
On 2012-11-02 10:27, stephen.burke@stfc.ac.uk wrote:
Florido Paganelli [mailto:florido.paganelli@hep.lu.se] said:
ARC clients use this information for selection and brokering of CEs. We used to have a similar approach in NorduGrid schema. ARC infosystem is a crucial part of the infrastructure, we really rely on what is published there.
In practice do you have cases where some users in a VO can't use a particular resource because their CA is not allowed, while other users can?
Stephen
I launched a quick survey on NorduGrid communication channels and the answer to your question is NO: the clusters joining well-known scientific experiments using grid that are part of EGI and the like do not filter. However, I recently heard of France filtering out Iranian CAs on some clusters, and I am quite sure that in the US they are picky about who to trust as well. Did you hear about that so far? I don't know how they solved it.

Then I also asked the following: "Is it common to filter or customize the allowed CAs on several clusters?" And the answer was YES from different sites, because of special training CAs that are put in place during training sessions for those who do not have a grid certificate and should just use selected clusters.

In the above, ARC clients would be able to submit only to those clusters holding the correct CA by checking TrustedCA, wherever they are, without the need of hardcoding the target cluster somewhere. Very nice autodiscovery.

In principle, in such a scenario one could have both the IGTF string AND a list of allowed CAs in TrustedCA. I am, however, still puzzled about how a client should find out what the CAs allowed on that cluster are by just reading a plain string and not a DN...

Cheers,
--
Florido Paganelli
Lund University - Particle Physics
ARC Middleware
EMI Project
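The TrustedCA-based selection discussed in this message, as an added example that is not part of the original mail or of ARC's own code: a client keeps only the clusters whose published TrustedCA admits the issuer of the user's certificate, and can resolve a bundle keyword only against its own local copy of that bundle. The function names, the keyword spelling `IGTF`, the OpenSSL one-line DN format and all cluster names and DNs are assumptions made for the illustration.

```python
# Added example: client-side CE selection on a published TrustedCA list.
# Cluster names and DNs below are constructed sample data.
IGTF_TOKEN = "IGTF"  # assumed spelling of the bundle keyword

def normalize_dn(dn):
    """Split an OpenSSL one-line DN (/C=XX/O=...) into (TYPE, value) pairs.
    Simplification: values containing '/' are not handled."""
    pairs = []
    for part in dn.strip().split("/"):
        if not part.strip():
            continue
        key, _, value = part.partition("=")
        pairs.append((key.strip().upper(), value.strip()))
    return tuple(pairs)

def cluster_accepts(trusted_ca, issuer_dn, local_igtf_dns):
    """True if the issuer is listed by DN, or the cluster publishes the
    bundle keyword and the issuer is in the client's own copy of the bundle."""
    issuer = normalize_dn(issuer_dn)
    bundle = {normalize_dn(d) for d in local_igtf_dns}
    for entry in trusted_ca:
        if entry.strip().upper() == IGTF_TOKEN:
            # A plain keyword carries no DNs: it needs a local expansion.
            if issuer in bundle:
                return True
        elif normalize_dn(entry) == issuer:
            return True
    return False

def select_clusters(published, issuer_dn, local_igtf_dns=()):
    """Names of clusters whose TrustedCA admits the issuer, sorted."""
    return sorted(name for name, cas in published.items()
                  if cluster_accepts(cas, issuer_dn, local_igtf_dns))

# Constructed sample data
TRAINING_CA = "/C=XX/O=Example Grid/CN=Training CA"
PRODUCTION_CA = "/C=XX/O=Example Grid/CN=Production CA"
PUBLISHED = {
    "prod.example.org": ["IGTF"],
    "school.example.org": ["IGTF", TRAINING_CA],
    "strict.example.org": [PRODUCTION_CA],
}

if __name__ == "__main__":
    print(select_clusters(PUBLISHED, TRAINING_CA, [PRODUCTION_CA]))
    print(select_clusters(PUBLISHED, PRODUCTION_CA, [PRODUCTION_CA]))
    print(select_clusters(PUBLISHED, PRODUCTION_CA))  # no local bundle
```

The last call shows the case raised at the end of the message: without a local copy of the bundle, a cluster that publishes only the keyword cannot be matched, while one that publishes the DN still can.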