On Thu, 12 Jun 2003, D.Kant wrote:
> Some of the documentation I have found is a bit vague on this so
> perhaps someone can shed some light with a few clear examples about
> the need for VOMS? What's wrong with the VO scheme in the current
> testbed?
The basic thing is that the current system has no granularity: there is no
kind of subdivision within a VO and only one level of authorisation.
Everyone in a VO gets mapped to a single Unix group, and the only controls
you have (e.g. file permissions) are at the level of that group.
Also VOs are exclusive: to be a member of three VOs I need three
separate certificates. Also there is not much of a management interface to
the current system, and no security on reading; anyone in the world can
read the membership. And there is no redundancy: if the VO server is
unreachable you can't create a map file. And there is no direct way to
infer VO membership from your proxy.
Stephen
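The two models Stephen contrasts, as an added example that is not part of the thread and is not code from any testbed component. It puts a flat grid-mapfile mapping (one VO, one pool group, exclusive membership) next to an attribute-based check of the kind VOMS makes possible, where the proxy carries group and role attributes inside the VO. The `"DN" .account` line shape of a grid-mapfile and the `/vo/group/Role=role/Capability=cap` attribute format are real conventions; the DNs, the policy table and every function name are constructed for this example.

```python
"""Flat VO-to-Unix-group mapping versus group/role attributes inside a VO."""
import re

# --- Flat scheme: one VO -> one Unix group, membership is exclusive ---
# Constructed grid-mapfile. ".atlas" means "a pool account in the atlas group";
# every atlas member lands in the same group, so there is nothing finer to check.
GRID_MAPFILE = '''\
"/O=Grid/O=Example/CN=alice example" .atlas
"/O=Grid/O=Example/CN=bob example"   .atlas
"/O=Grid/O=Example/CN=carol example" .cms
'''
MAPFILE_LINE = re.compile(r'^"(?P<dn>[^"]+)"\s+(?P<acct>\S+)$')

def parse_gridmap(text):
    """Return {dn: vo}. A DN may appear under one VO only (the exclusivity problem)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = MAPFILE_LINE.match(line)
        if not m:
            raise ValueError(f"malformed grid-mapfile line: {raw!r}")
        dn, vo = m.group('dn'), m.group('acct').lstrip('.')
        if dn in mapping and mapping[dn] != vo:
            raise ValueError(f"{dn} is already mapped to VO {mapping[dn]}")
        mapping[dn] = vo
    return mapping

def flat_authorize(mapping, dn, resource_group):
    """The only decision the flat scheme supports: is the DN's VO the resource's group?"""
    return mapping.get(dn) == resource_group

# --- Attribute scheme: the proxy carries FQANs, so policy can use group and role ---
def parse_fqan(fqan):
    """Split '/vo/sub/Role=r/Capability=c' into (group_path, role); Role=NULL means unset."""
    if not fqan.startswith('/'):
        raise ValueError(f"FQAN must start with '/': {fqan!r}")
    groups, role = [], None
    for part in fqan[1:].split('/'):
        if part.startswith('Role='):
            role = part[len('Role='):]
        elif part.startswith('Capability='):
            continue                      # not used by this policy
        elif not part or '=' in part:
            raise ValueError(f"bad FQAN component {part!r} in {fqan!r}")
        else:
            groups.append(part)
    return '/' + '/'.join(groups), (None if role == 'NULL' else role)

def vos_from_fqans(fqans):
    """VO membership read straight off the proxy attributes: first path element of each FQAN."""
    return {parse_fqan(f)[0].split('/')[1] for f in fqans}

# Constructed policy: (group path, required role or None for any, action).
# A rule for "/atlas" covers "/atlas" and every subgroup beneath it.
POLICY = [
    ("/atlas", None, "read"),
    ("/atlas/prod", "manager", "write"),
]

def _group_covers(rule_group, group):
    return group == rule_group or group.startswith(rule_group + '/')

def fine_authorize(policy, fqans, action):
    """Grant if any FQAN on the proxy satisfies a rule for this action."""
    held = [parse_fqan(f) for f in fqans]
    for rule_group, rule_role, rule_action in policy:
        if rule_action != action:
            continue
        for group, role in held:
            if _group_covers(rule_group, group) and rule_role in (None, role):
                return True
    return False

# Constructed proxy attribute sets. Alice and Bob are indistinguishable in the
# flat scheme (both ".atlas"); Carol holds two VOs on one certificate.
ALICE = ["/atlas/prod/Role=manager", "/atlas/Role=NULL/Capability=NULL"]
BOB = ["/atlas/Role=NULL/Capability=NULL"]
CAROL = ["/cms/Role=NULL", "/atlas/Role=NULL"]

if __name__ == "__main__":
    gm = parse_gridmap(GRID_MAPFILE)
    alice_dn = "/O=Grid/O=Example/CN=alice example"
    print("flat: alice in atlas ->", flat_authorize(gm, alice_dn, "atlas"))
    print("fine: alice write ->", fine_authorize(POLICY, ALICE, "write"))
    print("fine: bob write   ->", fine_authorize(POLICY, BOB, "write"))
    print("carol's VOs from proxy ->", sorted(vos_from_fqans(CAROL)))
```

The flat half can answer only "is this DN in the atlas group", and it rejects a second mapping for the same DN, which is the exclusivity point in the reply. The attribute half distinguishes a production manager from an ordinary member of the same VO and reads VO membership directly from the attributes, without a lookup against the VO server.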