Dear Henry,
I have a few comments and a few questions.

As you stated correctly each and every sgm can move code to any of  
her VO's vo-boxes and
run the code as a mapped user.
I don't see a fundamental difference between this and the ability to  
run long running jobs on a batch system through the grid.
In both cases the sysadmin has no effective control over what code  
the users run and a 48h job with external network connectivity is
not so different from what the users can do on a VO box. Since the  
farms give by one way external network access the VOs could implement  
with a bit of
additional complication their service like programs as a series of  
long running jobs that use the local SE for keeping the state.
 From the security point of view I can see no difference between  
giving access to a WN or the VO box. In both cases the users can be  
traced and
are mapped to a local user. In both cases the user can bring non  
security reviewed software to the site.

The question that I have are of practical matter:
You mention that you have to make sure that you are responsible that  
people don't misuse the service (as an example you
mention the storage of ripped movies).
How do you ensure this? Are you in control of what the users store on  
your site and what software they run?

            markus


On Sep 14, 2005, at 2:24 AM, Henry Nebrensky wrote:

> On Wed, 7 Sep 2005, Burke, S (Stephen) wrote:
> ...
>
>> I'd like to add my 2 cents' worth, as someone who has not so far been
>> involved in any of the discussions. To me it seems rather strange  
>> to see
>> that "a VO box" is a vital baseline service - as I understand it  
>> these
>> are not services, but containers for services.
>>
>
> I thought that tomcat (as found in the MON box) was a service  
> container -
> and a Grid-aware one at that...
>
> Anyway, I'm still trying to find out how these VO-boxes are planned  
> to be
> used, in particular what services they make available and where  
> they are
> accessed from. Google threw up
>     https://uimon.cern.ch/twiki/bin/view/Atlas/DDMSc3
> which is a start but still incomplete - is the apache accessed from
> outside the site? How does security monitoring and response work?
> The result is that at present I don't believe we would be ALLOWED to
> deploy a VO-box here, and I get the impression the situation is  
> similar at
> other sites, though some admins may have more power to bend rules.
>
> Let me start at the beginning: in order for us to run an LCG site at
> Brunel, the University has identified some people, e.g. me, whose  
> job it
> is to make sure that Grid services (as an example, gridftp on the  
> SE) are
> firstly installed properly and then maintained (patched); and  
> secondly to
> make sure that people don't misuse the services (no ripped movies  
> in the
> datastore, etc.)
>
> As described in http://goc.grid.sinica.edu.tw/gocwiki/VOBOX_HowTo
> there is no way for a grid-admin like me to supervise a VO-box in that
> fashion - anyone[*] can upload and start a service at any time (and  
> also
> stop and remove an obsolete one).
>
> So if the grid-admins CANNOT be responsible for these services,  
> then the
> situation at least at Brunel University is trivially simple:
>
> ---------------------------------------------------------------------
> Experiments/VOs wishing to operate services on hosts inside Brunel
> University's network and/or externally visible within the brunel.ac.uk
> domain must apply in writing to the head to Computer Services here.
> ----------------------------------------------------------------------
>
> I don't see how anyone proposing something like a VO-box could be
> surprised with that - it's the obvious consequence of the VO-box idea.
>
>
> I probably won't be able to make the upcoming meeting, but I would  
> suggest
> that the details of how these things are supposed to work needs to be
> thrashed out (and not just what lives on which ports, but also things
> like how the thing fits into the incident response framework).
> Most of us directly involved with Grid *are* wanting to get it to
> work (and even do something useful)... but we have to remember that in
> order to do so we depend on others, who don't have that personal  
> interest,
> and have a conflicting set of pressures.
>
> Henry
>
> [*] The list of a VO's SGMs being dynamic and outside Brunel's control
> (and I suspect it would have to be more than one person - or would  
> these
> services all be shut down while the SGM is on holiday and can't  
> react to
> security issues)
>
> -- 
> Dr. Henry Nebrensky                     [log in to unmask]
>                              http://people.brunel.ac.uk/~eesrjjn
> "The opossum is a very sophisticated animal.
>  It doesn't even get up until 5 or 6 p.m."
>