[ogsa-dmi-wg] New version
Michel Drescher
Michel.Drescher at uk.fujitsu.com
Thu Aug 23 05:26:52 CDT 2007
Steve,
thanks that makes it a lot clearer.
I have, though, some comments:
A) Regarding the security credentials
=====================================
The proposal makes sense, but I would like to extend it and slightly change
it as follows.
1. We should consider the DataEPRs personalised EPRs, i.e. minted for
exactly one client. That client MAY re-use this DataEPR (whether for the
[source] or the [sink] in a DMI call, or otherwise) but SHOULD NOT (or
MUST NOT?) pass it along to other entities in a Grid for their use.
2. The element "dmi:Credential" suggests only one credential allowed, even
though the contents is defined as "<xs:any/>*", i.e. zero or more child
elements may occur.
I instead propose to change "dmi:Credential" as follows (in pseudo
schema):
<dmi:Credentials>
<xs:any namespace="##other">*
<dmi:Credentials>
This then would serve as a more generic credentials container, and proper
identification and tagging of each of the credentials if any are left to
be specified by either profiles, or implementations. This would even all
ow for cross security-framework implementations to insert credentials for
GridFTP in a GSI implementation, and (in the future, credentials for
GridFRP in, say, a UNICORE security framework. Good data transfer
protocols allow for more than one security framework; GridFTP is just not
yet there.
At the same time this would allow for both the future [source | sink]
service *and* the DMI client to insert credentials into this section. It
seems a bit awkward to me that the [source | sink] service should insert
the client's (user's?) security credentials into the DataEPR. It should
be *both*, to serve the following use cases. As the DataEPRs have an
identical structure for both source and sink the use cases mention only
one DataEPR for brevity:
- The client uses a command line tool and forges the DataEPR. The command
line client, in the process of creating the DataEPRs uses security
information taken from the context (e.g. command line parameters,
linked-in security store, etc.
- The client (or user) obtains the DataEPR from the source service. The
source service adds a username/password credential in a reckognised
format to the dmi:Credentials element, indicating that no more
information is necessary (this is done within the reckognised format
out of scope for OGSA-DMI). The client then MAY add the user's
identification credentials to communicate on who's behalf it is
operating.
- The client (or user) obtains the DataEPR from the source service. The
source service adds challenge information to the dmi:Credentials
element of the minted DataEPR (e.g. a SecurID challenge). The client
then MAY add the user's identification credentials to communicate on
who's behalf it is operating. The client MUST add the proper challenge
response to the dmi:Credentials section to successfully be authorized
to access the data.
The details how the security stuff is actually handled can be left
completely implementation specific, or handled in profiles on OGSA-DMI.
But I think OGSA-DMI should indicate that it can be more than one set of
credentials passed in.
Actually, come to think of it, really advanced implementations may use
DataEPRs to the extreme: Given that advanced implementations support
several security frameworks (say, Globus GSI, UNICORE style Explicit
Trust Delegation, and Windows Active Directory) equally available for
some data transfer protocols (e.g. GridFTP, HTTP, SRB), then they could
put the security credentials that are shared between two different data
transfer protocols outside the dmi:Credentials section, and just add XML
links (using for example xs:ID and xs:IDREF) from within the
dmi:Credentials section pointing to the external credential information.
And all that is compliant to the OGSA-DMI specification while greatly
saving from duplicating information in the DataEPRs metadata section. But
that is probably just my thoughts gone wild...
B) Editorial nag regarding authors list
=======================================
You are beyond doubt an important author of this spec, and as such ought to
be mentioned as such. Chapter 7 lists at the moment 4 people, all of which I
believe are the authors of this specification.
GFSG, however, did not intend to have the names of the authors in the
document headers. Instead, the document (and page) header was intended to
contain the names of those people who volunteer for permanent stewardship of
the document. That list of names can be a subset of the authors, but can
also be a different list of names.
GFSG originally thought of 2 people at max, but left the backdoor open for
more *if there are compelling reasons*.
I hence propose that we keep that list to two, at max 3 people, and
strengthen the statement in chapter 7 regarding the authors - and other
contributors if any. But I am not terminally glued to this and very open to
discussions (I mainly want to avoid stupid nags just like this in PC).
Cheers,
Michel
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://www.ogf.org/pipermail/ogsa-dmi-wg/attachments/20070823/b57db6f8/attachment.pgp
More information about the ogsa-dmi-wg
mailing list