel

>
>
>>> ExecutionGroupID, Hostname (and others bits): These seem to go 
>>> against the idea that you are not going to support security aspects 
>>> in JSDL, but then the user can assert groups or hostnames which may 
>>> require a particular authorization token in order to access or 
>>> complete the request.  Something will need to provide a mapping 
>>> which says "Use this token to be able to exec in group X or on host 
>>> Y", don't you think?
>>
>>
>> We used to have this mechanism (called Profiles) but we removed it. 
>> It belongs in the scope of other specs (e.g. WS-Agreement).
>
>
> Donal, I think you missed what Ian said here.
> Profiles were not meant to provide different security tokens the way 
> Ian outlined it. At least, they were not designed having that in mind; 
> but they were certainly (ab)usable that way. :^)
>
> I think Ian meant something different: While JSDL claims to be a job 
> description language striving to scope out security issues (which we 
> did not always do) there're still security related issues creeping in 
> like ExecutionUserID.
>
> Well, IMHO I'd like to follow the "clean trail of purity" and kick 
> these things out, but you always have to consider the trade off 
> between purity and usability. Vulgo, have a nice pure document that 
> nobody will use or have a document that has its stains but is 
> incredibly popular. :^) Also keep in mind that standardised documents 
> always represent compromises on all ends of it.
> That's the inherent nature of standardisation bodies. :^)


I don't see this as a purity issue. We put security out of scope, saying 
that jsdl should be composed with some specialized language to describe 
those requirements. This is not the same as saying that jsdl should have 
no elements that might need such extra security assertions.  So I can 
ask for a machine with name X but whether I am allowed to use it or not 
(and what I have to provide to be able to use it) is a different issue 
and is out of scope. But asking for the machine or resource by name is a 
resource request and is in scope.

(And I do hope such in-scope / out-of-scope statements don't sound too 
arbitrary. :-)

Andreas




