elichad
commented
4 years ago Design notes:
- When creating a new VO, super_root should create the root account and a corresponding identity for it. Super_root will also be able to add or update root identities later.
- Force super_root to operate from the local machine by limiting access to the VO management REST endpoint
- Administration within a specific VO (e.g. adding users) should be handled by root only – super_root should not have those permissions.
- super_root should use the 'def' VO - and nothing else should be assigned to this VO in a multi-VO setup. We will have to be careful with this as 'def' is the default VO
Discussion needed:
- Import of policy packages (related to Rucio PR #2842)
- Multi-VO webUI design options: landing page with possible VOs, domain/vo URL, etc.
Later considerations (if there is time after everything else is done):
- Other potential multi-VO hosts may want a client interface
- VOs to be able to plug in their own naming conventions
User authentication to a specific VO. Super_root administration of VOs. Specific permissions for root and super_root.
These changes will form the second PR against the main Rucio fork. (Individual issues to be listed below.)