
[ggf-ogsa-sec-wg] Re: VO consideration



Takashi,

> My motive is to find out if/how the VO model is sufficient enough
> to deal with real use cases of the grid with regard to grid security.

	VOs, as you point out, do seem to mean different things to
different people. In many grid installations, a set of directories
cataloging the VO's users and resources, a CA which issues certificates
that the VO resources accept and appropriate local (to the individual
resources) security mechanisms constitute a VO.

	At the University of Virginia, we've been doing research on VOs
and are designing policy languages and mechanisms to more easily create
virtual organizations. The main idea is to support formal, virtual
organization-wide policy that allows for autonomic enforcement/management
of that policy.

> - Would a single layer of VO be sufficient enough?
>     to deal with levels of trusted users or VOs...

	Certainly this is a needed capability. The forthcoming
specifications WS-Trust and WS-Policy will be important here.

> - How do you set up/modify the VOs with which authority?
>          or maybe can you partially define them statically, too?
>       What would be a set of services of VO manipulations?

	Of course, this depends on how you define your virtual
organization. Setting up and running a CA (if you require this) can be a
complex operation. The goal of our research is to allow a VO creator to
specify VO policy and have a set of tools that generate the necessary
mechanisms (e.g. grid services) that operate the VO according to that
policy.

> - What would be real organization (RO) policy/trust and VO policy/trust?

	Again, WS-Policy and WS-Trust will play a role here. Policy
conflict between VO-wide policy and the policies of the various ROs in the
VO is an area of active research for us. Policy and trust are both dynamic
considerations and so there must be mechanisms to handle updates.


Glenn

---
Glenn Wasson
wasson@virginia.edu
http://www.cs.virginia.edu/~gsw2c/