[saga-rg] Re: comment on SAGA strawman doc.

Andre Merzky andre at merzky.net
Fri Jul 29 15:27:03 CDT 2005


I agree with John: if the problem is basically unsolved,
we (SAGA-RG) should not try to solve it.  We would do a bad
job at it anyway I guess.

So Gregor's proposal to stick to the (well understood) scheme
of Unix-like owner/group/other permissions sounds pretty
good to me...

My $0.02, 
 
  Andre.


Quoting [Gregor von Laszewski] (Jul 29 2005):
> 
> we have some rudimentary abstraction based on unix permissions in the  
> Java CoG Kit. If the server supports it we can change permissions  
> from the client. This is available as part of Java CoG kit 4. This is  
> probably not the perfect solution but it could provide some input on  
> how we have developed something that was useful to us.
> 
> gregor
> 
> On Jul 29, 2005, at 12:47 PM, John Shalf wrote:
> 
> >
> >On Jul 27, 2005, at 2:37 AM, Thilo Kielmann wrote:
> >
> >
> >>All,
> >>
> >>
> >>>since we have not approached ACLs yet, and since I am not
> >>>really knowledgeable about security, I have no answer.
> >>>
> >>
> >>
> >>>>if you issue a copy command and the source is not owned by you but
> >>>>you have read permission (say through ACLs). and it is a  
> >>>>recursive copy;
> >>>>how do you propagate permission information to the target? do  
> >>>>you make
> >>>>everything owned by the person who issues the copy (which may be  
> >>>>a service!)
> >>>>or do you copy the ACLs and the permissions along with the file  
> >>>>(ie metadata
> >>>>copy)? how do you make sure that the same users exist then on  
> >>>>the target
> >>>>site?
> >>>>
> >>
> >>IMHO, there is only one sensible solution: the new owner of the copy
> >>determines access control to the newly created file. That should be a
> >>policy decision local to the target site.
> >>
> >>However, controlling this from the SAGA API may be 'interesting'.
> >>So, should there be some kind of property determining access control
> >>for files and directories to be created?
> >>(I am afraid, we are stressing the "S" for simplicity if we are
> >>working towards a comprehensive solution...)
> >>
> >>Any thoughts?
> >>
> >
> >My current thought on this is that file permissions management is a  
> >serious problem and it is quite unfortunate that it has been mostly  
> >overlooked in much of the current grid middleware.  I can move  
> >files, but I can't use the same interface that I used to move the  
> >files around to manage the permissions on said files.  It's  
> >something that I've complained about for years to no avail.  This  
> >deficiency has led to a number of significant problems in many  
> >collaboratory projects, but I haven't seen it adequately addressed  
> >by any "completed" or "deployed" standard as of yet.  Am I missing  
> >something or is there a group that is working on solving this  
> >problem as I speak? (I don't know because DOE doesn't let me go to  
> >grid meetings anymore)
> >
> >So getting back to SAGA, while I think that permissions management  
> >is an important and oft-neglected aspect of distributed file access  
> >middleware, I don't actually see any "standard" solutions to the  
> >problem.  Since SAGA is supposed to be an API standardization  
> >rather than trying to write a "new grid" or fix any deficiencies in  
> >current middleware, the proper approach is to not attempt to  
> >address this issue until we see more middleware implementations  
> >that actually implement this feature.  For the time being, it's  
> >probably best to use the convention that Thilo mentions above  
> >because it's pretty much what we are doing currently with grid file  
> >movers.  This is kind of sad as far as solutions are concerned, but  
> >it's probably good to set aside standardization of features in SAGA  
> >that are not already apparent in mainstream grid software  
> >implementations.
> >
> >-john
> >
> >



-- 
+-----------------------------------------------------------------+
| Andre Merzky                      | phon: +31 - 20 - 598 - 7759 |
| Vrije Universiteit Amsterdam (VU) | fax : +31 - 20 - 598 - 7653 |
| Dept. of Computer Science         | mail: merzky at cs.vu.nl       |
| De Boelelaan 1083a                | www:  http://www.merzky.net |
| 1081 HV Amsterdam, Netherlands    |                             |
+-----------------------------------------------------------------+
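
The two options weighed in the thread (copy the permission metadata along with the files, or let the target side decide access for the new copy), as an added example that is not part of the original messages and is not SAGA or Java CoG Kit code. The policy modes, function names and sample tree are assumptions made for the illustration.

```python
import os
import shutil
import stat
import tempfile

# Assumed target-site policy (hypothetical values): owner/group/other bits.
TARGET_FILE_MODE = 0o640
TARGET_DIR_MODE = 0o750

def copy_tree_target_policy(src, dst):
    """Copy content only; permissions come from the target policy, not src."""
    os.mkdir(dst, 0o700)
    for entry in os.scandir(src):
        target = os.path.join(dst, entry.name)
        if entry.is_symlink():
            continue  # do not follow links out of the source tree
        if entry.is_dir():
            copy_tree_target_policy(entry.path, target)
        elif entry.is_file():
            # Create privately, write the data, then apply the policy mode.
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
            with os.fdopen(fd, "wb") as out, open(entry.path, "rb") as inp:
                shutil.copyfileobj(inp, out)
            os.chmod(target, TARGET_FILE_MODE)
    os.chmod(dst, TARGET_DIR_MODE)

def modes(root):
    """Map relative path -> permission bits for everything under root."""
    found = {}
    for base, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(base, name)
            found[os.path.relpath(path, root)] = stat.S_IMODE(os.lstat(path).st_mode)
    return found

def demo():
    """Build a constructed source tree, copy it both ways, return the modes."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "src")
        os.makedirs(os.path.join(src, "sub"))
        for rel, mode in (("a.dat", 0o666), (os.path.join("sub", "b.dat"), 0o604)):
            with open(os.path.join(src, rel), "w") as f:
                f.write("constructed sample data\n")
            os.chmod(os.path.join(src, rel), mode)
        os.chmod(os.path.join(src, "sub"), 0o777)
        shutil.copytree(src, os.path.join(tmp, "metadata"))  # carries src modes
        copy_tree_target_policy(src, os.path.join(tmp, "policy"))
        return modes(os.path.join(tmp, "metadata")), modes(os.path.join(tmp, "policy"))

if __name__ == "__main__":
    print(demo())
```

In both copies the process that issues the copy ends up as owner of the new files; the difference is whether the world-writable bits of the source follow the data to the target.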