Re: [ggf-ogsa-sec-wg] VO consideration

> Philippe Janson writes (12:50 October 29, 2002):
>  > Yes, I believe there are some conceptual differences between RO and VO.
>  > A RO owns physical assets and retains control over them,
>  > whereas a VO can only gain access to physical resources owned by ROs.
>  > A VO would typically not own any resources of its own.
>
> Probably not compute resources, but I could see it owning resources on
> which collective level services are run (today these are often
> contributed from one of the ROs).

A VO cannot literally own physical assets. But a RO can delegate some of
its authority to VOs, I think. In other words, a VO can own the authority.
In summary, the difference between them is the type of resources
they can own.


>  > Similarly ROs register real users directly whereas a user can join a VO
>  > only after it is registered with one of the ROs participating in the VO.
>
> I think this depends on the policies of the ROs and is not
> inherent. Some ROs today require users to be registered at their
> site, regardless of any other registrations that user might have in
> the VO. But I could envision ROs that would be willing to trust the VO
> to register users or just don't care how/if the user is registered as
> long as they can bill the VO for usage.

I think Identity Federation's role is virtualizing the registrations to ROs.


Kojo


> Von
>
>  > I suppose you could envision recursively building VOs out of ROs.
>  > I just do not know at this stage whether this is required and for what
>  > scenario.
>  > It may well be needed for generic inter-grids but I have not thought that
>  > far.
>  >
>  > In any case, all these concepts are purely thought provocation at this
>  > stage.
>  > There is no doc anywhere that defines ROs and VOs as we have been talking
>  > about.
>  > These are so far pure constructions of our imagination for discussion only.
>  >
>  > Phil
>  >
>  > "Takashi Kojo" <kojo@isd.nec.co.jp> wrote on 2002/10/29 09:12:00:
>  >
>  > > Phil,
>  > >
>  > > >> - What would be real organization(RO) policy/trust and VO policy/trust?
>  > > > Quite similar in abstract syntax and semantics but bearing on different
>  > > > objects with different scope in practice.
>  > > > Just as a security officer in some RO could set policies like users in
>  > > > (previously defined) group G or with (previously defined) attribute A have
>  > > > access to resources in (previously defined) pool P, so could a security
>  > > > officer in the same RO involved in a VO V set policies that (external)
>  > > > users with membership in V are authorized to access local resources in the
>  > > > (previously defined) pool Pv. Each RO security officer can define which of
>  > > > his real local users and resources are cleared to be in V.
>  > >
>  > > I understand this far.
>  > >
>  > > I tentatively distinguished RO from VO, but are they essentially different
>  > > or not at certain level? Assuming they have common class at certain level,
>  > > we could recursively construct a VO from combination of some VOs.
>  > >
>  > > Kojo