
Re: [ggf-ogsa-sec-wg] VO consideration




Philippe Janson writes (12:50 October 29, 2002):
 > Yes, I believe there are some conceptual differences between RO and VO.
 > A RO owns physical assets and retains control over them,
 > whereas a VO can only gain access to physical resources owned by ROs.
 > A VO would typically not own any resources of its own.

Probably not compute resources, but I could see it owning resources on
which collective level services are run (today these are often
contributed from one of the ROs).

 > Similarly ROs register real users directly whereas a user can join a VO 
 > only after it is registered with one of the ROs participating in the VO.

I think this depends on the policies of the ROs and is not
inherent. Some ROs today require users to be registered at their
site, regardless of any other registrations that user might have in
the VO. But I could envision ROs that would be willing to trust the VO
to register users or just don't care how/if the user is registered as
long as they can bill the VO for usage.

Von

 > I suppose you could envision recursively building VOs out of ROs.
 > I just do not know at this stage whether this is required and for what 
 > scenario.
 > It may well be needed for generic inter-grids but I have not thought that 
 > far.
 > 
 > In any case, all these concepts are purely thought provocation at this 
 > stage.
 > There is no doc anywhere that defines ROs and VOs as we have been talking 
 > about.
 > These are so far pure constructions of our imagination for discussion only.
 > 
 > Phil
 > 
 > 
 > "Takashi Kojo" <kojo@isd.nec.co.jp> wrote on 2002/10/29 09:12:00:
 > 
 > > Phil,
 > > 
 > > >> - What would be real organization(RO) policy/trust and VO policy/trust?
 > > > Quite similar in abstract syntax and semantics but bearing on different
 > > > objects with different scope in practice.
 > > > Just as a security officer in some RO could set policies like users in
 > > > (previously defined) group G or with (previously defined) attribute A
 > > > have access to resources in (previously defined) pool P, so could a
 > > > security officer in the same RO involved in a VO V set policies that
 > > > (external) users with membership in V are authorized to access local
 > > > resources in the (previously defined) pool Pv. Each RO security officer
 > > > can define which of his real local users and resources are cleared to
 > > > be in V.
 > > 
 > > I understand this far.
 > > 
 > > I tentatively distinguished RO from VO, but are they essentially different
 > > or not at certain level? Assuming they have common class at certain level,
 > > we could recursively construct a VO from combination of some VOs.
 > > 
 > > Kojo