Hi Alessandra:
I'll try to find some docs about it. The general idea is that the
poolaccount will be reserved for a user (or job) by the broker and when
the job is finished it will be quarantined to be used again or can be
recycled.
Hi Maarten:
From a security point of view I can understand this very strict use of
giving each job its own poolaccount.
But it seems that this approach will gain an extra administrative
overhead to work with that many accounts and keeping them clean.
Either the way we work with the poolaccounts must be simplified in the
same factors as they create the new overhead or perhaps keeping the
current (and gaining the WorkSpace Service) will make/keep life simple(r)?
cheers,
Oscar "just my thoughts out loud"
Alessandra Forti wrote:
> Hi Oscar,
>
> is there any document describing this job-pool-account association
> scheme?
>
> I'll soon have a ~2000 cpus. The idea of creating and managing
> ~8000 accounts only for LHC + 4000 for babar and dzero + all the other
> VOs I have enabled makes me a bit nervous.
>
> thanks
>
> cheers
> alessandra
>
>
> On Tue, 18 Oct 2005, Oscar Koeroo wrote:
>
>> Hi,
>>
>> In GLite there is the WorkSpace Service (from Globus) which will
>> enable you to give lifetime properties to a poolaccount.
>> It uses LCMAPS as a backend.
>>
>> So it is in the pipeline to be deployed.
>>
>>
>> cheers,
>>
>> Oscar
>>
>>
>> Brew, CAJ (Chris) wrote:
>>
>>> Hi,
>>>
>>> Doesn't GUMS from BNL (http://grid.racf.bnl.gov/GUMS/index.html) work
>>> something like this? I seem to recall it creates accounts in a single
>>> pool on the fly and assigns them the right properties for the VO. It
>>> doesn't seem to do account recycling though but then no-one's ever
>>> really solved all the security problems with that anyway.
>>>
>>> Yours,
>>> Chris.
>>>
>>>
>>>> -----Original Message-----
>>>> From: LHC Computer Grid - Rollout
>>>> [mailto:[log in to unmask]] On Behalf Of Jeff Templon
>>>> Sent: 18 October 2005 11:07
>>>> To: [log in to unmask]
>>>> Subject: Re: [LCG-ROLLOUT] number of pool accounts per VO
>>>>
>>>> Valentin Vidic wrote:
>>>>
>>>>> On Tue, Oct 18, 2005 at 09:21:33AM +0200, Tim Bell wrote:
>>>>>
>>>>>
>>>>>> (which is currently at 15,000 users). One of the operations was taking
>>>>>> 8 minutes since it was doing an O(n**2) lookup on the users.
>>>>>>
>>>>> nscd or libnss-db can be used to speed up the lookups.
>>>>>
>>>>> But here is another idea: we use LDAP and create/delete
>>>>> accounts on the fly.
>>>>
>>>> hmm, but how do you keep your accounting data, and permissions on
>>>> files, straight? creating accounts on the fly OK, but deleting them?
>>>>
>>>> JT
>>>>
>>>>
>>
>