On Mon, 3 Feb 2003, Ian Stokes-Rees wrote:
> > They are created the first time a grid user comes in. A
> > mapping is created so that the next time that person comes in
> > they get the same pool account again. The string is a case-
> > lowered and URL-encoded version of the user's DN.
>
> I had assumed that multiple people could be assigned to the same account,
> even if they were each always assigned to that particular account.
No one else gets assigned to a particular pool account while your URL
encoded certificate subject name is hard-linked to it (i.e. the same inode,
as Steve says). The presence of the hard link (via the link count of the
inode, which can be read with stat(2)) stops the pool account being
reused: the advantage of doing it this way is that the link count changes
atomically, even over NFS, so you never get caught between states.
> What are the benefits of people being assigned to the same accounts?
If you come into the site via the Gatekeeper and run a job, you can come
back in via GridFTP and get the same pool UID again and be able to read
your output files.
(This is really only an advantage with a UID-based filesystem like
standard Unix or ext2/3 filesystems, and with filesystems using Grid
security, like SlashGrid filesystems, this issue/advantage goes away.)
> Is this because there are "left over" files which hang about?
Yes. The pool accounts must only be recycled once all files owned by that
UID have been removed. There are scripts to do that cleanup, but for the
current scale of the Testbed people are just recycling accounts when they
reinstall their CE.
> If so, and if it is possible for multiple people to be assigned to the same
> account, then aren't there security implications here?
There would be if it did that. The original year-2001 proposal was to map
all users on the Testbed in the same VO to the same UID per site. (Some
sites really ran this way with multiple users mapped to something like
globususer.) As you say, this would have been a security but also a
bookkeeping nightmare: what if two people create a file called
$HOME/output.log, say?
Cheers,
Andrew
------------------------------------------------------------------------
http://www.hep.man.ac.uk/~mcnab/ +44-161-275-4227
"/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Andrew McNab"
Grid Research, High Energy Physics Group, University of Manchester, UK
------------------------------------------------------------------------
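The hard-link allocation Andrew describes, written out as an added illustration that is not code from the thread or from any gridmapdir implementation. It assumes a flat directory in which each pool account is an empty file whose name contains no '%', and each mapping is the lower-cased, URL-encoded DN hard-linked to that file; the free/used test is the inode link count read with stat(2).

```python
import os
import tempfile
import urllib.parse
def dn_to_key(dn):
    """Lower-case the certificate DN and URL-encode it, as the message describes."""
    return urllib.parse.quote(dn.lower(), safe="")

def setup_gridmapdir(pool_names):
    """Constructed sample gridmapdir: one empty file per pool account."""
    d = tempfile.mkdtemp(prefix="gridmapdir-")
    for name in pool_names:
        open(os.path.join(d, name), "w").close()
    return d

def link_count(gridmapdir, name):
    """Link count read with stat(2): 1 means the pool account is free."""
    return os.stat(os.path.join(gridmapdir, name)).st_nlink

def lookup(gridmapdir, dn):
    """Return the pool account hard-linked (same inode) to this DN, or None."""
    key = os.path.join(gridmapdir, dn_to_key(dn))
    if not os.path.exists(key):
        return None
    for name in os.listdir(gridmapdir):  # pool names carry no '%'; encoded DNs do
        if "%" not in name and os.stat(os.path.join(gridmapdir, name)).st_ino == os.stat(key).st_ino:
            return name
    return None

def allocate(gridmapdir, dn):
    """Reuse the DN's mapping, else claim a free account with an atomic link(2)."""
    if (existing := lookup(gridmapdir, dn)) is not None:
        return existing
    key = os.path.join(gridmapdir, dn_to_key(dn))
    for name in sorted(os.listdir(gridmapdir)):
        if "%" in name or link_count(gridmapdir, name) != 1:
            continue  # a DN entry, or an account already claimed
        try:
            os.link(os.path.join(gridmapdir, name), key)
        except FileExistsError:
            return lookup(gridmapdir, dn)  # this DN was mapped concurrently
        # link(2) is atomic even over NFS: a count of exactly 2 proves we won;
        # a higher count means another DN linked first, so back off and retry
        if link_count(gridmapdir, name) == 2:
            return name
        os.unlink(key)
    raise RuntimeError("no free pool accounts")

def release(gridmapdir, dn):
    """Recycle: drop the DN's link, only once the UID's files have been cleaned up."""
    os.unlink(os.path.join(gridmapdir, dn_to_key(dn)))
```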