Tom Scavo wrote:
Hi Benjamin,

On Wed, Jul 9, 2008 at 10:12 AM, Benjamin Henne wrote:
> In conjunction with attribute-based authorization we are thinking about a 1:n
> mapping of attributes (primarily VOMS attributes, maybe SAML in future) to
> local user accounts. The current VOMS and GridShib authz can only do a 1:1
> mapping of an attribute to a local account. We want to have the possibility
> to map a group of users with the same attributes to different local (pool)
> accounts instead of sharing one account among multiple users.

I'd like to understand your use case a little better.  Does each user
require a unique account?  Are these accounts created ahead of time,
or are dynamic accounts required?

Thanks,
Tom


Hi Tom,

in the German Grid Initiative we want to use attribute-based user mapping in addition to the currently used DN-based mapping. The attribute mapping shall not replace the DN mapping. Every user has, and will continue to have, a single account of his own that his DN is mapped to. This account has standard rights and abilities on the resources. Using attributes (groups, roles, et cetera) we want to enable users to activate additional special rights on demand by mapping them to special accounts.

Some roles, for example a "VO software admin" role, can be mapped to a community account which, for example, has special rights to install VO-specific software on compute resources.

Another role we want to implement, for example, would be the "developer" role. A developer could have special rights on some resources and may have access to special batch queues. Different "developers" shall not be mapped to the same (community) account. This is where we want to use pool accounts. The special rights must be activated and shall only be used for special purposes. Because we cannot have a single account for every DN/attribute combination, our preferred solution is using pool accounts. In the case of Globus, this is what Dynamic Accounts with a database or LCMAPS back-end implements.

Regards,
Benjamin
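The mapping scheme Benjamin describes (DN-based mapping to a personal account, 1:1 mapping of a role to a shared community account, and 1:n mapping of a role to a pool of accounts, with the pool lease keyed by the DN/attribute combination) can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not code from the thread, from Globus Dynamic Accounts or from LCMAPS. The mapfile syntax is constructed for the example: it borrows the grid-mapfile habit of marking a pool-account prefix with a leading dot, but the "/size" suffix, the account names, DNs and FQANs are all assumptions.

```python
"""Attribute-based 1:n account mapping with pool accounts (added example).

Policy lines, constructed for this example (loosely modelled on the
grid-mapfile layout):
  "<DN>"        <personal account>        DN-based 1:1 mapping
  "<FQAN>"      <community account>       attribute-based 1:1 mapping
  "<FQAN>"      .<prefix>/<size>          attribute-based 1:n pool mapping
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union


class PoolExhausted(Exception):
    """Raised when every account in a pool is already leased."""


@dataclass(frozen=True)
class Pool:
    """A pool of local accounts, e.g. prefix 'dgdev' and size 2 -> dgdev001, dgdev002."""
    prefix: str
    size: int

    def accounts(self) -> List[str]:
        return [f"{self.prefix}{i:03d}" for i in range(1, self.size + 1)]


AttrTarget = Union[str, Pool]   # community account name or a pool

# Constructed sample policy (all names are assumptions).
ALICE = "/C=DE/O=GermanGrid/OU=Uni/CN=Alice Example"
BOB = "/C=DE/O=GermanGrid/OU=Uni/CN=Bob Example"
CAROL = "/C=DE/O=GermanGrid/OU=Uni/CN=Carol Example"
ADMIN_ROLE = "/dgrid/Role=VOSoftwareAdmin"
DEV_ROLE = "/dgrid/Role=Developer"
MAPFILE = f"""
# personal accounts (DN -> account)
"{ALICE}"  alice
"{BOB}"    bob
"{CAROL}"  carol
# shared community account for the software-admin role (1:1)
"{ADMIN_ROLE}"  dgridsgm
# pool of two accounts for the developer role (1:n)
"{DEV_ROLE}"    .dgdev/2
"""


def parse_mapfile(text: str) -> Tuple[Dict[str, str], Dict[str, AttrTarget]]:
    """Split the policy into a DN map and an attribute map."""
    dn_map: Dict[str, str] = {}
    attr_map: Dict[str, AttrTarget] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        subject, target = line.rsplit(None, 1)   # last token is the account
        subject = subject.strip('"')
        if target.startswith("."):              # ".prefix/size" -> pool
            prefix, size = target[1:].split("/")
            target = Pool(prefix, int(size))
        # A DN's first component carries an '=' (/C=, /O=, /DC=); an FQAN's does not.
        if "=" in subject.split("/")[1]:
            dn_map[subject] = target            # a DN is never mapped to a pool here
        else:
            attr_map[subject] = target
    return dn_map, attr_map


@dataclass
class AccountMapper:
    dn_map: Dict[str, str]
    attr_map: Dict[str, AttrTarget]
    # Leases are keyed by (DN, FQAN): the same user with the same role gets the
    # same pool account back; two users with the same role never share one.
    # Kept in memory here; a real site persists this (database, gridmapdir).
    leases: Dict[Tuple[str, str], str] = field(default_factory=dict)
    free: Dict[str, List[str]] = field(init=False)

    def __post_init__(self) -> None:
        self.free = {fqan: t.accounts() for fqan, t in self.attr_map.items()
                     if isinstance(t, Pool)}

    def map_user(self, dn: str, fqan: Optional[str] = None) -> str:
        """Return the local account for a DN, optionally activating a role."""
        if fqan is None:
            return self.dn_map[dn]              # KeyError: unknown DN, reject
        target = self.attr_map[fqan]            # KeyError: unknown role, reject
        if isinstance(target, str):
            return target                       # community account (1:1)
        key = (dn, fqan)
        if key in self.leases:
            return self.leases[key]
        if not self.free[fqan]:
            raise PoolExhausted(fqan)           # do not fall back to sharing
        account = self.free[fqan].pop(0)
        self.leases[key] = account
        return account

    def release(self, dn: str, fqan: str) -> Optional[str]:
        """Give a leased pool account back; returns it, or None if not leased."""
        account = self.leases.pop((dn, fqan), None)
        if account is not None:
            self.free[fqan].append(account)
        return account


if __name__ == "__main__":
    mapper = AccountMapper(*parse_mapfile(MAPFILE))
    print(mapper.map_user(ALICE), mapper.map_user(ALICE, ADMIN_ROLE))
    print(mapper.map_user(ALICE, DEV_ROLE), mapper.map_user(BOB, DEV_ROLE))
```

The point of the `(DN, FQAN)` lease key is exactly the constraint in the thread: every DN keeps its own standard account, a role like VO software admin legitimately collapses onto one community account, while a role like developer hands out a distinct pool account per user and refuses (raises `PoolExhausted`) rather than silently sharing when the pool runs dry. The in-memory lease table stands in for the database or LCMAPS gridmapdir a real deployment would use.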
