[voms-proc-wg] VOMSPROC WG session and strawman document

Andrea Ceccanti andrea.ceccanti at cnaf.infn.it
Sat Oct 13 04:09:13 EDT 2012 

Hi Paul,

Il 12/10/12 15:49, Paul Millar ha scritto:
> Hi all,
>
> I haven't read the document yet (sorry, but it is on the list)
>
> On 10/11/2012 06:08 PM, David Groep wrote:
> [...]
>>> - Computing the intersection of a set of attributes coming from 
>>> several ACs in
>>> the chain poses the problem of
>>> stating how the order of the attributes is computed when is 
>>> different in the
>>> ACs. The document should address
>>> this, e.g. proposing that the the order of the AC result of the 
>>> original user
>>> delegation is enforced.
>>
>> Fully agree: the ordering section of the document is still missing, and
>> we should think about what a user 'expects' in this case. Should a 
>> downstream
>> service be able to 'select' a new primary FQAN by itself (i.e. on a 
>> service
>> then selecting a new primary when writing data files)? But then the
>> user may not 'know' this was to happen.
>> I can see cases for either option, and the document should indeed be 
>> explicit
>> in what is to be allowed.
>
> Just a comment on what dCache does, which may be relevant.
> (I can't remember, have I already said this?)
>
> We take the first FQAN as primary and all others as non-primary. If 
> there are multiple ACs then (iirc) the first FQAN of the first AC is 
> primary and all others (from all other ACs) are non-primary.
>
> We do not preserve the order of FQANs, only that one is primary and 
> the others are not.
I like how you define primary FQAN (first fqan of first AC).

In a single AC FQANs are ordered by definition. voms-proxy-init provides 
an option to request a specific ordering from the server, applications 
could take advantage of that.
In practice people just rely on the primary FQAN.

However the point above is different, and is related to how the VOMS ACs 
are extracted and parsed
from a chain.

Currently VOMS attributes are extracted only from the VOMS extension 
found in the latest delegation in the chain.

The proposal instead suggests AFAIU that all the valid ACs in the chain 
(not only the one in the latest delegation) are considered when parsing 
to ensure that the attributes returned are a subset of the attributes 
originally requested by the user from the VOMS server.

In the end the application will always have an ordered list of ACs as 
result, that can be processed as you are describing now, but such list 
will be composed from several "levels" in the chain, not simply taken 
from the last delegation. VOMS APIs will do this composition work for you.

However, this composition needs to be properly defined not only to 
ensure that the attributes returned
are a subset of the ones originally requested but also to address the 
ordering (which may be different
at different levels of the chain).

The more natural approach to me is to keep the order as originally 
requested by the user.
Other approaches are also possible and will be discussed here, I guess.

Cheers,
Andrea

More information about the voms-proc-wg mailing list