[ogsa-rss-wg] comments on the EPS wsdl

Arvid Norberg arvid at cs.umu.se
Tue Aug 8 03:35:03 CDT 2006 

On Aug 7, 2006, at 17:10, Donal K. Fellows wrote:

> Arvid Norberg wrote:
>> I'm currently attempting to implement an EPS and have based its  
>> interface
>> on the WSDL files posted to this list by Donal.
>> My first attempt was to make the wsdl/xsd files to build with the  
>> globus wsrf tools.
>> By downloading the (not very easy to find) files:
>>   wsrf/resourceproperties/rp-1.xsd
>>   wsrf/resource/rw-1.wsdl
>>   etc.
>> Are these really the versions that are supposed to be used?
>
> Umm, they're the versions I'm using with my tooling, but I'm using the
> Unicore/GS tooling which is a bit different to the Globus tooling. I'm
> not going to argue about tooling versioning though;

I see, I'm somewhat of a noob still, I mostly know globus.

> at this stage the
> WSDL's really just illustrative as it has many things in it I need  
> to fix.
>
> I should note that Unicore/GS uses a different (more recent)  
> version of
> WS-RF than Globus. That could cause problems, but can't really be  
> helped.

I see.

> [after fiddling around]
>> Then it built and worked ok.
>
> OK, I'll take that as validation of the interesting bits. :-) It seems
> something of a shame to point out that I've got to do a lot more  
> work on
> it to fix inconsistencies in it.
>
>> One addition I have found the need of is to supply an EPR to  
>> credentials (delegated
>> via the delegation service) in the call to GetExecutionPlans. This  
>> is necessary when
>> using Globus' MDS index server, since you typically need to  
>> authenticate against it.
>> It may also be of interest for the CSG to know which user is the  
>> caller, since it may
>> be able to only respond with resources which that particular user  
>> has the right to
>> use.
>
> While that's true, I'd expect such information to be passed in the
> service context (i.e. as a field in the SOAP header where the WSDL
> doesn't see it) and I have absolutely no intention of restricting the
> security model to just the Globus (or the Unicore/GS) model. Aside  
> from
> that, I'd say you're on the money there with the ideas. Candidates  
> most
> certainly should only be generated in suck a way that the user can  
> make
> use of them, and that should (where possible and practical) include
> checking to see if the user is permitted to execute the job there.
> Indeed, one of the things that came up last GGF was that the EPS spec
> will need to have a non-trivial Security Aspects section, unlike most
> GGF specs that I've seen to date...

As far as I know, using the delegation service is the only portable  
way of delegating credentials in globus at least. (The C libraries  
don't support SecureConversation).

> In any case, thanks very much for your feedback.
>
> (Should we start holding telecons? Or is everyone happy with  
> continuing
> to use email as our collaboration tool? I prefer email myself, but I'm
> perfectly willing to adapt to other people's preferences.)

I prefer email as well.

thank you!

--
Arvid Norberg

More information about the ogsa-rss-wg mailing list