Hi,
see my text below:
Thomas Leonard wrote:
> Hi Dawid,
>
> One way to handle this is to have the broker create the job as itself and
> then transfer ownership to the client. Then the broker does not need any
> special privileges.
>
Could you explain me what do you mean in case of "transfer ownership"?
If broker submits the job
then broker is the owner of this job in GRIA. And as I understand the
broker is able to move the
ownership to someone else who is trusted GRIA user? Then all information
connected with such job (and all data stagers)
will change the ownership to other user (pointed by the broker?).
> You cannot use only the DN for security decisions, since GRIA allows self-
> signed certificates and certificates signed by CAs that are not globally
> trusted. Therefore, two users could easily have the same DN (but not the
> same public key, of course). All access decisions in GRIA are based on
> the public key, not the DN.
>
> The job service does not expose the state of the job queue to clients. If
> the cluster is internal then you can query it directly. If the client is
> outside your organisation then you usually do not want them to know the
> queue state.
>
So I can see that we have to use some external technologies (maybe
ganglia) to get such information.
It is crucial if we want to do some brokering.
See also the end of this email ;)
> Hope that helps,
>
>
> On Thu, 21 Aug 2008 14:48:04 +0200, dejw wrote:
>
>
>> 1. Security.
>>
>> We want to use some job broker between web portal and GRIA services -
>> and now we have question about security token transmission/handling.
>>
>
>
>> We can have a user cert/key pair in the portal - then we can use it to
>> contact our broker. But later the broker will use its own credential
>> (cert/key) to contact GRIA service. (so in the normal configuration only
>> broker user will be recognized)
>>
>> And now the question is:
>>
>> Is it possible to use the GRMS certificate to connect to GRIA service
>> and add in the secured authentication frame the DN of the portal end
>> user. In GRIA maybe we can add some identity provider which will extract
>> the DN and recognize the end user on such basis.
>>
>> If GRMS could be a privileged and trusted external component for the
>> GRIA the DN of the user could be extracted and used to identify the user
>> in the GRIA service - so the transmitted DN will point which user uses
>> given GRIA service (x509 certificate is only used to make secure
>> connection).
>>
>> Or maybe some kind of delegation is possible? Or proxy credentials
>> support?
>>
>> What do you think about such use case? Is it possible in GRIA 5.3? How
>> it should be done ?
>>
>>
>> 2. Information system.
>>
>> 2.1 Is it possible to get information about number of jobs in the queue
>> (in the batch system)
>> which is used by GRIA service? Such information could be used to
>> determine which GRIA service should be used to submit some job if we
>> have many GRIA front ends in the organization.
>>
>> 2.2 Other thing is to get an image of the whole organization - so you
>> can have a few clusters with GRIA services. I saw there is something
>> like GRIA Registry as one of GRIA services. Is it possible to have a
>> global GRIA Registry for all GRIA's front ends in the whole
>> organization?
>>
>> Is the information in the registry dynamic? (if some service is down is
>> it reflected, checked) ?
>> How the information is provided ? - services are automatically
>> registered out there or the administrator registers them?
>>
Unfortunately I didn't get any response as regard point 2.2 from you? So
how it looks like?
I got such information from one of my colleagues about registry:
Every GRIA frontend to the cluster contains registry. Administrator
registers every service deployed in this registry.
There is also possible to register external GRIA services in the given
registry.
Question is - admin does it manually? or every service is registered
automatically in this registry?
The information is dynamic or static? If some service is down then
registry is able to reflect it while querying it?
Is it possible to create registry federation? So if I have a few
clusters with GRIA's on them. Can I choose one of the
registry as a global one? And all others services (from all others
cluster could be registered out there?)
If yes then such global registry is able to reflect dynamically
availability of all services?
Regards,
Dawid
-------------------------------------------------------------------------
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK & win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100&url=/
_______________________________________________
gria-general mailing list
gria-general@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/gria-general
