Testbed Support for GridPP member institutes
> [mailto:[log in to unmask]] On Behalf Of Ian Stokes-Rees said:
> Perhaps using the test one at RAL will meet my needs. I want to
> understand the difference between roles, groups, and capabilities and
> how those are attached to files, resource access rights,
> running jobs, and proxy certificates. I want to understand what capabilities
> regular users have to manipulate/control these things, and also what
> control is available to running jobs and "grid services".
Catching up with old mail here, but this may be of general interest ...
I have a feeling that capabilities are being phased out, as they aren't
really different from roles. For many purposes groups and roles aren't
all that different either. The end result is to attach something like
/picard/bridge/Role=NULL/Capability=NULL
or
/picard/Role=ensign/Capability=NULL
to your proxy in a verifiable way - it's then up to services to decide
what to do with that. A user can control which roles they enable with
voms-proxy-init, but you always get the group information. From your
list above, the attributes are not attached to jobs as such, but each job
has a proxy and that carries the VOMS information.
On the service side it's still mostly undefined. In general you would
expect ACLs on services which allow or deny an action based on the proxy
information. For the globus gatekeeper and gridftp we have LCAS and
LCMAPS which allow decisions via plugins, the standard thing is to
pretty much duplicate what the pool accounts do but with the ability to
cope with multiple mappings. For files there is not much yet; SRMs don't
yet support VOMS, and I think the glite data management doesn't have
ACLs yet either, although it does decide which catalogue to look at
based on the VO in the proxy. R-GMA doesn't support VOMS yet. The RB has
limited support which basically just selects the VO from the proxy as
you would otherwise do in the JDL or with the command line.
Basically, as I said in my talk last week, I think we'll have to use
VOMS for quite a while before we find out how to get the best use out of
it, and people shouldn't be assuming that it will magically solve all
their problems as soon as we start using it!
Stephen
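The two mechanisms Stephen describes above, the FQAN attributes that voms-proxy-init attaches to a proxy (groups always, roles only when enabled) and the LCAS/LCMAPS-style decision that maps those attributes onto pool accounts, as an added example that is not part of the original thread and is not code from VOMS, LCAS, LCMAPS or GridPP. The grid-mapfile-like pattern syntax, the pool-account names and the sample user are assumptions made up for the demonstration.

```python
"""Toy model of VOMS FQANs and an LCMAPS-style FQAN -> pool-account mapping.

Added example for this thread; it is not code from VOMS, LCAS, LCMAPS or GridPP.
The grid-mapfile-like pattern syntax and the pool-account names are assumptions
made up for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

NULL = "NULL"  # VOMS spells "not set" as Role=NULL / Capability=NULL


@dataclass(frozen=True)
class FQAN:
    group: str                 # "/picard" or "/picard/bridge"
    role: Optional[str]        # None when the proxy says Role=NULL
    capability: Optional[str]  # None when Capability=NULL


def _unnull(value: str) -> Optional[str]:
    return None if value in ("", NULL) else value


def parse_fqan(text: str) -> FQAN:
    """Parse '/vo/group/Role=r/Capability=c'.

    Role and Capability may only appear after the group path, each at most
    once; anything else is rejected so a crafted string cannot smuggle a
    group component past the matcher."""
    if not text.startswith("/"):
        raise ValueError(f"FQAN must start with '/': {text!r}")
    group_parts: List[str] = []
    role = capability = None
    seen: Set[str] = set()
    for part in text.split("/")[1:]:
        key, sep, value = part.partition("=")
        if sep == "=" and key in ("Role", "Capability"):
            if key in seen:
                raise ValueError(f"duplicate {key} in {text!r}")
            seen.add(key)
            if key == "Role":
                role = _unnull(value)
            else:
                capability = _unnull(value)
        elif seen:
            raise ValueError(f"group component after Role/Capability: {text!r}")
        elif not part or "=" in part:
            raise ValueError(f"bad group component {part!r} in {text!r}")
        else:
            group_parts.append(part)
    if not group_parts:
        raise ValueError(f"FQAN has no VO/group: {text!r}")
    return FQAN("/" + "/".join(group_parts), role, capability)


def is_valid_fqan(text: str) -> bool:
    try:
        parse_fqan(text)
        return True
    except ValueError:
        return False


def proxy_fqans(memberships: Dict[str, Set[str]],
                request: Optional[Tuple[str, str]] = None) -> List[str]:
    """What a voms-proxy-init run would put in the proxy (simplified model).

    memberships maps each group the user belongs to -> roles held there.
    request = (group, role) models 'voms-proxy-init -voms vo:/group/Role=role'.
    A requested role goes first as the primary FQAN; the group FQANs are
    always present, whether or not a role was asked for."""
    out: List[str] = []
    if request is not None:
        group, role = request
        if role not in memberships.get(group, set()):
            raise PermissionError(f"{role!r} not held in {group}")
        out.append(f"{group}/Role={role}/Capability={NULL}")
    for group in memberships:
        out.append(f"{group}/Role={NULL}/Capability={NULL}")
    return out


# Ordered, first match wins, like a grid-mapfile. Assumed pattern syntax:
#   group path, optionally '/*' to include subgroups;
#   'Role=x' must match exactly, 'Role=*' matches any role,
#   no Role (or Role=NULL) matches only a role-less FQAN; same for Capability.
MAPPING: List[Tuple[str, str]] = [
    ("/picard/Role=ensign", ".picardens"),   # role-specific pool checked first
    ("/picard/bridge/*",    ".picardbridge"),
    ("/picard/*",           ".picard"),      # catch-all for the VO
]


def fqan_matches(pattern: str, fqan: FQAN) -> bool:
    subgroups = pattern.endswith("/*")
    pat = parse_fqan(pattern[:-2] if subgroups else pattern)
    group_ok = fqan.group == pat.group or (
        subgroups and fqan.group.startswith(pat.group + "/"))
    role_ok = pat.role == "*" or pat.role == fqan.role
    cap_ok = pat.capability == "*" or pat.capability == fqan.capability
    return group_ok and role_ok and cap_ok


def map_to_account(fqans: List[str],
                   mapping: List[Tuple[str, str]] = MAPPING) -> Optional[str]:
    """Walk the proxy's FQANs in order (primary first) and return the pool
    account of the first mapping line that matches; None means 'deny'."""
    for text in fqans:
        fqan = parse_fqan(text)
        for pattern, account in mapping:
            if fqan_matches(pattern, fqan):
                return account
    return None


if __name__ == "__main__":
    # Constructed sample user: member of /picard (holds role ensign) and /picard/bridge.
    crew = {"/picard": {"ensign"}, "/picard/bridge": set()}
    plain = proxy_fqans(crew)
    print(plain, "->", map_to_account(plain))
    with_role = proxy_fqans(crew, ("/picard", "ensign"))
    print(with_role, "->", map_to_account(with_role))
```

Two points worth noticing when running it: the mapping is decided by the first FQAN in the proxy, so the same user lands in a different pool account depending on whether they asked voms-proxy-init for the role, and the second FQAN (/picard/bridge) never gets a look-in while /picard is primary; and a proxy from a VO with no mapping line yields None, which a gatekeeper should treat as a deny rather than falling back to a default account.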