[ogsa-wg] OGSA Primer Newest Latest draft - v5

Donal K. Fellows donal.k.fellows at manchester.ac.uk
Fri Oct 12 18:25:28 CDT 2007


Duane Merrill wrote:
>     * Delegation is a useful feature to be addressed and supported by
>       the architecture.  (I hesitate at making it a /requirement/ for
>       participating in the architecture: composition of features,
>       no-pay-no-play, etc.).  Perhaps also include a motivating simple
>       generic use-case of: "I want to run my job, the executor needs to
>       obtain resources/input on my behalf, etc."

Good use cases for delegation can include portals and workflow engines.
It can sometimes also be useful during resource discovery.

>     * Delegation mechanisms have historically been closely tied to
>       credential mechanisms (e.g., X-509 proxy certs and MyProxy,
>       holder-of-key SAML assertions, etc.), which we have stated the
>       OGSA is to be flexible with in terms of type, subject to profiling
>       by the OGSA security model.  (Grand-unifying delegation
>       specifications pending....)

Be careful here not to fall into the Usual Security Trap. That's where
you say "you can do this, or you can do that, or you can do the other,
and there's a bazillion ways to combine them". Implementors hate that
sort of thing, since it gives them very little guidance as to what to
really write. Fewer options, more utility. :-)

Donal.


