
Michel Drescher wrote:
On Apr 07, Yuri Demchenko loaded a tape reading:
In some respects the CNL process flow requires that the JobDescription carries some kind of delegation from the user, e.g. the user wants the Grid processing environment to maintain the trust/delegation path.
Any information that directly relates to authentication or authorisation of the information stored in a JSDL instance document (yes, I promised to be clearer in my language...) should be handled in the embracing instance document (or by other means).
I persistently want to draw your attention to the specific use case when users/customers require that all jobs submitted on behalf of them carry an unbroken path of credentials/trust. This is a requirement for the Resource's processing environment to have this functionality, and this can be achieved by including SubjectID and SubjConfData/Creds information. You may decide not to include these elements, but then you probably need to explain this in the Security considerations section. If you move your JSDL doc from one su-exec/admin domain/host to another, you definitely need to worry about this kind of potential vulnerability. This is also an outcome of the ongoing EGEE operational security model development.

Regards,
Yuri