
glue-wg-bounces@ogf.org [mailto:glue-wg-bounces@ogf.org] On Behalf Of Paul Millar said:

My view is GLUE simply shouldn't publish any ACL information: a simple link from UserDomain to the objects that UserDomain might interact with should be sufficient, right? At worst, people try a service and find out they're not authorised (which is an inevitable possibility, as GLUE can never publish all ACEs).

I think a key point in all these discussions is to remember that we're always striking a balance, and practicality is more important than purity. It's certainly true that we can't publish all ACLs at an arbitrary level of detail. On the other hand the main purpose of GLUE is to allow a client to prune the range of resources it has to deal with - if you have to contact 500 services to find the one that authorises you then you probably have a problem. I think the way to deal with that is for the schema to define the format, and individual grids can then decide what level of detail is needed for their community.

Stephen