VOM(R)S Convergence workshop 21-24 October 2008
Notes by Maria (comments on savannah ticket
Last update 2008-10-24
Attendance
----------
Andrea, Dimitar, Maria, Steve, Tanya, Vincenzo
Also on 22 October: Patricia M. (UNOSAT, GEAR, GEANT4), Alessandro de S. (ATLAS, by tel.),
Joel C. and Roberto S. (LHCb), Martti P. (CMS).
And on 24 October a.m.: Miguel A. (for the Oracle discussion).
Results of the VOMRS functionality questionnaire to the VO Admins
-----------------------------------------------------------------
Answers to the questionnaire by the VO Admins showed that there is not a single VOMRS feature we could ignore.
Most features are used by all; those few not needed by some are indispensable for others (e.g. point 6 on
"Interfacing third-party directory during registration and membership validation" is the only way to
authenticate for LHC VOs and is requested by D-Grids).
VOMRS/Voms-Admin convergence plan
---------------------------------
Going through the list of voms-admin development items (21 in total today) one by one, we saw how difficult it is
to commit to any concrete deadline for the convergence. The required functionality involves a lot of voms-admin
development effort. The EGEE-JRA1-Work-Plan-Tracking Task #7729 and dependent tasks 7719, 7720, 7721, 7722,
7723, 7725 contain very high-level descriptions compared to the expected functionality of the new voms-admin.
A slightly more detailed list is this:
- Items required by the up-to-date Joint Security Policy Group (JSPG) Membership Management Policy document
(or that are very simple to implement) will be implemented with first priority. The original date was August 2008,
but this work can now be expected sometime between January and March 2009:
- Items on functionality required by VO Admins using VOMRS today will be done next (no delivery date was committed):
- The interface to an external information source remains a major development item. According to Andrea, this may
come as late as the end of EGEE III (Spring 2010):
VOMRS future
------------
- VOMRS certification will be done by Steve.
- A new VOMRS version is going into production before the end of this month.
- Tanya continues testing the new (Oracle?) bug with error message "Exhausted result set".
As it only hits LHC experiment VOs, the last thing to stress-test is intense VOMRS activity with the CERN HR db disconnected.
This will also be complete before the end of this month.
- If the convergence plan is very much delayed, it will not be easy to keep the new and very different voms-admin
backwards compatible so that VOMRS synchronisation continues to work.
A.O.B.
------
- JSPG should probably include in the VO management policy document the requirement for the
administrator to be a VO member, and hence to have signed, at least, the AUP. In the new voms-admin framework,
DNs may obtain full privileges via ACLs without being 'visible' in the VO at all.
- Steve asked Andrea to remove from the voms-admin config. files the creation and population of [VOname]/voms.conf
(voms core config. files).
- Andrea did not want a savannah bug opened to cover the special (bottom-up) DTEAM VO workflow, where the
GroupOwner/GroupManager approves the candidate in the group before the VO Admin has enabled him/her in the actual VO.
A flag will be implemented to show the chain of approval authorities, and the necessary series of email notifications
will be triggered per step when step-1 is completed. How this will be implemented, tested and certified without
any savannah entry is a concern (for Maria).
- LHCb has been asking for quite some time for functionality in vomrs/voms-admin that allows the VO Admin to change
the VO member certificates in one go when a CA revocation occurs.
- LHCb asks for an operational VOMS replica. On-going testing with CNAF is reaching the end. VO Admins (for VO-ID cards'
updates) and the yaim team will be informed by Steve when we are ready to enter production.