Hi,
Following a chat with Jeremy, some ideas about how to proceed further in terms of CVMFS with the various small projects within the regional UK VOs came to our minds.
Taking as example 'lsst' project that's part of the 'vo.northgrid.ac.uk' VO, we assume that the members of the project are registered with the 'northgrid' VO.
For CVMFS, an initial /cvmfs/lsst.gridpp.ac.uk space will be configured and permission for uploads and maintenance given to specific 'northgrid' VO members (based on their DNs _or_ on the northgrid/Role=lsst)
With the above setup, the GSI access to the RAL cvmfs uploader (and to the correct CVMFS area) will be ensured by the 'northgrid' DN/VOMS credentials and the mapping between the DN/Role and specific SGM-like user for each project (between DN/Role and 'lsstsgm' user for example).
And the CVMFS area for each project is standalone with no possibility of interference. The drawback is that one needs separate DNs (or roles memberships) in order to access/maintain multiple repositories.
There are currently several projects that asked access to CVMFS and their members are not yet member of any registered VO, so the option is to give them a {northgrid,southgrid,scotgrid,londongrid} membership and access to /cvmfs/<repo>.gridpp.ac.uk CVMFS area.
Once they are getting bigger, is it possible to register their own VO, and also we could move them to the 'egi.eu' CVMFS domain.
Please let me know what do you think about this proposal or if I missed something.
Many thanks,
Catalin
|