On Wed, 30 Sep 2009, Stephen Burke wrote:
> > If this works, we can cook up YAIM post-configuration functions that
> > will preserve the changes and maybe open an RFE in Savannah.
>
> I'm not sure we really want this as standard, it's fairly hacky. Among
I do not like it either, but it does seem to comply with the conditions
that were stated...
> other things, where do you get the list of DNs - back to the old LDAP VO
> servers?! Really we want this kind of thing done with VOMS if possible.
CMS may not want to create a separate VOMS group for every institute,
whereas that would be the cleanest indeed.
> Also the information publishing may become unhelpful, depending on how
> much priority the special users get and what the balance of jobs is -
> e.g. a long queue of jobs from non-local users will push up the ERT even
> if local user jobs would go straight in.
Indeed.
> Returning to my earlier suggestion of a separate queue, you may be
The separate queue would be "respected" by the WMS matchmaker,
but the matchmaker can be bypassed, so the queue could be abused
if the privileged users are not mapped differently.
> able to fake it with a pseudo-VO if the WMS still lets you override the
> VOMS proxy - e.g. put VO:xyz in the ACBR and specify "xyz" as the VO in
> the JDL ... also rather a hack though!
The WMS client does not let you override the VO in your proxy...