Tom Scavo wrote:
Every user has and will have their own single account that their DN is mapped to. This account has standard rights and abilities on the resources. Using attributes (groups, roles, et cetera) we want to enable users to activate additional special rights on demand by mapping to special accounts.

This is precisely the TeraGrid Science Gateway use case. The next major release of GridShib for GT (v0.7.0) will support this use case fully.
To what kind of accounts are users with activated special rights mapped at TeraGrid? Are they mapped to community accounts? Or do users have a second/third/etc. account for those purposes? This is exactly where we are thinking about pool accounts, so that different users are not mapped to the same account simultaneously.
I've never used pool accounts, but they need not be dynamic, right? If I'm understanding you correctly, you require *dynamic* pool accounts. This goes beyond what GS4GT alone can provide, I'm afraid. I'll have to look at the DA code and see what might be involved.
If two users are using the same role at the same time, we do not want them to be mapped to the same account. First, it is difficult to tell which action was done by which user (auditing); second, users could read/write each other's files. We think the use of pool accounts could solve this problem. When starting a job, every user would get one of the accounts from a predefined pool (leasing it for the needed time). After job termination the leased account would be released for use by another user (no persistent account leasing). In this way two users would never use the same account simultaneously.
Regards, Benjamin
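The lease/release scheme Benjamin describes above, written out as a small Python allocator. This is an added illustration and is not code from this thread, from GridShib for GT, or from TeraGrid; the role names, account names, DNs and job identifiers are constructed sample data, and the in-memory audit list stands in for whatever log the real mapping service would keep. It enforces the two properties the message asks for: no two users hold the same pool account at the same time, and every action on an account can be traced back to the DN that leased it for that job. It also handles the failure mode the message implies but does not spell out: what happens when the pool for a role is exhausted.

```python
"""Pool-account lease/release allocator (added example, not GridShib/GT code).

Each role has a predefined pool of UNIX accounts. A user (identified by DN)
leases one account per job, and the account returns to the pool only when
that job ends. Because an account is removed from the free list while
leased, two concurrent users of the same role can never share one account.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


class PoolExhausted(Exception):
    """No free account left in the pool for the requested role."""


@dataclass(frozen=True)
class Lease:
    account: str   # pool account handed out, e.g. "special01"
    dn: str        # certificate DN of the user holding it
    role: str      # attribute/role that entitled the user to this pool
    job_id: str    # job the lease is bound to; released when the job ends


class PoolAccountAllocator:
    def __init__(self, pools: Dict[str, List[str]]) -> None:
        # role -> list of currently free accounts (copied so callers can't mutate it)
        self._free: Dict[str, List[str]] = {r: list(a) for r, a in pools.items()}
        # account -> active lease; an account appears here or in _free, never both
        self._leased: Dict[str, Lease] = {}
        # append-only audit trail: which DN held which account for which job
        self.audit: List[str] = []

    def lease(self, dn: str, role: str, job_id: str) -> str:
        """Hand out a free account for `role` to `dn` for the duration of `job_id`."""
        free = self._free.get(role)
        if free is None:
            raise KeyError(f"no account pool configured for role {role!r}")
        if not free:
            # Pool exhausted: the job must wait or fail; never double-assign.
            raise PoolExhausted(f"all accounts for role {role!r} are leased")
        account = free.pop(0)
        lease = Lease(account=account, dn=dn, role=role, job_id=job_id)
        self._leased[account] = lease
        self.audit.append(f"LEASE account={account} dn={dn} role={role} job={job_id}")
        return account

    def release(self, account: str, dn: str) -> None:
        """Return `account` to its pool; only the DN that leased it may release it."""
        lease = self._leased.get(account)
        if lease is None:
            raise KeyError(f"{account!r} is not currently leased")
        if lease.dn != dn:
            # Prevents one user from freeing (and then grabbing) another user's account.
            raise PermissionError(f"{dn!r} does not hold {account!r}")
        del self._leased[account]
        self._free[lease.role].append(account)
        self.audit.append(
            f"RELEASE account={account} dn={dn} role={lease.role} job={lease.job_id}"
        )

    def owner_of(self, account: str) -> Optional[Lease]:
        """Auditing hook: who is behind `account` right now (None if unleased)."""
        return self._leased.get(account)

    def free_count(self, role: str) -> int:
        return len(self._free.get(role, []))


def demo() -> Dict[str, object]:
    """Two users activate the same role concurrently; a third finds the pool full."""
    alloc = PoolAccountAllocator({"special": ["special01", "special02"]})
    a = alloc.lease("CN=alice,O=Example", "special", "job-1")
    b = alloc.lease("CN=bob,O=Example", "special", "job-2")
    exhausted = False
    try:
        alloc.lease("CN=carol,O=Example", "special", "job-3")
    except PoolExhausted:
        exhausted = True
    # Alice's job ends; her account goes back to the pool and Carol can use it.
    alloc.release(a, "CN=alice,O=Example")
    c = alloc.lease("CN=carol,O=Example", "special", "job-3")
    return {
        "alice": a,
        "bob": b,
        "carol": c,
        "exhausted_while_full": exhausted,
        "carol_owns": alloc.owner_of(c).dn,
        "audit": list(alloc.audit),
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The release check on `dn` is what makes the audit trail trustworthy: without it, a user could free someone else's account and immediately re-lease it, and the log would no longer say who was behind the account at a given moment. In a real deployment the lease would be persisted and bound to the job manager's job lifecycle rather than held in a Python dictionary.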
