On Jan 17, 2008 3:33 AM, Krzysztof Benedyczak <golbi@mat.uni.torun.pl> wrote:
Tom Scavo wrote:
  <saml:Attribute xmlns:xacmlprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:XACML"
                  xmlns:ldapprof="urn:oasis:names:tc:SAML:2.0:profiles:attribute:LDAP"
                  xacmlprof:DataType="http://www.w3.org/2001/XMLSchema#string"
                  ldapprof:Encoding="LDAP"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1"
                  FriendlyName="isMemberOf">
    <saml:AttributeValue xsi:type="xs:string">voName:group</saml:AttributeValue>
    <saml:AttributeValue xsi:type="xs:string">voName:group:subgroup</saml:AttributeValue>
  </saml:Attribute>
Using this notation, a group name is simply an URN.
I don't think it is a URN - no 'urn:' prefix, no NSS part (which should determine syntactic rules for the tail). Also it clearly violates the RFC on this point: "Global uniqueness: The same URN will never be assigned to two different resources".
Of course I agree that interoperability with software like Grouper is desirable. But apart from that, do we have any other reasons for making it a URN?
Of course you're right, Krzysztof. I didn't quite take the example far enough. Since I wrote the above example, however, I've had a change of heart. Maybe a URL is easier to deal with than a URN.

Consider the following deployment scenario involving a (real) VO, groups, and roles. Suppose, for example, UIUC and UIowa jointly offer a graduate-level geography course (GEOG 602) to advanced undergraduate and graduate students at both institutions. The first semester this joint course is offered, it is agreed that the GISolve gateway (VO name: http://gisolve.org) deployed at UIUC will support all students taking the course. Consequently, each student is obliged to obtain a GISolve gateway account at http://www.gisolve.org/.

Now it turns out that the GISolve gateway proxies grid requests to a resource provider (RP) on the back end. To distinguish grid requests originating from the two groups of users (uiuc.edu and uiowa.edu), the RP (hosted by NCSA at UIUC) requires isMemberOf attributes with one of the following values:

  http://gisolve.org/uiuc.edu/geog602
  http://gisolve.org/uiowa.edu/geog602

To further distinguish requests, the gateway and RP together define roles (faculty, student, admin, etc.) that are appended to the relevant isMemberOf attribute values using familiar URL notation. For example, to distinguish between students at each of the two institutions, the following attribute values are defined:

  http://gisolve.org/uiuc.edu/geog602#student
  http://gisolve.org/uiowa.edu/geog602#student

Attribute values such as these have a number of desirable properties. First of all, the VO already owns the namespace, so globally unique attribute values are immediately available. Moreover, URLs are easily parsed by most languages, so processing is a snap.

Does anyone see a downside to such a naming scheme?

Tom
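The following is an added example, not code from the thread or from GISolve: it shows what an RP would do with URL-style isMemberOf values as Tom proposes (VO name = scheme + host, group = path segments, role = fragment), and why the RP should match them after parsing rather than by string prefix. The function names, the Membership record and the sample saml:Attribute are constructed for illustration; the example assumes the assertion carrying the attribute has already been signature-checked before its values are read.

```python
"""Parse URL-style isMemberOf values and match them against an RP requirement.

Illustrative code only; names and the sample attribute below are constructed
and are not part of the original discussion.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
IS_MEMBER_OF = "urn:oid:1.3.6.1.4.1.5923.1.5.1.1"   # isMemberOf, as used in the thread


@dataclass(frozen=True)
class Membership:
    vo: str                # VO name, e.g. "http://gisolve.org" (scheme + case-folded host)
    group: tuple           # path segments, e.g. ("uiuc.edu", "geog602"); compared case-sensitively
    role: Optional[str]    # fragment, e.g. "student"; None when no role is given


def parse_membership(value: str) -> Membership:
    """Split one attribute value into (vo, group, role); raise ValueError if malformed."""
    parts = urlsplit(value.strip())
    # Assumption: a VO name is a plain http(s) URL; userinfo, ports and queries are rejected.
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an http(s) URL: {value!r}")
    if parts.netloc.lower() != parts.hostname or parts.query:
        raise ValueError(f"unexpected authority or query in {value!r}")
    if not parts.path.startswith("/"):
        raise ValueError(f"missing group path in {value!r}")
    segments = tuple(parts.path[1:].split("/"))
    # Reject empty, "." and ".." segments so "//x", "x/" and "x/../y" never alias a real group.
    if any(s in ("", ".", "..") for s in segments):
        raise ValueError(f"malformed group path in {value!r}")
    return Membership(vo=f"{parts.scheme}://{parts.hostname}",
                      group=segments, role=parts.fragment or None)


def extract_is_member_of(attribute_xml: str) -> list:
    """Collect isMemberOf AttributeValue strings from a saml:Attribute (or a larger fragment).

    Assumption: the enclosing assertion's signature was verified before this is called;
    the values are only as trustworthy as the party that asserted them.
    """
    root = ET.fromstring(attribute_xml)
    values = []
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") != IS_MEMBER_OF:
            continue
        for av in attr.findall(f"{{{SAML_NS}}}AttributeValue"):
            if av.text and av.text.strip():
                values.append(av.text.strip())
    return values


def is_authorized(values, vo: str, group, role: Optional[str] = None) -> bool:
    """True if some value grants membership in (vo, group) and, when given, the role.

    Values are matched segment by segment after parsing, never by string prefix, so
    ".../geog602evil" or a look-alike host cannot satisfy a ".../geog602" requirement.
    Malformed values are skipped instead of failing the whole decision.
    """
    wanted = tuple(group)
    for value in values:
        try:
            m = parse_membership(value)
        except ValueError:
            continue
        if m.vo == vo and m.group == wanted and (role is None or m.role == role):
            return True
    return False


# Constructed sample: the attribute the gateway might assert for a UIUC student.
SAMPLE_ATTRIBUTE = """\
<saml:Attribute xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
  <saml:AttributeValue xsi:type="xs:string">http://gisolve.org/uiuc.edu/geog602</saml:AttributeValue>
  <saml:AttributeValue xsi:type="xs:string">http://gisolve.org/uiuc.edu/geog602#student</saml:AttributeValue>
</saml:Attribute>
"""

GEOG602_UIUC = ("uiuc.edu", "geog602")
GEOG602_UIOWA = ("uiowa.edu", "geog602")

if __name__ == "__main__":
    vals = extract_is_member_of(SAMPLE_ATTRIBUTE)
    print("asserted:", vals)
    print("UIUC student?", is_authorized(vals, "http://gisolve.org", GEOG602_UIUC, "student"))
    print("UIowa member?", is_authorized(vals, "http://gisolve.org", GEOG602_UIOWA))
```

The host is case-folded because DNS names are case-insensitive, while path segments and the fragment are left as-is; a VO that wants case-insensitive group names would have to say so in its naming rules, since nothing in the URL syntax implies it.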