>>>>> "David" == David Chadwick <[log in to unmask]> writes:
David> There is masses of experience with using VOs today. They have
David> been in existence for nearly a decade and are well used. STFC
David> runs a national VOMS service for the UK so we can ask them
David> for example.
Yes, and if STFC needed a one-to-one mapping between what they have and
a Moonshot infrastructure then whether to map VOs in their
infrastructure to Moonshot communities would require some discussion.
Options I can see include:
1) map VOs to communities, but be much more loose about what a service
means on the Moonshot side than you might otherwise expect.
That is, have multiple service endpoints on a real service.
2) Have a VO layer on top of communities.
However, technical infrastructure does impact these sorts of boundaries.
The boundaries I'd choose for Kerberos realms (AD domains) are not the
same as the boundaries I'd choose for Moonshot realms. The
infrastructures are somewhat different.
In the specific case of Openstack, allowing someone to put an additional
layer on top of communities seems like a good idea.
Allowing there to be multiple authentication endpoints each inside a
community seems like another good idea.
Requiring a VO layer on top of communities or baking a particular VO
layer in seems like a very bad idea if you're trying to build something
general enough that Openstack should merge it upstream.
The VO layer--especially something designed to be a good mapping to the
Grid community's VO layer--seems way too specific for something like
Openstack.
--Sam