[saga-rg] Re: comment on SAGA strawman doc.

Gregor von Laszewski gregor at mcs.anl.gov
Fri Jul 29 13:22:20 CDT 2005 

we have some rudimentary abstraction based on unix permissions in the  
Java CoG Kit. If the server supports it we can change permissions  
from the client. This is available as part of Java CoG kit 4. this is  
probably not the perfect solution but it could provide some input on  
how we have developed something that was useful to us.

gregor

On Jul 29, 2005, at 12:47 PM, John Shalf wrote:

>
> On Jul 27, 2005, at 2:37 AM, Thilo Kielmann wrote:
>
>
>> All,
>>
>>
>>> since we have not approached ACLs yet, and since I am not
>>> really knowladgable about security, I have no answer.
>>>
>>
>>
>>>> if you issue a copy command and the source is not owned by you but
>>>> you have read permission (say through ACLs). and it is a  
>>>> recursive copy;
>>>> how do you propagate permission information to the target? do  
>>>> you make
>>>> everything owned by the person whe issues the copy (which may be  
>>>> a service!)
>>>> or do you copy the ACLs and the permissions along with the file  
>>>> (ie metadata
>>>> copy)? how do you make sure that the same users exist then on  
>>>> the target
>>>> site?
>>>>
>>
>> IMHO, there is only one sensible solution: the new owner of the copy
>> determines access control to the newly created file. That should be a
>> policy decision local to the target site.
>>
>> However, controling this from the SAGA API may be 'interesting'.
>> So, should there be some kind of property determining access control
>> for files and directories to be created?
>> (I am afraid, we are stressing the "S" for simplicity if we are
>> working towards a comprehensive solution...)
>>
>> Any thoughts?
>>
>
> My current thought on this is that file permissions management is a  
> serious problem and it is quite unfortunate that it has been mostly  
> overlooked in much of the current grid middleware.  I can move  
> files, but I can't use the same interface that I used to move the  
> files around to manage the permissions on said files.  Its  
> something that I've complained about for years to no avail.  This  
> deficiency has led to a number of significant problems in many  
> collaboratory projects, but I haven't seen it adequately addressed  
> by any "completed" or "deployed" standard as of yet.  Am I missing  
> something or is there a group that is working on solving this  
> problem as I speak? (I don't know because DOE doesn't let me go to  
> grid meetings anymore)
>
> So getting back to SAGA, while I think that permissions management  
> is an important and oft-neglected aspect of distributed file access  
> middleware, I don't actually see any "standard" solutions to the  
> problem.  Since SAGA is supposed to be an API standardization  
> rather than trying to write a "new grid" or fix any deficiencies in  
> current middleware, the proper approach is to not attempt to  
> address this issue until we see more middleware implementations  
> that actually implement this feature.  For the time being, its  
> probably best to use the convention that Thilo mentions above  
> because its pretty much what we are doing currently with grid file  
> movers.  This is kind of sad as far as solutions are concerned, but  
> its probably good to set aside standardization of features in SAGA  
> that are not already apparent in mainstream grid software  
> implementations.
>
> -john
>
>

More information about the saga-rg mailing list